<h1>Security: Don't forget to initialize the stuff you don't care about</h1>
<p>The Old New Thing, 2006-07-03. <a href="https://devblogs.microsoft.com/oldnewthing/20060703-00/?p=30663">https://devblogs.microsoft.com/oldnewthing/20060703-00/?p=30663</a></p>
<p>
Lost in the excitement over privilege escalation vulnerabilities is the
humbler information disclosure that comes from leaving memory
uninitialized.
Everybody should by now be familiar with the
<code>SecureZeroMemory</code> function, which ensures that buffers
that used to contain sensitive information are really erased,
but you also have to zero out buffers <em>before</em> you write their
contents to another location.
Consider, for example, the following binary format:
</p>
<pre>
struct FILEHEADER {
    DWORD dwMagic;
    DWORD dwVersion;
    WCHAR wszComment[256];
    DWORD cbData;
    // followed by cbData bytes of data
};
</pre>
<p>
Code that writes out one of these files might go like this:
</p>
<pre>
// StringCchCopyW comes from &lt;strsafe.h&gt;; FILE_MAGICNUMBER and
// FILE_CURRENTVERSION are defined elsewhere in the program.
BOOL SaveToFile(HANDLE hFile, LPCWSTR pszComment,
                DWORD cbData, const BYTE *pbData)
{
  DWORD cbWritten;
  FILEHEADER fh;
  fh.dwMagic = FILE_MAGICNUMBER;
  fh.dwVersion = FILE_CURRENTVERSION;
  fh.cbData = cbData;
  // Copy the comment (fails with an error HRESULT if it would
  // not fit), then write the fixed-size header followed by the data.
  return SUCCEEDED(StringCchCopyW(
             fh.wszComment, 256, pszComment)) &amp;&amp;
         WriteFile(hFile, &amp;fh, sizeof(fh), &amp;cbWritten, NULL) &amp;&amp;
         cbWritten == sizeof(fh) &amp;&amp;
         WriteFile(hFile, pbData, cbData, &amp;cbWritten, NULL) &amp;&amp;
         cbWritten == cbData;
}
</pre>
<p>
Do you see the security bug?
</p>
<p>
If the comment is shorter than 255 characters,
then the bytes of <code>wszComment</code> after the terminating null
are whatever happened to be on the stack when <code>SaveToFile</code>
was called, and <code>WriteFile</code> copies all
<code>sizeof(fh)</code> bytes, garbage included, into the file.
That stack garbage might contain interesting information that
you didn't intend to leak.
Sure, it won't contain information that you already recognized
as highly sensitive, such as passwords, because you erased those,
but it still might contain information that, while less sensitive,
would still be valuable to somebody looking for it.
For example, depending on where the compiler decided to put
the local variables of some earlier call, you might leak an account
name into those unused bytes.
</p>
<p>
The fix is to clear the entire structure before you fill it in,
for example with <code>ZeroMemory(&amp;fh, sizeof(fh))</code> as the
first statement of the function.
Clearing the whole structure rather than just the comment tail also
covers any padding bytes the compiler inserts between members,
which member-by-member assignment never touches.
(Plain <code>ZeroMemory</code> is enough here:
<code>SecureZeroMemory</code> exists so that a clear whose result is
never read cannot be optimized away, but these zeroed bytes are
subsequently passed to <code>WriteFile</code>, so the compiler cannot
treat the clear as a dead store.)
</p>
<p>
I'm told that one company's networking software from a long time ago
had a bug just like this one.
They used a very advanced "change password" algorithm,
the details of which are not important.
The design was that only heavily encrypted data was transmitted on the wire.
That way, somebody who sat on the network and captured packets
wouldn't see anything of value.
Except that they had a bug in their client:
When it sent the encrypted password to the server,
it forgot to null out the unused bytes in the "change password" packet.
And in those unused bytes were, you guessed it, a copy of the password
in plain text.
</p>
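<p>
The leak described above, reproduced in portable C as an added example
(this is not code from the original post): the post's
<code>SaveToFile</code> header-building logic sits beside a version that
zeroes the header first. Both are run on memory that a constructed
credential string previously occupied, standing in for stack garbage, and
a check counts the bytes of the comment field that nobody assigned but
that would still reach the disk, then searches them for the old
credential. The Windows types, the two <code>FILE_*</code> constants, the
comment text and the credential are all assumptions standing in for the
real ones.
</p>

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Portable stand-ins for the Windows types in the post (assumption: DWORD is 32-bit,
   WCHAR is 16-bit). The two constants are hypothetical; the post never defines them. */
typedef uint32_t DWORD;
typedef uint16_t WCHAR;
#define FILE_MAGICNUMBER    0x46494C45u
#define FILE_CURRENTVERSION 1u
#define COMMENT_CCH         256

typedef struct {
    DWORD dwMagic;
    DWORD dwVersion;
    WCHAR wszComment[COMMENT_CCH];
    DWORD cbData;
} FILEHEADER;

/* The header as WriteFile would see it: the same bytes viewed two ways. */
typedef union { FILEHEADER fh; unsigned char raw[sizeof(FILEHEADER)]; } HEADER_SLOT;

/* Stand-in for StringCchCopyW on an ASCII comment: copies at most cch-1 chars, terminates. */
static bool copy_comment(WCHAR *dst, size_t cch, const char *src)
{
    size_t i = 0;
    for (; src[i] != '\0' && i + 1 < cch; i++) dst[i] = (WCHAR)(unsigned char)src[i];
    dst[i] = 0;
    return src[i] == '\0';              /* false: truncated, like STRSAFE_E_INSUFFICIENT_BUFFER */
}

/* BEFORE: the post's SaveToFile logic. Only the members it cares about are assigned;
   the comment tail (and any padding) keeps whatever the memory held before. */
static bool fill_header_unsafe(FILEHEADER *fh, const char *comment, DWORD cbData)
{
    fh->dwMagic   = FILE_MAGICNUMBER;
    fh->dwVersion = FILE_CURRENTVERSION;
    fh->cbData    = cbData;
    return copy_comment(fh->wszComment, COMMENT_CCH, comment);
}

/* AFTER: clear the whole structure, then fill it in. memset covers the comment tail and
   padding alike, and is not a dead store because the bytes are subsequently written out. */
static bool fill_header_safe(FILEHEADER *fh, const char *comment, DWORD cbData)
{
    memset(fh, 0, sizeof *fh);
    return fill_header_unsafe(fh, comment, cbData);
}

/* Non-zero bytes in wszComment after the terminator: written to disk, assigned by nobody. */
static size_t leaked_comment_bytes(const FILEHEADER *fh)
{
    size_t len = 0, leaked = 0;
    while (len < COMMENT_CCH && fh->wszComment[len] != 0) len++;
    if (len + 1 >= COMMENT_CCH) return 0;   /* comment filled the field; no tail */
    const unsigned char *p = (const unsigned char *)&fh->wszComment[len + 1];
    for (size_t i = 0; i < (COMMENT_CCH - len - 1) * sizeof(WCHAR); i++) leaked += (p[i] != 0);
    return leaked;
}

static bool contains_bytes(const unsigned char *hay, size_t haylen, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= haylen; i++)
        if (memcmp(hay + i, needle, n) == 0) return true;
    return false;
}

/* Constructed stand-in for stack garbage: pretend an earlier callee left a credential
   string in the memory the header now occupies, then build the header on top of it. */
static const char PREVIOUS_SECRET[] = "account=svc-backup;password=hunter2";
static void build_in_reused_slot(bool use_safe, HEADER_SLOT *slot)
{
    for (size_t i = 0; i < sizeof slot->raw; i++)
        slot->raw[i] = (unsigned char)PREVIOUS_SECRET[i % (sizeof PREVIOUS_SECRET - 1)];
    (use_safe ? fill_header_safe : fill_header_unsafe)(&slot->fh, "backup set 7", 0);
}

size_t leaked_bytes_for(bool use_safe)     /* unassigned comment bytes that reach the file */
{
    HEADER_SLOT slot;
    build_in_reused_slot(use_safe, &slot);
    return leaked_comment_bytes(&slot.fh);  /* 486 with the unsafe filler, 0 with the safe one */
}

bool secret_survives(bool use_safe)        /* does the old credential reach the file? */
{
    HEADER_SLOT slot;
    build_in_reused_slot(use_safe, &slot);
    return contains_bytes(slot.raw, sizeof slot.raw, "password=hunter2");
}

int main(void)
{
    printf("unsafe: %zu leaked bytes, credential on disk: %d\n", leaked_bytes_for(false), secret_survives(false));
    printf("safe:   %zu leaked bytes, credential on disk: %d\n", leaked_bytes_for(true), secret_survives(true));
    return 0;
}
```

<p>
With a 12-character comment the unsafe filler leaves 486 of the 512
comment bytes untouched, and the credential planted there is still
readable in the bytes that would be written out; the safe filler leaves
zero. Note that the check only inspects the comment tail because this
structure happens to have no padding; a production check should compare
the whole serialized buffer against a fully zeroed template, since
padding bytes leak exactly the same way.
</p>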