address space layout randomization
Monitor makes memory pages mapped above the 2GB available with read or
read/write access to user-space programs running in a Guest operating
system. By leveraging this vulnerability it is possible to bypass
security mechanisms of the operating system such as Data Execution
Prevention (DEP) [1], Safe Structured Error Handling (SafeSEH) [2] and
Address Space Layout Randomization (ASLR) [3] designed to prevent
exploitation of security bugs in applications running on Windows
operating systems.
Thus applications with bugs that are not exploitable when running in
non-virtualized operating systems become exploitable if running within a
II. Overview
During an audit of the memcached v1.2.7 source code, it was
found that the software divulges its stack, heap, and shared library
memory locations. This effectively disables address space layout
randomization (ASLR) [5] protection, making potential buffer overflow
vulnerabilities much easier to exploit. The same behavior exists in
MemcacheDB v1.2.0.
code with the privileges of the process using libclamav. In the case of
the clamd program, this will result in code execution with the
privileges of the clamav user. Unsuccessful exploitation results in the
clamd process crashing.
Address Space Layout Randomization (ASLR) and non-executable memory
protection technologies (such as DEP, NX, XD, PaX, etc) can help
mitigate exploitation of this type of vulnerability.
IV. DETECTION
1. This address is constant across all versions of Windows.
2. The attacker can write code and data to this address.
3. Code at this address is readable and executable.
A global variable in Alien Arena's executable would be ideal for this situation
since the Alien Arena developers did not link this executable for ASLR or DEP.
Since it's a global variable and ASLR is disabled, the address will remain
constant across all versions of Windows for this version of Alien Arena, and
since DEP is not enabled, its content is executable.
When the client receives a UDP packet on port 27901 that specifies a list of
Summarizing, the system protections are:
- Non executable stack/heap,...
- Random stack/heap base address
- ASLR (Address Space Layout Randomization)
- ASCII Armor (libraries mapped under 16MB, so null byte in its address)
- CPSHELL - a hardened shell that only allows running specific commands and a very restricted sub-range of ASCII chars.
Even if we are not reinventing the wheel, I honestly think that the exploitation scenario is far from "comfortable"... At the end a P.o.C. exploit has been released for those who want to check that the vulnerability is really exploitable.
maliciously crafted .atp and .wrf files to a vulnerable WebEx user. When
opened, these files trigger a reliably exploitable stack based buffer
overflow. Code execution is trivially achieved on the .wrf case because
WebEx Player allocates a function pointer on the stack that is
periodically used in what seems to be a callback mechanism, and also
because DEP and ASLR are not enabled. In the .atp case an exception
handler can be overwritten on the stack, and most registers can be
trivially overwritten.
4. *Vulnerable packages*
The personality subsystem in the Linux kernel has a PER_CLEAR_ON_SETID
setting that does not clear the ADDR_COMPAT_LAYOUT and MMAP_PAGE_ZERO
flags when executing a setuid or setgid program, which makes it
easier for local users to leverage the details of memory usage to (1)
conduct NULL pointer dereference attacks, (2) bypass the mmap_min_addr
protection mechanism, or (3) defeat address space layout randomization
(ASLR). (CVE-2009-1895)
The load_flat_shared_library function in fs/binfmt_flat.c in the
flat subsystem in the Linux kernel allows local users to cause a
denial of service (NULL pointer dereference and system crash) or
CVE-2011-0726
Kees Cook reported an issue in the /proc/pid/stat implementation. Local
users could learn the text location of a process, defeating protections
provided by address space layout randomization (ASLR).
CVE-2011-1010
Timo Warns reported an issue in the Linux support for Mac partition tables.
Local users with physical access could cause a denial of service (panic)
15220d08 70785c5c // DLL UNC PATH "\\xpl8.nu\1"
15220d0c 6e2e386c
15220d10 00315c75
Data is sprayed in such a manner that we know that, despite ASLR, at
0xXXXXX020, 0xXXXXX420, 0xXXXXX820, 0xXXXXXc20 our block can be located.
As you can see a couple of gadgets are used, since this is a ROP
exploit; however, esp is not controlled at all. I'm taking advantage of
common code generated by C++ compilers to control parameters and execution.
Stack-based buffer overflow in the parse_tag_11_packet function in
fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel
before 2.6.30.4 allows local users to cause a denial of service
(system crash) or possibly gain privileges via vectors involving a
Starring
Xen 3.2.0, DomU (an ordinary virtual machine, paravirtualized),
Dom0 (privileged administrative domain) running on FC8 with NX,
ASLR and SELinux enabled, The Evil Hacker, and a certain vulnerability
in the Frame Buffer backend.
Plot
The Evil Hacker escapes from DomU and gets into Dom0. Using clever
CVE-2011-1016
Marek Olšák discovered an issue in the driver for ATI/AMD Radeon video
chips. Local users could pass arbitrary values to video memory and the
reschedules publication to March 16, stating that the advisory will be
published as "user release" if no reply is received.
. 2011-03-10:
VLC team requests two additional weeks for the release of fixes, and
asks whether the vulnerabilities are exploitable with ASLR.
. 2011-03-14:
Core agrees to postpone publication, confirms that the bugs are
exploitable with ASLR, and requests a concrete date for the release.
Bank clients, business software, antivirus software: all of them use ActiveX (for IE)
on the client side, and there have been and still are many vulnerabilities in it.
Vendors take steps to defend us from them. Software vendors patch vulnerabilities, and OS vendors
add new mechanisms to prevent attacks altogether. But security researchers keep looking for ways to bypass these mechanisms.
The new versions of browsers (Internet Explorer 8 and Firefox 3.5) use permanent DEP,
and the new versions of the OS use the ASLR mechanism. All this makes the old attack methods impossible.
But at BlackHat DC 2010 an interesting way to bypass DEP and ASLR in browsers (and not only browsers)
through Just-In-Time compilers was presented. This method is called JIT-Spray. Until now, however, there was no public PoC.
In this text we describe how to write shellcode for the new JIT-Spray attacks and how to build a universal STAGE 0 shellcode
that hands control to any common shellcode, for example from Metasploit.
We have not made a special new development release, nor are we
planning one. We do agree that Windows' default DLL search path
handling is dumb, so we have added code in our source repository to
improve that. It will be included in our next regular release (maybe
in a month or so), along with other proactive security improvements
such as enabling Windows ASLR and DEP support.
Cheers,
Fyodor
IV. Binary Analysis & Exploits/PoCs
---------------------------------------
In-depth binary analysis of the vulnerability and a code execution exploit
with ASLR and DEP bypass are available through the VUPEN Binary Analysis &
Exploits Service :
http://www.vupen.com/english/services/ba-index.php
The specific flaw exists within Internet Explorer that allows malicious
users to leak information about the memory layout of an Internet
Explorer process. When creating a new 'Option' HTML Element, the 'index'
field of the object is not set to zero and can be used to leak the
location of the global variable table. This can be used to defeat ASLR
or to remove the need for heap spraying while exploiting a remote code
execution flaw.
-- Vendor Response:
iDefense testing has demonstrated that this vulnerability is highly
exploitable, which is consistent with most type confusion
vulnerabilities.
As with most memory corruption vulnerabilities, exploitation mitigation
technologies like DEP and ASLR substantially increase the difficulty of
exploiting this vulnerability.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in all
this to be performed without resulting in a segmentation fault, the t1lib
library must read from a region which is actually mapped, which empirically
occurs with a probability of around 10% of the cases on a machine with ASLR
enabled.
--[ Mitigation:
Instead of fixing the Type 1 library, the xpdf team has decided to
vulnerability, an attacker needs to convince a user to open a malicious
file.
Labs testing has demonstrated this vulnerability is highly exploitable.
However, on systems where they are present, anti-exploitation
technologies like DEP and ASLR make the vulnerability extremely
difficult to exploit in a reliable way.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in Excel
>
> * Using debuggers to speed up exploit development
> (Tutorial Part 5)
> http://www.corelan.be:8800/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/
>
> * Bypassing Stack Cookies, Safeseh, NX/DEP and ASLR
> (Tutorial Part 6)
> http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
>
> * Writing stack based unicode exploits
> (Tutorials Part 7)
place 255 chars of HTML code (no slash) inside the filename. This can
lead to injecting JavaScript into UI using crafted file-send-request
packet. It's possible to trigger various actions from GUI JavaScript
code such as saving and running any file on the victim's host. Internal
protocols are abused for these purposes. No 'security' mechanisms like
ASLR or DEP will stop this attack because it's JS code. No user
interaction needed.
PoC:
file name that loads external x.js code:
As the TempAEDR->AEDR.Num is used as the index, the attacker can write 4
bytes to an address higher than the AEDRList's address. Since this index
is added to the AEDRList address, an attacker can also specify a large
value which allows him to overflow the integer in the adding calculation,
effectively writing to any address mapped by the process.
Other protection mechanisms, such as ASLR, could make this exploitation
method less reliable.
Various other memory corruption vulnerabilities have been identified
in SearchForRecord_r_64(), LastRecord64(), CDFsel64() and other functions.
In cooperation with the vendor all identified vulnerable functions have
Just a few cents - DoS in webbrowsers doesn't fall under the category of
"vulnerabilities" rather more of "annoyances". Although I don't deny the
fact that certain DoS attacks *may lead* or *may serve as hints* to other
more serious exploits, but that's a different topic and with ASLR in the
scene, a very grey area of discussion.
Case in point: XSS can be of various kinds and most of them (I'm talking
about 99.99%) can be attributed to the design of the web
technologies/protocols specifications (http, ajax, etc etc...you name it)
and the browsers can only do that much. Hence it's not feasible for a
Nowadays, the days of ASLR and DEP, any memory leak is welcome.
Yesterday, Stefano Di Paola posted the following tweet
http://twitter.com/WisecWisec/status/17254776077. After elaborating that
weird behaviour I discovered a flaw in mshtml.dll, exploitable via
Internet Explorer. In VBScript/JScript there are at least two functions
that make use of timers: setTimeout and setInterval. According to the
documentation, the return value should be a Timer ID. In Chrome and FF
this ID is pure sequential (1,2,3,4...) but in IE I was getting "weird"
IDs. Later on I discovered that those IDs turned out to be a heap
attacker. This is not very nice to exploit, however arbitrary code
execution is still possible. For example, multiple successive
single-byte-writes on a global function pointer can be used to gain
control of the instruction pointer.
Due to the nature of the vulnerability, a good exploit can bypass most
OS security features (non-exec-stack, ASLR, etc.) as well as compiler
features (stack canaries,...).
Proof-of-Concept
----------------