Slashdot Mirror

← Back to Stories (view on slashdot.org)

Defeating XP SP2 Heap Protection

Posted by michael on from the secure-by-design dept.

hobo2k writes "XP SP2 included canary values and hardware-implemented execution protection in order to avoid exploitable buffer overruns. Now Positive Technologies has released an article describing one way that protection could be bypassed. To solve the problem, they provide a program which disables the small allocation heap as described here. CNET reports that SP2 has been foiled."

19 of 242 comments (clear)

  1. i know the drill by numike · · Score: 5, Funny

    firefox

    1. Re:i know the drill by freeJustin · · Score: 4, Informative

      mayve you didnt read correctly this is a core issue, so to rephrase "I know the drill, *nix"

  2. Re:SP2 what? by A+beautiful+mind · · Score: 5, Funny

    it's like putting on a second condom AFTER sex when the first one proved to be leaking.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  3. Just hold down Ctrl. by agent+dero · · Score: 4, Funny

    C'mon, this has been known for a while ;)

    --
    Error 407 - No creative sig found
  4. Re:Can you blame them? by grolschie · · Score: 4, Funny

    > Microsoft and security?

    > Chalk and cheese?

    Don't you mean simply "swiss cheese"? ;-)

  5. This is way wrong. by A+beautiful+mind · · Score: 4, Interesting

    "Published 28th January 2005."

    And

    "In October 2004 it was discovered by MaxPatrol team that it is possible to defeat Microsoft® Windows® XP SP2 Heap protection and Data Execution Prevention mechanism."

    This is too much time to fix something. I can agree with some delayed disclosure but not anything above a month.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
    1. Re:This is way wrong. by jschottm · · Score: 4, Insightful

      This is too much time to fix something. I can agree with some delayed disclosure but not anything above a month.

      The CNET article states that they didn't report it to Microsoft until Dec 22. Which is close enough to the holidays that a substantial part of many businesses staff are out until the 1st of Jan.

      Anything that modifies core memory access/rights such as this needs extensive testing. It's most likely an easy fix, but you should be well aware of the outrage that would occur if they released a fix that ended up breaking things. Recall the rushed fix to OpenSSH that was distributed only to be replaced days later with a proper fix, leading to all manner of confusion as to which versions were vulnerable and not?

      Given that this is a relatively minor problem - the attacker would have to have another sucessful attack vector to be able to use this, I'm glad Microsoft is [theoretically] taking the time to do this right. If you're really that worried about it, you can run the software provided by a mostly unknown Russian company that they freely admit will affect the system negatively. And pray that there's no bugs in their code and that it's not malicious...

  6. It shouldn't be a suprise. by TeeJS · · Score: 4, Interesting
    that it's easier to bypass a patch over a hole, than get through a barrier that was built solidly from the beginning. I have a mental image of a steel door with a big piece of cardboard taped to it....

    --
    T.J. Schmitz - the man, the myth, the legend - o
  7. Re:And this by Anonymous Coward · · Score: 4, Funny

    I'm shocked! I have been reading all these independent studies, and according to Forrester, Windows users have fewer vulnerabilities. Check it out yourself, if you don't believe!
    http://www.microsoft.com/windowsserversy stem/facts /analyses/default.mspx#EHAA

    It's a fact. So this vulnerability, and the dozen others I've been patching at the work, are just some kind of imagination. Or maybe Linux / BSD / OS X users have just amazing amounts of vulnerabilities (counted together, OS & apps).

    I'm drunk. And it's not a surprise. Every hardcore Linux geek (like myself), who has to maintain Windows networks for living, have more drinking problems than those who are using solely operating systems and software which are free as speech (as opposed to beer).

    Responsible for security of Windows network? Next recommendation for security enhancements: different operating systems, no more IE. If there are costs, then they're definitely worth it. Microsoft has proved that they don't care. All they care is money, monopoly and marketing (FUD / brainwashing / propaganda).

  8. Re:Is that link to MS correct by DarkMantle · · Score: 5, Funny

    You expect the links and the article to be related?

    You expect too much from the editors.

    --
    DarkMantle I been bored, so I started a blog.
  9. Re:In hardware? by Anonymous Coward · · Score: 5, Informative
    How many of these rely on the hardware to protect them?

    Ummm... all of them?

    Memory protection requires hardware support to work, and every version of UNIX, Linux, NT (right from the beginning) and Win9x all use hardware support to implement memory protection.

    It seems that you have hardware memory protection mixed up with the NX (no execute) bit. All that the NX bit does is nothing more than mark memory allocated on the heap as non executable. The application is completely free to allocate executable memory, just that a normal malloc() does not cut it for this purpose.

    This is a very good feature. The reason is that 99.99% of apps never need to execute code created on the heap. The only exceptions are things that JIT code like the Java VM.

    Many buffer overruns that result in exploits rely on heap memory being executable. By requiring a very small set of programs to be fixed, you can eliminate a whole type of security flaw. Is it the be all and end all? No its not. But it sure helps.

  10. Re:Linux/NX/AMD64 by DaHat · · Score: 5, Informative

    Last I checked it already was.

    http://news.zdnet.com/2100-3513_22-5227102.html/
    http://linuxgazette.net/107/pramode.html/
    http://kerneltrap.org/node/3240?PHPSESSID=262a094f ee677def32a8cc4d1b858f99/
    http://searchenterpriselinux.techtarget.com/origin alContent/0,289142,sid39_gci969248,00.html/

    Just to name a few

    --
    Help Brendan pay off his student loans
  11. Re:SP2 what? by ozbird · · Score: 4, Funny

    To take the analogy further, does that make Linux the morning-after pill?

  12. Re:NX bit? by YU+Nicks+NE+Way · · Score: 4, Informative

    The article description is a bit deceptive. NX is independent of DEP here. The alleged exploit only works for the small heap on machines without NX, not for machines with NX. NX stops this exploit cold.

  13. Re:And this by ScrewMaster · · Score: 4, Insightful

    Yeah. A bit sensationalist, I suppose. And SP2 did live up to the ideal of making Windows more secure, but the typical user mentality operates more in the realm of absolutes. "I want perfect security, and SP2 isn't perfect so therefore it's useless." Good security is a process, a continuing evolution, and that's true no matter what OS you use. Would I plug an XP SP2 box right into my cable modem? Not unless I was setting up a honeypot. But it is an improvement.

    --
    The higher the technology, the sharper that two-edged sword.
  14. plus, there's a chicken-and-egg impediment by js7a · · Score: 4, Interesting

    I don't think Windows users should lose too much sleep over this. How is an exploit supposed to unprotect the heap segment in order to execute the buffer overrun code -- before such code has been executed?

    1. Re:plus, there's a chicken-and-egg impediment by LO0G · · Score: 4, Interesting

      Exactly: In order to exploit this, you need to find a program with:

      1) An exploitable memory overwrite error in a system component.
      2) A heap allocation pattern that exactly matches the pattern demonstrated here.

      If you don't have BOTH of these criteria met, then it won't matter.

      Software DEP was never intended as anything more than a really big speedbump.

      As a PoC, it's interesting, but as "the end of XP SP2?" I don't think so....

  15. I blogged another way too by bluefoxlucid · · Score: 5, Interesting

    I did blog on another way using only a stack overflow on my blog. My way was more "all existing exploits work as-is after just a little extra step" than "exploits still exist that get around DEP" though.

    My way was to just slap DEP in the face by using a ret2libc with a constructed stack frame that gave the shellcode a nice, clean, executable area of memory to execute in, then copied the memory there, then returned to it. This is done by 1) Return to VirtualAlloc(), 2) Return to memcpy(), 3) return to shellcode.

    They noticed this in October; it took me until January and I'm not a security expert.

    --
    Support my political activism on Patreon.
  16. Re:An agrarian view on alternatives for XP SP2 by bluefoxlucid · · Score: 4, Informative

    BSD is under the BSD license. You may rewrite it, steal their code, and not give it out.

    You can build things with GCC and not GPL them.

    You can build things and link to libraries that are GPL and not GPL them.

    So, you can develope apps for linux, using only your own code and any code that BSD people threw under the BSD license, and build them against open source libraries to use those, and have an MS style EULA and closed source.

    --
    Support my political activism on Patreon.