Attacking Windows 7/8 ASLR

Discussion in 'other security issues & news' started by CloneRanger, Jan 25, 2013.

Thread Status:
Not open for further replies.
  1. CloneRanger

    Be interesting to see if anyone here can test these!
     
  2. Hungry Man

    It's not really that fantastic. The attack is heap spray, and it turns out that if you spray the heap enough you can predict where the next address will be very accurately.

    Naturally this type of attack is less effective on 64-bit.
     
  3. Kees1958

    But their find is that the system is helping to find a place to put arbitrary code in IE.

    The PoC is based on filling up available memory (there is no more address space which can be randomised), not a brute force hunt on finding the planted egg, so I doubt whether the additional randomization advantage of 64 bits has much impact on this PoC.
     
    Last edited: Jan 27, 2013
  4. Hungry Man

    Yes. It only applies to 32-bit. The same attack works on Linux, and there's already a patch for this in grsecurity.
     