Buffer Overflow?

Discussion in 'other anti-malware software' started by WilliamP, Apr 22, 2008.

Thread Status:
Not open for further replies.
  1. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,208
    Location:
    Fayetteville, Ga
    Thank you all for the info. Seeing as how this processor doesn't support DEP what DEP is going to be always on?
     
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Software DEP:
     
  3. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those who are interested,

    Here are some DEP related links.

    http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx (How to Configure Memory Protection in Windows XP SP2)
    http://windowssecrets.com/2007/05/03/01-How-DEP-can-protect-your-PC (How DEP can protect your PC)
    http://windowssecrets.com/2007/05/10/02-Readers-revelations-on-DEP-and-software-discounts (Readers' revelations on DEP)
    http://www.vistax64.com/tutorials/120778-dep-enable-disable.html (How to Enable or Disable DEP in Vista)

    Hope this helps.


    Peace & Gratitude,

    CogitoErgoSum
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here are some guidelines (draft 1) on the need for third party buffer overflow protection products:

    a) If you're using Windows XP, you need a 3rd party product that provides return-to-libc buffer overflow protection or address space layout randomization. Windows XP lacks address space layout randomization. Thus, DEP can be turned off in a return-to-libc type of buffer overflow exploit (source: http://blogs.zdnet.com/security/?p=912). Comodo Memory Firewall claims to offer return-to-libc buffer overflow protection. Wehntrust provides address space layout randomization, but there are reports of bugs with this product.

    b) If you're using Vista, address space layout randomization is available, which makes it more difficult for return-to-libc buffer overflow exploits, which can turn off DEP, to succeed. However, address space layout randomization in Vista is an opt-in protection. A telling quote from http://erratasec.blogspot.com/2008/02/unsafe-at-anyspeed.html: "Among the companies/products currently ignoring [address space layout randomization] are: Mozilla’s Firefox, Google’s toolbar, Apple’s iTunes, Adobe’s PDF reader, Roxio’s media creation tools, and Divx’s player. Actually, we haven’t found any company that turns on [address space layout randomization] consistently." I don't know if there is a way to turn on address space layout randomization always in Vista. DEP, similarly, is an opt-in protection by default in Vista. As pointed out in prior posts, this can be changed to be always on. My recommendation for Vista is if you have hardware DEP set to always on (which is not the default), and also address space layout randomization set to always on (if this is even possible?), then you don't need a third party buffer overflow protection product. For Vista, if either DEP or address space layout randomization is not always on, or if you don't have hardware DEP, then I recommend using a 3rd party product that provides return-to-libc buffer overflow protection, such as Comodo Memory Firewall. Running DEP as opt-out is not a safe substitute for always on, due to the backdoor Microsoft programmed, as alluded to by a previous post (but I'm not sure if this backdoor is also present in Vista, because the article references XP only).

    Feedback/corrections are welcome :).
     
    Last edited: Apr 24, 2008
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    There is a program available at http://erratasec.blogspot.com/2008/02/unsafe-at-anyspeed.html called Looking Glass. Description from its About box: "Looking Glass is a program designed to analyze files on Vista and determine which advanced security features are not being used. Examples include ASLR, NX, and use of unsafe functions." The program seems to work on XP also.
     
  6. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    guys ever heard of this program? it's called ozone :
    http://www.securityarchitects.com/products.html

    seems to be freeware, it's only 1.8 megs, and says it protects against buffer overflow exploits (among other things):

    from the website
    i think it uses ASLR too.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  8. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    a ha! from the link you provided MrBrian :

    and according to that page it's also the only one that's freeware (unless i'm reading something wrong).

    time to download and test this sucker.......
     
  9. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,782
    Only that the link dates back to 2005.
    Outdated......Maybe.
    I notice you have Geswall installed.
    Is it wise to have two policy based security apps o_O
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    As a matter of fact, I found this link because of your mention of Ozone :). But then I forgot to post the answer to your question.

    For buffer overflow protection freeware, there is also Comodo Memory Firewall (which I use), ThreatFire, Prevx2, WehnTrust, the DEP stuff in Windows, and maybe some other things already mentioned in this topic.
     
    Last edited: Apr 23, 2008
  11. wat0114

    wat0114 Guest

    From the bit of research I've done, it seems buffer overflows would be of little concern if programmers wrote better code for their programs. They don't often check data sizes, or something to that effect, so buffer overflow vulnerabilities often abound in their programs, until they are found and patched? Why does no one talk about this?
     
  12. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    you are correct :) i'd temporarily unistall geswall before installing ozone.

    EDIT : do geswall, defensewall, or sandboxie stop buffer overflow exploits?


    how would any of those fair against this test? according to this link here, comodo memory firewall fails all 5. the software DEP in windows also fails all 5 tests (i've tested it myself). wehntrust is so buggy it causes blue screens of death on peoples machines, including mine, so i couldn't test it.

    however, hardware DEP passes all 5 tests, i've tested it myself (thanks lucas for the links showing how to tell if your processor supports it and how to enable it).

    if anyone has prevx or threatfire install can you run the test? it's not destructive.
     
    Last edited: Apr 24, 2008
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I ran this test and my hardware DEP passed all 5 tests. :)
    Because I had hardware DEP all the time without knowing it, I was already protected against Buffer Overflows, so I don't really need CMF.
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    According my McAfee readings, you are very right. Bad coding is the only reason why buffer overflow is possible.
    So the good guys are the reason, why the bad guys can play with us.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    There is also not much discussion regarding how one becomes a victim to a buffer overflow exploit.


    ----
    rich
     
  16. wat0114

    wat0114 Guest

    Thanks for confirming what I thought to be true. Is there not some sort of standard in place that compels programmers, especially those of popular applications, to exercise more prudence in their work? In fairness, I suppose, it must be painstaking work to develop a lot of these programs, given the skill and patience required to do so. Perhaps monetary gain has more bearing in many cases, as opposed to pride in workmanship?

    I'd welcome more of it :)
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here are some guidelines (draft 2) of the need for third party buffer overflow protection products:

    Note: see http://en.wikipedia.org/wiki/Data_Execution_Prevention for an explanation of DEP.

    a) If you're using Windows XP with Hardware DEP on:
    Windows XP lacks address space layout randomization. As a result, buffer overflow exploits of type return-to-libc are not prevented. One thing a return-to-libc buffer overflow exploit can do is turn off Hardware DEP for a given process, except, I assume, if Hardware DEP is set to Always On (see 'Bypassing Windows Hardware-enforced Data Execution Prevention' at http://www.uninformed.org/?v=2&a=4). There are 4 settings for DEP: Opt In, Opt Out, Always On, and Always Off. The default is Opt In, which protects only Microsoft's own code, and also 3rd party code that opts in. Opt Out protects everything except those programs you specify. As noted by another post, Opt Out also excludes some programs automatically - see http://blog.fabriceroux.com/index.php/2007/02/26/hardware_dep_has_a_backdoor?blog=1 for details. Always On is the strongest setting, but might cause bootup failure because of where it is specified. If you're using the DEP Always On setting, you still need a 3rd party product that provides return-to-libc buffer overflow protection. If you're not using the DEP Always On setting, some programs will not be covered by Hardware DEP, and thus I recommend using a 3rd party buffer overflow protection product that also includes return-to-libc buffer overflow protection. Comodo Memory Firewall features buffer overflow protection, including type return-to-libc. Products that provide address space layout randomization also make return-to-libc buffer overflow exploits much more difficult. Wehntrust provides address space layout randomization, but there are reports of bugs with this product.

    b) If you're using Windows XP with software DEP on:
    Software DEP protects against only a specific type of buffer overflow exploit that targets Structured Exception Handling. Software DEP is better than nothing but nevertheless weak, and is not comparable to Hardware DEP. I recommend using a 3rd party buffer overflow protection product such as Comodo Memory Firewall.

    c) If you're using Windows XP with DEP off:
    I recommend using a 3rd party buffer overflow protection product such as Comodo Memory Firewall.

    d) If you're using Vista with Hardware DEP on:
    Address space layout randomization is available in Vista, which makes it more difficult for return-to-libc buffer overflow exploits to succeed. However, address space layout randomization in Vista is an opt-in protection. A telling quote from http://erratasec.blogspot.com/2008/02/unsafe-at-anyspeed.html: "Among the companies/products currently ignoring [address space layout randomization and DEP] are: Mozilla’s Firefox, Google’s toolbar, Apple’s iTunes, Adobe’s PDF reader, Roxio’s media creation tools, and Divx’s player. Actually, we haven’t found any company that turns on [address space layout randomization and DEP] consistently." Thus, since so many 3rd party products don't actually use address space layout randomization, you still need a 3rd party product that provides protection against return-to-libc buffer overflow exploits. One thing a return-to-libc buffer overflow exploit can do is turn off Hardware DEP for a given process, except, I assume, if Hardware DEP is set to Always On (see 'Bypassing Windows Hardware-enforced Data Execution Prevention' at http://www.uninformed.org/?v=2&a=4) (note: not sure if this actually holds true for Vista). There are 4 settings for DEP: Opt In, Opt Out, Always On, and Always Off. The default is Opt In, which protects only Microsoft's own code, and also 3rd party code that opts in. Opt Out protects everything except those programs you specify. As noted by another post, Opt Out also excludes some programs automatically - see http://blog.fabriceroux.com/index.php/2007/02/26/hardware_dep_has_a_backdoor?blog=1 for details (note: not sure if this actually holds true for Vista). Always On is the strongest setting, but might cause bootup failure because of where it is specified. If you're using the DEP Always On setting, you still need a 3rd party product that provides return-to-libc buffer overflow protection. If you're not using the DEP Always On setting, some programs will not be covered by Hardware DEP, and thus I recommend using a 3rd party buffer overflow protection product that also includes return-to-libc buffer overflow protection. Comodo Memory Firewall features buffer overflow protection, including type return-to-libc.

    e) If you're using Windows Vista with software DEP on:
    Software DEP protects against only a specific type of buffer overflow exploit that targets Structured Exception Handling. Software DEP is better than nothing but nevertheless weak, and is not comparable to Hardware DEP. I recommend using a 3rd party buffer overflow protection product such as Comodo Memory Firewall.

    f) If you're using Windows Vista with DEP off:
    I recommend using a 3rd party buffer overflow protection product such as Comodo Memory Firewall.

    Feedback/corrections are welcome :).
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I read a post on the Comodo forum from a person I believe may be a/the developer of Comodo Memory Firewall. This individual stated that CMF throws an alert when the code in the buffer overflow exploit shellcode calls a Windows API. Thus what could perhaps be happening is that the test shellcode simply does not call a Windows API. That's just a possibility to consider.
     
    Last edited: Apr 24, 2008
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In the programming world, development speed is often valued (read:rewarded) by managers over correctness/security considerations. Also, some programmers were never taught how to code securely.
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Not quite true - buffer overflow exploits of type return-to-libc are not prevented with Hardware DEP. That's the reason address space layout randomization was added to Vista. But even in Vista, most 3rd party products simply don't use address space layout randomization currently. Thus, you still need a product that can handle buffer overflow exploits of type return-to-libc.
     
    Last edited: Apr 24, 2008
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    OK. I keep it. Thank you very much. :)
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    No wonder the quality of applications is going down.
    No wonder they can't even uninstall their own software.

    When somebody isn't doing his job very well, someone else has to pay for it, in this case many, many users have to pay for it.
     
    Last edited: Apr 24, 2008
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Looking at recent security advisories, it seems that there are two requirements necessary to be victimized by a buffer overflow exploit:

    1) an application that is vulnerable

    2) a malicious file that is run by the application.

    Here is a recent one for some Adobe products:

    http://secunia.com/advisories/29838/
    It seems that the new NULL pointer exploit has the same requirements. Here is one for flash:

    http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/
    Please list other scenarios if known!


    ----
    rich
     
  25. HyperFlow

    HyperFlow Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    115
    this may not be of any use but i my self know alot of people that use VLC player

    http://secunia.com/advisories/29503/
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.