Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass

acid · Jan 31, 2005, 19:04

Published 28th January 2005.
Problem
In October 2004 it was discovered by MaxPatrol team that it is possible to defeat Microsoft® Windows® XP SP2 Heap protection and Data Execution Prevention mechanism. As a result it is possible to implement:

Arbitrary memory region write access (smaller or equal to 1016 bytes)
Arbitrary code execution
DEP bypass.

Details are described in the article by our expert: PDF format, HTML format.
Solution
As a temporary security measure we've developed simple utility PTmsHORP, which allows restriction of lookaside list creation, governed by a special global flag.
Download PTmsHORP (21 Kb)
During the first execution this program shows the list of applications which already have this flag set. In order to activate this safety flag for other applications you just need to add the name of the executable file to the list. Any time you can review or modify the list of protected applications by running PTmsHORP again.
Warning. The flag, while enabled, may decrease the application performance.

http://www.maxpatrol.com/ptmshorp.asp

Jan 31, 2005, 19:04	#1
acid Administrator Join Date: Sep 2001 Location: Yerevan, Armenia Posts: 7,086 Blog Entries: 15 Rep Power: 10 Reputation: 251	Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass Published 28th January 2005. Problem In October 2004 it was discovered by MaxPatrol team that it is possible to defeat Microsoft® Windows® XP SP2 Heap protection and Data Execution Prevention mechanism. As a result it is possible to implement: Arbitrary memory region write access (smaller or equal to 1016 bytes) Arbitrary code execution DEP bypass. Details are described in the article by our expert: PDF format, HTML format. Solution As a temporary security measure we've developed simple utility PTmsHORP, which allows restriction of lookaside list creation, governed by a special global flag. Download PTmsHORP (21 Kb) During the first execution this program shows the list of applications which already have this flag set. In order to activate this safety flag for other applications you just need to add the name of the executable file to the list. Any time you can review or modify the list of protected applications by running PTmsHORP again. Warning. The flag, while enabled, may decrease the application performance. http://www.maxpatrol.com/ptmshorp.asp __________________ Chat with acid

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Default Passwords	acid	Software Security	4	Feb 12, 2006 06:01
Microsoft: SP2 Will Not Install on Pirated Copies of XP	acid	Software Security	9	Nov 6, 2004 19:30