Overview
Microsoft Windows 8 introduced a change in how system-wide mandatory ASLR is implemented. This change requires system-wide bottom-up ASLR to be enabled for mandatory ASLR to receive entropy. Tools that enable system-wide ASLR without also setting bottom-up ASLR will fail to properly randomize executables that do not opt in to ASLR.
Description
Address Space Layout Randomization (ASLR)
Starting with Windows Vista, Windows includes ASLR, a feature that helps prevent code-reuse attacks. By loading executable modules at non-predictable addresses, Windows can mitigate attacks that rely on code being at known locations. Return-oriented programming (ROP), for example, depends on code being loaded at a predictable or discoverable address. One weakness of the implementation is that ASLR is opt-in: an image must be linked with the /DYNAMICBASE flag to be randomized.

Mandatory ASLR, which EMET and Windows Defender Exploit Guard can enable system-wide, forces relocation of images that were not linked with /DYNAMICBASE. Starting with Windows 8, a forcibly relocated image only receives entropy when system-wide bottom-up ASLR is also enabled; with mandatory ASLR alone, the image is relocated to a predictable address.
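The opt-in is recorded in the PE header, so whether a given executable relies on mandatory ASLR can be checked on disk. The following PowerShell function is an added example (it is not part of the CERT/CC note) that reads the COFF and optional headers of an image and reports whether it was linked with /DYNAMICBASE, whether it also opted in to high-entropy ASLR, and whether its relocations were stripped; the field offsets and flag values follow the PE/COFF specification.

```powershell
# Added example, not part of the CERT/CC note. Parses an executable's PE headers to
# report whether it opted in to ASLR (/DYNAMICBASE) and whether it can be relocated
# at all. Offsets and flag values follow the PE/COFF specification.
function Test-DynamicBase {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    # e_lfanew at 0x3C points at the "PE\0\0" signature
    $pe = [System.BitConverter]::ToInt32($bytes, 0x3C)
    if ($pe -le 0 -or ($pe + 0x60) -gt $bytes.Length -or
        [System.BitConverter]::ToUInt32($bytes, $pe) -ne 0x00004550) {
        throw "$Path has no valid PE signature"
    }
    # COFF file header: 20 bytes after the signature; Characteristics at +18
    $coffChars = [System.BitConverter]::ToUInt16($bytes, $pe + 4 + 18)
    # Optional header follows the COFF header; DllCharacteristics sits at +70
    # for both PE32 (magic 0x10B) and PE32+ (magic 0x20B)
    $opt      = $pe + 4 + 20
    $magic    = [System.BitConverter]::ToUInt16($bytes, $opt)
    $dllChars = [System.BitConverter]::ToUInt16($bytes, $opt + 70)

    $dynamicBase    = ($dllChars  -band 0x0040) -ne 0  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    $highEntropyVA  = ($dllChars  -band 0x0020) -ne 0  # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
    $relocsStripped = ($coffChars -band 0x0001) -ne 0  # IMAGE_FILE_RELOCS_STRIPPED

    $format = if ($magic -eq 0x20B) { 'PE32+' } elseif ($magic -eq 0x10B) { 'PE32' } else { '0x{0:X}' -f $magic }
    # An image without /DYNAMICBASE only moves under mandatory ASLR, and an image whose
    # relocations were stripped cannot be moved at all, so mandatory ASLR does nothing for it.
    $note = if ($dynamicBase) { 'Opted in to ASLR' }
            elseif ($relocsStripped) { 'No /DYNAMICBASE and no relocations: cannot be randomized' }
            else { 'No /DYNAMICBASE: relocated only under mandatory ASLR' }

    [PSCustomObject]@{
        Path           = $Path
        Format         = $format
        DynamicBase    = $dynamicBase
        HighEntropyVA  = $highEntropyVA
        RelocsStripped = $relocsStripped
        Note           = $note
    }
}

# Usage: one object per executable in a directory (path is a placeholder)
# Get-ChildItem 'C:\Program Files\SomeVendor\*.exe' |
#     ForEach-Object { Test-DynamicBase $_.FullName } | Format-Table -AutoSize
```

Executables reported as "No /DYNAMICBASE" are exactly the ones whose placement depends on the mandatory ASLR and bottom-up ASLR settings discussed in this note.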
Impact
Windows 8 and newer systems that have system-wide mandatory ASLR enabled via EMET or Windows Defender Exploit Guard, but do not also have system-wide bottom-up ASLR enabled, will have non-DYNAMICBASE applications relocated to a predictable location, voiding any benefit of mandatory ASLR. This can make exploitation of some classes of vulnerabilities easier.
Solution
The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workaround:
Enable system-wide bottom-up ASLR on systems that have system-wide mandatory ASLR enabled.
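The workaround applied and verified from PowerShell, as an added example that is not part of the CERT/CC note. It assumes an elevated session on Windows 10 1709 or later, where the Windows Defender Exploit Guard cmdlets Set-ProcessMitigation and Get-ProcessMitigation exist. The registry location and the 2-bit field layout used for the readback follow the PROCESS_CREATION_MITIGATION_POLICY_* constants in winnt.h; treat that decoding, and the relaunch check at the end, as assumptions to confirm on your own build.

```powershell
# Added example, not part of the CERT/CC note. Assumes an elevated PowerShell session on
# Windows 10 1709+ (Windows Defender Exploit Guard cmdlets available).

# 1. Enable mandatory ASLR (ForceRelocateImages) and bottom-up ASLR together, system-wide.
#    Enabling ForceRelocateImages on its own is the configuration this note warns about.
Set-ProcessMitigation -System -Enable ForceRelocateImages,BottomUp

# 2. Read the kernel's system-wide policy back from the registry and decode it.
#    Assumption: the system-wide policy lives in the MitigationOptions REG_BINARY value and
#    uses the 2-bit fields defined by PROCESS_CREATION_MITIGATION_POLICY_* in winnt.h.
function Get-SystemAslrPolicy {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    try {
        $raw = (Get-ItemProperty -Path $key -Name MitigationOptions -ErrorAction Stop).MitigationOptions
    } catch {
        $raw = @()   # value absent: every mitigation defers to its default
    }
    # little-endian; the fields decoded here all sit in the low 8 bytes
    $buf = New-Object byte[] 8
    [Array]::Copy($raw, $buf, [Math]::Min(8, $raw.Length))
    $opts = [System.BitConverter]::ToInt64($buf, 0)

    # Each mitigation is a 2-bit field: 0 = default, 1 = always on, 2 = always off.
    # ForceRelocateImages additionally defines 3 = always on, images with relocations only.
    $decode = {
        param([long]$v)
        switch ($v) { 0 { 'Default' } 1 { 'AlwaysOn' } 2 { 'AlwaysOff' } 3 { 'AlwaysOnReqRelocs' } }
    }
    [PSCustomObject]@{
        ForceRelocateImages = & $decode (($opts -shr 8)  -band 3)   # bits 8-9
        BottomUpAslr        = & $decode (($opts -shr 16) -band 3)   # bits 16-17
        HighEntropyAslr     = & $decode (($opts -shr 20) -band 3)   # bits 20-21
    }
}

# 3. Empirical check: start a non-DYNAMICBASE executable several times and compare the
#    base address of its main module. Under mandatory ASLR without bottom-up ASLR the
#    image lands at the same address every run; with both enabled it should move.
function Test-ImageRelocation {
    param([Parameter(Mandatory)][string]$Path, [int]$Runs = 3)
    $bases = foreach ($i in 1..$Runs) {
        $p = Start-Process -FilePath $Path -PassThru
        try {
            # MainModule throws until the loader has mapped the image; retry briefly
            $base = $null
            for ($t = 0; $t -lt 20 -and $null -eq $base; $t++) {
                try { $base = $p.MainModule.BaseAddress } catch { Start-Sleep -Milliseconds 100 }
            }
            $base
        } finally {
            Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        }
    }
    [PSCustomObject]@{
        Path          = $Path
        BaseAddresses = @($bases | ForEach-Object { '0x{0:X}' -f $_.ToInt64() })
        Randomized    = (@($bases | Select-Object -Unique).Count -gt 1)
    }
}

Get-SystemAslrPolicy
# Test-ImageRelocation -Path 'C:\Path\To\NonDynamicBase.exe'   # path is a placeholder
```

After step 1, the readback should show ForceRelocateImages and BottomUpAslr both as AlwaysOn. If Get-ProcessMitigation -System and the registry readback disagree, or Test-ImageRelocation still reports Randomized = False for a non-DYNAMICBASE image, reboot and repeat the check before trusting the configuration.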
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- |
Temporal | 0 | E:ND/RL:ND/RC:ND |
Environmental | 0 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
- https://blogs.technet.microsoft.com/srd/2010/12/08/on-the-effectiveness-of-dep-and-aslr/
- https://msdn.microsoft.com/en-us/library/bb384887.aspx
- https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit
- https://blogs.technet.microsoft.com/srd/2013/12/11/software-defense-mitigating-common-exploitation-techniques/
- https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
Acknowledgements
This issue was reported by Will Dormann of the CERT/CC, with assistance from Matt Miller of Microsoft.
This document was written by Will Dormann.
Other Information
CVE IDs: | None |
Date Public: | 2017-11-16 |
Date First Published: | 2017-11-17 |
Date Last Updated: | 2017-11-20 03:07 UTC |
Document Revision: | 41 |