It's GB2312 text converted to BIG5 encoding!
The last four characters are "*教教我啊*" ("teach me, please")!
諒諒扂陛 = *教教我啊*

2009/1/30 raystyle <[email protected]>

> What are you even saying?
>
>
> 2009/1/29 ayarei <[email protected]>
>
>
>> I'm a half-baked amateur, I don't understand any of it....
>> And the master won't teach me either!
>>
>> On Jan 29, 5:41 pm, raystyle <[email protected]> wrote:
>> > Ha, so AY is looking into this too?
>> >
>> > 2009/1/29 ayaREI <[email protected]>
>> >
>> > > Periodically we get reports into the MSRC of stack exhaustion in client-side applications such as Internet Explorer, Word, etc. These are valid stability bugs that, fortunately, do not lead to an exploitable condition by themselves (no potential for elevation of privilege). We wanted to clarify the distinction between stack exhaustion and stack buffer overflow. Stack buffer overflows often lead to elevation of privilege. Unfortunately, the literature tends to use "stack overflow" to refer to both cases, hence the confusion. The error code STATUS_STACK_BUFFER_OVERRUN (0xc0000409) refers to a stack buffer overflow, while the error code STATUS_STACK_OVERFLOW (0xc00000fd) refers to stack exhaustion.
>> >
>> > > On Bugtraq this morning, there was a public post of a stack exhaustion bug that, fortunately, does not lead to arbitrary code execution. Let's take a closer look at it and a few other examples. We'll start with today's Bugtraq posting:
>> >
>> > > <INPUT type="text" name="A" value="CCCCCCCCCCCCCCCCCCCC(many thousands)">
>> >
>> > > When IE attempts to parse this HTML, it runs out of stack space. Hooking up WinDbg, you will observe the following first-chance exception:
>> >
>> > > (f9c.5b8): Stack overflow - code c00000fd (first chance)
>> > > First chance exceptions are reported before any exception handling.
>> > > This exception may be expected and handled.
>> > > eax=00000000 ebx=0337304c ecx=09410040 edx=0007c3c0 esi=00000000 edi=0346b800
>> > > eip=77f66627 esp=03373000 ebp=03373000 iopl=0         nv up ei pl nz na pe nc
>> > > cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
>> > > 77f66627 56              push    esi
>> >
>> > > The stack is simply exhausted and there is no possibility of running arbitrary code in this case. Let's look at a few others.
>> >
>> > > The next issue was also reported in IE recently:
>> >
>> > > <SCRIPT>
>> > > foo = new Array();
>> > > while(true) {foo = new Array(foo).sort();}
>> > > </SCRIPT>
>> >
>> > > Again, the HTML has requested an extraordinary amount of stack space. IE attempts to allocate space and it eventually runs out. Unable to process the HTML, it returns a stack overflow / exhaustion error (0xc00000fd).
>> >
>> > > One last example is from April 2008 and, again, it leads to a stack overflow/exhaustion error (0xc00000fd):
>> >
>> > > var str = "aaaaaaaaaaaaaaa(many thousands)"
>> > > document.myform.text.value = str
>> > > document.myform.submit()
>> >
>> > > <form name='myform'>
>> > > <input name='text' type='text' />
>> > > <input name='Submit' type='submit' />
>> > > </form>
>> >
>> > > As you can see, there are several ways of reaching a stack exhaustion condition. Fortunately, these are stability issues that by themselves cannot lead to remote code execution. This happens when a parsing client-side application cannot allocate enough stack space to complete an operation (as shown in the examples here, where a web page was attempting to allocate as much stack as possible and eventually runs out of space).
>> >
>> > > We are always happy to triage bugs sent to [email protected]. Please send them in to us. We are definitely committed to engineering and security excellence. We evaluate every report and determine whether to service them as security issues or whether to hand them off to the product team to fix as reliability and stability issues. For each security issue, we will triage against the SDL bug bar (link to sample bug bar <http://msdn.microsoft.com/en-us/library/cc307404.aspx>) and address it via the MSRC security bulletin process. All issues (such as these stack exhaustion bugs) that are stability or reliability issues are triaged according to customer impact and addressed in future releases of the product.
>> >
>> > > - Jonathan Ness, SVRD blogger
>> >
>> > > *Posting is provided "AS IS" with no warranties, and confers no rights.*
>> >
>> > > References:
>> >
>> > > STATUS_STACK_OVERFLOW (0xc00000fd):
>> >
>> > >    - Debugging a Stack Overflow
>> > >    http://msdn.microsoft.com/en-us/library/cc267849.aspx
>> > >    - StackOverflowException Class
>> > >    http://msdn.microsoft.com/en-us/library/system.stackoverflowexception...
>> >
>> > > STATUS_STACK_BUFFER_OVERRUN (0xc0000409):
>> >
>> > >    - Analyze Crashes to Find Security Vulnerabilities in Your Apps
>> > >    http://msdn.microsoft.com/en-us/magazine/cc163311.aspx
>> >>
>>

--~--~---------~--~----~------------~-------~--~----~
 To post to this group, send email to [email protected]
 To unsubscribe from this group, send email to [email protected]
-~----------~----~----~----~------~----~------~--~---
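The MSRC post quoted above separates two failure modes that both get called "stack overflow": exhaustion (0xc00000fd, a reliability bug) and a stack buffer overrun (0xc0000409, what the /GS cookie check reports, and a security bug). The C program below is an added example written for this thread, not code from the MSRC post or from IE; it shows both on a toy recursive-descent parser. The grammar (nested parentheses), the MAX_DEPTH budget of 64 and the DEMO_COOKIE constant are assumptions chosen for the demo, and the /GS frame is modelled as a struct so the overrun can be observed without actually corrupting the process stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed recursion budget for the demo. A real parser would derive it from
 * the thread's stack size divided by the worst-case frame size. */
#define MAX_DEPTH 64

enum parse_result { PARSE_OK = 0, PARSE_BAD_INPUT = -1, PARSE_TOO_DEEP = -2 };

/* Recursive-descent parser for a toy grammar of nested parentheses. Every
 * '(' recurses, so stack use grows with the nesting of untrusted input: with
 * no limit, a few hundred thousand '(' walk off the end of the stack, the
 * 0xc00000fd condition in the IE reports. With the check, the parser returns
 * PARSE_TOO_DEEP long before the guard page is reached. */
static int parse_group(const char **p, int depth, int *max_seen)
{
    if (depth > MAX_DEPTH)
        return PARSE_TOO_DEEP;
    if (depth > *max_seen)
        *max_seen = depth;
    while (**p != '\0') {
        if (**p == '(') {
            (*p)++;
            int r = parse_group(p, depth + 1, max_seen);
            if (r != PARSE_OK)
                return r;
            if (**p != ')')
                return PARSE_BAD_INPUT;   /* opened but never closed */
            (*p)++;
        } else if (**p == ')') {
            return depth == 0 ? PARSE_BAD_INPUT : PARSE_OK;  /* stray closer at top level */
        } else {
            (*p)++;                       /* ordinary character */
        }
    }
    return depth == 0 ? PARSE_OK : PARSE_BAD_INPUT;
}

/* Parses s; *max_depth (if non-NULL) receives the deepest nesting reached. */
int parse_nested(const char *s, int *max_depth)
{
    const char *p = s;
    int seen = 0;
    int r = parse_group(&p, 0, &seen);
    if (max_depth)
        *max_depth = seen;
    return r;
}

/* Deepest nesting of a well-formed s, or the negative parse error. */
int max_nesting_of(const char *s)
{
    int d = 0;
    int r = parse_nested(s, &d);
    return r == PARSE_OK ? d : r;
}

/* Constructed input standing in for the "many thousands" of characters in
 * the reports: n '(' followed by n ')'. Returns the parse result. */
int parse_repeated_nesting(size_t n)
{
    char *s = malloc(2 * n + 1);
    if (s == NULL)
        return PARSE_BAD_INPUT;
    memset(s, '(', n);
    memset(s + n, ')', n);
    s[2 * n] = '\0';
    int r = parse_nested(s, NULL);
    free(s);
    return r;
}

/* Toy model of the /GS cookie behind 0xc0000409: the compiler places the
 * cookie between the local buffer and the saved return address, so an
 * overrun long enough to reach the return address also clobbers the cookie
 * and the epilogue check calls __report_gsfailure. Here the frame is a
 * struct checked explicitly, so the overrun is visible without touching the
 * real stack frame. DEMO_COOKIE is fixed for the demo; /GS uses a
 * per-module value chosen at load time. */
#define DEMO_COOKIE 0xBB40E64Eu

int copy_with_cookie_check(const char *src, size_t n)
{
    struct {
        char buf[16];
        uint32_t cookie;   /* directly after buf; 16 is 4-aligned, no padding */
    } frame;
    volatile unsigned char *dst = (volatile unsigned char *)&frame;  /* == &frame.buf[0] */
    size_t i;

    if (n > sizeof frame)
        return -1;         /* past the model frame; nothing to show safely */
    frame.cookie = DEMO_COOKIE;

    /* The bug being modelled: the copy is bounded by the attacker's length n,
     * not by sizeof buf. Bytes 16..19 of the copy land on the cookie. */
    for (i = 0; i < n; i++)
        dst[i] = (unsigned char)src[i];

    return frame.cookie == DEMO_COOKIE ? 0 : 1;   /* 1 = overrun detected */
}
```

parse_repeated_nesting(200000) returns PARSE_TOO_DEEP after 65 frames instead of crashing, which is the difference between a reliability fix (bound the recursion) and the IE reports; copy_with_cookie_check with n above 16 flips to 1, the condition that /GS turns into STATUS_STACK_BUFFER_OVERRUN and that MSRC triages as a security issue.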
