security - Bypassing Windows ASLR by determining the library address using shared pages -
i quite familiar aslr, today heard new interesting fact implementation of aslr in windows.
in order optimize performance if process , b load same dll windows load once physical memory , both processes share same instance via shared pages.
this old news .. interesting part both process , b load shared library in same virtual address (why ??).
it seems me local attack (e.g. privilege escalation) can bypass aslr following way:
1. create new dummy process 2. check address of dlls of interest (kernel32, user32 ..) 3. attack privileged process , bypass aslr information step 2.
i have done simple tests using olly , found shared libraries indeed loaded in same virtual address.
if case, aslr useless local exploitation ?
you correct, aslr little defense against local attacker. designed thwart hard-coded addresses in remote exploits.
edit: details in previous answer incorrect, though point above still stands. aslr-enabled dll's base address function of both: (1) random offset chosen windows set of 256 possible values @ boot time; , (2) order in dll loaded, known dlls randomized session manager during system startup. knowing random offset therefore not sufficient compute base address of arbitrary aslr'd dll. however, if able directly observe address of target dll in shared memory, describe, bets off anyway.
sources: http://www.symantec.com/avcenter/reference/address_space_layout_randomization.pdf windows internals, 6th edition
Comments
Post a Comment