[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <432498141.20070402170639@Zoller.lu>
Date: Mon, 2 Apr 2007 17:06:39 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows .ANI LoadAniIcon Stack Overflow
Dear Larry,
You are a stubborn guy are you? _Again_, I am not talking Software DEP
but Hardware-enforced DEP. Read: 2 different things.
This is my last email within this regard, I see no point in trying to
give you further information that might help you estimate risk, as you
seem resistant to help or pointers beyond your comprehension or
current believe.
You reference the correct page but then completely miss the point,
please read the page entirely. Your pasted information related to
software DEP not Hardware enforced DEP (which is NX bit)
Quote (wiki) :
If the x86 processor supports this feature in hardware, then the NX features
are turned on automatically in Windows XP/Server 2003 by default. If the
feature is not supported by the x86 processor, then no protection is given.
"Software DEP" is unrelated to the NX bit, and is what Microsoft calls
their enforcement of Safe Structured Exception Handling. Software DEP/SafeSEH
simply checks when an exception is thrown to make sure that the exception is
registered in a function table for the application, and requires the program
to be built with it. This is likely a countermeasure to handle an exploit
possible because of the way DEP handles NX faults; while most other
technologies simply terminate the program unquestioningly, DEP raises
an exception. It is not possible for a program to truly recover from
an attack because program flow is destroyed in an unrecoverable manner.
On the very same MS you reference page :
Hardware-enforced DEP
Hardware-enforced DEP marks all memory locations in a process as non-executable unless the location explicitly contains executable code.
A class of attacks exists that tries to insert and run code from non-executable memory locations. DEP helps prevent these attacks by
intercepting them and raising an exception.
Hardware-enforced DEP relies on processor hardware to mark memory with an attribute that indicates that code should not be executed
from that memory. DEP functions on a per-virtual memory page basis, and DEP typically changes a bit in the page table entry (PTE)
to mark the memory page.
Processor architecture determines how DEP is implemented in hardware and how DEP marks the virtual memory page. However,
processors that support hardware-enforced DEP can raise an exception when code is executed from a page that is marked with
the appropriate attribute set.
Advanced Micro Devices (AMD) and Intel have defined and shipped Windows-compatible architectures that are compatible with DEP.
Beginning with Windows XP SP2, the 32-bit version of Windows uses one of the following:
The no-execute page-protection (NX) processor feature as defined by AMD.
The Execute Disable Bit (XD) feature as defined byIntel.
List of CPUS with NX bit (curtosy of Wikipedia)
* AMD Athlon 64
* AMD Athlon 64 X2
* AMD Athlon 64 FX
* AMD Opteron
* AMD Sempron (ab Paris)
* AMD Turion 64
* AMD Turion 64 X2
* Intel Celeron D
* Intel Celeron M (ab Dothan-Kern)
* Intel Core Duo
* Intel Core Solo
* Intel Core 2 Duo
* Intel Core 2 Extreme
* Intel Pentium 4 (ab Prescott F/J-Typ)
* Intel Pentium D
* Intel Pentium Extreme Edition
* Intel Pentium M (ab Dothan, neuere Modelle)
* Transmeta Efficeon
* VIA C7
That said, Michal Majchrowicz pointed out return-to-libc style still
works with DEP enabled, yes, but what about ASLR activated in Vista?
Anyways, George already tested it, can somebody else confirm whether
this is an issue or non-issue on Vista with NX capable CPUs?
--
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists