Dailydave mailing list archives
Re: how about some netiquette? [was: (Fwd) Re: For those of you that don't know....]
From: Sinan Eren <sinan.eren () immunitysec com>
Date: Tue, 14 Dec 2004 12:47:04 -0800 (PST)
> since their engine executes original code with the additional policy engine hooks, they may at most increase race windows, but they should not add new ones. what their engine itself does in the presence of
while we're at it, race conditions are actually so underrated in win32! and yet so many of them ... almost all privileged processes use some synchronization objects without strict ACLs on the security descriptor of the object, thus making it possible for any user to get a handle to it. (Although there are some improvements done by MS, still many more exist, especially in third party products.)

0day hint of the day: go check msdn for CreateEvent/OpenEvent, CreateMutex/OpenMutex, CreateSemaphore/OpenSemaphore, CreateWaitableTimer/OpenWaitableTimer etc. and then run winobj!

one great DoS example i ran into was an insecure mutex object which was used as a global synchronization object in a security product! any user is able to get a handle to it with OpenMutex, later get the ownership with WaitForSingleObject and never release it ;)) the product generated no security events after that point and became unresponsive.

i believe heap races could also be introduced with insecure Event and WaitableTimer objects. Races that could even yield exploitable double free()'s and other heap inconsistencies ... much like the BSD signal issues documented by Zalewski (http://www.bindview.com/Support/RAZOR/Papers/2001/signals.cfm). After all, pulsing an event or altering the time on the waitable timer might have similar effects ;-))
> threads is another question, i'd like to see how they can remain performant yet protect their own memory against modification (normally that's a round-trip to mprotect/VirtualProtect and suspension of all other threads).
I think they actually do a round-trip to VirtualProtect which may sound quite performance intensive ... dunno

cheers,
Sinan
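A defender-side companion to the mutex ACL point above, added here and not part of Sinan's post: one function reads the DACL of a named mutex and flags Allow entries that let broad groups SYNCHRONIZE/MODIFY it (the condition that lets any user acquire and hold the object), the other creates a mutex with an explicit protected DACL instead of relying on the default. It assumes Windows PowerShell 5.1 (.NET Framework overloads of Mutex.OpenExisting and the MutexSecurity constructor); the function names and the object name 'Global\ExampleProductMutex' are hypothetical.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1;
# function names and the mutex name below are constructed for illustration.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function Get-MutexDaclReport {
    param([Parameter(Mandatory)][string]$Name)
    # READ_CONTROL is enough to read the security descriptor; we never acquire it.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name, [MutexRights]::ReadPermissions)
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return "no mutex named '$Name'"
    }
    try {
        $rules = $m.GetAccessControl().GetAccessRules($true, $true, [NTAccount])
        # Principals every local logon belongs to; an Allow ACE for one of these
        # carrying SYNCHRONIZE or MODIFY is exactly the weak ACL the post describes.
        $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                   'NT AUTHORITY\INTERACTIVE')
        $risky = [MutexRights]::Synchronize -bor [MutexRights]::Modify
        foreach ($ace in $rules) {
            $who  = $ace.IdentityReference.Value
            $flag = ''
            if ($ace.AccessControlType -eq [AccessControlType]::Allow -and
                $broad -contains $who -and ([int]($ace.MutexRights -band $risky)) -ne 0) {
                $flag = '  <-- any local user can acquire and hold this object'
            }
            '{0,-40} {1,-5} {2}{3}' -f $who, $ace.AccessControlType, $ace.MutexRights, $flag
        }
    } finally { $m.Close() }
}

function New-RestrictedMutex {
    param([Parameter(Mandatory)][string]$Name)
    # Explicit DACL: only the creating account and SYSTEM get access, and the
    # protected flag stops anything being inherited from the default DACL.
    $sec  = [MutexSecurity]::new()
    $self = [WindowsIdentity]::GetCurrent().User
    $sys  = [SecurityIdentifier]::new([WellKnownSidType]::LocalSystemSid, $null)
    foreach ($sid in @($self, $sys)) {
        $sec.AddAccessRule([MutexAccessRule]::new($sid, [MutexRights]::FullControl,
                                                  [AccessControlType]::Allow))
    }
    $sec.SetAccessRuleProtection($true, $false)
    $createdNew = $false
    [System.Threading.Mutex]::new($false, $Name, [ref]$createdNew, $sec)
}

Get-MutexDaclReport -Name 'Global\ExampleProductMutex'   # constructed name
```

Run the report against the names winobj shows under \BaseNamedObjects to see which third-party objects are open to every user; it needs no privilege beyond READ_CONTROL on the object.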