Hacker Bypasses Windows 7/8 Address Space Layout Randomization 208
hypnosec writes "Microsoft upped its security ante with Address Space Layout Randomization (ASLR) in Windows 7 and Windows 8, but it seems this mechanism to prevent hackers from jumping to a known memory location can be bypassed. A hacker has released a brilliant, yet simple trick to circumvent this protection. KingCope, a hacker who released several exploits targeting MySQL in December, has detailed a mechanism through which the ASLR of Windows 7, Windows 8 and probably other operating systems can be bypassed to load a DLL file with malicious instructions to a known address space."
Obvious? (Score:4, Interesting)
And this exploit wasn't obvious from the start? When the heap and dynamically-loaded code share the same address space, this vulnerability always exists. We knew this 30 years ago. It took someone this long to apply it?
Re:Will not work on 64 bit (Score:5, Interesting)
Every 64-bit OS I know of uses delayed allocation: when a program asks the OS for memory, the OS assigns a chunk of address space, but doesn't assign memory (physical, virtual, or otherwise) until the program actually tries to use it. It's quite possible for a program to exhaust the available address space without actually using very much memory.
Re:Who would've guessed? (Score:5, Interesting)
Just another in a long list of Microsoft/Windows security fails. Big shocker.
So would you rather use an OS with much, much weaker ASLR, like Linux where large parts of the OS and libraries are just loaded at predictable locations without any memory squeezing in the first place?
BTW, this technique will not Work on 64 bit processes. On OSes with weak ASLR and predictable locations for certain modules, moving to 64bits does not help on iota.
Re:the only thing Microsoft and others can do is.. (Score:5, Interesting)
Every new security feature they can dream up can and will be bypassed with enough time.All they can do is build it hard enough that it takes more time to crack
I'm sure they're aware of that, as is anyone with a shred of knowledge about computer security (or hell, security in general). What is your point?
Legend has it that Finnish field marshal Mannerheim was interviewed by a journalist after the Winter war. The journalist asked him if he had at any time doubted that the Finns would eventually be defeated by the Soviets. Apparently the old man sent the journalist a sharp look and then replied that just because the odds are against you it does not mean you have to make life easy for your attacker. Dunno fi that is true but if I was in computer security, that's what my outlook would be... come up with nasty defences, whey they are breached you ambush the bastards and then come up with a new line of even nastier defences.
Re:Will not work on 64 bit (Score:4, Interesting)
VirtualAlloc with MEM_RESERVE will commit address space without reserving backing store.
Right. Can you show me how to do that from JavaScript in a browser?
Because that is what this is about. JavaScript *does not* have any function or low level binding to *reserve* memory space. It only has the ability to actually *allocate* memory (MEM_COMMIT). And that will exhaust the commit limit *long* before the address space is exhausted to the point where a library load address is predictable.
Point still stands. The technique described in the article *will not* work against 64 bit processes.
Re:Obvious? (Score:4, Interesting)
True, but that just shows how often demands for memory can happen in a modern multi-core machine.
Microsoft didn't implement ASLR until 2007 (Vista).
With so much multitasking going on under the processors of that time and today, it would suggest that any attempt to saturate memory would inconvience many tasks, many of whom would have allocation requests pending, probably for smaller chunks than your rogue task would require. These would stack up while your were saturating memory, and be serviced upon first, as soon as you released your block. There is no way you can do a system call tor free-memory AND follow it with DLL load command without yielding some time slots on the processors and memory allocation routines. The busier the machine the more likely this is to fail because allocation requests are always in flight.
Re:the only thing Microsoft and others can do is.. (Score:5, Interesting)
Japanese on Iwo Jima was "desperate defense with no hope of victory".
Finnish was "pre-planned defense in order to make enemy bleed so hard, that even Stalin would decide that gains aren't worth the cost".
It succeeded twice with quite possibly the single most insane-looking numbers in history. It was crazy enough to warrant wikipedia page screenshot becoming an internet meme:
http://www.google.com/imgres?imgurl=http://data.whicdn.com/images/18990146/finland-be-afraid-be-very-afraid_thumb.jpg&imgrefurl=http://weheartit.com/tag/soviet%2520russia&h=200&w=240&sz=11&tbnid=e8G9SZNgTBMY-M:&tbnh=87&tbnw=104&zoom=1&usg=__Tk2w1zc2NxuOzEu4OclPzzBZzVc=&sa=X&ei=RjoDUfekBYbKtAaMuYCwCQ&ved=0CCEQ9QEwAw [google.com]
This success was repeated in 1944 where Finns faced the single biggest offensive in the entire WW2 war European theatre. Soviets focused 20 artillery pieces per every kilometer of the front line. They could literally dig people out of trenches with this much artillery. In the end, finns held out and even pushed back in spite of being completely outnumbered and outgunned. Stalin remembered the lesson from Winter War and signed a peace treaty with Finland allowing it to stay independent again. It ended up going in history as the only country mentioned in Molotov-Ribbentrop that didn't get conquered by either Germany or USSR.
The main difference between these strategies is that Japanese viewed their empire as something holy and to be defended to the death, to the point where survivors should commit suicide if they failed. Finns viewed their country as something of theirs, and to be defended for as long as it remains defensible with as little losses as possible. Key difference was that finnish commanders valued lives of their soldiers very highly for the times. Japanese commanders treated their soldiers as completely disposable pawns. Difference could be explained by the fact that Japan is one of the most populated regions on the planet, while Finland is one of the least populated ones.
It's the advantage of not being a huge country with long and proud history. You learn that to stand between the giants and survive, you need to show humility to the giants in most things, but also show that when needed, you can sting them so painfully, that any potential attempts of capture will not be worth it. And most of all you learn that when you're losing, minimize your losses so you can fight another day.
Re:the only thing Microsoft and others can do is.. (Score:3, Interesting)
True, but you have to consider that ASLR was never intended as an unbreakable security feature. It was always just an impediment to an easy exploit of jumping to a fixed address. There are common tricks published [stackoverflow.com] for getting around ASLR to some degree.
Anyone who truly understands how computers work and specifically how ASLR does what it does should be fully aware that ASLR only stops absolutely stupid hacks. All important addresses can be looked up. They have to be looked up to be useful. If nothing can lookup an important address, nothing can really do anything to it, making it not real useful for computing in general, let alone hacking.
To get around ASLR all you have to do is consult ... the built in lookup table which is at ... A FIXED ADDRESS as it has to be able to be found for everything to work.
All ASLR does is means you need to spend a few extra clock cycles determining where you want to do your exploitation rather than hard coding it into the file.
Let me restate that ...
All ASLR does is means you have to use proper programming technics in your exploits rather than being lazy and hard coding your values.
The only security it provides is against a bug accidentally causing the same sort of crash twice in a few causes and preventing a few exceptionally lazy people from writing working exploits. Unfortunately, most of the people writing exploits are far from lazy, making ASLR effectively worthless and a good waste of a considerable chunk of processing time as now a metric fuckton of addresses have to be looked up rather than known in advance.
The 'common tricks' to 'get around ASLR' are 'write proper code'.