Jump to content
Tuts 4 You

DEP/ASLR Implementation Progress in Popular Third-party Windows Applications

Teddy Rogers

By Teddy Rogers

 Share

About This File

Vulnerabilities that corrupt memory typically result in the execution of arbitrary code by redirecting the program flow to a writable memory area containing instructions defined by an attacker.

DEP (Data Execution Prevention) is a generic defensive measure that prevents the execution of writable memory, first added to Windows in XP Service Pack 2 in August 2004. In a default configuration, Windows applications have to inform the operating system that they want DEP enabled in their context. The most popular method of enabling DEP on pre-Vista systems is a call to the "SetProcessDEPPolicy()" function. On Windows Vista and newer systems, an executable can communicate its DEP choice by simply setting the NX_COMPAT (0x100) flag in the "DllCharacteristics" field of a PE (Portable Executable).

While DEP renders the exploit development process more complex and time consuming, code execution can still be achieved by constructing a chain of function calls to fixed executable addresses inside the address space of the target process (technique known as "return-into-libc"). In order to encumber such techniques, ASLR (Address Space Layout Randomization) was introduced with the release of Windows Vista in early 2007. If a PE file has the DYNAMIC_BASE (0x40) flag set in its "DllCharacteristics" field, the address at which the PE is loaded is randomized on each system boot. This significantly lowers the chances for a return-into-libc attack to succeed. However, note that a single module for which ASLR is not applied can at times be enough for code execution to succeed. If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly, code execution being sometimes impossible to achieve in one attempt.

This paper intends to depict the evolution and current state of DEP and ASLR support in popular third-party Windows applications.

Windows XP SP3 and Windows 7, both running on a 32-bit platform, were used as testing environments. Sixteen of the most popular* third-party Windows applications were tested. Only applications, which had at least one memory corruption vulnerability publicly disclosed within the last two years, were chosen.

While performing ASLR compatibility tests, if DEP was found to be disabled in a tested application, code execution was considered achievable regardless of ASLR support. ASLR is, therefore, irrelevant in such cases and was not tested in detail.

 Share
Previous File An Approach Towards Disassembly of Malicious Binary Executables
Next File Efficient and Fine-grained Address Space Randomization

User Feedback

Recommended Comments

JMC31337

JMC31337 49

Posted (edited)

Interesting .. because with a x86 app running under WoW I can force the mem base of the loaded exe to 0x10000

this is mapped as RW but allows code execution as though RWX

First two images shows a typical standard dll characteristic which random mem maps 

C3B307CE-6243-4451-971C-CBF3C3EA26A9.jpeg.23919944b4fd6816aed9040470a52bae.jpeg

2B328B46-A057-4786-AB9B-26FAA61F4F35.jpeg.b6c78ef92266dc4b4d8fde7b2008baf6.jpeg

the other two I forced a dll characteristic of 0 and force it to 0x10000 and I can execute any opcode despite the RW mapping

662299D6-45FE-43A6-962C-759E379135C5.jpeg.0e60261ac0ced1964d17bdb1c5f6c6fc.jpeg

 

91C2B1C5-93F0-40AF-80F6-BC479199976F.jpeg.bc45e90b72f1dcca83dff02b4bcd03c4.jpeg

1) Since it is mapped as RW shouldnt DEP prevent any execution?
2) what is that first 0x10000 page called?

ive seen something about dos-compatibility but I’d like to know 


379F44FC-5736-4484-A94C-205FF9073762.jpeg.60f6fee52dbaa58882041dad37d7e0b0.jpeg

Edited by JMC31337
Link to comment
Share on other sites
JMC31337

JMC31337 49

Posted (edited)

And I just found out my GlobalAlloc API memory which is mapped in RW space also has RWE ability 

Update:

Apparently after setting DllCharacteristics in a PE file to 0 for x86 apps the first page 0x10000 is used as a heap... this heap from my fuzzing around is used by user32/imm32/gdi32full type dll

if i 00 out the entire region then any dll that loads which is not a user32-type dll (imm32, gdi32full, user32) will crash sometimes...

manually 00'ng out this heap and using x64dbg to manually load dll (symbols section) will reproduce the crash..

 other times the crash is continuable under the debugger..

crashes types seen: Heap corruption, Out of Mem, critical errors

 

Edited by JMC31337
Link to comment
Share on other sites
JMC31337

With updates as of Dec 1st, noticed the DllCharacteristics 0 trick will not work unless GlobalAlloc API memory is used... despite the GlobAlloc being RW mapped it’s still RWE capable {shrug}

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...