<<< Date Index >>>     <<< Thread Index >>>

Re[2]: [Full-disclosure] ASLR now built into Vista



Dear c0ntex,



--Friday, May 26, 2006, 11:12:41 AM, you wrote to davidl@xxxxxxxxxxxxxxx:


c> Since ASLR has been in and has been trivially circumvented in Linux
c> for years now (see my papers on return-to-libc & return-to-got) I
c> don't see it being a particularly hard issue to defeat :-)  Maybe
c> though, if they also randomise some other key areas like heap
c> locations and do some fancy relocation to non writable/executable
c> pages plus the drop-in of some ascii armour, we might then be on par
c> with a hardened Linux or *BSD..

c> Granted, I haven't looked at Vista yet :)

Bypassing  canary  word? It's easy. Bypassing Non-executable stack/heap?
OK.  Bypassing  ASLR?  May  be. Bypassing canary word + non-executable +
ASLR?  Not  so trivially. Neither return-to-library nor return-to-(IAT?)
fight randomization. The only actual way you mention in your articles is
function  address bruteforcing (sorry if I miss something). Bruteforcing
is  not always possible. Bruteforcing on growing 64-bit systems.... Good
luck.  Don't  forget,  unlike  POSIX  systems, single-thread application
under  Windows  is something extremely rare and stack/heap addresses are
usually  not  predictable too. Don't forget, that there is no such thing
as  'suid'  and exploitable applications are usually long-living, making
it even more harder. Quoting one good guy with 'C0ntex' nick:

-=-=-=-=-=-=-=-=-
Using the above protection methods does not stop attacks against programming
mistakes but it certainly makes it much harder to be successful and as such,
each solution will prove better than nothing at all.
-=-=-=-=-=-=-=-=-

-- 
~/ZARAZA
http://www.security.nnov.ru/