Googler ships exploit to defeat DEP

Summary: A prominent security researcher has released an exploit that uses a new technique to defeat ASLR + DEP on Microsoft's Windows operating system.

A prominent security researcher has released an exploit that uses a new technique to defeat DEP (Data Execution Prevention) on Microsoft's Windows operating system.

The exploit, released by Google security researcher "SkyLined," uses the ret-into-libc technique to bypass DEP and launch code execution attacks on x86 platforms.

SkyLined (real name Berend-Jan Wever) is best known for introducing heap-spraying in Web browsers, a technique used in exploits to facilitate arbitrary code execution. He previously worked at Microsoft before leaving in 2008 to work on security for Google's Chrome browser.

follow Ryan Naraine on twitter

"I am releasing this because I feel it helps explain why ASLR+DEP are not a mitigation to put a lot of faith in, especially on x86 platforms," SkyLined wrote on his blog.  "32-bits does not provide sufficient address space to randomize memory to the point where guessing addresses becomes impractical, considering heap spraying can allow an attacker to allocate memory across a considerable chunk of the address space and in a highly predictable location," he added.

The code in this exploit shows how to abuse this to perform a ret-into-libc attack when you can predict or, through information leakage, determine the location of modules (exe, dll) in the process’ memory.
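One defender-side check that follows from this, as an added example (not from the article or from SkyLined's release): a module that has not opted into ASLR, or whose relocations were stripped, loads at its preferred image base every time, so its addresses are exactly the predictable "location of modules" a ret-into-libc chain relies on. The code below reads the relevant PE header bits; the headers it inspects are constructed inline, not taken from a real DLL.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits in the PE optional header (PE/COFF spec values)
DYNAMIC_BASE = 0x0040      # image opts in to ASLR (randomised load address)
NX_COMPAT = 0x0100         # image opts in to DEP (non-executable data pages)
# IMAGE_FILE_RELOCS_STRIPPED in the COFF header: no .reloc data, so the loader cannot move it
RELOCS_STRIPPED = 0x0001


def pe_mitigations(data):
    """Report which mitigations a PE image opts into by parsing its headers.

    'aslr' is only True when DYNAMIC_BASE is set AND relocations are present;
    otherwise the module loads at 'image_base' and its addresses are predictable.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                 # 20-byte COFF header follows the signature
    opt = coff + 20                     # optional header follows the COFF header
    coff_chars = struct.unpack_from("<H", data, coff + 18)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                  # PE32+: 8-byte ImageBase at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                # PE32: 4-byte ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # DllCharacteristics
    relocs_stripped = bool(coff_chars & RELOCS_STRIPPED)
    return {
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not relocs_stripped,
        "dep": bool(dll_chars & NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        "image_base": image_base,
    }


def build_header(dll_chars, coff_chars=0, image_base=0x10000000, pe32plus=False):
    """Constructed sample: a minimal, non-loadable PE header with the given flags."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, coff_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Running `pe_mitigations` over a real module is a one-liner with `open(path, "rb").read()`; any loaded module that reports `aslr=False` is a fixed-address gadget source regardless of how the rest of the process is randomised.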

The source code for the Internet Exploiter 2 exploit has been posted online [zip file].

Microsoft introduced ASLR (Address Space Layout Randomization) + DEP in Windows Vista, touting them as significant anti-exploit mechanisms, but researchers have spent the better part of the last year finding ways around these mitigations.

At the 2008 Black Hat conference, hackers Mark Dowd and Alex Sotirov demonstrated new methods to get around ASLR and DEP by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.

IMPORTANT UPDATE:

Berend-Jan Wever wrote in to make it clear that this exploit does not bypass ASLR. He also stressed that there is nothing in the exploit that is not public knowledge or easy to produce from public knowledge.

"It's an example of how to implement a known attack, not a new technique," he said.

He also made it clear that he did not release the code as a Google employee, but as an individual.


Talkback

191 comments
  • This has been known since at least 2004...

    that ASLR on 32 bit systems can be bypassed by brute force. It is still useful to have as an extra layer of defense though. It is also another reason to move to 64 bit systems where it is currently still difficult to do.
    planruse
• You can't use brute force in a hard-coded exploit

      You can't use brute force in a hard-coded exploit.
      directory
  • Good find

    The more we are made aware of potential security holes, the more we can defend against them.

    At some point however, this begs the question: Is there any security at all?

    I believe the best security is your own intelligence and what you do with it.

    Also interesting is the fact this particular exploit [b]doesn't work[/b] on x64 platforms. Perhaps indicating the necessity to migrate ASAP to 64-bit platforms? Well they don't cost any more financially to acquire? Most if not all CPUs sold in the last 24 months are 99% 64-bit compliant? As a matter of fact, try to find a 32-bit CPU only in any recent PC/netbook/notebook/desktop/blade/whatever?

    So what's the hold-up?

    [i]~~~~~~~~~~~
    There is no security on this earth; there is only opportunity.
    ~ General Douglas MacArthur [/i]
    WinTard
    • Like humans, like machines

      [i]At some point however, this begs the question: Is there any security at all? [/i]

      [b]Keep On Going [/b]

      [i] For every crime, there's retribution
      And every valley has a mountainside
      No, I don't like to trade just to be happy
      That kind of deal won't turn out right
      See it ain't good to stare inside yourself too long
      For every true thing there's one more lie
      But I won't worry, 'cause if I'm living on borrowed time
      I'll just try to keep on the way I'm going[/i]

      --Bob Welch (Fleetwood Mac)
      klumper
    • There is a hold-up?

      Do some people still use a 32-bit OS nowadays? o_O
      AzuMao
      • Not many who are smart..... the only computer I have 32-bit on

        Is an old Pentium 4 HP machine that simply wouldn't do 64-bit because of the motherboard in it.
        Lerianis10
        • Do people still use 32 bit?

          Some of us have no choice. Some apps simply will not run in 64 bit mode. I still have some I wrote back in the DOS days, and they are 16 bit. Will NOT run in 64 bit, not even in a DOS box.
          Franciscus101
          • Virtualization integration needs to be upped.

            I really think this is where Microsoft should focus their efforts for new OSs. They want to get rid of the backwards compatibility issue; virtualization can fix that. It's a bigger footprint on your hard drive, but at least you don't have the old code containing old security issues hanging around.

            Imagine if all you had to do was click virtualize in XP or '95 or 1.0 or DOS 6.22 and it would just work. Better yet, maybe it could autodetect somehow. 8bit, 16bit, 32bit, 64bit, 128bit, who cares, just virtualize the machine you need.
            shadfurman
          • I second that.

            That would be awesome, and it would make sense. Which means it's highly unlikely to happen until someone else does it first...
            914four
          • Actually, that's the problem.

            Windows will happily run 32 bit programs (by switching the processor into compatibility mode) and thus reduce the address space to 32 bits (1 of which is reserved), making it easy to search.

            So that if there's a vulnerability in that program, band-aids like ASLR will not be able to mask it.
            AzuMao
          • Solution; make 64 bit versions of them.

            If you use an HLL like C this is as trivial as recompiling it with the x86-64 flag set. If you wrote it in assembly language, it's probably so small it won't be much trouble rewriting some of it anyways.
            AzuMao
          • No! Really? Awesome!

            Now tell all the developers that.

            Adobe? Adobe?
            Wintel_BSOD
          • They already did.

            Just didn't bother with Windows because nobody uses it who cares about security.
            AzuMao
          • People Still use 32bit computers

            Because they can't afford a new computer and os every year. I'd love to get a win7 machine but I can't afford it.

            Security costs money. The span between the haves and the have-nots is growing.
            pmwpaul@...
        • Correct if wrong but aren't most programs designed for 32-bit only?

          1st off, I'm late on the subject matter. I have a 64bit proc in my HP laptop (used for betas and testing). I dual booted a 120gb hdd with Win7 32bit and 64bit, 60gb each partition. Installed all updates at that time to both. 1st thing I noticed was the lack of proper drivers for the 64bit.

          Once drivers were fixed, installed all required programs in the 32bit without a problem. I got to do the same thing to the 64bit Win7 and hit a wall. 70% of the programs needed weren't installable and a 64bit version doesn't exist.

          But like shadfurman said, virtual environment was a fix but silly in my case. So needless to say, I stuck with the 32bit version.
          c79ram
          • Eh?

            Even Windows has had 64 bit right since, like, 2005 (including drivers).

            And of course, everything in the Linux world has been 64 bit since way before then.
            AzuMao
      • Windows x64 still use a 32 bit browser by default

        ...mostly because of the lack of 64 bit Flash. Google Chrome, Firefox, Safari and IE are all 32 bit browsers on Windows. Which means that the address space is limited and thus susceptible to this weakness.

        (IE does come in a 64 bit version - but sans Flash).

        Note, this is not a *vulnerability* and much less an *exploit*. It is a way where an attacker in some cases may exploit a vulnerability which would otherwise be foiled by ASLR and DEP.
        honeymonster
        • Now THAT'S funny.

          Windows has worse Flash support than Linux now.. go figure. :p
          AzuMao
          • Could it be because Adobe 64-bit Flash

            is only available in alpha (not even beta) for Linux?

            [i]http://labs.adobe.com/technologies/flashplayer10/releasenotes_64bit.html
            Flash Player for 64-bit Linux Alpha Release Notes
            Updated: July 30, 2009

            These release notes document known issues related to the alpha versions of 64-bit Adobe® Flash® Player 10, code named "Astro". Release versions of 32-bit Flash Player 10 for Windows, Macintosh, and Linux platforms are now available from the Flash Player Download Center.

            The alpha refresh build of the 64-bit Flash Player 10 for Linux is version 10.0.32.18.

            Please uninstall any versions of Flash Player before updating your installation.[/i]

            Perhaps Adobe has a beta out now? Who knows? Hmmm, who cares? ;)

            As for Windows:

            Google: http://www.google.com/search?q=adobe+64+bit+flash
            Results 1 - 10 of about 13,100,000 for adobe 64 bit flash. (0.07 seconds)

            [i]http://kb2.adobe.com/cps/000/6b3af6c9.html
            Flash Player support on 64-bit operating systems
            Ratings:73 of 129 people found this helpful
            Issue

            --------------------------------------------------------------------------------
            Adobe Flash Player is not supported for playback in a 64-bit browser. However, you can run Flash Player in a 32-bit browser running on a 64-bit operating system.

            Reason

            --------------------------------------------------------------------------------
            Adobe is working on Flash Player support for 64-bit platforms as part of our ongoing commitment to the cross-platform compatibility of Flash Player. We expect to provide native support for 64-bit platforms in an upcoming release of Flash Player following the release of Flash Player 10.1.

            Note: To participate in pre-release testing of 64-bit Flash Players see Adobe Labs.

            Solution

            --------------------------------------------------------------------------------
            To use Flash Player to view Flash content on a 64-bit operating system, you must run a 32-bit browser. For details on setting this up for Windows see Microsoft Help & Support.

            For details on using Flash Player on Mac OS X 10.6 on 64-bit machines, see:
            Flash Player 10 and Mac OS X 10.6 (Snow Leopard)

            and

            GPU mode support on Macintosh OS X 10.6[/i]

            I guess the ball's in Adobe's court? Microsoft is ready! And has been ready for a long-long time now.

            Did you know the first version of a full 64-bit XP OS came out back in 2001? A full nine years ago? A bit ahead of its time eh? Yeah, there was a serious lack of native 64-bit device drivers back then... Nonetheless, that was NINE years ago!

            Of course, Adobe Flash wasn't ready either back then... Alas.

            Source: http://en.wikipedia.org/wiki/Windows_XP_editions

            [i]~~~~~~~~~~~
            Am I not destroying my enemies when I make friends of them?
            ~ Abraham Lincoln, 1809-1865, 16th President of the United States[/i]
            WinTard
          • Pretty damn good for an alpha, then.

            Also, none of those 13,100,000 results mention a 64bit version of Flash for Windows.

            And no, I never really looked into Itanic compatibility. Those chips are way out of the price range for anything but niche enterprise applications.
            AzuMao