Topic created on: January 13, 2009 01:55 CST by nezumi.
Wandering over the Windows kernel, nezumi found very screwy code: W2K SP4 gives PEB/TEB r-w-x attributes, so PEB and TEB are executable! It's easy to check with OllyDbg (View -> Memory).
XP SP3 and S2K3 SP1 come without this bug, but what about other systems? Let's find out! I wrote a simple system info collector. Please download it and tell us the result. Thanks!
Current results:
W2K SP4 - PEB and TEB are executable;
XP SP3 - PEB and TEB are _not_ executable;
S2K3 SP1 - PEB and TEB are _not_ executable;
Vista SP1 - PEB and TIB are _not_ executable;
XP SP2 - PEB and TIB are _not_ executable.
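A check of the kind nezumi's collector performs, added here as an example (not the original tool): it looks up the current process's TEB and PEB and reports the page protection that VirtualQuery returns for each. The API names and PAGE_* values are the real Windows ones; the lookups assume Python 3 with ctypes on Windows, while the flag-decoding helpers run anywhere.

```python
import ctypes
import sys
PVOID, ULONG, LONG, SIZE_T = ctypes.c_void_p, ctypes.c_ulong, ctypes.c_long, ctypes.c_size_t
# PAGE_* / MEM_* constants from winnt.h (real Windows values).
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_GUARD, PAGE_NOCACHE, PAGE_WRITECOMBINE, MEM_COMMIT = 0x100, 0x200, 0x400, 0x1000
PROTECT_NAMES = {0x01: "---", 0x02: "r--", 0x04: "rw-", 0x08: "rw-(cow)",
                 0x10: "--x", 0x20: "r-x", 0x40: "rwx", 0x80: "rwx(cow)"}

def describe_protect(protect):
    """Decode a VirtualQuery Protect value; modifier bits (PAGE_GUARD etc.) are masked off."""
    return PROTECT_NAMES.get(protect & ~(PAGE_GUARD | PAGE_NOCACHE | PAGE_WRITECOMBINE), "?")

def is_rwx(protect):
    """True when a region is writable and executable at once (what the thread checks PEB/TEB for)."""
    return bool(protect & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY))

class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("BaseAddress", PVOID), ("AllocationBase", PVOID), ("AllocationProtect", ULONG),
                ("RegionSize", SIZE_T), ("State", ULONG), ("Protect", ULONG), ("Type", ULONG)]
class THREAD_BASIC_INFORMATION(ctypes.Structure):  # ThreadBasicInformation, info class 0
    _fields_ = [("ExitStatus", LONG), ("TebBaseAddress", PVOID), ("UniqueProcess", PVOID),
                ("UniqueThread", PVOID), ("AffinityMask", SIZE_T), ("Priority", LONG), ("BasePriority", LONG)]

def query_protect(address):
    """Windows only: Protect of the committed region holding `address` (0 if not committed)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.VirtualQuery.argtypes, k32.VirtualQuery.restype = [PVOID, PVOID, SIZE_T], SIZE_T
    mbi = MEMORY_BASIC_INFORMATION()
    if not k32.VirtualQuery(address, ctypes.byref(mbi), ctypes.sizeof(mbi)):
        raise ctypes.WinError(ctypes.get_last_error())
    return mbi.Protect if mbi.State == MEM_COMMIT else 0

def current_teb_and_peb():
    """Windows only: TEB base via NtQueryInformationThread; PEB read from TEB+0x30 (x86) / +0x60 (x64)."""
    ntdll, k32 = ctypes.WinDLL("ntdll"), ctypes.WinDLL("kernel32")
    k32.GetCurrentThread.restype = PVOID  # pseudo-handle, must stay pointer-sized
    ntdll.NtQueryInformationThread.argtypes = [PVOID, ULONG, PVOID, ULONG, PVOID]
    tbi = THREAD_BASIC_INFORMATION()  # the kernel insists on the exact structure size
    status = ntdll.NtQueryInformationThread(k32.GetCurrentThread(), 0, ctypes.byref(tbi), ctypes.sizeof(tbi), None)
    if status != 0:
        raise OSError(f"NtQueryInformationThread failed, NTSTATUS {status & 0xFFFFFFFF:#x}")
    teb = tbi.TebBaseAddress
    peb = PVOID.from_address(teb + (0x60 if ctypes.sizeof(PVOID) == 8 else 0x30)).value
    return teb, peb

if __name__ == "__main__" and sys.platform == "win32":
    teb, peb = current_teb_and_peb()
    for name, addr in (("PEB", peb), ("TEB", teb)):
        prot = query_protect(addr)
        print(f"{name} @ {addr:#x}: {describe_protect(prot)} (rwx: {'yes' if is_rwx(prot) else 'no'})")
```

On any system with DEP-era protections you should see rw- for both blocks; rwx is the W2K SP4 result the thread reports.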
|
It's not about the operating system version whether you can execute PEB or TEB (they are actual data); it's about whether DEP (Data Execution Prevention) is enabled or not.
For 32-bit, DEP works via the No-Execute (NE) bit and is only available if your processor supports the 36-bit extension (PAE, Page Address Extension).
For 64-bit, all modern processors from AMD and Intel support the NE bit by default.
-> You can also enable it in Windows to be active for Windows programs only or system-wide.
Paging (except for the NE bit) does not know about executable or not; if you can read the page (the page must be present and the User/System bit must fit your CPL), then you can execute it (not considering DEP).
Greetings from Austria,
Kleissner
|
@Kleissner
I think nezumi is aware of how DEP works ;DDDD Otherwise he wouldn't be looking for vulnerabilities in its internals, right? ;>
|
Actually, I think he's not aware of DEP. I don't think the feature was invented in 2000 already?!?
Taking an old version should not surprise you with such things...
|
Kleissner:
DEP is not the only mechanism preventing code execution. Long before NX/XD there was PaX and its NT port called BufferShield. Old x86 supports an executable attribute for segments, but not for pages, so it's possible to split the flat memory into pieces of segments with the executable bit set (for code) and unset (for data). It worked well.
Nowadays hardware NX/XD bits allow us to make any page executable or non-executable. Basically, DEP is a very simple thing. Even W^X is harder :-)
I'm just trying to find a memory block with r-w-x attributes. Do not ask me what it's for; you know the answer :-) NT 4.0 and W2K have no DEP support, but they do have r-w-x PEB/TEB blocks. Had XP the same r-w-x it would be... oh, man! Instead of using VirtualProtect | VirtualAlloc it would be possible to copy shell-codes into PEB/TEB. But this bug has been fixed, and neither XP nor S2K3 is vulnerable this way.
P.S. special thanks to neoxfx, Gynvael Coldwind and omeg for testing different OSes.
|
Nobody uses segmentation any more, not in Windows, not anywhere else; -> flat memory model.
And DEP is not preventing code execution but data execution, actually, honestly ;)
What are you talking about? r-w-x? We have just page flags (page table entry and such stuff) and nothing else.
=> I'm talking about processor features that prevent you from executing stuff, and you?
If you do not have DEP in Windows = no-execute flag enabled, then you can execute every memory that is readable IN WINDOWS.
Greetings
|
Actually, just about every modern x86-based operating system uses segmentation. It isn't used much for actual memory management, but it is used for privilege separation. The only difference between ring 0 and 3 is the DPL set in your segment register. Also, there was a patch to one of Red Hat's kernels (this may be Solar Designer's patch) that used segmentation *specifically* to disallow execution on the stack. That's how the protection worked before the N^X bit existed.
|
Do you think I'm stupid? Are you all noobs?
AS I WROTE, JUST FLAT MEMORY MODEL, or don't you know what that is? Man, I wrote an OS; it is annoying here, "do you know this", "do you know that", n00bs.
You don't have to teach me; look at my page if you don't know me. I already wrote a full OS with paging and all that stuff, including memory management, ATA/ATAPI drivers, FAT, NTFS, blah.
Where did you get your information? Read the Intel manual or let it go.
HONESTLY
I mean, look just at the first post: "XP SP3 and S2K3 SP1 come without this bug" and "XP SP3 - PEB and TEB are _not_ executable;". You are stupid besserwissers, come on.
noobs
|
"nobody uses segmentation any more, not in Windows, not anywhere else; -> flat memory model"
What about NaCl? It uses segmentation.
HONESTLY, I think you should consider changing your attitude, because the way you write has nothing to do with professionalism. Otherwise, continuing this discussion is pointless.
|
YOU are not professional. It's perfectly okay saying nobody uses segmentation, and with that I mean segmentation in its way of protecting memory ranges using base and limit address. If you do not understand that, I'm sorry, but you do not have any experience with operating system development.
A flat memory model means setting the limit to max. (= 4 GB) and the base to zero and just using the segments for different PLs, for those people who have no idea.
|
Kleissner,
Maybe you're right... Coldwind has not done any OS development, he is a noob, is that what you're trying to say?
From what I know he has contributed a lot of things to the reversing community. He is one of the persons I have much respect for, and I enjoy reading his stuff. How about you? After being here for years, I have not seen you contributing anything so far, and sorry to say that I just realized your existence after reading your comments, which mean nothing other than showing that you think you're smarter than the people here who have contributed so much. Maybe you are. But talk is cheap; contribute something useful or learn how to respect others, and they might teach you something useful.
|
Oh yeah,
I need to "share" something with you, especially about this:
"and DEP is not preventing code execution but data execution, acutally, honestly ;)" - Kleissner
Code can become data, data can become code...
If you don't understand what I am trying to say, I think it's pointless for you to waste your time posting here...
|
I am sorry, my words were a bit hard; please don't take it personally.
Of course you're right, it's more about contribution than words; this is why I am here and posting.
|
A flat memory model does not mean there are no segments.
There are, be sure. Talking about app level, Win32 uses two selectors: 1Bh for CS, and 23h for SS, DS and ES. They all have base zero and FFFFFFFFh limit, so basically they are _almost_ the same. mov eax, ss:[esp-4] and mov eax, ds:[esp-4] are _almost_ the same, but... there is a trap. The CPU allows us to load selectors 0..3 into the DS, ES, FS, GS registers. As a result, any access to memory with DS/ES/FS/GS causes an access violation. But you can't load 0..3 into CS or SS. So, there is the difference.
And don't forget FS. Yeah, yeah, basically it's just a pointer to a memory block mapped into the flat address space; however, it's a very popular segment.
Meanwhile, consider the following code:
xor eax, eax
mov eax, fs:[eax]
And compare it with:
mov eax, fs
mov ds, eax
xor eax,eax
mov eax, [eax]
mov eax, SS:[eax]
Don't remove SS unless you want to crash your system.
Well, are you still thinking there are no segments?
GetThreadSelectorEntry(), NtSetLdtEntries() mean nothing to you? Um? Try to write your own debugger to understand that you really need GetThreadSelectorEntry() to translate FS content into linear addresses (like OllyDbg does).
|