If you are a Windows user, you may be used to seeing a bunch of updates pop up around the second Tuesday of every month that purport to fix "critical security issues." Microsoft's continuous effort to fix these vulnerabilities in its operating system consumes a lot of resources, but it is well worth it to the users: in a world of ever-increasing cyber security threats, no hole in our computers' defenses should be left open to potential attackers.

The recent mailing list discussion around ReactOS SVN revision 66192 shows just how easy it is to introduce a critical security issue into kernel code. I will be using this instance as an example of a simple but security-relevant bug, and to illustrate some of the steps kernel code must take to ensure the security of the system it runs on.

So let's get right on it and have a look at the code in question:

```c
NtUserSetInformationThread(IN HANDLE ThreadHandle,
                           IN USERTHREADINFOCLASS ThreadInformationClass,
                           /* ... */)
    /* ... */
    if (ThreadInformationLength != sizeof(ULONG))
    /* ... */
    Status = UserInitiateShutdown(Thread, (PULONG) ThreadInformation)
```

The above is a snippet from NtUserSetInformationThread, a system call routine in win32k.sys that can be (more or less) directly called from a user-mode program. ThreadInformation is a pointer to some arbitrary piece of data whose meaning depends on the ThreadInformationClass parameter; in the UserThreadInitiateShutdown case, it is supposed to be a single 4-byte integer. ThreadInformationLength describes the size of this data, and as we can see, the code validates that this value is correct and fails with STATUS_INFO_LENGTH_MISMATCH if it is not. Note that both of these parameters come directly from the user program, so a piece of malware calling this function would have direct control over their values.

Now let's look at what happens with ThreadInformation as it gets passed to UserInitiateShutdown:
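The snippet shows the length check but not the handling of the pointer itself. The following is an added, stand-alone model in C (not ReactOS or Windows code) of what a syscall entry must do with a user-supplied ThreadInformation pointer before any worker such as UserInitiateShutdown sees it: validate the length, probe the address for alignment and range, and copy the ULONG into kernel-owned storage. The UserSpace buffer, ProbeAndCaptureUlong and UserInitiateShutdownModel are constructed for this model; the NTSTATUS values are the real ones from ntstatus.h.

```c
#include <stdint.h>
#include <string.h>

typedef int32_t NTSTATUS;
typedef uint32_t ULONG;
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000)
#define STATUS_DATATYPE_MISALIGNMENT ((NTSTATUS)0x80000002)
#define STATUS_INFO_LENGTH_MISMATCH  ((NTSTATUS)0xC0000004)
#define STATUS_ACCESS_VIOLATION      ((NTSTATUS)0xC0000005)
#define STATUS_INVALID_PARAMETER     ((NTSTATUS)0xC000000D)

/* Constructed stand-in for the user address space: the "user pointer" the
 * syscall receives is an offset into this buffer, so probing is deterministic. */
#define USER_SPACE_SIZE 64
static uint8_t UserSpace[USER_SPACE_SIZE];

/* Lets the (simulated) user program place a value in its own memory. */
void UserWriteUlong(uintptr_t UserAddr, ULONG Value) {
    if (UserAddr <= USER_SPACE_SIZE - sizeof(ULONG))
        memcpy(&UserSpace[UserAddr], &Value, sizeof(ULONG));
}

/* Model of ProbeForRead followed by a capture: reject a wrong length, a
 * misaligned address, or any range reaching outside user memory, and only
 * then copy the ULONG into kernel-owned storage (the caller's local). */
static NTSTATUS ProbeAndCaptureUlong(uintptr_t UserAddr, ULONG Length, ULONG *Out) {
    if (Length != sizeof(ULONG))
        return STATUS_INFO_LENGTH_MISMATCH;          /* the check shown on the page */
    if (UserAddr % sizeof(ULONG) != 0)
        return STATUS_DATATYPE_MISALIGNMENT;
    if (UserAddr > USER_SPACE_SIZE || Length > USER_SPACE_SIZE - UserAddr)
        return STATUS_ACCESS_VIOLATION;              /* range would leave user memory */
    memcpy(Out, &UserSpace[UserAddr], sizeof(ULONG));
    return STATUS_SUCCESS;
}

/* Hypothetical worker standing in for UserInitiateShutdown: it is only ever
 * handed a pointer to the kernel-local copy, never the user pointer. */
static NTSTATUS UserInitiateShutdownModel(ULONG *Flags) {
    return (*Flags != 0) ? STATUS_SUCCESS : STATUS_INVALID_PARAMETER;
}

/* Model of the syscall entry for the UserThreadInitiateShutdown class. */
NTSTATUS NtUserSetInformationThreadModel(uintptr_t ThreadInformation, ULONG ThreadInformationLength) {
    ULONG Captured;
    NTSTATUS Status = ProbeAndCaptureUlong(ThreadInformation, ThreadInformationLength, &Captured);
    if (Status != STATUS_SUCCESS)
        return Status;
    return UserInitiateShutdownModel(&Captured);
}
```

A real kernel raises these failures from inside a __try/__except block around the access rather than returning them from a range check, but the ordering (length, alignment, range, then a single copy) is the same.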