Category: Security

22 Nov

Porting .NET app to Vista.. DEP strikes!


An interesting issue happened these days when I tried to port some apps to Vista.

Basically all .NET apps compiled with Visual Studio 2005/2008 are marked “NX compatible” by default. If your .NET app uses an incompatible DLL or COM object, the app will crash. What I found funny was that the message was a standard access violation error instead of a more specific DEP error.

Debugging it was not easy: I was unable to step through the code in VS2005 and using WinDbg wasn’t much of help too, except that the line where it crashed was something like a mov [esp+24h], constant with ESP well within limits — an instruction which should not generate an access violation exception given the current ESP value.  At that point I was starting to think that my “attempt to read or write protected memory was, in fact, something else.

Luckily my mind went to DEP and in less than 1 minute of Google search I was able to find this link with a good solution which, for the lazy and to preserve history is to add the following two lines as a post-build step.

call “$(DevEnvDir)..\tools\vsvars32.bat”
editbin.exe /NXCOMPAT:NO $(TargetPath)

I tried, without much faith, and it worked. And the C# app was finally working on Vista. And while you are fuddling with post-builds, go on and enable LARGEADDRESSAWARE while you are at it. 32bit users will thank you.

26 Jan

Cisco VPN on Linux OpenSuse 10.3

I found this guide quite useful :

Don’t worry about the fact that the link is for a x86-64 version. It works on 32bit systems too.

However, after the installation completed, I could not connect because of an error saying “The profile specified could not be read.” (if you get a “couldn’t connect” message it’s because the vpnclient connect command should be executed as root).

Here are the things to do:

  • move the profile under /etc/opt/cisco-vpnclient/Profiles
  • check carriage returns of the file are in unix format
  • do not use the “.pcf” extension in the sudo vpnclient connect yourPCFfile command

Filed under: Linux, Security

26 Oct

IE7, Javascript, the WebBrowser control and bugs

Internet Explorer 7 (IE7) has been released. Applications around the world are breaking. … Well at least mine failed.
If you use the WebBrowser control in .NET applications or shdocwv ActiveX control you may hit this issue.

If you load the html by navigating to “about:blank” and then using DocumentText, AND you are including a script (using for example <script src=”somefile.js” language=”Javascript” type=”text/javascript”></script>) your script will effectively not be included. The main symptom is a “Error: Invalid Character” message or simply script failure.

This means that your other scripts and events in the page will fail. Most probably this is a security measure (I have a theory about it but before that .. the solution).

Solution : embed the Javascript in the HTML. You hoped for something better right ? :( Anyway embedding the script in the HTML solves the problem and if you are setting DocumentText from your code chances are it’s either generated by an XSLT (in which you can use either a msxsl javascript to include a file or a couple of xsl:include / xsl:apply-template without many side effects) or from your code (in which case.. well you are the programmer who did it, find a clean solution ;)).

Now, why have they introduced this change?
Probably they fear the scenario where a Javascript injects in some way in the DocumentText the include of a local file (along with some copy of itself) and then uses the data which now is in DocumentText in some .. evil way. I’ll try to forge some proof of concept demo.. if that is possible at all of course.

I’ve found this discussion [] which propose a number of other interesting solutions.

Another interesting page with registry keys (process wide) for IE7 is here [].