Vulnerability Development mailing list archives

Re: Format Bugs in Windows Code?


From: Michael Wojcik <Michael.Wojcik () MERANT COM>
Date: Mon, 11 Sep 2000 06:34:15 -0700

From: Thomas Dullien [mailto:Dullien () GMX NET]
Sent: Saturday, September 09, 2000 8:03 AM

[snip my idea for interpositioning *f() functions and testing format
string writability]

> This is _not_ a good idea. Assuming a program has been internationalized
> it will load format strings et al using LoadString() and then use these
> strings afterwards. Using your approach, you would get a _huge_ number
> of false positives.

Excellent point.  (I don't know that it demonstrates my proposal wasn't a
good idea, though, just that it's probably unworkable.  It may still be of
academic interest.)

This does suggest a modified approach: if the format string is writable,
check it against the string tables in the application and its DLLs.  A
vulgar implementation would be far too expensive, but with buffering and
idle checking...  Still probably not useful in practice but I may toy with
it further.

> Secondly, as format string problems most frequently
> appear in logging function you would sometimes have to generate pretty
> exotic error conditions which are hard to trigger unless you read either
> the source or the disassembly. If you do that, you can save yourself the
> extra step of hooking functions and just use your debugger :)

The point was to search heuristically for possible vulnerabilities during
normal use, not to exhaustively check applications for them.  I don't know
about you, but I've seen a tremendous number of error messages from Windows
applications (often incorrect ones), and I'm not a big Windows user.  (If it
weren't for corporate-mandated Office and Outlook, I wouldn't have used
Windows at all for the past few years.  Now I've been forced to do some
Windows development, to my chagrin.)

Michael Wojcik             michael.wojcik () merant com
MERANT
Department of English, Miami University
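As an added illustration of the modified approach discussed above (this is editorial example code, not code from either poster): the decision a hooked printf-family function could make for one call, given a writability flag the hook supplies (assumed on Windows to come from VirtualQuery on the format pointer) and a constructed stand-in for the application's string table. A small directive scanner separates a writable but harmless message from one that would consume arguments or write memory.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the application's string table, i.e. the formats
 * LoadString() would hand back at run time. Assumption: a real hook would
 * harvest these from the resource sections of the EXE and its DLLs. */
static const char *const k_string_table[] = {
    "Error %d: could not open %s\n",
    "Connected to %s on port %d\n",
};

/* Minimal printf directive scanner: returns the number of conversions that
 * consume an argument and sets *has_n if a %n (memory-writing) directive is
 * present. Handles %%, flags, '*' width/precision and length modifiers. */
int scan_format(const char *fmt, int *has_n) {
    int conversions = 0;
    *has_n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                    /* "%%" is a literal '%' */
        while (*p && strchr("-+ #0", *p)) p++;      /* flags */
        for (; *p == '*' || (*p >= '0' && *p <= '9'); p++)
            if (*p == '*') conversions++;           /* '*' width eats an arg */
        if (*p == '.')
            for (p++; *p == '*' || (*p >= '0' && *p <= '9'); p++)
                if (*p == '*') conversions++;       /* '*' precision too */
        while (*p && strchr("hlLqjzt", *p)) p++;    /* length modifiers */
        if (!*p) break;                             /* dangling '%' at end */
        if (*p == 'n') *has_n = 1;
        conversions++;
    }
    return conversions;
}

enum verdict { FMT_LITERAL, FMT_RESOURCE, FMT_WRITABLE_PLAIN, FMT_SUSPECT, FMT_WRITES_MEMORY };

/* Verdict a hooked *printf() reaches for one call. `writable` is the hook's own
 * test of the format pointer (assumption: VirtualQuery() on Windows). Read-only
 * formats are taken to be compiled-in literals; writable ones are accepted only
 * when they match a known resource string, which removes the LoadString() false
 * positives; anything else is reported by how dangerous its directives are. */
enum verdict classify_format(const char *fmt, int writable) {
    int has_n, conversions;
    if (!writable) return FMT_LITERAL;
    for (size_t i = 0; i < sizeof k_string_table / sizeof *k_string_table; i++)
        if (strcmp(k_string_table[i], fmt) == 0) return FMT_RESOURCE;
    conversions = scan_format(fmt, &has_n);
    if (has_n) return FMT_WRITES_MEMORY;
    return conversions ? FMT_SUSPECT : FMT_WRITABLE_PLAIN;
}
```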

