New Windows exploit defeats ASLR and DEP

http://blogs.zdnet.com/security/?p=5573

 

There was a story posted a couple of weeks ago about a very similar exploit. This exploit defeated ASLR/DEP when it came to IE and Flash.

At any rate, ASLR is not really effective on 32 bit platforms because it only has 16 bits of entropy available for randomization. These sorts of attacks as outlined in the article are usually referred to as "return-to-libc" attacks and are not new.

 

I think this explains everything:

It's not an attack against ASLR, it's just a way to show how to bypass DEP by using ret2libc attack. But he's assuming he knows address of VirtualProtect and ZwSetInformationProcess, which is not correct in a ASLR protected environment.

And the author explains this perfectly in his blog:

 

ZDNet seems to have gone back and re-edited the content MrBrian quoted.

 

Hi MrBrian,

Can you or someone else perhaps tell me how to test this exploit, what is supposed to happen? And can a tool like Comodo Memory Firewall protect against this stuff? I remember that you tested CMF against a Winamp buffer overflow a while ago, and CMF was able to stop it.

 

I didn't try the exploit or look into it much, but Comodo Memory Firewall claims to protect against "return-to-libc" attacks, so maybe it would be helpful. By the way, I don't use Comodo Memory Firewall anymore, because its abilities have been integrated into recent versions of Comodo Internet Security. The exploit targets a bug that was fixed in Internet Explorer 6 in 2005, according to the exploit author.