Posted by Symantec, 01-17-2007, 10:07 AM

Locked and Loaded
<p>Last year, I found a curious bug in Windows regarding the handling of certain invalid opcode sequences. At the time, I simply documented it and then forgot about it. Recently, however, I was reminded of the bug, so I thought that other people might be interested in reading about it.</p>

<p>Because of the way in which the Intel x86 architecture works, when an invalid opcode exception occurs, there is no easy way to tell why it occurred. By this, I mean that without actually looking at the faulting opcode sequence, it's not possible to tell the difference between an unsupported opcode and an invalid use of the LOCK prefix. For this reason, Windows runs this code:</p>

<pre><code>    mov ecx, 4                  ; maximum prefix count
look_op:
    mov al, byte ptr es:[esi]   ; points to faulting opcode sequence
    cmp al, 0F0h                ; looks like LOCK?
    je op_lock                  ; yes
    add esi, 1                  ; no, continue with next byte
    loop look_op                ; until no more bytes
    mov eax, 0C000001Dh         ; STATUS_ILLEGAL_INSTRUCTION
    ret
op_lock:
    mov eax, 0C000001Eh         ; STATUS_INVALID_LOCK_SEQUENCE
    ret</code></pre>

<p>While there are only three classes of prefixes that can appear in addition to an otherwise valid lock sequence (segment override, operand-size override, and address-size override), no current CPU instruction allows REP to be combined with LOCK. This is the reason for the value of 4 in ecx. The bug is that Windows checks for only the LOCK prefix and no other. Thus, if the value "f0" happens to appear anywhere within the first four bytes of the faulting opcode sequence, <em>even if it is not truly a LOCK</em> (e.g. fe f0), then Windows will return the wrong exception value.</p>

<p>This is a particular problem for operating-system emulators, since such a condition would occur only rarely, so it seems likely that no one has support for this behaviour. Surprise!</p>
http://www.symantec.com/enterprise/security_response/weblog/2007/01/locked_and_loaded.html
Wed, 17 Jan 2007 05:45:00 -0800
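As an added illustration (not code from the Symantec post or from Windows), here is the classification the post describes written out in C, next to a prefix-aware variant that an emulator author might prefer. The function names, the prefix table and the sample byte sequences are constructed for this example.

```c
#include <stdio.h>
#include <stdint.h>

#define STATUS_ILLEGAL_INSTRUCTION   0xC000001DU
#define STATUS_INVALID_LOCK_SEQUENCE 0xC000001EU
#define MAX_PREFIX_COUNT 4           /* the "mov ecx, 4" in the post */
/* The check as the post describes it: any 0xF0 within the first four bytes
 * of the faulting sequence is reported as a LOCK prefix, whatever it really is. */
uint32_t classify_as_described(const uint8_t *op, size_t len)
{
    size_t limit = len < MAX_PREFIX_COUNT ? len : MAX_PREFIX_COUNT;
    for (size_t i = 0; i < limit; i++)
        if (op[i] == 0xF0)
            return STATUS_INVALID_LOCK_SEQUENCE;
    return STATUS_ILLEGAL_INSTRUCTION;
}

/* Legacy prefixes that may precede an opcode: segment overrides,
 * operand-size, address-size, LOCK and REPNE/REP. */
static int is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0x26: case 0x2E: case 0x36: case 0x3E: case 0x64: case 0x65:
    case 0x66: case 0x67: case 0xF0: case 0xF2: case 0xF3:
        return 1;
    default:
        return 0;
    }
}

/* Prefix-aware variant (a hypothetical fix, not Windows' code): stop at the
 * first non-prefix byte, so a 0xF0 in the opcode or ModRM position is not LOCK. */
uint32_t classify_prefix_aware(const uint8_t *op, size_t len)
{
    size_t limit = len < MAX_PREFIX_COUNT ? len : MAX_PREFIX_COUNT;
    for (size_t i = 0; i < limit && is_legacy_prefix(op[i]); i++)
        if (op[i] == 0xF0)
            return STATUS_INVALID_LOCK_SEQUENCE;
    return STATUS_ILLEGAL_INSTRUCTION;
}

int main(void)
{
    /* Constructed sample: the post's "fe f0", where 0xF0 is a ModRM byte, not LOCK. */
    static const uint8_t fe_f0[] = { 0xFE, 0xF0 };
    printf("fe f0: as described 0x%08x, prefix-aware 0x%08x\n",
           (unsigned)classify_as_described(fe_f0, 2), (unsigned)classify_prefix_aware(fe_f0, 2));
    return 0;
}
```

The two functions agree on a real LOCK prefix (with or without a segment override in front of it) and on a plain undefined opcode; they disagree exactly on the post's "fe f0" case.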