
Bugtraq mailing list archives

Microsoft C++ feature against buffer overflows itself vulnerable
From: "Chris Ren" <cren () cigital com>
Date: Thu, 14 Feb 2002 09:00:42 -0500

Microsoft added a new security feature to their latest C++ compiler, called
both Visual C++.Net and Visual C++ version 7, that was released February
13th.  This security feature is meant to protect potentially vulnerable
source code automatically from some forms of buffer overflow attack.  The
protection afforded by the new feature allows developers to continue to use
vulnerable string functions such as strcpy() as usual and still be
"protected" against some forms of stack smashing.  The new feature is
closely based on an invention of Crispin Cowan's called StackGuard and is
meant to be used when creating standard native code (not the new .NET
intermediate language, referred to as "managed code").

Note that the new feature is meant to protect any program compiled with the
"protected" compiler feature.  In other words, the idea is that using this
feature should help developers build more secure software.  However, in its
current form, the Microsoft feature leads to a false sense of security
because it is easily defeated.

Microsoft's feature includes the ability to set a "security error handler"
function to be called when a potential attack is underway.  Because of the
way this was implemented, the Microsoft security feature is itself
vulnerable to attack.  An attacker can craft a special-purpose attack
against a "protected" program, defeating the protection mechanism in a
straightforward way.  This kind of attack is not new.  See, for example,
Phrack 56 at http://www.phrack.org/show.php?p=56&a=5
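How a StackGuard-style canary check of the kind the post describes detects a linear overrun before the saved return address is reached, and where the "security error handler" sits in that flow. This is an added example, not code from the post, from StackGuard or from Microsoft's compiler; the frame layout, the canary value, the handler and the all-'A' demo input are constructed for illustration.

```c
/* Added illustration, not code from the post or from Microsoft: a simulated
 * StackGuard-style canary check, the mechanism the post says the Visual C++ 7
 * feature is closely based on. Frame layout, canary and handler are constructed. */
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 16
#define CANARY   0x0AFF0D00u   /* constructed canary value */

/* Simulated frame: the canary sits between the local buffer and the saved
 * return address, so a linear overrun must clobber it before the address. */
struct frame {
    char     buf[BUF_SIZE];
    uint32_t canary;
    uint32_t saved_return;
};

/* In the scheme the post criticises this is a function pointer the program
 * can install; here it only counts the events it is called for. */
static int violations = 0;
static void security_error_handler(void) { violations++; }

/* Copy len bytes into the frame starting at buf with no bounds check (models
 * strcpy()), then verify the canary before "returning": 1 = corruption
 * detected, 0 = frame intact. The copy goes through a byte view of the whole
 * frame, capped at its size, so the overrun stays inside this object. */
int protected_copy(const char *input, size_t len)
{
    struct frame f;
    unsigned char *raw = (unsigned char *)&f;   /* buf is at offset 0 */
    f.canary = CANARY;
    f.saved_return = 0x08040000u;               /* constructed placeholder */
    if (len > sizeof f) len = sizeof f;
    memcpy(raw, input, len);
    if (f.canary != CANARY) {                   /* StackGuard-style check */
        security_error_handler();
        return 1;
    }
    return 0;
}

/* Helper: feed len bytes of 'A' and report whether the check fired. */
int demo(size_t len)
{
    char input[sizeof(struct frame)];
    memset(input, 'A', sizeof input);
    return protected_copy(input, len);
}
```

demo(16) fills the buffer exactly and returns 0; demo(17) and anything longer overwrite the canary and return 1, which is the only point at which the handler is ever consulted.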

There are several well known approaches not based on StackGuard that a
compiler-producer might use to defeat buffer overflow attacks.  Microsoft
chose to adopt a weak solution rather than a more robust solution.  This is
a design-level flaw leading to a very serious set of potential attacks
against code compiled with the new compiler.  The Microsoft compiler is thus
in some sense a "vulnerability seeder".

More technical information about the flaw can be found at 

Microsoft has been alerted to the flaw.

Chris Ren
