Defeating Windows XP SP2 buffer overflow protection

Windows XP SP2 is built with some memory protection features intended to prevent the exploitation of buffer overflows. Definitely a good idea, but unfortunately they're not perfect, and the guys at Maxpatrol have figured out how to bypass them:
And the second weak spot: the manipulation of the lookaside lists doesn't involve any header sanity checking; there isn't even a simple cookie check there. Theoretically, this makes it possible to overwrite up to 1016 bytes at an arbitrary memory location.

The exploitation scenario could proceed as follows:
if, during the overflow, the coincident memory block is free and residing in the lookaside list, then it becomes possible to replace its Flink pointer with an arbitrary value.
Then, if this block is allocated, the replaced Flink pointer is copied into the header of the lookaside list, and on the next allocation HeapAlloc() will return this fake pointer.

The prerequisite for successful exploitation is the existence of a free block in the lookaside list that neighbours the buffer we overflow.

I'm not an expert on this kind of memory exploit, but it looks to me like this is a simple implementation error on Microsoft's part. It should be relatively straightforward for them to fix, and since it's clear that they're trying to do the right thing, I'd expect them to fix it in some future SP.

The interesting question is what the working envelope of the bypass is. Does it totally defeat SP2's heap protection or are there a substantial number of vulnerabilities which can't be exploited this way? As I read this disclosure, the bug requires that the overflowable buffer be next to some block on the lookaside list, which requires a very specific allocation and freeing order. This suggests that only some fraction of programs will be vulnerable to this bypass technique.
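To make the quoted scenario and the adjacency prerequisite concrete, here is an added simulation in C. It is constructed illustration code, not Windows heap code and not taken from the Maxpatrol paper or from this post: the 8-byte chunk header layout, the fixed cookie value, the `victim` structure standing in for a function-pointer table, and all function names are assumptions. It models a singly linked lookaside list whose pop trusts the Flink without any header check (the SP2 behaviour the write-up describes), overflows a busy chunk into its free neighbour to replace that neighbour's Flink, and shows the allocation after next handing back the fake pointer; a hardened pop that checks heap bounds and the header cookie is included beside it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the lookaside-list weakness (not Windows code).
 * Chunk = 8-byte header {size lo, size hi, flags, cookie, pad[4]} + data.
 * A free chunk on the lookaside list keeps its Flink in the first
 * sizeof(uintptr_t) bytes of its data, right where an overflow of the
 * preceding chunk lands after it has trampled the header. */
#define HDR_SIZE   8
#define DATA_SIZE  32
#define CHUNK_SIZE (HDR_SIZE + DATA_SIZE)
#define NCHUNKS    4
#define COOKIE     0x5a              /* assumed header cookie, fixed here */

static uint8_t   heap[NCHUNKS * CHUNK_SIZE];
static uintptr_t lookaside_head;     /* singly linked; points at a chunk base */

static void benign_handler(void) { }
static int  hijacked;
static void evil_handler(void)   { hijacked = 1; }

/* Stand-in for a sensitive structure the attacker wants the next allocation
 * to land on: HDR_SIZE bytes of whatever precedes a function pointer. */
static struct {
    uint8_t  preamble[HDR_SIZE];
    void   (*handler)(void);
    uint8_t  rest[DATA_SIZE - sizeof(void (*)(void))];
} victim;

static uintptr_t chunk_base(int i) { return (uintptr_t)(heap + i * CHUNK_SIZE); }
static uintptr_t read_flink(uintptr_t c) { uintptr_t f; memcpy(&f, (uint8_t *)c + HDR_SIZE, sizeof f); return f; }
static void      write_flink(uintptr_t c, uintptr_t f) { memcpy((uint8_t *)c + HDR_SIZE, &f, sizeof f); }

static void heap_init(void) {
    memset(heap, 0, sizeof heap);
    for (int i = 0; i < NCHUNKS; i++) {
        uint8_t *h = heap + i * CHUNK_SIZE;
        h[0] = CHUNK_SIZE; h[1] = 0;   /* size */
        h[2] = 0;                      /* flags: 0 = free, 1 = busy */
        h[3] = COOKIE;
    }
    heap[0 * CHUNK_SIZE + 2] = 1;      /* chunk 0: the buffer the program overflows */
    write_flink(chunk_base(1), 0);     /* chunk 1: free, sitting on the lookaside list */
    lookaside_head = chunk_base(1);
    victim.handler = benign_handler;
    hijacked = 0;
}

/* Pop as the SP2 lookaside path is described: trust Flink, check nothing. */
static uintptr_t lookaside_alloc_sp2(void) {
    uintptr_t c = lookaside_head;
    if (!c) return 0;
    lookaside_head = read_flink(c);
    return c + HDR_SIZE;               /* user pointer */
}

/* Hardened pop: only hand out a chunk that lies inside the heap, is chunk-aligned,
 * and whose header still carries the free flag and the cookie. */
static int chunk_is_sane(uintptr_t c) {
    if (c < (uintptr_t)heap || c + CHUNK_SIZE > (uintptr_t)heap + sizeof heap) return 0;
    if ((c - (uintptr_t)heap) % CHUNK_SIZE != 0) return 0;
    const uint8_t *h = (const uint8_t *)c;
    return h[2] == 0 && h[3] == COOKIE;
}
static uintptr_t lookaside_alloc_checked(void) {
    uintptr_t c = lookaside_head;
    if (!c || !chunk_is_sane(c)) { lookaside_head = 0; return 0; }
    lookaside_head = read_flink(c);
    return c + HDR_SIZE;
}

/* The quoted scenario: overflow chunk 0 into its free neighbour chunk 1, replacing
 * chunk 1's Flink; the allocation after next returns the fake pointer.
 * Returns 1 if that allocation landed on victim.handler and it got clobbered. */
int exploit_against(int hardened) {
    uintptr_t (*alloc)(void) = hardened ? lookaside_alloc_checked : lookaside_alloc_sp2;
    heap_init();

    /* Attacker payload: chunk 0's data, chunk 1's header, then the fake Flink. */
    uint8_t payload[DATA_SIZE + HDR_SIZE + sizeof(uintptr_t)];
    memset(payload, 'A', sizeof payload);
    uintptr_t fake = (uintptr_t)&victim;
    memcpy(payload + DATA_SIZE + HDR_SIZE, &fake, sizeof fake);

    /* The vulnerable copy: no length check, runs past chunk 0's data. */
    memcpy(heap + HDR_SIZE, payload, sizeof payload);

    uintptr_t p1 = alloc();            /* returns chunk 1; list head := fake Flink */
    uintptr_t p2 = alloc();            /* SP2 model: returns fake + HDR_SIZE */
    if (!p1 || !p2) return 0;

    /* The program now writes attacker-supplied data into its "new buffer". */
    void (*fp)(void) = evil_handler;
    memcpy((void *)p2, &fp, sizeof fp);
    victim.handler();
    return hijacked;
}

int main(void) {
    printf("SP2-style lookaside: hijacked=%d\n", exploit_against(0));
    printf("checked lookaside:   hijacked=%d\n", exploit_against(1));
    return 0;
}
```

In the unchecked run the first pop hands out chunk 1 and silently installs the attacker's Flink as the new list head, so the second pop returns a pointer into `victim` and the program's ordinary copy into that "buffer" overwrites the function pointer. In the checked run the first pop already fails, because the overflow had to pass through chunk 1's header to reach its Flink and so destroyed the cookie and free flag; had the attacker been able to preserve those header bytes, the bounds and alignment test would still reject the fake head on the second pop. Both checks are exactly the header sanity checking the quoted text says the lookaside path lacks.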
