{"id":1062,"date":"2010-02-03T20:12:34","date_gmt":"2010-02-03T19:12:34","guid":{"rendered":"http:\/\/www.mitternachtshacking.de\/blog\/1062-aslr-dep-in-zukunft-wirkungslos"},"modified":"2016-10-09T20:52:28","modified_gmt":"2016-10-09T19:52:28","slug":"aslr-dep-in-zukunft-wirkungslos","status":"publish","type":"post","link":"https:\/\/www.mitternachtshacking.de\/blog\/1062-aslr-dep-in-zukunft-wirkungslos","title":{"rendered":"ASLR, DEP ineffective in the future?"},"content":{"rendered":"<p>Dave Aitel <a href=\"http:\/\/seclists.org\/dailydave\/2010\/q1\/40\">wrote today<\/a> on his <a href=\"http:\/\/lists.immunitysec.com\/mailman\/listinfo\/dailydave\">Dailydave mailing list<\/a>:<\/p>\n<blockquote>\n<p>Not so long ago, <a href=\"http:\/\/en.wikipedia.org\/wiki\/Address_space_layout_randomization\">ASLR<\/a> and <a href=\"http:\/\/en.wikipedia.org\/wiki\/Data_Execution_Prevention\">DEP<\/a> were gaining wide acceptance. Execshield was on almost all Linux systems, and the &#8220;golden age&#8221; of buffer overflow exploitation looked like it was coming to a close.<\/p>\n<p>[&#8230;]<\/p>\n<p>Today, Immunity released a working version of the Aurora exploit for Windows 7 and IE8 to CANVAS Early Updates. It does this by playing some very odd tricks with Flash&#8217;s JIT compiler. This technique is extendible to almost all similar vulnerabilities. In other words, ASLR and DEP are no longer the shield they once were.<\/p>\n<\/blockquote>\n<p>If all of this is accurate (Dave Aitel primarily wants to sell his Canvas, so some of it should be taken with a grain of salt), I draw two conclusions from it:<\/p>\n<ol>\n<li>Just-in-time compilers are evil, because most JIT compilers disable ASLR and\/or DEP and thereby make attacks easier.<\/li>\n<li>ASLR and DEP are far from being the golden shields that protect against all kinds of programming errors and developer sloppiness, especially where buffer management is concerned, as soon as the user runs e.g. Flash, Java, etc.<\/li>\n<\/ol>\n<p>Whether Adobe is the villain here (as with Apple) or the Flash JIT is simply being used because it is so widespread, I cannot say yet. The Canvas Early Updates in which this has been released so far are so expensive that I am not willing to pay for them. But I think the topic is worth watching, and not only for exploit developers.<\/p>\n<p><strong>Addendum:<\/strong><\/p>\n<p><a href=\"http:\/\/www.theregister.co.uk\/2010\/02\/03\/microsoft_windows_protection_bypass\/\">The Register<\/a> has picked up the topic.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dave Aitel wrote today on his Dailydave mailing list: Not so long ago, ASLR and DEP were gaining wide acceptance. Execshield was on almost all Linux systems, and the &#8220;golden age&#8221; of buffer overflow exploitation looked like it was coming to a close. [&#8230;] Today, Immunity released a working version of the Aurora exploit for Windows 7 [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[8],"tags":[],"_links":{"self":[{"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/posts\/1062"}],"collection":[{"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/comments?post=1062"}],"version-history":[{"count":0,"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/posts\/1062\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/media?parent=1062"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/categories?post=1062"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mitternachtshacking.de\/blog\/wp-json\/wp\/v2\/tags?post=1062"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}