Dailydave mailing list archives

Re: ASLR+DEP = no problem. :>


From: dave <dave () immunityinc com>
Date: Thu, 04 Feb 2010 14:09:46 -0500

I know I'm annoying Spender by even replying, but this sort of thing is
not dependent on Flash. It's simply a function of "Any JIT the attacker
can pass data into will break DEP/ASLR". The only "solution" is to have
every available JIT have defined entry points that the kernel enforces
(which will prevent EIP from going into the middle of a JIT'd function).

At that point you basically have "Determina" and you take a performance
hit, which is what JIT is supposed to avoid. Or you can turn all
non-trusted code JITs off. Then it comes down to "what is trusted?" and
"wow, my flash code runs really slow now" and all sorts of other hilarity.

You could, as you point out, move things out of the process. But there's
a certain value to having things IN the process and not blocked by
default. Netflix requires Silverlight which requires .Net which has a
dynamic API that supports Eval(). Flash is technically the worst JIT to
use for this since you can't use Eval() (or other dynamic techniques) to
generate functions at runtime.

And it doesn't matter that Reader/Quicktime/.Net have DEP and ASLR
enabled. Our Aurora exploit works on Windows 7, and DEP/ASLR was
enabled. Nicolas Pouvesle (who led the team that worked on this here at
Immunity) updated our version today to work on 32-bit IE on 64-bit
Windows 7 - there are a lot of annoying little issues to work around here.

But those issues aren't roadblocks. And if Flash gets annoying to work
with, you can do this with VBScript or any JIT that is in the browser.
You can use this on bugs for anything that sits in a process with a JIT
- from Adobe Reader, to Java, to Flash, to Word/PPT/XLS.

There's lots of ways to break DEP and ASLR. Information leakages are the
best way really. But JITs help break DEP/ASLR too. In the end
mitigations just buy the leading edge adopters a couple of years until
the offensive research teams turn their attention to them.

Spender would say all this stuff is obvious, but we're happy to write
exploit after exploit to demonstrate it anyways. :>

-dave

Moshe Ben Abu wrote:
Yep, I agree with Thierry, once the technique is fixed - ASLR+DEP =
big problem :(

Past examples:
 - Java Virtual Machine Heap Spray > Java is out of process since 1.6.0u10.
 - Actionscript Heap Spray > Flash 10 got DEP and ASLR.
 - .NET User Control binary > Internet Explorer 8 RTM blocks it on
Internet Zone.

In addition, latest versions of Adobe Reader, QuickTime and .NET
Framework got DEP and ASLR enabled too...

On Thu, Feb 4, 2010 at 1:14 PM, Thierry Zoller <Thierry () zoller lu> wrote:

    Hi,
    This -
    >It does this by playing some very odd tricks with
    >Flash's JIT compiler.
    +
    >In other words, ASLR
    >and DEP are not longer the shield they once were.
    Doesn't compute. You are relying on oddities, fix
    the oddities and ASLR/DEP are back again.

    --
    http://blog.zoller.lu
    Thierry Zoller


    _______________________________________________
    Dailydave mailing list
    Dailydave () lists immunitysec com
    http://lists.immunitysec.com/mailman/listinfo/dailydave
-- 
Trancer
Recognize-Security
http://www.rec-sec.com
