[MS] Misinterpreting the misleadingly-named STATUS_STACK_BUFFER_OVERRUN - devamazonaws.blogspot.com

I noted some time ago that STATUS_STACK_BUFFER_OVERRUN doesn't mean that there was a stack buffer overrun, although that's what it meant at first. Later, the status code was broadened to mean "Program self-triggered abnormal termination", but it was too late to change the name.

A security vulnerability report came in that went like this:

I have found a stack overflow bug in Explorer. This stack overflow occurs in ucrtbase.dll and Windows.UI.FileExplorer.dll. Since it occurs in Explorer, this can be exploited to escalate privileges. To reproduce, download the attached ZIP file and right-click it. I have also attached Explorer crash dumps for analysis.

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffcaa19dd7e (ucrtbase!abort+0x000000000000004e)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000007
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT

STACK_TEXT:
ucrtbase!abort+0x4e
ucrtbase!terminate+0x29
ucrtbase!__crt_state_management::wrapped_invoke<void (__cdecl*)(void) noexcept,void>+0xf
explorer!_scrt_unhandled_exception_filter+0x5a
KERNELBASE!UnhandledExceptionFilter+0x1f1
ntdll!LdrpLogFatalUserCallbackException+0xa2
ntdll!KiUserCallbackDispatcherHandler+0x20
ntdll!RtlpExecuteHandlerForException+0xf
ntdll!RtlDispatchException+0x25a
ntdll!RtlRaiseException+0x163
KERNELBASE!RaiseException+0x6c
msvcr90!_CxxThrowException+0x86
contoso+0x104d
contososhellext!OnInvokeCommand+0x548
contososhellext!OnInvokeCommand+0x24d2a
contososhellext!OnGetCommandString+0x4f
contoso+0x2abd
contoso+0x27f0
shell32!CDefFolderMenu::GetCommandString+0x1f6
shell32!CDefFolderMenu::_UnduplicateVerbs+0x31f
shell32!CDefFolderMenu::QueryContextMenu+0x7d2
shell32!CDefView::_DoContextMenuPopup+0x2f7
shell32!CDefView::OnSelectionContextMenu+0x85
explorerframe!UIItemsView::ShowContextMenu+0x378
explorerframe!CItemsView::ShowContextMenu+0x17
shell32!CDefView::_DoContextMenu+0x92
shell32!CDefView::_OnContextMenu+0xec
shell32!CDefView::WndProc+0x718
shell32!CDefView::s_WndProc+0x5c
user32!UserCallWinProcCheckWow+0x33c
user32!CallWindowProcW+0x8e

From the exception record, we see that this was a fast-fail: FAST_FAIL_FATAL_APP_EXIT.

From the stack trace we can see that this was due to an unhandled C++ exception thrown by Contoso: Contoso called _CxxThrowException, and this ended up reaching the _scrt_unhandled_exception_filter, which decided to terminate the process.

The problem is therefore with the Contoso shell extension: When you right-click this file, the Contoso shell extension throws a C++ exception which it does not handle.

C++ exceptions cannot be thrown across the ABI boundary because there's no requirement in the ABI that the calling code even be written in C++ at all!¹ And certainly unhandled C++ exceptions are really bad ideas.

There is a bug here, but the bug is in the Contoso shell extension, not in Explorer. Such is the punishment for allowing third party extensibility: Any bug in a third party extension manifests itself as a bug in Explorer.

¹ For example, the Windows 95 shell was written in C.


Post Updated on July 31, 2023 at 03:00PM
Thanks for reading
from devamazonaws.blogspot.com

Comments

Post a Comment

Popular posts from this blog

Scenarios capability now generally available for Amazon Q in QuickSight - devamazonaws.blogspot.com

Today, AWS announces the general availability of the scenarios capability of Amazon Q in QuickSight. Amazon Q guides you through data analysis by uncovering hidden trends, making recommendations for your business, and intelligently suggesting next steps for deeper exploration—all in response to natural language interactions. Now anyone can explore past trends, forecast future scenarios, and model solutions without needing specialized skill, analyst support, or manual manipulation of data in spreadsheets. With its intuitive interface and step-by-step guidance, the scenarios capability of Amazon Q in QuickSight helps users perform complex data analysis up to 10x faster than spreadsheets. Whether you're optimizing marketing budgets, streamlining supply chains, or analyzing investments, Amazon Q makes advanced data analysis accessible so you can make data-driven decisions across your organization. This capability is accessible from any Amazon QuickSight dashboard, so you can move seam...
Read more

[MS] Introducing Pull Request Annotation for CodeQL and Dependency Scanning in GitHub Advanced Security for Azure DevOps - devamazonaws.blogspot.com

Image
In the world of software development, security is paramount. As developers, we strive to write clean, efficient, and most importantly, secure code. GitHub Advanced Security for Azure DevOps has always been at the forefront of providing tools that make it easier to build and release high-quality software. Today, we’re excited to announce a new feature release that will take your code security to the next level: PR (Pull Request) Annotation for CodeQL and Dependency Scanning. PR Annotation - What Does it Mean for You? Pull Request Annotation brings security insights directly into your development workflow. Here’s how it works: When you raise a Pull Request, CodeQL runs automatically, scanning for any potential security issues. Dependency Scanning concurrently checks for vulnerabilities in packages or libraries you might be using. If any issues are found, they are reported directly on the PR interface as annotations. Developers can see exactly what the problem is and where it occu...
Read more

AWS Console Mobile Application adds support for Amazon Lightsail - devamazonaws.blogspot.com

AWS customers can now access Amazon Lightsail from within the AWS Console Mobile App to monitor and manage Lightsail instances, containers, databases, network, storage, snapshots, domains and DNS while on the go. Visit the Services tab in the AWS Console Mobile App and select Lightsail to get started. The AWS Console Mobile App enables AWS customers monitor and manage a select set of resources and receive push notifications to stay informed and connected with their AWS resources while on-the-go. The sign-in process supports biometrics authentication, making access to AWS resources simple, secure, and quick. Lightsail offers easy-to-use virtual private server (VPS) instances, storage, databases, and more for a cost-effective monthly price. For AWS services not available natively, customers can access the AWS Management Console via an in-app browser to access service pages without additional authentication, manual navigation, or need to switch from the app to a browser. Visit the AWS...
Read more