The blog continues at suszter.com/ReversingOnWindows

June 5, 2012

Banned APIs Used by Browsers

I wrote a simple script for Windbg that finds deprecated functions in the modules of the process address space. It parses the name of the imported functions in the Import Address Table (IAT) of the PE image. Each API name is matched to a list of deprecated API names. If there is a match the script prints the API name out.

Here are some browser test have been done with the script. The result, in short, is all browsers use banned APIs that are flagged unsafe by Microsoft.

Chrome
I randomly chose modules in the Chrome's process address space, and found the following banned API.
0:012> $$>a< c:/work/BannedApi.wds chrome.dll c:/work/BannedApiList.txt
IAT Address: 01643000, Size: 000009b4
kernel32!IsBadWritePtr
1909 APIs scanned in IAT, 1 APIs have the name of deprecated APIs.
MSDN says "Important  This [IsBadWritePtr] function is obsolete and should not be used".

By the way, Chrome guys do pretty good job because this was the only one banned API I found in the address space albeit I didn't check all of the modules.

Firefox
Here are the banned APIs found in Firefox.
0:011> $$>a< c:/work/BannedApi.wds plugin_container c:/work/BannedApiList.txt
IAT Address: 00002000, Size: 000000d4
MSVCR80!wcslen
221 APIs scanned in IAT, 1 APIs have the name of deprecated APIs.
0:011> $$>a< c:/work/BannedApi.wds mozjs c:/work/BannedApiList.txt
IAT Address: 00169000, Size: 0000020c
MSVCR80!memcpy
MSVCR80!sprintf
546 APIs scanned in IAT, 2 APIs have the name of deprecated APIs.
0:011> $$>a< c:/work/BannedApi.wds xul c:/work/BannedApiList.txt
IAT Address: 00a27000, Size: 00002230
kernel32!lstrcatW
MSVCR80!_snprintf
MSVCR80!wcstok
MSVCR80!wcsncat
MSVCR80!strcat
MSVCR80!sscanf
MSVCR80!_ui64toa
MSVCR80!wcsncpy
MSVCR80!_i64toa
MSVCR80!sprintf
MSVCR80!memcpy
MSVCR80!strcpy
MSVCR80!_snwprintf
MSVCR80!strncpy
MSVCR80!wcslen
MSVCR80!strlen
MSVCR80!wcscpy
USER32!wsprintfW
7672 APIs scanned in IAT, 18 APIs have the name of deprecated APIs.
0:034> $$>a< c:/work/BannedApi.wds firefox.exe c:/work/BannedApiList.txt
IAT Address: 00003000, Size: 0000013c
MSVCR80!sprintf
MSVCR80!strlen
MSVCR80!_snprintf
MSVCR80!_vsnwprintf
MSVCR80!wcscpy
MSVCR80!strcpy
MSVCR80!wcslen
MSVCR80!_snwprintf
359 APIs scanned in IAT, 8 APIs have the name of deprecated APIs.
This is not a comprehensive list, I randomly chose modules in the process address space.

MSDN says "These functions [memcpy] are deprecated because more secure versions are available". Also "Security Note    These functions [strcpy] incur a potential threat brought about by a buffer overrun problem".

Internet Explorer
Some banned APIs in IE.
0:020> $$>a< c:/work/BannedApi.wds iexplore.exe c:/work/BannedApiList.txt
IAT Address: 00001000, Size: 0000020c
msvcrt!_vsnwprintf
392 APIs scanned in IAT, 1 APIs have the name of deprecated APIs.
0:020> $$>a< c:/work/BannedApi.wds jscript9.dll c:/work/BannedApiList.txt
IAT Address: 00001000, Size: 000003c4
msvcrt!_vsnwprintf
msvcrt!memcpy
743 APIs scanned in IAT, 2 APIs have the name of deprecated APIs.
0:020> $$>a< c:/work/BannedApi.wds MSHTML.dll c:/work/BannedApiList.txt
IAT Address: 00001000, Size: 00000fd4
msvcrt!memcpy
msvcrt!_vsnwprintf
msvcrt!_vsnprintf
SHLWAPI!StrCpyNW
3209 APIs scanned in IAT, 4 APIs have the name of deprecated APIs.
0:020> $$>a< c:/work/BannedApi.wds XmlLite.dll c:/work/BannedApiList.txt
IAT Address: 00001000, Size: 00000090
msvcrt!memcpy
msvcrt!_vsnwprintf
106 APIs scanned in IAT, 2 APIs have the name of deprecated APIs.
0:020> $$>a< c:/work/BannedApi.wds IEFRAME.dll c:/work/BannedApiList.txt
IAT Address: 00001000, Size: 00001640
msvcrt!_vsnprintf
msvcrt!_vsnwprintf
msvcrt!memcpy
USER32!wsprintfW
4478 APIs scanned in IAT, 4 APIs have the name of deprecated APIs.
Note
It's important to note that the presence of banned APIs doesn't mean the application is vulnerable, it means those shouldn't be there according to the Security Development Lifecycle Guideline because it's easy to go wrong with them.

If you want to try the script out I put it here. The script requires a text file containing the banned APIs, and you can get it from here.
  This blog is written and maintained by Attila Suszter. Read in Feed Reader.