Flaw in Vista’s ASLR

For exploit writers on the Windows platform, one of the protection mechanisms in Vista they have to face is Address Space Layout Randomization (ASLR). ASLR is a security feature that hinders exploitation of vulnerable programs by randomly arranging the address space of the stack, heap, libraries and so on. This makes it hard for the attacker to predict the key values needed in the exploitation phase, such as a return address or a function pointer, so the success rate of the exploit drops. (This is the reason why I hate ASLR, lol)

But before the final version of Vista was released, Ali Rahbar from Sysdream analyzed Vista’s ASLR and found a flaw in it.

But 32 possibilities is not much, and for buffer overflow exploitation, in some situations it is really feasible to do a brute force on the 32 possible values. But why has Microsoft used only 32 out of 256 possibilities?

The flaw is in how many bits M$ actually uses for the randomization. Instead of using all 8 bits, they use only 5 of them: 32 possibilities instead of 256. This makes brute force easier for the attacker than it should be. The original article can be found here: Analysis-of-Microsoft-Windows-Vista’s-ASLR

From the attacker’s point of view, this flaw degrades the protection of Vista. In Vista the attacker has to face ASLR, DEP, /GS and /SAFESEH, and it is quite difficult to break all of these protections to gain code execution. However, if they can overcome ASLR, which is an important one, things become much easier.

Trirat Kira Puttaraksa

  • Nomad

    In this article I mess a little with kernel debugging to know how Windows generates this random address. Maybe the answer to the question is there…

  • duke

    ASLR “flaw” found on a very old Windows Vista Beta 2

  • dj_m

    First, this paper covers stack randomization, not preferred load randomization of the binary.

    Second, I’ve tried this and although EBP only varies by 32, there is additional offset from the base of the stack that gives you more than 1/256.

    Ali Rahbar needs to redo his analysis.

  • Michael Spurlock

    Isn’t this optional for programmers anyway?

  • jaba_breakjail

    The link to the original article is broken.