Slashdot Mirror


Defeating XP SP2 Heap Protection

hobo2k writes "XP SP2 included canary values and hardware-implemented execution protection in order to avoid exploitable buffer overruns. Now Positive Technologies has released an article describing one way that protection could be bypassed. To solve the problem, they provide a program which disables the small allocation heap as described here. CNET reports that SP2 has been foiled."


  1. i know the drill by numike · · Score: 5, Funny

    firefox

    1. Re:i know the drill by freeJustin · · Score: 4, Informative

      maybe you didn't read correctly; this is a core issue, so to rephrase "I know the drill, *nix"

    2. Re:i know the drill by eomnimedia · · Score: 3, Insightful
  2. You don't mean..?! by Rosco+P.+Coltrane · · Score: 2, Funny

    Now Positive Technologies has released an article describing one way that protection could be bypassed.

    A security problem in Windows? no way...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  3. SP2 what? by warderz · · Score: 2, Funny

    Protection? What protection?

    1. Re:SP2 what? by A+beautiful+mind · · Score: 5, Funny

      it's like putting on a second condom AFTER sex when the first one proved to be leaking.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    2. Re:SP2 what? by ozbird · · Score: 4, Funny

      To take the analogy further, does that make Linux the morning-after pill?

    3. Re:SP2 what? by NanoGator · · Score: 2, Funny

      "it's like putting on a second condom AFTER sex when the first one proved to be leaking."

      Oh....

      Er.. could we use metaphors that most of us could wrap our minds around?

      --
      "Derp de derp."
    4. Re:SP2 what? by Anonymous Coward · · Score: 2, Funny

      > > it's like putting on a second condom AFTER sex when the first one proved to be leaking.

      > To take the analogy further, does that make Linux the morning-after pill?

      No. Linux is like masturbation. And BSD is like necrophilia.

    5. Re:SP2 what? by wxjones · · Score: 3, Funny

      Actually, running Linux is like wearing a plaid hat with earflaps. Best birth control known to man! Come to think of it, it's Saturday night and I'm posting on slashdot...using Linux. At least my ears are warm.

      --
      My SIG is a P226
    6. Re:SP2 what? by SmittyTheBold · · Score: 2, Funny

      Yeah, so sorry about the AIDS you already contracted.

      Remember: the only safe computing is NO COMPUTING. If you feel like you have to use a computer, then staying off-line is the only sure way to stay disease-free. There's nothing shameful about it; you'll not go blind.

      Now, since I know you kids are going to want to play your Counter Strike anyway, it's best to make sure you only game with people you already know and trust. Don't deathmatch with that hussy you found at the airport bar, and never accept files from strangers. You don't know who else they've swapped files with.

      --
      ± 29 dB
  4. Just hold down Ctrl. by agent+dero · · Score: 4, Funny

    C'mon, this has been known for a while ;)

    --
    Error 407 - No creative sig found
  5. NX bit? by Anonymous Coward · · Score: 3, Interesting

    I read the .PDF pretty carefully, but I still don't understand how DEP (data execution protection via the NX bit in the page tables) fails to prevent this exploit. The 1016 bytes of memory is on the heap, isn't it? So how is any code you put there going to be executed?

    1. Re:NX bit? by Anonymous Coward · · Score: 3, Insightful

      The program disables the small allocation heap (meaning that the 1016 bytes of exploit code would be loaded into some other heap), which leads me to believe that perhaps the NX bit was only set for the small allocation heap pages. This will probably get fixed pretty quickly.

    2. Re:NX bit? by YU+Nicks+NE+Way · · Score: 4, Informative

      The article description is a bit deceptive. NX is independent of DEP here. The alleged exploit only works for the small heap on machines without NX, not for machines with NX. NX stops this exploit cold.

    3. Re:NX bit? by Deathlizard · · Score: 2, Insightful

      I agree. After reading the PDF, it seems that they were focusing on the software DEP system rather than the hardware (NX) DEP.

      For those not in the know, XPSP2 has two forms of DEP. Hardware and Software. If your Processor supports it, WinXP uses Hardware DEP in the form of the NX bit to protect your PC. If the NX bit is not available on your CPU (Most CPUs fall under this category) then it defaults to the Software DEP, or "sandboxing" as they put it.

      If anyone wants to try and exploit this on an NX capable PC it would be interesting to see if it works. The Software DEP definitely is going to need some more work done to it though.

    4. Re:NX bit? by hobo2k · · Score: 2, Informative

      I don't have the hardware to actually test it, but I believe the 2nd code sample is supposed to deal with NX. The stack/heap never get executed. Instead it modifies the stack such that when the function returns the C library function 'system' is called with an arbitrary command line to execute.

  6. Re:Can you blame them? by grolschie · · Score: 4, Funny

    > Microsoft and security?

    > Chalk and cheese?

    Don't you mean simply "swiss cheese"? ;-)

  7. This is way wrong. by A+beautiful+mind · · Score: 4, Interesting

    "Published 28th January 2005."

    And

    "In October 2004 it was discovered by MaxPatrol team that it is possible to defeat Microsoft® Windows® XP SP2 Heap protection and Data Execution Prevention mechanism."

    This is too much time to fix something. I can agree with some delayed disclosure but not anything above a month.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
    1. Re:This is way wrong. by jschottm · · Score: 4, Insightful

      This is too much time to fix something. I can agree with some delayed disclosure but not anything above a month.

      The CNET article states that they didn't report it to Microsoft until Dec 22. Which is close enough to the holidays that a substantial part of many businesses staff are out until the 1st of Jan.

      Anything that modifies core memory access/rights such as this needs extensive testing. It's most likely an easy fix, but you should be well aware of the outrage that would occur if they released a fix that ended up breaking things. Recall the rushed fix to OpenSSH that was distributed only to be replaced days later with a proper fix, leading to all manner of confusion as to which versions were vulnerable and not?

      Given that this is a relatively minor problem - the attacker would have to have another successful attack vector to be able to use this, I'm glad Microsoft is [theoretically] taking the time to do this right. If you're really that worried about it, you can run the software provided by a mostly unknown Russian company that they freely admit will affect the system negatively. And pray that there's no bugs in their code and that it's not malicious...

  8. It shouldn't be a surprise. by TeeJS · · Score: 4, Interesting

    that it's easier to bypass a patch over a hole, than get through a barrier that was built solidly from the beginning. I have a mental image of a steel door with a big piece of cardboard taped to it....

    1. Re:It shouldn't be a surprise. by ZorbaTHut · · Score: 3, Informative

      I disagree. Refactoring sounds like a much better solution. And I highly doubt this is a serious bug that affects the whole design - why would the introduction of a new CPU flag require the complete reconstruction of an entire OS kernel? Or more?

      I don't see how you could possibly suggest a full redesign and rewrite and then, in the same post, complain that fast fixes are rarely 100% correct. As if the rewrite won't be a thousand times worse!

      --
      Breaking Into the Industry - A development log about starting a game studio.
    2. Re:It shouldn't be a surprise. by TheLink · · Score: 2, Insightful

      Well that's fine if people who really know what they are doing do the redesign and rewrite.

      If it's the same people who didn't spot the serious bug that affects the _whole_ design, the odds are much worse that starting again would actually help much.

      Ask a crappy team to redesign and rewrite and they'll just come up with more crap. Let's be nice and say the team is good only the politics/process is broken, whatever, you still end up with more crap.

      So far the evidence is that more often than not the same people who wrote insecure software will still _rewrite_ insecure software even if they start anew. Go look at Bugtraq over the years.

      It's hard for most programmers to write secure software in certain programming languages - C being the most infamous example. Trouble is most still keep doing so for various reasons.

  9. Re:And this by archen · · Score: 3, Insightful

    I'm surprised about the reporting that SP2 has been "foiled". SP2 is supposed to be a step to make xp more secure, not invincible. There's a lot more to SP2 than the heap protection.

  10. Re:And this by Anonymous Coward · · Score: 4, Funny

    I'm shocked! I have been reading all these independent studies, and according to Forrester, Windows users have fewer vulnerabilities. Check it out yourself, if you don't believe!
    http://www.microsoft.com/windowsserversystem/facts/analyses/default.mspx#EHAA

    It's a fact. So this vulnerability, and the dozen others I've been patching at the work, are just some kind of imagination. Or maybe Linux / BSD / OS X users have just amazing amounts of vulnerabilities (counted together, OS & apps).

    I'm drunk. And it's not a surprise. Every hardcore Linux geek (like myself), who has to maintain Windows networks for living, have more drinking problems than those who are using solely operating systems and software which are free as speech (as opposed to beer).

    Responsible for security of Windows network? Next recommendation for security enhancements: different operating systems, no more IE. If there are costs, then they're definitely worth it. Microsoft has proved that they don't care. All they care is money, monopoly and marketing (FUD / brainwashing / propaganda).

  11. I wonder.... by futuresheep · · Score: 3, Insightful

    I wonder what Nick McGrath's opinion on this is, and who is HE holding accountable?

  12. Re:Is that link to MS correct by DarkMantle · · Score: 5, Funny

    You expect the links and the article to be related?

    You expect too much from the editors.

    --
    DarkMantle I been bored, so I started a blog.
  13. Re:In hardware? by Anonymous Coward · · Score: 5, Informative

    How many of these rely on the hardware to protect them?

    Ummm... all of them?

    Memory protection requires hardware support to work, and every version of UNIX, Linux, NT (right from the beginning) and Win9x all use hardware support to implement memory protection.

    It seems that you have hardware memory protection mixed up with the NX (no execute) bit. All that the NX bit does is nothing more than mark memory allocated on the heap as non executable. The application is completely free to allocate executable memory, just that a normal malloc() does not cut it for this purpose.

    This is a very good feature. The reason is that 99.99% of apps never need to execute code created on the heap. The only exceptions are things that JIT code like the Java VM.

    Many buffer overruns that result in exploits rely on heap memory being executable. By requiring a very small set of programs to be fixed, you can eliminate a whole type of security flaw. Is it the be all and end all? No, it's not. But it sure helps.

  14. And yet by HackNack · · Score: 3, Funny

    When asked about the problem Steve Ballmer said that Linux sucks.

    1. Re:And yet by SirTalon42 · · Score: 2, Interesting

      Linux has for a good while. It also has 'Execute-Shield' which also makes buffer overflows much harder (implemented in software, and I believe works on more than just x86/x86_64).

  15. foiled? by gardyloo · · Score: 3, Funny

    CNET reports that SP2 has been foiled.

    Shouldn't that read tin-foiled? C'mon, slashdot, standards?

  16. Re:In hardware? by Anonymous Coward · · Score: 2, Informative

    Most modern RISC processors have NX. I'm not sure if Alphas do, but most likely. Sparcs do.

  17. Yep... by rbochan · · Score: 2, Funny

    ...probably Nick McGrath ;o)

    --
    ...Rob
    The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
  18. Re:And this by ScrewMaster · · Score: 4, Insightful

    Yeah. A bit sensationalist, I suppose. And SP2 did live up to the ideal of making Windows more secure, but the typical user mentality operates more in the realm of absolutes. "I want perfect security, and SP2 isn't perfect so therefore it's useless." Good security is a process, a continuing evolution, and that's true no matter what OS you use. Would I plug an XP SP2 box right into my cable modem? Not unless I was setting up a honeypot. But it is an improvement.

    --
    The higher the technology, the sharper that two-edged sword.
  19. Fixed Quickly? by EventHorizon · · Score: 3, Interesting

    The patch may be quick. It will still take a long time to deploy.

    Anyway you have to wonder about this kind of technical oversight. If you are implementing an NX heap, you obviously need to NX the WHOLE heap for it to be useful.

    Basically it looks like Microsoft is incapable of secure development at the core OS layer. I find that absolutely mind boggling given their resources.

    1. Re:Fixed Quickly? by peasleer · · Score: 3, Insightful

      Don't make it sound like Linux is problem free either. Just this morning, *11* Linux kernel vulnerabilities were posted to security focus. Yes, the number of vulnerabilities in Linux have historically been fewer in number, but no operating system is perfect. Windows does what it does well: Providing a stable (yes, XP is stable,) operating environment for beginning to advanced users.

      --
      Mythos : Logos :: Slashdot : Intelligence
    2. Re:Fixed Quickly? by TelJanin · · Score: 3, Insightful

      And how long will it take to fix the Linux problems, compared to the Windows problem described in the article?

      Linux way of fixing things:
      1) Discover there is a problem
      2) Send a patch to kernel maintainers
      3) Kernel is patched

      Windows way of fixing things:
      1) Discover problem
      2) Tell Microsoft
      3) Two months later, when Microsoft has done nothing, tell the world
      4) Get possibly sued by Microsoft (if MS can to a Russian company)
      5) After several viruses have exploited the vulnerability, Microsoft makes a patch that won't install correctly.

    3. Re:Fixed Quickly? by Zeinfeld · · Score: 2, Insightful

      Thanks to the abortion thread, this is the first comment that actually addresses the real issue.

      The patch may be quick. It will still take a long time to deploy.

      No, Windows has had automatic update for years now. Every machine I have is fully current with patches.

      What would be the proportion of Linux systems running with heap protection?

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  20. plus, there's a chicken-and-egg impediment by js7a · · Score: 4, Interesting

    I don't think Windows users should lose too much sleep over this. How is an exploit supposed to unprotect the heap segment in order to execute the buffer overrun code -- before such code has been executed?

    1. Re:plus, there's a chicken-and-egg impediment by LO0G · · Score: 4, Interesting

      Exactly: In order to exploit this, you need to find a program with:

      1) An exploitable memory overwrite error in a system component.
      2) A heap allocation pattern that exactly matches the pattern demonstrated here.

      If you don't have BOTH of these criteria met, then it won't matter.

      Software DEP was never intended as anything more than a really big speedbump.

      As a PoC, it's interesting, but as "the end of XP SP2?" I don't think so....

  21. stackguards should be last line of defence by auzy · · Score: 2, Insightful

    This is probably a good thing, because it proves that even with stackguarding, etc.. Treating your system as if they don't exist is the best thing you can do. Microsoft unfortunately chooses to use stackguarding as a first line of defence to allow them to take their time patching software, which is a terrible idea.

    So basically, nothing has changed in the security world in the past year. The only thing is that the attitude of programmers has in some cases, become slacker because of technologies like this, believing they can get away with it now.

    If you ask me though personally, I'm betting Microsoft didn't run major tests on the security of DEP anyway, only simpler ones

  22. I blogged another way too by bluefoxlucid · · Score: 5, Interesting

    I did blog on another way using only a stack overflow on my blog. My way was more "all existing exploits work as-is after just a little extra step" than "exploits still exist that get around DEP" though.

    My way was to just slap DEP in the face by using a ret2libc with a constructed stack frame that gave the shellcode a nice, clean, executable area of memory to execute in, then copied the memory there, then returned to it. This is done by 1) Return to VirtualAlloc(), 2) Return to memcpy(), 3) return to shellcode.

    They noticed this in October; it took me until January and I'm not a security expert.

  23. For the geeks... by Jugalator · · Score: 3, Interesting

    ... the juicy bits are here. Scroll down to the bottom for the appendices where there are C code examples on how to bypass these measures.

    --
    Beware: In C++, your friends can see your privates!
  24. So, will M$ take a stand? by cvd6262 · · Score: 2, Insightful

    Since MS claims Linux companies can't be held responsible for Linux security, will MS claim responsibility for this?

    --

    I'd rather have someone respond than be modded up.

  25. Re:And this by louarnkoz · · Score: 3, Informative

    Code execution protection is one of the security features of XP/SP2. The design concept in XP/SP2 is to have a succession of protection layers, e.g. running the firewall to block ports, requiring authentications on RPC ports that are open, blocking some form of communications, etc. None of these protections is entirely foolproof: some ports will remain open, some passwords will be guessed, etc. But it is much harder for an attacker to breach several protections than just one.

    The code execution protection is one of these protection layers, pretty much the last one when everything else has been breached and a buffer has overflown. It prevents the class of exploits that load code in a data buffer and somehow jump into it. But there is still a way through, using a stack overflow to rewrite a return pointer or a function pointer and direct it to an existing procedure, e.g. one in libc.

    Protecting against such exploits is very hard, and the problem is by no means specific to Windows. Don't expect a quick fix.

  26. Re:Don't forget... by Anonymous Coward · · Score: 2, Insightful

    If you really read comments at +3, you're reading the same stupid-ass crap that gets posted in every fucking story.

    What's the mother fucking point of reading the comments if you're going to let other people decide for you which ones are good enough to read?

  27. Re:And this by cnettel · · Score: 2, Insightful

    Isn't the point of the canary values even mentioned in the post to actually catch stack overruns? They are a far more expensive thing to do, but I was under the impression that they still are used quite extensively in SP2. Basically, if you put in a random value (varying between each function call, ideally, probably between each machine session or so in SP2) between the stack buffer and the return pointer, and that value is checked before RET is called, it gets much harder to overrun the buffer, beat the RET check and get the code to jump back to the wrong place.

    Naturally, the only real solution is to avoid the overruns by sensible code. But, if one would be ready to believe that this level of checking would be enough to put native compiled code written by idiots on par with Java or .NET code written by idiots in the area of buffer overrun, it would be a cheap choice, performance-wise.
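
Added example (not part of the thread and not Microsoft's implementation): a small C simulation of the check described in the comment above, with a value placed between a buffer and a saved return pointer and compared before the return pointer is used. The struct layout, the cookie value and `SAVED_RET` are constructed for illustration; a real compiler places these on the machine stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define SAVED_RET 0x00401000u /* constructed stand-in for a return address */

/* Simulated frame, lowest address first: buffer, canary, return pointer.
 * An ordinary struct is used so the overrun below is well-defined C. */
struct frame {
    unsigned char buf[BUF_SIZE];
    uint32_t canary;
    uint32_t ret;
};

enum result { RET_OK = 0, RET_ABORTED = 1 };

/* Prologue: place the session cookie between the buffer and the return slot. */
static void frame_enter(struct frame *f, uint32_t cookie)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary = cookie;
    f->ret = SAVED_RET;
}

/* The bug being modelled: len is never compared with BUF_SIZE. The copy is
 * clamped to the struct so the demo itself never writes outside it. */
static void unchecked_copy(struct frame *f, const unsigned char *src, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, src, len);
}

/* Epilogue: verify the canary before the return pointer is used. */
static enum result frame_leave(const struct frame *f, uint32_t cookie, uint32_t *ret_out)
{
    if (f->canary != cookie)
        return RET_ABORTED; /* a real runtime terminates the process here */
    *ret_out = f->ret;
    return RET_OK;
}

/* One simulated call: enter, copy caller-supplied bytes, leave. */
enum result simulate_call(uint32_t cookie, const unsigned char *in, size_t len, uint32_t *ret_out)
{
    struct frame f;
    frame_enter(&f, cookie);
    unchecked_copy(&f, in, len);
    return frame_leave(&f, cookie, ret_out);
}

int main(void)
{
    const uint32_t cookie = 0x5EC0DE42u; /* constructed; real cookies are random */
    unsigned char in[sizeof(struct frame)];
    uint32_t ret = 0;

    memset(in, 'A', sizeof in);

    /* Input fits the buffer: canary intact, return pointer unchanged. */
    printf("8 bytes : %s\n", simulate_call(cookie, in, 8, &ret) == RET_OK ? "returned" : "aborted");

    /* Overrun reaches the return slot but tramples the canary first. */
    printf("24 bytes: %s\n", simulate_call(cookie, in, sizeof in, &ret) == RET_OK ? "returned" : "aborted");

    /* Why the value must be unpredictable: an overrun that reproduces the
     * cookie passes the check even though the return slot was changed. */
    memcpy(in + BUF_SIZE, &cookie, sizeof cookie);
    printf("cookie known: %s, ret=0x%08x\n",
           simulate_call(cookie, in, sizeof in, &ret) == RET_OK ? "returned" : "aborted",
           (unsigned)ret);
    return 0;
}
```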

  28. What the shit? by Anonymous Coward · · Score: 2, Interesting

    Okay, so in order to disable the heap protection either the user has to execute arbitrary code while running under the context of a user with sufficient permissions, or be enticed to follow a fairly obscure set of instructions to edit the registry.

    How the shit is this a vulnerability exactly? The only way to exploit it is to have already 0wned the machine so there would be no need to disable memory protection at any scope.

    Also, as mentioned, this doesn't work correctly on hardware that supports NX. There is no pure software method to carry out NX and all existing measures, such as DEP, can be defeated through complex means. Microsoft makes no claims to the methodology being 100% secure, but it will help stop 60% of buffer overrun scenarios which account for the vast majority of said vulnerabilities. But that is the only way to carry it out in code without imposing huge amounts of overhead, which would still be defeatable without hardware support. Developers practically have to go out of their way in order to embed such vulnerabilities. These proofs of concept are irrelevant; they are not representative of the forms of vulnerabilities accidentally introduced into software.

    In other words, another non-story from the shit-eaters at Snatchrot.

  29. Re:An agrarian view on alternatives for XP SP2 by bluefoxlucid · · Score: 4, Informative

    BSD is under the BSD license. You may rewrite it, steal their code, and not give it out.

    You can build things with GCC and not GPL them.

    You can build things and link to libraries that are GPL and not GPL them.

    So, you can develop apps for linux, using only your own code and any code that BSD people threw under the BSD license, and build them against open source libraries to use those, and have an MS style EULA and closed source.

  30. Re:How does linux fix this? by bluefoxlucid · · Score: 2, Insightful

    "1. The 2.6 kernels have exec-shield support, which is a kind of emulation of the NX bit for processors that don't support it in hardware."

    Exec Shield protects the stack, unless something's mapped above it, or unless it thinks you need an executable stack. It protects other things, randomly; the protections randomly fail. Spender also has a working exploit that takes out ES, but he can't distribute it or disclose the method because (as he needs food) he sold it for $1000 to a security firm.

    The stack can be used for code or for some data. The stack can be stuffed with 0x02020202 (NOPNOPNOPNOP) so that the shellcode can be shifted off and you either A) jump to the shellcode, or B) jump to NOPs and run to the shellcode. For things using the stack for data (like shell returns to preexisting code that's not randomly placed under most systems), you can rely on the stack being aligned to 16 bytes. "/bin/sh /bin/sh /bin/sh /bin/sh /bin/sh "

    PaX has proper NX protections.

    "2. Modern distros do address-space randomization which stops ret2libc type attacks."

    You need to use GrSecurity's brute force deterrence to do this on fork()ing daemons like apache, else the randomization is breakable. PaX' can be broken in 216 seconds; the one from ES normally can be broken in one step by stack stuffing (64k or 2M rand, one of those two).

    Brute force deterrence is useless for small randomization, because you can use a certain trick to evade them involving holding off the attack until you set up for doing it several times in parallel.

    PaX has better ASLR.

    "3. Linux doesn't have exception handlers so these don't need protecting."

    You're right, the OS doesn't. The programmer has to code for exceptions and signals. The OS can't protect them, but you can create a compiler modification that does so. It's pointless though, really. The same things in PaX that kill your normal exploit kill your mucking with signal handlers.

  31. Incorrect by Mark_MF-WN · · Score: 3, Informative

    He compared it to the morning after pill. The morning after pill doesn't "abort" anything -- it simply causes the egg to fail to implant itself in the uterus. This is EXACTLY what IUDs and "The Pill" do, and what happens in 90% of all fertilizations anyway. The morning after pill is just interventive birth-control. It has absolutely nothing to do with abortions.

  32. Question about the stack by wirelessbuzzers · · Score: 2, Interesting

    The method of attack for most stack buffer-overflows is to write enough data into a stack-allocated object to clobber the return pointer, which is allocated above it.

    So why not make the stack grow upwards instead of downwards?

    --
    I hereby place the above post in the public domain.
    1. Re:Question about the stack by pe1chl · · Score: 2, Informative

      This decision was made long ago, when there was only a single address space and it was convenient to have the program at a fixed address at the beginning of memory, and the stack fixed at the end.

      The "stack grows down" has been embedded in the hardware design and now it cannot be changed easily.

  33. Re:In hardware? by omry_y · · Score: 2, Insightful

    You didn't hear anything about buffer overflow in DOS simply because there are much simpler ways to run arbitrary code, whenever you want.
    You can simply register an interrupt handler, for the clock, if you need to do something every clock tick, or to int21 (DOS function calls) if you want to do something when a program calls DOS functions.

    --
    Omry.
  34. Re:Don't forget... by Badanov · · Score: 2, Insightful

    I like -1, raw and uncut. It gives me a far broader picture of what is being said about a particular subject.

    If you browse at +3, you will miss a lot of funny as well as lot of rather intelligent posts you wouldn't get to see at +3.

    Also, reading at -1 raw and uncut shows in rather stark clarity that the moderating system at slashdot is broken.

    --
    Dawn of the Dead