Nmap Development mailing list archives

Re: Enabling DEP and ASLR on Nmap for Windows


From: "'Fyodor'" <fyodor () insecure org>
Date: Thu, 12 Aug 2010 22:56:08 -0700

On Wed, Aug 11, 2010 at 02:01:54PM +0100, Rob Nicholls wrote:
> Attached is a patch that enables ASLR and DEP for Nmap, Ncat and Nping on
> modern versions of Windows. It's a simple change to two configuration
> options in Visual C++ for each project.

Thanks Rob.  I did some simple Nmap and Ncat testing on Windows 7 Home
with the version you checked in and I haven't encountered any
problems.

> We still use "Unsafe Clib functions"

That is true.  We use some risky functions, but take care to use them
safely.  Still, we might someday consider eliminating them.

> I haven't touched SetProcessDEPPolicy() - I had tried adding something, but
> it didn't seem to work (according to LookingGlass, although I'm not sure I
> trust the results as it said "True" to ASLR and DEP in my 2000 VM so it's
> possible it's only checking the PE header?),

Yeah, Looking Glass (http://www.erratasec.com/lookingglass.html) seems
like a valuable tool, but not a well documented one.


> Because ndiff and zenmap are generated by py2exe, this would probably
> require a lot more effort. The GTK binaries and everything else in the
> py2exe folder don't support ASLR or DEP, so - if it's even possible - we'd
> have to recompile pretty much everything ourselves from scratch rather than
> using the current binaries, as well as work out how best to introduce ASLR
> and DEP for each bit (e.g. py2exe, GTK+, PyCairo).

Yeah, that sounds like a mess.

> The OpenSSL DLLs we're using (ssleay32.dll and libeay32.dll) also don't
> support ASLR or DEP. We appear to be using 0.9.8j, so it might not hurt to
> update to 1.0.0a or 0.9.8o.

Good idea.  I added a todo note to upgrade to 1.0.0a.

> The WinPcap DLLs don't support ASLR or DEP. We're distributing their signed
> binaries, so we'd really need WinPcap to make the changes at their end.

Maybe we'll ask them nicely.

> The NSIS installers that are created also don't support ASLR or DEP, and
> they do use Unsafe Clib functions. Again, I'm not sure what we can do to
> help there.

I'm not really worried about those.

> Basically, a lot of the third party files that Nmap relies upon don't use
> ASLR or DEP (yet?). We can make changes to Nmap, but as you point out
> attackers can potentially exploit the (many) unprotected DLLs.

Well, this is a start!

> On a positive note, I have a fully patched Windows 2000 virtual machine and
> it seems to cope fine with the Nmap binaries I've created with ASLR and DEP
> enabled using the DYNAMICBASE and NXCOMPAT switches (it appears 2000 simply
> ignores them and runs the programs as normal). I've been giving Windows
> Virtual PC on Windows 7 a try and it works pretty well for Microsoft Windows
> guest VMs.

Thanks for testing.

Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
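Rob wonders above whether Looking Glass is "only checking the PE header". The /DYNAMICBASE and /NXCOMPAT linker switches discussed in this thread do nothing more than set two bits in the optional header's DllCharacteristics field, so a header check is exactly what such a tool can do for a file on disk; whether the OS honours those bits (Windows 2000 ignores them, as Rob observed) is a separate, runtime question. The script below is an added example, not part of this thread or of the Nmap project, that reads those bits directly from a PE file so the result can be audited without a third-party tool. It goes one step beyond the two flags: an image marked DYNAMICBASE can only be relocated if its relocation data was not stripped, so the script also reports the COFF IMAGE_FILE_RELOCS_STRIPPED bit and derives an "aslr_effective" verdict from both. The build_minimal_pe() helper constructs a non-loadable sample header purely so the checker has offline input; the flag constants are the documented winnt.h values.

```python
import struct

# Flag values from the PE/COFF specification (winnt.h).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001               # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR (/HIGHENTROPYVA)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # set by /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # set by /NXCOMPAT


def read_pe_flags(data):
    """Return (coff_characteristics, dll_characteristics, is_pe32plus) from PE image bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    size_opt, coff_chars = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    if size_opt < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header for both PE32 and PE32+
    # (PE32 has BaseOfData(4) + ImageBase(4); PE32+ drops BaseOfData and uses ImageBase(8)).
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return coff_chars, dll_chars, magic == 0x20B


def check_mitigations(data):
    """Report the link-time DEP/ASLR markings of a PE image as a dict of booleans."""
    coff_chars, dll_chars, pe32plus = read_pe_flags(data)
    dynamicbase = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": pe32plus,
        "dynamicbase": dynamicbase,
        "nxcompat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
        # The loader can only randomise the base of an image it is able to relocate.
        "aslr_effective": dynamicbase and not relocs_stripped,
    }


def build_minimal_pe(dll_chars, coff_chars=0, pe32plus=False):
    """Constructed sample input: a bare MZ/PE/COFF/optional header, not a loadable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature right after DOS header
    opt_size = 112 if pe32plus else 96               # standard optional header sizes, no data dirs
    machine = 0x8664 if pe32plus else 0x14C          # AMD64 or i386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_file(path):
    """Convenience wrapper for a real .exe/.dll on disk (e.g. nmap.exe, libeay32.dll)."""
    with open(path, "rb") as f:
        return check_mitigations(f.read())


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, check_file(path))
```

Run it as `python pecheck.py nmap.exe ncat.exe ssleay32.dll libeay32.dll` to see which of the distributed binaries carry the bits. A "False" for nxcompat on a DLL matters less than on the .exe, since DEP is a per-process setting decided by the executable's header (or by SetProcessDEPPolicy()), whereas a DLL without DYNAMICBASE is loaded at its preferred base inside an otherwise randomised process, which is the concern Rob raises about the unprotected third-party DLLs.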