OllyDbg long process Module debug Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: OllyDbg long process Module debug Vulnerability
From: ATmaCA ATmaCA <atmaca@xxxxxxxxxxxxxx>
Date: 19 Mar 2005 06:11:51 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Vendor:
Oleh Yuschuk

Application: 
OllyDbg
http://home.t-online.de/home/Ollydbg/

Introduction:
OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®.
Emphasis on binary code analysis makes it particularly useful in cases where 
source is unavailable.

Affected Versions:
1.10 (final version) and prior versions.

Overview:
In OllyDbg, if a target process loads modules that contains long name 
(greater than around 200 bytes), OllyDbg will be crashed.

This hole can be used for an anti-debug method for OllyDbg.


Vendor Status:
No vendor response.

Discovery: 
ATmaCA 
atmaca@xxxxxxxxxxxxxx
www.atmacasoft.com
www.spyinstructors.com
Credit to Kozan

POC:
Debug this program with OllyDbg,
when the program runs, a folder that named "olly hole" will be 
created on desktop and a long named dll will be created in 
this folder.  then it will load this and finally
olly debug will be crashed.

http://www.atmacasoft.com/exp/OllyHole.exe

Prev by Date: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability
Next by Date: [ GLSA 200503-23 ] rxvt-unicode: Buffer overflow
Previous by thread: Re: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability
Next by thread: [ GLSA 200503-23 ] rxvt-unicode: Buffer overflow
Index(es):
- Date
- Thread