Dailydave mailing list archives

Re: The sky's downward trajectory


From: "George Ou" <george_ou () lanarchitect net>
Date: Sun, 18 Feb 2007 04:01:12 -0800

DEP is normally only activated for critical system components and left off
for all applications including MS Office and Internet Explorer.  From what I
understand from past experience, Hardware-enforced DEP if enabled has
defeated every zero-day flaw for IE in the past year (at least the ones that
were in the wild) but didn't help against the MS Office exploits (at least
according to Microsoft).  Can these techniques you speak of defeat
hardware-enforced DEP in most or all cases?

George Ou

From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave Aitel
Sent: Saturday, February 17, 2007 7:10 PM
To: dailydave () lists immunitysec com
Subject: [Dailydave] The sky's downward trajectory


http://www.fcw.com/article97658-02-13-07-Web&printLayout
"""
Current U.S. cyber warfare strategy is dysfunctional, said Gen. James
Cartwright, commander of the Strategic Command (Stratcom), in a speech at
the Air Warfare Symposium in Orlando, Fla., last week. Offensive, defensive
and reconnaissance efforts among U.S. cyber forces are incompatible and
don't communicate with one another, resulting in a disjointed effort,
Cartwright said.
...
"They will exploit anything and everything," the senior official said,
referring to the Chinese hackers' strategy. And although it is impossible to
confirm the involvement of China's government, the attacks are so
deliberate, "it's hard to believe it's not government-driven," the official
said.
...
Gen. Ronald Keys, commander of Air Combat Command, told reporters at the
conference that current policies prevent the United States from pursuing
cyberthreats based in foreign countries. Technology has outpaced policy in
cyberspace, he said.

The United States should take more aggressive measures against foreign
hackers and Web sites that help others attack government systems, Keys said.
It may take a cyber version of the 2001 terrorist attacks for the country to
realize it must re-examine its approach to cyber warfare, he added.
"""

If you go into the Forbidden City, in the heart of Beijing, and walk into
the museum exhibits you will see a few preserved suits of silk armor, along
with swords, halberds, and various other Dungeons and Dragons style
weaponry. If you know what a halberd is, you probably, like me, didn't get
invited to the cool parties in high school. Let's just say it's a big stick
with an ax on top. Anyways, some of the displays have a little printed
notice of what they are, translated into English. Usually they say something
like this "Example of a few halberds used by Such and Such. This weaponry
was no match for western guns used at the time". I got the feeling the whole
exhibit was a "Memorandum to self: invest in technology immediately and
continue for next couple hundred years." 

Picking the technology to invest in is, of course, quite difficult. From
many perspectives, I'm sure, Immunity's investments would seem insane. For
example, Immunity Debugger is quite a strange thing to put so much emphasis
in, right when DEP and other protective technologies are making remote
buffer overflows a thing of the past. There are, of course, perfectly usable
free debuggers. 

Yesterday, before most of Immunity went bowling (like all hackers, we're
extremely athletic), Nico was showing me the "defeat dep" Immunity Debugger
script. You type "!defeatdep" and then it has a little wizard you go through
and then you've got a buffer that will do the return into libc trick to
defeat DEP. Simple and easy! It's part of an "Advanced Windows Overflows"
class we're teaching all next week. Nico's Immunity Debugger !heap script
allows you to do all sorts of tricks with heaps - and to defeat the next
generation of heap protection, you're going to need all of it, plus some
luck. Kostya's "!safeseh" script does various neat things around that as
well. None of the free debuggers allow you to do this stuff, but none of the
free debuggers are specifically for exploit development either. 

One facet of an asymmetric attack is to appear to have a disjointed effort
but yet have an emergent strategic behavior that can topple an enemy. This
is something I'm sure Gen. James Cartwright knows well. In Immunity's case,
this enemy is DEP, SafeSEH, and related technologies - and only a couple
days after Microsoft Tuesday we've released an exploit for MS07-007 that
works regardless of DEP on XP SP2. Just a thought. 


-dave
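George's question turns on the system-wide DEP policy: on XP SP2 and later the default is OptIn, which covers Windows system binaries but not IE or Office. The script below is an added example for checking that policy on a modern Windows host; it is not part of this thread or of Immunity's tooling. It assumes the CIM cmdlets (Windows 8 / Server 2012 or later) and reads the documented DataExecutionPrevention_* properties of Win32_OperatingSystem; the bcdedit line it prints is the standard way to move the host to OptOut and is only suggested, not executed.

```powershell
# Added example (not from the Dailydave thread): audit the machine-wide DEP policy.
# Assumes: Windows with the CIM cmdlets; bcdedit available for the suggested change.

# Documented meanings of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$PolicyNames = @{
    0 = 'AlwaysOff (DEP disabled for all processes)'
    1 = 'AlwaysOn  (DEP enforced for all processes, no exceptions)'
    2 = 'OptIn     (DEP only for Windows system components; the default George describes)'
    3 = 'OptOut    (DEP for all processes except an explicit exception list)'
}

function Get-DepPolicy {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available      # NX/XD present and enabled
        PolicyCode           = [int]$os.DataExecutionPrevention_SupportPolicy
        Policy               = $PolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        DepFor32BitApps      = $os.DataExecutionPrevention_32BitApplications
        DepForDrivers        = $os.DataExecutionPrevention_Drivers
    }
}

$dep = Get-DepPolicy
$dep | Format-List

if (-not $dep.HardwareDepAvailable) {
    Write-Warning 'Hardware-enforced DEP is not available (no NX/XD, or it is disabled in firmware).'
}
elseif ($dep.PolicyCode -in @(0, 2)) {
    # AlwaysOff or OptIn: browsers, Office and other user applications run without DEP.
    Write-Warning 'User-mode applications such as IE and Office are NOT covered by DEP under this policy.'
    Write-Host    'To cover every process except an explicit exception list (admin shell, reboot required):'
    Write-Host    '    bcdedit /set {current} nx OptOut'
}
else {
    Write-Host 'DEP policy already covers user-mode applications.'
}
```

Run it from an elevated PowerShell prompt so the CIM query and, if you decide to apply it, the bcdedit change both succeed. Note that OptOut still lets individual binaries be excluded, so a follow-up check of the exception list (System Properties, Performance, Data Execution Prevention) is worthwhile on hosts where the policy has been OptOut for a long time.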

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave