Nmap Development mailing list archives

RE: Enabling DEP and ASLR on Nmap for Windows


From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Wed, 11 Aug 2010 14:01:54 +0100

Attached is a patch that enables ASLR and DEP for Nmap, Ncat and Nping on
modern versions of Windows. It's a simple change to two configuration
options in Visual C++ for each project. We still use "Unsafe Clib functions"
according to Looking Glass (available from Errata security), but the main
executables (ncat.exe, nmap.exe, nping.exe) can support ASLR and NX (DEP).

I haven't touched SetProcessDEPPolicy() - I had tried adding something, but
it didn't seem to work (according to LookingGlass, although I'm not sure I
trust the results as it said "True" to ASLR and DEP in my 2000 VM so it's
possible it's only checking the PE header?), but that's probably down to my
lack of knowledge of C and C++ more than anything else. It seems to be used
to either disable DEP (which we don't want), enable it but prevent NX faults
from the ATL thunk layer (not ideal), or enable it permanently (what we
want). It seems that using the NXCOMPAT linker switch is equivalent to the
latter, but it looks like only XP SP3, Vista, 2008, 2008R2 and 7 support it
(i.e. 2003 SP2 and 2000 SP4 don't - although 2003 SP2 should have DEP
enabled by default so that might be why MS didn't backport support like they
did with XP SP3; ASLR isn't supported on 2003 and 2000 doesn't support
anything IIRC).

The NXCOMPAT switch sets a bit in the executable that indicates to the OS
that the application is DEP enabled. I believe that setting this bit will
override all other DEP settings - if DEP is disabled system wide or the
application is opted out of DEP, the OS will still enable DEP for the
application.

Because ndiff and zenmap are generated by py2exe, this would probably
require a lot more effort. The GTK binaries and everything else in the
py2exe folder don't support ASLR or DEP, so - if it's even possible - we'd
have to recompile pretty much everything ourselves from scratch rather than
using the current binaries, as well as work out how best to introduce ASLR
and DEP for each bit (e.g. py2exe, GTK+, PyCairo).

The OpenSSL DLLs we're using (ssleay32.dll and libeay32.dll) also don't
support ASLR or DEP. We appear to be using 0.9.8j, so it might not hurt to
update to 1.0.0a or 0.9.8o. I haven't compiled OpenSSL on Windows in quite a
while, but I don't recall any options for ASLR or DEP back then. It seems
that ssleay32.dll doesn't use "Unsafe Clib functions", but libeay32.dll does
use some.

The WinPcap DLLs don't support ASLR or DEP. We're distributing their signed
binaries, so we'd really need WinPcap to make the changes at their end. On
the plus side, none of their files use "Unsafe Clib functions" :)

The NSIS installers that are created also don't support ASLR or DEP, and
they do use Unsafe Clib functions. Again, I'm not sure what we can do to
help there.

Basically, a lot of the third party files that Nmap relies upon don't use
ASLR or DEP (yet?). We can make changes to Nmap, but as you point out
attackers can potentially exploit the (many) unprotected DLLs.

On a positive note, I have a fully patched Windows 2000 virtual machine and
it seems to cope fine with the Nmap binaries I've created with ASLR and DEP
enabled using the DYNAMICBASE and NXCOMPAT switches (it appears 2000 simply
ignores them and runs the programs as normal). I've been giving Windows
Virtual PC on Windows 7 a try and it works pretty well for Microsoft Windows
guest VMs.

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
On Behalf Of Fyodor
Sent: 11 August 2010 00:41
To: Rob Nicholls
Cc: George Orwell; nmap-dev () insecure org
Subject: Re: Enabling DEP and ASLR on Nmap for Windows

On Mon, Jul 12, 2010 at 04:03:47PM +0100, Rob Nicholls wrote:

I was hoping to do a little bit more testing before submitting a small
patch to enable ASLR and DEP, but it looks like everything is fine so far,
and with this information about working with EMET I might try and send
something out later today.

Thanks Rob.  Please do send that patch when you can, as we'd love to
include this in the next release.  Have you checked if all the DLLs
shipped with Nmap opt in to ASLR too (OpenSSL, Winpcap)?  My
understanding is that attackers can just exploit DLLs if any of them
are left unprotected.

*I was wondering if it was worth installing/patching/testing on 2000 given
that Microsoft stop supporting it tomorrow.

More testing is always helpful, so it would be great if you can.  But
if you don't have a Win2K machine, and you don't have any particular
reason to think this will cause a problem for Win2K, we can probably
do without for the moment.  Maybe someone else on this list can test
once we have a patch.

Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Attachment: nmap_ncat_nping_aslr_dep.patch
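Rob wonders above whether Looking Glass only inspects the PE header. The DYNAMICBASE and NXCOMPAT linker switches do exactly that: they set bits in the DllCharacteristics field of the PE optional header. The following is an added example, not code from the thread or the Nmap project, that reads those two bits from any Windows executable or DLL (nmap.exe, the OpenSSL and WinPcap DLLs, etc.); the stub header it builds for offline testing is constructed and not a loadable image.

```python
# Added example: report the ASLR (DYNAMICBASE) and DEP (NXCOMPAT) opt-in bits
# of a PE image by reading IMAGE_OPTIONAL_HEADER.DllCharacteristics.
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by /DYNAMICBASE (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # set by /NXCOMPAT (DEP)


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics word of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                               # skip COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 0x46 in both PE32 and PE32+ headers.
    return struct.unpack_from("<H", data, opt + 0x46)[0]


def aslr_dep_status(data: bytes) -> dict:
    """Map the two opt-in bits to a small report."""
    flags = dll_characteristics(data)
    return {
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_stub_pe(flags: int) -> bytes:
    """Constructed minimal PE32 header (not runnable) for offline testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, 0 sections, optional header size 0xE0, EXECUTABLE|32BIT
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<H", opt, 0x46, flags)              # DllCharacteristics
    return dos + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:                            # e.g. nmap.exe libeay32.dll
        with open(path, "rb") as fh:
            print(path, aslr_dep_status(fh.read()))
```

Run it over every .exe and .dll in the install directory to see which third-party files still lack the bits; a file that loads without them still gives an attacker non-randomised code, which is the DLL concern raised in the thread.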

