[Info-vax] VAX Macro to C conversion
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Wed Jul 10 13:33:01 EDT 2019
On 2019-07-10, Scott Dorsey <kludge at panix.com> wrote:
>
> If you look at CERT advisories regarding security vulnerabilities in the
> past few decades, you will see that the vast majority of them are the direct
> consequence of poor management of null-terminated strings.
>
> I know, the null-terminated string thing seemed like a good idea, and easy
> to graft onto C, but in the end it has been a terrible, terrible plan and
> has cost us greatly.
This can also work the other way around.
Counted strings and descriptors can be harder to compromise, but
when you can compromise them, they can also be easier to exploit.
When I compromised DCL, I needed to insert the address of the
code to execute into the prompt string. This address appeared
as a stream of binary bytes in the prompt string, including
0x00 characters.
With a null-terminated string, the copy would have stopped at the
first null. This is a known problem when trying to exploit some
types of buffer overflows, and you have to use various techniques
to try to work around it.
However, as DCL uses either a counted string or descriptor (I don't
know which), the prompt string just got copied as-is, nulls and all,
and promptly overwrote the return address without me having to worry
about any of that.
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
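The contrast Simon describes, as an added example that is not part of the original post and not DCL's or VMS's code: a toy stack frame (a 16-byte prompt buffer immediately followed by the saved return address) is overwritten once with a strcpy-style copy and once with a length-driven copy. The target address 0x401136 is constructed for illustration; its little-endian encoding contains five 0x00 bytes. The `counted_str` type is a hypothetical length-plus-pointer pair, not the real VMS descriptor layout, and a little-endian host is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a stack frame: a prompt buffer followed immediately by the
 * saved return address, kept as one flat byte array so the "overflow" stays
 * within defined behaviour. The bug being modelled is a copy that has no
 * bound derived from the destination buffer. */
#define BUF_SIZE   ((size_t)16)
#define FRAME_SIZE (BUF_SIZE + sizeof(uint64_t))

/* Hypothetical counted-string type (length + pointer). This is NOT the real
 * VMS descriptor layout, just enough to show a length-driven copy. */
struct counted_str {
    size_t len;
    const unsigned char *ptr;
};

static void init_frame(unsigned char *frame, uint64_t legit_ret) {
    memset(frame, 0, BUF_SIZE);
    memcpy(frame + BUF_SIZE, &legit_ret, sizeof legit_ret); /* little-endian host assumed */
}

static uint64_t read_ret(const unsigned char *frame) {
    uint64_t r;
    memcpy(&r, frame + BUF_SIZE, sizeof r);
    return r;
}

/* Attacker "prompt string": BUF_SIZE bytes of filler, then the target address
 * in little-endian byte order. A small code address such as 0x401136 has
 * 0x00 bytes in its upper half, which is the situation the post describes. */
static void build_payload(unsigned char *out, uint64_t target) {
    memset(out, 'A', BUF_SIZE);
    for (size_t i = 0; i < sizeof(uint64_t); i++)
        out[BUF_SIZE + i] = (unsigned char)(target >> (8 * i));
}

/* strcpy-style copy: walks the source until the first 0x00 and then writes a
 * terminating 0x00 itself. Returns the saved return address after the copy. */
uint64_t overflow_cstring(uint64_t legit_ret, uint64_t target) {
    unsigned char frame[FRAME_SIZE];
    unsigned char payload[FRAME_SIZE + 1];
    init_frame(frame, legit_ret);
    build_payload(payload, target);
    payload[FRAME_SIZE] = 0;            /* the C string's own terminator */

    size_t n = 0;
    while (n < FRAME_SIZE && payload[n] != 0) {
        frame[n] = payload[n];
        n++;
    }
    if (n < FRAME_SIZE)
        frame[n] = 0;                   /* strcpy also copies the NUL */
    return read_ret(frame);
}

/* Counted-string copy: copies exactly src.len bytes, 0x00 bytes included.
 * The clamp to FRAME_SIZE only models the end of the toy frame; it is not a
 * bounds check on the destination buffer. */
uint64_t overflow_counted(uint64_t legit_ret, uint64_t target) {
    unsigned char frame[FRAME_SIZE];
    unsigned char payload[FRAME_SIZE];
    init_frame(frame, legit_ret);
    build_payload(payload, target);

    struct counted_str src = { FRAME_SIZE, payload };
    size_t n = src.len < FRAME_SIZE ? src.len : FRAME_SIZE;
    memcpy(frame, src.ptr, n);
    return read_ret(frame);
}

int main(void) {
    const uint64_t legit  = 0x00007ffff7a2d830ULL; /* constructed "real" return address */
    const uint64_t target = 0x0000000000401136ULL; /* constructed attacker target */
    printf("C-string copy -> return address %016llx\n",
           (unsigned long long)overflow_cstring(legit, target));
    printf("counted copy  -> return address %016llx\n",
           (unsigned long long)overflow_counted(legit, target));
    return 0;
}
```

With the constructed values, the strcpy-style copy stops after the three non-zero low bytes of the target and drops its own terminator on the fourth, so the saved return address ends up as the mixture 0x00007fff00401136 rather than the intended 0x401136; the counted copy delivers all eight bytes and the return address is exactly the attacker's value. Replacing the C-string copy with `strncpy`, or the counted copy with a length clamped to the destination size, is the check both copies are missing.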