Hacker Bypasses Windows 7/8 Address Space Layout Randomization 208
hypnosec writes "Microsoft upped its security ante with Address Space Layout Randomization (ASLR) in Windows 7 and Windows 8, but it seems this mechanism to prevent hackers from jumping to a known memory location can be bypassed. A hacker has released a brilliant, yet simple trick to circumvent this protection. KingCope, a hacker who released several exploits targeting MySQL in December, has detailed a mechanism through which the ASLR of Windows 7, Windows 8 and probably other operating systems can be bypassed to load a DLL file with malicious instructions to a known address space."
Step One (Score:5, Funny)
Click on link in article...
the only thing Microsoft and others can do is... (Score:5, Informative)
... delay the inevitable.
Every new security feature they can dream up can and will be bypassed with enough time.All they can do is build it hard enough that it takes more time to crack.
Re:the only thing Microsoft and others can do is.. (Score:5, Insightful)
Re:the only thing Microsoft and others can do is.. (Score:5, Interesting)
Every new security feature they can dream up can and will be bypassed with enough time.All they can do is build it hard enough that it takes more time to crack
I'm sure they're aware of that, as is anyone with a shred of knowledge about computer security (or hell, security in general). What is your point?
Legend has it that Finnish field marshal Mannerheim was interviewed by a journalist after the Winter war. The journalist asked him if he had at any time doubted that the Finns would eventually be defeated by the Soviets. Apparently the old man sent the journalist a sharp look and then replied that just because the odds are against you it does not mean you have to make life easy for your attacker. Dunno fi that is true but if I was in computer security, that's what my outlook would be... come up with nasty defences, whey they are breached you ambush the bastards and then come up with a new line of even nastier defences.
Re: (Score:2)
That's what the Japanese did on Iwo Jima. It's a well-known military and IT strategy called "defense in depth".
Re:the only thing Microsoft and others can do is.. (Score:5, Informative)
didn't work for the japanese, because no possibility of resupply, reinforcement, or retreat. Defeat thus assured. About 21,844 killed, 216 survivors taken prisoner. A horrible bloodbath and yes 6800 american soldiers killed, but it didn't "work"
Re: (Score:3)
It was still better than the previous Japanese strategy of meeting us at the beaches and then banzai charges. Kuribayashi did quite well with the hand he was dealt.
Re: (Score:2)
Re:the only thing Microsoft and others can do is.. (Score:5, Interesting)
Japanese on Iwo Jima was "desperate defense with no hope of victory".
Finnish was "pre-planned defense in order to make enemy bleed so hard, that even Stalin would decide that gains aren't worth the cost".
It succeeded twice with quite possibly the single most insane-looking numbers in history. It was crazy enough to warrant wikipedia page screenshot becoming an internet meme:
http://www.google.com/imgres?imgurl=http://data.whicdn.com/images/18990146/finland-be-afraid-be-very-afraid_thumb.jpg&imgrefurl=http://weheartit.com/tag/soviet%2520russia&h=200&w=240&sz=11&tbnid=e8G9SZNgTBMY-M:&tbnh=87&tbnw=104&zoom=1&usg=__Tk2w1zc2NxuOzEu4OclPzzBZzVc=&sa=X&ei=RjoDUfekBYbKtAaMuYCwCQ&ved=0CCEQ9QEwAw [google.com]
This success was repeated in 1944 where Finns faced the single biggest offensive in the entire WW2 war European theatre. Soviets focused 20 artillery pieces per every kilometer of the front line. They could literally dig people out of trenches with this much artillery. In the end, finns held out and even pushed back in spite of being completely outnumbered and outgunned. Stalin remembered the lesson from Winter War and signed a peace treaty with Finland allowing it to stay independent again. It ended up going in history as the only country mentioned in Molotov-Ribbentrop that didn't get conquered by either Germany or USSR.
The main difference between these strategies is that Japanese viewed their empire as something holy and to be defended to the death, to the point where survivors should commit suicide if they failed. Finns viewed their country as something of theirs, and to be defended for as long as it remains defensible with as little losses as possible. Key difference was that finnish commanders valued lives of their soldiers very highly for the times. Japanese commanders treated their soldiers as completely disposable pawns. Difference could be explained by the fact that Japan is one of the most populated regions on the planet, while Finland is one of the least populated ones.
It's the advantage of not being a huge country with long and proud history. You learn that to stand between the giants and survive, you need to show humility to the giants in most things, but also show that when needed, you can sting them so painfully, that any potential attempts of capture will not be worth it. And most of all you learn that when you're losing, minimize your losses so you can fight another day.
Re: (Score:2)
Japanese commanders treated their soldiers as completely disposable pawns.
If you watch the very excellent world at war series [wikipedia.org], you will note an interview with one of those japanese commanders where he says that he was overwhelmed with volunteers for suicide missions. Different culture, different times.
On a side note, there will never be a better WWII documentary, because too many of the key players are dead now. The World At War series (26 episodes) has plenty of interviews with people who were actually there -- although recent declassification of soviet materials has changed
Re: (Score:3)
The point is, that Iwo Jima was a battle they knew they lost, and they threw all of their soldiers under a proverbial bus. Those who survived mostly committed seppuku.
Microsoft is definitely not doing that. They're doing what GP said Mannerheim did, strategic retreats and attacks on vulnerabilities that show up. Sometimes they lose a battle, like they did in this case, but they keep on winning the war. I.e. the OS stays overall secure enough for most users even if some aspects of its security suffer defeats
Re: (Score:2)
Microsoft and Intel spend something like 25% of their annual budgets on computer security. Going all the way from instruction sets, interrupts, supervisors and hypervisors, to DLL and kernel layouts, secure computing initiatives like SecureBIOS, hardware checksumming, file and network virus scanners, authentication protocols, network security applications, best practice virtual network layouts (separate virtual networks for different application levels). Even with all that, a standard desktop system still n
Comment removed (Score:4, Insightful)
Re: (Score:2)
If Linux is vulnerable? (Score:2)
Comment removed (Score:4, Insightful)
Re:the only thing Microsoft and others can do is.. (Score:4, Informative)
True, but you have to consider that ASLR was never intended as an unbreakable security feature. It was always just an impediment to an easy exploit of jumping to a fixed address. There are common tricks published [stackoverflow.com] for getting around ASLR to some degree.
Re: (Score:3, Interesting)
True, but you have to consider that ASLR was never intended as an unbreakable security feature. It was always just an impediment to an easy exploit of jumping to a fixed address. There are common tricks published [stackoverflow.com] for getting around ASLR to some degree.
Anyone who truly understands how computers work and specifically how ASLR does what it does should be fully aware that ASLR only stops absolutely stupid hacks. All important addresses can be looked up. They have to be looked up to be useful. If nothing can lookup an important address, nothing can really do anything to it, making it not real useful for computing in general, let alone hacking.
To get around ASLR all you have to do is consult ... the built in lookup table which is at ... A FIXED ADDRESS as i
ASLR is not so easy to bypass (Score:5, Insightful)
You're right that it boils down to just looking up the address, but see, this is a chicken-and-egg problem. You're wanting to determine addresses so you can run code, but you must run code in order to look up addresses!
You might as well say that it is easy to get a dinosaur and a dinosaur egg. To get the dinosaur, just wait for a dinosaur egg to hatch. To get the dinosaur egg, just wait for a dinosaur to lay one. Problem solved, right???
Re: (Score:2, Informative)
Anyone who truly understands how computers work and specifically how ASLR does what it does should be fully aware that ASLR only stops absolutely stupid hacks. All important addresses can be looked up. They have to be looked up to be useful. If nothing can lookup an important address, nothing can really do anything to it, making it not real useful for computing in general, let alone hacking.
To get around ASLR all you have to do is consult ... the built in lookup table which is at ... A FIXED ADDRESS as it has to be able to be found for everything to work.
No, the lookup table isn't at a fixed address. That is, in fact, the whole bloody point. The lookup table (technically the PLT, at least for ELF binaries) is at a fixed offset relative to the main binary, so if you can figure out where the main program is in memory you can find it very easily, but the point of ASLR is that it's non-trivial for the attacker to find the binary, and so they can't find the lookup table.
Now, admittedly, programs have to actually be compiled to use ASLR for this to work (older
Re: (Score:2)
Re: (Score:2)
Just use VMs...
No need to do an entire partition/separate OS thing the hard way these days. Especially not just for web browsing.
Re: (Score:3)
So are only safe if we run an OS on an isolated partition which has nothing but a web browser and the other partitions are automatically unmounted while the web browser OS is working?
Actually, we are only safe while the system is powered off, disconnected from all cabling and still in the box it came in. Trust me. After dealing with security weenies and various system lock-down methodologies for many, many years, a truly "secure" system (to their satisfaction, anyway) is unusable and you might as well not even bother to unpack it.
Re: (Score:2)
So are only safe if we run an OS on an isolated partition which has nothing but a web browser and the other partitions are automatically unmounted while the web browser OS is working?
OS on read-only media, sessions in disposable VMs.
Re:the only thing Microsoft and others can do is.. (Score:5, Insightful)
Unnecessary. Absolutely no advantage over just keeping updated and running as non-admin.It's the type of thing people who don't understand security do and then get MITMed without even noticing.
Nope, he is right. (Score:2)
He won't lose control of his hardware unless the attacker finds an exploit for escaping the VM. With snapshots, the VM can even be reliably uninfected.
Re: (Score:2)
Re: (Score:2)
But you can get a similar advantage without all the bullshit by simply having the browser in low rights mode and sandboxed, this way they would have to both find a way to escalate the privileges AND get out of the sandbox to do anything
If your browser is separated in a VM, then you can blow away everything at the press of a button. I personally don't like rebuilding my entire computer, but if it's just a browser, then I can write a script that does the whole thing for me.
Re: (Score:2)
OMG that is childishly simple (Score:2, Informative)
Fill up memory, then free some until enough is free to load the DLL.
Re:OMG that is childishly simple (Score:4, Informative)
Fill up memory, then free some until enough is free to load the DLL.
Which works fine with a 32 bit operating system. With 64 bit, filling up memory looks like a hard job to me.
Re: (Score:2)
On 64 bit, I wonder if allocating (reserving) the VM space, but not allocating memory for it, would do the trick. Harder (impossible?) to do from javascript though.
Re: (Score:3)
VirtualAlloc's without requiring a backing store work just fine for consuming enough of the 64 bit virtual backing store that it doesn't matter.
Asking for space but telling the OS you don't need it right NOW will get you an address space with no memory used until you cause a page fault by accessing it causing a page of real memory to actually be attached to it. Until that point, its just an entry in the page table, to which its easy to fill up, your computer does it every boot.
Re: (Score:2)
All this can be trivially stopped by ulimit. If a javascript can allocate 4 gigs of memory it is effectively a DoS. I would never let some web script allocate more than a fraction of physical memory.
Besides, there is absolutely no reason for a DLL to be put into same address where allocation heap resides.
Re: (Score:2)
Yep. I toyed a bit over Xmas with fixed location dynamic arrays. The problem I was trying to solve was that dynamic arrays keep moving around their data as they grow, and multiple threads accessing those arrays can clobber each other. By allocating 32 bits of address space for each dynamic array, I avoid having to relocate it as it grows. It worked OK, but unfortunately, the page table memory is not free. At startup, my code allocated many of megabytes of page table data. It also took several seconds
Re: (Score:2)
With 8 byte page table entries thats 8GB of memory just for the page table.
So I'm thinking its not actually possible to fill up the page table in systems with 8GB or less memory, and systems with 12GB of memory would probably be thrashing extremely hard (writing multiple gigabytes of data is a slow process, even on high performance SSD's)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I'm not a security expert, but isn't ASLR implemented in the dynamic linker? I would expect that the function lookup table you're talking about would be in a system level process, and not accessible in user space. My user level code would have all it's hard-coded function calls updated when loaded, and so long as my executable code is not readable, there's some protection of the actual addresses. However, if all you have to do is call a fixed location, asking for an address of whatever function is in tha
Obvious? (Score:4, Interesting)
And this exploit wasn't obvious from the start? When the heap and dynamically-loaded code share the same address space, this vulnerability always exists. We knew this 30 years ago. It took someone this long to apply it?
Re: (Score:2)
I wonder if this would be reliable in a heavily used machine with lots of processes vying for memory. There may be demands for memory blocks in the queue which were waiting longer than your request which might get serviced first.
Re:Obvious? (Score:4, Informative)
Processes would be irrelevant, since each one has it's own address space (the exploit works on the process level, not down on physical memory). And with NOP slides and other tricks, you don't need to pin down the location to the byte. Allocate one large block that'll be forced into the end of memory (start too large and work down until it succeeds, it'll have been allocated at the end of the heap because that's the only place that has a single contiguous block big enough open), allocate smaller blocks until the allocation fails (you've now filled up the heap), then resize your big block down enough to open up a hole for the DLL (it'll be loaded immediately after your big block since that's where the hole was opened up). The only real trick is chopping up the low portion of the heap and leaving enough small blocks there that most normal allocation will be happening below your big block while the only hole big enough for the DLL is above the big block, and it's not like that's all that challenging a programming problem.
And the amusing thing is that the x86 architecture allows you to make this sort of exploit physically impossible (at least without cracking ring 0 first). Separate code, heap and stack and place the heap and stack in non-executable segments, and any attempt to try this kind of thing just results in the kernel getting a memory access exception and terminating the offending process.
Re:Obvious? (Score:4, Interesting)
True, but that just shows how often demands for memory can happen in a modern multi-core machine.
Microsoft didn't implement ASLR until 2007 (Vista).
With so much multitasking going on under the processors of that time and today, it would suggest that any attempt to saturate memory would inconvience many tasks, many of whom would have allocation requests pending, probably for smaller chunks than your rogue task would require. These would stack up while your were saturating memory, and be serviced upon first, as soon as you released your block. There is no way you can do a system call tor free-memory AND follow it with DLL load command without yielding some time slots on the processors and memory allocation routines. The busier the machine the more likely this is to fail because allocation requests are always in flight.
Comment removed (Score:5, Informative)
Re: (Score:2)
If an attacker has enough access to fill all the address space of a 64 bit process, it sounds like they are already in too much control.
"It rather involved being on the other side of this airtight hatchway."
Re: (Score:3)
This appears to be a 32-bit exploit, at least as tested.
Re: (Score:3)
This appears to be a 32-bit exploit, at least as tested.
That depends on what you mean by "32-bit exploit." He's doing it as 32-bit code because then you have a LOT less memory to fill up. Even better, you have a predictable amount of memory to fill. It affects operating systems which are 64-bit; he's not doing it in a way that makes those OS versions safe, but for his own convenience of exploitation. There's another added benefit as well...not only is it easier to fill up the RAM of a 32-bit memory space, but in a 64-bit environment you won't be as likely to
Re: (Score:3)
There's another added benefit as well...not only is it easier to fill up the RAM of a 32-bit memory space, but in a 64-bit environment you won't be as likely to slog the machine down overall while you do so.
Quite the opposite. With 64 bit, the logical address space is many orders of magnitude bigger than available RAM. So you end up thrashing your virtual memory quite soon. However, the logical address space is still orders of magnitude bigger than your swapspace (4 TB if we are generous), so it's quite impossible to fill the 64 bit address space.
Re: (Score:2)
I think you've confused potential address space with actual available RAM. While you're right that there will be an impact on performance from filling up a 32-bit address space in the larger confines of a 64-bit operating system, you'll cause an even greater impact if you fill up all the actual available RAM by running the exploit in 64-bit context. And it's not about address space; the point is not to fill the address space that is potential, but the actual available RAM, because that's the point where y
Re: (Score:3, Informative)
Actually, the address space is in fact key. The goal is to load a known DLL at a known address in the process address space, not a known address in physical RAM, because process address space is what you can see in the code that you will then try to run that will try to call into the DLL.
So in a 64-bit process, this technique is pretty hard to pull off, since it does in fact rely on address space exhaustion.
Re: (Score:2, Insightful)
Not only that but the point of ASLR is to randomly locate system DLLs, not some evil hacker code. This does nothing to break the intended use of ASLR.
Re: (Score:3)
Re: (Score:2)
It's like having a wi-fi router with a built-in firewall that is enabled by default. Except they also have VPN services enabled by default too with easy to guess hardcoded administrator passwords as well.
Re: (Score:2, Troll)
They've also hired such guys to come up with Windows 8 in the first place. And Windows 7. And Windows Vista. And... you get the idea.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
"lynx" is also 64-bit, and works very well for visually impaired people who need robust text-speech. If your website does not work with lynx, it's probably too gizmo filled for ordinary use, anyway.
Re: (Score:2)
Whoa, that's wrong. I have been using 64-bit Opera for months.
Re: (Score:2)
its not hard to have a 64bit app running, with another 32bit process having its window open inside the 64bit bit apps main window.
The 32bit plugin can commuincate to the 64bit browser by usual ipc/tcp/windows msgs way.
Sure its a bit of effort, but stop being lazy, or shall we say, the 32bit plugin people, stop being lazy! make a 64bit ver.
Re: (Score:2)
So you think any application on your computer has too much access?
Easy to fix (Score:2)
There's also a really easy solution to this: Change the loader so that if there isn't enough space to perform the ASLR then the load fails. You have to handle the loader failing when you're down to the end of your memory space anyway. Suddenly you are back to not knowing where to jump to again.
Re: (Score:2)
Why is a web loaded javascript code allowed to fill the entire memory in the first place? Isn't it effectively a DoS, as the machine will swap for the next quite a few minutes?
Re: (Score:2)
Then you are ready to launch some exploit code into the active-X DLL, and you know the ad
Re: (Score:2)
It's not as hard as it sounds. Create a malicious web page that does something to fill memory (create a lot of javascript objects or something). At that time, put an active-X module on the page. This will probably trigger the loading of the Active-X dll, since it's unlikely that the user will have encountered an active-X page since they last launched internet explorer. (if they have, then this exploit might not work).
Then you are ready to launch some exploit code into the active-X DLL, and you know the address you need to smash the stack for fun and profit.
I don't understand how he knows the addresses. Virtual memory and ASLR result in the a process knowing the following:
Data X is at Location A
Data Y is at Location B
Data Z is at Location C
A,B,C are randomized offsets.
If you fill everything up, you still only have a list of random offsets. You could then kill off some objects and then HOPE that the next thing you load (a target DLL for example) fits into the freed-up space AND the OS drops it in the same physical space and presents the same virtual offset to
Re: (Score:2)
Regardless, the fix is trivial - when memory is that scarce, juggle shit around a bit when you allocate new crap.
Nah, you can't do that because you'll need to fix all the pointers, unless you're in a VM you can't do that.
Virtual memory still presents itself to the user-space program as contiguous memory (because of the TLB). So it doesn't matter where it actually is in hardware, you can still address it with the correct number.
I don't entirely understand the details either, but he has the source code there, and honestly I don't care enough to actually go through and read them. He fills up memory until the Javascr
Re: (Score:2)
Re: (Score:3)
This has the added benefit of stopping a single script from using up all of your memory.
Its as if a million JavaScript developers cried out in terror and were suddenly silenced when we stopped them from using all our system's resources.
Cool hack (Score:5, Informative)
So basically use javascript to allocate all available memory. Once you get the allocation exception, begin freeing small chunks. After each free, try loading an Active X DLL (target DLL exploit). As soon as you have freed enough blocks, the DLL will load into the space you freed. Essentially bypassing any ASLR -- there is nowhere to randomize too except the freed memory.
Re: (Score:3)
This doesn't seem to be a fundamental problem with ASLR, at least. Things could be patched to prevent something from filling up memory like that, I assume.
Re: (Score:3)
Will not work on 64 bit (Score:2, Informative)
The address Space of 64 bit processes is vast compared to available memory. The process will run out of memory before the address Space could be filled.
Unfortunately many browsers still run 32bit even on 64bit systems because of plugin compatibility. Time to move to 64 bit browser processes.
Note also that this attack is only feasible against browsers. Like other ASLR bypasses it will not Work against e.g. Outlook or Word where the attacker has very limited ability to control memory allocation.
Re:Will not work on 64 bit (Score:5, Interesting)
Every 64-bit OS I know of uses delayed allocation: when a program asks the OS for memory, the OS assigns a chunk of address space, but doesn't assign memory (physical, virtual, or otherwise) until the program actually tries to use it. It's quite possible for a program to exhaust the available address space without actually using very much memory.
Re: (Score:2)
Every 64-bit OS I know of uses delayed allocation: when a program asks the OS for memory, the OS assigns a chunk of address space, but doesn't assign memory (physical, virtual, or otherwise) until the program actually tries to use it. It's quite possible for a program to exhaust the available address space without actually using very much memory.
True. Butbthe OS will not commit more memory than it is *actually* able to assign to the process at some point. Once you allocated the memory it is the process to use. It may not be backed by physical or virtual memory (paging file) yet, but the OS must guarantee that memory *can* be accessed once it has committed to it.
The point still stands. There's a reason the article specifically limits the PoC to 32bit processes.
Re:Will not work on 64 bit (Score:4, Interesting)
VirtualAlloc with MEM_RESERVE will commit address space without reserving backing store.
Right. Can you show me how to do that from JavaScript in a browser?
Because that is what this is about. JavaScript *does not* have any function or low level binding to *reserve* memory space. It only has the ability to actually *allocate* memory (MEM_COMMIT). And that will exhaust the commit limit *long* before the address space is exhausted to the point where a library load address is predictable.
Point still stands. The technique described in the article *will not* work against 64 bit processes.
Re: (Score:2)
Every 64-bit OS I know of uses delayed allocation: when a program asks the OS for memory, the OS assigns a chunk of address space, but doesn't assign memory (physical, virtual, or otherwise) until the program actually tries to use it. It's quite possible for a program to exhaust the available address space without actually using very much memory.
True, but just the data structures for the OS heap could also become a serious burden when we start approaching actually filling the address space. On the other hand, x64 CPUs cannot handle fully arbitrary addresses, so it's all a complicated story. Suffice to say that any method using Javascript or most other "simple" ways to trigger memory allocation will also trigger memory writes into the newly allocated pages. You have to be rather careful not to write or init allocated pages in most languages and envi
Re: (Score:3)
The address Space of 64 bit processes is vast compared to available memory. The process will run out of memory before the address Space could be filled.
Unfortunately many browsers still run 32bit even on 64bit systems because of plugin compatibility. Time to move to 64 bit browser processes.
Note also that this attack is only feasible against browsers. Like other ASLR bypasses it will not Work against e.g. Outlook or Word where the attacker has very limited ability to control memory allocation.
It's worth mentioning that the critical component here is using client-executed trusted/sandboxed code (in this case, JavaScript) to exhaust the memory space. The code must be able to allocate memory, and it must be able to identify the virtual address of the memory that it allocated, else when it begins opening a hole for ASLR determinism, the shellcode won't know where to target.
Any client-side language that can allocate arbitrary memory and identify the allocated address should be able to be used in this
Re: (Score:2)
Unfortunately many browsers still run 32bit even on 64bit systems because of plugin compatibility. Time to move to 64 bit browser processes.
Notably, Google Chrome, as well as Firefox are 32-bit. Amusingly in Win8 RT, since IE is the only legitimate browser for Metro, the new tablets are resistant to this attack. It's sad that big-time browsers don't have 64 bit builds, and that you have to roll your own (Firefox - I use Waterfox) or just suffer under IA32 legacy.
Re: (Score:2)
How do you "suffer" when using a 32-bit browser?
Re: (Score:2)
Have you not read the comments in this very thread?
Re: (Score:2)
You can assign the same page of physical memory multiple times in virtual memory.
Therefore you can easily fill the whole virtual space with a single page.
Ok. Which JavaScript function would I use to do that?
DEP+ASLR are designed to prevent an attacker to get foothold when there *is* a memory corruption bug. To execute shell code the attacker has to somehow *bypass* DEP+ASLR. To do this he has very limited tools at his disposal. JavaScript does not allow the attacker to call the OS API or otherwise request certain memory areas.
So no, I can not "easily fill the whole virtual space with a single page" because I would have to do that with JavaScript if I am to u
Point of ASLR (Score:2)
The point with ASLR is for the good process to not be infiltrated by a bad one. I dont see the problem of loading a dll in a known memory location, unless you apply that to a dll of the good application, without it detecting that.
But when you arrive at that point of being able to do that, what's circumventing ASLR good for?
Re: (Score:3)
The point with ASLR is for the good process to not be infiltrated by a bad one. I dont see the problem of loading a dll in a known memory location, unless you apply that to a dll of the good application, without it detecting that.
But when you arrive at that point of being able to do that, what's circumventing ASLR good for?
You are correct that ASLR it a *mitigation*; not a failsafe protection in itself. Nor is this weakness and exploitable vulnerability *in itself*. An attacker still needs an actual exploitable memory corruption bug. But when one is found, the technique referred to as ROP can be used to bypass DEP/NX protections to gain foothold. The answer to ROP (where the attacker uses fragments of executable code loaded in known locations) is ASLR. This technique squeezes memory to take the "randomization" away from ASLR
All Fixed in Windows 9 (Score:2, Flamebait)
Or at least by Windows 10.
buffer overflows (Score:2)
Are we ever going to fix the real issue? You generally use one to start horking the stack and then get the CPU to jump to some address. Then these protections come into play.
I get the feeling people have just given up versus trying to change compilers and hardware to protect the stack. I should be able to keep writing into an unprotected char array and never come close to some instruction pointer shouldn't I. Is it too much to demand?
Re: (Score:2)
would a secondary dedicated IP stack work. Hardware wise could we tell the CPU that a byte or range is where stack is and fault if its written twice...write once or clear.
Address randomization - security through obscurity (Score:3)
Address space randomization is a form of security through obscurity. It's also an admission that your system security really sucks. The concept is that the code is full of exploitable buffer overflows, but address space randomization will make it harder for exploits to patch the right target area. So low-level exploits tend to crash the system, or at least just mess it up, rather than getting their code executed.
There are now "address spraying" attacks which counter address space randomization, so this is already an obsolete defensive measure.
Re: (Score:2)
security through obscurity
I do not think that means what you think it means.
"Security through obscurity" is being deliberately insecure and relying on other people not knowing about the insecurity as your defense.
Something like this relies on the fact that choosing a random address is much easier than guessing a random address that was previously chosen. This flaw results in forcing the victim to choose a non-random address when they intend to choose a random one. And "address spraying" works by increasing the size of the target t
Re: (Score:2)
It's already patched, and caught (Score:2)
Simple indeed (Score:2)
> A hacker has releasedÂa brilliant, yet simple trick to
> circumvent this protection
Beating up the guy after he logs in?
Re: (Score:2)
Look in a mirror! It's the address space you have to fill so that there is only one place to map the DLL. The rest can all be mapped to the zero page (and so take up zero physical memory).
Re: (Score:2)
Based on the description, so far this is only an exploit for 32-bit versions, I wonder if the size of the address space in 64-bit Windows makes it impractical?
yes
Re: (Score:2)
It doesn't even require 150 million pages. I would think making that many mappings wouldn't be a problem.
From JavaScript?. I think that would be a problem.
Remember, this technique tries to take the randomness out of ASLR *before* executing the exploit. With code in predictable locations the attacker can design an exploit using ROP (return oriented programming). But in a 64 bit process he cannot squeeze memory using JavaScript like he can on a 32 bit system.
Re:Who would've guessed? (Score:5, Interesting)
Just another in a long list of Microsoft/Windows security fails. Big shocker.
So would you rather use an OS with much, much weaker ASLR, like Linux where large parts of the OS and libraries are just loaded at predictable locations without any memory squeezing in the first place?
BTW, this technique will not Work on 64 bit processes. On OSes with weak ASLR and predictable locations for certain modules, moving to 64bits does not help on iota.
Re: (Score:2)
Just another in a long list of Microsoft/Windows security fails. Big shocker.
I know that you are probably trolling here (considering that this is a generic technique that could be applied to other operating systems), but since you have to turn off Windows Defender to get this to work (at least in Win8) then it isn't that great a failure.
Re: (Score:3)
You sure about that?
Mac OS X
Wikipedia ASLR
Apple introduced randomization of some library offsets in Mac OS X v10.5 (released October 2007).[16] Their implementation does not provide complete protection against attacks which ASLR is designed to defeat.[17][18][19][20]Mac OS X Lion 10.7 has improved ASLR implementation for all applications. Apple explains that "address space layout randomization (ASLR) has been improved for all applications. It is now available for 32-bit apps (as are heap memory protections)
Re:Other browsers and operating systems? (Score:5, Informative)
Is it possible to "rewrite the instruction pointer of the processor to a known heap address
where the shellcode resides quite deterministic" on, say, Firefox on Gnu/Linux [given that flash and java are disabled in the browser]?
This is an ASLR bypass technique, not an actual exploitable vulnerability by itself. The attacker still needs an exploitable memory corruotion vulnerability to start the attack. ASLR+DEP is designed to make it much harder for an attack to gain foothold in the face of such an attack.
An exploitable memory corruption bug could for instance be a buffer overflow or use-after-free bug in a jpeg or gif library. Such a bug allows a small window of opportunity for an attacker. However, with DEP he will have a hard time injecting actual executable code into the attacked process. Instead he will use a programming technique termed ROP (return oriented programming) where he will trampoline to code carefully chosen code fragments residing at known locations.
Think of a buffer overflow bug which allows the attacker to overwrite the return address of the vulnerable function. Instead of returning to the point where thebfunction was called, the instruction pointer will return to whatever the stack was overwritten with through the buffer overflow. The attacker *still* has not gained full control. But if he can overwrite with an address pointing to a piece of code which does all or part of what he needs he can use that. If it only does part of what he needs but ends with a RET, he can make sure that the stack above the original return address points to the Next piece of usable code.
This technique will Work in any process and on any operating system where the attacker is allowed relatively free access to allocate memory. Think browsers where JavaScript can be used to allocate/squeeze memory.
So yes, this is in no way Windows specific. It is interesting because at this point the Windows ASLR is pretty much state of the art. Only recently has OS X achieved randomization of the "dyld" - the OS libraries. Even a single library being loaded in a predictable location may be enough for the agtacker to squeeze through. Linux ASLR is weaker (not as random) and many Linux libraries are still loaded at perfectly predictable locations.
Re: (Score:2)
Re: (Score:3)
Also, returning slightly less memory than requested is a good way to get people to stop using your OS, when basically every software starts crashing.
Re: (Score:2)