Full Disclosure mailing list archives

Buffer OverFlow in ILASM and ILDASM

From: Dinis Cruz <dinis () ddplus net>
Date: Mon, 27 Mar 2006 01:53:24 +0100

Hello, just in case you haven't seen this one...

Last year I found a Buffer Overflow in Microsoft's .Net SDK ILDASM tool
which I reported privately to MSRC and eventually (after Microsoft's
response) publicly to the (low profile) Owasp-dotnet mailing list.

I was waiting for Microsoft to publicly post something about this
(although they are not going to fix it in the near future, they should
at least make their customers aware of the issue), but since they don't
seem willing to do it, here is a copy of the email I sent to the
Owasp-dotnet mailing list on 14th December 2005:

/"I just posted to this forum (Owasp .Net <http://www.owasp.net/forums/>
» Forums <http://owasp.net/forums/default.aspx?ForumGroupID=4> » .Net
Security <http://owasp.net/forums/5/ShowForum.aspx>) a series of posts
that existed in a private forum of www.owasp.net (used for issues like
this (i.e. we want the information to be shared amongst selected
Owasp.Net users but don't want it to be publicly disclosed (yet))) about
a vulnerability that me and Kerem discovered on ILASM and ILDASM:
/

    * /To MSRC: Buffer OverFlow in ILASM and ILDASM
      <http://www.owasp.net/forums/257/ShowPost.aspx> - The entire email
      conversation with MSRC (secure () microsoft com) going from the
      initial response to the final answer where they will not threat
      this as a vulnerability and will not issue a security advisory for
      it (the solution will be included in the next Service Pack)
      /
    * /Buffer Overflow in ILASM
      <http://www.owasp.net/forums/222/ShowPost.aspx> - original email
      containing my first thoughts/
    * /ILDASM Exception Creator
      <http://www.owasp.net/forums/234/ShowPost.aspx>- little tool
      created by Kerem to create .Net assemblies that crash ILDASM
      /
    * / ILDAM vulnerability ShellCode development
      <http://owasp.net/forums/252/ShowPost.aspx>
      <http://owasp.net/forums/252/ShowPost.aspx>- more code snippets
      and comments (now related to trying to inject a shellcode into the
      vulnerable process)/

/The bottom line is that this is a real issue in 1.1 and 1.0 (2.0 seems
to mitigate them), Microsoft has acknowledge the problem but will not
release a patch any time soon.

So be careful when you ILDASM something.

I also think that this issue needs further research since when we were
testing the Overflows we were finding them in several places in ILASM
and ILDASM (which means that there are probably many more variations
still to be discovered/mapped)
/
/Dinis Cruz
Owasp .Net Project Leader
www.owasp.net "/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Wall, Kevin (Mar 25)
- Buffer OverFlow in ILASM and ILDASM Dinis Cruz (Mar 26)
- Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Dinis Cruz (Mar 26)
  - RE: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code Jeff Williams (Mar 26)

(Thread continues...)