Defeating Microsoft Windows XP SP2 Heap protection

-------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no
rights. You assume all risk for your use.
-------------------------------------------------------------------

Defeating Microsoft Windows XP SP2 Heap protection
and DEP bypass


Alexander Anisimov, Positive Technologies.
( anisimov[at]ptsecurity.com, http://www.ptsecurity.com )

Overview


Memory protection

Buffer overrun attacks are among the most common mechanisms, or
vectors, for intrusion into computers. In this type of exploit, the
attacker sends a long string to an input stream or control ¡V longer
than the memory buffer allocated to hold it. The long string injects
code into the system, which is executed, launching a virus or worm.



Windows XP Service Pack 2 uses two general categories of protection
measures to inhibit buffer-overrun attacks. On CPUs that support it,
the operating system can turn on the execution protection bit for
virtual memory pages that are supposed to hold only data. On all CPUs,
the operating system is now more careful to reduce both stack and heap
buffer overruns, using "sandboxing" techniques.



Execution Protection (NX)

On the 64-bit AMD K8 and Intel Itanium processor families, the CPU
hardware can mark memory with an attribute that indicates that code
should not be executed from that memory. This execution protection
(NX) feature functions on a per-virtual memory page basis, most often
changing a bit in the page table entry to mark the memory page.



On these processors, Windows XP Service Pack 2 uses the execution
protection feature to prevent the execution of code from data pages.
When an attempt is made to run code from a marked data page, the
processor hardware raises an exception immediately and prevents the
code from executing. This prevents attackers from overrunning a data
buffer with code and then executing the code; it would have stopped
the Blaster worm dead in its tracks.



Although the support for this feature is currently limited to 64-bit
processors, Microsoft expects future 32-bit and 64-bit processors to
provide execution protection.


Sandboxing

To help control this type of attack on existing 32-bit processors,
Service Pack 2 adds software checks to the two types of memory storage
used by native code: the stack, and the heap. The stack is used for
temporary local variables with short lifetimes; stack space is
automatically allocated when a function is called and released when
the function exits. The heap is used by programs to dynamically
allocate and free memory blocks that may have longer lifetimes.

The protection added to these two kinds of memory structures is called
sandboxing. To protect the stack, all binaries in the system have been
recompiled using an option that enables stack buffer security checks.
A few instructions added to the calling and return sequences for
functions allow the runtime libraries to catch most stack buffer
overruns. This is a case where a little paranoia goes a long way.

In addition, "cookies" have been added to the heap. These are special
markers at the beginning and ends of allocated buffers, which the
runtime libraries check as memory blocks are allocated and freed. If
the cookies are found to be missing or inconsistent, the runtime
libraries know that a heap buffer overrun has occurred, and raise a
software exception.



- from Microsoft.com

Heap Design



Heap is a reserved address space region at least one page large from
which the heap manager can dynamically allocate memory in smaller
pieces. The heap manager is represented by a set of function for
memory allocation/freeing which are localised in two places: ntdll.dll
and ntoskrnl.exe.



Every process at creation time is granted with a default heap, which
is 1MB large (by default) and grows automatically as need arise. The
default heap is used not only by the win32 apps, but also by many
runtime library functions which need temporary memory blocks. A
process may create and destroy additional private heaps by calling
HeapCreate()/HeapDestroy(). Use of the private heaps` memories is
established by calling HeapAlloc() and HeapFree().


[*] More detailed information about the heap management functions is
provided in the Win32 API documentation.



Memory in heaps is allocated by chunks called 'allocation units' or
'indexes' which are 8-byte large. Therefore, allocation sizes have a
natural 8-byte granularity. For example if an application needs a
24-byte block the number of allocation units it gets 3 allocation
units. In order to manage memory for every block a special header is
created, which also has a size divisible by 8 (fig. 1, 2). Therefore a
true memory allocation size is a total of the requested memory size,
rounded up towards a nearest value divisible by 8 and the size of the
header.

Replying to this thread as well, even if it is a repost:

This is not a vulnerability or a security hole in XP/DEP. It just means that
there is a possibility that if an application is written a certain way and
contains a vulnerability that XP's software DEP wouldn’t be able to stop a
buffer overflow from occurring were that vulnerability to be attacked.

Fact is XP SP2 is still far less likely to be vulnerable to buffer overflow
attacks than it's predecessors because DEP can stop a lot of types of buffer
overflows from occurring.

"anonymous" wrote:

-------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no
rights. You assume all risk for your use.
-------------------------------------------------------------------

Defeating Microsoft Windows XP SP2 Heap protection
and DEP bypass


Alexander Anisimov, Positive Technologies.
( anisimov[at]ptsecurity.com, http://www.ptsecurity.com )

Overview


Memory protection

Buffer overrun attacks are among the most common mechanisms, or
vectors, for intrusion into computers. In this type of exploit, the
attacker sends a long string to an input stream or control – longer
than the memory buffer allocated to hold it. The long string injects
code into the system, which is executed, launching a virus or worm.



Windows XP Service Pack 2 uses two general categories of protection
measures to inhibit buffer-overrun attacks. On CPUs that support it,
the operating system can turn on the execution protection bit for
virtual memory pages that are supposed to hold only data. On all CPUs,
the operating system is now more careful to reduce both stack and heap
buffer overruns, using "sandboxing" techniques.



Execution Protection (NX)

On the 64-bit AMD K8 and Intel Itanium processor families, the CPU
hardware can mark memory with an attribute that indicates that code
should not be executed from that memory. This execution protection
(NX) feature functions on a per-virtual memory page basis, most often
changing a bit in the page table entry to mark the memory page.



On these processors, Windows XP Service Pack 2 uses the execution
protection feature to prevent the execution of code from data pages.
When an attempt is made to run code from a marked data page, the
processor hardware raises an exception immediately and prevents the
code from executing. This prevents attackers from overrunning a data
buffer with code and then executing the code; it would have stopped
the Blaster worm dead in its tracks.



Although the support for this feature is currently limited to 64-bit
processors, Microsoft expects future 32-bit and 64-bit processors to
provide execution protection.


Sandboxing

To help control this type of attack on existing 32-bit processors,
Service Pack 2 adds software checks to the two types of memory storage
used by native code: the stack, and the heap. The stack is used for
temporary local variables with short lifetimes; stack space is
automatically allocated when a function is called and released when
the function exits. The heap is used by programs to dynamically
allocate and free memory blocks that may have longer lifetimes.

The protection added to these two kinds of memory structures is called
sandboxing. To protect the stack, all binaries in the system have been
recompiled using an option that enables stack buffer security checks.
A few instructions added to the calling and return sequences for
functions allow the runtime libraries to catch most stack buffer
overruns. This is a case where a little paranoia goes a long way.

In addition, "cookies" have been added to the heap. These are special
markers at the beginning and ends of allocated buffers, which the
runtime libraries check as memory blocks are allocated and freed. If
the cookies are found to be missing or inconsistent, the runtime
libraries know that a heap buffer overrun has occurred, and raise a
software exception.



- from Microsoft.com

Heap Design



Heap is a reserved address space region at least one page large from
which the heap manager can dynamically allocate memory in smaller
pieces. The heap manager is represented by a set of function for
memory allocation/freeing which are localised in two places: ntdll.dll
and ntoskrnl.exe.



Every process at creation time is granted with a default heap, which
is 1MB large (by default) and grows automatically as need arise. The
default heap is used not only by the win32 apps, but also by many
runtime library functions which need temporary memory blocks. A
process may create and destroy additional private heaps by calling
HeapCreate()/HeapDestroy(). Use of the private heaps` memories is
established by calling HeapAlloc() and HeapFree().



[*] More detailed information about the heap management functions is
provided in the Win32 API documentation.



Memory in heaps is allocated by chunks called 'allocation units' or
'indexes' which are 8-byte large. Therefore, allocation sizes have a
natural 8-byte granularity. For example if an application needs a
24-byte block the number of allocation units it gets 3 allocation
units. In order to manage memory for every block a special header is
created, which also has a size divisible by 8 (fig. 1, 2). Therefore a
true memory allocation size is a total of the requested memory size,
rounded up towards a nearest value divisible by 8 and the size of the
header.