Nmap Development mailing list archives
RE: Enabling DEP and ASLR on Nmap for Windows
From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Wed, 11 Aug 2010 14:01:54 +0100
Attached is a patch that enables ASLR and DEP for Nmap, Ncat and Nping on modern versions of Windows. It's a simple change to two configuration options in Visual C++ for each project. We still use "Unsafe Clib functions" according to Looking Glass (available from Errata Security), but the main executables (ncat.exe, nmap.exe, nping.exe) can support ASLR and NX (DEP).

I haven't touched SetProcessDEPPolicy() - I had tried adding something, but it didn't seem to work (according to LookingGlass, although I'm not sure I trust the results as it said "True" to ASLR and DEP in my 2000 VM so it's possible it's only checking the PE header?), but that's probably down to my lack of knowledge of C and C++ more than anything else. It seems to be used to either disable DEP (which we don't want), enable it but prevent NS faults from the ATL thunk layer (not ideal), or enable it permanently (what we want). It seems that using the NXCOMPAT linker switch is equivalent to the latter, but it looks like only XP SP3, Vista, 2008, 2008R2 and 7 support it (i.e. 2003 SP2 and 2000 SP4 don't - although 2003 SP2 should have DEP enabled by default so that might be why MS didn't backport support like they did with XP SP3; ASLR isn't supported on 2003 and 2000 doesn't support anything IIRC). The NXCOMPAT switch sets a bit in the executable that indicates to the OS that the application is DEP enabled. I believe that setting this bit will override all other DEP settings - if DEP is disabled system wide or the application is opted out of DEP, the OS will still enable DEP for the application.

Because ndiff and zenmap are generated by py2exe, this would probably require a lot more effort. The GTK binaries and everything else in the py2exe folder don't support ASLR or DEP, so - if it's even possible - we'd have to recompile pretty much everything ourselves from scratch rather than using the current binaries, as well as work out how best to introduce ASLR and DEP for each bit (e.g. py2exe, GTK+, PyCairo).

The OpenSSL DLLs we're using (ssleay32.dll and libeay32.dll) also don't support ASLR or DEP. We appear to be using 0.9.8j, so it might not hurt to update to 1.0.0a or 0.9.8o. I haven't compiled OpenSSL on Windows in quite a while, but I don't recall any options for ASLR or DEP back then. It seems that ssleay32.dll doesn't use "Unsafe Clib functions", but libeay32.dll does use some.

The WinPcap DLLs don't support ASLR or DEP. We're distributing their signed binaries, so we'd really need WinPcap to make the changes at their end. On the plus side, none of their files use "Unsafe Clib functions" :)

The NSIS installers that are created also don't support ASLR or DEP, and they do use Unsafe Clib functions. Again, I'm not sure what we can do to help there.

Basically, a lot of the third party files that Nmap relies upon don't use ASLR or DEP (yet?). We can make changes to Nmap, but as you point out attackers can potentially exploit the (many) unprotected DLLs.

On a positive note, I have a fully patched Windows 2000 virtual machine and it seems to cope fine with the Nmap binaries I've created with ASLR and DEP enabled using the DYNAMICBASE and NXCOMPAT switches (it appears 2000 simply ignores them and runs the programs as normal). I've been giving Windows Virtual PC on Windows 7 a try and it works pretty well for Microsoft Windows guest VMs.

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Fyodor
Sent: 11 August 2010 00:41
To: Rob Nicholls
Cc: George Orwell; nmap-dev () insecure org
Subject: Re: Enabling DEP and ASLR on Nmap for Windows

On Mon, Jul 12, 2010 at 04:03:47PM +0100, Rob Nicholls wrote:
> I was hoping to do a little bit more testing before submitting a small patch to enable ASLR and DEP, but it looks like everything is fine so far, and with this information about working with EMET I might try and send something out later today.
Thanks Rob. Please do send that patch when you can, as we'd love to include this in the next release. Have you checked if all the DLLs shipped with Nmap opt in to ASLR too (OpenSSL, Winpcap)? My understanding is that attackers can just exploit DLLs if any of them are left unprotected.
> *I was wondering if it was worth installing/patching/testing on 2000 given that Microsoft stop supporting it tomorrow.
More testing is always helpful, so it would be great if you can. But if you don't have a Win2K machine, and you don't have any particular reason to think this will cause a problem for Win2K, we can probably do without for the moment. Maybe someone else on this list can test once we have a patch.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Attachment:
nmap_ncat_nping_aslr_dep.patch