Testing RPC and DCOM-Based Applications
The best languages for testing these types of applications are probably C/C++. I don't recommend Visual Basic because it plays by the rules: it generally won't let you create bogus buffer data, and unlike C/C++ it has poor buffer manipulation capabilities. Because ActiveState Perl supports COM, Perl can be used to test COM IDispatch (OLE automation) interfaces.
When creating RPC/DCOM test harnesses in C/C++, you'll need to acquire or CoCreateInstance the interface, build buffers up manually using normal C/C++ buffer methods (malloc, new, etc.), and call the functions being tested directly.
Testing Resource-Based Applications (Registry Files)
A number of vulnerabilities in the past were caused by applications reading data from physical resources such as files and registry keys and, in so doing, overflowing internal buffers. Testing for this type of vulnerability is a little different from testing sockets, RPCs, and pipes, because the buffer injection is indirect. Rather than sending the bogus data to the recipient directly, you "prime" the resource and then make the recipient read the resource. Just about any language that can write data to your resource type and then make your application read the resource will suffice.
Take the following steps to test resource-based applications:
- Write the malformed resource (for example, the registry key).
- Launch the application that reads the resource. Here is some sample Perl code that writes a file, including some gunk, and launches the application to read the file:
use strict;
use warnings;

my $BIG_BUFF = 16384;            # number of bytes to inject
my $bData = 'A' x $BIG_BUFF;     # 16,384 letter 'A's
my $file = "foo.txt";            # the resource the target application reads
my $app = "crash.exe";           # the application under test

# Create (or truncate) the resource and fill it with the bogus data.
open(my $fh, '>', $file) or die "Unable to open file '$file': $!";
print $fh $bData;                # print, not printf: the data is not a format string
close($fh) or die "Unable to close file '$file': $!";

# Make the application read the primed resource.
my $command = $app . " " . $file;
print "Invoking '" . $command . "'\n";
`$command`;
Perl executes whatever is between the backticks (`). In this case, it will be crash.exe foo.txt, and we just created foo.txt filled with 16,384 letter 'A's. Hopefully, crash.exe handles a buffer of this size!
You can clobber the registry too, using Perl and the Win32API::Registry class.
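As an added example (not code from the original article), the same prime-and-launch procedure generalized in Python: it sweeps several sizes instead of one, launches the reader with a timeout so a hung parser is recorded as well, and classifies the outcome from the exit status. crash.exe is replaced by a constructed stand-in reader with a simulated fixed buffer; the size list, the 4,096-byte stub buffer and the file name are assumptions.

```python
import os
import subprocess
import sys
import tempfile

# Sizes to sweep (assumed); the article's single 16,384-byte case sits in the middle.
SIZES = (256, 1024, 4096, 16384, 65536)

def classify(proc):
    """Turn a finished (or hung) run into a verdict a tester can act on."""
    if proc is None:
        return "hang"                      # a reader that never returns is a finding too
    rc = proc.returncode
    if rc < 0 or rc >= 0xC0000000:         # POSIX signal / Windows exception status code
        return "crash"
    return "ok" if rc == 0 else "error"

def sweep(cmd, sizes=SIZES, fill=b"A", timeout=10):
    """Prime the resource at each size, launch the reader on it, record verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "foo.txt")
        for size in sizes:
            with open(path, "wb") as fh:   # truncate, so each run sees exactly `size` bytes
                fh.write(fill * size)
            try:
                proc = subprocess.run(cmd + [path], capture_output=True, timeout=timeout)
            except subprocess.TimeoutExpired:
                proc = None
            results[size] = classify(proc)
    return results

# Constructed stand-in for crash.exe (not a real program): a reader with a
# simulated 4,096-byte fixed buffer that aborts (SIGABRT on POSIX) on anything larger.
STUB_READER = ("import os, sys\n"
               "data = open(sys.argv[1], 'rb').read()\n"
               "os.abort() if len(data) > 4096 else sys.exit(0)\n")

def demo():
    """Run the sweep against the stand-in reader; returns {size: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        stub = os.path.join(tmp, "reader.py")
        with open(stub, "w") as fh:
            fh.write(STUB_READER)
        return sweep([sys.executable, stub])

if __name__ == "__main__":
    for size, verdict in demo().items():
        print(f"{size:>6} bytes: {verdict}")
```

To test a real reader, pass its command line to sweep() in place of the stub, e.g. sweep(["crash.exe"]).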
Buffer overruns are a very insidious problem that can lead to many security vulnerabilities. It is imperative that you have some test plans with the words "buffer overrun" in them. If not, start with this document!
Michael Howard is a program manager on the Windows 2000 security team. He is the author of Designing Secure Web-Based Applications for Microsoft Windows 2000 and has spoken about security-related issues at many events, including Microsoft Tech·Ed, Microsoft Professional Developer's Conferences, and numerous industry gatherings. He can be reached at mikehow@microsoft.com.