Jump to content
Tuts 4 You

DEP/ASLR Implementation Progress in Popular Third-party Windows Applications

Sign in to follow this  

Teddy Rogers

About This File

Vulnerabilities that corrupt memory typically result in the execution of arbitrary code by redirecting the program flow to a writable memory area containing instructions defined by an attacker.

DEP (Data Execution Prevention) is a generic defensive measure that prevents the execution of writable memory, first added to Windows in XP Service Pack 2 in August 2004. In a default configuration, Windows applications have to inform the operating system that they want DEP enabled in their context. The most popular method of enabling DEP on pre-Vista systems is a call to the "SetProcessDEPPolicy()" function. On Windows Vista and newer systems, an executable can communicate its DEP choice by simply setting the NX_COMPAT (0x100) flag in the "DllCharacteristics" field of a PE (Portable Executable).

While DEP renders the exploit development process more complex and time consuming, code execution can still be achieved by constructing a chain of function calls to fixed executable addresses inside the address space of the target process (technique known as "return-into-libc"). In order to encumber such techniques, ASLR (Address Space Layout Randomization) was introduced with the release of Windows Vista in early 2007. If a PE file has the DYNAMIC_BASE (0x40) flag set in its "DllCharacteristics" field, the address at which the PE is loaded is randomized on each system boot. This significantly lowers the chances for a return-into-libc attack to succeed. However, note that a single module for which ASLR is not applied can at times be enough for code execution to succeed. If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly, code execution being sometimes impossible to achieve in one attempt.

This paper intends to depict the evolution and current state of DEP and ASLR support in popular third-party Windows applications.

Windows XP SP3 and Windows 7, both running on a 32-bit platform, were used as testing environments. Sixteen of the most popular* third-party Windows applications were tested. Only applications, which had at least one memory corruption vulnerability publicly disclosed within the last two years, were chosen.

While performing ASLR compatibility tests, if DEP was found to be disabled in a tested application, code execution was considered achievable regardless of ASLR support. ASLR is, therefore, irrelevant in such cases and was not tested in detail.




User Feedback

Recommended Comments

JMC31337

Posted (edited)

Interesting .. because with a x86 app running under WoW I can force the mem base of the loaded exe to 0x10000

this is mapped as RW but allows code execution as though RWX

First two images shows a typical standard dll characteristic which random mem maps 

C3B307CE-6243-4451-971C-CBF3C3EA26A9.jpeg.23919944b4fd6816aed9040470a52bae.jpeg

2B328B46-A057-4786-AB9B-26FAA61F4F35.jpeg.b6c78ef92266dc4b4d8fde7b2008baf6.jpeg

the other two I forced a dll characteristic of 0 and force it to 0x10000 and I can execute any opcode despite the RW mapping

662299D6-45FE-43A6-962C-759E379135C5.jpeg.0e60261ac0ced1964d17bdb1c5f6c6fc.jpeg

 

91C2B1C5-93F0-40AF-80F6-BC479199976F.jpeg.bc45e90b72f1dcca83dff02b4bcd03c4.jpeg

1) Since it is mapped as RW shouldnt DEP prevent any execution?
2) what is that first 0x10000 page called?

ive seen something about dos-compatibility but I’d like to know 


379F44FC-5736-4484-A94C-205FF9073762.jpeg.60f6fee52dbaa58882041dad37d7e0b0.jpeg

Edited by JMC31337 (see edit history)

Share this comment


Link to comment
Share on other sites
JMC31337

Posted

And I just found out my GlobalAlloc API memory which is mapped in RW space also has RWE ability 

Share this comment


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...