[ISN] Meet the future of Windows security exploits

From: InfoSec News (isnat_private)
Date: Wed Nov 28 2001 - 23:57:27 PST

  • Next message: InfoSec News: "[ISN] Court upholds ban on DVD-cracking code"

    By John Leyden
    Posted: 28/11/2001 at 14:26 GMT
    Buffer overflow bugs, for years the most prevalent type of security
    vulnerability, will become a thing of the past as crackers realise the
    potential of different ways to exploiting Windows machines.
    Sloppy programming practices (the root cause of buffer overflow
    vulnerabilities) give rise to security bugs where arbitrary and
    malicious code can be injected into a system, through a carefully
    crafted malformed data entry.
    Generally, this spurious input is much longer than a program expects,
    causing code to overflow the buffer and enter parts of a system where
    it may be subsequently executed. The technique has been successful
    used against both Unix and NT machines on numerous occasions.
    Halvar Flake, "Reverse Engineer" at Black Hat Consulting, said such
    standard stack-smashing overflows are getting rarer in well-audited
    code, so crackers will turn to fresh ways of executing arbitrary code.
    During a well received presentation at last week's Black Hat
    conference in Amsterdam, Flake showed how heap overflow attacks could
    be used to write more or less arbitrary data to more or less arbitrary
    locations. He described these as Third Generation Exploits on NT/Win2k
    Platforms, something explained in greater detail here, and although he
    told us it's a term he invented himself, we're happy to go along with
    it since we liked the cut of his jib.
    Such third generation exploits mean it is possible to subvert the
    logic of a Windows app by modifying its variables.
    He also outlined future cracker strategies involving creating a large
    number of threads in a multithreaded environment, which make an
    exploit "80-90 per cent reliable and independent of NT/Win2000/XP
    version, service pack and hot fix".
    Heap overflow exploits (such as format string bugs and particularly
    malloc()/free()-manipulations) give attackers two powerful techniques.
    Such tactics have been used, and documented, on *nix platforms and the
    value of Flake's work is to highlight the risk of the exploitation of
    the technique on NT/Win2k boxes.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Nov 29 2001 - 13:53:41 PST