| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Apr 2007 10:05:19 -0700
From: "George Ou" <george_ou@...architect.net>
To: "'Thierry Zoller'" <Thierry@...ler.lu>, <full-disclosure@...ts.grok.org.uk>
Subject: Re: Windows .ANI LoadAniIcon Stack Overflow
" You reference the correct page but then completely miss the point, please
read the page entirely. Your pasted information related to software DEP not
Hardware enforced DEP (which is NX bit)
Quote (wiki) :
If the x86 processor supports this feature in hardware, then the NX features
are turned on automatically in Windows XP/Server 2003 by default. If the
feature is not supported by the x86 processor, then no protection is given."
Thierry,
That wiki quote is very vague. I'm telling you for a fact that DEP is
mostly turned off in Windows XP and Vista by default. It's only turned on
for a few "essential windows programs and services" and that excludes things
like Internet Explorer which is unfortunate since hardware-enforced DEP has
blocked nearly all of the generic zero-day exploits in Internet Explorer.
This is why I have always recommended that people fully enable DEP
protection and use hardware that supports NX/XD.
George
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Thierry
Zoller
Sent: Monday, April 02, 2007 8:07 AM
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
Dear Larry,
You are a stubborn guy are you? _Again_, I am not talking Software DEP
but Hardware-enforced DEP. Read: 2 different things.
This is my last email within this regard, I see no point in trying to
give you further information that might help you estimate risk, as you
seem resistant to help or pointers beyond your comprehension or
current believe.
You reference the correct page but then completely miss the point,
please read the page entirely. Your pasted information related to
software DEP not Hardware enforced DEP (which is NX bit)
Quote (wiki) :
If the x86 processor supports this feature in hardware, then the NX features
are turned on automatically in Windows XP/Server 2003 by default. If the
feature is not supported by the x86 processor, then no protection is given.
"Software DEP" is unrelated to the NX bit, and is what Microsoft calls
their enforcement of Safe Structured Exception Handling. Software
DEP/SafeSEH
simply checks when an exception is thrown to make sure that the exception is
registered in a function table for the application, and requires the program
to be built with it. This is likely a countermeasure to handle an exploit
possible because of the way DEP handles NX faults; while most other
technologies simply terminate the program unquestioningly, DEP raises
an exception. It is not possible for a program to truly recover from
an attack because program flow is destroyed in an unrecoverable manner.
On the very same MS you reference page :
Hardware-enforced DEP
Hardware-enforced DEP marks all memory locations in a process as
non-executable unless the location explicitly contains executable code.
A class of attacks exists that tries to insert and run code from
non-executable memory locations. DEP helps prevent these attacks by
intercepting them and raising an exception.
Hardware-enforced DEP relies on processor hardware to mark memory with an
attribute that indicates that code should not be executed
from that memory. DEP functions on a per-virtual memory page basis, and DEP
typically changes a bit in the page table entry (PTE)
to mark the memory page.
Processor architecture determines how DEP is implemented in hardware and how
DEP marks the virtual memory page. However,
processors that support hardware-enforced DEP can raise an exception when
code is executed from a page that is marked with
the appropriate attribute set.
Advanced Micro Devices (AMD) and Intel have defined and shipped
Windows-compatible architectures that are compatible with DEP.
Beginning with Windows XP SP2, the 32-bit version of Windows uses one of the
following:
The no-execute page-protection (NX) processor feature as defined by
AMD.
The Execute Disable Bit (XD) feature as defined byIntel.
List of CPUS with NX bit (curtosy of Wikipedia)
* AMD Athlon 64
* AMD Athlon 64 X2
* AMD Athlon 64 FX
* AMD Opteron
* AMD Sempron (ab Paris)
* AMD Turion 64
* AMD Turion 64 X2
* Intel Celeron D
* Intel Celeron M (ab Dothan-Kern)
* Intel Core Duo
* Intel Core Solo
* Intel Core 2 Duo
* Intel Core 2 Extreme
* Intel Pentium 4 (ab Prescott F/J-Typ)
* Intel Pentium D
* Intel Pentium Extreme Edition
* Intel Pentium M (ab Dothan, neuere Modelle)
* Transmeta Efficeon
* VIA C7
That said, Michal Majchrowicz pointed out return-to-libc style still
works with DEP enabled, yes, but what about ASLR activated in Vista?
Anyways, George already tested it, can somebody else confirm whether
this is an issue or non-issue on Vista with NX capable CPUs?
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists