SecurityTracker.com
Category:   Application (Generic)  >   LCC-Win32
Vendors:   Navia, Jacob
LCC-Win32 'C' Language Compiler May Insert Portions of System Memory Contents into Compiled Code
SecurityTracker Alert ID:  1004973
SecurityTracker URL:  http://securitytracker.com/id/1004973
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 7 2002
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information


Description:   A vulnerability was reported in the LCC-Win32 C compiler for Windows platforms. The compiler may leak some current memory into the compiled code.

It is reported that when LCC-Win32 compiles source code, it inserts some bytes (overlay) after the import table. For some executables, the compiled code may contain portions of the system memory at the time of compilation.

Impact:   The compiler may insert portions of the operating system memory into the compiled code.
Solution:   No vendor solution was available at the time of this entry. According to the report, the vendor has indicated that the flaw is due to a Windows 98/Me operating system bug and is not a flaw in LCC-Win32.

The author of the report has provided some recommendations for removing the inserted code using third party utilities. See the Source Message for more details.

Vendor URL:  www.cs.virginia.edu/~lcc-win32/
Cause:   Access control error
Underlying OS:   Windows (Me), Windows (98)

Message History:   None.


 Source Message Contents

Date:  Fri, 2 Aug 2002 21:07:35 +0000
Subject:  Lcc-win32 infos diffusion


######################################################################

Application: Lcc-win32 (http://www.cs.virginia.edu/~lcc-win32/)
Version:     ALL and next too (bug ONLY on Win9x/Me, NOT other Windows
             versions) (see Fix section for details)
Bug:         Parts of computer memory are inserted after the import
             table of the executables created with Lcc.
Risk:        Possible diffusion of personal information. The parts of
             memory copied in the exe can be pieces of files, system
             and user information and anything else.
Author:      Auriemma Luigi (e-mail: bugtest@sitoverde.com)

######################################################################


Sections:
1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy

----------------------------------------------------------------------

1) Introduction

Lcc is really an excellent and very diffused free C compiler for
Win32.
It also contains a good IDE (Wedit) for creating or continuing projects
simply.
For example, I use it to compile everything written in C and also for
the proof-of-concept programs attached to my advisories (eh eh,
you can imagine my face when I found this bug and thought
of all the code I have diffused before...).

----------------------------------------------------------------------

2) Bug

As I have said in the header of my advisory, the bug is reproducible
ONLY on Windows 9x/Me.
When Lcc compiles source code it inserts some bytes (overlay) after
the import table.
Normally these bytes could be all zeros, but this is not so in Win9x/Me.

Then, not all our executables will be filled with parts of memory, and
this seems to be caused by the size of the resulting exe (not sure).
For example, if in source code that doesn't reproduce the bug we insert
or delete some lines of code, when we recompile it we will see
that it now contains other bytes instead of the normal 0x00 bytes.

This is a simple example:

 example.c
-----------
#include <stdio.h>

int main(void) {
	printf("Lcc bug\n");
	return(0);
}
-----------

If we compile this little code we will see that after the import
table there are some bytes (just after CRTDLL.DLL and some '@') that
are different each time we compile it.

This means that we can find parts of other files, part of the source
code or part of it in assembly, system and user info, random pieces
of memory and more.

For example, in some of my executables I have found a file with some
e-mail addresses of my friends, information about my system and also
a piece of a bug report I had written some days before!

Take a look at example.exe compiled on my machine:

0000b30: 3040 0043 5254 444c 4c2e 444c 4c00 0014  0@.CRTDLL.DLL...
0000b40: 3040 0014 3040 0014 3040 0014 3040 0014  0@..0@..0@..0@..
0000b50: 3040 003d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d  0@.=============
0000b60: 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d  ================
0000b70: 3d3d 3d0a 4946 2045 5849 5354 206a 6574  ===.IF EXIST jet
0000b80: 7479 656e 762e 6261 7420 4341 4c4c 206a  tyenv.bat CALL j
0000b90: 6574 7479 656e 762e 6261 740a 0a72 656d  ettyenv.bat..rem
0000ba0: 203d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d   ===============
0000bb0: 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d  ================
0000bc0: 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d  ================
0000bd0: 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 0a72 656d  ============.rem
0000be0: 203d 3d20 6368 6563 6b20 666f 7220 4a41   == check for JA
0000bf0: 5641 5f48 4f4d 4520 656e 7600 0000 0020  VA_HOME env....
0000c00: 0000 0000 0000 0020 0000 0000 1000 0000  ....... ........
0000c10: 1400 0000 2000 0000 2400 00              .... ...$..

The bytes after the last "0@." are exactly the same bytes as the file
jetty.bat, a batch file of a Java web-server!!!

----------------------------------------------------------------------

3) The Code

Watch the bytes after the import table of the executables compiled
with Lcc.

----------------------------------------------------------------------

4) Fix

The author of Lcc has told me that this is a problem of the
operating systems that I have listed before, because they don't clear
the memory well, so no official patch exists.

However, it is very simple to erase this problem.
You can manually delete, overwrite or check these useless bytes or do
it automatically using utilities that strip Windows PE executables.

My choice is FileScanner. This excellent free utility, which does a
lot of useful and interesting things, can also reduce the file size
and delete these useless and "anti-privacy" bytes.

The homepage of FS is http://smf.chat.ru/
You can download it directly from http://smf.chat.ru/files/fs.zip
So to fix your applications compiled with Lcc, you can simply use:

fs -se file.exe

----------------------------------------------------------------------

5) Philosophy

I'm really hopeful about FULL-DISCLOSURE, because with that
"everyone" can know the real effects of an attack, the real danger of
a bug, someone can learn a bit of programming (I have learned a bit of
C from the source code of some exploits) and it's useful for all the
people that are hopeful in this type of disclosure.
No secrets!

----------------------------------------------------------------------

Any type of feedback is really welcome!

Byez
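
A post-build check for this class of leak, as an added example that is not part of the advisory, Lcc or FileScanner: it reports printable runs in PE section alignment filler (raw bytes past VirtualSize) and in any trailing overlay, and can overwrite them with zeros. It assumes the stray bytes land in those ranges, which the advisory does not specify beyond "after the import table"; `padding_ranges`, `find_leaks`, `scrub` and the constructed `build_sample` image are illustrative names.

```python
import re
import struct

def padding_ranges(pe):
    """File ranges holding only alignment filler: (section, start, end)."""
    nt, = struct.unpack_from("<I", pe, 0x3C)             # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, = struct.unpack_from("<H", pe, nt + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)    # SizeOfOptionalHeader
    table, last_end = nt + 24 + opt_size, 0
    for hdr in range(table, table + 40 * nsect, 40):
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _rva, rsize, rptr = struct.unpack_from("<4I", pe, hdr + 8)
        if rptr and rsize:
            last_end = max(last_end, rptr + rsize)
            if 0 < vsize < rsize:                        # filler after real data
                yield name, rptr + vsize, min(rptr + rsize, len(pe))
    if last_end < len(pe):                               # data after all sections
        yield "(overlay)", last_end, len(pe)

def find_leaks(pe, min_len=6):
    """Printable runs inside filler: [(section, file_offset, text)]."""
    pat = re.compile(rb"[\x20-\x7e\r\n\t]{%d,}" % min_len)
    return [(name, m.start(), m.group().decode("ascii"))
            for name, start, end in padding_ranges(pe)
            for m in pat.finditer(pe, start, end)]

def scrub(pe):
    """Copy of the image with every filler range overwritten with zeros."""
    out = bytearray(pe)
    for _name, start, end in padding_ranges(pe):
        out[start:end] = bytes(end - start)
    return bytes(out)

def build_sample(filler):
    """Constructed one-section PE32 layout; .idata uses 0x40 of 0x200 raw bytes."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)              # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)         # i386, one section
    struct.pack_into("<H", img, 0x54, 0xE0)              # SizeOfOptionalHeader
    img[0x138:0x140] = b".idata\0\0"
    struct.pack_into("<4I", img, 0x140, 0x40, 0x3000, 0x200, 0x200)
    img[0x200:0x20B] = b"CRTDLL.DLL\0"
    img[0x240:0x240 + len(filler)] = filler              # simulated stale memory
    return bytes(img)
```

Overlays can be legitimate (installers, appended signatures), so review the hits before running `scrub` on a release binary.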




 
 



Copyright 2014, SecurityGlobal.net LLC