
Re: [Cryptography] Windows security leads to 0-day in Windows security

On 10/31/20 4:59 AM, Peter Gutmann wrote:
I'm always amused to see security components used to break security.  This
time it's Windows' CNG, a.k.a. Cryptography API: Next Generation, which has an
0-day in it that affects every version of Windows back to Windows 7:

https://bugs.chromium.org/p/project-zero/issues/detail?id=2104

It's at the kernel level, and being exploited in the wild.  Very unsporting of
the attackers to ignore the "security line, do not cross" tape and attack
there anyway.

It seems strange to me that one of the better C/C++ compilers out there (Visual Studio) wouldn't see the potential for an integer overflow here. (To be sure, it's UNSIGNED integer overflow, which is at least not undefined behaviour. That might in fact be part of the problem here.) Also, it seems to me that fuzzing would have found this problem rather quickly. It's a very odd bug to have survived apparently since Win7.

Do you have any insights on how this bug remained in the code base for so long, and why none of the (reportedly excellent) static analysis components of Visual Studio have alerted to it?

Fun

Stephan

PS: Windows has ioctls? I'd always thought they were a Unix specialty.
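The bug class under discussion, unsigned wraparound in a length check inside an ioctl-style request handler, as an added illustration that is not code from the Project Zero report, from Windows, or from either poster. The `field_desc_t` layout, the `BUF_SIZE` constant and all function names are assumptions made for the example; it is not the CNG code and does not reproduce the actual defect. It shows the wrapping check beside a hardened form, plus a tiny boundary-value fuzzer of the sort that finds the wrapping version on the first pass:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a request header of the kind an ioctl handler
 * would parse from user-supplied input. Both fields are attacker-controlled.
 * (Assumed layout, not the real CNG property block.) */
typedef struct {
    uint32_t offset;   /* where the caller says the field starts */
    uint32_t length;   /* how many bytes the caller says it spans */
} field_desc_t;

/* Size of the kernel-side buffer the field must fit inside (assumed). */
#define BUF_SIZE 256u

/* Vulnerable check: offset + length is computed in 32 bits, so a length
 * such as 0xFFFFFFF0 wraps the sum to a small value and the check passes
 * even though the field lies far outside the buffer. Unsigned wraparound
 * is well-defined C, so neither the compiler nor a default UBSan build
 * (which does not enable unsigned-integer-overflow) complains about it. */
static bool check_bounds_wrapping(const field_desc_t *d) {
    uint32_t end = d->offset + d->length;
    return end <= BUF_SIZE;
}

/* Hardened check: rearranged so that no intermediate value can wrap.
 * offset is bounded first, then length is compared against the space
 * that remains, which is a subtraction that cannot underflow. */
static bool check_bounds_checked(const field_desc_t *d) {
    if (d->offset > BUF_SIZE) return false;
    return d->length <= BUF_SIZE - d->offset;
}

/* Oracle: the same predicate evaluated in 64 bits, where the sum cannot wrap. */
static bool in_bounds_oracle(const field_desc_t *d) {
    return (uint64_t)d->offset + (uint64_t)d->length <= BUF_SIZE;
}

/* Minimal boundary-value fuzzer: try every pair from a small set of
 * interesting values and count the cases where `check` accepts a
 * descriptor that the oracle rejects. Each false accept is a descriptor
 * that would let the handler read or write outside the buffer. */
static unsigned count_false_accepts(bool (*check)(const field_desc_t *)) {
    static const uint32_t interesting[] = {
        0u, 1u, BUF_SIZE - 1, BUF_SIZE, BUF_SIZE + 1,
        0x7FFFFFFFu, 0x80000000u, UINT32_MAX - BUF_SIZE, UINT32_MAX - 1, UINT32_MAX
    };
    size_t n = sizeof interesting / sizeof interesting[0];
    unsigned bad = 0;
    for (size_t i = 0; i < n; i++) {
        for (size_t j = 0; j < n; j++) {
            field_desc_t d = { interesting[i], interesting[j] };
            if (check(&d) && !in_bounds_oracle(&d)) bad++;
        }
    }
    return bad;
}

int main(void) {
    /* 16 + 0xFFFFFFF0 is exactly 2^32, which wraps to 0 in uint32_t. */
    field_desc_t evil = { 16u, 0xFFFFFFF0u };
    printf("wrapping check accepts evil descriptor: %d\n", check_bounds_wrapping(&evil));
    printf("checked version accepts it:             %d\n", check_bounds_checked(&evil));
    printf("false accepts, wrapping check: %u\n", count_false_accepts(check_bounds_wrapping));
    printf("false accepts, checked version: %u\n", count_false_accepts(check_bounds_checked));
    return 0;
}
```

The point of the oracle-plus-fuzzer pair is that a static analyser has to be told that the sum is a length and that wrapping matters, whereas a fuzzer only needs a reference predicate to compare against; the ten boundary values above are enough to expose the wrapping check without any random search.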
_______________________________________________
The cryptography mailing list
cryptography AT metzdowd.com
https://www.metzdowd.com/mailman/listinfo/cryptography