
Windows deliberate backdoor?

Interesting read for the geeky amongst you.

http://www.grc.com/sn/SN-022.htm

the meaty bit:


"Steve: Well, okay. First of all, it makes no sense at all in a metafile device context. In the context of processing a metafile, setting a printer abort is crazy because it's not a printer context. You don't print metafile contexts in this way. It's just not the way it's done in Windows. So it doesn't make sense. But it's like, okay, well, so maybe, you know, it's there anyway; they didn't think to remove it or take it out. Except that, when I was pursuing this and finally got it to work, what Windows did when it encountered this Escape function, followed by the SETABORTPROC metafile record, was it jumped immediately to the next byte of code and began to execute it. That is, it was no longer interpreting my metafile records record by record, which is the way metafiles are supposed to be processed. You don't actually execute the metafile. As we said before last week, and I think the week before, it's sort of a script. It's a script of Windows graphics calls that allow you to specify, you know, draw a rectangle from here to here, draw a line from there to there. And it's in a nice sort of device-independent fashion. So you don't run the code in the metafile. But what Windows did when it encountered this particular nonsensical sequence was to start executing the next byte of code in the metafile.

Leo: Hmm.

Steve: And it's like, okay, wait a minute.

Leo: Why?

Steve: You know, that's crazy. But what's even more crazy is what it took for me to make it do this. As I said before, each record in a metafile begins with a four-byte length, followed by a two-byte function number. So in other words, each metafile record has six bytes minimum that it can possibly be in size. Oh, and since the size is in words, the smallest possible size for a metafile record would be three words long, or six bytes. Look, the reason I had problems making this exploit happen initially is I was setting the length correctly. It turns out that the only way to get Windows to misbehave in this bizarre fashion is to set the length to one, which is an impossible value. I tried setting it to zero. It didn't trigger the exploit. I tried setting it to two, no effect. Three, no effect. Nothing, not even the correct length. Only one."
Permalink Jesus H Christ 
January 15th, 2006
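The record layout Steve describes (a four-byte size in words, then a two-byte function number, so three words is the smallest possible record) is exactly what a defender can check for. The scanner below is an added example written for this thread, not code from the podcast or from Microsoft: it walks a WMF record stream, flags any record whose declared size is below the three-word minimum, and flags any Escape record carrying the SETABORTPROC escape code, since that call has no meaning inside a metafile. The record constants (META_ESCAPE 0x0626, escape code 9 for SETABORTPROC, the 18-byte META_HEADER, the 22-byte placeable header) come from the published MS-WMF format; the three sample files are constructed inline purely to exercise the scanner and carry no executable payload.

```python
import struct
from typing import List, Optional, Tuple

# Constants from the MS-WMF file format (not taken from the thread).
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus placeable header
META_HEADER_BYTES = 18         # HeaderSize field is 9 words
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009
MIN_RECORD_WORDS = 3           # 4-byte size + 2-byte function = 6 bytes


def scan_wmf(data: bytes) -> List[Tuple[int, str]]:
    """Walk the record stream and return (offset, finding) pairs.

    An empty list means every record had a sane size and no SETABORTPROC
    escape was seen. Scanning stops at the first impossible size because
    record boundaries can no longer be trusted after that point.
    """
    findings: List[Tuple[int, str]] = []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + META_HEADER_BYTES:
        return [(0, "truncated metafile header")]
    off += META_HEADER_BYTES

    while True:
        if off + 6 > len(data):
            findings.append((off, "record stream ends without META_EOF"))
            break
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF:
            break
        # Escape records carry the escape code in the first parameter word.
        if func == META_ESCAPE and off + 8 <= len(data):
            escape_code = struct.unpack_from("<H", data, off + 6)[0]
            if escape_code == ESCAPE_SETABORTPROC:
                findings.append((off, "Escape/SETABORTPROC record: meaningless "
                                      "in a metafile, treat as hostile"))
        if size_words < MIN_RECORD_WORDS:
            findings.append((off, f"impossible record size {size_words} words "
                                  f"(minimum is {MIN_RECORD_WORDS}); stopping"))
            break
        end = off + size_words * 2
        if end > len(data):
            findings.append((off, "record size overruns the file"))
            break
        off = end
    return findings


# --- constructed sample files (test fixtures, not real-world metafiles) ---

def _record(func: int, params: bytes, size_words: Optional[int] = None) -> bytes:
    """Build one record; size_words may be forced to an invalid value."""
    body = struct.pack("<H", func) + params
    if size_words is None:
        size_words = (4 + len(body)) // 2
    return struct.pack("<I", size_words) + body


def _wmf(records: bytes) -> bytes:
    """Prefix a minimal META_HEADER (memory metafile, version 0x0300)."""
    total_words = (META_HEADER_BYTES + len(records)) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 0, 0)
    return header + records


_SETMAPMODE = _record(META_SETMAPMODE, struct.pack("<H", 1))  # MM_TEXT
_EOF = _record(META_EOF, b"")
# Escape parameters: escape code, then byte count of escape data (zero here).
_ABORTPROC_PARAMS = struct.pack("<HH", ESCAPE_SETABORTPROC, 0)

BENIGN_WMF = _wmf(_SETMAPMODE + _EOF)
# The case Steve describes: size field forced to the impossible value 1.
BAD_LENGTH_WMF = _wmf(_SETMAPMODE + _record(META_ESCAPE, _ABORTPROC_PARAMS, 1) + _EOF)
# The case MSRC describes: same escape, but with a correct size field.
CORRECT_LENGTH_WMF = _wmf(_SETMAPMODE + _record(META_ESCAPE, _ABORTPROC_PARAMS) + _EOF)

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("bad-length", BAD_LENGTH_WMF),
                       ("correct-length", CORRECT_LENGTH_WMF)]:
        print(name, scan_wmf(blob) or "clean")
```

Because the escape code is checked before the size field, the scanner reports the SETABORTPROC record in both the impossible-length sample and the correctly-sized one, which is the right behaviour given that the two sources in this thread disagree about which sizes matter.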
"Well, it's not like a trojan, where they would be able to contact a remote machine. But, for example, if Microsoft was worried that for some reason in the future they might have cause to get visitors to their website to execute code, even if ActiveX is turned off, even if security is up full, even if firewalls are on, basically if Microsoft wanted a short circuit, a means to get code run in a Windows machine by visiting their website, they have had that ability, and this code gave it to them."
Permalink Jesus H Christ 
January 15th, 2006
No. If you're interested why it was there in the first place, check out http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx
Permalink Rex Adventure 
January 15th, 2006
Interesting link, thanks.

they say:

"Now, there’s been some speculation that you can only trigger this by using an incorrect size in your metafile record and that this trigger was somehow intentional. That speculation is wrong on both counts. The vulnerability can be triggered with correct or incorrect size values."

but he says:

"It turns out that the only way to get Windows to misbehave in this bizarre fashion is to set the length to one, which is an impossible value. I tried setting it to zero. It didn't trigger the exploit. I tried setting it to two, no effect. Three, no effect. Nothing, not even the correct length. Only one."

That's pretty specific, and not what MS are saying at all.

Interesting bug anyway.
Permalink Jesus H Christ 
January 15th, 2006
The question is, does the bug appear in Windows NT? I can understand why 95/98/ME would process the files differently from any NT-line operating systems (NT, 2000, XP, Vista).

However, if the bug doesn't appear in NT then how did it get into later versions of the OS!
Permalink Almost H. Anonymous 
January 15th, 2006
Either way, I don't think it's deliberate -- we all know how weird bugs can happen.
Permalink Almost H. Anonymous 
January 15th, 2006
The issue with the length field, apparently, depends on where in the file the trigger is placed. If it's at the end, you need an invalid length field that will cause the issue.

I'm amused that Win9x is (relatively) safe (or at least safer) because it disables the printer-related call unless actually printing, which means that an attack can't be automated in the same way.

The dancing bunny problem means that win9x is always going to be a fundamentally unsafe OS that will never have sufficient security updates created, but hey, you pays your money and you takes your chances. Or something.

Those bad people not buying new computers so they can actually run the new OS versions - somebody ought to spank them.
Permalink  
January 15th, 2006
The backdoor is exit-only, man, nothing's supposed to go in it. Anything else is against God's law. Unless ya want to go to hell, of course.
Permalink Bubba 
January 15th, 2006
This was my favorite part of that podcast:


Leo: Okay, so first let's just circle back to previous episodes and catch up with anything we left out there. Anything you want to update?

Steve: Yeah. There were a couple things sort of in my category of errata. Someone made the point that I refer to hackers as "hackers," rather than as "crackers."

Leo: Oh, we get this every time.

Steve: I know.

Leo: I get this so often. Let's address it.

Steve: Yeah, exactly. So I wanted to say something about it. You know, for me, the term "cracker" just, I don't know, it sounds like, you know, what African Americans refer to white guys as, or like a saltine. It just doesn't seem serious and evil. And so, you know, I try to say "malicious hacker." But, you know, on the fly, you know, when you and I are talking, I just say "hacker."
Permalink bionicroach 
January 16th, 2006

This topic was originally posted to the off-topic forum of the Joel on Software discussion board.
