Full Disclosure mailing list archives

Re: Internet Exploiter 2 - bypassing DEP


From: "Larry Seltzer" <larry () larryseltzer com>
Date: Mon, 1 Mar 2010 21:19:57 -0500

Thanks SkyLined. I was confused a bit but I held off writing anything
till I understood it better.


Getting back on to the point I think you were trying to make, you imply
that 32-bit address space is insufficient for the randomization in ASLR.
Actually now don't they only use 256 randomization slots? The point of
it is that if you're going to crash the system 255 out of 256 times it's
not worth attacking.


Larry Seltzer


From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of
Berend-Jan Wever
Sent: Monday, March 01, 2010 7:41 PM
To: Full-disclosure; bugtraq () securityfocus com
Subject: Re: [Full-disclosure] Internet Exploiter 2 - bypassing DEP


It seems my English is not as good as I thought and I accidentally led
Ryan Naraine <http://blogs.zdnet.com/security/?p=5573>, Larry Seltzer
<http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/#comments>
and probably others to come to conclusions such as that I released
a weaponized 0-day that bypasses both ASLR+DEP in current versions of
MSIE and Windows using a completely new technique and that I did so as a
Google employee.


However, let me try to explain better and to correct any ambiguity I may
have created in my first blog post:

- I have recently released an exploit that I developed in 2005 (before I
was employed by either MS or Google).

- I am releasing this as an individual as part of my new-year's
resolution <http://skypher.com/index.php/2010/01/02/new-years-resolutions/>
to dump random stuff from my hard disk onto the tubes. (I have a personal
interest in security outside of my work; every now and then I find
enough time to work on and release stuff like this.)

- The exploit targets a bug that was fixed in 2005
<http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/advisory_msie_R6025.html.php>,
that only affected MSIE 6.0 and earlier.

- The exploit shows how to implement the well-known ret-into-libc
technique (using a heap spray) to bypass DEP.


- The exploit does not contain anything that is not already public,
other than how to implement a ret-into-libc using a heap-spray to
exploit complex memory corruption bugs such as the DHTML race condition
it targets.

- The exploit does not bypass ASLR.

- Using ret-into-libc to bypass DEP affects any application that has a
vulnerability that allows an attacker to use a ret-into-libc attack;
this is not MSIE specific.


I hope this helps clarify some things. But, not being a native English
speaker, I may inadvertently have said things completely wrong again. I
look forward to correcting my mistakes as they show up on other news
sites in the future.


Cheers,

SkyLined


Berend-Jan Wever <berendjanwever () gmail com>
http://skypher.com/SkyLined




On Mon, Mar 1, 2010 at 4:51 PM, Berend-Jan Wever
<berendjanwever () gmail com> wrote:

Hey all,


I released a version of my Internet Exploiter 2 exploit from 2005 that
bypasses DEP. If you are familiar with my Internet Exploiter series of
exploits and/or are interested in how to use heap-spraying to bypass
DEP, you may like this:

http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/


Cheers,

SkyLined


Berend-Jan Wever <berendjanwever () gmail com>
http://skypher.com/SkyLined


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/