FreeBSD gets ASLR

February 14, 2019 ~ hucktech ~ Leave a comment

Yay! Finally ASLR for FreeBSD is here. https://t.co/gJPo9VPm1O

— The Best Linux Blog In the Unixverse (@nixcraft) February 11, 2019

FreeBSD Commit "Implement Address Space Layout Randomization (ASLR) … <snip>" https://t.co/fDFSITFhC5 #security

— FreeBSD Help (@FreeBSDHelp) February 11, 2019

Implement Address Space Layout Randomization (ASLR)

With this change, randomization can be enabled for all non-fixed
mappings. It means that the base address for the mapping is selected
with a guaranteed amount of entropy (bits). If the mapping was
requested to be superpage aligned, the randomization honours the
superpage attributes.[…]

https://svnweb.freebsd.org/base?view=revision&revision=343964

CERT/CC VU #817544 : Windows ASLR Vulnerability

November 20, 2017 ~ hucktech ~ Leave a comment

U.S. Department of Homeland Security US-CERT National Cyber Awareness System: Windows ASLR Vulnerability

Original release date: November 20, 2017

The CERT Coordination Center (CERT/CC) has released information on a vulnerability in Windows Address Space Layout Randomization (ASLR) that affects Windows 8, Windows 8.1, and Windows 10. A remote attacker could exploit this vulnerability to take control of an affected system. US-CERT encourages users and administrators to review CERT/CC VU #817544 and apply the necessary workaround until a patch is released.

https://www.us-cert.gov/ncas/current-activity/2017/11/20/Windows-ASLR-Vulnerability

http://www.kb.cert.org/vuls/id/817544

Linux Kernel: exclude EFI from KASLR VA space randomization

April 6, 2017 ~ hucktech ~ Leave a comment

Greg Kroah-Hartman of the Linux Foundation submitted version 4.10 of a 81-part(!) patch to the Linux kernel by Baoquan He of Red Hat.

[PATCH 4.10 65/81] x86/mm/KASLR: Exclude EFI region from KASLR VA space randomization

4.10-stable review patch. If anyone has any objections, please let me know.

commit a46f60d76004965e5669dbf3fc21ef3bc3632eb4 upstream.

Currently KASLR is enabled on three regions: the direct mapping of physical memory, vamlloc and vmemmap. However the EFI region is also mistakenly included for VA space randomization because of misusing EFI_VA_START macro and assuming EFI_VA_START < EFI_VA_END. (This breaks kexec and possibly other things that rely on stable addresses.) The EFI region is reserved for EFI runtime services virtual mapping which should not be included in KASLR ranges. In Documentation/x86/x86_64/mm.txt, we can see:

ffffffef00000000 – fffffffeffffffff (=64 GB) EFI region mapping space

EFI uses the space from -4G to -64G thus EFI_VA_START > EFI_VA_END, Here EFI_VA_START = -4G, and EFI_VA_END = -64G. Changing EFI_VA_START to EFI_VA_END in mm/kaslr.c fixes this problem.

More info: see the linux-efi/linux-kernel list.

checksec: x64dbg plugin to check security settings

March 26, 2017March 26, 2017 ~ hucktech ~ Leave a comment

checksec – a x64dbg plugin to check security settingshttps://t.co/lWcZ7qzQmL by my buddy @klks84

— Jacob Soo (@_jsoo_) March 26, 2017

    Initial Release supports checking of
    SafeSEH
    DEP
    ASLR
    /GS (Not 100% reliably)
    Control Flow Guard
    Signature

https://github.com/klks/checksec

Metaphor: Android statefright

March 27, 2016 ~ hucktech ~ Leave a comment

Generic Stagefright exploit for CVE-2015-3864 released !
git clone https://t.co/r3IS7vw6ZA
Vulnerable % by country: https://t.co/MDybVZPZgS

— Zuk (@ihackbanme) March 27, 2016

Metaphor – Stagefright with ASLR bypass By Hanan Be’er from NorthBit Ltd.

Metaphor’s source code is now released! The source include a PoC that generates MP4 exploits in real-time and bypassing ASLR. The PoC includes lookup tables for Nexus 5 Build LRX22C with Android 5.0.1. Server-side of the PoC include simple PHP scripts that run the exploit generator – I’m using XAMPP to serve gzipped MP4 files. The attack page is index.php. The exploit generator is written in Python and used by the PHP code.

https://blog.zimperium.com/reflecting-on-stagefright-patches/

https://github.com/NorthBit/Metaphor

Click to access NorthBit-Metaphor.pdf