New Windows exploit defeats ASLR and DEP

Discussion in 'other security issues & news' started by MrBrian, Mar 1, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    http://blogs.zdnet.com/security/?p=5573

     
  2. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    There was a story posted a couple of weeks ago about a very similar exploit. This exploit defeated ASLR/DEP when it came to IE and Flash.

    At any rate, ASLR is not really effective on 32-bit platforms because it only has 16 bits of entropy available for randomization. These sorts of attacks, as outlined in the article, are usually referred to as "return-to-libc" attacks and are not new.
     
  3. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I think this explains everything:

    It's not an attack against ASLR, it's just a way to show how to bypass DEP by using a ret2libc attack. But he's assuming he knows the addresses of VirtualProtect and ZwSetInformationProcess, which is not correct in an ASLR-protected environment.

    And the author explains this perfectly in his blog:

     
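    The two posts above turn on one question for a defender: does every module in the process actually get relocated, so that addresses such as VirtualProtect are not predictable? Whether an image opts into ASLR and DEP is recorded in its PE header (the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and NX_COMPAT bits of DllCharacteristics, and the IMAGE_FILE_RELOCS_STRIPPED bit of the COFF Characteristics, which makes relocation impossible even when DYNAMIC_BASE is set). The following script is an added example written for this thread, not code from the ZDNet article or the exploit author; it parses those header fields from a PE file and flags images that would load at a fixed base or without DEP. The sample headers it checks are constructed in the script (not real binaries), and the flag values come from the PE/COFF specification.

```python
import struct
import sys

# Header bits from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001           # COFF Characteristics: no .reloc, cannot be rebased
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts into ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts into DEP
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def mitigation_flags(data: bytes) -> dict:
    """Parse a PE image's headers and report whether it opts into ASLR and DEP."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    (machine, _nsect, _ts, _psym, _nsym,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The loader can only randomize an image that both asks for it and can be relocated.
        "aslr_effective": dynamic_base and not relocs_stripped,
        # High-entropy (64-bit) ASLR is only meaningful for PE32+ images.
        "high_entropy_va": magic == PE32PLUS_MAGIC
        and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_header(magic: int, characteristics: int, dll_characteristics: int) -> bytes:
    """Construct a minimal, non-loadable PE header for offline demonstration (constructed sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample headers standing in for modules found in a process.
SAMPLES = {
    "hardened_x64": build_header(
        PE32PLUS_MAGIC, 0,
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
        | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "legacy_x86_no_optin": build_header(PE32_MAGIC, IMAGE_FILE_RELOCS_STRIPPED, 0),
    "dynamic_base_but_relocs_stripped": build_header(
        PE32_MAGIC, IMAGE_FILE_RELOCS_STRIPPED,
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
}


def weak_modules(images: dict) -> list:
    """Names of images that would load at a predictable base or without DEP."""
    weak = []
    for name, data in images.items():
        flags = mitigation_flags(data)
        if not flags["aslr_effective"] or not flags["nx_compat"]:
            weak.append(name)
    return sorted(weak)


if __name__ == "__main__":
    # Check real files given on the command line, otherwise the constructed samples.
    images = {p: open(p, "rb").read() for p in sys.argv[1:]} or SAMPLES
    for name in weak_modules(images):
        print("predictable base or no DEP:", name, mitigation_flags(images[name]))
```

    Run it with the paths of the DLLs a process loads to see which ones an attacker could still rely on for fixed addresses; in the constructed samples only the x64 image that opts into everything passes, while the image that sets DYNAMIC_BASE but has its relocations stripped is still reported, because the loader cannot move an image without relocation data.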
  4. Dogbiscuit

    Dogbiscuit Guest

    ZDNet seems to have gone back and re-edited the content MrBrian quoted.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Hi MrBrian,

    Can you or someone else perhaps tell me how to test this exploit, and what is supposed to happen? And can a tool like Comodo Memory Firewall protect against this stuff? I remember that you tested CMF against a Winamp buffer overflow a while ago, and CMF was able to stop it. :cool:
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I didn't try the exploit or look into it much, but Comodo Memory Firewall claims to protect against "return-to-libc" attacks, so maybe it would be helpful. By the way, I don't use Comodo Memory Firewall anymore, because its abilities have been integrated into recent versions of Comodo Internet Security. The exploit targets a bug that was fixed in Internet Explorer 6 in 2005, according to the exploit author.
     
    Last edited: Mar 7, 2010