Bugtraq mailing list archives

Re: WinNT syscalls insecurity


From: solar () FALSE COM (Solar Designer)
Date: Wed, 22 Oct 1997 00:54:28 +0300


Hello!

> What patch level have you tested this under?  Your results can very well

This was an unpatched version of NT, you're right. I'll check out SP3 when
I have some more spare time. I'm not using NT for any real work, it's just
fun for me to find out how various operating systems are implemented.

> vary depending on whether SP3+getadmin fixes were applied.  Costin Rau
> (sp?) found a number of NtXXX calls which caused crashes if they were fed a
> 0xFFFFFFFF pointer, and all of these were fixed by the second attempt at
> the getadmin patch.  Costin did a fairly extensive job of checking back in
> July.

The purpose of my message was to show that NT uses a bad approach to syscalls,
and dealing with parameters imported from user space. I'm told SP3 got many
particular bugs fixed. However, if NT used a better approach (the suggestions
at the end of my original message), these bugs would never appear. I don't
think that fixing particular bugs is the right thing to do: some will likely
remain.

> BTW, self-inflicted denial of service attacks aren't at the top of my list
> of evils.  OTOH, if you were to find a way to set the NtGlobalFlag again,
> now _that_ would be interesting.

BTW, if a better approach to dealing with the pointers was used (like different
segment base addresses), GetAdmin would never appear. As for another GetAdmin,
I just wasn't looking for it yet.

Signed,
Solar Designer
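The point argued in this message is that a syscall must treat every pointer and length it receives from user space as hostile and validate it before use, rather than relying on case-by-case fixes after each crash. The following is an added illustration, not code from the original post or from Windows NT: it models a 32-bit address space split at 0x80000000 the way classic NT splits user and kernel halves (a constructed assumption), backs a single fake user page with an array, and contrasts a naive range check that wraps around for a pointer like 0xFFFFFFFF with one that cannot. All names (user_range_ok, sys_sum_bytes, user_write, the STATUS_* values) are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: user addresses are below USER_LIMIT, kernel above.
 * Only one user page is "mapped"; everything else faults. */
#define USER_LIMIT 0x80000000u
#define PAGE_BASE  0x00010000u
#define PAGE_SIZE  4096u

static uint8_t user_page[PAGE_SIZE];   /* backing store for the mapped page */

enum {
    STATUS_SUCCESS           =  0,
    STATUS_ACCESS_VIOLATION  = -1,
    STATUS_INVALID_PARAMETER = -2
};

/* Naive check: addr + len wraps for addr near 0xFFFFFFFF, so
 * user_range_naive(0xFFFFFFFF, 4) computes 3 <= USER_LIMIT and says "ok". */
bool user_range_naive(uint32_t addr, uint32_t len) {
    return addr + len <= USER_LIMIT;
}

/* Overflow-safe check: [addr, addr+len) lies entirely in user space.
 * Written as len <= USER_LIMIT - addr so no addition can wrap. */
bool user_range_ok(uint32_t addr, uint32_t len) {
    if (addr >= USER_LIMIT)
        return false;
    return len <= USER_LIMIT - addr;
}

/* Translate a user address to backing storage, or NULL when the range is
 * not mapped. In a real kernel this is where a page fault would be raised;
 * the handler must turn that into an error return, not a crash. */
static uint8_t *resolve(uint32_t addr, uint32_t len) {
    if (addr < PAGE_BASE)
        return NULL;
    uint32_t off = addr - PAGE_BASE;
    if (off >= PAGE_SIZE || len > PAGE_SIZE - off)
        return NULL;
    return user_page + off;
}

/* Simulates the user process writing its own memory before the call. */
int user_write(uint32_t addr, const uint8_t *src, uint32_t len) {
    uint8_t *dst = resolve(addr, len);
    if (!user_range_ok(addr, len) || !dst)
        return STATUS_ACCESS_VIOLATION;
    memcpy(dst, src, len);
    return STATUS_SUCCESS;
}

/* Modeled syscall: sum the bytes the caller points at. Every parameter is
 * validated before the pointer is touched; every failure is a status code. */
int sys_sum_bytes(uint32_t user_ptr, uint32_t len, uint32_t *out) {
    if (len == 0 || out == NULL)
        return STATUS_INVALID_PARAMETER;
    if (!user_range_ok(user_ptr, len))
        return STATUS_ACCESS_VIOLATION;     /* kernel address or wrap-around */
    const uint8_t *p = resolve(user_ptr, len);
    if (!p)
        return STATUS_ACCESS_VIOLATION;     /* unmapped user memory */
    uint32_t sum = 0;
    for (uint32_t i = 0; i < len; i++)
        sum += p[i];
    *out = sum;
    return STATUS_SUCCESS;
}

int main(void) {
    static const uint8_t data[4] = {1, 2, 3, 4};   /* constructed input */
    uint32_t out = 0;
    user_write(PAGE_BASE, data, sizeof data);
    printf("naive check on 0xFFFFFFFF+4: %s\n",
           user_range_naive(0xFFFFFFFFu, 4) ? "accepted (bug)" : "rejected");
    printf("safe  check on 0xFFFFFFFF+4: %s\n",
           user_range_ok(0xFFFFFFFFu, 4) ? "accepted" : "rejected");
    printf("sys_sum_bytes(valid) -> %d, sum=%u\n",
           sys_sum_bytes(PAGE_BASE, 4, &out), out);
    printf("sys_sum_bytes(0xFFFFFFFF) -> %d\n",
           sys_sum_bytes(0xFFFFFFFFu, 4, &out));
    return 0;
}
```

The two checks differ only in how the upper bound is formed; the subtraction form is the one to use anywhere a user-supplied base and length are combined, since a kernel handler that dereferences after the wrapping comparison crashes instead of returning an error.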
