A .NET class bug that can hang a machine instantly

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: A .NET class bug that can hang a machine instantly
From: Walt Smith <walt@xxxxxxxxxxx>
Date: 11 Dec 2003 03:53:02 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


I posted the following information to a couple of Microsoft news groups in the 
last couple of days with no response, so I thought I would post it here perhaps 
to encourage the examination of this .NET class, which I believe is vulnerable 
to exploits because of quality problems in the code.  I believe the following 
bug could easily be used in an exploit to crash any Windows machine that is 
running .NET 1.1 in Windows XP.  The bug is basically a flaw in the 
XMLTextReader class of .NET that locks the machine up so badly that it can only 
be shutdown with the power switch.  I do not have an ASP.NET environment in 
which to test it, so I would be interested to know if it has any effect there 
that is similar to C# .NET.  The bug can be reproduced in the following manner 
using the Visual Studio 7 .NET C# compiler:

1) Create a simple C# Windows Application Project and add a form 
to it.  Add System.XML to the namespaces of the project.
2) Add a ListBox control to the form.  (name it lbUsers for this code)
3) Add the following code to the OnLoad event of the form:

protected override void OnLoad(EventArgs e) 
{ 
   XmlTextReader xmlConfigFile; 

   string filename = Application.StartupPath 
+ "\\test.vtx"; 
   xmlConfigFile = new XmlTextReader(filename); 
          
   while(xmlConfigFile.Read()) 
   { 
     if(xmlConfigFile.NodeType == XmlNodeType.Element) 
     { 
        if(xmlConfigFile.Name == "User") 
        { 
          if(xmlConfigFile.HasAttributes) 
          { 
             while(xmlConfigFile.MoveToNextAttribute()) 
             { 
               if(xmlConfigFile.Name == "Name") 
                  lbUsers.Items.Add
(xmlConfigFile.Value);       
             } 
           } 
        } 
      } 
   } 
   lbUsers.Refresh(); 
   base.OnLoad (e); 
} 

4) Place the following XML File in the application 
directory for the project (the /debug directory).  Name 
the file test.vtx

<?xml version="1.0" encoding="UTF-8" ?> 
<ConfigData> 
   <UserInfo> 
      <Users> 
         <User Name="AUDREY"> 
         </User> 
         <User Name="WESLEY"> 
         </User> 
         <User Name="DADDY"> 
         </User> 
      </Users> 
   </UserInfo> 
</ConfigData> 


5)  DO NOT PLACE any breakpoints in the code.
6)  Use the F5 key (Debug/Run) to execute the code.

Result:  The machine will hang.  The only choice is the 
power switch.  CTRL-ALT-DEL is ineffective.

Other information:
a)  If you execute this code from a Button.Click event on 
the form, IT WORKS JUST FINE.
b)  If you comment out all of the code inside the while 
loop in the function, the machine will still hang.
c)  If you move the base class OnLoad above the while 
loop, the code will still hang.
d)  If you put this code in the OnActivate function of the 
form, the code will still hang.

Prev by Date: Re: A new TCP/IP blind data injection technique?
Next by Date: Re: Internet Explorer URL parsing vulnerability
Previous by thread: [CORE-2003-12-05] DCE RPC Vulnerabilities New Attack Vectors Analysis
Next by thread: Re: A .NET class bug that can hang a machine instantly
Index(es):
- Date
- Thread