Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19828
HistoryMay 12, 2008 - 12:00 a.m.

[Full-disclosure] # a new bug in Olly

2008-05-1200:00:00
vulners.com
14
JSON

Hello full-disclosure!

I've found a bug in Olly leading to crash SEH/VEH-based programs
during tracing. (an example-pack could be found at my web-site
http://nezumi.org.ru/olly-bug-776.zip, it includes two SEH/VEH
programs and requests XP or latter to run VEH, while SEH works
everywhere).

Load an example into Olly and start tracing [F7]
/* we can skip the first call by pressing [F8]
(Step Over), since it has nothing interesting for us */

xor eax,eax/mov eax,[eax] generates an exceptions,
catching by OS kernel. the kernel saves registry context
(including TF-bit, set by Olly to "1") and passes control
to NTDLL.DLL!KiUserExceptionDispatcher function -
the first user-land function executes after an exception.
it calls SEH/VEH handler (if there is at lest one).

if the handler returns control to the code, where the exception
was raised, registry context (including TF-bit) is restored by
OS kernel. everything is fine, yes? hell, no!!!

Olly catches NTDLL.DLL!KiUserExceptionDispatcher and offers us
to press Shift-F7/F8/F9. Olly allows to trace KiUserExceptionDispatcher, but totally forgets to clean TF-bit.
as result - when control is passed the to original code
(to the command follows mov eax,[eax] in our case, since handler
adds 2bytes /* sizeof mov eax,[eax] */ to EIP), TF-bit is set!!!
so, a new exception occurs and SEH/VEH handler is called again
and over again, coz, Olly passes this exception to the program,
coz it forgets who "owns" this exception!!!

since, SEH/VEH handler doesn't expect to handle trace exaction,
we have an undefined behavior (a crash).

it's definitely a bug!!! and how we can to fix it?!
well, it's very simple. look at the prototype of
KiUserExceptionDispatcher(EXCPT_REC *pExcptRec, CONTEXT *pContext).
everything we need - is just to take pContext and clear
TF-bit manually.
pContext is the next DWORD on the stack and EFlags has C0h offset,
while TF-bit is the first bit of the next word (1 << 8).
just clean it and enjoy! press [F9] to Run the program or
do whatever you want!

of course, we can create plug-in, doing it automatically,
or set-up a conditional breakpoint on KiUserExceptionDispatcher.

I've checked the latest 2.00e version [April 19, 2008] and…
the bug is still there, damn it!

I reported about this bug to the Olly creator and he admitted it,
writing me back:

Dear Kris Kaspersky,

thank you for your bug report.

I will try to remove it from v2.0 ASAP.

Sincerely, Olly

–
Best regards,
kris mailto:[email protected]

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON