lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <432498141.20070402170639@Zoller.lu>
Date: Mon, 2 Apr 2007 17:06:39 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows .ANI LoadAniIcon Stack Overflow

Dear Larry,

You are a stubborn guy are you? _Again_, I am not talking Software DEP
but Hardware-enforced DEP. Read: 2 different things.

This is my last email within this regard, I see no point in trying to
give you further information that might help you estimate risk, as you
seem resistant to help or pointers beyond your comprehension or
current believe.

You reference the correct page but then completely miss the point,
please read the page entirely. Your pasted information related to
software DEP not Hardware enforced DEP (which is NX bit)

Quote (wiki) :
If the x86 processor supports this feature in hardware, then the NX features
are turned on automatically in Windows XP/Server 2003 by default. If the
feature is not supported by the x86 processor, then no protection is given.

"Software DEP" is unrelated to the NX bit, and is what Microsoft calls
their enforcement of Safe Structured Exception Handling. Software DEP/SafeSEH
simply checks when an exception is thrown to make sure that the exception is
registered in a function table for the application, and requires the program
to be built with it. This is likely a countermeasure to handle an exploit
possible because of the way DEP handles NX faults; while most other
technologies simply terminate the program unquestioningly, DEP raises
an exception. It is not possible for a program to truly recover from
an attack because program flow is destroyed in an unrecoverable manner.


On the very same MS you reference page :

Hardware-enforced DEP
Hardware-enforced DEP marks all memory locations in a process as non-executable unless the location explicitly contains executable code.
A class of attacks exists that tries to insert and run code from non-executable memory locations. DEP helps prevent these attacks by
intercepting them and raising an exception.

Hardware-enforced DEP relies on processor hardware to mark memory with an attribute that indicates that code should not be executed
from that memory. DEP functions on a per-virtual memory page basis, and DEP typically changes a bit in the page table entry (PTE)
to mark the memory page.

Processor architecture determines how DEP is implemented in hardware and how DEP marks the virtual memory page. However,
processors that support hardware-enforced DEP can raise an exception when code is executed from a page that is marked with
the appropriate attribute set.

Advanced Micro Devices (AMD) and Intel have defined and shipped Windows-compatible architectures that are compatible with DEP.

Beginning with Windows XP SP2, the 32-bit version of Windows uses one of the following:
•       The no-execute page-protection (NX) processor feature as defined by AMD.
•       The Execute Disable Bit (XD) feature as defined byIntel.


List of CPUS with NX bit (curtosy of Wikipedia)
    * AMD Athlon 64
    * AMD Athlon 64 X2
    * AMD Athlon 64 FX
    * AMD Opteron
    * AMD Sempron (ab Paris)
    * AMD Turion 64
    * AMD Turion 64 X2
    * Intel Celeron D
    * Intel Celeron M (ab Dothan-Kern)
    * Intel Core Duo
    * Intel Core Solo
    * Intel Core 2 Duo
    * Intel Core 2 Extreme
    * Intel Pentium 4 (ab Prescott F/J-Typ)
    * Intel Pentium D
    * Intel Pentium Extreme Edition
    * Intel Pentium M (ab Dothan, neuere Modelle)
    * Transmeta Efficeon
    * VIA C7

That said, Michal Majchrowicz pointed out return-to-libc style still
works with DEP enabled, yes, but what about ASLR activated in Vista?

Anyways, George already tested it, can somebody else confirm whether
this is an issue or non-issue on Vista with NX capable CPUs?


-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ