Full Disclosure mailing list archives
Re: RE: Unchecked buffer in mstask.dll
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 15 Jul 2004 15:03:49 +1200
"Jordan Cole (stilist)" <stilist () gmail com> to Paul Szabo:
Being curious, on Win2k, I copied cmd.exe (from winnt\system32) as xyz.pif; then (right-click) Properties, Program crashes explorer.
I had to specifically click on the "Program" tab, which evoked a null-pointer read attempt (at a guess, something in the .PIF parser assumes a length or offset will always be >0 so doesn't do any sanity checking, and/or some higher level routines don't do any checking).
I'd say that's because you changed the filetype; pif files simply contain information on how to handle a DOS executable; they aren't a program themselves. All you did was make it get confused and kill itself.
Yeah, but how long is it now since we've been telling programmers "don't trust user-supplied data"?? (Hmmmm -- does it also fail on W2K3??)

And don't you also find the inconsistencies this throws up at least somewhat interesting? Rename a PE executable to a .PIF extension, right click, ask to see the file's properties and splat -- whatever code is invoked to handle that task dies a stupid, if not ugly, death because internally the file is the wrong type. However, if you double-click that renamed file it is executed as if nothing is amiss.

And to think that some folk will see this as further reason to enforce their belief that when it comes to security and code quality, Microsoft really just doesn't get it...

Why did MS make ".EXE files renamed as .PIF" execute "properly"? Aside from "because we can", I'd not be at all surprised if it was on some internal "stupid user tricks we should eliminate support calls for" list. But, whatever the reason, did anyone at Microsoft give two milliseconds of thought to the security (or other) consequences of that design decision? I seriously doubt it and I'm sure I'm far from alone in that...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
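The behaviour discussed in the thread is an extension/content mismatch: a PE image carrying a .PIF extension is data to the property-sheet code but a program to the shell. From a defender's side the useful check is the inverse of what Explorer does, look at the bytes rather than the extension. The script below is an added example, not code from the thread or from Microsoft; it parses the MZ stub and follows e_lfanew to the PE signature, and flags any .pif whose contents are actually an MZ/PE image. The sample files it scans are constructed in-line (a synthetic 0x48-byte PE header, a zero-filled stand-in for a genuine PIF), and the function and extension-set names are this example's own.

```python
import struct

# Extensions that Windows treats as DOS program information rather than
# as a native executable image. The post concerns .pif; only that one is
# listed so nothing is asserted about other shortcut-style types.
SUSPECT_EXTENSIONS = {".pif"}


def parse_pe_headers(data):
    """Classify a byte buffer as ("pe", e_lfanew), ("mz", None) or (None, None).

    Checks for the 'MZ' DOS magic, then reads e_lfanew at offset 0x3C and
    looks for the 'PE\\0\\0' signature there. Truncated buffers (the very
    case the thread's crash suggests the real parser mishandles) are
    treated as data rather than allowed to index out of range.
    """
    if len(data) < 2 or data[:2] != b"MZ":
        return (None, None)
    if len(data) < 0x40:
        # MZ magic present but no room for e_lfanew: a bare DOS .EXE or a
        # truncated image. Still an executable, still not a PIF.
        return ("mz", None)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return ("pe", e_lfanew)
    return ("mz", None)


def classify(name, data):
    """Return "renamed-executable" when a suspect extension hides an MZ/PE image."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    kind, _ = parse_pe_headers(data)
    if ext in SUSPECT_EXTENSIONS and kind is not None:
        return "renamed-executable"
    return "ok"


def scan(files):
    """Map each (name -> bytes) entry to its classification."""
    return {name: classify(name, data) for name, data in files.items()}


def build_fake_pe():
    """Constructed minimal image: MZ stub, e_lfanew = 0x40, PE signature at 0x40.

    It is not a loadable program, only enough header to exercise the parser.
    """
    img = bytearray(0x48)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\x00\x00"
    return bytes(img)


# Constructed sample set standing in for a directory listing.
SAMPLE_FILES = {
    "xyz.pif": build_fake_pe(),     # the thread's case: cmd.exe copied as xyz.pif
    "legacy.pif": bytes(369),       # zero-filled placeholder for a genuine PIF
    "tool.exe": build_fake_pe(),    # PE under its own extension: nothing to flag
    "dos.pif": b"MZ" + bytes(20),   # MZ magic, no PE header, truncated
}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name:12s} {verdict}")
```

A real deployment would read file contents from disk instead of the embedded dictionary; the classification logic is unchanged. Because the verdict depends on the first 0x44 bytes plus the four at e_lfanew, the check is cheap enough to run over an inbox or a whole share.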