Buffer Overflow?
WilliamP
April 22nd, 2008, 12:07 PM
Is buffer overflow a real concern? If it is what is the best program to stop it? I have XP SP2 32 bit.
Kees1958
April 22nd, 2008, 12:10 PM
-{ Quote: "Is buffer overflow a real concern? If it is what is the best program to stop it? I have XP SP2 32 bit." }-
DEP or Comodo Memory Firewall
Atomas31
April 22nd, 2008, 01:42 PM
Personally, I use Comodo Memory Firewall to protect against buffer overflows...
Rmus
April 22nd, 2008, 01:47 PM
Can someone point to a current buffer overflow exploit, and what it accomplishes?
Thanks,
----
rich
Pedro
April 22nd, 2008, 01:53 PM
I don't know about current, but google "buffer overflow exploit download", first result :lurking:
Atomas31
April 22nd, 2008, 01:55 PM
-{ Quote: "Can someone point to a current buffer overflow exploit, and what it accomplishes?
Thanks,
----
rich" }-
Comodo has a buffer overflow testing application at https://forums.comodo.com/comodo_memory_firewall_beta_corner/buffer_overflow_testing_application-t12541.0.html
If this is what you want...
MrBrian
April 22nd, 2008, 07:01 PM
-{ Quote: "Can someone point to a current buffer overflow exploit, and what it accomplishes?
" }-
Here is information about a buffer overflow vulnerability in Adobe Flash - http://www.securityfocus.com/bid/28695/discuss. Excerpt: "Adobe Flash Player is prone to a remote buffer-overflow vulnerability when handling multimedia files with certain tags. An attacker may exploit this issue to execute arbitrary code in the context of the affected application."
If you would like to test a (probably) harmless example of buffer overflow, please see http://forums.comodo.com/feedbackcommentsannouncementsnews/result_of_real_world_exploit_test_comodo_memory_firewall_worked-t18683.0.html;msg128015.
See http://en.wikipedia.org/wiki/Buffer_overflow for general information about buffer overflow.
Rmus
April 22nd, 2008, 07:18 PM
thanks - I know what a buffer overflow is, and I've seen the PoC demonstrations.
I would like to see some current exploits using this technique. Are they worms, as in the past? Do they work by remote code execution, or is the user enticed to click or download something?
----
rich
MrBrian
April 22nd, 2008, 07:37 PM
-{ Quote: "
I would like to see some current exploits using this technique. Are they worms, as in the past? Do they work by remote code execution, or is the user enticed to click or download something?
" }-
If you're looking for vulnerabilities, see http://research.eeye.com/html/alerts/zeroday/index.html and http://secunia.com. If you want actual code see milw0rm or metasploit. Today, for example, vulnerability 'Adobe Products BMP Handling Buffer Overflow Vulnerability' was reported, with current fix "Do not process untrusted BMP files using the affected applications. Do not connect untrusted storage devices to the local computer."
The user doesn't necessarily have to do anything abnormal to be exploited. Merely surfing a website with malicious content with a vulnerable browser or browser addon is sufficient. Looking at an infected video in a vulnerable multimedia player could get you infected. Programs listening for incoming network connections can be exploited if they are vulnerable.
Firebytes
April 22nd, 2008, 07:57 PM
Does Comodo Memory Firewall interfere with some programs' operations as DEP does?
MrBrian
April 22nd, 2008, 08:00 PM
-{ Quote: "Does Comodo Memory Firewall interfere with some programs operations as DEP does?" }-
I've used Comodo Memory Firewall for several months without problems, but of course your results might vary. See http://forums.comodo.com/comodo_memory_firewallbuffer_overflow_protection-b97.0/ for the official product forum.
Meriadoc
April 22nd, 2008, 08:05 PM
So what other software is out there to help guard the 'stack'?
I know of and have tried Wehnus (http://www.wehnus.com/) and also grsecurity (http://www.grsecurity.net/), and hardened Linux, BSD - PaX kernel patch, but what else?
MrBrian
April 22nd, 2008, 08:30 PM
-{ Quote: "So what other software is out there to help guard the 'stack.'
" }-
Data Execution Prevention - built into Windows but configurable.
Use anti-malware scanner that scans all files, not just executables. Poisoned data files can be detected by at least some anti-malware products.
To limit damage - either use limited user account, or if using administrator account then use 'Basic User' setting in Software Restriction Policy for all programs that might be exposed to malicious content.
MrBrian
April 22nd, 2008, 08:37 PM
Some products listed here - http://www.sys-manage.com/PRODUCTS/BufferShield/PreventedExploits/tabid/63/Default.aspx
InVitroVeritas
April 22nd, 2008, 09:13 PM
-{ Quote: "Is buffer overflow a real concern? If it is what is the best program to stop it? I have XP SP2 32 bit." }-
Threatfire.
ErikAlbert
April 22nd, 2008, 09:18 PM
I have set DEP in the past already, because I found this in my installation file :
1. Click Start / Control Panel / System
2. Click Advanced-tab
3. Click Settings of Performance
4. Click Data Execution Prevention
5. Mark "Turn on DEP for all programs and services"
6. Click OK-button
Not really convinced if that will do the job, it's M$. ::)
Is BufferShield, at $20, worth installing?
HyperFlow
April 22nd, 2008, 09:33 PM
-{ Quote: "Some products listed here - http://www.sys-manage.com/PRODUCTS/BufferShield/PreventedExploits/tabid/63/Default.aspx" }-
I looked at the other BO protectors. Would you know if CMF will protect like [BufferShield]? Thanks for any help on this subject, I'm almost lost.
Meriadoc
April 22nd, 2008, 09:34 PM
-{ Quote: "Is BufferShield, at $20, worth installing?" }-
Not sure; the best way to find out is to try it. Going by that table, Wehnus, which is freeware, nearly protects against them all.
Meriadoc
April 22nd, 2008, 09:40 PM
-{ Quote: "Data Execution Prevention - built into Windows but configurable.
Use anti-malware scanner that scans all files, not just executables. Poisoned data files can be detected by at least some anti-malware products.
To limit damage - either use limited user account, or if using administrator account then use 'Basic User' setting in Software Restriction Policy for all programs that might be exposed to malicious content." }-
Okay, I'm with you there, as I use DEP, SRP and have a limited account on the computer already. Do we need a stack defender?
ErikAlbert
April 22nd, 2008, 09:41 PM
Wehnus
http://www.wehnus.com/support.pl
I tried it long ago and it didn't work, bugs maybe.
Meriadoc
April 22nd, 2008, 09:45 PM
Sorry, in what way didn't it work? The program, protection?
ErikAlbert
April 22nd, 2008, 09:53 PM
-{ Quote: "Sorry, in what way didn't it work? The program, protection?" }-
I don't remember the details, but it caused problems on my system.
Looking at the version #, its development seems to be frozen also.
MrBrian
April 22nd, 2008, 11:20 PM
-{ Quote: "Wehnus
http://www.wehnus.com/support.pl
I tried it long ago and it didn't work, bugs maybe." }-
I haven't tried out this product, but I did read the same things (about bugs, that is) somewhere else online. Since development is frozen, I'd avoid it.
MrBrian
April 22nd, 2008, 11:29 PM
-{ Quote: "I looked at the other BO protectors. Would you know if CMF will protect like [BufferShield]? Thanks for any help on this subject, I'm almost lost." }-
I did personally test out Comodo Memory Firewall on one example (well, two if you include the Comodo BO Tester program): http://forums.comodo.com/feedbackcommentsannouncementsnews/result_of_real_world_exploit_test_comodo_memory_firewall_worked-t18683.0.html. CMF worked with both, but be careful about drawing conclusions from a sample size of two.
Here is vendor-supplied information about CMF:
"Comodo Memory Firewall detects the following types of attack:
Detection of Buffer Overflows which occur in the STACK memory,
Detection of Buffer Overflows which occur in the HEAP memory,
Detection of ret2libc attacks,
Detection of corrupted/bad SEH Chains"
MrBrian
April 22nd, 2008, 11:32 PM
-{ Quote: "I have set DEP in the past already, because I found this in my installation file :
1. Click Start / Control Panel / System
2. Click Advanced-tab
3. Click Settings of Performance
4. Click Data Execution Prevention
5. Mark "Turn on DEP for all programs and services"
6. Click OK-button
Not really convinced if that will do the job, it's M$. ::)
" }-
Software DEP and hardware DEP are different. Software DEP is weak. Hardware DEP is better. Since it's known how to bypass DEP, you might wish to consider Comodo Memory Firewall even if you have hardware DEP.
ErikAlbert
April 22nd, 2008, 11:58 PM
-{ Quote: "Software DEP and hardware DEP are different. Software DEP is weak. Hardware DEP is better. Since it's known how to bypass DEP, you might wish to consider Comodo Memory Firewall even if you have hardware DEP." }-
I have no idea what hardware DEP is, but I'm going to install CMF.
Any security software that enforces my boot-to-restore is welcome, except blacklist-based security softwares.
I will try CMF today and see if it likes my system. Thanks a lot. :)
MrBrian
April 23rd, 2008, 12:04 AM
-{ Quote: "I have no idea what hardware DEP is, but I'm going to install CMF.
Any security software that enforces my boot-to-restore is welcome, except blacklist-based security softwares.
I will try CMF today and see if it likes my system. Thanks a lot. :)" }-
You're welcome :).
See http://en.wikipedia.org/wiki/Data_Execution_Prevention.
Meriadoc
April 23rd, 2008, 06:15 AM
Erik, here's utility called SecurAble (http://www.grc.com/securable.htm) to find out what your machine offers.
ErikAlbert
April 23rd, 2008, 08:26 AM
Thanks for the tool. My processor:
"AMD (939) ATX Athlon 4400+ 64Bit X2 Dual-Core Processor" does indeed have DEP.
-{ Quote: "
Hardware DEP Available
This processor does support hardware-based data execution prevention (DEP).
When hardware DEP support is teamed up with a properly configured operating system (and that part is crucial), computer security mistakes involving the deliberate overrunning of communications buffers can be automatically detected and prevented throughout the entire computer system. This makes data execution prevention, when available and active, the single most promising improvement for PC security ever. Really.
It is very important to note, however, that hardware support for DEP is only one of several enabling requirements that must be met before any benefit can be obtained. GRC will be following up the release of SecurAble with another powerful tool, DEPuty, that will help to properly configure, test and verify the operation of your system's critical DEP subsystem.
" }-
How do I know if it is active or not?
HURST
April 23rd, 2008, 09:59 AM
@ErikAlbert
At least on my laptop, there is an option in the BIOS,
but I also would like to know how I can test it... I haven't a Comodo account, so I can't download their test...
Pedro
April 23rd, 2008, 10:11 AM
Slipfest: http://slipfest.cr0.org/
NXTEST: http://user.cs.tu-berlin.de/~normanb/
zopzop
April 23rd, 2008, 12:06 PM
Guys, is there a way to get buffer overflow protection using the tools built into Windows? I know Windows has that DEP protection but I heard it's weak.
Is there any option (especially in Windows XP Pro) that can provide respectable buffer overflow protection?
ErikAlbert
April 23rd, 2008, 12:57 PM
-{ Quote: "Guys, is there a way to get buffer overflow protection using the tools built into Windows? I know Windows has that DEP protection but I heard it's weak.
Is there any option (especially in Windows XP Pro) that can provide respectable buffer overflow protection?" }-
That's why I installed Comodo Memory Firewall (freeware), but hardware DEP is much better and that's why I wrote some questions about it in this thread.
I'd like to solve this once and for all.
zopzop
April 23rd, 2008, 01:28 PM
-{ Quote: "but hardware DEP is much better..." }-
I'm outta luck in this regard as neither of my PCs has a processor that supports hardware DEP. That's why I was hoping for a good software solution. I was hoping there was some option in Windows itself that would provide a good solution to the problem, but apparently there isn't, and now I need to find a good third party product that does the job.
There is a freeware product called Wehnus; it seems to prevent a good majority of these exploits, but when I tried it on my system I got a BSOD.
-{ Quote: "I'd like to solve this once and for all." }-
Me too! :)
Ilya Rabinovich
April 23rd, 2008, 01:33 PM
-{ Quote: "There is a freeware product called Wehnus" }-
It is written in a poor way, and not supported anymore.
ErikAlbert
April 23rd, 2008, 01:39 PM
-{ Quote: "It is written in a poor way, and not supported anymore." }-
I fully agree, very buggy software and its development is frozen.
lucas1985
April 23rd, 2008, 02:02 PM
-{ Quote: "Do they work by remote code execution?" }-
Yes. The buffer overflow is used to execute shellcode which drops/downloads the real payload. Execution control (Anti-Executable, classical HIPS, SRP) stops the payload from being delivered.
-{ Quote: "I have set DEP in the past already, because I found this in my installation file :
1. Click Start / Control Panel / System
2. Click Advanced-tab
3. Click Settings of Performance
4. Click Data Execution Prevention
5. Mark "Turn on DEP for all programs and services"
6. Click OK-button
Not really convinced if that will do the job, it's M$. ::) " }-
You're using the OptOut switch. AlwaysOn provides the maximum protection.
Check here (http://support.microsoft.com/kb/875352/en-us) on how to set up DEP properly.
-{ Quote: "Is BufferShield, at $20, worth installing?" }-
No, if you have hardware-enforced DEP. Check for the presence of the NX bit (http://www.grc.com/securable.htm). If you don't have hardware-enforced DEP, Comodo Memory Firewall may be the best solution.
Wehnus is buggy (it froze several of my VMs) and they don't answer support mails.
zopzop
April 23rd, 2008, 02:24 PM
-{ Quote: "No, if you have hardware-enforced DEP. Check for the presence of the NX bit (http://www.grc.com/securable.htm)." }-
Amazingly, according to the program at that link I DO have hardware DEP :) but not hardware virtualization :( so if I enable it somehow I don't need third party software for buffer overflow protection?
-{ Quote: "Wehnus is buggy (it froze several of my VMs) and they don't answer support mails." }-
Yeah, I've given up on them.
EDIT: after finding out BOTH my computers support hardware DEP thanks to lucas' link to the GRC site, I followed the other link lucas provided to the Microsoft site telling you how to set up hardware DEP. I then ran the buffer overflow test mentioned here (https://www.sys-manage.com/PRODUCTS/BufferShield/DEPcomparison/tabid/186/Default.aspx); I passed all 5 tests!
LUCAS i <3 u :)
Pedro
April 23rd, 2008, 02:42 PM
I got this on DEP:
http://www.wilderssecurity.com/attachment.php?attachmentid=199086&stc=1&d=1207509197
This option is called OptOut. Programs with certain packers will bypass DEP.
http://blog.fabriceroux.com/index.php/2007/02/26/hardware_dep_has_a_backdoor?blog=1
So, if you don't want exceptions, or some auto exception (which is wonderful from a security perspective), the best option is AlwaysOn (or hex editing like the link explains, which I won't do). That is only chosen by editing the boot.ini file, substituting "OptOut" for "AlwaysOn" (after noexecute).
http://support.microsoft.com/default.aspx?kbid=875352&product=windowsxpsp2
There really isn't any whitelist, everything must comply.
Opera does not run under this mode, or didn't (i.e., Opera does not run with DEP at all). The beta is OK according to MikeNAS.
Firefox must not have the talkback extension, or it won't run, no warning.
One good utility to see what programs have DEP is Process Explorer. You have to add the column "DEP".
Zopzop: I took that pic from the MS site, and if you look at it you will notice that message on the bottom. It's probably what you read as well.
This means 1 of 2 things: your CPU really doesn't have the NX bit, or that option isn't enabled in the BIOS (it happened to me).
*This is just a modified version of an earlier post... :P
lucas1985
April 23rd, 2008, 03:22 PM
-{ Quote: "so if I enable it somehow I don't need third party software for buffer overflow protection?" }-
I'd say no. I'm not sure what we could gain installing for example CMF if we have hardware DEP and other protections provided by the OS.
-{ Quote: "LUCAS i <3 u :)" }-
Sorry, I don't know what this means ;D
Please, also take a look at Pedro's post.
zopzop
April 23rd, 2008, 03:28 PM
-{ Quote: "I'd say no." }-
Sweet! One less piece of software to worry about :thumb:
-{ Quote: "Sorry, I don't know what this means ;D" }-
The <3 is supposed to be a "heart"; it reads "i <3 (heart) you" :P
lucas1985
April 23rd, 2008, 03:40 PM
Got it :thumb:
ErikAlbert
April 23rd, 2008, 04:18 PM
I'm ready for the future :
1. Turn on DEP for all programs and services is MARKED
2. BOOT.INI contains /NoExecute=AlwaysOn
3. CPU Hardware DEP = YES, which means to me it's active.
4. Comodo Memory Firewall v2.0.4.20 is installed and runs for all applications.
So I have now a 4-Layered Buffer Overrun Protection (LBOP) combined with
a Rollback Intrusion Prevention System (RIPS). In other words I'm invincible, like Superman.
Thank you all for your co-operation. :)
@DEP-less users : get back on the horse and imitate me. ;D
WilliamP
April 23rd, 2008, 04:46 PM
Hi guys I have 2 computers. One processor supports DEP and one doesn't. I have installed CMF on the one that doesn't for now.
lucas1985
April 23rd, 2008, 04:48 PM
Erik, your setup still lacks ASLR (http://en.wikipedia.org/wiki/Address_space_layout_randomization), which is only available in Vista.
ErikAlbert
April 23rd, 2008, 05:19 PM
-{ Quote: "Erik, your setup still lacks ASLR (http://en.wikipedia.org/wiki/Address_space_layout_randomization), which is only available in Vista." }-
All these Einstein formulas are too much for my simple brain.
This has to wait until I buy another computer with winVISTA on it. In 2013 perhaps. :)
lucas1985
April 23rd, 2008, 05:25 PM
LOL, Einstein formulas ;D
WilliamP
April 23rd, 2008, 05:31 PM
What does changing BOOT.INI to /noexecute=AlwaysOn actually do?
ErikAlbert
April 23rd, 2008, 05:43 PM
-{ Quote: "What does changing BOOT.INI to /noexecute=AlwaysOn actually do?" }-
But don't ask me more than this.
-{ Quote: "AlwaysOn = this setting provides full DEP coverage for the whole system. All processes always run with DEP applied. The exceptions list to exempt specific programs from DEP protection is not available. System compatibility fixes for DEP do not take effect. Programs that have been opted-out by using the Application Compatibility Toolkit run with DEP applied." }-
lucas1985
April 23rd, 2008, 05:45 PM
OptOut:
-{ Quote: "DEP is enabled by default for all processes. You can manually create a list of specific programs that do not have DEP applied by using the System dialog box in Control Panel. Information technology (IT) professionals can use the Application Compatibility Toolkit to "opt-out" one or more programs from DEP protection. System compatibility fixes, or shims, for DEP do take effect." }-
AlwaysOn:
-{ Quote: "This setting provides full DEP coverage for the whole system. All processes always run with DEP applied. The exceptions list to exempt specific programs from DEP protection is not available. System compatibility fixes for DEP do not take effect. Programs that have been opted-out by using the Application Compatibility Toolkit run with DEP applied." }-
OptOut "backdoor":
-{ Quote: "Microsoft just coded a backdoor used only in OPTOUT. Basically Microsoft checks the executable header for a section matching one of the 3 strings. If one of these strings is found, DEP will be turned OFF for this application by Windows." }-
Without this "backdoor", OptOut would be the preferred option. With this "backdoor", you can't trust OptOut to protect you.
WilliamP
April 23rd, 2008, 06:16 PM
Thank you all for the info. Seeing as how this processor doesn't support DEP what DEP is going to be always on?
lucas1985
April 23rd, 2008, 06:28 PM
-{ Quote: "Thank you all for the info. Seeing as how this processor doesn't support DEP what DEP is going to be always on?" }-
Software DEP:
-{ Quote: "Software DEP, while unrelated to the NX bit, is what Microsoft calls their enforcement of "Safe Structured Exception Handling". Software DEP/SafeSEH simply checks when an exception is thrown to make sure that the exception is registered in a function table for the application, and requires the program to be built with it. However, even though it creates an impression that software DEP is related to the prevention of executing code in data pages, it is a separate form of protection." }-
CogitoErgoSum
April 23rd, 2008, 07:11 PM
For those who are interested,
Here are some DEP related links.
http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx (How to Configure Memory Protection in Windows XP SP2)
http://windowssecrets.com/2007/05/03/01-How-DEP-can-protect-your-PC (How DEP can protect your PC)
http://windowssecrets.com/2007/05/10/02-Readers-revelations-on-DEP-and-software-discounts (Readers' revelations on DEP)
http://www.vistax64.com/tutorials/120778-dep-enable-disable.html (How to Enable or Disable DEP in Vista)
Hope this helps.
Peace & Gratitude,
CogitoErgoSum
MrBrian
April 23rd, 2008, 08:00 PM
Here are some guidelines (draft 1) on the need for third party buffer overflow protection products:
a) If you're using Windows XP, you need a 3rd party product that provides return-to-libc buffer overflow protection or address space layout randomization. Windows XP lacks address space layout randomization. Thus, DEP can be turned off in a return-to-libc type of buffer overflow exploit (source: http://blogs.zdnet.com/security/?p=912). Comodo Memory Firewall claims to offer return-to-libc buffer overflow protection. Wehntrust provides address space layout randomization, but there are reports of bugs with this product.
b) If you're using Vista, address space layout randomization is available, which makes it more difficult for return-to-libc buffer overflow exploits, which can turn off DEP, to succeed. However, address space layout randomization in Vista is an opt-in protection. A telling quote from http://erratasec.blogspot.com/2008/02/unsafe-at-anyspeed.html: "Among the companies/products currently ignoring [address space layout randomization] are: Mozilla’s Firefox, Google’s toolbar, Apple’s iTunes, Adobe’s PDF reader, Roxio’s media creation tools, and Divx’s player. Actually, we haven’t found any company that turns on [address space layout randomization] consistently." I don't know if there is a way to turn on address space layout randomization always in Vista. DEP, similarly, is an opt-in protection by default in Vista. As pointed out in prior posts, this can be changed to be always on. My recommendation for Vista is if you have hardware DEP set to always on (which is not the default), and also address space layout randomization set to always on (if this is even possible?), then you don't need a third party buffer overflow protection product. For Vista, if either DEP or address space layout randomization is not always on, or if you don't have hardware DEP, then I recommend using a 3rd party product that provides return-to-libc buffer overflow protection, such as Comodo Memory Firewall. Running DEP as opt-out is not a safe substitute for always on, due to the backdoor Microsoft programmed, as alluded to by a previous post (but I'm not sure if this backdoor is also present in Vista, because the article references XP only).
Feedback/corrections are welcome :).
MrBrian
April 23rd, 2008, 08:17 PM
There is a program available at http://erratasec.blogspot.com/2008/02/unsafe-at-anyspeed.html called Looking Glass. Description from its About box: "Looking Glass is a program designed to analyze files on Vista and determine which advanced security features are not being used. Examples include ASLR, NX, and use of unsafe functions." The program seems to work on XP also.
zopzop
April 23rd, 2008, 09:36 PM
Guys, ever heard of this program? It's called Ozone:
http://www.securityarchitects.com/products.html
Seems to be freeware, it's only 1.8 megs, and says it protects against buffer overflow exploits (among other things).
From the website:
-{ Quote: "
Does Ozone protect against buffer overflows?
Yes, Ozone's memory protection ring is designed to provide transparent protection against memory related attacks such as buffer overflows. " }-
I think it uses ASLR too.
MrBrian
April 23rd, 2008, 09:53 PM
List of buffer overflow protection products at http://isc.sans.org/diary.html?date=2005-08-23.
zopzop
April 23rd, 2008, 09:59 PM
A ha! From the link you provided MrBrian:
-{ Quote: "* Ozone HIPS is a policy based HIPS that has buffer overflow protection by randomizing the memory address space." }-
And according to that page it's also the only one that's freeware (unless I'm reading something wrong).
Time to download and test this sucker.......
LoneWolf
April 23rd, 2008, 10:11 PM
-{ Quote: "
And according to that page it's also the only one that's freeware (unless I'm reading something wrong).
Time to download and test this sucker.......
" }-
Only that the link dates back to 2005.
Outdated......Maybe.
I notice you have Geswall installed.
Is it wise to have two policy based security apps ???
MrBrian
April 23rd, 2008, 10:22 PM
-{ Quote: "A ha! From the link you provided MrBrian:
And according to that page it's also the only one that's freeware (unless I'm reading something wrong).
Time to download and test this sucker......." }-
As a matter of fact, I found this link because of your mention of Ozone :). But then I forgot to post the answer to your question.
For buffer overflow protection freeware, there is also Comodo Memory Firewall (which I use), ThreatFire, Prevx2, WehnTrust, the DEP stuff in Windows, and maybe some other things already mentioned in this topic.
wat0114
April 23rd, 2008, 11:25 PM
From the bit of research I've done, it seems buffer overflows would be of little concern if programmers wrote better code for their programs. They don't often check data sizes, or something to that effect, so buffer overflow vulnerabilities often abound in their programs, until they are found and patched? Why does no one talk about this?
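The "not checking data sizes" defect described in the post above, shown as an added example that is not from this thread: a function that copies caller input into a fixed stack buffer with no bound, beside a hardened version that makes the size check explicit and reports rejection. The function names and the 16-byte limit are hypothetical.

```c
/* Added example (not from the thread): the missing size check the post
 * above describes, shown as a vulnerable function beside a hardened one.
 * Names, the 16-byte limit and the sample inputs are constructed. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_MAX 16

/* VULNERABLE: copies the caller's string into a fixed 16-byte stack buffer
 * with no length check. Input of 16 bytes or more writes past the end of
 * `name` (the terminator alone overruns it), corrupting whatever the
 * compiler placed next to it on the stack. */
void greet_unsafe(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);           /* no bound: overflow if input is long */
    printf("Hello, %s\n", name);
}

/* HARDENED: the size check is explicit and the function reports rejection
 * instead of silently truncating. Returns true only if the input fit,
 * terminator included; on rejection `out` is left as an empty string. */
bool greet_safe(const char *input, char *out, size_t out_len)
{
    if (out_len == 0)
        return false;
    size_t n = strlen(input);
    if (n >= out_len) {            /* would not fit with the terminator */
        out[0] = '\0';
        return false;
    }
    memcpy(out, input, n + 1);     /* n + 1 copies the terminator too */
    return true;
}

/* Same interface as greet_unsafe, but built on the bounded copy. */
bool greet_checked(const char *input)
{
    char name[NAME_MAX];
    if (!greet_safe(input, name, sizeof name)) {
        fprintf(stderr, "rejected: %zu-byte input exceeds %d-byte limit\n",
                strlen(input), NAME_MAX - 1);
        return false;
    }
    printf("Hello, %s\n", name);
    return true;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that is too long. */
    const char *ok = "Ada";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes */
    greet_checked(ok);         /* accepted */
    greet_checked(too_long);   /* rejected, nothing written past the buffer */
    /* greet_unsafe(too_long) would overrun `name`. DEP can only act once
     * corrupted data is executed; the bound check removes the bug itself. */
    return 0;
}
```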
zopzop
April 24th, 2008, 12:12 AM
-{ Quote: "Is it wise to have two policy based security apps ???" }-
You are correct :) I'd temporarily uninstall GeSWall before installing Ozone.
EDIT: do GeSWall, DefenseWall, or Sandboxie stop buffer overflow exploits?
-{ Quote: "For buffer overflow protection freeware, there is also Comodo Memory Firewall (which I use), ThreatFire, Prevx2, WehnTrust, the DEP stuff in Windows, and maybe some other things already mentioned in this topic." }-
How would any of those fare against this test (https://www.sys-manage.com/PRODUCTS/BufferShield/DEPcomparison/tabid/186/Default.aspx)? According to this link here (http://www.wilderssecurity.com/showpost.php?p=1154420&postcount=16), Comodo Memory Firewall fails all 5. The software DEP in Windows also fails all 5 tests (I've tested it myself). WehnTrust is so buggy it causes blue screens of death on people's machines, including mine, so I couldn't test it.
However, hardware DEP passes all 5 tests, I've tested it myself (thanks lucas for the links showing how to tell if your processor supports it and how to enable it).
If anyone has Prevx or ThreatFire installed, can you run the test? It's not destructive.
ErikAlbert
April 24th, 2008, 12:30 AM
-{ Quote: "
However, hardware DEP passes all 5 tests, I've tested it myself (thanks lucas for the links showing how to tell if your processor supports it and how to enable it).
" }-
I ran this test and my hardware DEP passed all 5 tests. :)
Because I had hardware DEP all the time without knowing it, I was already protected against Buffer Overflows, so I don't really need CMF.
ErikAlbert
April 24th, 2008, 12:37 AM
-{ Quote: "From the bit of research I've done, it seems buffer overflows would be of little concern if programmers wrote better code for their programs. They don't often check data sizes, or something to that effect, so buffer overflow vulnerabilities often abound in their programs, until they are found and patched? Why does no one talk about this?" }-
According to my McAfee readings, you are very right. Bad coding is the only reason why buffer overflow is possible.
So the good guys are the reason why the bad guys can play with us.
Rmus
April 24th, 2008, 12:45 AM
-{ Quote: "... so buffer overflow vulnerabilities often abound in their programs, until they are found and patched? Why does no one talk about this?" }-
There is also not much discussion regarding how one becomes a victim to a buffer overflow exploit.
----
rich
wat0114
April 24th, 2008, 12:51 AM
-{ Quote: "According to my McAfee readings, you are very right. Bad coding is the only reason why buffer overflow is possible.
So the good guys are the reason why the bad guys can play with us." }-
Thanks for confirming what I thought to be true. Is there not some sort of standard in place that compels programmers, especially those of popular applications, to exercise more prudence in their work? In fairness, I suppose, it must be painstaking work to develop a lot of these programs, given the skill and patience required to do so. Perhaps monetary gain has more bearing in many cases, as opposed to pride in workmanship?
-{ Quote: "There is also not much discussion regarding how one becomes a victim to a buffer overflow exploit.
----
rich" }-
I'd welcome more of it :)
MrBrian
April 24th, 2008, 12:59 AM
Here are some guidelines (draft 2) on the need for third party buffer overflow protection products:
Note: see http://en.wikipedia.org/wiki/Data_Execution_Prevention for an explanation of DEP.
a) If you're using Windows XP with Hardware DEP on:
Windows XP lacks address space layout randomization. As a result, buffer overflow exploits of type return-to-libc are not prevented. One thing a return-to-libc buffer overflow exploit can do is turn off Hardware DEP for a given process, except, I assume, if Hardware DEP is set to Always On (see 'Bypassing Windows Hardware-enforced Data Execution Prevention' at http://www.uninformed.org/?v=2&a=4). There are 4 settings for DEP: Opt In, Opt Out, Always On, and Always Off. The default is Opt In, which protects only Microsoft's own code, and also 3rd party code that opts in. Opt Out protects everything except those programs you specify. As noted by another post, Opt Out also excludes some programs automatically - see http://blog.fabriceroux.com/index.php/2007/02/26/hardware_dep_has_a_backdoor?blog=1 for details. Always On is the strongest setting, but might cause bootup failure because of where it is specified. If you're using the DEP Always On setting, you still need a 3rd party product that provides return-to-libc buffer overflow protection. If you're not using the DEP Always On setting, some programs will not be covered by Hardware DEP, and thus I recommend using a 3rd party buffer overflow protection product that also includes return-to-libc buffer overflow protection. Comodo Memory Firewall features buffer overflow protection, including type return-to-libc. Products that provide address space layout randomization also make return-to-libc buffer overflow exploits much more difficult. Wehntrust provides address space layout randomization, but there are reports of bugs with this product.
b) If you're using Windows XP with software DEP on:
Software DEP protects against only a specific type of buffer overflow exploit that targets Structured Exception Handling. Software DEP is better than nothing but nevertheless weak, and is not comparable to Hardware DEP. I recommend using a 3rd party buffer overflow protection product such as Comodo Memory Firewall.
c) If you're using Windows XP with DEP off:
I recommend using a 3rd party buffer overflow protection product such as Comodo Memory Firewall.
d) If you're using Vista with Hardware DEP on:
Address space layout randomization is available in Vista, which makes it more difficult for return-to-libc buffer overflow exploits to succeed. However, address space layout randomization in Vista is an opt-in protection. A telling quote from http://erratasec.blogspot.com/2008/02/unsafe-at-anyspeed.html: "Among the companies/products currently ignoring [address space layout randomization and DEP] are: Mozilla’s Firefox, Google’s toolbar, Apple’s iTunes, Adobe’s PDF reader, Roxio’s media creation tools, and Divx’s player. Actually, we haven’t found any company that turns on [address space layout randomization and DEP] consistently." Thus, since so many 3rd party products don't actually use address space layout randomization, you still need a 3rd party product that provides protection against return-to-libc buffer overflow exploits. One thing a return-to-libc buffer overflow exploit can do is turn off Hardware DEP for a given process, except, I assume, if Hardware DEP is set to Always On (see 'Bypassing Windows Hardware-enforced Data Execution Prevention' at http://www.uninformed.org/?v=2&a=4) (note: not sure if this actually holds true for Vista). There are 4 settings for DEP: Opt In, Opt Out, Always On, and Always Off. The default is Opt In, which protects only Microsoft's own code, and also 3rd party code that opts in. Opt Out protects everything except those programs you specify. As noted by another post, Opt Out also excludes some programs automatically - see http://blog.fabriceroux.com/index.php/2007/02/26/hardware_dep_has_a_backdoor?blog=1 for details (note: not sure if this actually holds true for Vista). Always On is the strongest setting, but might cause bootup failure because of where it is specified. If you're using the DEP Always On setting, you still need a 3rd party product that provides return-to-libc buffer overflow protection. 
If you're not using the DEP Always On setting, some programs will not be covered by Hardware DEP, and thus I recommend using a 3rd party buffer overflow protection product that also includes return-to-libc buffer overflow protection. Comodo Memory Firewall features buffer overflow protection, including type return-to-libc.
e) If you're using Windows Vista with software DEP on:
Software DEP protects against only a specific type of buffer overflow exploit that targets Structured Exception Handling. Software DEP is better than nothing but nevertheless weak, and is not comparable to Hardware DEP. I recommend using a 3rd party buffer overflow protection product such as Comodo Memory Firewall.
f) If you're using Windows Vista with DEP off:
I recommend using a 3rd party buffer overflow protection product such as Comodo Memory Firewall.
Feedback/corrections are welcome :).
MrBrian
April 24th, 2008, 01:05 AM
-{ Quote: "according to this link here (http://www.wilderssecurity.com/showpost.php?p=1154420&postcount=16), comodo memory firewall fails all 5. " }-
I read a post on the Comodo forum from a person I believe may be a/the developer of Comodo Memory Firewall. This individual stated that CMF throws an alert when the code in the buffer overflow exploit shellcode calls a Windows API. Thus what could perhaps be happening is that the test shellcode simply does not call a Windows API. That's just a possibility to consider.
MrBrian
April 24th, 2008, 01:08 AM
-{ Quote: "Thanks for confirming what I thought to be true. Is there not some sort of standard in place that compels programmers, especially those of popular applications, to exercise more prudence in their work? In fairness, I suppose, it must be painstaking work to develop a lot of these programs, given the skill and patience required to do so. Perhaps monetary gain has more bearing in many cases, as opposed to pride in workmanship?
" }-
In the programming world, development speed is often valued (read: rewarded) by managers over correctness/security considerations. Also, some programmers were never taught how to code securely.
MrBrian
April 24th, 2008, 01:09 AM
-{ Quote: "I ran this test and my hardware DEP passed all 5 tests. :)
Because I had hardware DEP all the time without knowing it, I was already protected against Buffer Overflows, so I don't really need CMF." }-
Not quite true - buffer overflow exploits of type return-to-libc are not prevented with Hardware DEP. That's the reason address space layout randomization was added to Vista. But even in Vista, most 3rd party products simply don't use address space layout randomization currently. Thus, you still need a product that can handle buffer overflow exploits of type return-to-libc.
ErikAlbert
April 24th, 2008, 01:22 AM
-{ Quote: "Not quite true - buffer overflow exploits of type return-to-libc are not prevented with Hardware DEP. That's the reason address space layout randomization was added to Vista. But even in Vista, most 3rd party products simply don't use address space layout randomization currently. Thus, you still need a product that can handle buffer overflow exploits of type return-to-libc." }-
OK. I keep it. Thank you very much. :)
MrBrian
April 24th, 2008, 01:24 AM
-{ Quote: "OK. I keep it. Thank you very much. :)" }-
You're welcome :).
ErikAlbert
April 24th, 2008, 01:27 AM
-{ Quote: "In the programming world, development speed is often valued (read:rewarded) by managers over correctness/security considerations. Also, some programmers were never taught how to code securely." }-
No wonder the quality of applications is going down.
No wonder they can't even uninstall their own software.
When somebody isn't doing his job very well, someone else has to pay for it, in this case many, many users have to pay for it.
Rmus
April 24th, 2008, 01:33 AM
Looking at recent security advisories, it seems that there are two requirements necessary to be victimized by a buffer overflow exploit:
1) an application that is vulnerable
2) a malicious file that is run by the application.
Here is a recent one for some Adobe products:
http://secunia.com/advisories/29838/
-{ Quote: "Successful exploitation may allow execution of arbitrary code via a specially crafted BMP file.
NOTE: Reportedly, the vulnerability can also be exploited when a malicious storage device (e.g. USB drives, cameras) is being attached to a vulnerable computer." }-
It seems that the new NULL pointer exploit has the same requirements. Here is one for flash:
http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/
-{ Quote: "Dowd's exploit uses a NULL pointer write32 to knock the locks off the bytecode interpreter in Flash, so that his SWF file can run bytecode that will rewrite the system stack." }-
Please list other scenarios if known!
----
rich
HyperFlow
April 24th, 2008, 01:41 AM
This may not be of any use, but I myself know a lot of people that use VLC player.
-{ Quote: "An integer overflow error within the "MP4_ReadBox_rdrf()" function in modules/demux/mp4/libmp4.c can be exploited to cause a heap-based buffer overflow via e.g. a MP4 file with a specially crafted RDRF atom." }-
http://secunia.com/advisories/29503/
Rmus
April 24th, 2008, 01:43 AM
Thanks, HyperFlow, for that link.
This seems to also require a vulnerable application, and a malicious file to exploit the vulnerability.
----
rich
HyperFlow
April 24th, 2008, 01:50 AM
I was reading on their (VLC) site that even a file with *what should be subtitles* can be used to deliver the BO, and they were suggesting to turn the auto-detect subs off until the person knew if it was subs or an exploit.
Rmus
April 24th, 2008, 01:53 AM
How would he know if it were an exploit or not?
----
rich
HyperFlow
April 24th, 2008, 01:59 AM
VLC was suggesting to make sure that it was a sub file and not an exploit file. I guess one could open it, but I'm not sure how that would be done without a risk. The only thing I can find off the bat: http://en.wikibooks.org/wiki/Editing_a_subtitle_file_with_a_text_editor
ErikAlbert
April 24th, 2008, 02:13 AM
wat0114,
Here is the proof :
http://www.mcafee.com/us/local_content/white_papers/wp_ricochetbriefbuffer.pdf
bman412
April 24th, 2008, 02:16 AM
-{ Quote: "
4. Comodo Memory Firewall v2.0.4.20 is installed and runs for all applications.
" }-
There is a CMF bug, though, which says CMF drivers aren't loaded when you access the GUI through the system tray.
http://forums.comodo.com/help/driver_is_not_active_bug-t18836.0.html
MrBrian
April 24th, 2008, 03:16 AM
-{ Quote: "Looking at recent security advisories, it seems that there are two requirements necessary to be victimized by a buffer overflow exploit:
1) an application that is vulnerable
2) a malicious file that is run by the application.
" }-
That's correct. "A malicious file that is run by the application" doesn't refer to just situations where you open a file in a program's File menu. It also refers to the rendering of a page in a web browser, including content processed by browser addins such as Flash. It also refers to the communication of information to a program that listens for network connections. An example of such a program is a BitTorrent client. These are some different ways that data can be brought into an application.
EASTER
April 24th, 2008, 03:45 AM
I think all this talk about buffer overflow is way overrated and the discussions keep mounting up about it. When's the last time anyone really got a webpage buffer overflow? And look at the percentages of them compared to more dangerous exploits on the loose.
I don't worry about them myself, because for one thing they're overrated, and another reason is too many security apps make them purely a fantasy to all get worked up over nothing, really.
MrBrian
April 24th, 2008, 05:32 AM
-{ Quote: "I think all this talk about buffer overflow is way overrated and the discussions keep mounting up about it. When's the last time anyone really got a webpage buffer overflow? And look at the percentages of them compared to more dangerous exploits on the loose.
I don't worry about them myself, because for one thing they're overrated, and another reason is too many security apps make them purely a fantasy to all get worked up over nothing, really." }-
You may wish to look at http://www.f-secure.com/weblog/archives/00001408.html from F-Secure and posted by lucas1985 in another topic. Here is an excerpt:
"The criminals' new preferred way of spreading malware is via drive-by downloads on the Web. These attacks often still start with an e-mail spam run but the attachment in the e-mail has been replaced by a web link, which takes you to the malicious web site. So instead of getting infected over SMTP, you get infected over HTTP."
"Infection by a drive-by download can happen automatically just by visiting a website, unless you have a fully patched operating system, browser, and browser plug-ins. Unfortunately, most people have some vulnerabilities in their systems. Infection can also take place when you are fooled into manually clicking on a download and running a program from the web page that contains the malware."
You can have your browser scanned for some vulnerabilities at http://bcheck.scanit.be/bcheck/. The tests used are listed at http://bcheck.scanit.be/bcheck/listtests.php?action=list. Some of these are buffer overflow exploits, although the test title doesn't necessarily indicate such by using the word 'buffer.' Look at http://bcheck.scanit.be/bcheck/stats.php to see what percentage of browsers were vulnerable - usually between 12% to 20%. Keep in mind that this is the exposure rate for just this set of tests. If tests of all possible browser vulnerabilities were used, the percentages would have been higher. Of course, there is a selection bias in these results - the results are those of people who visited the site, not the population at large.
wat0114
April 24th, 2008, 08:12 AM
-{ Quote: "wat0114,
Here is the proof :
http://www.mcafee.com/us/local_content/white_papers/wp_ricochetbriefbuffer.pdf" }-
Thanks Erik, I saw that article last night :) This is an interesting thread. Thanks to everyone so far for your worthy feedback!
Rmus
April 24th, 2008, 09:52 AM
-{ Quote: " "A malicious file that is run by the application" doesn't refer to just situations where you open a file in a program's File menu. It also refers to the rendering of a page in a web browser, including content processed by browser addins such as Flash." }-
A Flash object will run automatically, unless the user chooses to disable that option, in which case the user decides whether or not to run the Flash:
http://www.wilderssecurity.com/attachment.php?attachmentid=199442&d=1208908724
______________________________________________________________________________
What other browser addins will run files automatically upon loading a web page?
thanks,
----
rich
Rmus
April 24th, 2008, 10:39 AM
-{ Quote: "I think all this talk about buffer overflow is way overrated and the discussions keep mounting up about it. When's the last time anyone really got a webpage buffer overflow? And look at the percentages of them compared to more dangerous exploits on the loose." }-
Any line of code has the potential to be exploited. Whether or not the talk about it is overrated is certainly an individual matter. To wit,
-{ Quote: "I don't worry about them myself because..." }-
This is all that matters. Security is a state of mind, and people take this and that security precaution to lessen the worry state.
Once the worry state is no longer a factor, then one can get on with her/his computing life!
While one can sympathize with the level of worry states in other people, one's responsibility is first to oneself and then to those who come under your sphere of influence and will listen to your point of view.
----
rich
ErikAlbert
April 24th, 2008, 01:07 PM
-{ Quote: "There is a CMF bug though which says CMF drivers aren't loaded when you access the gui through the system tray.
http://forums.comodo.com/help/driver_is_not_active_bug-t18836.0.html" }-
Until now, I didn't notice any bug, but I'm sure it will be fixed, because it has been reported at the forum of Comodo.
If the bug occurs on MY computer, I will certainly contact Comodo myself.
My boot-to-restore always gives my system back as it was and I wouldn't be surprised that the troubles caused by this bug are gone after reboot until it occurs again.
Thanks for mentioning it, I will keep a good eye on it. :)
zopzop
April 24th, 2008, 01:58 PM
OK, I just discovered a big downside to hardware-based DEP: I freaking can't open some legitimate programs! IZArc, for example, does not work with hardware DEP enabled. :thumbd:
lucas1985
April 24th, 2008, 02:09 PM
You'll have to resort to OptOut and place exceptions for the software that doesn't work with DEP.
And write to the developer of IZArc asking for a DEP-compatible build.
Pedro
April 24th, 2008, 02:24 PM
Make no mistake about it, some programs will not run in AlwaysOn. Some don't even install - I remember Jetico 1.
-{ Quote: "OK, I just discovered a big downside to hardware-based DEP: I freaking can't open some legitimate programs! IZArc, for example, does not work with hardware DEP enabled. :thumbd:" }-
7-Zip works fine, note.
To install java, if it fails, you have to use an alternative installer found on the website (offline installer).
http://www.java.com/en/download/manual.jsp
To me the choice was easy, keep AlwaysOn.
The alternative is hex editing as the backdoor link mentions, in order to have a properly functioning OptOut.
zopzop
April 24th, 2008, 03:37 PM
-{ Quote: "
7-Zip works fine, note.
" }-
Thanks! I'll keep that in mind if I decide to drop IZArc.
-{ Quote: "To me the choice was easy, keep AlwaysOn." }-
I'm trialing Comodo Memory Firewall right now. I'm hoping it's as good as they say it is; that way I wouldn't have to worry about hardware DEP (since CMF would automatically block buffer overflow and allow me to add exemptions if a program won't run with DEP enabled).
lucas1985
April 24th, 2008, 03:52 PM
-{ Quote: "You can have your browser scanned for some vulnerabilities at http://bcheck.scanit.be/bcheck/. The tests used are listed at http://bcheck.scanit.be/bcheck/listtests.php?action=list." }-
If you're up-to-date with patches, this is the picture you'll get:
[attachment 199484: screenshot of the scanit browser test results]
:)
HURST
April 24th, 2008, 04:02 PM
-{ Quote: "If you're up-to-date with patches, this is the picture you'll get:" }-
Exactly the one I get. DEP enabled in my BIOS and BOOT.ini with OptOut.
ErikAlbert
April 24th, 2008, 04:10 PM
Same here :
-{ Quote: "
Test results
* Passed Mozilla crashes with evidence of memory corruption - passed
* Passed Mozilla crashes with evidence of memory corruption - passed
* Passed Adobe Flash Player video file parsing integer overflow - passed
* Passed Mozilla crashes with evidence of memory corruption (rv:1.8.1.5) - passed
* Passed Apple QuickTime MOV file JVTCompEncodeFrame heap overflow - passed
* Passed Mozilla code execution via QuickTime Media-link files - passed
* Passed Mozilla crashes with evidence of memory corruption (rv:1.8.1.8) - passed
* Passed Mozilla memory corruption vulnerabilities (rv:1.8.1.10) - passed
* Passed Mozilla crashes with evidence of memory corruption (rv:1.8.1.12) - passed
Congratulations!
" }-
So all this good advice from participating members seems to work. Congratulations.
lucas1985
April 24th, 2008, 04:48 PM
I get the same results on my 98SE units 8)
ErikAlbert
April 24th, 2008, 05:38 PM
My previous successful test was done with FireFox 2.0.0.13.
I tried it with MSIE6, but MSIE couldn't handle it.
HyperFlow
April 24th, 2008, 06:02 PM
I have done the test with both IE7 & FF, no problem, A+... It seems like if a person is fully updated and the plug-ins are up to date, this test is easily passed. I use Secunia to keep all that in line and it looks like it's doing its job. :) It would be nice to see other people post on different browsers so we all can get a better look at what is passing and what is not.
bman412
April 24th, 2008, 06:18 PM
Opera 9.27 passed on my system
MrBrian
April 24th, 2008, 08:42 PM
-{ Quote: "I think all this talk about buffer overflow is way overrated and the discussions keep mounting up about it. When's the last time anyone really got a webpage buffer overflow? And look at the percentages of them compared to more dangerous exploits on the loose.
" }-
There is a very nice breakdown of vulnerabilities by type reported in the CVE database at http://cwe.mitre.org/documents/vuln-trends/index.html#table1. See both Tables 1 and 2. Buffer overflow is listed as 'buf' in the tables. In overall number of vulnerabilities reported in 2006, buffer overflow vulnerabilities ranked 4th at 7.8%. In operating system software in 2006, buffer overflow vulnerabilities ranked 1st at 16.1%. Keep in mind that you're not exposed to some types of vulnerabilities, such as SQL injection, unless you are running a database server. Also, some vulnerabilities can be used together. For example, a cross-site scripting vulnerability can be exploited on a web server to inject JavaScript code into the web server's webpages, and when you browse the infected webpage, the JavaScript could use buffer overflow vulnerabilities in your browser and/or browser addons to try to run malware.
Rmus
April 25th, 2008, 12:38 AM
-{ Quote: "There is a very nice breakdown of vulnerabilities by type reported in the CVE database at http://cwe.mitre.org/documents/vuln-trends/index.html#table1. " }-
From this, it's impossible to analyze the exploits. It seems to be very difficult to find analyses of current buffer overflow exploits so that a user can determine how to prevent them.
In addition to those already mentioned in other places on the forum, I found:
Winamp 5.12 Remote Buffer Overflow Universal Exploit (Zero-Day)
http://www.milw0rm.com/exploits/1458
ICQ Vulnerability
Multiple ClamAV Vulnerabilities
http://www.uscert.gov/current/current_activity.html
If anyone can find others, it would be helpful. Otherwise, the user is left with a maze of statistics that afford no information about how current exploits work, what the attack vector is, etc.
Please, No PoC tests. Real live exploits only.
Also I'm interested if anyone knows of other browser addons which run their files automatically, such as Flash objects do.
See my post #86 above.
thanks,
----
rich
MrBrian
April 25th, 2008, 01:04 AM
-{ Quote: "
If anyone can find others, it would be helpful. Otherwise, the user is left with a maze of statistics that afford no information about how current exploits work, what the attack vector is, etc.
" }-
Did you look at mi***rm and me******it?
Rmus
April 25th, 2008, 01:29 AM
Yes (see above)
What I've seen so far are those that target specific applications.
Aren't those mentioned in the cwe.mitre.org list analyzed somewhere? How do we know what the specifics are?
EDIT
Add:
http://www.milw0rm.com/remote.php
These are interesting PoC, all attacking specific applications.
----
rich
HyperFlow
April 25th, 2008, 01:56 AM
-{ Quote: "Rapid7 Advisory R7-0025
Buffer Overflow in NVIDIA Binary Graphics Driver For Linux
Published: Oct 16, 2006
Revision: 1.0
1. Affected system(s):
KNOWN VULNERABLE:
o NVIDIA Driver For Linux v8774
o NVIDIA Driver For Linux v8762
PROBABLY VULNERABLE:
o NVIDIA Driver for FreeBSD
o NVIDIA Driver for Solaris
o Earlier versions
KNOWN FIXED:
o None" }-
http://download2.rapid7.com/r7-0025/ http://download2.rapid7.com/r7-0025/nv_exploit.c
Rmus
April 25th, 2008, 02:03 AM
Note the following analyses:
Hundreds of thousands of SQL injections
http://isc.sans.org/diary.html?storyid=4331
Targeted attacks using malicious PDF files
http://isc.sans.org/diary.html?storyid=4330
Why aren't there more analyses like these of current in the wild buffer overflow exploits? Has anyone noted how many in the wild such exploits there currently are?
The cwe.mitre.org reference is a list of "publically reported vulnerabilities."
Not analyses of in the wild exploits.
----
rich
Rmus
April 25th, 2008, 02:05 AM
-{ Quote: "http://download2.rapid7.com/r7-0025/ http://download2.rapid7.com/r7-0025/nv_exploit.c" }-
Thanks, although a bit old...
Has this been observed as a current exploit in the wild? or just an advisory of a vulnerability?
----
rich
HyperFlow
April 25th, 2008, 02:08 AM
Cyber Security Alerts
http://search.us-cert.gov/search?q=buffer+overflow+2008&spell=1&access=p&output=xml_no_dtd&ie=UTF-8&client=default_frontend&site=default_collection&proxystylesheet=default_frontend
HyperFlow
April 25th, 2008, 02:16 AM
It's 2 years old and there's no KNOWN FIX (o None). I cannot find anything to prove it, but some people are more than likely using it.
Rmus
April 25th, 2008, 02:18 AM
-{ Quote: "Cyber Security Alerts
http://search.us-cert.gov/search?q=b...fault_frontend" }-
Thanks -
except for two phishing scams, the others are just vulnerability advisories.
Hoping to find reports of current attacks utilizing these vulnerabilities...
----
rich
Rmus
April 25th, 2008, 02:42 AM
-{ Quote: "It's 2 years old and there's no KNOWN FIX (o None). I cannot find anything to prove it, but some people are more than likely using it." }-
What leads you to this conclusion? Until reports by victims appear somewhere, how can you be sure?
I don't disregard advisories of vulnerabilities, but I want to see evidence of a current attack. For example, in the pdf files exploit linked above:
-{ Quote: "These PDF files exploit the recent vulnerability CVE-2008-0655.
The files contain:
- an embedded trojan installer;
- a clean PDF file.
Once the file is opened in a vulnerable Acrobat Reader version, the backdoor will install, and the clean PDF file is opened in the user's browser." }-
Otherwise, the vulnerability remains on my hypothetical list, and may or may not warrant action.
In the case you cite, it's a Linux driver, not applicable to my system. In fact, the milw0rm list above didn't contain any applications that I use.
----
rich
MrBrian
April 25th, 2008, 03:04 AM
Top 10 malware reported to Sophos in March 2008 - http://www.sophos.com/security/top-10/
Top 10 malware reported to Fortinet in March 2008 - http://www.fortiguardcenter.com/reports/roundup_mar_2008.html
Top 10 malware reported to BitDefender in March 2008 - http://news.bitdefender.com/NW711-en--BitDefender-Lab’s-Top-10-Malware-List-for-March-Reveals-the-Storm-Worm-is-Back-in-Action.html
SecureWorks Threat Analyses - http://www.secureworks.com/research/threats/
HyperFlow
April 25th, 2008, 03:08 AM
It would stand to reason that if they did not know they have the NVIDIA Binary Graphics Driver, then they have no clue that they are vulnerable!! Of course there is not going to be a report. Many people are not up to date with all this stuff like people on this forum and other security forums, just as you did not know that there was a vulnerability in half the things you have read about in this thread, including the NVIDIA Binary Graphics Driver vulnerability. Now you're informed, and if there's nothing from the things listed here that pertains to your risk category, it would be a waste of time to continue searching for the ghost in the machine ;D But if you really want to find out how and who has been hit with BO and things like that, hit some Black Hat sites; there you will find tools and pre-made scripts to do the things that you want to see. Most victims are not going to know what they just got hit with; all they know is their computer is dead.
MrBrian
April 25th, 2008, 03:34 AM
Top ten malware found on the web in quarter 1 of 2008 - http://www.sophos.com/pressoffice/news/articles/2008/04/secrep08q1.html
ATLAS report of attacks against programs listening for incoming connections in past 24 hours - http://atlas.arbor.net/summary/attacks
WilliamP
April 25th, 2008, 08:14 AM
After starting and following this thread with interest I went into DEP on this computer and changed data execution to always on. When my wife tried to open Excel it wouldn't open. I went back in and put it back to OptIn and Excel opened. I don't know if DEP was the problem but I did get two Event numbers 1000 and 2001. I posted this for the information. Someone may run into the same situation.
ErikAlbert
April 25th, 2008, 10:04 AM
-{ Quote: "After starting and following this thread with interest I went into DEP on this computer and changed data execution to always on. When my wife tried to open Excel it wouldn't open. I went back in and put it back to OptIn and Excel opened. I don't know if DEP was the problem but I did get two Event numbers 1000 and 2001. I posted this for the information. Someone may run into the same situation." }-
I didn't have any problems with Excel, but my Excel comes from MS Office 2000 Pro, so my Excel is quite old.
With AlwaysOn, I have 3 major problems, I can't open :
1. IZArc
2. R-Wipe & Clean
3. PerfectDisk
even when I exclude them (Windows and/or CMF)
Besides "AlwaysOn" blocks the exclusion lists (greyed out).
I now use OptOut without exclusions, and the ScanIt test was also successful.
Rmus
April 25th, 2008, 11:02 AM
Thanks, MrBrian for the links. A quick check showed:
Miranda IM Multiple Buffer Overflow Vulnerabilities
Will look more closely later.
----
rich
HURST
April 25th, 2008, 12:21 PM
-{ Quote: "I now use OptOut without exclusions, and the ScanIt test was also successful." }-
Yeah, I also think that OptOut is a good trade-off between security and usability.
MrBrian
April 25th, 2008, 10:34 PM
-{ Quote: "In fact, the milw0rm list above didn't contain any applications that I use.
" }-
Do you use Secunia PSI? It's a great way to discover the programs on your machine that have security-related updates. For programs that have a vulnerability but no update yet, see http://research.eeye.com/html/alerts/zeroday/index.html and http://secunia.com/historic_advisories/.
MrBrian
April 26th, 2008, 12:17 AM
The web page 'OS-Based Mitigations Against Common Attacks' (http://perimetergrid.com/wp/2008/02/04/os-based-mitigations-against-common-attacks/) contains a nice summary of technologies that operating systems have introduced to try to prevent buffer overflow attacks. Some notes about the various sections as they pertain to Windows:
a) 'Stack Canaries': Only programs compiled with the /gs flag take advantage of this feature. This was first possible to do in the year 2002. The first version of Windows itself to be compiled with the /gs flag was Windows XP SP2. Programs compiled with the /gs flag in earlier versions of Microsoft's development tools do not have as strong of Stack Canary protection as programs compiled with the /gs flag in later versions.
b) 'Hardware Data Execution Protection': This became available with Windows XP SP2. Your hardware has to support this feature in order for it to be available. In Windows' default settings of DEP, only code that has been compiled to use this feature will use it, and thus most 3rd party programs by default do not benefit from hardware DEP. XP SP3 and Vista SP1 added the capability for the user to specify which programs to opt-in to using DEP.
c) 'Address Space Layout Randomization': This was first used in Vista. Only code that has been compiled to use this feature will use it, and thus most 3rd party programs do not benefit from Address Space Layout Randomization in Vista.
d) 'Safe Structured Exception Handling' - This is also known as software DEP, and is not the same thing as hardware DEP. This became available with Windows XP SP2. In Windows' default settings of DEP, only code that has been compiled to use this feature will use it to its full effect. Code that has not been compiled to use this feature can still use a weaker form of Safe Structured Exception Handling (source: http://technet.microsoft.com/en-us/library/bb457155.aspx). XP SP3 and Vista SP1 added the capability for the user to specify which programs to opt-in to using DEP.
The article 'Improving Software Security Analysis using Exploitation Properties' (http://www.uninformed.org/?v=9&a=4&t=txt) gives a good recent (Dec 2007) summary of the known limitations of the technologies that operating systems have introduced to try to prevent buffer overflow attacks. The article also includes a case study on why the animated cursor (ANI) exploit, fixed in April 2007, was able to work reliably even on Vista. Here is a quote from the article:
-{ Quote: "
Modern exploit mitigations have become formidable opponents with respect to the effect they have on reliable exploitation. Some of the more substantial modern mitigations include GuardStack (GS), SafeSEH, DEP (NX), ASLR, pointer encoding, and various heap improvements. The fact that there have been very few public exploits that have been able to universally bypass all of these mitigations at once is a testament to the resilience of these techniques working in concert with one another. It is obvious that the absence of a given mitigation directly contributes to the exploitability of the associated code. Likewise, it is also well known that most mitigations have situations in which they will offer little to no protection.
" }-
http://blogs.zdnet.com/security/?p=999 contains an interview with the winner of the March 2008 Pwn2Own hacking contest. They explain how they were able to exploit Adobe Flash on Vista. http://blogs.zdnet.com/security/?p=993 is another article on the same topic.
http://blog.threatfire.com/2007_08_01_archive.html is a web page titled 'How do Storm, NotFound and other threats infiltrate so many PC's?'
See this (http://www.wilderssecurity.com/showthread.php?p=1229904) thread for an article titled 'Bypassing 3rd Party Windows Buffer Overflow Protection.' It explains how 3rd party buffer overflow protection programs operate, as well as their limitations.
From these readings, I have come to the conclusion that it's a good idea to use both operating system-provided buffer overflow protection technologies, such as DEP, and also a 3rd party buffer overflow protection product, such as Comodo Memory Firewall. There are bypasses possible in either approach, and thus having both provides a stronger defense IMHO.
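As an added illustration of the 'Stack Canaries' item above (example code written for this thread, not from the linked article, Microsoft's compiler or any product named here): a C program that mimics what the /GS cookie check does when a function returns, with the unbounded copy it exists to catch beside the bounded fix, and one kind of write the check does not cover. The frame layout, DEMO_COOKIE, RETURN_MARKER and the function names are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the per-process /GS security cookie. The real
 * cookie is randomized when the process starts; a fixed value is used here
 * only so the demo is deterministic. */
#define DEMO_COOKIE   0x4C6F7665u
#define RETURN_MARKER 0xDEADBEEFu   /* arbitrary stand-in for a return address */

/* Mirrors the frame layout /GS produces: the fixed buffer sits below the
 * cookie, and the cookie sits just below the saved return address, so a
 * copy that runs off the end of buf has to trample cookie first. */
struct gs_frame {
    char     buf[16];
    uint32_t cookie;
    uint32_t saved_return;
};

struct gs_report {
    int cookie_intact;          /* 1 = the /GS epilogue check would pass */
    int return_address_intact;  /* 1 = saved_return was not overwritten */
};

static void frame_init(struct gs_frame *f)
{
    memset(f, 0, sizeof *f);
    f->cookie = DEMO_COOKIE;
    f->saved_return = RETURN_MARKER;
}

/* What the compiler-inserted epilogue check decides, plus whether the
 * return address survived (which the real check never looks at directly). */
static struct gs_report frame_check(const struct gs_frame *f)
{
    struct gs_report r;
    r.cookie_intact = (f->cookie == DEMO_COOKIE);
    r.return_address_intact = (f->saved_return == RETURN_MARKER);
    return r;
}

/* The bug class /GS exists to catch: a copy with no check against the size
 * of buf. The write is kept inside the struct's own bytes so the demo is
 * defined behaviour, but it lands on cookie and saved_return exactly as a
 * stack smash would. */
struct gs_report unbounded_copy(const char *input, size_t len)
{
    struct gs_frame f;
    frame_init(&f);
    if (len > sizeof f)
        len = sizeof f;              /* demo boundary, not a security check */
    memcpy(&f, input, len);          /* never compared with sizeof f.buf */
    return frame_check(&f);
}

/* The fix: bound the copy by the buffer, leaving room for the terminator.
 * The cookie is unreachable, so the check passes for any input length. */
struct gs_report bounded_copy(const char *input, size_t len)
{
    struct gs_frame f;
    frame_init(&f);
    size_t n = len < sizeof f.buf - 1 ? len : sizeof f.buf - 1;
    memcpy(f.buf, input, n);
    f.buf[n] = '\0';
    return frame_check(&f);
}

/* Caveat: the cookie only catches writes that run *through* it. A single
 * out-of-bounds word write (an unchecked array index, say) that lands past
 * the cookie corrupts the return address while the check still passes,
 * which is why the post above recommends layering protections.
 * word_index counts 4-byte words from the start of the frame: 0-3 are buf,
 * 4 is the cookie, 5 is the saved return address. */
struct gs_report out_of_bounds_word_write(size_t word_index, uint32_t value)
{
    struct gs_frame f;
    frame_init(&f);
    if (word_index >= sizeof f / sizeof value)
        word_index = sizeof f / sizeof value - 1;   /* demo boundary */
    memcpy((unsigned char *)&f + word_index * sizeof value, &value, sizeof value);
    return frame_check(&f);
}

static void show(const char *label, struct gs_report r)
{
    printf("%-28s cookie %s, return address %s\n", label,
           r.cookie_intact ? "intact" : "CORRUPTED (/GS would abort)",
           r.return_address_intact ? "intact" : "overwritten");
}

int main(void)
{
    /* constructed 32-byte input, longer than the 16-byte buffer */
    const char *overlong = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";
    show("unbounded, 5 bytes", unbounded_copy("hello", 5));
    show("unbounded, 32 bytes", unbounded_copy(overlong, 32));
    show("bounded, 32 bytes", bounded_copy(overlong, 32));
    show("word write hitting cookie", out_of_bounds_word_write(4, 0x41414141u));
    show("word write past cookie", out_of_bounds_word_write(5, 0x41414141u));
    return 0;
}
```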
MrBrian
April 26th, 2008, 12:31 AM
-{ Quote: "What other browser addins will run files automatically upon loading a web page?
" }-
Java, JavaScript, and possibly others, assuming they're enabled. See section 'Browser changes' of http://en.wikipedia.org/wiki/Eolas for more details about automatic activation issues.
MrBrian
April 26th, 2008, 01:45 AM
A report from Symantec (http://esj.com/Security/article.aspx?EditorialsID=2486&pg=1) nicely explains the current situation regarding Vista and exploits:
-{ Quote: "
“The technologies introduced in Windows Vista are very effective at protecting the core Windows operating system as well as Microsoft-compiled applications,” write Symantec ATR researchers in a new whitepaper.
" }-
-{ Quote: "
In addition, the Symantec team cites a number of developer-controlled Vista niceties, including pointer obfuscation, GS, Safe Structured Exception Handlers (SafeSEH), Address Space Layout Randomization (ASLR), and Terminate on Heap Corruption. To a degree, researchers acknowledge, these enhancements also help protect Windows Vista against attack from without.
At the same time, however, they all have a single Achilles heel. “One barrier to the success of these technologies is the requirement for third-party software vendors to explicitly leverage them. Software engineers must utilize the latest version of Microsoft’s development tools in a specific manner,” the Symantec researchers write. “Only by doing so can they enable the functionality that is designed to inhibit or minimize the impact of the different exploitation techniques.”
" }-
MrBrian
April 26th, 2008, 03:42 AM
Some good news: a correction to my post #67 about return-to-libc buffer overflow exploits is needed. If a program has been compiled to use Stack Canaries (see post #119), then return-to-libc buffer overflow exploits may be difficult or impossible to do.
Some bad news: for situations where return-to-libc buffer overflow exploits can occur, a new method has been found that increases the power of this type of exploit greatly. Here is a quote from the paper 'The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)' (www.cs.ucsd.edu/~hovav/dist/geometry.pdf):
-{ Quote: "
One might reasonably ask why, in the face of return-into-libc attacks, it was considered worthwhile to invest in deploying [Hardware Data Execution Protection]. The answer is that return-into-libc was considered a more limited attack than code injection, for two reasons:
1. in a return-into-libc attack, the attacker can call one libc function after another, but this still allows him to execute only straight-line code, as opposed to the branching and other arbitrary behavior available to him with code injection;
2. the attacker can invoke only those functions available to him in the program’s text segment and loaded libraries, so by removing certain functions from libc it might be possible to restrict his capabilities.
Were the perception of return-into-libc attacks described above correct, deploying [Hardware Data Execution Protection] would in fact weaken attackers. Unfortunately, we show in this paper that this perception is entirely untrue: we describe new return-into-libc techniques that allow arbitrary computation (and that are not, therefore, straight-line limited) and that do not require calling any functions whatsoever, so removing functions from libc is no help.
" }-
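A worked illustration of the stack-canary check mentioned above (the GuardStack/GS mitigation from the earlier quote), added here as an example; it is not code from this thread or from any of the linked papers. The canary is simulated inside a plain struct so the demonstration stays within defined behaviour; the frame layout, the fixed guard value and the sample inputs are constructed assumptions, not how any particular compiler arranges a real stack frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a stack frame.  A GS-style compiler places a
 * guard word between local buffers and the saved return address; here the
 * same ordering is modelled as struct members so that an "overflow" is just
 * a memcpy that stays inside the struct (no undefined behaviour). */
#define BUF_SIZE      16
#define CANARY_VALUE  0xDEADBEEFu   /* constructed; real guards are random per process */

struct sim_frame {
    char     buf[BUF_SIZE];    /* the local buffer a linear overflow fills first */
    uint32_t canary;           /* guard word sitting just above the buffer */
    uint32_t saved_return;     /* stand-in for the saved return address */
};

/* Models an unchecked copy into the local buffer: bytes beyond buf[] spill
 * into the canary and then into saved_return, exactly the order a linear
 * stack overflow corrupts them.  Clamped to sizeof(struct sim_frame) so the
 * simulation itself never writes outside the struct. */
static void unchecked_copy(struct sim_frame *f, const unsigned char *input, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(f, input, len);
}

/* The epilogue check a GS-protected function performs before returning:
 * 1 if the guard word is unchanged (safe to return), 0 if it was overwritten
 * (the real runtime would abort the process instead of returning). */
static int canary_intact(const struct sim_frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* Runs one input through the simulated frame; returns 1 if the frame passes
 * the canary check, 0 if the overflow was detected. */
int simulate_input(const unsigned char *input, size_t len)
{
    struct sim_frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;
    f.saved_return = 0x00401000u;   /* constructed placeholder, not a real address */
    unchecked_copy(&f, input, len);
    return canary_intact(&f);
}

/* Constructed sample input that fits inside the buffer. */
int demo_in_bounds(void)
{
    const unsigned char ok[] = "hello, world";   /* 13 bytes incl. NUL, fits in buf[16] */
    return simulate_input(ok, sizeof ok);
}

/* Constructed sample input that is longer than the buffer: it overwrites the
 * guard word on its way to saved_return, so the check fails. */
int demo_overflow(void)
{
    unsigned char bad[sizeof(struct sim_frame)];
    memset(bad, 'A', sizeof bad);                /* 24 bytes: buf, canary and saved_return */
    return simulate_input(bad, sizeof bad);
}

int main(void)
{
    printf("in-bounds input: canary %s\n", demo_in_bounds() ? "intact" : "corrupted");
    printf("overlong input:  canary %s\n", demo_overflow() ? "intact" : "corrupted");
    return 0;
}
```

The check only fires because the bytes written over the guard differ from it, which is why real implementations choose the guard value at random when the process starts. It also only guards the path through the saved return address; a corrupted function pointer or heap object is outside its view, which is the kind of gap the quoted article has in mind when it says most mitigations have situations where they offer little protection.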
kareldjag
April 26th, 2008, 01:02 PM
Hi,
There's no real solution against BO exploits (what about an exploit that targets Comodo protection :) ).
Any developer should "stress" his software before any release: by fuzzing (there are many fuzzers, like the French Fusil (http://fusil.hachoir.org/trac) or Ufuz3 (http://research.eeye.com/html/tools/RT20070129.html) from eEye) or with specialized applications like BinDiff (http://www.zynamics.com/index.php?page=bindiff).
There are also some code vulnerability assessment services, like those provided by Veracode (http://www.veracode.com/solutions) for instance.
I'm convinced that a Google search or any great article can't be helpful to circumscribe the BO threat: building our own exploit for education and research purposes is much more interesting.
But for about 1300 dollars, ethical hacking and vulnerability assessment of our private systems are possible with Canvas (http://www.immunitysec.com/products-canvas.shtml) (there's also another well known open source exploit platform, but I guess that it violates the forum policy).
Of course anyone can find exploits on underground sites like Milw0rm, or via exploit search databases like OVS (http://linuxuser.at/vuln-search/) or Xploit (http://www.xploit-search.com/) search, for instance.
But the most interesting exploits are of course the unpublished ones, those that you build yourself, or those sold via ICQ for 10 000 dollars or more...
And recently a team of researchers has added an "escalation" to the vulnerability/patch cat and mouse game (a summary by SANS (http://isc.sans.org/diary.html?storyid=4310) and the original news here (http://www.cs.cmu.edu/~dbrumley/pubs/apeg.html)).
I was always surprised, when visiting this forum, by the "Software as Security" religion: since we're convinced that code can be broken, it should not be a religion anymore...
But there is of course a difference between what is technically possible (BO exploits), and what statistically happens: so we can use a computer for one, two or five years, without being the victim of a BO exploit.
Windows is currently the most attacked OS (because it is the most used).
Open source OSes are also vulnerable, but are less attacked (like OpenBSD (http://www.openbsd.org/security.html), one patch in 10 years).
Regards
MrBrian
April 26th, 2008, 07:12 PM
-{ Quote: "
Why aren't there more analyses like these of current in the wild buffer overflow exploits? Has anyone noted how many in the wild such exploits there currently are?
" }-
This site (http://www.securityfocus.com/brief/727) states that "approximately a third of all vulnerabilities in Microsoft products had publicly available exploit code in 2007, the same as the previous year."
MrBrian
May 2nd, 2008, 11:27 PM
-{ Quote: "From this, it's impossible to analyze the exploits. It seems to be very difficult to find analyses of current buffer overflow exploits so that a user can determine how to prevent.
" }-
Symantec has some very nice reports (http://www.wilderssecurity.com/showthread.php?t=208095) available about Internet security trends over a 6 month period. It is noted in the latest report that 73% of the vulnerabilities found in the last half of 2007 were considered to be "easily exploitable." See the link for how Symantec defines the term "easily exploitable."
MrBrian
May 2nd, 2008, 11:46 PM
-{ Quote: "
Otherwise, the user is left with a maze of statistics that afford no information about how current exploits work, what the attack vector is, etc.
" }-
At National Vulnerability Database (http://nvd.nist.gov/nvd.cfm?advancedsearch) you can search by different vulnerability parameters. Also, the National Vulnerability Database gives the Common Vulnerability Scoring System (CVSS) (http://www.first.org/cvss/cvss-guide.html) score and breakdown for a given vulnerability.
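As an added example (not code from the NVD, from the CVSS guide or from this thread), here is a CVSS v2 base-score calculator in C built from the metric weights and equations published in the linked guide; the sample vectors below are constructed, and the scores they produce can be compared against NVD entries carrying the same vector string.

```c
#include <stdio.h>

/* CVSS v2 base metrics and their numeric weights, as given in the CVSS v2
 * guide (http://www.first.org/cvss/cvss-guide.html). */
typedef enum { AV_LOCAL, AV_ADJACENT, AV_NETWORK } access_vector_t;
typedef enum { AC_HIGH, AC_MEDIUM, AC_LOW }        access_complexity_t;
typedef enum { AU_MULTIPLE, AU_SINGLE, AU_NONE }   authentication_t;
typedef enum { IMPACT_NONE, IMPACT_PARTIAL, IMPACT_COMPLETE } impact_t;

static const double AV_WEIGHT[]     = { 0.395, 0.646, 1.000 };
static const double AC_WEIGHT[]     = { 0.350, 0.610, 0.710 };
static const double AU_WEIGHT[]     = { 0.450, 0.560, 0.704 };
static const double IMPACT_WEIGHT[] = { 0.000, 0.275, 0.660 };

/* Round a non-negative score to one decimal place, half up, without libm. */
static double round1(double x)
{
    return (int)(x * 10.0 + 0.5) / 10.0;
}

/* Impact sub-score: how much confidentiality, integrity and availability
 * are lost if the vulnerability is exploited. */
double cvss2_impact(impact_t c, impact_t i, impact_t a)
{
    return 10.41 * (1.0 - (1.0 - IMPACT_WEIGHT[c])
                        * (1.0 - IMPACT_WEIGHT[i])
                        * (1.0 - IMPACT_WEIGHT[a]));
}

/* Exploitability sub-score: how reachable the flaw is (vector, complexity,
 * authentication required). */
double cvss2_exploitability(access_vector_t av, access_complexity_t ac, authentication_t au)
{
    return 20.0 * AV_WEIGHT[av] * AC_WEIGHT[ac] * AU_WEIGHT[au];
}

/* Base score per the v2 equation.  f(Impact) is 0 when there is no impact at
 * all (so a flaw with no C/I/A effect scores 0.0) and 1.176 otherwise. */
double cvss2_base_score(access_vector_t av, access_complexity_t ac, authentication_t au,
                        impact_t c, impact_t i, impact_t a)
{
    double impact = cvss2_impact(c, i, a);
    double expl   = cvss2_exploitability(av, ac, au);
    double f      = (impact == 0.0) ? 0.0 : 1.176;
    return round1(((0.6 * impact) + (0.4 * expl) - 1.5) * f);
}

int main(void)
{
    /* Constructed vectors chosen to resemble the kinds of flaws discussed in
     * this thread; they are not taken from any specific NVD entry. */
    printf("AV:N/AC:M/Au:N/C:C/I:C/A:C (remote code execution in a plugin): %.1f\n",
           cvss2_base_score(AV_NETWORK, AC_MEDIUM, AU_NONE,
                            IMPACT_COMPLETE, IMPACT_COMPLETE, IMPACT_COMPLETE));
    printf("AV:N/AC:L/Au:N/C:N/I:N/A:C (remote denial of service):         %.1f\n",
           cvss2_base_score(AV_NETWORK, AC_LOW, AU_NONE,
                            IMPACT_NONE, IMPACT_NONE, IMPACT_COMPLETE));
    printf("AV:L/AC:L/Au:N/C:P/I:N/A:N (local information disclosure):     %.1f\n",
           cvss2_base_score(AV_LOCAL, AC_LOW, AU_NONE,
                            IMPACT_PARTIAL, IMPACT_NONE, IMPACT_NONE));
    return 0;
}
```

The two sub-scores are worth reading separately when triaging: a network-reachable flaw with no authentication has a high exploitability sub-score whatever its impact, which is the breakdown the NVD shows beside the headline number.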
MrBrian
August 9th, 2008, 12:13 AM
Those of you interested in the weaknesses of Vista's memory protection technologies, particularly with web browsers, may wish to read the paper 'Bypassing Browser Memory Protections: Setting Back Browser Security by 10 Years', which can be found here (http://taossa.com/index.php/2008/08/07/impressing-girls-with-vista-memory-protection-bypasses/). Pedro deserves credit for starting the thread http://www.wilderssecurity.com/showthread.php?p=1295820 which led to the discovery of this paper. I am posting about it here because the techniques used in the paper may perhaps be extended to platforms and environments other than just browsers, and thus some people may have skipped that topic.
Copyright ©2002 - 2012, Wilders Security Forums