Re[2]: [Full-disclosure] ASLR now built into Vista

To: c0ntex <c0ntexb@xxxxxxxxx>
Subject: Re[2]: [Full-disclosure] ASLR now built into Vista
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Date: Fri, 26 May 2006 23:16:02 +0400
Cc: "David Litchfield" <davidl@xxxxxxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx, <bugtraq@xxxxxxxxxxxxxxxxx>, <ntbugtraq@xxxxxxxxxxxxxxxxxxxxxx>
In-reply-to: <df8ba96d0605260012k18e5a874lc51cfcbeae7277eb@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.security.nnov.ru
References: <053501c68074$a87f8950$5e0ba8c0@xxxxxxxxxxxxxxx> <df8ba96d0605260012k18e5a874lc51cfcbeae7277eb@xxxxxxxxxxxxxx>
Reply-to: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>

Dear c0ntex,



--Friday, May 26, 2006, 11:12:41 AM, you wrote to davidl@xxxxxxxxxxxxxxx:


c> Since ASLR has been in and has been trivially circumvented in Linux
c> for years now (see my papers on return-to-libc & return-to-got) I
c> don't see it being a particularly hard issue to defeat :-)  Maybe
c> though, if they also randomise some other key areas like heap
c> locations and do some fancy relocation to non writable/executable
c> pages plus the drop-in of some ascii armour, we might then be on par
c> with a hardened Linux or *BSD..

c> Granted, I haven't looked at Vista yet :)

Bypassing  canary  word? It's easy. Bypassing Non-executable stack/heap?
OK.  Bypassing  ASLR?  May  be. Bypassing canary word + non-executable +
ASLR?  Not  so trivially. Neither return-to-library nor return-to-(IAT?)
fight randomization. The only actual way you mention in your articles is
function  address bruteforcing (sorry if I miss something). Bruteforcing
is  not always possible. Bruteforcing on growing 64-bit systems.... Good
luck.  Don't  forget,  unlike  POSIX  systems, single-thread application
under  Windows  is something extremely rare and stack/heap addresses are
usually  not  predictable too. Don't forget, that there is no such thing
as  'suid'  and exploitable applications are usually long-living, making
it even more harder. Quoting one good guy with 'C0ntex' nick:

-=-=-=-=-=-=-=-=-
Using the above protection methods does not stop attacks against programming
mistakes but it certainly makes it much harder to be successful and as such,
each solution will prove better than nothing at all.
-=-=-=-=-=-=-=-=-

-- 
~/ZARAZA
http://www.security.nnov.ru/

References:
- ASLR now built into Vista
  - From: David Litchfield
- Re: [Full-disclosure] ASLR now built into Vista
  - From: c0ntex

Prev by Date: Re: my Web Server << v-1.0 Denial of Service Exploit
Next by Date: cURL Safe Mode Bypass PHP 4.4.2 and 5.1.4
Previous by thread: Re: [Full-disclosure] ASLR now built into Vista
Next by thread: [SECURITY] [DSA 1075-1] New awstats packages fix arbitrary command execution
Index(es):
- Date
- Thread