It's hilarious how this new code has the exact same Windows security bug I gave a talk about at BlackHat 2-3 years ago (which Microsoft fixed in Vista).
It's sad how this code ignores the exported PsSetProcessWindowStation API and relevant EPROCESS field.
It's awesome how nothing changes whenever I prop up to see the "progress".
-- Best regards, Alex Ionescu
On 2011-03-22, at 5:19 AM, gadamopoulos@svn.reactos.org wrote:
Author: gadamopoulos
Date: Tue Mar 22 09:19:26 2011
New Revision: 51115
URL: http://svn.reactos.org/svn/reactos?rev=51115&view=rev

Log:
[ntoskrnl]
- Implement calling OkayToCloseProcedure callouts to win32k for desktop and window station objects
- Fix a bug that caused ObpCloseHandle to return success even when OkayToCloseProcedure failed
[win32k]
- Rewrite SetProcessWindowStation to actually set the current window station and close the previous one
- Implement OkayToCloseProcedure callouts from the kernel to prevent closing the current desktop or window station
Modified:
trunk/reactos/ntoskrnl/ex/win32k.c
trunk/reactos/ntoskrnl/ob/obhandle.c
trunk/reactos/ntoskrnl/ps/win32.c
trunk/reactos/subsystems/win32/win32k/include/desktop.h
trunk/reactos/subsystems/win32/win32k/include/win32.h
trunk/reactos/subsystems/win32/win32k/include/winsta.h
trunk/reactos/subsystems/win32/win32k/main/dllmain.c
trunk/reactos/subsystems/win32/win32k/ntuser/desktop.c
trunk/reactos/subsystems/win32/win32k/ntuser/winsta.c
Modified: trunk/reactos/ntoskrnl/ex/win32k.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ex/win32k.c?rev=51... ============================================================================== --- trunk/reactos/ntoskrnl/ex/win32k.c [iso-8859-1] (original) +++ trunk/reactos/ntoskrnl/ex/win32k.c [iso-8859-1] Tue Mar 22 09:19:26 2011 @@ -37,9 +37,45 @@
PKWIN32_PARSEMETHOD_CALLOUT ExpWindowStationObjectParse = NULL; PKWIN32_DELETEMETHOD_CALLOUT ExpWindowStationObjectDelete = NULL; +PKWIN32_OKTOCLOSEMETHOD_CALLOUT ExpWindowStationObjectOkToClose = NULL; +PKWIN32_OKTOCLOSEMETHOD_CALLOUT ExpDesktopObjectOkToClose = NULL; PKWIN32_DELETEMETHOD_CALLOUT ExpDesktopObjectDelete = NULL;
/* FUNCTIONS ****************************************************************/
+NTSTATUS +NTAPI +ExpDesktopOkToClose( IN PEPROCESS Process OPTIONAL,
IN PVOID Object,IN HANDLE Handle,IN KPROCESSOR_MODE AccessMode)+{
- WIN32_OKAYTOCLOSEMETHOD_PARAMETERS Parameters;
- Parameters.Process = Process;
- Parameters.Object = Object;
- Parameters.Handle = Handle;
- Parameters.PreviousMode = AccessMode;
- return ExpDesktopObjectOkToClose(&Parameters);
+}
+NTSTATUS +NTAPI +ExpWindowStationOkToClose( IN PEPROCESS Process OPTIONAL,
IN PVOID Object,IN HANDLE Handle,IN KPROCESSOR_MODE AccessMode)+{
- WIN32_OKAYTOCLOSEMETHOD_PARAMETERS Parameters;
- Parameters.Process = Process;
- Parameters.Object = Object;
- Parameters.Handle = Handle;
- Parameters.PreviousMode = AccessMode;
- return ExpWindowStationObjectOkToClose(&Parameters);
+}
VOID NTAPI @@ -114,6 +150,7 @@ ObjectTypeInitializer.PoolType = NonPagedPool; ObjectTypeInitializer.DeleteProcedure = ExpWinStaObjectDelete; ObjectTypeInitializer.ParseProcedure = ExpWinStaObjectParse;
- ObjectTypeInitializer.OkayToCloseProcedure = ExpWindowStationOkToClose; ObCreateObjectType(&Name, &ObjectTypeInitializer, NULL,
@@ -124,6 +161,7 @@ ObjectTypeInitializer.GenericMapping = ExpDesktopMapping; ObjectTypeInitializer.DeleteProcedure = ExpDesktopDelete; ObjectTypeInitializer.ParseProcedure = NULL;
- ObjectTypeInitializer.OkayToCloseProcedure = ExpDesktopOkToClose; ObCreateObjectType(&Name, &ObjectTypeInitializer, NULL,
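Review bot: ExpDesktopOkToClose and ExpWindowStationOkToClose call through ExpDesktopObjectOkToClose and ExpWindowStationObjectOkToClose unconditionally, yet both pointers are initialized to NULL in this file and are only assigned from CalloutData in ps/win32.c. With the object types now registering these wrappers as OkayToCloseProcedure, a close that reaches them before win32k has installed its callouts would call a NULL pointer. Check the pointer in each wrapper and return STATUS_SUCCESS when no callout is installed, or assert that it is set and document why it always is.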
Modified: trunk/reactos/ntoskrnl/ob/obhandle.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ob/obhandle.c?rev=... ============================================================================== --- trunk/reactos/ntoskrnl/ob/obhandle.c [iso-8859-1] (original) +++ trunk/reactos/ntoskrnl/ob/obhandle.c [iso-8859-1] Tue Mar 22 09:19:26 2011 @@ -1752,7 +1752,6 @@
/* Detach and return success */ if (AttachedToProcess) KeUnstackDetachProcess(&ApcState);
} else {Status = STATUS_SUCCESS;Modified: trunk/reactos/ntoskrnl/ps/win32.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ps/win32.c?rev=511... ============================================================================== --- trunk/reactos/ntoskrnl/ps/win32.c [iso-8859-1] (original) +++ trunk/reactos/ntoskrnl/ps/win32.c [iso-8859-1] Tue Mar 22 09:19:26 2011 @@ -20,6 +20,8 @@ PGDI_BATCHFLUSH_ROUTINE KeGdiFlushUserBatch = NULL; extern PKWIN32_PARSEMETHOD_CALLOUT ExpWindowStationObjectParse; extern PKWIN32_DELETEMETHOD_CALLOUT ExpWindowStationObjectDelete; +extern PKWIN32_OKTOCLOSEMETHOD_CALLOUT ExpWindowStationObjectOkToClose; +extern PKWIN32_OKTOCLOSEMETHOD_CALLOUT ExpDesktopObjectOkToClose; extern PKWIN32_DELETEMETHOD_CALLOUT ExpDesktopObjectDelete; extern PKWIN32_POWEREVENT_CALLOUT PopEventCallout;
@@ -116,6 +118,8 @@ PspW32ThreadCallout = CalloutData->ThreadCallout; ExpWindowStationObjectParse = CalloutData->WindowStationParseProcedure; ExpWindowStationObjectDelete = CalloutData->WindowStationDeleteProcedure;
- ExpWindowStationObjectOkToClose = CalloutData->WindowStationOkToCloseProcedure;
- ExpDesktopObjectOkToClose = CalloutData->DesktopOkToCloseProcedure; ExpDesktopObjectDelete = CalloutData->DesktopDeleteProcedure; PopEventCallout = CalloutData->PowerEventCallout; KeGdiFlushUserBatch = CalloutData->BatchFlushRoutine;
Modified: trunk/reactos/subsystems/win32/win32k/include/desktop.h URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/inc... ============================================================================== --- trunk/reactos/subsystems/win32/win32k/include/desktop.h [iso-8859-1] (original) +++ trunk/reactos/subsystems/win32/win32k/include/desktop.h [iso-8859-1] Tue Mar 22 09:19:26 2011 @@ -69,6 +69,9 @@ VOID APIENTRY IntDesktopObjectDelete(PWIN32_DELETEMETHOD_PARAMETERS Parameters);
+NTSTATUS NTAPI +IntDesktopOkToClose(PWIN32_OKAYTOCLOSEMETHOD_PARAMETERS Parameters);
LRESULT CALLBACK IntDesktopWindowProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam);
Modified: trunk/reactos/subsystems/win32/win32k/include/win32.h URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/inc... ============================================================================== --- trunk/reactos/subsystems/win32/win32k/include/win32.h [iso-8859-1] (original) +++ trunk/reactos/subsystems/win32/win32k/include/win32.h [iso-8859-1] Tue Mar 22 09:19:26 2011 @@ -166,6 +166,7 @@ PCLS pclsPrivateList; PCLS pclsPublicList; INT cThreads;
- HDESK hdeskStartup; DWORD dwhmodLibLoadedMask; HANDLE ahmodLibLoaded[CLIBS]; struct _WINSTATION_OBJECT *prpwinsta;
Modified: trunk/reactos/subsystems/win32/win32k/include/winsta.h URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/inc... ============================================================================== --- trunk/reactos/subsystems/win32/win32k/include/winsta.h [iso-8859-1] (original) +++ trunk/reactos/subsystems/win32/win32k/include/winsta.h [iso-8859-1] Tue Mar 22 09:19:26 2011 @@ -82,6 +82,9 @@ APIENTRY IntWinStaObjectParse(PWIN32_PARSEMETHOD_PARAMETERS Parameters);
+NTSTATUS NTAPI +IntWinstaOkToClose(PWIN32_OKAYTOCLOSEMETHOD_PARAMETERS Parameters);
NTSTATUS FASTCALL IntValidateWindowStationHandle( HWINSTA WindowStation, @@ -106,4 +109,7 @@
PWINSTATION_OBJECT FASTCALL IntGetWinStaObj(VOID);
+BOOL FASTCALL +UserSetProcessWindowStation(HWINSTA hWindowStation);
/* EOF */
Modified: trunk/reactos/subsystems/win32/win32k/main/dllmain.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/mai... ============================================================================== --- trunk/reactos/subsystems/win32/win32k/main/dllmain.c [iso-8859-1] (original) +++ trunk/reactos/subsystems/win32/win32k/main/dllmain.c [iso-8859-1] Tue Mar 22 09:19:26 2011 @@ -119,6 +119,7 @@ { DPRINT("Destroying W32 process PID:%d at IRQ level: %lu\n", Process->UniqueProcessId, KeGetCurrentIrql()); Win32Process->W32PF_flags |= W32PF_TERMINATED;
if (Win32Process->InputIdleEvent) { EngFreeMem((PVOID)Win32Process->InputIdleEvent);@@ -144,6 +145,9 @@ { LogonProcess = NULL; }
UserSetProcessWindowStation(NULL);}
RETURN( STATUS_SUCCESS);
@@ -220,25 +224,14 @@ { if(hWinSta != NULL) {
if(Process != CsrProcess)
if(!UserSetProcessWindowStation(hWinSta)) {
HWINSTA hProcessWinSta = (HWINSTA)InterlockedCompareExchangePointer((PVOID)&Process->Win32WindowStation, (PVOID)hWinSta, NULL);if(hProcessWinSta != NULL){/* our process is already assigned to a different window station, we don't need the handle anymore */NtClose(hWinSta);}}else{NtClose(hWinSta);
DPRINT1("Failed to set process window station\n"); } } if (hDesk != NULL) {
Win32Thread->rpdesk = NULL;Win32Thread->hdesk = NULL; if (!IntSetThreadDesktop(hDesk, FALSE)) { DPRINT1("Unable to set thread desktop\n");@@ -441,6 +434,8 @@ CalloutData.ProcessCallout = Win32kProcessCallback; CalloutData.ThreadCallout = Win32kThreadCallback; CalloutData.BatchFlushRoutine = NtGdiFlushUserBatch;
CalloutData.DesktopOkToCloseProcedure = IntDesktopOkToClose;
CalloutData.WindowStationOkToCloseProcedure = IntWinstaOkToClose;
/* Register our per-process and per-thread structures. */ PsEstablishWin32Callouts((PWIN32_CALLOUTS_FPNS)&CalloutData);
Modified: trunk/reactos/subsystems/win32/win32k/ntuser/desktop.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/ntu... ============================================================================== --- trunk/reactos/subsystems/win32/win32k/ntuser/desktop.c [iso-8859-1] (original) +++ trunk/reactos/subsystems/win32/win32k/ntuser/desktop.c [iso-8859-1] Tue Mar 22 09:19:26 2011 @@ -166,6 +166,29 @@ RemoveEntryList(&Desktop->ListEntry);
IntFreeDesktopHeap(Desktop); +}
+NTSTATUS NTAPI +IntDesktopOkToClose(PWIN32_OKAYTOCLOSEMETHOD_PARAMETERS Parameters) +{
- PTHREADINFO pti;
- pti = PsGetCurrentThreadWin32Thread();
- if( pti == NULL)
- {
/* This happens when we leak desktop handles */return TRUE;- }
- /* Do not allow the current desktop or the initial desktop to be closed */
- if( Parameters->Handle == pti->ppi->hdeskStartup ||
Parameters->Handle == pti->hdesk)- {
return FALSE;- }
- return TRUE;
}
/* PRIVATE FUNCTIONS **********************************************************/
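Review bot: IntDesktopOkToClose is declared NTSTATUS but every path returns TRUE or FALSE. FALSE is 0, the same value as STATUS_SUCCESS, so the branch meant to refuse closing the current or startup desktop reads as success to any caller that tests the result as an NTSTATUS, and TRUE (1) is not a failure status either. Return a failure NTSTATUS on the refusal path and STATUS_SUCCESS otherwise, or change the callout type to BOOLEAN end to end so that ObpCloseHandle and win32k agree on what a refusal looks like. The pti == NULL path also permits the close silently; since the comment says this only happens when desktop handles leak, a debug print there would make the leak visible.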
Modified: trunk/reactos/subsystems/win32/win32k/ntuser/winsta.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/subsystems/win32/win32k/ntu... ============================================================================== --- trunk/reactos/subsystems/win32/win32k/ntuser/winsta.c [iso-8859-1] (original) +++ trunk/reactos/subsystems/win32/win32k/ntuser/winsta.c [iso-8859-1] Tue Mar 22 09:19:26 2011 @@ -187,6 +187,21 @@ return STATUS_OBJECT_TYPE_MISMATCH; }
+NTSTATUS NTAPI +IntWinstaOkToClose(PWIN32_OKAYTOCLOSEMETHOD_PARAMETERS Parameters) +{
- PPROCESSINFO ppi;
- ppi = PsGetCurrentProcessWin32Process();
- if(Parameters->Handle == ppi->hwinsta)
- {
return FALSE;- }
- return TRUE;
+}
/* PRIVATE FUNCTIONS **********************************************************/
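Review bot: IntWinstaOkToClose dereferences ppi directly after PsGetCurrentProcessWin32Process() with no NULL check, while IntDesktopOkToClose in desktop.c guards the equivalent pti lookup; add the same guard here. The comparison also uses the current process's hwinsta and ignores Parameters->Process, which the kernel-side wrapper fills in; either look up the process info from Parameters->Process or add a comment explaining why the current process is always the owner of the handle being closed. As in desktop.c, the function returns TRUE/FALSE although its prototype is NTSTATUS, so the refusal value FALSE is indistinguishable from STATUS_SUCCESS.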
/* @@ -915,6 +930,57 @@ return WinStaObj; }
+BOOL FASTCALL +UserSetProcessWindowStation(HWINSTA hWindowStation) +{
- PPROCESSINFO ppi;
- NTSTATUS Status;
- HWINSTA hwinstaOld;
- PWINSTATION_OBJECT NewWinSta = NULL, OldWinSta;
- ppi = PsGetCurrentProcessWin32Process();
- if(hWindowStation !=NULL)
- {
Status = IntValidateWindowStationHandle( hWindowStation,KernelMode,0,&NewWinSta);if (!NT_SUCCESS(Status)){DPRINT("Validation of window station handle (0x%X) failed\n",hWindowStation);SetLastNtError(Status);return FALSE;}- }
- OldWinSta = ppi->prpwinsta;
- hwinstaOld = ppi->hwinsta;
- /*
- FIXME - don't allow changing the window station if there are threads that are attached to desktops and own gui objects
- */
- InterlockedExchangePointer(&PsGetCurrentProcess()->Win32WindowStation, hWindowStation);
- ppi->prpwinsta = NewWinSta;
- ppi->hwinsta = hWindowStation;
- if(OldWinSta != NULL)
- {
ObDereferenceObject(OldWinSta);- }
- if(hwinstaOld != NULL)
- {
ZwClose(hwinstaOld);- }
- return TRUE;
+}
/*
- NtUserSetProcessWindowStation
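Review bot: in UserSetProcessWindowStation the handle is validated with IntValidateWindowStationHandle(hWindowStation, KernelMode, 0, &NewWinSta), but the NtUserSetProcessWindowStation path passes a handle supplied by user mode, so the caller's access to the window station is never checked before it becomes the process window station. Take the access mode as a parameter (UserMode for the syscall path, KernelMode for the internal callers in dllmain.c) and request the access the operation actually needs. The function also writes PsGetCurrentProcess()->Win32WindowStation directly with InterlockedExchangePointer and caches the raw handle value in ppi->hwinsta next to the referenced object; the reply in this thread points at an exported PsSetProcessWindowStation for the EPROCESS field, and the FIXME about threads already attached to desktops is carried over unresolved, which should be stated in the log.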
@@ -934,44 +1000,15 @@ BOOL APIENTRY NtUserSetProcessWindowStation(HWINSTA hWindowStation) {
- PWINSTATION_OBJECT NewWinSta;
- NTSTATUS Status;
- DPRINT("About to set process window station with handle (0x%X)\n",
hWindowStation);- if(PsGetCurrentProcess() == CsrProcess)
- {
DPRINT1("CSRSS is not allowed to change it's window station!!!\n");EngSetLastError(ERROR_ACCESS_DENIED);return FALSE;- }
- Status = IntValidateWindowStationHandle(
hWindowStation,KernelMode,0,&NewWinSta);- if (!NT_SUCCESS(Status))
- {
DPRINT("Validation of window station handle (0x%X) failed\n",hWindowStation);SetLastNtError(Status);return FALSE;- }
- /*
- FIXME - don't allow changing the window station if there are threads that are attached to desktops and own gui objects
- */
- /* FIXME - dereference the old window station, etc... */
- InterlockedExchangePointer(&PsGetCurrentProcess()->Win32WindowStation, hWindowStation);
- DPRINT("PsGetCurrentProcess()->Win32WindowStation 0x%X\n",
PsGetCurrentProcess()->Win32WindowStation);- return TRUE;
- BOOL ret;
- UserEnterExclusive();
- ret = UserSetProcessWindowStation(hWindowStation);
- UserLeave();
- return ret;
}
/*
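Review bot: the rewritten NtUserSetProcessWindowStation no longer refuses the call when PsGetCurrentProcess() == CsrProcess, and UserSetProcessWindowStation as added in this patch has no equivalent check, while the log message does not mention the change. If CSRSS is now allowed to switch window stations, say so in the log; otherwise keep the check in the syscall wrapper before UserEnterExclusive(). The wrapper also loses the DPRINT of the incoming handle, which was the only trace of which handle a failing call was made with.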
If you care about it, fix it... or just pass info how to do it.
If you don't care, why did you write that in the first place?
There is something here I do not understand.
2011/3/22 Alex Ionescu ionucu@videotron.ca
It's hilarious how this new code has the exact same Windows security bug I gave a talk about at BlackHat 2-3 years ago (which Microsoft fixed in Vista).
It's sad how this code ignores the exported PsSetProcessWindowStation API and relevant EPROCESS field.
It's awesome how nothing changes whenever I prop up to see the "progress".
-- Best regards, Alex Ionescu
On 2011-03-22, at 6:07 PM, Olaf Siejka wrote:
or just pass info how to do it.
Try reading the e-mail.
-- Best regards, Alex Ionescu
I see mostly bragging around and a bit of subtle hinting. Not that I'd care about it.
Ros-dev mailing list Ros-dev@reactos.org http://www.reactos.org/mailman/listinfo/ros-dev
I suppose every time someone 'writes a paper' on something you take it as bragging -- however this is called a statement of fact.
Bragging sounds more like "I was the only scientist capable of discovering the phenomenon and writing a paper on it".
Or "I wrote the seminal, ground-breaking paper on..." (unless this is a well-established public fact -- but even then, one should probably not mention it in this way).
We also have something called 'references'. Therefore, when someone writes "In my paper published in Nature, Issue 12, Volume 192...." it is not a "hint", it is a reference. A competent academic would then look up the issue (and unless the author wrote two papers in the journal, you should not need any extra information).
Perhaps "2-3 years ago" was too vague -- although given the scarcity of papers I have published at that particular conference, it is not hard to find the correct "year": 2008.
Of course, the inability to make the basic Google search to discover the paper even after I referenced it, explains the inability to have read the paper beforehand (hint: regular scientists will often look up papers published on the topic they're about to embark on), or to have written the code without duplicating the same security issue. If you can't read, it's hard to write.
-- Best regards, Alex Ionescu
On 2011-03-22, at 6:11 PM, Olaf Siejka wrote:
I see mostly bragging around and a bit of subtle hinting. Not that I'd care about it.
Me sorry. Me too stupid. tl:dr
I guess you shouldn't waste your time by any further reply.
Regards
On 22.03.2011 23:17, Alex Ionescu uttered the following:
bla bla bla bla bla bla bla bla
-- Best regards, Alex Ionescu
Since you seem to be interested in helping the project but are incapable of doing it correctly, let me help you a bit: The fact that you gave a talk about something is probably pretty important ... for your ego. It's irrelevant to fixing the problem though. Instead of mentioning it, and later posting quite a lot of even more unrelated, boring and useless information, you could have simply pointed out where the actual problem was. That would have helped more. Although it would have been less fun of course and fewer people would google for your name / talk. (I didn't anyway) I wonder if MS really made the mistake of returning TRUE/FALSE in a function that is supposed to return an NTSTATUS. Probably not. Did you even notice this bug? If yes, thanks for not mentioning it to avoid any inconvenience. If no... nah, impossible,
BTW, would you like to take part in GSoC as a student? Maybe you could do something like rewriting the kernel based on windows 8 or something? I think I could mentor you.
Thanks, Timo
Unbelievable! We should be happy that Alex even commented on this commit to point out a flaw. Spend some time looking in to what he said, and less time disrespecting a man with his name on the cover of Windows Internals.
Waxy
On Tue, Mar 22, 2011 at 7:35 PM, Timo Kreuzer timo.kreuzer@web.de wrote:
On 22.03.2011 23:17, Alex Ionescu uttered the following:
bla bla bla bla bla bla bla bla
-- Best regards, Alex Ionescu
you`re been ironic, right?
On Wed, Mar 23, 2011 at 5:22 AM, WaxDragon waxdragon@gmail.com wrote:
Unbelievable! We should be happy that Alex even commented on this commit to point out a flaw. Spend some time looking in to what he said, and less time disrespecting a man with his name on the cover of Windows Internals.
Waxy
-- <+encoded> if you square a unicorn do you get a real animal?
you´re BEING, sorry
2011/3/23 Javier Agustìn Fernàndez Arroyo elhoir@gmail.com
you`re been ironic, right?
-- <+encoded> if you square a unicorn do you get a real animal?
It's the most sensible email in this thread
2011/3/23 Javier Agustìn Fernàndez Arroyo elhoir@gmail.com:
you´re BEING, sorry
Uhhh No. I am sure everyone appreciates any constructive comments pointing out bugs or flaws. Especially from someone like Alex that knows his stuff. But if you come across as cocky and demeaning while doing this, you're bound to get some disrespect, whether your name is on cover of Windows Internals or not. Alex's email came across to me this way.
Something such as "This code suffers from a security bug which I talked about at Blackhat 2 or 3 years ago (Fixed since Vista). Also the code ignores the exported PsSetProcessWindowStation API and relevant EPROCESS field." would have been totally professional and totally appropriate.
Mike
Date: Wed, 23 Mar 2011 00:22:00 -0400 From: waxdragon@gmail.com To: ros-dev@reactos.org Subject: Re: [ros-dev] [ros-diffs] [gadamopoulos] 51115: [ntoskrnl] - Implement calling OkayToCloseProcedure callouts to win32k for desktop and window station objects - Fix a bug that caused ObpCloseHandle to return success even whe...
Unbelievable! We should be happy that Alex even commented on this commit to point out a flaw. Spend some time looking in to what he said, and less time disrespecting a man with his name on the cover of Windows Internals.
Waxy
I'm glad someone else was thinking that too.
From: ros-dev-bounces@reactos.org [mailto:ros-dev-bounces@reactos.org] On Behalf Of WaxDragon Sent: 23 March 2011 04:22 To: ReactOS Development List Subject: Re: [ros-dev] [ros-diffs] [gadamopoulos] 51115: [ntoskrnl] - Implement calling OkayToCloseProcedure callouts to win32k for desktop and window station objects - Fix a bug that caused ObpCloseHandle to return success even whe...
Unbelievable! We should be happy that Alex even commented on this commit to point out a flaw. Spend some time looking in to what he said, and less time disrespecting a man with his name on the cover of Windows Internals.
Waxy
both points of view have merit
On Wed, Mar 23, 2011 at 4:04 AM, Ged Murphy gedmurphy@gmail.com wrote:
I’m glad someone else was thinking that too.
-- <+encoded> if you square a unicorn do you get a real animal?
It's a shame, it may seem to an outsider that ReactOS team is full of arrogant people who don't respect a former dev with quite significant contribution. Instead of thinking and fixing, this thread turned rude even before Alex replied more.
I guess if Dave Cutler and Marc Lucovsky would write a reply here, they would also get harsh replies about their huge ego and Timo would offer to mentor them too :-)
WBR, Aleksey Bragin.
it may also seem like the ex-reactos team is full of arrogant people.. I guess if Cutler or Lucovsky wrote a reply in here in a similar manner they would indeed get the same reply.
wbr, kamil
----- Original Message ----- From: Aleksey Bragin To: ReactOS Development List Sent: Wednesday, March 23, 2011 10:28 AM Subject: Re: [ros-dev] [ros-diffs] [gadamopoulos] 51115: [ntoskrnl] - Implement calling OkayToCloseProcedure callouts to win32k for desktop and window station objects - Fix a bug that caused ObpCloseHandle to return success even whe...
It's a shame, it may seem to an outsider that ReactOS team is full of arrogant people who don't respect a former dev with quite significant contribution. Instead of thinking and fixing, this thread turned rude even before Alex replied more.
I guess if Dave Cutler and Marc Lucovsky would write a reply here, they would also get harsh replies about their huge ego and Timo would offer to mentor them too :-)
WBR, Aleksey Bragin.
In the meantime -- has any one of you actually Googled for the PDF and read the appropriate section (hint: It was titled "Developer Guidance")?
-- Best regards, Alex Ionescu
On 2011-03-23, at 5:52 AM, Kamil Hornicek wrote:
it may also seem like the ex-reactos team is full of arrogant people.. I guess if Cutler or Lucovsky wrote a reply in here in a similar manner they would indeed get the same reply.
wbr, kamil
Let's smooth the edges:
"So all we have to do is:
• Create a window station with CreateWindowStation
• Protect the handle with SetHandleInformation
• Close it with CloseWindowStation

Bug was caught in Vista SP1 / Server 2008 timeframe
• Probably due to SDL -- obvious bug"
Source:
http://www.alex-ionescu.com/BH08-AlexIonescu.pdf
From: ionucu@videotron.ca Date: Wed, 23 Mar 2011 11:31:44 -0400 To: ros-dev@reactos.org Subject: Re: [ros-dev] [ros-diffs] [gadamopoulos] 51115: [ntoskrnl] - Implement calling OkayToCloseProcedure callouts to win32k for desktop and window station objects - Fix a bug that caused ObpCloseHandle to return success even whe...
In the meantime -- has any one of you actually Googled for the PDF and read the appropriate section (hint: It was titled "Developer Guidance")?
-- Best regards, Alex Ionescu
On 2011-03-23, at 5:52 AM, Kamil Hornicek wrote:
it may also seem like the ex-reactos team is full of arrogant people.. I guess if Cutler or Lucovsky wrote a reply in here in a similar manner they would indeed get the same reply.
wbr, kamil
----- Original Message ----- From: Aleksey Bragin To: ReactOS Development List Sent: Wednesday, March 23, 2011 10:28 AM Subject: Re: [ros-dev] [ros-diffs] [gadamopoulos] 51115: [ntoskrnl] - Implement calling OkayToCloseProcedure callouts to win32k for desktop and window station objects - Fix a bug that caused ObpCloseHandle to return success even whe...
It's a shame, it may seem to an outsider that ReactOS team is full of arrogant people who don't respect a former dev with quite significant contribution. Instead of thinking and fixing, this thread turned rude even before Alex replied more.
I guess if Dave Cutler and Marc Lucovsky would write a reply here, they would also get harsh replies about their huge ego and Timo would offer to mentor them too :-)
WBR, Aleksey Bragin.
On Mar 23, 2011, at 11:04 AM, Ged Murphy wrote:
I’m glad someone else was thinking that too.
From: ros-dev-bounces@reactos.org [mailto:ros-dev-bounces@reactos.org] On Behalf Of WaxDragon Sent: 23 March 2011 04:22 To: ReactOS Development List Subject: Re: [ros-dev] [ros-diffs] [gadamopoulos] 51115: [ntoskrnl] - Implement calling OkayToCloseProcedure callouts to win32k for desktop and window station objects - Fix a bug that caused ObpCloseHandle to return success even whe...
Unbelievable! We should be happy that Alex even commented on this commit to point out a flaw. Spend some time looking into what he said, and less time disrespecting a man with his name on the cover of Windows Internals.
Waxy
On Tue, Mar 22, 2011 at 7:35 PM, Timo Kreuzer timo.kreuzer@web.de wrote:
On 22.03.2011 at 23:17, Alex Ionescu said the following:
bla bla bla bla bla bla bla bla
-- Best regards, Alex Ionescu
Wrong bug, it's the other one (cached winsta).
On 2011-03-23, at 11:54 AM, Gabriel ilardi wrote:
Let's smooth the edges:
"So all we have to do is:
• Create a window station with CreateWindowStation
• Protect the handle with SetHandleInformation
• Close it with CloseWindowStation
Bug was caught in Vista SP1 / Server 2008 timeframe
• Probably due to SDL -- obvious bug"
Source: http://www.alex-ionescu.com/BH08-AlexIonescu.pdf
From: ionucu@videotron.ca Date: Wed, 23 Mar 2011 11:31:44 -0400 To: ros-dev@reactos.org Subject: Re: [ros-dev] [ros-diffs] [gadamopoulos] 51115: [ntoskrnl] - Implement calling OkayToCloseProcedure callouts to win32k for desktop and window station objects - Fix a bug that caused ObpCloseHandle to return success even whe...
In the meantime -- has any one of you actually Googled for the PDF and read the appropriate section (hint: It was titled "Developer Guidance")?
-- Best regards, Alex Ionescu
On 2011-03-23, at 5:52 AM, Kamil Hornicek wrote:
it may also seem like the ex-reactos team is full of arrogant people.. I guess if Cutler or Lucovsky wrote a reply in here in a similar manner they would indeed get the same reply.
wbr, kamil
----- Original Message ----- From: Aleksey Bragin To: ReactOS Development List Sent: Wednesday, March 23, 2011 10:28 AM Subject: Re: [ros-dev] [ros-diffs] [gadamopoulos] 51115: [ntoskrnl] - Implement calling OkayToCloseProcedure callouts to win32k for desktop and window station objects - Fix a bug that caused ObpCloseHandle to return success even whe...
It's a shame, it may seem to an outsider that ReactOS team is full of arrogant people who don't respect a former dev with quite significant contribution. Instead of thinking and fixing, this thread turned rude even before Alex replied more.
I guess if Dave Cutler and Marc Lucovsky would write a reply here, they would also get harsh replies about their huge ego and Timo would offer to mentor them too :-)
WBR, Aleksey Bragin.
On Mar 23, 2011, at 11:04 AM, Ged Murphy wrote:
I’m glad someone else was thinking that too.
From: ros-dev-bounces@reactos.org [mailto:ros-dev-bounces@reactos.org] On Behalf Of WaxDragon Sent: 23 March 2011 04:22 To: ReactOS Development List Subject: Re: [ros-dev] [ros-diffs] [gadamopoulos] 51115: [ntoskrnl] - Implement calling OkayToCloseProcedure callouts to win32k for desktop and window station objects - Fix a bug that caused ObpCloseHandle to return success even whe...
Unbelievable! We should be happy that Alex even commented on this commit to point out a flaw. Spend some time looking into what he said, and less time disrespecting a man with his name on the cover of Windows Internals.
Waxy
On Tue, Mar 22, 2011 at 7:35 PM, Timo Kreuzer timo.kreuzer@web.de wrote:
On 22.03.2011 at 23:17, Alex Ionescu said the following:
bla bla bla bla bla bla bla bla
-- Best regards, Alex Ionescu
I have all your papers and data from your blog as well...
I understand the frustration. The quickness of intolerance with this project is sickening. Falling into its trap with quick blows of erratic tantrums. Reverting into the dark ages of coded hell. More code sees less and less light of day as "if'ed" out of existence. The hacking of ignorance killing the structure. I understand the frustration.
Peace, James
On Wed, Mar 23, 2011 at 10:31 AM, Alex Ionescu ionucu@videotron.ca wrote:
In the meantime -- has any one of you actually Googled for the PDF and read the appropriate section (hint: It was titled "Developer Guidance")?
-- Best regards, Alex Ionescu
Hi everyone, http://www.alex-ionescu.com/ Main Blog, http://www.alex-ionescu.com/?p=61 Black Hat 2008 Wrap-up <------- here http://www.alex-ionescu.com/BH08-AlexIonescu.pdf <------------------ read
I would like everyone (new Developers) that haven't read this blog to do so and get up to date!
I'm not sure if M$ fixed their issues, it may not be Server 2003 but at least 2008 plus or 7.
Thanks, James
ps I have the right to use M$ since 1983........
On Tue, Mar 22, 2011 at 9:19 AM, Alex Ionescu ionucu@videotron.ca wrote:
It's hilarious how this new code has the exact same Windows security bug I gave a talk about at BlackHat 2-3 years ago (which Microsoft fixed in Vista).
It's sad how this code ignores the exported PsSetProcessWindowStation API and relevant EPROCESS field.
It's awesome how nothing changes whenever I prop up to see the "progress".
-- Best regards, Alex Ionescu
"I'm not sure if *M$*[....]
EVIL!!!!!
On Thu, Mar 31, 2011 at 2:23 AM, James Tabor jimtabor.rosdev@gmail.com wrote:
Hi everyone, http://www.alex-ionescu.com/ Main Blog, http://www.alex-ionescu.com/?p=61 Black Hat 2008 Wrap-up <------- here http://www.alex-ionescu.com/BH08-AlexIonescu.pdf <------------------ read
I would like everyone (new Developers) that haven't read this blog to do so and get up to date!
I'm not sure if M$ fixed their issues, it may not be Server 2003 but at least 2008 plus or 7.
Thanks, James
ps I have the right to use M$ since 1983........
On Tue, Mar 22, 2011 at 9:19 AM, Alex Ionescu ionucu@videotron.ca wrote:
It's hilarious how this new code has the exact same Windows security bug
I gave a talk about at BlackHat 2-3 years ago (which Microsoft fixed in Vista).
It's sad how this code ignores the exported PsSetProcessWindowStation API
and relevant EPROCESS field.
It's awesome how nothing changes whenever I prop up to see the
"progress".
-- Best regards, Alex Ionescu
Needless to say, James has a special, Project dispense on using "M$".
:Thanks, :James : :ps I have the right to use M$ since 1983........
Of course I have used the occasional "$M" variable when doing some PHP programming...
On Thu, 31 Mar 2011 19:51:43 +1100, Olaf Siejka caemyr@gmail.com wrote:
Needless to say, James has a special, Project dispense on using "M$".
:Thanks, :James : :ps I have the right to use M$ since 1983........