5

In "The Security Development Lifecycle" book, Michael Howard wrote:

Take as an example the coding bug in Windows RPC/DCOM that the Blaster worm took advantage of (Microsoft 2003). The defective code looks like this:

HRESULT GetMachineName(WCHAR *pwszPath,
     WCHAR  wszMachineName[N + 1]) {
     LPWSTR pwszServerName = wszMachineName;
     while (*pwszPath != L'\\' )
         *pwszServerName++ = *pwszPath++;   
     ... }

In this code, the attacker controls the pwszPath argument so that she can overflow the wszMachineName buffer. This code bug was not picked up by any tools available within Microsoft...

I have implemented a lot of code like the above example before, but I can't find anything wrong with it, and after testing the above code I still can't find a way to overflow wszMachineName, yet as he mentions, this code is vulnerable to a buffer overflow.

So my question is: how can an attacker take advantage of the above code, like the Blaster worm did? I passed a large number of 'A's to the program, but it continues without a crash or any problem.

  • 1
    I did a quick Google search and found a few sites explaining it in detail: https://books.google.co.uk/books?id=441tAwAAQBAJ&pg=PA172&lpg=PA172&dq=pwszPath+blaster&source=bl&ots=SlCL8JIJDe&sig=Qv4UEyHpNEJ4nSljJLHKvTkJdGw&hl=en&sa=X&ved=0ahUKEwicptXurMLQAhUpK8AKHckJAosQ6AEIIjAB – schroeder Nov 24 '16 at 21:37
  • Just passing "a large number of A's" is not a lot for us to go on to troubleshoot your attempt to overflow. Give us details and context. How did you pass them? On what? How do you know that it did not crash? Was it enough A's to overflow? – schroeder Nov 24 '16 at 21:44
  • 1
    Are you also aware that the source code for Blaster is pretty public and the exploit is commented so that you can understand exactly what it takes to exploit this vulnerability? – schroeder Nov 24 '16 at 21:50
  • Are you attaching a debugger to monitor the behavior of the vulnerable program? Besides, there are many other parameters that can affect the vulnerable program and stop you from reproducing the same result, for example, compiler configuration etc... – n3m0 Nov 25 '16 at 10:53

1 Answer

3

If you have control over pwszPath then you can pass a very large string to exceed the buffer.

I'm not sure what else to say.

schroeder
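The following is an added example, not code from the book, from Microsoft's RPCSS, or from the answer above. It recreates the quoted loop under stand-in Windows types, but writes into a destination that has deliberate sentinel-filled slack after the declared N + 1 slots, so the overflow can be measured deterministically rather than relying on a crash. That is also why a test that simply "passes a lot of A's" may not visibly fail: the extra characters land in whatever happens to sit after the buffer, and whether that is noticed depends on the string length, the stack layout and compiler options such as stack protectors. The value of N (16), the SPILL size, the sentinel, and the terminating write after the loop (which the book's "..." elides) are assumptions made for the demonstration. A bounded version is included alongside so the fix is visible next to the bug; note that it also fails closed when no backslash is present at all, a case in which the original loop simply keeps reading past the end of the input.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Minimal stand-ins for the Windows types used in the snippet (no windows.h needed). */
typedef wchar_t WCHAR;
typedef WCHAR *LPWSTR;
typedef long HRESULT;
#define S_OK   ((HRESULT)0L)
#define E_FAIL ((HRESULT)0x80004005L)

/* Assumed buffer size: the book writes wszMachineName[N + 1] without giving N;
   16 is chosen here purely for the demonstration. */
#define N 16
/* Sentinel-filled slack placed after the N+1 slots so the overflow can be
   counted instead of smashing a real stack frame. */
#define SPILL 32
#define SENTINEL ((WCHAR)0xABCD)

/* The loop as quoted in the book, plus the terminating write that the elided
   "..." presumably performed (assumed). It copies until the first backslash
   and never consults the size of wszMachineName. */
HRESULT GetMachineName_vulnerable(WCHAR *pwszPath, WCHAR wszMachineName[N + 1]) {
    LPWSTR pwszServerName = wszMachineName;
    while (*pwszPath != L'\\')
        *pwszServerName++ = *pwszPath++;
    *pwszServerName = L'\0';            /* assumed; not shown in the book */
    return S_OK;
}

/* Hardened version: at most N characters are copied, and the call fails
   closed if no backslash appears within those N characters or the input
   ends first (the vulnerable loop would read past the end of the input). */
HRESULT GetMachineName_fixed(const WCHAR *pwszPath, WCHAR wszMachineName[N + 1]) {
    size_t i;
    for (i = 0; i <= N; i++) {
        if (pwszPath[i] == L'\\') {
            wszMachineName[i] = L'\0';  /* i <= N, so this stays inside N+1 slots */
            return S_OK;
        }
        if (pwszPath[i] == L'\0' || i == N) {
            wszMachineName[0] = L'\0';
            return E_FAIL;
        }
        wszMachineName[i] = pwszPath[i];
    }
    return E_FAIL;                      /* not reached */
}

/* Runs the vulnerable parser on a constructed path of name_len 'A's followed
   by a backslash, with a destination of N+1 slots plus SPILL sentinel slots.
   Returns how many slots past the declared N+1 were overwritten (0 means no
   overflow), or -1 if name_len would overrun the harness's own storage. */
int count_overflow_chars(size_t name_len) {
    WCHAR path[N + 1 + SPILL + 2];
    WCHAR storage[N + 1 + SPILL];
    size_t i;
    int overflowed = 0;

    if (name_len + 1 >= N + 1 + SPILL)  /* name + terminator must fit in storage */
        return -1;
    for (i = 0; i < name_len; i++)
        path[i] = L'A';
    path[name_len] = L'\\';
    path[name_len + 1] = L'\0';

    for (i = 0; i < N + 1 + SPILL; i++)
        storage[i] = SENTINEL;
    GetMachineName_vulnerable(path, storage);  /* the array decays to WCHAR* */
    for (i = N + 1; i < N + 1 + SPILL; i++)
        if (storage[i] != SENTINEL)
            overflowed++;
    return overflowed;
}

/* Runs the hardened parser; returns the extracted name length, or -1 if the
   input was rejected. */
int fixed_name_len(const WCHAR *path) {
    WCHAR name[N + 1];
    if (GetMachineName_fixed(path, name) != S_OK)
        return -1;
    return (int)wcslen(name);
}

int main(void) {
    size_t lens[] = { 8, 16, 17, 40 };
    size_t i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("name of %2zu chars: %d slots written past the buffer\n",
               lens[i], count_overflow_chars(lens[i]));
    printf("fixed parser, 16-char name: %d\n", fixed_name_len(L"AAAAAAAAAAAAAAAA\\share"));
    printf("fixed parser, 17-char name: %d\n", fixed_name_len(L"AAAAAAAAAAAAAAAAA\\share"));
    printf("fixed parser, no backslash: %d\n", fixed_name_len(L"server"));
    return 0;
}
```

With N = 16, a 16-character name fits exactly, a 17-character name already puts its terminator one slot past the buffer, and a 40-character name overwrites 24 slots beyond it. In the real process the memory after the buffer is the rest of the stack frame, so the same writes would corrupt whatever lives there; the harness only makes that spill visible and countable.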