Vulnerability Development mailing list archives

Re: Format Bugs in Windows Code?


From: Michael Wojcik <Michael.Wojcik () MERANT COM>
Date: Fri, 8 Sep 2000 12:19:19 -0700

From: Crispin Cowan [mailto:crispin () WIREX COM]
Sent: Thursday, September 07, 2000 8:02 PM

However, I also cannot recall seeing a format bug announced for Windows
yet.  Anyone know of an instance?

I don't, offhand, but this made me think of a possible way to test for the
possibility of format bugs in binary applications without source, provided
they're linked dynamically with the MFC runtime.  Interpose wsprintf et al.
with ones that do an IsBadWritePointer on the format string.  If the format
string is writable, it's likely a variable, and possibly susceptible to user
input.

It should be possible using this method to automatically test all
dynamically-linked apps on a Win32 system as they're used, logging positive
(writable-format) results to a file somewhere with some process ID and
traceback info.  Eventually you'd probably accumulate some useful hits.

It should be possible to use a similar method on other platforms, if
applications are typically dynamically linked against the C runtime, if a
decent method of testing address writability exists[1], and if the
application in question was built using a development environment that puts
constant strings on read-only pages.  Unfortunately those are some fairly
big if's.


1. The only portable ways I know of testing the validity of an address on
Unix in user space are to intercept SIGSEGV, or to hand the address to a
system call that tries to use it (e.g. read).  I've written variants of
Win32's IsBadReadPointer using both of these methods.  The former is
unfortunately not thread-safe; the latter is cumbersome (more so for testing
writability, since you have to test for readability, save the contents, test
for writability, and restore the contents) but generally workable.

Michael Wojcik             michael.wojcik () merant com
MERANT
Department of English, Miami University
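Added example, not part of Michael Wojcik's message or any project: a C implementation on Unix of the footnote [1] probe (a pipe read/write serves as the system call that touches the address, and the read restores the byte, so no separate save/restore is needed), wrapped into the printf-interposition check described above. The names is_writable, checked_printf, probe_literal and probe_stack_copy are my own; the assumption that literals land on read-only pages holds for the usual ELF/Mach-O toolchains.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Portable writability probe, as in footnote [1]: hand the address to the
 * kernel. write() copies one byte *from* p into a pipe (tests readability);
 * read() then copies it back *into* p (tests writability) and so restores it.
 * Returns 1 if writable, 0 if read-only or unmapped, -1 if pipe() failed. */
static int is_writable(const void *p)
{
    int fd[2], rc;
    if (pipe(fd) != 0)
        return -1;
    if (write(fd[1], p, 1) != 1)
        rc = 0;                         /* EFAULT: not even readable */
    else if (read(fd[0], (void *)p, 1) == 1)
        rc = 1;                         /* kernel wrote it back: writable */
    else
        rc = 0;                         /* EFAULT: read-only page, e.g. .rodata */
    close(fd[0]);
    close(fd[1]);
    return rc;
}

/* Interposed printf: log a "positive" (writable, hence variable, format string)
 * with the process ID, then forward to the real implementation. */
static int checked_printf(const char *fmt, ...)
{
    va_list ap;
    int n;
    if (is_writable(fmt) == 1)
        fprintf(stderr, "[fmtcheck] pid %ld: writable format at %p\n",
                (long)getpid(), (const void *)fmt);
    va_start(ap, fmt);
    n = vprintf(fmt, ap);
    va_end(ap);
    return n;
}

/* A literal sits on a read-only page with most toolchains: expect 0. */
static int probe_literal(void) { return is_writable("%d items\n"); }

/* The same text copied into a stack buffer is writable: expect 1. */
static int probe_stack_copy(void)
{
    char buf[32];
    strcpy(buf, "%d items\n");
    return is_writable(buf);
}
```

Calling checked_printf with the stack copy as the format produces a log line; calling it with the literal stays silent. The SIGSEGV-based variant the footnote mentions is deliberately not used here, for the thread-safety reason it gives.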
