[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <9B9E7EA67E1B1342B2D25F3FD1B32930034A888B@BE35.exg3.exghost.com>
Date: Mon, 1 Mar 2010 21:19:57 -0500
From: "Larry Seltzer" <larry@...ryseltzer.com>
To: "Berend-Jan Wever" <berendjanwever@...il.com>,
"Full-disclosure" <full-disclosure@...ts.grok.org.uk>,
<bugtraq@...urityfocus.com>
Subject: Re: Internet Exploiter 2 - bypassing DEP
Thanks SkyLined. I was confused a bit but I held off writing anything
till I understood it better.
Getting back on to the point I think you were trying to make, you imply
that 32-bit address space is insufficient for the randomization in ASLR.
Actually now don't they only use 256 randomization slots? The point of
it is that if you're going to crash the system 255 out of 256 times it's
not worth attacking.
Larry Seltzer
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
Berend-Jan Wever
Sent: Monday, March 01, 2010 7:41 PM
To: Full-disclosure; bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Internet Exploiter 2 - bypassing DEP
It seems my English is not as good as I thought and I accidentally led
Ryan Naraine <http://blogs.zdnet.com/security/?p=5573> , Larry Seltzer
<http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/#comme
nts> and probably others to come to conclusions such as that I released
a weaponized 0-day that bypasses both ASLR+DEP in current versions of
MSIE and Windows using a completely new technique and that I did so as a
Google employee.
However, let me try to explain better and to correct any ambiguity I may
have created in my first blog post:
- I have recently released an exploit that I developed in 2005 (before I
was employed by either MS or Google).
- I am releasing this as an individual as part of my new-years
resolution
<http://skypher.com/index.php/2010/01/02/new-years-resolutions/> to
dump random stuff from my harddisk onto the tubes. (I have a personal
interest in security outside of my work, every now and then I find
enough time to work on and release stuff like this).
- The exploit targets a bug that was fixed in 2005
<http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/ad
visory_msie_R6025.html.php> , that only affected MSIE 6.0 and earlier.
- The exploit shows how to implement the well known ret-into-libc
technique (using a heap spray) to bypass DEP.
- The exploit does not contain anything that is not already public,
other than how to implement a ret-into-libc using a heap-spray to
exploit complex memory corruption bugs such as the DHTML race condition
it targets.
- The exploit does not bypass ASLR.
- Using ret-into-libc to bypass DEP affects any application that has a
vulnerability that allows an attacker to use a ret-into-libc attack -
this is not MSIE specific.
I hope this helps clarify some things. But, not being a native English
speaker, I may inadvertently have said things completely wrong again. I
look forward to correcting my mistakes as they show up on other news
sites in the future.
Cheers,
SkyLined
Berend-Jan Wever <berendjanwever@...il.com>
http://skypher.com/SkyLined
On Mon, Mar 1, 2010 at 4:51 PM, Berend-Jan Wever
<berendjanwever@...il.com> wrote:
Hey all,
I released a version of my Internet Exploiter 2 exploit from 2005 that
bypasses DEP. If you are familiar with my Internet Exploiter series of
exploits and/or are interested in how to use heap-spraying to bypass
DEP, you may like this:
http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/
Cheers,
SkyLined
Berend-Jan Wever <berendjanwever@...il.com>
http://skypher.com/SkyLined
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists