Impressing Girls with Vista Memory Protection Bypasses
mark August 7th, 2008
Hi there,
Alex Sotirov and I are presenting at BlackHat USA today on bypassing the Windows Vista memory protections in the context of the web browser in a speech titled "How to Impress Girls with Browser Memory Protection Bypasses". Specifically, we will be discussing how rich browser functionality can be utilized to help lessen the impact of memory protections (and in some cases, completely negate them). Some of the techniques we will be discussing are known ones, whereas others are new approaches that we haven’t seen discussed in public forums before.
We have written an extensive paper documenting how the various memory protections function, and how to break them. The paper that accompanies the speech is available here (we also have slides and code available). Some of the more interesting topic areas we will be covering include:
- "Stack Spraying", an alternative method to heap spraying with some additional benefits
- Exploiting poor permissions, such as Java’s RWX memory allocator, and
- Utilizing .NET binaries to map data at an attacker-controlled memory location with arbitrary page protections applied to that data.
Finally, we did some field testing and found that this kind of research does occasionally impress girls, but ongoing research in this area is needed. Therefore, Alex and I will continue this research, starting right here in Vegas. :)

Mark I’m really impressed, and I’m a girl! Let me know how the rest of this part of the research goes!
Captivating work fellas, just curious to know whether the .Net/Java exploits can be used on Linux to gain access to root.
wicked cool. Thank you for your research.
Microsoft: wise up.
So, any comments on the sensationalistic articles on the subject?
I mean notably a trainwreck of an article like:
http://www.neowin.net/news/main/08/08/08/vista39s-security-rendered-completely-useless-by-new-exploit
Followed of course by a veritable echo-chamber of the usual suspects, as well as a number of others:
http://osnews.com/story/20167/Vista_s_Security_Rendered_Completely_Useless_By_New_Exploit
http://www.gizmodo.com.au/2008/08/windows_vista_pwned_by_web_exploit_that_cant_be_stopped-2.html
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1324395,00.html
http://it.slashdot.org/article.pl?sid=08/08/08/1155208
Not that any of the above are ever terribly trustworthy, but it seems to me that as far as public understanding of security issues goes the press before the talk has done far more to confuse than to inform. As it stands the popular advice ranges from switching to XP for security, running Firefox instead, disabling DEP (!), and other things that in this context achieve very little other than trouble people. I imagine you guys didn’t have all that much say in the basic reporting, but if you did give out the initial info you might want to consider more carefully choosing what to announce next time.
Let me take care of the girls, so you guys can go on with your research without being distracted ;-)
Now without kidding.
When your findings have been verified by the "Big Guys", and I'm not referring to MS only, it will sure rock the OS world.
And maybe even the whole internet.
Paranoia everywhere.
Or am I over-exaggerating?
Nicely done! The art of memory mgmt never dies!
Too bad MS took VMS, made WNT and dropped 2 of the most precious layers of security; we could have avoided 20 years of exposure.
@mb: We didn’t have anything to do with any of those stories.
@mark Although, I think you do have a moral responsibility to state that they are, in fact, internet hilarious.
damn you mark dowd! you killed the interwebs again!
Where can I download source code?
good to see that SOMEBODY is doing their jobs.. (not microsoft)
I’m partly along in the paper, and I’ve got to call shenanigans on some of this. In particular, the gs4() function you provide as an example is highly contrived, and uses an internal buffer without any good need of having one. In fact, if one of my team presented me with that sort of brain-dead coding during a code review, I’d send him or her packing, along with a pair of flaming ears. How would your attack have fared against a properly-written gs4(), I’m wondering?
@Brook: Hey, thanks for your commentary. Alex actually wrote the part about GS, but I'll have a go at fielding this one I suppose :). I would agree that the example is somewhat contrived (although I have to say, I've seen code like this many times before..). He could perhaps have modified it slightly to make it more realistic, but it doesn't really matter - the point of the example was to demonstrate that integer arguments are not copied below local variables by GS, and hence can be overwritten. This is a pretty important limitation of the GS protections, and one that I have exploited a few times before. Whether the specific example is believable or not is neither here nor there - if you have a situation where you have a stack overflow and integer-based arguments, there might be the chance for exploitation.
Has anyone from MS been in contact with you? Do you plan to publish specifics about this? If so, when and in what forum?
Thanks, keep up the good work.
@Frank: We were in contact with MS before the speech and gave them advanced copies of our material. The specifics of the attacks we describe are published in the paper/slides linked from this blog.
Oh, crap. I’ve just got root on my Linux box…
Remember
There are two meanings. I fall into both. The code hacker, who lives to program and does it the hard way, and the system hacker, who loves finding exploitable features in systems to gain access, does so, notifies the sysadmin and patches the hole.