Nmap Development mailing list archives
Re: Enabling DEP and ASLR on Nmap for Windows
From: "'Fyodor'" <fyodor () insecure org>
Date: Thu, 12 Aug 2010 22:56:08 -0700
On Wed, Aug 11, 2010 at 02:01:54PM +0100, Rob Nicholls wrote:
> Attached is a patch that enables ASLR and DEP for Nmap, Ncat and Nping on modern versions of Windows. It's a simple change to two configuration options in Visual C++ for each project.
Thanks Rob. I did some simple Nmap and Ncat testing on Windows 7 Home with the version you checked in and I haven't encountered any problems.
> We still use "Unsafe Clib functions"
That is true. We use some risky functions, but take care to use them safely. Still, we might someday consider eliminating them.
> I haven't touched SetProcessDEPPolicy() - I had tried adding something, but it didn't seem to work (according to LookingGlass, although I'm not sure I trust the results as it said "True" to ASLR and DEP in my 2000 VM so it's possible it's only checking the PE header?),
Yeah, Looking Glass (http://www.erratasec.com/lookingglass.html) seems like a valuable tool, but not a well documented one.
> Because ndiff and zenmap are generated by py2exe, this would probably require a lot more effort. The GTK binaries and everything else in the py2exe folder don't support ASLR or DEP, so - if it's even possible - we'd have to recompile pretty much everything ourselves from scratch rather than using the current binaries, as well as work out how best to introduce ASLR and DEP for each bit (e.g. py2exe, GTK+, PyCairo).
Yeah, that sounds like a mess.
> The OpenSSL DLLs we're using (ssleay32.dll and libeay32.dll) also don't support ASLR or DEP. We appear to be using 0.9.8j, so it might not hurt to update to 1.0.0a or 0.9.8o.
Good idea. I added a todo note to upgrade to 1.0.0a.
> The WinPcap DLLs don't support ASLR or DEP. We're distributing their signed binaries, so we'd really need WinPcap to make the changes at their end.
Maybe we'll ask them nicely.
> The NSIS installers that are created also don't support ASLR or DEP, and they do use Unsafe Clib functions. Again, I'm not sure what we can do to help there.
I'm not really worried about those.
> Basically, a lot of the third party files that Nmap relies upon don't use ASLR or DEP (yet?). We can make changes to Nmap, but as you point out attackers can potentially exploit the (many) unprotected DLLs.
Well, this is a start!
> On a positive note, I have a fully patched Windows 2000 virtual machine and it seems to cope fine with the Nmap binaries I've created with ASLR and DEP enabled using the DYNAMICBASE and NXCOMPAT switches (it appears 2000 simply ignores them and runs the programs as normal). I've been giving Windows Virtual PC on Windows 7 a try and it works pretty well for Microsoft Windows guest VMs.
Thanks for testing.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
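Rob's suspicion above is that Looking Glass may only be reading the PE header, which is exactly what the /DYNAMICBASE and /NXCOMPAT linker switches change: they set the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) bits in the optional header's DllCharacteristics field. The following is an added example, not code from the thread or from the Nmap project, that reads those two bits from any EXE or DLL so the state of nmap.exe and the third-party DLLs it ships with (OpenSSL, WinPcap, the py2exe tree) can be checked without a separate tool. The build_sample_pe() helper and the sample images it produces are constructed here purely so the parser can be exercised offline.

```python
import struct
import sys

# DllCharacteristics bits set by the MSVC linker switches discussed in the thread.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # /DYNAMICBASE -> image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # /NXCOMPAT    -> image is DEP compatible


def pe_mitigations(data: bytes) -> dict:
    """Return {'aslr', 'dep', 'pe32plus'} flags read from a PE image's optional header.

    This reports what the linker asked for; the loader may still refuse or ignore it
    (e.g. Windows 2000 has no notion of either bit and just runs the program).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at DOS header offset 0x3C points to the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header follows the signature
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # optional header follows the COFF header
    if size_of_optional < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional headers.
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "aslr": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "pe32plus": magic == 0x20B,
    }


def check_file(path: str) -> dict:
    """Read a real EXE/DLL from disk and report its ASLR/DEP header flags."""
    with open(path, "rb") as fh:
        return pe_mitigations(fh.read())


def build_sample_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed, header-only PE image (no sections) used to exercise the parser offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature right after DOS header
    opt_size = 240 if pe32plus else 224              # standard optional header sizes
    coff = struct.pack(
        "<HHIIIHH",
        0x8664 if pe32plus else 0x14C,               # Machine: AMD64 / i386
        0, 0, 0, 0,                                  # sections, timestamp, symbol table, symbol count
        opt_size,                                    # SizeOfOptionalHeader
        0x0102,                                      # Characteristics: executable, 32-bit
    )
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)           # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_mitigations.py nmap.exe ssleay32.dll libeay32.dll ...
    for name in sys.argv[1:]:
        flags = check_file(name)
        print("%-24s ASLR=%-5s DEP=%-5s (%s)" % (
            name, flags["aslr"], flags["dep"], "PE32+" if flags["pe32plus"] else "PE32"))
```

Run it over everything in the Nmap installation directory rather than only nmap.exe: as the thread notes, one non-relocatable DLL in the process undoes much of ASLR's benefit, and the header bits say nothing about whether DEP is actually enforced at runtime, which depends on the OS version and the system or per-process DEP policy (SetProcessDEPPolicy()).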