Bugtraq mailing list archives

Re: Is DEP easily evadable?

From: John Richard Moser <nigelenki () comcast net>
Date: Thu, 13 Jan 2005 13:40:27 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Florian Weimer wrote:

* John Richard Moser:

I'm no security expert, so bear with me here; I just kind of tripped
over something interesting that I'd like to ask about.

I was blogging about DEP based on MS' technical documentation and came
up with a quick and dirty way to use a buffer overflow (we'll assume no
stackguarding, or that you found a way around it i.e. using a format
string bug) to kick DEP out of the way.  This is pretty much based on
the PaX documentation and justification for mprotect() restrictions.



Look for return-into-libc exploits.  There are quite a few.

Even with non-executable stack and heap, no one guarantees that buffer
overflows aren't exploitable.  Randomization of load addresses is
intended to provide additional protection, but the number of available
bits is fairly low on 32 bit machines (problably less than 16).  I
don't know if Windows is doing it.


I don't see anything in the docs about it, but I don't have XP (I think
I have an XP license. . . yeah here it is, taped to the bottom of my
laptop; but I don't have a CD, and don't feel like finding . . what are
those things. . . a torrent of it)

PaX does pretty nice randomization.  I think 15/16 for heap and stack
and 24 for mmap(), though I could be overshooting the 24.  I'm on amd64
so I can't just run paxtest and see; though I could read the source code.

Also, there appears to be a UUDecode() function available! :)  Looks
like you might be able to do attacks with NULLs in the shellcode and such?

Oh well, I guess this is just redundant white noise then; I was just
struck dumb a bit when it appeared that HW-DEP provided nothing in the
way of real protection; I'm too used to security enhancements being real.


- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB5sCYhDd4aOud5P8RAn+VAKCKTEfka1sMzEdL9xliKEDJDsGxEgCgkFI4
ph+fJOcB0ELonMpX/Px2RxY=
=Mctm
-----END PGP SIGNATURE-----

Current thread:

Is DEP easily evadable? John Richard Moser (Jan 12)
- Re: Is DEP easily evadable? Florian Weimer (Jan 13)
  - Re: Is DEP easily evadable? John Richard Moser (Jan 13)
    - Re: Is DEP easily evadable? Ben Pfaff (Jan 13)
    - Re: Is DEP easily evadable? John Richard Moser (Jan 14)
    - Re: Is DEP easily evadable? Ben Pfaff (Jan 14)