Google Researcher Ships Exploit to Defeat ASLR+DEP

A prominent security researcher has released an exploit that uses a new technique to defeat ASLR + DEP on Microsoft’s Windows operating system.

The exploit, released by Google security researcher “SkyLined,” uses the ret-into-libc technique to bypass DEP (Data Execution Prevention) and launch code execution attacks on x86 platforms. 

SkyLined (real name Berend-Jan Wever) is best known for introducing heap-spraying in Web browsers, a technique used in exploits to facilitate arbitrary code execution. He previously worked at Microsoft before leaving in 2008 to work on security for Google’s Chrome browser.

“I am releasing this because I feel it helps explain why ASLR+DEP are not a mitigation to put a lot of faith in, especially on x86 platforms,” SkyLined wrote on his blog.  “32-bits does not provide sufficient address space to randomize memory to the point where guessing addresses becomes impractical, considering heap spraying can allow an attacker to allocate memory across a considerable chunk of the address space and in a highly predictable location,” he added.

The code in this exploit shows how to abuse this to perform a ret-into-libc attack when you can predict or, through information leakage, determine the location of modules (exe, dll) in the process’ memory.

The source code for the Internet Exploiter 2 exploit has been posted online [zip file].

Microsoft introduced ASLR (Address Space Layout Randomization) + DEP in Windows Vista, touting them as significant anti-exploit mechanisms, but researchers have spent the better part of the last year finding ways around these mitigations.

At the 2008 Black Hat conference, hackers Mark Dowd and Alex Sotirov demonstrated new methods to get around ASLR and DEP by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.
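Both the ret-into-libc approach described above and the Dowd/Sotirov work depend on a module sitting at a predictable address, which happens whenever a loaded exe or dll did not opt in to ASLR (or cannot be relocated) or to DEP. The following Python script is an added example written for this article, not code from SkyLined’s exploit or from Microsoft; it reads the PE header flags that govern those opt-ins so a defender can audit which modules in a process would undermine the mitigations. The flag values are the documented PE/COFF constants; the sample headers are constructed in the script itself so it runs offline.

```python
import struct

# PE/COFF flag values from the PE specification
IMAGE_FILE_RELOCS_STRIPPED = 0x0001            # COFF Characteristics: image cannot be relocated
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR (Windows 8 and later)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # ASLR opt-in (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP opt-in (/NXCOMPAT)
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def assess_mitigations(data: bytes) -> dict:
    """Parse a PE image's headers and report ASLR/DEP opt-in state.

    Returns a dict with the raw flag bits and an 'aslr_effective' verdict:
    DYNAMIC_BASE alone is not enough, the image also needs relocations.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)

    dynamic_base = bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "address_bits": 64 if magic == PE32PLUS_MAGIC else 32,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "aslr_effective": dynamic_base and not relocs_stripped,
        "high_entropy_va": bool(dllchars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def findings(data: bytes) -> list:
    """Human-readable audit findings for one module, worst first."""
    m = assess_mitigations(data)
    out = []
    if not m["aslr_effective"]:
        out.append("module loads at a fixed, predictable base (no effective ASLR)")
    if not m["nx_compat"]:
        out.append("module is not DEP-compatible")
    if m["aslr_effective"] and m["address_bits"] == 32:
        out.append("ASLR enabled but 32-bit address space limits entropy")
    return out


def build_pe_header(magic: int, characteristics: int, dllchars: int) -> bytes:
    """Constructed minimal PE header (assumption: enough for header parsing only)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    opt_size = 112 if magic == PE32PLUS_MAGIC else 96
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchars)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a hardened 32-bit module and a legacy one with nothing enabled
HARDENED_X86 = build_pe_header(PE32_MAGIC, 0,
                               IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
LEGACY_X86 = build_pe_header(PE32_MAGIC, IMAGE_FILE_RELOCS_STRIPPED, 0)

if __name__ == "__main__":
    for name, blob in (("hardened", HARDENED_X86), ("legacy", LEGACY_X86)):
        print(name, assess_mitigations(blob), findings(blob))
```

To audit a real process, run assess_mitigations over every module path reported by the loader and treat any entry with aslr_effective or nx_compat set to False as a fixed-address gadget source for the attack class the article describes.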

Discussion

  • Robert on

    Hmm, but this is a bug that was patched in 2005 in Internet Explorer 6. And it only works if ASLR is disabled or you find a way around ASLR. And on x64 machines, it is nearly impossible to make this work, and certainly not reliably. So, nothing to lose sleep over.
