Didier Stevens

Monday 17 January 2011

Quickpost: “It Does No Harm…” or Does It?

Filed under: Quickpost,Vulnerabilities — Didier Stevens @ 0:00

You often read about people who use many different security applications to protect their systems. Not only anti-virus, anti-spyware, firewall, HIPS, …, but also some other tools like anti-keyloggers, … And sometimes, when they argue about the additional protection such tools bring, you can read the following: “it does no harm…”.

Well, this time, I’ve a clear example where using a supplemental security tool does harm, even when it adds real protection.

When installed, this tool (which I’m not going to name here because of SEO reasons), installs a Windows explorer shell extension (we’ve discussed the risks of these shells before). The problem with this tool’s shell extension (a DLL), is that it is compiled without the dynamic base flag set. In other words, it doesn’t support ASLR.

On a default Windows Vista or Windows 7 install, all the DLLs of explorer.exe support ASLR. Even if a vulnerability is found in explorer.exe, it won’t be possible to bypass DEP and ASLR by borrowing code from a DLL to build an exploit with ROP gadgets. Unless you’ve installed this security tool, which adds a DLL with a fixed address to explorer.exe’s code space. Then an attacker can find ROP gadgets in this shell extension’s DLL.

This security tool harms the security of your system by opening it up to ROP exploits.

And shell extensions are not only loaded into explorer.exe. They find their way into many applications. For example, when you work with the common dialog control (like using the file open dialog)  in an application, shell extensions also get loaded into these applications. So this extension can get loaded into Adobe Reader, Microsoft Office applications, …

The risk this security tool brings to your system is not theoretical. There are malicious PDFs in the wild that use ROP gadgets.

Quickpost info

Blog at WordPress.com.