Flipping bits at ASLR
Didier Stevens points out an interesting discovery about Windows Vista and ASLR. With just the right touch of bit flipping (only one bit needed), it is possible to enable or disable ASLR for an application.
While this might provide a valuable stepping-off point for attacking applications that otherwise rely on ASLR to blunt memory-corruption exploits, what is more interesting is that Windows File Protection (Windows Resource Protection on Vista) apparently does not notice when this setting has been changed on critical system software.
Windows File Protection is one of those system components that checks core Windows files for signs of modification or damage when they are accessed and repairs them, or replaces them outright, with known-good copies from the system repositories. This is why deleted system files on XP reappear within a matter of seconds. Vista's Windows Resource Protection apparently only identifies that something is wrong and does not automatically regenerate the damaged resource.
Either way, Windows apparently cannot tell that this key protective mechanism has been switched off on key applications. Of course, an attacker with free rein to change system software in this manner already controls the system, and there is little reason to open new holes for others to walk in through.
For the technically inclined, the bit in question is IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) in the DllCharacteristics field of the PE optional header: set it and the image opts in to ASLR, clear it and the image is loaded at its preferred base. Note that flipping the bit leaves the PE checksum and any Authenticode signature over the headers stale, so the change is trivially visible to anything that actually verifies them.
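The following is an added example, not code from the original article or from Didier Stevens, that locates the DllCharacteristics field by walking the MZ and PE headers and reports or toggles the DYNAMIC_BASE bit. It handles both PE32 and PE32+ images (the field sits at the same offset in both optional headers) and includes a constructed, header-only PE image so it can be exercised offline; that image is a test fixture, not a loadable binary.

```python
"""Inspect and toggle the ASLR opt-in bit in a PE file's optional header.

Added example; not the article's or Didier Stevens's tool. Offsets and flag
values come from the PE/COFF specification (winnt.h)."""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in, shown for contrast
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARACTERISTICS_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def dllcharacteristics_offset(data: bytes) -> int:
    """Return the file offset of the 16-bit DllCharacteristics field.

    Validates the MZ header, PE signature and optional-header magic on the
    way and raises ValueError for anything that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    if opt_size < DLLCHARACTERISTICS_OFFSET + 2 or len(data) < opt + opt_size:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    return opt + DLLCHARACTERISTICS_OFFSET


def dllcharacteristics(data: bytes) -> int:
    """Read the raw DllCharacteristics value."""
    return struct.unpack_from("<H", data, dllcharacteristics_offset(data))[0]


def aslr_enabled(data: bytes) -> bool:
    """True if the image opts in to ASLR."""
    return bool(dllcharacteristics(data) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def set_aslr(data: bytes, enabled: bool) -> bytes:
    """Return a copy of the image with DYNAMIC_BASE set or cleared.

    Only that one bit changes. The PE CheckSum field and any Authenticode
    signature covering the headers are deliberately left alone, so after this
    call they no longer match the file."""
    buf = bytearray(data)
    off = dllcharacteristics_offset(data)
    flags = struct.unpack_from("<H", buf, off)[0]
    if enabled:
        flags |= IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    else:
        flags &= ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE & 0xFFFF
    struct.pack_into("<H", buf, off, flags)
    return bytes(buf)


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a header-only PE image for offline testing (a fixture, not a
    loadable binary): MZ stub, PE signature, COFF header, zeroed optional
    header with the given DllCharacteristics."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    # Run against a copy of a DLL or EXE, never the live system file.
    with open(sys.argv[1], "rb") as f:
        image = f.read()
    flags = dllcharacteristics(image)
    print(f"DllCharacteristics = 0x{flags:04x}: "
          f"ASLR {'on' if flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE else 'off'}, "
          f"DEP {'on' if flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT else 'off'}")
```

Running the script against a copy of a binary prints the flag word and the ASLR/DEP state; `set_aslr` produces the modified image without touching anything but that one bit, which is exactly what makes the change easy to miss for a checker that does not compare the headers against a signature or known-good hash.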
26 November 2007