NGSEC's response to Idefense overflow protections whitepaper. (PART II)
Mr Johnson,
We have made available a paper conatining several (unpublished by
iDefense's paper) tests agains PAX-like solutions in WIN32. Only
tests not deep information on how this products works.
Grab it at: [264 KB]
http://www.ngsec.com/docs/whitepapers/NGSEC-Windows_overflow_protection_comparison.pdf
With this paper will try be more accurate than Idefense's one in their
windows testing. We will also try to clarify some reader
mis-interpretations such as StackDefender not protecting .data sections
in avtp.c testbed (see log below).
If we succeed with our purposes is up to the reader. We encourage the
readers to perform these tests (NGSEC sd_tester.c and Idefense avtp.c)
and get their own conclusions. Not just reading states and claims from
both parties as they may be in-accurated.
Mr Johnson, we respect your wish to defend your company reputation too.
But disclosing PRIVATE mails, partial contents on your INTERESTED parts
is definetively not the way and a very bad idea.
We could disclose some too for the readers but it is against our policy.
NGSEC is no longer feeding this threat. Reader make your own conclusions.
Best regards,
--- LOG of StackDefender protection .data
[Thu Aug 12 16:41:27 2004] ATTACK: Shellcode Execution Attempt from "avtp.exe"
at 0x00408A91
Memory Dump:
[0x00408A91] 0x5A 0x59 0x8B 0xD0 0xE8 0x7D 0xFF 0xFF
[0x00408A99] 0xFF 0xB8 0x01 0x63 0x6D 0x64 0xC1 0xF8
[0x00408AA1] 0x08 0x50 0x89 0x65 0x34 0x33 0xC0 0x66
[0x00408AA9] 0xB8 0x90 0x01 0x2B 0xE0 0x54 0x83 0xC0
[0x00408AB1] 0x72 0x50 0xFF 0x55 0x24 0x33 0xC0 0x50
[0x00408AB9] 0x50 0x50 0x50 0x40 0x50 0x40 0x50 0xFF
[0x00408AC1] 0x55 0x14 0x8B 0xF0 0x33 0xC0 0x33 0xDB
[0x00408AC9] 0x50 0x50 0x50 0xB8 0x02 0x01 0x11 0x5C
[0x00408AD1] 0xFE 0xCC 0x50 0x8B 0xC4 0xB3 0x10 0x53
[0x00408AD9] 0x50 0x56 0xFF 0x55 0x18 0x53 0x56 0xFF
[0x00408AE1] 0x55 0x1C 0x53 0x8B 0xD4 0x2B 0xE3 0x8B
[0x00408AE9] 0xCC 0x52 0x51 0x56 0xFF 0x55 0x20 0x8B
[0x00408AF1] 0xF0 0x33 0xC9 0xB1 0x54 0x2B 0xE1 0x8B
[0x00408AF9] 0xFC 0x57 0x33 0xC0 0xF3 0xAA 0x5F 0xC6
[0x00408B01] 0x07 0x44 0xFE 0x47 0x2D 0x57 0x8B 0xC6
[...]
---
NEXT GENERATION SECURITY, S.L. [NGSEC]
C\ O'donnell 46, 3º B
28009 - Madrid, SPAIN
Tel: +34 91 435 56 27
Fax: +34 91 577 84 45
http://www.ngsec.com