Dailydave mailing list archives
Re: ASLR+DEP = no problem. :>
From: dave <dave () immunityinc com>
Date: Thu, 04 Feb 2010 14:09:46 -0500
I know I'm annoying Spender by even replying, but this sort of thing is not dependent on Flash. It's simply a function of "Any JIT the attacker can pass data into will break DEP/ASLR". The only "solution" is to have every available JIT have defined entry points that the kernel enforces (which will prevent EIP from going into the middle of a JIT'd function). At that point you basically have "Determina" and you take a performance hit, which is what JIT is supposed to avoid.

Or you can turn all non-trusted code JITs off. Then it comes down to "what is trusted?" and "wow, my flash code runs really slow now" and all sorts of other hilarity.

You could, as you point out, move things out of the process. But there's a certain value to having things IN the process and not blocked by default. Netflix requires Silverlight which requires .Net which has a dynamic API that supports Eval(). Flash is technically the worst JIT to use for this since you can't use Eval() (or other dynamic techniques) to generate functions at runtime.

And it doesn't matter that Reader/Quicktime/.Net have DEP and ASLR enabled. Our Aurora exploit works on Windows 7, and DEP/ASLR was enabled. Nicolas Pouvesle (who led the team that worked on this here at Immunity) updated our version today to work on 32-bit IE on 64-bit Windows 7 - there's a lot of annoying little issues to work around here. But those issues aren't roadblocks. And if Flash gets annoying to work with, you can do this with VBScript or any JIT that is in the browser. You can use this on bugs for anything that sits in a process with a JIT - from Adobe Reader, to Java, to Flash to Word/PPT/XLS.

There's lots of ways to break DEP and ASLR. Information leakages are the best way really. But JITs help break DEP/ASLR too. In the end mitigations just buy the leading edge adopters a couple of years until the offensive research teams turn their attention to them.

Spender would say all this stuff is obvious, but we're happy to write exploit after exploit to demonstrate it anyways. :>

-dave

Moshe Ben Abu wrote:

> Yep, I agree with Thierry, once the technique is fixed - ASLR+DEP = big problem :(
>
> Past examples:
> - Java Virtual Machine Heap Spray > Java is out of process since 1.6.0u10.
> - Actionscript Heap Spray > Flash 10 got DEP and ASLR.
> - .NET User Control binary > Internet Explorer 8 RTM blocks it on Internet Zone.
>
> In addition, latest versions of Adobe Reader, QuickTime and .NET Framework got DEP and ASLR enabled too...
>
> On Thu, Feb 4, 2010 at 1:14 PM, Thierry Zoller <Thierry () zoller lu> wrote:
>
>> Hi,
>>
>> This -
>>> It does this by playing some very odd tricks with Flash's JIT compiler.
>> +
>>> In other words, ASLR and DEP are no longer the shield they once were.
>>
>> Doesn't compute. You are relying on oddities, fix the oddities and ASLR/DEP are back again.
>>
>> --
>> http://blog.zoller.lu
>> Thierry Zoller
>>
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave () lists immunitysec com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
> --
> Trancer
> Recognize-Security
> http://www.rec-sec.com