Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Pique Analysis Report
20150828-267-CanSecWest13-DEP-ASLR-WO-ROP-JIT
Raytheon Blackbird Technologies, Inc.
28 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
1.0 (U) Analysis Summary
(S//NF) This report is based on a CanSecWest 2013 briefing slide deck prepared by NSFOCUS,
an international enterprise security systems provider. The slide deck provides very little context
for the WinDbg screenshots that make up most of the deck. It opens with an explanation of the
security issues surrounding fixed address assignments of critical elements from NT 4 through
Windows 8, and of how those fixed addresses are leveraged to exploit systems.
(S//NF) The slide deck points out that, despite ASLR, there are still fixed-address items that can
be used with predictable offsets to reach the APIs of interest. In particular, the technique
leverages KUSER_SHARED_DATA, Wow64SharedInformation, and LdrHotPatchRoutine. The
limitation of this approach is that it is restricted to 32-bit processes running on x64 Windows, and
it has been patched beginning with Windows 8. There are some well-formed code samples in the
slide deck, and while this technique may make an interesting PoC, we naturally defer to the
Sponsor on pursuing a PoC with such restrictions on the bitness of targeted processes and on OS
versions.
2.0 (U) Description of the Technique
(S//NF) The technique leverages fixed-address structures that remain present in post-ASLR
Windows Vista and Windows 7, together with known offsets from those structures, to exploit
32-bit processes running on x64 editions of those OSes.
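The mechanism the report summarizes, shown as an added example that is not part of the report or of the NSFOCUS deck: a single pointer into an ASLR-randomized module, stored at an address that never moves, is enough to locate every other export of that module by a build-specific offset. This C program simulates it on Linux rather than reproducing the Windows specifics. The assumptions of the simulation are the constant address 0x7FFE0000 (the user-mode address of KUSER_SHARED_DATA on Windows; here it is just an anonymous mapping placed there), a single slot standing in for the Wow64SharedInformation entries, libc standing in for the 32-bit ntdll, and libc's strlen/strchr standing in for LdrHotPatchRoutine and the API of interest. The function names publish_fixed_page, delta_strlen_to_strchr and attacker_resolve_strchr are hypothetical names for this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* MAP_ANONYMOUS / MAP_FIXED_NOREPLACE under strict -std */
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE MAP_FIXED   /* older headers: fall back to MAP_FIXED */
#endif

/* Assumption of this simulation: the page lives at a constant address every
 * process can rely on (Windows maps KUSER_SHARED_DATA at 0x7FFE0000). */
#define FIXED_PAGE_ADDR 0x7FFE0000UL
#define FIXED_PAGE      ((void *)FIXED_PAGE_ADDR)

typedef char *(*strchr_fn)(const char *, int);

/* "OS" side: map the page at the constant address and write a pointer into an
 * ASLR-randomized module (libc's strlen) into its first slot. leak_enabled == 0
 * models the fixed behaviour the report attributes to Windows 8: the page is
 * still there, but the slot no longer holds a pointer into the randomized module. */
int publish_fixed_page(int leak_enabled)
{
    static int mapped = 0;
    if (!mapped) {
        void *p = mmap(FIXED_PAGE, 4096, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
        if (p != FIXED_PAGE)
            return -1;          /* address already in use: simulation cannot run */
        mapped = 1;
    }
    uintptr_t *slot = (uintptr_t *)FIXED_PAGE;
    slot[0] = leak_enabled ? (uintptr_t)strlen : 0;
    return 0;
}

/* Build-specific distance between the leaked export and the export the attacker
 * actually wants. In a real attack this constant comes from analysing the target
 * build offline; computing it from the live library keeps the example self-contained. */
intptr_t delta_strlen_to_strchr(void)
{
    return (intptr_t)((uintptr_t)strchr - (uintptr_t)strlen);
}

/* Attacker side: touches nothing but the constant address and the build-specific
 * delta, never a symbol, and still obtains a callable pointer into the randomized
 * module. Returns NULL when the slot holds no module pointer (the patched case). */
strchr_fn attacker_resolve_strchr(intptr_t delta)
{
    uintptr_t leaked = *(volatile uintptr_t *)FIXED_PAGE;
    if (leaked == 0)
        return NULL;
    return (strchr_fn)(leaked + (uintptr_t)delta);
}

int main(void)
{
    intptr_t delta = delta_strlen_to_strchr();

    if (publish_fixed_page(1) != 0) {
        fprintf(stderr, "could not map %p; pick another constant\n", FIXED_PAGE);
        return 1;
    }
    strchr_fn f = attacker_resolve_strchr(delta);
    printf("unpatched: slot leaks module pointer, strchr resolved at %p, "
           "strchr(\"hello\",'l') = \"%s\"\n",
           (void *)f, f ? f("hello", 'l') : "(null)");

    publish_fixed_page(0);
    printf("patched:   attacker resolves %p (ASLR holds)\n",
           (void *)attacker_resolve_strchr(delta));
    return 0;
}
```

Build with `cc -o fixedleak fixedleak.c` and run it on a 64-bit Linux host; the attacker path only ever dereferences the constant address, which is the whole point of the bypass the deck describes: the module base moves with ASLR, but the pointer that gives it away does not. The leak_enabled == 0 run shows why removing the module pointer from the fixed page (what the report describes as the Windows 8 fix) closes the technique without touching ASLR itself.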
3.0 (U) Identification of Affected Applications
(U) Windows Vista and Windows 7 (32-bit processes on x64 editions).
4.0 (U) Related Techniques
(S//NF) Buffer overflow.
5.0 (U) Configurable Parameters
(S//NF) Offsets and buffer sizes.
6.0 (U) Exploitation Method and Vectors
(S//NF) Buffer overflow.
7.0 (U) Caveats
(U) Windows Vista and Windows 7 only; 32-bit processes on x64 editions; patched beginning with Windows 8.