haydn

Possible Buffer Overflow


Hi, I was playing a game the other day. It wasn't multiplayer, but it did require authentication to Steam to run.

I noticed glitches in the game, then it crashed. Windows reported running out of disk space. I tried to find the offending file, but suspecting an intrusion I turned on network lockdown. The PC was virtually running on RAM, as there were only a few megs of operating hard drive space left.

Malwarebytes was shut down and couldn't be opened, I'm guessing because there wasn't enough memory, as was my VPN client. I cleaned my drive, recycle bin etc. to free up space and ran a full system scan. My external hard drive was locked up, and as it was not indexed I needed to eject it, but it wouldn't eject. It only contains images, as I do photography; it seemed one file was open, preventing me ejecting it, a file of a friend on his track day. As it was USB, I shut the PC down and disconnected the drive.

I restarted with network lock still enabled, and it seemed to free up more workable space. The Windows drive still had 263 GB of unknown data and the PC was running on about 500 MB. It took me some time to locate the offending file: it was a crash report folder I'd set up to capture blue screen crashes, funnily enough caused by tcpip exceptions that I suspected came from your web protection.

I found literally thousands and thousands of crash reports generated by Debug Diag 1 (there is a 2 out now that I've updated to). It creates Java-generated reports that can be analysed online, although I have Java off by default and never used it on this software, as I've always analysed myself.

I have done a deep clean on all drives with nothing detected and reconnected my VPN to a different server. I'm hoping the network lockdown was initiated before any damage could be done.

Credit to Emsisoft: whilst other services shut down, I assume due to lack of memory, Emsisoft stayed up and allowed a quick lockdown response.

Preventing buffer overflows seems to be more than a simple switch and may require additional software, although I thought Windows had this protection. I'm still not 100% sure if this was an attack, as they would have needed access to my kernel pool, which Windows Defender guards against. Could it just have been my game crash that caused this overflow?

Any help gratefully accepted. H


Just to add to this: I did a Shields Up port scan and can see DCOM 1024 is open. I disabled TCP port 1024 but then found I couldn't use my browser. I think DCOM is not controlled by the firewall, so I went into Component Services to disable DCOM services, but this has multiple Windows services running on it, including Windows Update, so I was loath to disable it. When I keep my VPN running the port is invisible, but I shouldn't have to rely on my VPN just to keep me safe. How do I close the port but keep the services running? Should I get a 3rd-party firewall and not rely on Windows Defender? I'm a bit stuck.

21 hours ago, haydn said:

... it was a crash report folder I'd set up to capture blue screen crashes, funnily enough caused by tcpip exceptions that I suspected came from your web protection

Malwarebytes' web protection doesn't appear to be compatible with ours at the moment, and is causing BSoDs for some users when installed alongside our software.

21 hours ago, haydn said:

Preventing buffer overflows seems to be more than a simple switch and may require additional software, although I thought Windows had this protection. I'm still not 100% sure if this was an attack, as they would have needed access to my kernel pool, which Windows Defender guards against. Could it just have been my game crash that caused this overflow?

Windows has mechanisms to protect against malicious buffer overflows; however, it is still possible for them to happen accidentally (such as due to a bug), and when they happen they can corrupt data from other processes and cause them to crash too.

My guess is it probably happened due to your hard drive filling up and not having enough space.


15 hours ago, haydn said:

Just to add to this: I did a Shields Up port scan and can see DCOM 1024 is open. I disabled TCP port 1024 but then found I couldn't use my browser. I think DCOM is not controlled by the firewall, so I went into Component Services to disable DCOM services, but this has multiple Windows services running on it, including Windows Update, so I was loath to disable it. When I keep my VPN running the port is invisible, but I shouldn't have to rely on my VPN just to keep me safe. How do I close the port but keep the services running? Should I get a 3rd-party firewall and not rely on Windows Defender? I'm a bit stuck.

Leave DCOM as it is, since it's a vital Windows service.

Closing the port in the firewall is fine, but also make sure that the port isn't forwarded in your router. The Shields Up test should never have hit your computer on that port unless it was forwarded in your router for a game (such as Battlefield 2142) or another application that uses it.

If you have UPnP enabled on your router (on by default on most) then be sure to turn it off, as it's a bit of a security risk.

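The reply above recommends three checks: find out what is actually listening on the port, block it inbound in the firewall without touching the service, and rely on the OS's own overflow mitigations. The following script is an added example (not from the thread, not Emsisoft's or Microsoft's code) that does all three from an elevated PowerShell prompt on Windows 10/11. It assumes the built-in NetTCPIP, NetSecurity and ProcessMitigations modules; the port number is the one from the thread and is a parameter, and the exploit-protection view needs Windows 10 1709 or later, so it is wrapped in a try/catch.

```powershell
# Added example, not part of the thread. Assumes Windows 10/11 with the built-in NetTCPIP,
# NetSecurity and ProcessMitigations PowerShell modules, run from an elevated prompt.
$Port = 1024   # the port discussed in the thread; change as needed

# --- 1. Who is listening on the port locally? -------------------------------------------
# A port in the 1024+ range that Shields Up reports as open is typically an RPC/DCOM
# endpoint hosted inside svchost.exe, so list the services sharing that process too.
function Get-PortOwner {
    param([int]$LocalPort)
    Get-NetTCPConnection -LocalPort $LocalPort -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ownerPid = $_.OwningProcess          # ($pid itself is a reserved automatic variable)
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $ownerPid" |
                        Select-Object -ExpandProperty Name
            [pscustomobject]@{
                Address  = $_.LocalAddress
                Port     = $_.LocalPort
                PID      = $ownerPid
                Process  = $proc.ProcessName
                Services = ($svcs -join ', ')
            }
        }
}

# --- 2. Block unsolicited inbound connections, leave the service running ----------------
# An inbound-only rule does not affect the outbound connections a browser makes (those use
# ephemeral source ports), which is what broke when the port was disabled wholesale.
function Block-InboundPort {
    param([int]$LocalPort)
    $name = "Block inbound TCP $LocalPort"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $LocalPort -Action Block -Profile Public,Private | Out-Null
    }
    # Return the rule so the caller can confirm it exists and is enabled
    Get-NetFirewallRule -DisplayName $name |
        Select-Object DisplayName, Enabled, Direction, Action, Profile
}

# --- 3. Are the OS buffer-overflow mitigations the reply refers to switched on? ---------
# DEP policy is exposed through WMI on every supported Windows; the system-wide
# exploit-protection view (DEP/ASLR/CFG) needs Windows 10 1709 or later.
function Get-OverflowMitigations {
    $os = Get-CimInstance Win32_OperatingSystem
    # SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut
    Write-Host ("DEP available: {0}, policy: {1}" -f $os.DataExecutionPrevention_Available,
                                                     $os.DataExecutionPrevention_SupportPolicy)
    try {
        $m = Get-ProcessMitigation -System
        foreach ($k in 'DEP', 'ASLR', 'CFG') {
            Write-Host "--- $k ---"
            $m.$k | Format-List | Out-String | Write-Host
        }
    } catch {
        Write-Host "Get-ProcessMitigation is not available on this Windows build."
    }
}

Get-PortOwner -LocalPort $Port | Format-Table -AutoSize
Block-InboundPort -LocalPort $Port
Get-OverflowMitigations
```

The first function will usually show svchost.exe with RpcSs or a similar service name, which is why the reply says to leave DCOM alone. Nothing run on the PC can see a port forward on the router or ISP box; as the reply notes, the fact that Shields Up reached the port at all means something upstream is forwarding it, and that has to be checked (together with UPnP) in the router's own admin page.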

Hi, right, I've found it. It was my BT Vision box, basically my internet TV box. I didn't set it up; it must have been set up by default. It was set up to port forward to port DCOM 1024. I just disabled it and DCOM 1024 is in stealth. That device was provided by my ISP, good old BT. I've got C++ Redistributable running as well; would that have allowed the hacker better access?

What I do find annoying: there are hundreds of YouTube videos teaching people hacking tech (in the name of protection) but virtually nothing on staying safe. You might say anyone can close a port. Yes, I can, but this port covers hundreds of access points, and I'd never heard of DCOM ports that bypass your firewall until yesterday.

Thanks for the reply, GT

It wasn't just a crashed program; it wouldn't fill up my HD with 263 GB of debug reports, which was all the space I had left on C. It didn't disable the machine completely, luckily, as otherwise I'd be trying to remove some malware or other. I did find the intruder IP, but it was a proxy.

7 hours ago, haydn said:

... I've got C++ Redistributable running as well; would that have allowed the hacker better access?

The Visual C++ Redistributables only install a framework that is required by applications compiled with the various versions of Microsoft Visual Studio. If you're concerned about security vulnerabilities in such frameworks, then (assuming you're on Windows 10) enable the option "Receive updates for other Microsoft products when you update Windows" in the advanced options for Windows Update. More information is available at the following link:
https://www.tenforums.com/tutorials/44926-turn-off-windows-updates-microsoft-products-windows-10-a.html


Hi Arthur, I've had another program problem. It's a program I downloaded to capture blue screen crashes I was having, called Debug Diagnostics, originally version 1, then I upgraded to 2. It was fine until I started getting buffer overflow alarms, so I'm wondering if this was what was causing all my problems. It didn't have an uninstall, but I finally removed it last night with a tool called IObit.

When it was installed no deep scans found anything, but I see someone saying it may have cloned the original Windows diagnostic debug tool. Have you had anyone with problems like that? I thought I downloaded it from an official Microsoft site. I've got the original upgrade file if that helps. I think it's for running on servers, so it consumed vast amounts of hard drive space. I thought it may have been my ignorance and stupidity at using it; I wonder if it was trying to capture the Emsisoft/Malwarebytes clash.


@haydn - I've been googling for info about the DebugDiag tool. I found a series of screenshots, at https://www.cantabilesoftware.com/support/DebugDiagTool, which show that setting it (v1.2 of the tool) up to collect a series of dumps (albeit for a specific product) requires you to specify where they will be put. Presumably the earlier version of the tool also gave a user a chance to specify where dumps etc. would be written? Or, failing that, used a standard location and told you where it was? I don't understand how anyone could set something like this up and then not keep an eye on what it was collecting.

Also... did you ever look at the dumps? Did you run any of the diagnosis scripts? Did the tool ever do anything that you found useful?

It seems to me that these tools are only of use to developers (because whatever information is in the dumps etc. will only mean something to them, and in any case only they can actually fix the programs that are failing). The only situation where a user might use this tool is (like in the "Cantabile" support link above) when a product's developers need a particular user to use the tool to collect information which will then be sent to the developers. I wouldn't expect any normal user to do this unless explicitly told to by some company's tech support staff.

Hi Jeremy, yes, I stupidly saw it as an upgrade to the debug software I already had, and it was only after I started getting overflows and saw rundll32 that I sort of suspected malware. But it may have been that I didn't set the cache report size and the hard drive suddenly filled up. As you say, this program is probably for grown-ups, me not being one of them, as I see some developers having trouble disabling it or removing it. Just out of curiosity, does Emsisoft use the rundll command to update? I was also getting rundll commands from masked IP addresses. I still have the updated v2 software in my downloads folder; if I send it, are you able to check its validity? I compressed it, but it's still 27 MB, and the unpacked program is 1.4 GB. If it was sending the reports for analysis, I'm hoping they only went to Microsoft. I did panic when I saw there was no uninstall utility, but in the UK there is a law somewhere that says all programs produced must have an uninstall utility, and being a Microsoft program they wouldn't make software available that wasn't uninstallable, but I guess different countries have different laws. Any help gratefully accepted.

Many thanks, H


PS: V1 needed to use Java, which I never enabled, but v2 seemed to operate without it and as such was free to do what it wanted. I can see how a hacker could easily make a malware-injecting clone of this software, but I did download it from Microsoft so didn't think it was a risk.


@haydn - you say you already had "debug software"... What was that? I mean, you don't write as if you are an experienced programmer... These utilities are only for programmers (or tech support staff) to use.

"if I send it, are you able to check its validity" - No, I am not. If you downloaded it from Microsoft I expect it will be fine. Are the .exe's etc. digitally signed by them?

"if it was sending the reports for analysis I'm hoping they only went to Microsoft" - Nothing I've read suggests it would send anything to MS; it's not what it is for. If /you/ were developing a program and it wasn't working properly, the tool might be useful to you, by e.g. making sure that in some tightly defined circumstances dumps would be taken to collect info about what you thought the cause of the problem might be, e.g. a memory leak. Then you (the developer) would analyse the dumps looking for factors in common between them. As far as I understand it, this tool makes it easier to define (to the OS) the exact circumstances under which dumps will be taken (so the OS spots a looming problem and forces a dump, I think, rather than you (the user) at best being able to take a dump when it is too late and the program crashes). It also has scripts to help developers analyse the contents of the dumps (because analysing dumps by hand is very complicated, slow work).

Unless you are a developer, or were asked by some application's developer to install this and set it up in a particular way to collect dumps for their product, this will never have been of any use to you.

"I did panic when I saw there was no uninstall utility" - Why? It installs from an MSI, so surely it would be listed in Control Panel - Add/Remove Programs, or Control Panel - Programs & Features (or whatever it's called these days) like any other properly installed application? If it's classed as an OS component it might be in the optional Windows features part rather than the normal list of user-installed programs.

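The two questions in the reply above, whether the installed files are digitally signed by Microsoft and whether the product shows up in Programs & Features even though there is no uninstall.exe, can both be answered from PowerShell. The script below is an added example and not code from the thread or from any of the products it mentions. It assumes PowerShell 5.1 or later on Windows; the install folder path and the product-name fragment are placeholders to be replaced with the values from your own machine.

```powershell
# Added example, not part of the thread. Assumes PowerShell 5.1+ on Windows.
# Both values are placeholders: point them at the tool as installed on your system.
$InstallDir = 'C:\Program Files\DebugDiag'   # placeholder path, adjust as needed
$NameMatch  = 'Debug Diag'                   # text expected in the Programs & Features entry

# --- 1. Authenticode check ---------------------------------------------------------------
# Every .exe and .dll from a Microsoft download should report Status 'Valid' with a
# Microsoft subject in the signer certificate. 'NotSigned' or 'HashMismatch' on a file
# that claims to be Microsoft's is the thing worth investigating.
function Test-FolderSignatures {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# --- 2. Programs & Features entry --------------------------------------------------------
# Add/Remove Programs is driven by these two registry keys. An MSI-installed product is
# listed here (with an msiexec-based UninstallString) even when its install folder
# contains no uninstaller of its own.
function Get-UninstallEntries {
    param([string]$Match)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$Match*" } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

# Show only the files whose signature is not valid; an empty table is the good outcome.
Test-FolderSignatures -Path $InstallDir | Where-Object Status -ne 'Valid' | Format-Table -AutoSize

# Show how the product is registered for uninstall, if at all.
Get-UninstallEntries -Match $NameMatch | Format-List
```

Drop the `Where-Object Status -ne 'Valid'` filter to see the signer subject on every file; the point of the check is that the subject should name Microsoft, not merely that some signature is present. If the second function returns nothing, the product was either never registered with Windows Installer or has already been removed, which is consistent with the later post in the thread describing removal with a third-party tool.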
22 hours ago, haydn said:

Hi Arthur, I've had another program problem. It's a program I downloaded to capture blue screen crashes I was having, called Debug Diagnostics, originally version 1, then I upgraded to 2. It was fine until I started getting buffer overflow alarms, so I'm wondering if this was what was causing all my problems...

Certain debug utilities can cause software crashes. That's actually a way to collect information on an error: forcing a program to crash when it encounters an error so that a crash dump is saved. Granted, I don't know for certain if that's why you were encountering such crashes, but it's at least a possibility.
