System-wide Mandatory ASLR Failure to Properly Randomize (Win8+)

Discussion in 'other security issues & news' started by WildByDesign, Nov 17, 2017.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Windows 8 and later fail to properly randomize all applications if system-wide mandatory ASLR is enabled via EMET or Windows Defender Exploit Guard

    Vulnerability Note VU#817544

    Link: https://www.kb.cert.org/vuls/id/817544
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
    "MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00


    Also see the following Twitter thread for further details.
    Link: https://twitter.com/wdormann/status/930916460473577474

    Keep in mind that this is only relevant for users who enabled System-wide Mandatory ASLR which has been known to be problematic in the past with certain drivers. Although in recent times it has been much less problematic.
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    If it might cause any problems, I won't apply this tweak. Anti-exe and anti-exploit should take care of attacks anyway.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    System-wide Mandatory ASLR is disabled by default in Win 10 CEF. If you apply the .reg tweak, it will enable it. I did and have not encountered any issues so far with System-wide Mandatory ASLR enabled.

    Note that Mandatory ASLR is already enabled by default anyway for a number of Microsoft system and apps when Win 10 CFE installs.
     
  5. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    Hi.

    WildByDesign wrote:



    therefore it is necessary:

    Executables that do not opt in to ASLR - non-DYNAMICBASE applications

    practically with P.E. occurs when ASRL is not displayed:



    DOtHfsiXUAEkK7_.jpg

    if our softwares is not in these conditions the problem should not exist.
    Correct?

    ______________________________________________

    My registry value at default (mandatory ASLR off + bottom-up ASLR on) is:

    01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

    while the correct value should be

    00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00

    Correct?

     
    Last edited: Nov 20, 2017
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    This vulnerability only applies to Win 8 and 10: https://www.kb.cert.org/vuls/id/817544. Additionally, the registry mod is only needed if system-wide mandatory ASLR is enable for those OSes. Your screen shot shows you are running Win 7.

    No.

    As far as the registry mod, just download the .reg fix from bleepingcomputer.com and run it. It will merge the following:
     
    Last edited: Nov 20, 2017
  7. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    Please read twitter link:

    https://twitter.com/wdormann/status/930916460473577474


    https://pbs.twimg.com/media/DOp7RkVX0AAoa4H.jpg:small

    https://pbs.twimg.com/media/DOrGPT1X0AEw8Bw.jpg:small

    _________________________________________________

    Then its current value after the change is:

    01,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00

    if it is so I think the error is in the third value that should be 01 and instead it is 00:

    Mandatory ASRL off + Bottom- Up ASRL on


    01,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00 (correct )

    01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 (false)
     
    Last edited: Nov 20, 2017
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    These postings describe the vulnerability w/Win10 CFE system-wide ASLR. They also note that Win 7 using EMET's system-wide ASLR option also randomizes address w/o issue. Appears this is not happening in your Win 7 case. Therefore, the issue is with EMET. Also it is doubtful the .reg fix noted will fix the EMET problem. Let us know if it does.

    Also as noted in the Twitter article, it is expected behavior for eqnedt32.exe load address to be different on every reboot in Win 7 with EMET's system-wide ASLR option enabled. The problem is the same random address was not occurring when system-wide ASLR option enabled at the OS level in Win 8 and 10.
     
    Last edited: Nov 20, 2017
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    Last edited: Nov 20, 2017
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    As far as I am concerned, the problem is fixed by applying the .reg fix. As noted in the Twitter post, eqnedt32.exe was always loading at image base address 0x10000. As noted by the below screen shots, it originally loaded at 0x130000. After a reboot, it loaded at 0xB90000:

    eqnedt32.png

    eqnedt32-2.png
     
    Last edited: Nov 20, 2017
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    Last edited: Nov 20, 2017
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Before I get into your "hypothesis," it appears everyone including CERT is misstating things.
    https://www.v3.co.uk/v3-uk/news/302...easier-for-attackers-to-target-important-data

    Lets analysis this above quote statement by statement. First is:
    After I upgraded Win 10 CFE, I went in Windows Defender Security Center, Exploit settings, and the exact opposite was the case. System-wide ASLR was disabled and system-wide bottom-up-ASLR was enabled. However when I opened Process Explorer, ASLR was set on for almost every running process with the exception of an old motherboard USB 3.0 driver and Realtek's audio management process. This indicates that indeed system-wide ASLR was active but the WD Security Center setting didn't reflect that status.

    I also assume likewise that system-wide bottom-up ASLR was actually disabled. However WD Security Center setting didn't reflect that status but instead showed it was enabled.

    In other words folks, what we have is a Windows Defender Security Center MCF that hasn't been publically discussed to date!

    After applying bleepingcomputer's .reg merge fix, Windows Defender Security Center now shows both system-wide ASLR and system-wide bottom-up ASLR are both enabled. What the .reg fix does is:

    1. Sync Windows Defender Security Center system wide ASLR and bottom-up ASLR with actual system settings. And maybe;
    2. Corrects the "programs without /DYNAMICBASE to get relocated, but without any entropy" issue.

    I say maybe in regards to no. 2 because I didn't test eqnedt32.exe prior to performing the .reg fix to verify this same fixed address loading issue was actually occurring on my PC.
     
    Last edited: Nov 20, 2017
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,344
    Location:
    Italy
    It is true.:thumb:
    It is a great confusion.
    Here in Italy it is already night.
    Good night itman.
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Bottom up ASLR is on by default on my machines while Mandatory ASLR shows as off by default.

    I don't know whether I should apply the registry key mentioned also here because I have HitmanPro.Alert installed which should be overriding WD Exploit Protection.

    Any suggestions?
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Finally, the extremetech.com article simply and the best stated to date:
    In other words, both system wide ASLR and bottom-up ASLR have to be enabled - period! This is what the .reg fix does.

    It also implies if one has issues with system wide ASLR enabled and subsequently disables it, they will also have to disable system wide bottom-up ASLR it appears. That is if system wide ASLR can actually be disabled in Win 10 CFU via WD Security Center Exploit options. Appears the only way to do so is add the "mitigations" reg key value and set the first "1" hex value to "0."

    Note that the mitigations" reg key value did not exist on my Win 10 CFE build prior to the .reg fix merge.
     
    Last edited: Nov 20, 2017
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    So, for the slower members in class, we all should apply the Reg key?

    Won't M$ develop their own fix for this or am I dreaming?
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    To add even more confusion to an already chaotic situation in regards to Win 10 CFE exploit protection is the below article "hot off the press." Take note that the process used in the original POC that started all this crap was indeed eqnedt32.exe. Is this a Microsoft "end around" ploy to try to diffuse the issue by casting light on the credibility of the POC?

    Microsoft Manually Patched Office Component: Researchers
    http://www.securityweek.com/microsoft-manually-patched-office-component-researchershttp://www.securityweek.com/microsoft-manually-patched-office-component-researchers

    Appears what people need to test is if this "programs without /DYNAMICBASE to get relocated, but without any entropy" issue exists for programs other than eqnedt32.exe.
     
    Last edited: Nov 20, 2017
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I did my own test. Wilder's folks, we definitely have a problem.

    I have this hex editor I use - HxD.exe. Thought it would be a good candidate and my hunch was right. Below are two screen shots. The second shot is after I rebooted. What they show is not only does the "programs without /DYNAMICBASE to get relocated, but without any entropy" .reg fix does not work, but it appears system-wide mandatory ASLR doesn't work either:eek:. Appears Win 10 CFE exploit protection is totally broke:

    Hex_Editor_1.png

    Hex_Editor_2.png
     
    Last edited: Nov 20, 2017
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    What I believe the "bug" in regards to system-wide ASLR is internally in Win 10 CEF is that it is not set to opt-out/always on. Remember those were settings in EMET for it. Appears to be no way to correct this via registry hack.
     
  20. guest

    guest Guest

    @itman what is this CEF thingy you mention? the Fall update? if yes the common term is FCU (Fall Creator Update) and CU for the previous one (Creator Update)
     
  21. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Interesting thread.
    I, too, want to know what is "Win 10 CEF" and the "system-wide bottom-up" references to ASLR.
     
  22. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    1709, 1703, 1607, 1511, 1507.
     
  23. guest

    guest Guest

    Ah ok, thx @Robin A.

    yes i remember thhis setting option, guess we have to wait MS to "fix" this "non-probem"...if they ever do...
     
  24. guest

    guest Guest

    I'm not using system-wide mandatory ASLR, but i have forced ASLR and Bottom-Up for the process HxD.exe and the result:
    (Process Hacker / Process Explorer)
    1) HxD - Process Hacker - no ASLR.png
    1) HxD - Process Explorer - no ASLR.png
    Forced ASLR:
    2) HxD - Process Hacker - forced ASLR.png
    2) HxD - Process Explorer - forced ASLR.png
    The process properties are showing that ASLR has been enabled, but the Image Base is always the same :cautious: (the same as in #18)
     
  25. guest

    guest Guest

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.