Flaw in Vista’s ASLR
For the exploit writers on Windows platform, one of the protection mechanism in Vista that they have to faced with is Address Spaces Layout Randomization (ASLR). ASLR is the security feature that prevent the attacker exploit the vulnerable programs by arrange randomly the address spaces of stack, heap, library and so on. This make the attacker hard to predict the key entity in exploitation phase – such as return address, function pointer – so the rate of successful of the exploit will become in low rate. (This is the reason why I hate ASLR, lol)
But before the final version of Vista will be released, Ali Rahbar from Sysdream had analyzed Vista’s ASLR and he found some flaw in it.
But 32 possibilities is not much, and for buffer overflow exploitation, in some situations it is really feasible to do a brute force on the 32 possible values. But why has Microsoft used only 32 out of 256 possibilities
The flaw is that M$ use 8 bits in the randomization. Instead they use all of 8 bits, they just used 5 bits – 256 possibilities compare with 32 possibilities. This will let the attacker bruteforce easier than it should be. The original article can be found here Analysis-of-Microsoft-Windows-Vista’s-ASLR
From the attacker’s point of view, this flaw degrade the protection of Vista. In Vista, the attacker have to faced with ASLR, DEP, /GS and /SAFESEH. It is quite difficult to break all of these protections to gain the code execution. However, if they can overcome ASLR which is an important one, things will become more easier.
Trirat Kira Puttaraksa