A prominent security researcher has released an exploit that uses a new technique to defeat ALSR + DEP on Microsoft’s Windows operating system.
The exploit, released by Google security researcher “SkyLined,” uses the ret-into-libc technique to bypass DEP (Data Execution Prevention) and launch code execution attacks on x86 platforms.
SkyLined (real name Berend-Jan Wever) is best known for introducing heap-spraying in Web browsers, a technique used in exploits to facilitate arbitrary code execution. He previously worked at Microsoft before leaving in 2008 to work on security Google’s Chrome browser.
“I am releasing this because I feel it helps explain why ASLR+DEP are not a mitigation to put a lot of faith in, especially on x86 platforms,” SkyLined wrote on his blog. ”32-bits does not provide sufficient address space to randomize memory to the point where guessing addresses becomes impractical, considering heap spraying can allow an attacker to allocate memory across a considerable chunk of the address space and in a highly predictable location,” he added.
The code in this exploit shows how to abuse this to perform a ret-into-libc attack when you can predict or, through information leakage, determine the location of modules (exe, dll) in the process’ memory.
The source code for the Internet Exploiter 2 exploit has been posted online [zip file].
Microsoft introduced ASLR (Address Space Layout Randomization) + DEP in Windows Vista, touting them as significant anti-exploit mechanisms but researchers have spent the better part of the last year finding ways around these mitigations.
At the 2008 Black Hat conference, hackers Mark Dowd and Alex Sotirov demonstrated the new methods to get around ASLR and DEB by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.