Re: Anyone looked at the canary stack protection in Win2k3?

[Ivan Arce <ivan.arce () corest com>]

You might want to take a look at Gerardo Richarte's paper:
"Bypassing Stackshield and StackGuard protection"
http://www.coresecurity.com/common/showdoc.php?idx=242&idxseccion=11

Abstract:
Stack shielding technologies have been developed to protect programs against 
exploitation of stack based buffer overflows. Among different types of 
protections, we can separate two mayor groups. Those that modify the 
environment where applications are executed, for example PaX now integrated 
into the OpenWall project, and those that alter the way programs are 
compiled. We will focus on the last groups, specially in StackGuard, 
StackShield, and Microsoft's new stack smashing protection.

Techniques that exploit stack based buffer overflows on protected programs 
and environment have been presented in the past. Here we'll describe how the 
studied protections work, and then we'll present four more tricks to bypass 
stack smashing protections, some of which are extentions of older 
techniques, and some we think are novel.



Mark Feldman wrote:
> In-Reply-To: <000101c34eaa$ecf34a80$0101a8c0@gfserver>
>
> Hi thomas
> There is no need for a tool like IDA pro when you've got source code 
> available under your Visual C++ 7.0 CRT\SRC directory.
> The security check is enabled by adding the /GS option to the compiler's 
> command line.
>
> These two links will explain microsoft's stack smashing protection:
>
> http://std.dkuug.dk/JTC1/SC22/WG21/docs/papers/2003/n1462.pdf
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-
> us/dv_vstechart/html/vctchCompilerSecurityChecksInDepth.asp
>
>
> Regards,
> Mark Feldman <mkfeldman () myway com>
>
> > From: "Andrew Thomas" <andrew () generator co za>
> > To: <vuln-dev () lists securityfocus com>
> > Subject: Anyone looked at the canary stack protection in Win2k3?
> > Date: Sun, 20 Jul 2003 12:37:03 +0200
> >
> > I've looked a bit at a single disassembly that I got 
> > (IDA Pro) of the package. It's quite cute that MS have
> > started creating a 'fix' to reduce the probability
> > of programmatic errors in their code having as great
> > an impact as they could.
> >
> > Any comments on their canary generator? It seems to 
> > generate enough randomness, with use of:
> > GetSystemTimeAsFileTime
> > GetCurrentProcessId
> > GetCurrentThreadId
> > GetTickCount
> > QueryPerformanceCounter
> >
> > all nicely xor'ed together. But then again, I am not
> > an expert in these matters.