Bugtraq mailing list archives
Re: Is DEP easily evadable?
From: John Richard Moser <nigelenki () comcast net>
Date: Thu, 13 Jan 2005 13:40:27 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Florian Weimer wrote:
* John Richard Moser:I'm no security expert, so bear with me here; I just kind of tripped over something interesting that I'd like to ask about. I was blogging about DEP based on MS' technical documentation and came up with a quick and dirty way to use a buffer overflow (we'll assume no stackguarding, or that you found a way around it i.e. using a format string bug) to kick DEP out of the way. This is pretty much based on the PaX documentation and justification for mprotect() restrictions.Look for return-into-libc exploits. There are quite a few. Even with non-executable stack and heap, no one guarantees that buffer overflows aren't exploitable. Randomization of load addresses is intended to provide additional protection, but the number of available bits is fairly low on 32 bit machines (problably less than 16). I don't know if Windows is doing it.
I don't see anything in the docs about it, but I don't have XP (I think I have an XP license. . . yeah here it is, taped to the bottom of my laptop; but I don't have a CD, and don't feel like finding . . what are those things. . . a torrent of it) PaX does pretty nice randomization. I think 15/16 for heap and stack and 24 for mmap(), though I could be overshooting the 24. I'm on amd64 so I can't just run paxtest and see; though I could read the source code. Also, there appears to be a UUDecode() function available! :) Looks like you might be able to do attacks with NULLs in the shellcode and such? Oh well, I guess this is just redundant white noise then; I was just struck dumb a bit when it appeared that HW-DEP provided nothing in the way of real protection; I'm too used to security enhancements being real. - -- All content of all messages exchanged herein are left in the Public Domain, unless otherwise explicitly stated. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFB5sCYhDd4aOud5P8RAn+VAKCKTEfka1sMzEdL9xliKEDJDsGxEgCgkFI4 ph+fJOcB0ELonMpX/Px2RxY= =Mctm -----END PGP SIGNATURE-----
Current thread:
- Is DEP easily evadable? John Richard Moser (Jan 12)
- Re: Is DEP easily evadable? Florian Weimer (Jan 13)
- Re: Is DEP easily evadable? John Richard Moser (Jan 13)
- Re: Is DEP easily evadable? Ben Pfaff (Jan 13)
- Re: Is DEP easily evadable? John Richard Moser (Jan 14)
- Re: Is DEP easily evadable? Ben Pfaff (Jan 14)
- Re: Is DEP easily evadable? John Richard Moser (Jan 13)
- Re: Is DEP easily evadable? Florian Weimer (Jan 13)