4

Do all new OSes implement the no execute bit in order to overcome vulnerabilities that could be used to execute malicious code? for example, is it implemented in Win7? Does that mean that the traditional way of stack & heap overflow exploits are no longer effective?

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
Adban
  • 259
  • 2
  • 9
  • There are techniques to avoid this, such as return-oriented-programming (ROP). – CodesInChaos Nov 06 '12 at 10:43
  • This is not really a programming question (unless you're an OS programmer at Microsoft or Linux or... ) On the other hand, this would be nicely on topic for the security experts over at [Security.se]. (Don't cross post, flag it for a moderator and ask to have it migrated). – AviD Nov 06 '12 at 11:09
  • Whilst the mitigations are good, there are so many ways that programmers can still get things wrong. And, if all else fails, you can always go [install a Sophos AV and have it disable ASLR and image integrity](https://lock.cmpxchg8b.com/sophailv2.pdf)[pdf] for you! :) – Polynomial Nov 14 '12 at 07:05

3 Answers3

7

"Traditional Way" could mean anything. I'm assuming you're referring to a buffer overflow where the return address is replaced with an attacker controlled address on the memory to execute artbitrary code. Yes, this is mitigated by the NX bit. But, no. This does not stop attackers from using other mechanisms such as Return oriented programming which uses ROP gadgets to chain instructions to effectively execute code of their choice.

I had the same question before, but I realized that stack and heap overflows will not become extinct in the near future. Windows, Linux, Solaris and other popular OSs have protection mechanisms enabled which greatly reduce these attacks. On the other hand, think of mobile platforms. Firmware, Baseband code usually written ages ago in C, are still susceptible to these attacks, and those systems may not have the protection mechanisms mentioned above.

This answer, is an excellent read to learn more about the protection mechanisms. Your specific question about NX is also covered there

Community
  • 1
sudhacker
  • 4,260
  • 5
  • 23
  • 34
2

One way to overcome the no execute bit is to use different overflow targets entirely. People focus too much on the shell code style overflow vulnerabilities, and ignore a large portion of the vulnerabilities that are out there. For example, you can overflow into other arrays and even strings. You don't need to corrupt the stack or heap state to exploit a buffer overflow, you just have to make the program do something it wasn't meant to do. You can overflow into:

  • Shell strings
  • SQL strings
  • Any string containing an interpreted language
  • Cryptographic keys or data that is only in plaintext in memory

None of these things requires executing any shell code in the exploited process. Many of the same techniques (e.g. spraying, sentinel sleds) apply.

Eric Wimberley
  • 81
  • 2
1

Windows has had Data Execution Protection since XP SP 2, but it's not always enabled by default, and it can be disabled for specific applications.

So, many stack cracking exploits will be blocked, but probably not all of them.

As for "all news OSes", YMMV. It's better to ask about specific ones.

Roddy
  • 111
  • 2