October 24, 2008

Careful about the analysis you read about MS08-067

So unless you have lived under a rock since Tuesday, you know about MS08-067. It is an out-of-band security bulletin about a vulnerability in the Server Service that allows complete code execution by a remote attacker. It's rather nasty. And there are PoC trojans and worms already in the wild.

But I don't want to talk about the vulnerability. Everybody in the world has been doing that. I want to talk about the ANALYSIS of it.

First off, there is some GREAT SDL analysis from Michael Howard over on the SDL blog. (You can read it here) Michael poses the question why SDL didn't catch this, and goes into detail discussing what mitigating circumstances exist around the code analysis... and how SDL DID work here. It's a great read.

What is MORE concerning to me though is some of the poor analysis. Jesper and I were looking at some decompiled code Alexander Sotirov released and it is apparent that there are some small but CRITICAL errors in his deciphering of the code. As an example, there is one block which reads:

while (*p != L'\\' || *p != L'/')
    if (*p == L'\0')
        return 0;

It took me a few times looking at that code to realize that it is quite possible that the loop would cause the function to bail out way before it could get to the real meat of MS08-067, because the loop condition always evaluates to TRUE. After looking further at the comments in the code and completing a truth table, it was clear to Jesper and me that this code seemed suspicious... too many faults and a coding style that simply isn't how Microsoft writes code. BTW, if you don't see the problem with the loop, realize that it should be an AND, not an OR: no character can be both a backslash and a slash, so the OR is always true and the loop can only exit on the NUL check. A path of '\\server' will always bail. If this simple issue was wrong in the decompile, what else could be wrong?
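To make that concrete, here is an added example (not from the post, and not Microsoft's or Sotirov's code) that runs the quoted condition and its AND counterpart over a path and checks the truth table; the `p++` is an assumption, since the quoted fragment shows nothing that advances the pointer.

```c
#include <stddef.h>

/* Scan forward from p until a path separator is found. Returns a pointer
 * to the separator, or NULL if the string ends first ("bail out").
 * The loop condition is the one quoted from the decompile: a character
 * cannot be both '\\' and '/', so the OR is always true and the loop can
 * only leave through the NUL check.  The p++ is assumed (added example). */
const wchar_t *find_sep_as_decompiled(const wchar_t *p)
{
    while (*p != L'\\' || *p != L'/') {
        if (*p == L'\0')
            return NULL;
        p++;
    }
    return p;   /* never reached: the condition never becomes false */
}

/* Same scan with the condition the post says it should be: keep going
 * while the character is neither separator, stop when it is one. */
const wchar_t *find_sep_corrected(const wchar_t *p)
{
    while (*p != L'\\' && *p != L'/') {
        if (*p == L'\0')
            return NULL;
        p++;
    }
    return p;
}

/* Truth table over the three character classes the test distinguishes:
 * backslash, slash, anything else.  Returns 1 when the OR form is true
 * for all three (a tautology) and the AND form is true only for "other". */
int condition_truth_table(void)
{
    const wchar_t cases[3] = { L'\\', L'/', L'a' };
    int or_always_true = 1, and_only_other = 1;
    for (int i = 0; i < 3; i++) {
        wchar_t c = cases[i];
        int or_form  = (c != L'\\' || c != L'/');
        int and_form = (c != L'\\' && c != L'/');
        if (!or_form)
            or_always_true = 0;
        if (and_form != (i == 2))   /* only the 'a' case should pass */
            and_only_other = 0;
    }
    return or_always_true && and_only_other;
}
```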

Anyways, to confirm the code was questionable I loaded netapi32.dll into IDA Pro (god I love that tool) and broke it down to check. Sure enough... that code analysis was NOT correct. In a few places.

Lesson to learn here is that on the Internet, everyone has a voice. What you choose to believe is really up to you. But don't believe all the analysis out there. It simply isn't correct.

MS08-067 is bad. Patch NOW. Leave the code analysis to us. :)

Posted by SilverStr at October 24, 2008 03:10 PM

Holy SHIT dude, you're a fucking idiot. Try decompiling a function at 4 in the morning as fast as you possibly can. So fucking what that Alex messed up ONE operating. People make mistakes and the function is still VULN.

MS fan boys like you and Jesper piss me off to no end, no matter what you're at the defense of MS.

(notice my use of random capital letters, much like your blog posts)

Posted by: ErikC at October 25, 2008 01:59 PM

Here are some points:
1. If your security analysis is based on someone "decompiling a function at 4 in the morning as fast as you possibly can", then the analysis is going to be flawed, or at least stands more chance of being flawed than if it's carried out a little more leisurely, or with access to people who know things. I think that's Dana's point here.
2. We're apparently supposed to forgive Alex for providing a detailed and incorrect decompilation, but Dana's supposed to "fuck off and die in a fire" for noting this? That's something of a double standard, surely.
3. Yes, the function is still vulnerable - the decompilation was supposed to show us that, but unfortunately it's impossible to tell what's the vulnerability and what's a transcription error. That makes Alex's original post somewhat useless (I gather he has made some changes, but the last time I visited it, this error had crept back in again).
4. Jesper and Dana (and myself) are not "MS fan boys". "Paid stooges" doesn't really cover it, either. We're know-it-all busybodies who have persistently won a Microsoft award for voluntarily helping Microsoft users. Me, I support Windows because it's where I make money - I think Dana's the same. Jesper - well, he's a special breed unto himself. Used to work for Microsoft, now works at a shop that likes to not use Windows, so I'd say he's not exactly a fan-boy by any stretch of the term.
5. I'm not quite sure what "ONE operating" is, or how you might mess it up, so I'm wondering if it was 4am where you are when you wrote the post, or perhaps if you believe you're uniquely qualified to assess the idiocy or otherwise of a post due to your own extensive experience in that sphere.
Whatever the case is, your comment serves as a good example of how not to comment if you want what you say to be taken remotely seriously. Thanks for the object lesson.
P.S. Where an argument lacks in its ability to persuade, profanity doesn't generally hide that. It just makes you sound like a pre-teen.

Posted by: Alun Jones at October 28, 2008 01:59 PM