A paper has been released describing a number of weaknesses in the Microsoft Windows 2003 stack protection implementation. These issues affect applications compiled with the Visual Studio .NET compiler, which enables this protection (the /GS option) by default. As demonstrated in the report, an attacker may be able to exploit these weaknesses to reliably execute arbitrary code through an existing stack-based buffer overrun vulnerability.

The stack protection scheme resembles other implementations: a canary (cookie) value is placed in each protected function's stack frame, directly below the saved frame pointer and return address. Before the function returns to its caller, a routine compares the canary stored on the stack with a reference canary held in global memory. If the values do not match, the program is terminated after a series of error reporting functions have run.

One described weakness is that structured exception handling records are also stored in stack memory, above the return address. An attacker who overruns a buffer in a vulnerable program can therefore corrupt the canary and the return address and keep writing until an exception handler pointer has been overwritten. If an exception is then triggered before the cookie validation routine is called, the corrupted handler pointer is used and execution can be redirected to a payload located on the stack, on the heap, or elsewhere in memory; the canary is never checked.

Other weaknesses are also described. For instance, the 32-bit reference canary in global memory is writable by the application, so an attacker able to write to global memory can change it to match the value that the stack-based overrun wrote over the on-stack cookie, causing the validation to pass.
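As an added illustration (not code from the paper, the advisory, or Microsoft's runtime), the following C program simulates the frame layout described above and walks through the two weaknesses. The frame structure, the placeholder addresses, the global cookie value, and the attacker payload are all constructed for the simulation and are not real Windows 2003 values; the copy is clamped to the model frame so the program never corrupts its own real stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated x86 frame, lowest address first, following the advisory's layout:
 * local buffer, cookie, saved frame pointer, return address, then the SEH
 * registration record. A model for illustration, not Microsoft's real code. */
typedef struct {
    char     buf[16];       /* local buffer that the vulnerable copy overruns */
    uint32_t cookie;        /* per-frame copy of the global security cookie */
    uint32_t saved_ebp;
    uint32_t ret_addr;
    uint32_t seh_next;      /* next registration record (placeholder) */
    uint32_t seh_handler;   /* handler the dispatcher calls on an exception */
} sim_frame;

#define LEGIT_HANDLER 0x77E90000u   /* placeholder for a legitimate handler */

/* Reference cookie in writable global memory (second weakness). Placeholder value. */
uint32_t g_security_cookie = 0x3A9F4C21u;

typedef enum { RETURNED_OK = 0, COOKIE_MISMATCH = 1, HANDLER_CALLED = 2 } outcome;

static void put_le32(uint8_t *p, uint32_t v)   /* x86 is little-endian */
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Models a protected function: prologue seeds the frame cookie, the body copies
 * untrusted input with no bounds check, then either an exception fires (the
 * dispatcher reads the handler pointer from the frame) or the epilogue
 * validates the cookie. *handler_used receives the handler on the fault path. */
outcome vulnerable_copy(const uint8_t *in, size_t len, int fault_before_check,
                        uint32_t *handler_used)
{
    sim_frame f;
    uint8_t *frame_bytes = (uint8_t *)&f;
    size_t i;

    f.cookie      = g_security_cookie;          /* prologue */
    f.saved_ebp   = 0x0012FF80u;
    f.ret_addr    = 0x00401234u;
    f.seh_next    = 0xFFFFFFFFu;
    f.seh_handler = LEGIT_HANDLER;

    for (i = 0; i < len && i < sizeof f; i++)   /* unbounded copy into buf */
        frame_bytes[i] = in[i];                 /* (clamped to the model frame) */

    *handler_used = 0;
    if (fault_before_check) {                   /* exception before epilogue */
        *handler_used = f.seh_handler;          /* cookie is never checked */
        return HANDLER_CALLED;
    }
    if (f.cookie != g_security_cookie)          /* epilogue cookie check */
        return COOKIE_MISMATCH;
    return RETURNED_OK;
}

/* Constructed attacker payload: 16 bytes of filler, then the frame fields. */
size_t build_payload(uint8_t out[36], uint32_t cookie_value, uint32_t handler)
{
    memset(out, 'A', 16);
    put_le32(out + 16, cookie_value);   /* lands on the on-stack cookie */
    put_le32(out + 20, 0x41414141u);    /* saved frame pointer */
    put_le32(out + 24, 0x41414141u);    /* return address */
    put_le32(out + 28, 0x41414141u);    /* next registration record */
    put_le32(out + 32, handler);        /* handler pointer */
    return 36;
}

outcome scenario_benign(void)
{
    uint32_t h;
    return vulnerable_copy((const uint8_t *)"hello", 5, 0, &h);
}

/* Overrun followed by a normal return: the cookie check catches it. */
outcome scenario_overrun_then_return(void)
{
    uint8_t p[36]; uint32_t h;
    size_t n = build_payload(p, 0x41414141u, 0xDEADBEEFu);
    return vulnerable_copy(p, n, 0, &h);
}

/* Overrun followed by an exception: returns the address the dispatcher would call. */
uint32_t scenario_overrun_then_fault(void)
{
    uint8_t p[36]; uint32_t h = 0;
    size_t n = build_payload(p, 0x41414141u, 0xDEADBEEFu);
    vulnerable_copy(p, n, 1, &h);
    return h;
}

/* Overrun with the writable global cookie patched to the overwritten value. */
outcome scenario_overrun_with_patched_global(void)
{
    uint8_t p[36]; uint32_t h, saved = g_security_cookie; outcome r;
    size_t n = build_payload(p, 0x41414141u, 0xDEADBEEFu);
    g_security_cookie = 0x41414141u;    /* attacker write to global memory */
    r = vulnerable_copy(p, n, 0, &h);
    g_security_cookie = saved;
    return r;
}

int main(void)
{
    printf("benign: %d, overrun+return: %d, overrun+fault handler: 0x%08X, patched global: %d\n",
           scenario_benign(), scenario_overrun_then_return(),
           scenario_overrun_then_fault(), scenario_overrun_with_patched_global());
    return 0;
}
```

The point the simulation makes is ordering: the cookie is only compared in the epilogue, so any exception raised between the overrun and the return dispatches through a handler pointer the overrun already replaced, and a reference cookie that the process itself can write is no secret from an attacker with an arbitrary write.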