{"id":1343,"date":"2014-04-02T07:00:00","date_gmt":"2014-04-02T07:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2014\/04\/02\/it-rather-involved-being-on-the-other-side-of-this-airtight-hatchway-invalid-parameters-from-one-security-level-crashing-code-at-the-same-security-level-again\/"},"modified":"2014-04-02T07:00:00","modified_gmt":"2014-04-02T07:00:00","slug":"it-rather-involved-being-on-the-other-side-of-this-airtight-hatchway-invalid-parameters-from-one-security-level-crashing-code-at-the-same-security-level-again","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20140402-00\/?p=1343","title":{"rendered":"It rather involved being on the other side of this airtight hatchway: Invalid parameters from one security level crashing code at the same security level (again)"},"content":{"rendered":"<p>\nA few years after\n<a HREF=\"http:\/\/blogs.msdn.com\/b\/oldnewthing\/archive\/2010\/12\/09\/10101773.aspx\">\nI posted this story<\/a>,\nthe security team received something very similar.\n<\/p>\n<blockquote CLASS=\"q\"><p>\nI have found that if you call the\nXYZ function\n(whose last parameter is supposed to be a pointer to a <code>DWORD<\/code>)\nand instead of passing a valid pointer to a <code>DWORD<\/code>,\nyou pass <code>NULL<\/code>,\nthen you can trigger an access violation in the XYZ function.\nThe XYZ function does not check whether the input parameter is\n<code>NULL<\/code>.\nThis is a denial of service attack against the system.\n<\/p><\/blockquote>\n<p>\nOkay, first of all,\neven if the XYZ function checked that the final parameter is\nnon-<code>NULL<\/code>,\nthat wouldn&#8217;t prevent a caller from passing an invalid non-<code>NULL<\/code>\npointer,\nso adding a <code>NULL<\/code> check doesn&#8217;t accomplish much\nfrom a security-theoretical standpoint.\n<\/p>\n<p>\nThe problem with this vulnerability report is that there is no elevation.\nThe attack code and the code that 
crashes\nare on the same side of the airtight hatchway.\nIf your goal was to make the process crash,\nthen instead of passing invalid parameters to the XYZ function,\nyou can just trigger the crash yourself.\n<\/p>\n<pre>\n#include &lt;windows.h&gt; \/\/ DWORD and NULL come from the Windows SDK headers\n\n\/\/ Deliberately write through a null pointer: this raises the same access\n\/\/ violation the report describes, with no help from the XYZ function.\nint __cdecl main(int, char**)\n{\n    return *(DWORD*)NULL = 0;\n}\n<\/pre>\n<p>\nIn other words, in order to trigger an access violation in the XYZ function,\nyou must already have had enough privilege to run code,\nwhich means that you already have enough privilege to trigger\nan access violation without even needing the help of the XYZ function.\n<\/p>\n<p>\nThis dubious vulnerability falls into the category\n<i>Code execution results in code execution<\/i>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A few years after I posted this story, the security team received something very similar. I have found that if you call the XYZ function (whose last parameter is supposed to be a pointer to a DWORD) and instead of passing a valid pointer to a DWORD, you pass NULL, then you can trigger an [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-1343","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"<p>A few years after I posted this story, the security team received something very similar. 
I have found that if you call the XYZ function (whose last parameter is supposed to be a pointer to a DWORD) and instead of passing a valid pointer to a DWORD, you pass NULL, then you can trigger an [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/1343","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=1343"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/1343\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=1343"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=1343"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=1343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}