• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Preventing Exploits post from Bugtraq

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Exploits // System Weaknesses

View previous topic :: View next topic  
Author Message
b4rtm4n
Trusted SF Member
Trusted SF Member


Joined: 26 May 2002
Posts: 16777206
Location: Bi Mon Sci Fi Con

Offline

PostPosted: Tue Feb 04, 2003 4:47 pm    Post subject: Preventing Exploits post from Bugtraq Reply with quote

You do all subscribe to Bugtraq don't you?? Wink

I thought that this was worthy of reposting in sfdc in its entirity.

Quote:

From: David Litchfield [mailto:david@ngssoftware.com]
Sent: 04 February 2003 05:09
To: bugtraq@securityfocus.com; ntbugtraq@listserv.ntbugtraq.com;
vulnwatch@vulnwatch.org
Subject: Preventing exploitation with rebasing


Defeating Exploits
**************
The ideas in this "paper" present a method for defeating exploits; not
the actual vulnerability. Before getting to the details let's consider
slammer (again).

What made slammer so successful?
The overriding factor that made slammer so successful was it's ability
to spread. What made it's spread a foregone conclusion was the fact that
every vulnerable SQL Server/MSDE had a "jmp esp" instruction at address
0x42B0C9DC. This was the address that was used to gain control of the
SQL Server's path of execution to a point where the worm's payload, the
"arbitrary code", would be executed.

This address is in a dynamic link library (DLL) , sqlsort.dll which has
an "image base" of 0x42AE0000.

Every image file, DLL or executable, has an "Image Base" and this base
is the preferred location where the file should be loaded into memory by
the Windows Loader. [I don't want to digress, here, as to what happens
if there's a conflict. See the references at the end.] Now if this Image
Base on one particular system had been 0x42AF0000 then the worm would
have failed to infect this particular box; the "jmp esp" instruction
that should've been at 0x42B0C9DC on this system would be found at
0x42B1C9DC so the worm would have been off target. The SQL Server
running on this system, whilst still being "vulnerable" to the buffer
overflow vulnerability would have been invulnerable to this worm. Sure -
the SQL Server may have crashed - but it would not have been
compromised.

It's like sickle cell. Someone born with the gene that causes sickle
cell anaemia, a blood disorder that affects many people of a West
African origin, or carriers of the gene, sickle cell trait, do not
suffer from the ill affects of malaria, a disease caused by a parasite
and most commonly spread by mosquitoes. Whilst someone with sickle cell
trait can still catch malaria, the gene mutates the haemoglobin in their
blood in such a way that they are invulnerable to the debilitating side
effects and syptoms of the disease such as mental confusion, coma and
death. There is an obvious evolutionary advantage to sickle cell trait;
remember that the evolution of the species cares not about how long a
person lives, only that they live long enough to pass on their genes.
(Those with anaemia may suffer from crises, periods of acute pain so the
trade off is somewhat questionable.)

In areas where malaria is a common cause of death, being a carrier of
the sick cell gene can help ensure that this person lives long enough to
have progeny. This is Darwinian natural selection in progress.

Rebasing
*******
The problem with operating systems is that they all have pretty much the
same "genetic code" which makes each and every one of them vulnerable to
a new exploit. So we need to make them different and this can be
achieved through rebasing. Rebasing is the process of changing the Image
Base of an image file. By doing this the DLL/EXE is loaded into a
different location in the virtual address space.

Going back to Slammer, had I have rebased sqlsort.dll giving it a new
base of 0x41410000 my box would have been invulnerable to the worm. If
another worm were written, though, that used an address that contained a
"jmp esp" instruction in kernel32.dll then I would be vulnerable. So I
rebase kernel32.dll. But then another worm uses another DLL so I rebase
that one, too. Eventually I've rebased all of the DLLs used by SQL
Server mutating it's "genetic code", making it considerably different to
any other SQL Server install on the planet. In fact if I rebase every
DLL on my system and every executable then I can make my box almost
invulnerable to a given exploit, past, present or future. It's not that
my box is invulnerable to a buffer overflow vulnerability - it's just
invulnerable to the exploits for it. To gain control of a system
protected in such a way would require that the author of the exploit
know the location of loaded DLLs.

So how easy is it to rebase DLLs and executables? Very. Microsoft have
provided a function to do this, ReBaseImage(), exported by imagehlp.dll.
If you rebase an image the new base must be on a 64K boundary - i.e. if
the image base mod 64000 !=0 the base is not valid.

The only other problem is Windows File Protection. Once you've rebased a
copy of the DLL you need to copy the new DLL over the old one but
Windows File Protection won't allow you to do this. To get around the
problem use the MoveFileEx and specifying the
MOVEFILE_DELAY_UNTIL_REBOOT flag. Doing this will add a registry value,
"PendingFileRenameOperations" to
HKLM\System\CurrentControlSet\Control\Session Manager\. You then need to
add another DWORD value "AllowProtectedRenames" and set it to 1. Then
restart the system. On reboot the new DLLs, with their new image bases,
will be loaded. For example - here is sample output of listdlls after
kernel32.dll and ws2_32.dll have been rebased.


Copyright (C) 1997-2000 Mark Russinovich http://www.sysinternals.com

------------------------------------------------------------------------
----
--
WINLOGON.EXE pid: 208
Command line: winlogon.exe

Base Size Version Path
0x01000000 0x2e000
\??\C:\WINNT\system32\winlogon.exe
0x77f80000 0x7b000 5.00.2195.5400 C:\WINNT\System32\ntdll.dll
0x78000000 0x46000 6.01.9359.0000 C:\WINNT\system32\MSVCRT.dll
0x4a4a0000 0xb1000 5.00.2195.6011 C:\WINNT\system32\KERNEL32.dll
0x77db0000 0x5b000 5.00.2195.5992 C:\WINNT\system32\ADVAPI32.dll
0x77d30000 0x71000 5.00.2195.5419 C:\WINNT\system32\RPCRT4.dll
0x54530000 0x13000 5.00.2195.4874 C:\WINNT\system32\WS2_32.dll
..
..

Now all the way through this I've been saying things like "almost
invulnerable" etc. Here's the reason. For some vulnerabilities it may be
sufficient to overwrite a saved return address, function pointer or
whatever by only a few bytes. For example assume a saved return address
is 0x44784500 and at address 0x44784536 is a "jmp ebx" instruction and
ebx points to our code. Then we only need to overwrite the saved return
address by 1 byte - with 0x36. So knowledge of the DLL load address is
not needed. However, this scenario is going to happen so infrequently
(if ever) that it does not detract from the idea of rebasing your
system. There may other ways to bypass this method.

Some ideas to further help prevent exploits from working.

Use addresses such as 0x**000000 or 0x00**0000 for the new image base.
With there being a NULL in much of the image's address space this will
help. (This of course won't make a difference with unicode overflows)

Ensure at least one (core) DLL has a base of 0x00119400 . This will
ensure that a common stack location 0x00120000 has been assigned forcing
the OS to chose another location for the stack. You get the idea.

Feel free to mail me/lists with comments.

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/


MSDN Info
ReBaseImage()
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/b
ase/
rebaseimage.asp
MoveFileEx()
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/
base
/movefileex.asp
Back to top
View user's profile Send private message Send e-mail
flw
Forum Fanatic
Forum Fanatic


Joined: 27 May 2002
Posts: 16777215
Location: U.S.A.

Offline

PostPosted: Tue Feb 04, 2003 7:41 pm    Post subject: Reply with quote

For those that don't subscribe to bugtraq but wish go here http://www.securityfocus.com/cgi-bin/sfonline/subscribe.pl

I think this is b4rtm4n's most important point to those new to security

Lists you can subcribe to currently are:
(more details on each one if your not sure what it is for at the url above)

ARIS Users
* BugTraq
Bugtraq-ES
Bugtraq-JP
cisspstudy
FOCUS-BSD
* FOCUS-IDS
FOCUS-IH
* FOCUS-LINUX
* FOCUS-MS
* FOCUS-SUN
FOCUS-UNIX-OTHER
FOCUS-VIRUS
* Forensics
Honeypots
* Incidents
Libnet
Linux-SecNews
MS-SecNews
* Pen-Test
SecEvents
SecPapers
SecProg
SecTools
* Secure Shell
SECURITY-BASICS
Security Certification
Security Jobs
SecurityFocus News
Vuln-Dev
Web Application Security

*=high volume email updates
Back to top
View user's profile Send private message Visit poster's website
b4rtm4n
Trusted SF Member
Trusted SF Member


Joined: 26 May 2002
Posts: 16777206
Location: Bi Mon Sci Fi Con

Offline

PostPosted: Sat Feb 08, 2003 1:18 am    Post subject: Reply with quote

I've been trying to think of a witty reposte here but flw has provided the concice list that I wish I had access to 4 years ago.

If you can handle the volume subscribe to all!
Back to top
View user's profile Send private message Send e-mail
flw
Forum Fanatic
Forum Fanatic


Joined: 27 May 2002
Posts: 16777215
Location: U.S.A.

Offline

PostPosted: Sat Feb 08, 2003 2:38 am    Post subject: Reply with quote

Quote:
If you can handle the volume subscribe to all!


If someone decides to do this you'll have more mail than you could ever read. You may even think your under some sort of spam attack. Mad
Back to top
View user's profile Send private message Visit poster's website
b4rtm4n
Trusted SF Member
Trusted SF Member


Joined: 26 May 2002
Posts: 16777206
Location: Bi Mon Sci Fi Con

Offline

PostPosted: Sun Feb 09, 2003 12:23 am    Post subject: Reply with quote

Thats wot the office net link is 4 WinkWinkWink
Back to top
View user's profile Send private message Send e-mail
Jason
Forum Fanatic
Forum Fanatic


Joined: 19 Sep 2002
Posts: 16777215


Offline

PostPosted: Sun Feb 09, 2003 3:38 am    Post subject: Reply with quote

What i do is subscribe to about 8 of the groups, never post etc, but store all the downloaded messages on Outlook. When i need an exploit or some ideas, doing a search of the downloaded messages can provide some useful info.

J
Back to top
View user's profile Send private message Send e-mail
igir3dsk1
Just Arrived
Just Arrived


Joined: 28 Sep 2002
Posts: 4
Location: 7h3 !n73rn37 :)

Offline

PostPosted: Sun Feb 09, 2003 3:51 am    Post subject: Reply with quote

I subscribed to 5 and I dont have enough space to save them, not in my msn account. Very Happy

-r-
Back to top
View user's profile Send private message Visit poster's website MSN Messenger
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Exploits // System Weaknesses All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register