Full Disclosure mailing list archives
Re: Internet Exploiter 2 - bypassing DEP
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Mon, 1 Mar 2010 21:19:57 -0500
Thanks SkyLined. I was confused a bit, but I held off writing anything till I understood it better. Getting back to the point I think you were trying to make, you imply that the 32-bit address space is insufficient for the randomization in ASLR. Actually, now don't they only use 256 randomization slots? The point of it is that if you're going to crash the system 255 out of 256 times, it's not worth attacking.

Larry Seltzer

From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Berend-Jan Wever
Sent: Monday, March 01, 2010 7:41 PM
To: Full-disclosure; bugtraq () securityfocus com
Subject: Re: [Full-disclosure] Internet Exploiter 2 - bypassing DEP

It seems my English is not as good as I thought, and I accidentally led Ryan Naraine <http://blogs.zdnet.com/security/?p=5573>, Larry Seltzer <http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/#comments> and probably others to come to conclusions such as that I released a weaponized 0-day that bypasses both ASLR+DEP in current versions of MSIE and Windows using a completely new technique, and that I did so as a Google employee. However, let me try to explain better and to correct any ambiguity I may have created in my first blog post:

- I have recently released an exploit that I developed in 2005 (before I was employed by either MS or Google).
- I am releasing this as an individual, as part of my new year's resolution <http://skypher.com/index.php/2010/01/02/new-years-resolutions/> to dump random stuff from my hard disk onto the tubes. (I have a personal interest in security outside of my work; every now and then I find enough time to work on and release stuff like this.)
- The exploit targets a bug that was fixed in 2005 <http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/advisory_msie_R6025.html.php>, which only affected MSIE 6.0 and earlier.
- The exploit shows how to implement the well-known ret-into-libc technique (using a heap spray) to bypass DEP.
- The exploit does not contain anything that is not already public, other than how to implement a ret-into-libc using a heap spray to exploit complex memory corruption bugs such as the DHTML race condition it targets.
- The exploit does not bypass ASLR.
- Using ret-into-libc to bypass DEP affects any application that has a vulnerability that allows an attacker to use a ret-into-libc attack; this is not MSIE specific.

I hope this helps clarify some things. But, not being a native English speaker, I may inadvertently have said things completely wrong again. I look forward to correcting my mistakes as they show up on other news sites in the future.

Cheers,
SkyLined

Berend-Jan Wever <berendjanwever () gmail com>
http://skypher.com/SkyLined

On Mon, Mar 1, 2010 at 4:51 PM, Berend-Jan Wever <berendjanwever () gmail com> wrote:

Hey all,

I released a version of my Internet Exploiter 2 exploit from 2005 that bypasses DEP. If you are familiar with my Internet Exploiter series of exploits and/or are interested in how to use heap-spraying to bypass DEP, you may like this:

http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/

Cheers,
SkyLined

Berend-Jan Wever <berendjanwever () gmail com>
http://skypher.com/SkyLined
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
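Editor's added example (not code from the thread, and not part of the Internet Exploiter 2 exploit). The thread's technical point is a heap spray used to make a ret-into-libc attack land without knowing exact heap addresses: the attacker fills many blocks with the same return address (or fake frame) repeated back to back, so that a fixed guessed address anywhere inside the sprayed region reads back the intended value. The program below models one sprayed block as a malloc'd buffer of repeated pointer-sized words and measures, over every byte offset in the block, how often a guess reads back the sprayed word. The two sprayed values are constructed for the demonstration: a "distinct-byte" word standing in for a real libc address, which only reads back correctly at word-aligned offsets, and a byte-repeating word such as 0x0c0c0c0c, which reads back correctly at every offset. That alignment independence is one reason byte-repeating values are the classic heap-spray choice; SPRAY_LEN, spray_fill, spray_read and spray_hit_rate are names introduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of one modelled sprayed block (constructed for the example). */
#define SPRAY_LEN 4096

/* Fill a block with one pointer-sized word repeated back to back, the
 * way a heap spray fills each block with the same return address. A
 * tail shorter than one word is left untouched. */
static void spray_fill(unsigned char *buf, size_t len, uintptr_t word)
{
    size_t i;
    for (i = 0; i + sizeof word <= len; i += sizeof word)
        memcpy(buf + i, &word, sizeof word);
}

/* What a guessed address reads back: the word at an arbitrary BYTE
 * offset into the block. No alignment is assumed, because the attacker
 * does not control where the block lands relative to the guess. */
static uintptr_t spray_read(const unsigned char *buf, size_t byte_off)
{
    uintptr_t w;
    memcpy(&w, buf + byte_off, sizeof w);
    return w;
}

/* Fraction of byte offsets at which the guess reads back the sprayed
 * word exactly. 1.0 means any guess inside the block works. */
static double spray_hit_rate(const unsigned char *buf, size_t len,
                             uintptr_t word)
{
    size_t off, hits = 0, tries = 0;
    for (off = 0; off + sizeof word <= len; off++) {
        tries++;
        if (spray_read(buf, off) == word)
            hits++;
    }
    return tries ? (double)hits / (double)tries : 0.0;
}

/* A word whose every byte is b: 0x0c0c0c0c on 32-bit, 0x0c0c0c0c0c0c0c0c
 * on 64-bit. Reading it at any byte offset of the spray gives the same
 * value back, since every rotation of the byte pattern is identical. */
static uintptr_t repeat_byte(unsigned char b)
{
    uintptr_t w = 0;
    size_t i;
    for (i = 0; i < sizeof w; i++)
        w = (w << 8) | b;
    return w;
}

/* Constructed stand-in for a real code address: bytes 0x11, 0x22, ...
 * are all distinct, so a read that is off by any number of bytes sees a
 * rotated, wrong pointer. */
static uintptr_t distinct_word(void)
{
    uintptr_t w = 0;
    size_t i;
    for (i = 0; i < sizeof w; i++)
        w = (w << 8) | (uintptr_t)(0x11 * (i + 1));
    return w;
}

/* Spray one fresh block twice and report both hit rates.
 * Returns 0 on success, -1 if the block could not be allocated. */
static int spray_demo(double *distinct_rate, double *repeated_rate)
{
    unsigned char *blk = malloc(SPRAY_LEN);
    if (!blk)
        return -1;

    spray_fill(blk, SPRAY_LEN, distinct_word());
    *distinct_rate = spray_hit_rate(blk, SPRAY_LEN, distinct_word());

    spray_fill(blk, SPRAY_LEN, repeat_byte(0x0c));
    *repeated_rate = spray_hit_rate(blk, SPRAY_LEN, repeat_byte(0x0c));

    free(blk);
    return 0;
}

int main(void)
{
    double d = 0.0, r = 0.0;
    if (spray_demo(&d, &r) != 0)
        return 1;
    printf("word size %zu bytes\n", sizeof(uintptr_t));
    printf("distinct-byte spray: hit rate %.4f (about 1/%zu)\n",
           d, sizeof(uintptr_t));
    printf("byte-repeating spray: hit rate %.4f\n", r);
    return 0;
}
```

Usage: compile with any C99 compiler (for example `cc -std=c99 spray.c -o spray`) and run. The distinct-byte spray only succeeds for the one offset in sizeof(void *) that happens to be word-aligned with the guess, which is why a spray of a real function address has to be laid out so the guessed address falls on a word boundary; the byte-repeating spray succeeds at every offset, which is the property the classic 0x0c0c0c0c-style spray addresses rely on.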
Current thread:
- Internet Exploiter 2 - bypassing DEP Berend-Jan Wever (Mar 01)
- Re: Internet Exploiter 2 - bypassing DEP Berend-Jan Wever (Mar 01)
- Re: Internet Exploiter 2 - bypassing DEP Larry Seltzer (Mar 01)
- Re: Internet Exploiter 2 - bypassing DEP Berend-Jan Wever (Mar 01)