
Bugtraq mailing list archives

Re: machine independent protection from stack-smashing attack
From: Yarrow Charnot <ycharnot () IDENTIKEY COM>
Date: Mon, 11 Sep 2000 09:55:35 +0400

>> Microsoft purposely doesn't allow pages to be non-executable,
>> leaving an easily exploitable hole to allow NSA hack into any Windows
>> server or workstation exploiting buffer overflows.

> Can you rephrase that? I _hope_ I didn't understand it right!

Well, let me describe it in three steps.

Step 1. VirtualProtectEx behaviour:

VirtualProtectEx (hProcess, lpAddress, dwSize, PAGE_EXECUTE_READ, &oldattr)

has exactly the same effect as

VirtualProtectEx (hProcess, lpAddress, dwSize, PAGE_READONLY, &oldattr)

(READONLY or READWRITE doesn't matter)

In other words, if the attribute READ is set, the page is automatically made
EXECUTABLE. If you trace NT and 9X kernels up to the point where they set
that attribute, they ignore your request to make it READ-ONLY
(NON-EXECUTABLE) on purpose. What purpose? Who on Earth would want to keep
your data segments executable??? If you want to make it executable, one call
to this function enables it for you! Why did they restrict its behaviour
completely disallowing *READ ONLY* pages???

15 years of software reverse engineering experience allow me to easily
distinguish between a mistake in the code and a backdoor inserted on
purpose. I don't believe M$ would want to keep themselves constantly hurt by
all the scandals caused by "hackers" exploiting buffer overflows in their M$
LookOut, M$ Internet Exploder, M$ Ward, Windoze kernel etc with such a
simple solution in their own hands as removing that EXEC flag from all DATA
sections. I don't buy that bullshit about Java or "other programming
languages" that "require" your stack to be executable.

Step 2. The US Government restricts export of more secure than B2 operating
systems. Therefore the US companies in order to keep their software (and
hardware) exportable are forced to keep it all hackable (exploitable,
breakable, whatever you call it - not "too secure" that is).

Step 3. As an example, ASIO (the Australian equivalent to CIA and SS) has
made the Australian parliament pass the law (!!!) allowing them (literally
and legally) to *hack* into any computer, cover their tracks or presence, deny
the fact they have done anything and not be held responsible for any of
their actions, including destruction or modification of the data or code
in those computer systems. Doesn't it make you wonder?

Freaky? - Indeed. News? - Not really.

> And if a reliable source of randomness is really such a problem,

Geee thanks!


- Yarrow Charnot

Identikey - The Key To Internet Security
The views expressed in this message are those of the
individual sender, except where the sender specifically
states them to be the views of Identikey (Australia) Pty Ltd.
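Step 1's observation is what pre-NX x86 paging could express: the page tables had no execute-permission bit, so any readable page was executable whatever the caller asked for. As an added example (not code from the post), here is the same probe on Linux/x86-64 or AArch64 using mprotect in place of VirtualProtectEx: mark a page read-only, try to execute it, and report whether the kernel and CPU refuse, which is the expected result on any NX-capable system.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
static sigjmp_buf fault_env;
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);   /* unwind out of the faulting call */
}

/* Returns 1 if executing a read-only page faulted (no-execute enforced),
 * 0 if the page ran anyway, -1 if the probe could not be set up. */
int readonly_page_is_nonexecutable(void) {
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesize, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    /* One "return" instruction: if the page executes, the call just returns. */
#if defined(__aarch64__)
    static const unsigned char ret_insn[] = { 0xC0, 0x03, 0x5F, 0xD6 };  /* ret */
#else
    static const unsigned char ret_insn[] = { 0xC3 };                    /* ret (x86) */
#endif
    memcpy(page, ret_insn, sizeof ret_insn);
    /* The equivalent of PAGE_READONLY: readable, explicitly not executable. */
    if (mprotect(page, pagesize, PROT_READ) != 0) { munmap(page, pagesize); return -1; }
    struct sigaction sa = { 0 }, old;
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old);
    int enforced;
    if (sigsetjmp(fault_env, 1) == 0) {
        void (*volatile fn)(void) = (void (*)(void))page;
        fn();           /* returns only if "readable implies executable" */
        enforced = 0;
    } else {
        enforced = 1;   /* SIGSEGV: the read-only page did not execute */
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(page, pagesize);
    return enforced;
}

int main(void) {
    int r = readonly_page_is_nonexecutable();
    printf("read-only page non-executable: %s\n", r == 1 ? "yes" : r == 0 ? "NO" : "probe failed");
    return r == 1 ? 0 : 1;
}
```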
