Full Disclosure mailing list archives
Buffer OverFlow in ILASM and ILDASM
From: Dinis Cruz <dinis () ddplus net>
Date: Mon, 27 Mar 2006 01:53:24 +0100
Hello,

just in case you haven't seen this one...

Last year I found a Buffer Overflow in Microsoft's .Net SDK ILDASM tool which I reported privately to MSRC and eventually (after Microsoft's response) publicly to the (low profile) Owasp-dotnet mailing list.

I was waiting for Microsoft to publicly post something about this (although they are not going to fix it in the near future, they should at least make their customers aware of the issue), but since they don't seem willing to do it, here is a copy of the email I sent to the Owasp-dotnet mailing list on 14th December 2005:

"I just posted to this forum (Owasp .Net <http://www.owasp.net/forums/> » Forums <http://owasp.net/forums/default.aspx?ForumGroupID=4> » .Net Security <http://owasp.net/forums/5/ShowForum.aspx>) a series of posts that existed in a private forum of www.owasp.net (used for issues like this (i.e. we want the information to be shared amongst selected Owasp.Net users but don't want it to be publicly disclosed (yet))) about a vulnerability that Kerem and I discovered in ILASM and ILDASM:

* To MSRC: Buffer OverFlow in ILASM and ILDASM <http://www.owasp.net/forums/257/ShowPost.aspx> - The entire email conversation with MSRC (secure () microsoft com) going from the initial response to the final answer where they will not treat this as a vulnerability and will not issue a security advisory for it (the solution will be included in the next Service Pack)
* Buffer Overflow in ILASM <http://www.owasp.net/forums/222/ShowPost.aspx> - original email containing my first thoughts
* ILDASM Exception Creator <http://www.owasp.net/forums/234/ShowPost.aspx> - little tool created by Kerem to create .Net assemblies that crash ILDASM
* ILDAM vulnerability ShellCode development <http://owasp.net/forums/252/ShowPost.aspx> - more code snippets and comments (now related to trying to inject a shellcode into the vulnerable process)

The bottom line is that this is a real issue in 1.1 and 1.0 (2.0 seems to mitigate them), Microsoft has acknowledged the problem but will not release a patch any time soon. So be careful when you ILDASM something.

I also think that this issue needs further research since when we were testing the Overflows we were finding them in several places in ILASM and ILDASM (which means that there are probably many more variations still to be discovered/mapped)

Dinis Cruz
Owasp .Net Project Leader
www.owasp.net"