Bugtraq mailing list archives

Re: Crashing NT with Native Calls


From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Mon, 28 Sep 1998 08:19:40 -0400


At 06:19 PM 9/25/98 +0200, Gigi Mori wrote:

> The bug resides in TCPIP.SYS InternalIoControl dispatch routine, which
> lacks a check on the current IRQ level before processing the query information
> request.

I think you mean IRQL, which is a little different.  At any rate, this one
isn't too surprising - any time you start dealing directly with drivers,
you're dealing with performance-oriented, trusted code.  It is likely that
all of the other code that calls into this sets the IRQL before going in.

The trade-off to fix all of this is, of course, that adding checks all over
the place for IRQL level, etc. will incur a performance penalty.

There are some interesting security implications in terms of who can do
what to device drivers - see http://www.sysinternals.com/devsec.htm for a
good article on this.  An excerpt:

"The vast majority of device objects created have the following
permissions: Everyone:Read/Write (R/W) (the Everyone built-in Security
Identifier -SID - is also known as the World SID), System:Full Access, and
Administrator:Full Access."

IMHO, it would be really nice to have documented APIs implemented in user
mode for all of the command line apps - for example, nbtstat would be nice
to be able to call from inside an app.  Obviously what you're doing here is
trying to do the same thing as netstat from inside an app.


David LeBlanc
dleblanc () mindspring com
