Bugtraq mailing list archives

NTCrash2


From: aleph1 () DFW NET (Aleph One)
Date: Wed, 25 Mar 1998 23:34:23 -0600


Date: Wed, 25 Mar 1998 16:11:17 +0000
From: Paul Ashton <paul () ARGO DEMON CO UK>
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: NTCrash2

From: http://www.ntinternals.com/ntdll.htm
by Mark Russinovich.

"A little over a year ago I wrote a program called NTCrash that barraged
the Native API interface with garbage parameters. The program discovered
13 WIN32K system services that failed to perform comprehensive parameter
validation, the result of which was Blue Screens. Microsoft closed these
holes in Service Pack 1.

About two months ago I revisited NTCrash and tweaked it to be more intelligent
about generating garbage - the garbage this new version, NTCrash2, produces
hits boundary conditions that can be easy to miss in validation. In fact,
this revision found 40 more APIs with Blue Screen holes. Microsoft has been
made aware of the holes and they will be closed in Service Pack 4."

40?! I wonder how many of these could be turned into exploits?

Paul
--
"Software is like sex; it's better when it's free - LT"
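
Added illustration, not part of Paul's post and not NTCrash2's own code: a user-mode C model of the kind of boundary condition the quoted text says parameter validation can miss. A system service that takes a user buffer as (address, length) has to confirm the whole buffer lies below the user/kernel limit. A check written as "start in range, and start + length in range" reads correctly but wraps modulo 2^32 when the length is near UINT32_MAX, so a buffer that reaches into kernel space is accepted. The example feeds a small set of boundary values (zero, one, either side of the limit, the sign bit, the top of the 32-bit range) to that naive check and to a hardened one that compares the length against the room left below the limit, and counts how often each accepts a buffer that really crosses the limit. The limit constant, the validator names and the boundary list are constructed for this example; the limit is a stand-in, not Windows' real probe address.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a user/kernel address boundary for a 32-bit process.
 * Illustration value only, not Windows' actual user probe address. */
#define USER_LIMIT 0x7FFF0000u

typedef bool (*validator_fn)(uint32_t addr, uint32_t len);

/* Naive check: start is in range and the computed end is in range.
 * Looks right, but addr + len wraps modulo 2^32 when len is near
 * UINT32_MAX, so a buffer reaching past the limit can be accepted. */
bool validate_naive(uint32_t addr, uint32_t len)
{
    if (addr >= USER_LIMIT)
        return false;
    if ((uint32_t)(addr + len) > USER_LIMIT)
        return false;
    return true;
}

/* Hardened check: compare the length against the room left below the
 * limit instead of computing an end address, so nothing can wrap. */
bool validate_hardened(uint32_t addr, uint32_t len)
{
    if (addr >= USER_LIMIT)
        return false;
    if (len > USER_LIMIT - addr)
        return false;
    return true;
}

/* Ground truth in 64-bit arithmetic: does [addr, addr + len] stay at or
 * below the limit? */
static bool truly_in_range(uint32_t addr, uint32_t len)
{
    return (uint64_t)addr + (uint64_t)len <= USER_LIMIT;
}

/* Boundary values: zero, one, both sides of the limit, the sign bit and
 * the top of the 32-bit range. These are the edges a start/end comparison
 * is most likely to mishandle; random values seldom land exactly on them. */
static const uint32_t boundary_values[] = {
    0u, 1u, USER_LIMIT - 1, USER_LIMIT, USER_LIMIT + 1,
    0x80000000u, 0xFFFFFFFEu, 0xFFFFFFFFu,
};
#define N_BOUNDARY (sizeof boundary_values / sizeof boundary_values[0])

/* Feed every (addr, len) pair of boundary values to a validator and count
 * the cases where it accepts a buffer that actually crosses the limit. */
int count_misses(validator_fn validate, bool verbose)
{
    int misses = 0;
    for (size_t i = 0; i < N_BOUNDARY; i++) {
        for (size_t j = 0; j < N_BOUNDARY; j++) {
            uint32_t addr = boundary_values[i];
            uint32_t len = boundary_values[j];
            if (validate(addr, len) && !truly_in_range(addr, len)) {
                misses++;
                if (verbose)
                    printf("  accepted addr=0x%08X len=0x%08X (end wraps to 0x%08X)\n",
                           addr, len, (uint32_t)(addr + len));
            }
        }
    }
    return misses;
}

int main(void)
{
    printf("naive validator:\n");
    int naive = count_misses(validate_naive, true);
    printf("  %d boundary pairs wrongly accepted\n", naive);

    printf("hardened validator:\n");
    int hardened = count_misses(validate_hardened, true);
    printf("  %d boundary pairs wrongly accepted\n", hardened);
    return 0;
}
```

Running it lists the pairs the naive check lets through: a start address of 1 with length 0xFFFFFFFF, and a start just below the limit with lengths 0xFFFFFFFE and 0xFFFFFFFF. Every one of them has an end address that wrapped back into user space. The hardened check rejects all of them while still accepting ordinary buffers, which is why the "compare the length against the remaining room" form is the idiom to use for this kind of validation.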
