
siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
reply to redwolfe_98

Re: IE Zero-Day

Also see:
»blogs.technet.com/b/srd/archive/···ers.aspx
Hat Tip to Wilders



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

2 recommendations

That's the same link that chachazz posted.

(Look in the "quoted" part)
--
Don't feed trolls--it only makes them grow!



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

Noted



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

Well, I only know 'cause I clicked on both. That's where I got my quote from.
--
Don't feed trolls--it only makes them grow!



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17

Some slight duplication of effort never hurt anybody. Better than no information. Voila.



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

Not to sound like an idiot, but wouldn't referencing an object after it's been removed or freed up (made null) cause a Null Reference Exception? I know that happens when I try to access object variables that I've not set to something with "New Object()".

This happens in VB.NET, C#, and even Java.
--
Tom
Boycott AT&T uVerse! | Tom's Android Blog | AOKP (The Android Open Kang Project)



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit

said by trparky:

Not to sound like an idiot, but wouldn't referencing an object after it's been removed or freed up (made null) cause a Null Reference Exception?

I haven't looked into it in any detail, but apparently there are some rather clever techniques that can be used to access deallocated memory. Take a look at the EMET manual, as it has basic explanations of some common tricks.
--
Don't feed trolls--it only makes them grow!
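The point trparky's question and StuartMW's reply circle around, shown as an added example in C (not code from the thread): in native code, freeing an object does not set the pointer to null, so a null check never fires, and the stale pointer still refers to memory that the allocator may have handed to something else. The toy arena allocator, `widget_t` and the function names are constructed for the illustration; the fixed version nulls the pointer at the point of free so the check actually works.

```c
#include <stddef.h>
#include <string.h>

/* Constructed toy heap: two fixed slots. Like a real allocator, freeing a
   slot makes it available to the next allocation of that size. */
#define SLOTS 2
#define SLOT_SIZE 32
typedef union { unsigned char bytes[SLOT_SIZE]; void *align; } slot_t;
static slot_t arena[SLOTS];
static int slot_in_use[SLOTS];

static void arena_reset(void) { memset(slot_in_use, 0, sizeof slot_in_use); }
static void *arena_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!slot_in_use[i]) { slot_in_use[i] = 1; return arena[i].bytes; }
    return NULL;
}
static void arena_free(void *p) {        /* cannot null the caller's pointer */
    for (int i = 0; i < SLOTS; i++)
        if (p == (void *)arena[i].bytes) slot_in_use[i] = 0;
}

/* A tiny "object" holding a function pointer, like one C++ vtable slot. */
typedef struct { int (*on_click)(void); } widget_t;
static int hello_click(void) { return 1; }
static int other_click(void) { return 2; }

/* Buggy pattern: the widget is freed but the old pointer is kept and used.
   The null check cannot help because free never touches the pointer. */
int buggy_dispatch(void) {
    arena_reset();
    widget_t *w = arena_alloc();
    w->on_click = hello_click;
    arena_free(w);                       /* w still holds the old address */
    widget_t *other = arena_alloc();     /* the allocator reuses that slot */
    other->on_click = other_click;
    if (w == NULL) return 0;             /* never taken */
    return w->on_click();                /* runs other_click via the stale pointer */
}

/* Fixed pattern: null the pointer where it is freed, so the check fires. */
#define SAFE_FREE(p) do { arena_free(p); (p) = NULL; } while (0)
int fixed_dispatch(void) {
    arena_reset();
    widget_t *w = arena_alloc();
    w->on_click = hello_click;
    SAFE_FREE(w);
    widget_t *other = arena_alloc();
    other->on_click = other_click;
    if (w == NULL) return 0;             /* now taken */
    return w->on_click();
}
```

The buggy path returns 2 without any fault because the freed memory is still mapped and now holds a different object; that is why a managed-language null reference exception never enters the picture.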


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
reply to trparky

I'm not big on code, trparky. When I was an IE MVP, I could have asked the IE Team at MS. I no longer have that option accessible to me.

What we have in this thread is the latest information.

I suspect we will know more in the forthcoming days if MS will issue an out-of-band patch or perhaps a FixIt.



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

1 recommendation

Oh shit, I think I know how this exploit may work.

There's an attack technique which is used to overwrite the Structured Exception Handler which would, in any other case, catch the Null Reference Exception and handle it cleanly so that the program would not appear to crash.

But in the case of this exploit, it would overwrite the Structured Exception Handler using either a Stack-based Buffer Overflow or Heap Spray attack. Then, something (a call to a null object, in this case) would be used to trigger the Exception Handler, and since it's been overwritten with arbitrary code, the program would then be vulnerable to attack.

All of which EMET helps guard a program against.
--
Tom
Boycott AT&T uVerse! | Tom's Android Blog | AOKP (The Android Open Kang Project)



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

There's something called Structured Exception Handling Overwrite Protection, or SEHOP. It prevents attackers from using the SEH overwrite technique by verifying that the thread's exception handler list is intact before allowing any of the registered exception handlers to be called or executed. This mitigation technique is made possible by a side effect of overwriting the SEH: the pointer in the program's memory stack is corrupted in the process of overwriting the SEH, so the integrity of the exception handling chain is broken.

An Exception Handler is anything that may include the use of TRY, CATCH, and FINALLY.

I did a presentation on various exploit techniques for my end of class project for my CompTIA Security+ prep class. I covered the use of EMET extensively so I had to actually do some research into how many of these attacks work on a basic level.
--
Tom
Boycott AT&T uVerse! | Tom's Android Blog | AOKP (The Android Open Kang Project)
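A model of the chain check trparky describes, as an added example in C rather than anything from the thread or from Microsoft: the record layout, the CHAIN_END sentinel, the simulated stack and the handler names are constructed stand-ins for the real Windows structures, but the validation logic (every record inside the thread's stack, pointer-aligned, and the walk ending at the known final record) is the gist of what SEHOP checks before any handler is dispatched.

```c
#include <stdint.h>

/* Constructed model of a thread's SEH registration chain. Each record sits
   on the stack and links to the next one; the real Windows layout differs,
   this only illustrates the integrity check SEHOP performs. */
typedef struct seh_record {
    struct seh_record *next;
    void (*handler)(void);
} seh_record_t;

#define CHAIN_END ((seh_record_t *)(uintptr_t)-1)  /* terminator value */

static void final_handler(void) {}   /* stands in for the OS final handler */
static void app_handler(void) {}     /* an application-registered handler */

/* Walks the chain from head before any handler would be dispatched: every
   record must lie inside the thread's stack, be pointer-aligned, and the
   walk must reach the known final record. A clobbered next pointer fails
   one of these checks, so the handlers are never invoked. */
int seh_chain_intact(const seh_record_t *head, const unsigned char *stack_lo,
                     const unsigned char *stack_hi, const seh_record_t *final_rec)
{
    uintptr_t lo = (uintptr_t)stack_lo, hi = (uintptr_t)stack_hi;
    const seh_record_t *r = head;
    for (int hops = 0; hops < 64; hops++) {          /* bound the walk: no cycles */
        uintptr_t a = (uintptr_t)r;
        if (r == CHAIN_END) return 0;                /* ended without final record */
        if (a < lo || a + sizeof *r > hi) return 0;  /* record not on this stack */
        if (a % sizeof(void *) != 0) return 0;       /* misaligned record */
        if (r == final_rec)
            return r->next == CHAIN_END && r->handler == final_handler;
        r = r->next;
    }
    return 0;
}

/* Builds a two-record chain on a simulated stack; with corrupt != 0 the
   inner record's next pointer is overwritten with junk, as an overflow would. */
int seh_demo(int corrupt)
{
    union { unsigned char bytes[256]; void *align; } stack;
    seh_record_t *final_rec = (seh_record_t *)(stack.bytes + 200);
    seh_record_t *inner = (seh_record_t *)(stack.bytes + 64);
    final_rec->next = CHAIN_END;
    final_rec->handler = final_handler;
    inner->next = final_rec;
    inner->handler = app_handler;
    if (corrupt) inner->next = (seh_record_t *)(uintptr_t)0x41414141u;
    return seh_chain_intact(inner, stack.bytes, stack.bytes + sizeof stack.bytes, final_rec);
}
```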



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

Many of Microsoft's newer programs have these exploit protections baked into the compiled code of the program. But this only happens with programs that have been compiled with recent versions of the Microsoft Visual C++ compiler.

My guess is that Internet Explorer 9 and 10, which aren't vulnerable, have been compiled with Visual C++ 2010 or newer, and the older versions are still being compiled with a pre-2010 C++ compiler, thus not having the protections baked into the compiled code.
--
Tom
Boycott AT&T uVerse! | Tom's Android Blog | AOKP (The Android Open Kang Project)



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to trparky

said by trparky:

But in the case of this exploit, it would overwrite the Structured Exception Handler using either a Stack-based Buffer Overflow or Heap Spray attack.

...

All of which EMET helps guard a program against.

That is my understanding as well.
--
Don't feed trolls--it only makes them grow!


Lagz
Premium
join:2000-09-03
The Rock

2 edits
reply to trparky

said by trparky:

Oh shit, I think I know how this exploit may work.

There's an attack technique which is used to overwrite the Structured Exception Handler which would, in any other case, catch the Null Reference Exception and handle it cleanly so that the program would not appear to crash.

But in the case of this exploit, it would overwrite the Structured Exception Handler using either a Stack-based Buffer Overflow or Heap Spray attack. Then, something would be used to trigger (a call to a null Object, in this case) the Exception Handler and since it's been overwritten with arbitrary code, the program would then be vulnerable to attack.

All of which EMET helps guard a program against.

I wonder if Flash or IE use standard exception handlers, or do they write their own? My instructor in C# told us to write our own exception handling when possible rather than throw standard exceptions; this might be why. When I was first introduced to exceptions I was like, HELL YEA, I don't have to write as much code now. We had been writing our own exception handling up to that point. If they are just throwing standard exceptions, I wonder whether that's a result of laziness or of management hurriedly wanting code pushed out the door.
--
When somebody tells you nothing is impossible, ask him to dribble a football.