
View Full Version : Execute arbitrary code in the 5.0 kernel?


tm.ningen@gmail.com
01-29-2007, 04:04 AM
I am not a security expert, but from reading the WinCE 5.0 docs, I am
wondering if it's possible to execute arbitrary source code in the 5.0
kernel.

[1] Invoking handle-based system calls (such as ReadFile()) is done
by dereferencing a pointer embedded in the handle, something like

ReadFile(a, b, c, d) {
(*((UNSCRAMBLE)handle)->table[offset])(a, b, c, d);
}

wouldn't it be possible to fake a handle that, when unscrambled,
points to some well crafted code that lives in the application space?

[2] The above may be hard (since you need to know the memory layout
fairly well). I think (without proof) that when a system call is made,
the same C stack (allocated by the user app) is used, all the way
while you are in the kernel (and beyond, when the kernel in turn calls
other processes such as filesys.exe). If this is true, wouldn't it be
simple to have another user thread that modifies the stack of the
first thread? Just by modifying return addresses, you can make the
kernel branch to code that lives in the user space, while still in
kernel mode.

This sounds infinitely hackable to me. Or did I miss something grossly
obvious?

Is there any literature out there that documents why the CE 5.0 kernel
is really safe and all my worries can be summarily dismissed?