Defeating XP SP2 Heap Protection
hobo2k writes "XP SP2 included canary values and hardware-implemented execution protection in order to avoid exploitable buffer overruns. Now Positive Technologies has released an article describing one way that protection could be bypassed. To solve the problem, they provide a program which disables the small allocation heap as described here. CNET reports that SP2 has been foiled."
i know the drill (Score:5, Funny)
Re:i know the drill (Score:4, Informative)
Re:i know the drill (Score:3, Insightful)
You don't mean..?! (Score:3, Funny)
A security problem in Windows? no way...
SP2 what? (Score:2, Funny)
Re:SP2 what? (Score:5, Funny)
Re:SP2 what? (Score:5, Funny)
Re:SP2 what? (Score:2, Funny)
> To take the analogy further, does that make Linux the morning-after pill?
No. Linux is like masturbation. And BSD is like necrophilia.
Re:SP2 what? (Score:3, Funny)
Re:SP2 what? (Score:3, Funny)
Remember: the only safe computing is NO COMPUTING. If you feel like you have to use a computer, then staying off-line is the only sure way to stay disease-free. There's nothing shameful about it; you'll not go blind.
Now, since I know you kids are going to want to play your Counter Strike anyway, it's best to make sure you only game with people you already know and trust. Don't deathmatch with that hussy you found at the airport bar, and never accept
Incorrect (Score:4, Informative)
Re:Incorrect (Score:2)
Oh, the pill prevents ovulation by tricking the body into thinking it's pregnant, nothing to do with implantatio
Re:SP2 what? (Score:3, Funny)
Oh....
Er.. could we use metaphors that most of us could wrap our minds around?
Re:SP2 what? (Score:2)
Ooohhh!!!
Ooohhh....
Crap.
Just hold down Ctrl. (Score:5, Funny)
NX bit? (Score:3, Interesting)
Re:NX bit? (Score:3, Insightful)
Fixed Quickly? (Score:4, Interesting)
Anyway you have to wonder about this kind of technical oversight. If you are implementing an NX heap, you obviously need to NX the WHOLE heap for it to be useful.
Basically it looks like Microsoft is incapable of secure development at the core OS layer. I find that absolutely mind boggling given their resources.
Re:Fixed Quickly? (Score:3, Insightful)
Re:Fixed Quickly? (Score:3, Insightful)
Linux way of fixing things:
1) Discover there is a problem
2) Send a patch to kernel maintainers
3) Kernel is patched
Windows way of fixing things:
1) Discover problem
2) Tell Microsoft
3) Two months later, when Microsoft has done nothing, tell the world
4) Get possibly sued by Microsoft (if MS can to a Russian company)
5) After several viruses have exploited the vulnerability, Microsoft makes a patch that
Re:Fixed Quickly? (Score:3, Insightful)
The patch may be quick. It will still take a long time to deploy.
No, Windows has had automatic update for years now. Every machine I have is fully current with patches.
What would be the proportion of Linux systems running with heap protection?
Re:Fixed Quickly? (Score:2)
Why wouldn't Microsoft parlay vulnerabilities in their core OS (and the long delays in their providing patches) into a big push to adopt their "Trusted Computing" initiative?
With DRM in BIOS, and no ability to use any OS, application, or media file not explicitly approved by Microsoft, any/all of MSFT s/w vulnerabilities become a moot point. They will have no legal or moral compulsion to fix any of their s/w vulnerabilities, as all security concerns (and responsibility) will be pa
Re:NX bit? (Score:5, Informative)
plus, there's a chicken-and-egg impediment (Score:5, Interesting)
Re:plus, there's a chicken-and-egg impediment (Score:2)
Re:plus, there's a chicken-and-egg impediment (Score:5, Interesting)
1) An exploitable memory overwrite error in a system component.
2) A heap allocation pattern that exactly matches the pattern demonstrated here.
If you don't have BOTH of these criteria met, then it won't matter.
Software DEP was never intended as anything more than a really big speedbump.
As a PoC, it's interesting, but as "the end of XP SP2?" I don't think so....
Re:NX bit? (Score:3, Insightful)
For those not in the know, XPSP2 has two forms of DEP: Hardware and Software. If your processor supports it, WinXP uses Hardware DEP in the form of the NX bit to protect your PC. If the NX bit is not available on your CPU (most CPUs fall under this category) then it defaults to the Software DEP, or "sandboxing" as they put it.
If anyone wants to try and exploit this on an NX capab
Re:NX bit? (Score:2)
I mean, hardware DEP is available on 5 years old at that time. But that's crazy talk - I mean, everyone replaces their system every 6 months.
Mod parent up
Re:NX bit? (Score:3, Informative)
Netcraft confirms it (Score:1)
Linux/NX/AMD64 (Score:2)
Re:Linux/NX/AMD64 (Score:5, Informative)
http://news.zdnet.com/2100-3513_22-5227102.html/ [zdnet.com]
http://linuxgazette.net/107/pramode.html/ [linuxgazette.net]
http://kerneltrap.org/node/3240?PHPSESSID=262a094
http://searchenterpriselinux.techtarget.com/origi
Just to name a few
Re:Linux/NX/AMD64 (Score:2)
But how do apps take advantage of it?
I've compiled 2.6.10 recently, and I didn't see any options for "Enforce NX", or anything? Or is it a glibc thing?
Is that link to MS correct (Score:2)
Re:Is that link to MS correct (Score:5, Funny)
You expect too much from the editors.
Re:Is that link to MS correct (Score:2)
allows restriction of lookaside list creation, governed by a special global flag.
Using regmon and filemon, I found that PTmsHORP simply modifies the DisableHeapLookaside registry value. That old KB article was the most authoritative source I could find which describes what that registry setting does.
Also I found it interesting that a performance improvement made back in the NT4.0 days, which at the time caused so
This is way wrong. (Score:5, Interesting)
And
"In October 2004 it was discovered by MaxPatrol team that it is possible to defeat Microsoft® Windows® XP SP2 Heap protection and Data Execution Prevention mechanism."
This is too much time to fix something. I can agree with some delayed disclosure but not anything above a month.
Re:This is way wrong. (Score:5, Insightful)
The CNET article states that they didn't report it to Microsoft until Dec 22. Which is close enough to the holidays that a substantial part of many businesses staff are out until the 1st of Jan.
Anything that modifies core memory access/rights such as this needs extensive testing. It's most likely an easy fix, but you should be well aware of the outrage that would occur if they released a fix that ended up breaking things. Recall the rushed fix to OpenSSH that was distributed only to be replaced days later with a proper fix, leading to all manner of confusion as to which versions were vulnerable and not?
Given that this is a relatively minor problem - the attacker would have to have another successful attack vector to be able to use this - I'm glad Microsoft is [theoretically] taking the time to do this right. If you're really that worried about it, you can run the software provided by a mostly unknown Russian company that they freely admit will affect the system negatively. And pray that there are no bugs in their code and that it's not malicious...
Re:This is way wrong. (Score:2)
Re:This is way wrong. (Score:2)
Sure, that's why if anything breaks Linux kernel memory protection it takes at least a month for Linux developers to release a fix. Oh wait, it doesn't.
Re:This is way wrong. (Score:2)
No there won't. Security fixes are fast tracked and available here [redhat.com] essentially on the same time frame as patch releases to the general public.
Re:This is way wrong. (Score:2)
Don't act stupid. In many cases, Red Hat employees are the ones who develop the fixes. In all other cases, they work closely with those who do.
In hardware? (Score:1, Interesting)
We know that unix, its variants and progeny, have memory protection. How many of these rely on the hardware to protect them? Certainly 'legacy' *nixes didn't run on HW that had these features.
I guess what I'm saying is I don't like it as a long term strategy.
Re:In hardware? (Score:2)
Re:In hardware? (Score:2, Informative)
Re:In hardware? (Score:2)
Re:In hardware? (Score:5, Informative)
Ummm... all of them?
Memory protection requires hardware support to work, and every version of UNIX, Linux, NT (right from the beginning) and Win9x all use hardware support to implement memory protection.
It seems that you have hardware memory protection mixed up with the NX (no execute) bit. All that the NX bit does is nothing more than mark memory allocated on the heap as non executable. The application is completely free to allocate executable memory, just that a normal malloc() does not cut it for this purpose.
This is a very good feature. The reason is that 99.99% of apps never need to execute code created on the heap. The only exceptions are things that JIT code like the Java VM.
Many buffer overruns that result in exploits rely on heap memory being executable. By requiring a very small set of programs to be fixed, you can eliminate a whole type of security flaw. Is it the be all and end all? No its not. But it sure helps.
Re:In hardware? (Score:2)
Re:In hardware? (Score:2)
Not as simple as that.
You don't eliminate a whole class of attacks, you just make them harder. An attacker may still be able to subvert a program using a buffer overrun, but this requires a better knowledge of the heap structure surrounding the buffer and it re
Re:In hardware? (Score:2)
Not quite. If I know enough about what I am overwriting, I may still be able to overwrite addresses of dll's etc. and subvert the execution of the program. If pointers to functions are used, I can overwrite those to wi
Re:In hardware? (Score:2)
Re:In hardware? (Score:2)
It appears most of the problem is the lack of this NX bit on Intel processors. If it had been there initially both Windows and Linux would be using it and nobody would think
Re:Segment protection in the 386 (Score:2)
The problem is the '286 scheme was useless due to the '86 design that overlapped the segments. Most MSDOS programs assumed and relied on this overlap, making it impossible to write a '286 version of any system that could emulate MSDOS enough to run old programs. The '86
Re:In hardware? (Score:2, Insightful)
you can simply register an interrupt handler, for the clock, if you need to do something every clock tick, or to int21 (dos function calls) if you want to do something when a program calls dos functions.
It shouldn't be a surprise. (Score:4, Interesting)
Re:It shouldn't be a surprise. (Score:2)
I think I'd prefer a different analogy.
It's much harder to get through a barrier that's been tested and reinforced appropriately than one that's never been tried out - no matter what the skill is of the person who constructed it.
Software has bugs. Software gets fixed. Software is stronger for it. This is true of Windows, Linux, OpenSSL, and any other piece of software you c
Re:It shouldn't be a surprise. (Score:2)
Generally software does not get stronger. People keep adding (more code) to it before it can get there.
And yes, I'm talking about all software here, not just MS.
Re:It shouldn't be a surprise. (Score:2)
Every expert programmer knows that. Those that write agile software are highly aware of that.
Sadly companies often want to get a fast fix out, and that fix is very seldom 100% correct.
Re:It shouldn't be a surprise. (Score:4, Informative)
I don't see how you could possibly suggest a full redesign and rewrite and then, in the same post, complain that fast fixes are rarely 100% correct. As if the rewrite won't be a thousand times worse!
Re:It shouldn't be a surprise. (Score:3, Insightful)
If it's the same people who didn't spot the serious bug that affects the _whole_ design, the odds are much worse that starting again would actually help much.
Ask a crappy team to redesign and rewrite and they'll just come up with more crap. Let's be nice and say the team is good only the politics/process is broken, whatever, you still end up with more crap.
So far the evidence is that more often than not the same pe
Re:It shouldn't be a surprise. (Score:2)
Are you saying that taping a piece of cardboard to a steel door makes it easy to bypass? Wow, I'm gonna get me to a bank...
Never thought of it. (Score:1)
I wonder.... (Score:4, Insightful)
And yet (Score:3, Funny)
Re:And yet (Score:2, Interesting)
foiled? (Score:4, Funny)
Shouldn't that read tin-foiled? C'mon, slashdot, standards?
stackguards should be last line of defence (Score:3, Insightful)
So basically, nothing has changed in the security world in the past year. The only thing is that the attitude of programmers has, in some cases, become slacker because of technologies like this, believing they can get away with it now.
If you ask me though personally, I'm betting Microsoft didn't run major tests on the security of DEP anyway, only simpler ones
I blogged another way too (Score:5, Interesting)
I did blog on another way using only a stack overflow on my blog [blogspot.com]. My way was more "all existing exploits work as-is after just a little extra step" than "exploits still exist that get around DEP" though.
My way was to just slap DEP in the face by using a ret2libc with a constructed stack frame that gave the shellcode a nice, clean, executable area of memory to execute in, then copied the memory there, then returned to it. This is done by 1) Return to VirtualAlloc(), 2) Return to memcpy(), 3) return to shellcode.
They noticed this in October; it took me until January and I'm not a security expert.
For the geeks... (Score:4, Interesting)
So, will M$ take a stand? (Score:3, Insightful)
Hmmm (Score:2)
Err... Anyone else notice something funny here? (Score:2)
During the first execution this program shows the list of applications which already have this flag set.
I have DEP set to protect "essential Windows programs and services only"...
Yet, running this util, the list of programs looks nothing like a list of "essential" Windows programs. In fact, I honestly don't recognize any of the programs listed, and I say that as someone that knows what a normal Windows XP SP2 install "should" have running, even down to
Re:Err... Anyone else notice something funny here? (Score:2)
What the shit? (Score:2, Interesting)
How the shit is this a vulnerability exactly? The only way to exploit it is to have already 0wned the machine so there would be no need to disable memory protection at any scope.
Also, as mentioned, this doesn't work correctly on hardware that supports NX. Ther
Question about the stack (Score:2, Interesting)
So why not make the stack grow upwards instead of downwards?
Re:Question about the stack (Score:3, Informative)
The "stack grows down" has been embedded in the hardware design and now it cannot be changed easily.
It's Core Wars again! (Score:2)
Microsoft and the hackers are just playing CoreWars [sourceforge.net], for real, on our systems. Isn't that great?
In fact, Windows XP's heap boundary checking sounds like little more than the old RADAR-X [ociw.edu] REDCODE program...
Alternative implementation strategy (Score:2)
A better way to defeat this class of attack is to move the metadata (in this case the link table) elsewhere to another, noncontiguous page. You could still induce a buffer overflow, but such an overflow would not corrupt the whole allocation mechanism.
For extra security you could put it in kernel space and give the library a new system call to do memory allocation, but that would increase memory allocation overhead, likely unacceptably.
Analysis and solution depend heavily on what attack you wish to defen
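The out-of-band metadata idea in the post above, as an added example (constructed here, not the poster's code and not the Windows heap): a toy fixed-size-chunk arena built both ways. Writing a few bytes past one chunk's payload corrupts the next chunk's free-list link in the inline layout, while the separate link array of the out-of-band layout is untouched; the chunk sizes and the OVERRUN value are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <string.h>
/* Constructed illustration (not any real allocator's code): a toy arena of
   NCHUNK fixed-size chunks, with free-list links kept inline or out of band. */
#define NCHUNK  8
#define CHUNK   32
#define OVERRUN 8   /* how far past its payload the buggy write runs */

/* Layout 1: inline link. The payload of chunk i ends exactly where the link
   of chunk i+1 begins, so a small overrun lands on allocator metadata. */
struct ihdr { struct ihdr *next; };
static union { struct ihdr hdr; unsigned char raw[CHUNK]; } iarena[NCHUNK];
static struct ihdr *ifree;
static void iinit(void) {
    ifree = NULL;
    for (int i = NCHUNK - 1; i >= 0; i--) { iarena[i].hdr.next = ifree; ifree = &iarena[i].hdr; }
}
/* Pop the free-list head; the payload starts right after the header. */
static unsigned char *ialloc(void) {
    struct ihdr *h = ifree; ifree = h->next;
    return (unsigned char *)iarena + ((uintptr_t)h - (uintptr_t)iarena) + sizeof *h;
}
/* Each link must hit a chunk boundary inside the arena; a node is checked
   before it is dereferenced, so a corrupt link is reported rather than followed. */
static int ifreelist_intact(void) {
    int n = 0;
    for (struct ihdr *h = ifree; h; h = h->next, n++) {
        uintptr_t off = (uintptr_t)h - (uintptr_t)iarena;
        if (off >= NCHUNK * CHUNK || off % CHUNK || n > NCHUNK) return 0;
    }
    return 1;
}

/* Layout 2: out-of-band links in a separate array a payload overrun cannot reach. */
static unsigned char oarena[NCHUNK * CHUNK];
static int olink[NCHUNK]; /* index of the next free chunk, or -1 */
static int ofree;
static void oinit(void) { ofree = 0; for (int i = 0; i < NCHUNK; i++) olink[i] = i + 1 < NCHUNK ? i + 1 : -1; }
static unsigned char *oalloc(void) { int i = ofree; ofree = olink[i]; return oarena + i * CHUNK; }
static int ofreelist_intact(void) {
    for (int i = ofree, n = 0; i != -1; i = olink[i], n++)
        if (i < 0 || i >= NCHUNK || n > NCHUNK) return 0;
    return 1;
}

/* The same bug in both layouts: the first allocation is written OVERRUN bytes
   past its payload. Returns 1 if the free list is still intact, 0 if not. */
int inline_layout_survives_overflow(void) {
    iinit();
    unsigned char *a = ialloc();
    memset(a, 'A', CHUNK - sizeof(struct ihdr) + OVERRUN);
    return ifreelist_intact();
}
int oob_layout_survives_overflow(void) {
    oinit();
    unsigned char *a = oalloc();
    memset(a, 'A', CHUNK + OVERRUN);
    return ofreelist_intact();
}
```

The out-of-band layout still loses the neighbouring chunk's payload to the overrun, which is the poster's point: the allocator's own bookkeeping survives, the application data does not.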
Re:Can you blame them? (Score:5, Funny)
> Chalk and cheese?
Don't you mean simply "swiss cheese"?
Re:Can you blame them? (Score:2)
Re:Can you blame them? (Score:2)
Re:And this (Score:3, Insightful)
Re:And this (Score:5, Insightful)
Re:And this (Score:2)
Re:And this (Score:3, Informative)
The code execution protection
Re:And this (Score:2, Insightful)
Re:And this (Score:2)
Re:And this (Score:4, Funny)
http://www.microsoft.com/windowsservers
It's a fact. So this vulnerability, and the dozen others I've been patching at the work, are just some kind of imagination. Or maybe Linux / BSD / OS X users have just amazing amounts of vulnerabilities (counted together, OS & apps).
I'm drunk. And it's not a surprise. Every hardcore Linux geek (like myself) who has to maintain Windows networks for a living has more drinking problems than those who are using solely operating systems and software which are free as in speech (as opposed to beer).
Responsible for security of a Windows network? Next recommendation for security enhancements: different operating systems, no more IE. If there are costs, then they're definitely worth it. Microsoft has proved that they don't care. All they care about is money, monopoly and marketing (FUD / brainwashing / propaganda).
Re:And this (Score:2)
It's nice that MS is even trying this, but really I think the onus is on the developer. It doesn't matter if we're talking Microsoft or not.
while((*(szShit++)=*(szHappens++))!='\0');
You can't make assumptions about the data you get passed...
Yep... (Score:2, Funny)
Re:Don't forget... (Score:2, Insightful)
What's the mother fucking point of reading the comments if you're going to let other people decide for you which ones are good enough to read?
Re:Don't forget... (Score:2)
Re:Don't forget... (Score:2)
Saying "XP's No eXecute can be foiled so I'll switch to a platform that doesn't even offer it" seems a little odd to me.
Plus, AMD's NX bit will catch this, so XP2 on AMD64 doesn't have this problem.
Re:Don't forget... (Score:2, Insightful)
If you browse at +3, you will miss a lot of funny as well as lot of rather intelligent posts you wouldn't get to see at +3.
Also, reading at -1 raw and uncut shows in rather stark clarity that the moderating system at slashdot is broken
Re:OK, I checked that out! Here is what I think... (Score:2)
Re:OK, I checked that out! Here is what I think... (Score:2)
Actually, you've just proven you don't have a clue.
In hibernation, the PC can be removed from the power supply completely - battery out on the floor style. Do this to a Mac in sleep mode and it dies.
The closest thing to "sleep" mode on the Mac is (believe it or not), "sleep" mode on a PC. Anyone who tries to tell you different is either self-deluded or simply trying to delude you.
Just in case you don't believe me - have a deep,
Re:An agrarian view on alternatives for XP SP2 (Score:4, Informative)
You can build things with GCC and not GPL them.
You can build things and link to libraries that are GPL and not GPL them.
So, you can develop apps for Linux, using only your own code and any code that BSD people threw under the BSD license, and build them against open source libraries to use those, and have an MS style EULA and closed source.
Re:An agrarian view on alternatives for XP SP2 (Score:2)
Re:How does linux fix this? (Score:2, Insightful)
Exec Shield protects the stack, unless something's mapped above it, or unless it thinks you need an executable stack. It protects other things, randomly; the protections randomly fail. Spender also has a working exploit that takes out ES, but he can't distribute it or disclose the method because (as he needs food) he sold it for $1000 to a security firm.
The stack can
Re:Um... (Score:2)