MS Windows source accessed by hackers

[Structural Integrity]

http://www.washingtonpost.com/wp-dyn...2004Feb12.html

Poor sods.
I hope this doesn't increase the number of exploits we are going to see in worms.

[Luckeh!!!!]

they only possess the source code for MS Paint

[Structural Integrity]

link editted... 't was an older reference, now got an article from the Washington Post.

[Mit]

it could be good at the same time as being disaterous thou... it might make MS realise how many security problems there is, thus we might eventually get a secure OS from them (we can hope)

from the other side of the coin, it also might reveal a bit more about the inner workings of windows things to *nix, and enable better support for NTFS, better wine capabilities etc (ofc, the developers would have to be VERY careful not to break IP laws etc)

[Raging.Retard]

Quote:

Originally Posted by Mit

ofc, the developers would have to be VERY careful not to break IP laws etc

If they even look at it, it could cause a load of SCO type litigation.

[JetLinus]

You might have heard it, rumors seem pretty much confirmed: Windows NT and 2000 sourcecode has leaked.
Microsoft made an officialy statement admitting this. It seems a company called "Mainsoft" (that licensed windows or anything) were using an outdated FTP (wuftp?) version on a linux server, and the code leaked from there...

Apparently around 30,000 files containing about 13ish million lines of code (of a total of maybe 50m) are available via filesharing now (ca 200mb archive).

There are various news sources around (obviously), sorry that I don't provide any links (too lazy / german sources don't help you anyway). I'm sure slashdot etc will help.


There is no documentation apparently, but the identifiers themselves are pretty nice. Also helpful comments are given. The code is C (ANSI), C++, Assembler, containing make-files as well. Additionally I've read somewhere that even some Visual Basic projects were found \o/.


I found a description of the packet somewhere, have no idea though how reliable this is:

Code:

CONTENTS

WinSock32
MSHTML (IE)
RAS
Crypto-API
Winlogon
Open-GL Screensaver
setupapi
Event-Log
NETLOGON


Client components:

accesory (small programs: Notepad, Paint, Clipboard,....)
fontfldr (fonts)
progman (thinking of win3.11...)
snapins (energy managment)
accessib
games
regedit
regedit.nt4 (regedit32)
taskman (taskmanager)
control (basically control panel and profile management)
grptoreg (converter)
tools (minor stuff)
convgrp (16 bit *.grp -> 32 bit *.grp)
inc (compatibility header)
regwiz (registration wizard)
upedit (profile ditor)
cpls (control panel stuff)       
lmui (Lan Manager User Interface)
rundll32 (rundll32) 
userpri (Unicode workaround)
lz (compression)     
runonce (RunOnce wrapper)      
migrate (Update?) 
security (printer spool, REMOTE-SHELL, NTFS-rights management)   
version (?)
dskquota  
o2base (helper functions,hardware-interfaces?)   
shcompui
winver
encrypt (user management?, ...)    
pifmgr (pifmgr)  
shole (bookmark (managegement)?)

and a lot of stuff about thread and cpu handling

Wow I'd like to have a look at that, really...
Apparently it's quite funny to do a search for swearing-words, lots of comments are not "cleaned up".

[SYMM]

And the thread 2 below this isn't enough?

[JetLinus]

Quote:

Originally Posted by SYMM

And the thread 2 below this isn't enough?

Sorry... Can't believe how I didn't see this . Internet @ work wasn't working THAT well, I could just claim it was the fault of some cashing system... Hopefully this doesn't get deleted (merged would be ok I guess).

Got some more information (not by myself):

In util.cpp you get:

Code:

// the ****ing alpha cpp compiler seems to **** up the goddam type
"LPITEMIDLIST", so to work
// around the ****ing peice of shit compiler we pass the last param
as an void *instead of a LPITEMIDLIST

There is another file called killer.c

Code:

#include <stdio.h>
#include <windows.h>


Spin()
{
    int i;
    for (i=0;1;i++) {
Sleep(i*7500);
}
}

void
main(void)
{
    DWORD ThreadId;
    HANDLE Thread;
    int i;
    int failcount;

    failcount = 0;
    for (i = 0;; i++) {
Thread = CreateThread(NULL,
    0,
    (LPTHREAD_START_ROUTINE)Spin,
    NULL,
    0,
    &ThreadId
    );
if ( (i/50)*50 == i ) {
    printf("%d threads created\n", i);
    }

if (!Thread) {
    failcount++;
    printf("%d threads created before %d failure\n",
i,failcount);
    Sleep(5000);
    if ( failcount < 10 ) {
i--;
goto again;
}
    break;
    }
else {
    CloseHandle(Thread);
    }
again:;
}
}

Heyyy, WHAT a playground this windows is. Big box of surprises \o/

[Structural Integrity]

WTF?
So they have a file that creates a load of threads until it start failing to create threads.

The comment is teh funny.

And what's up with the indenting? Did you do that or is it really such a mess?

[JetLinus]

Well, this function does indeed seem to test how many threads "windows (or whatever) can take". But the filename "killer.c" and printf commands let you assume it was only used for internal testing. Btw, have they not heard of "if i mod 50 == 0 then"?

I didn't do the indenting, got this as I said from some other news sources, I think it got unformatted somewhere on the way. Apparently people say the code seems pretty good readable (I've read something like "better than linux kernel" I think [because linux source uses more abbreviations or whatever]).


Also I've read that people cleaned up the linux source by removing / editing all comments with "****" in them. But if you do a search for "suck", you'll still find funny stuff...

[queball]

merged

[Nodrog]

Quote:

Originally Posted by JetLinus

goto again;
}
break;
}
else {
CloseHandle(Thread);
}
again:;
}

...

[Structural Integrity]

Quote:

Originally Posted by Nodrog

...

Someone got a weird mind twist there... that's for sure

[JetLinus]

If someone actually got hold of the code AND understands C // Windows that much that he doesn't get lost, I'd be interested in process handling... Especially: How did they manage priorities? How are the shares distributed to the processes, and which parts of the OS can be "locked up" by crashed threads (infinite loops etc). You know... Also if someone is really interested, you might wanna find out to which extend IE and Windows are really connected -- if it's true what MS said: That you cannot "uninstall / remove" IE without "damaging" their OS (at least they claimed this in front of court, didn't they?).

[JetLinus]

And there we are, first (?) security hole found within the source code: -> :eek: <-

Apparently in IE5, there is a signed integer used for an offset in bitmap handling. You can force an overflow (i.e. getting a negative int), producing a buffer overflow. So code contained in the bitmap could be executed (basically).

Although the author claims it doesn't work in IE6, someone reported Outlook Express 6.0 might crash... Now it starts, stuff in actual data-files, bad times ahead :-/

[queball]

Quote:

Originally Posted by JetLinus

Btw, have they not heard of "if i mod 50 == 0 then"?

It's unfair to criticise someone else's code style if they haven't asked for it. Maybe the modulo operator just slipped the writer's mind, or maybe he doesn't usually write in C. I try really, really hard not to waste time worrying about code style, particularly when it comes to writing tests; clearly he has mastered this skill where I haven't. He's even used two different syntaxes for the exact same for loop for some bizarre reason.

Though since I have picked up pedant-disease: if I had to make one comment it would be that using continue is much nicer than using goto.

Quote:

Originally Posted by JetLinus

If someone actually got hold of the code AND understands C // Windows that much that he doesn't get lost, I'd be interested in process handling... Especially: How did they manage priorities? How are the shares distributed to the processes, and which parts of the OS can be "locked up" by crashed threads (infinite loops etc). You know... Also if someone is really interested, you might wanna find out to which extend IE and Windows are really connected -- if it's true what MS said: That you cannot "uninstall / remove" IE without "damaging" their OS (at least they claimed this in front of court, didn't they?).

I'm fairly sure any information about thread priorities and scheduling is publicly available if you wish to struggle through MSDN. The browser-OS integration argument is obviously rubbish. The only hard thing is trying to argue to non-programmers against MS's lies. I don't see how looking through the code will help. I think 98lite (and maybe their 2k/XP version too? though WinCE/XP are sold as more modular anyway) did a lot of good.

[Intrepid00]

Quote:

Originally Posted by JetLinus

And there we are, first (?) security hole found within the source code: -> :eek: <-

Apparently in IE5, there is a signed integer used for an offset in bitmap handling. You can force an overflow (i.e. getting a negative int), producing a buffer overflow. So code contained in the bitmap could be executed (basically).

Although the author claims it doesn't work in IE6, someone reported Outlook Express 6.0 might crash... Now it starts, stuff in actual data-files, bad times ahead :-/

Ohhh, its the end of the world. Someone found a bug on a program that has long sense been corrected. Ohh, what a word. What a world.

[JetLinus]

Quote:

Originally Posted by Intrepid00

Ohhh, its the end of the world. Someone found a bug on a program that has long sense been corrected. Ohh, what a word. What a world.

Yeah, sure, noone never ever nowhere still uses IE 5, how could I forget.
Good thing there aren't thousands (millions?) of people out there who could get "hacked" (and get there credit card details stolen) by a bitmap.

And yes yey punish those bastards for using a computer if they aren't tech professionals.
And credit card details for example shouldn't be stored on a computer anyway, right?

Pffff.

Probably more people out there using IE 5.x than Linux [/me ducks and runs away]

[Intrepid00]

Quote:

Originally Posted by JetLinus

Yeah, sure, noone never ever nowhere still uses IE 5, how could I forget.
Good thing there aren't thousands (millions?) of people out there who could get "hacked" (and get there credit card details stolen) by a bitmap.

And yes yey punish those bastards for using a computer if they aren't tech professionals.
And credit card details for example shouldn't be stored on a computer anyway, right?

Pffff.

Probably more people out there using IE 5.x than Linux [/me ducks and runs away]

In Reponse...

Quote:

It seems a company called "Mainsoft" (that licensed windows or anything) were using an outdated FTP (wuftp?) version on a linux server, and the code leaked from there...

Use outdated software, be at risk.

[xtothez]

Quote:

Originally Posted by Mit

enable better support for NTFS

Pity the source for ntfs.sys is one of the most notably missing files.