Dailydave mailing list archives
Re: The sky's downward trajectory
From: "Rhys Kidd" <rhyskidd () gmail com>
Date: Mon, 19 Feb 2007 13:28:54 +0900
I'd assume that Immunity's method of bypassing hardware-based DEP (i.e. the NX protect bit in modern CPUs) builds on the work of skape and Skywing in Uninformed Journal v2, http://uninformed.org/?v=2&a=4&t=sumry.

The attack relies on first returning to the function in ntdll.dll called NtSetInformationProcess with a parameter that disables hardware DEP on a per-process basis. As this function is code, the process is allowed to direct execution flow to it while hardware DEP is still enabled.

"This approach requires the knowledge of three addresses. First, the address of the mov al, 0x1 / ret equivalent must be known. Fortunately, there are many occurrences of this type of block, though they may not be as simplistic as the one described in this document. Second, the address of the start of the cmp al, 0x1 block inside ntdll!LdrpCheckNXCompatibility must be known. By depending on two addresses within ntdll, it stands to reason that an exploit can be more portable than if one were to depend on addresses from two different DLLs. Finally, the third address is the one that would be the one that is typically used on targets that didn't have hardware-enforced DEP, such as a jmp esp or equivalent instruction depending on the vulnerability in question."

The impact of this method is that an exploit could be modified rather easily to first disable DEP before attempting to return into its own arbitrary code.

So what does Microsoft provide to make this more secure? Firstly, the push by Michael Howard et al. to get ASLR implemented in Vista beta 2 and above means the addresses within ntdll.dll are going to be somewhat random, thereby making reliable use of this technique difficult. NX bit based defenses really should be implemented hand-in-hand with some form of memory randomisation, as was documented by the PaX project. Secondly, as Dave mentioned, setting "AlwaysOn" in boot.ini should prevent DEP from being disabled on a per-process basis.

HTH.
Rhys
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
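A defender-side check for the two mitigations the post ends on (a system-wide DEP policy of AlwaysOn, and per-process DEP that cannot be switched off at run time). This is an added example, not code from the post or from Immunity; it assumes a Windows host where the Win32_OperatingSystem WMI class and the kernel32 GetProcessDEPPolicy export are available (XP SP3 / Vista SP1 and later), and the function and variable names are my own.

```powershell
# Added example, not part of the original post: report the system-wide DEP
# policy and, for each running process, whether DEP is on and whether it has
# been made permanent (i.e. cannot be switched off at run time).

Add-Type -Namespace DepCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

function Get-SystemDepPolicy {
    # DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (default), 3 OptOut
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
        Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
    }
}

function Get-ProcessDepStatus {
    # Flag bits returned by GetProcessDEPPolicy:
    #   PROCESS_DEP_ENABLE = 0x1, PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION = 0x2
    foreach ($p in Get-Process) {
        $flags = [uint32]0
        $permanent = $false
        try {
            $ok = [DepCheck.Native]::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)
        } catch {
            $ok = $false   # no handle access (protected/system process) or query not applicable
        }
        if (-not $ok) { continue }
        [pscustomobject]@{
            Id         = $p.Id
            Name       = $p.ProcessName
            DepEnabled = [bool]($flags -band 1)
            Permanent  = $permanent
        }
    }
}

$sys = Get-SystemDepPolicy
$sys | Format-List
if ($sys.Policy -ne 'AlwaysOn') {
    Write-Warning "System DEP policy is $($sys.Policy): processes may still opt out. AlwaysOn is set with /noexecute=AlwaysOn in boot.ini (XP/2003) or 'bcdedit /set nx AlwaysOn' (Vista and later)."
}

# Processes running with DEP on but not marked permanent are the ones a
# per-process opt-out of the kind described in the post could still affect.
Get-ProcessDepStatus | Where-Object { $_.DepEnabled -and -not $_.Permanent } | Format-Table -AutoSize
```

Run it from an elevated prompt to get handles on more processes; processes whose handle cannot be opened are skipped rather than reported, so an empty table is not proof that every process is permanently protected.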