Structured Exception Handling Overwrite Protection (SEHOP)


Post by Ruhe on 26/6/2010, 00:36

Windows Vista Service Pack 1, Windows 7, Windows Server 2008 and Windows Server 2008 R2 now include support for Structured Exception Handling Overwrite Protection (SEHOP). This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems.
By default, SEHOP is enabled in Windows Server 2008 R2 and in Windows Server 2008. By default, SEHOP is disabled in Windows 7 and in Windows Vista.


Microsoft about SEHOP

Thread at Wilders


Here is a .reg file:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"DisableExceptionChainValidation"=dword:00000000
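A read-only way to check the setting that the .reg file above writes, as an added PowerShell example that is not part of the original posts. The per-image Image File Execution Options location comes from Microsoft's SEHOP documentation rather than from this thread, and the function names are hypothetical.

```powershell
# Added example (not from the thread): audit the SEHOP registry settings.
# System-wide key and value name are the ones used in the .reg file above.
$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
# Per-image override location (assumption: from Microsoft's documentation, not this thread).
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'DisableExceptionChainValidation'

function Get-SehopValue {
    param([string]$Path)
    # Returns the DWORD, or $null when the key or the value does not exist.
    $props = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties[$ValueName]) {
        return [int]$props.$ValueName
    }
    return $null
}

function ConvertTo-SehopState {
    param($Value)
    # Absent value: the OS default applies. Per the thread, that is enabled on
    # Windows Server 2008 / 2008 R2 and disabled on Windows Vista SP1 / Windows 7.
    if ($null -eq $Value) { return 'not set (OS default applies)' }
    if ($Value -eq 0)     { return 'enabled' }     # chain validation not disabled
    if ($Value -eq 1)     { return 'disabled' }
    return "unexpected value $Value"
}

function Get-SehopReport {
    # System-wide setting first.
    $sys = Get-SehopValue -Path $KernelKey
    New-Object PSObject -Property @{
        Scope = 'system-wide'; Value = $sys; State = (ConvertTo-SehopState $sys)
    }
    # Then every executable that carries its own override of the same value.
    Get-ChildItem -LiteralPath $IfeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-SehopValue -Path $_.PSPath
        if ($null -ne $v) {
            New-Object PSObject -Property @{
                Scope = $_.PSChildName; Value = $v; State = (ConvertTo-SehopState $v)
            }
        }
    }
}

Get-SehopReport | Format-Table Scope, Value, State -AutoSize
```

A per-image row reading "disabled" on a machine where the system-wide row reads "enabled" marks an executable that has been opted out and is worth reviewing.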

SEHOP - Structured Exception Handling Overwrite Protection

Post by nick s on 27/6/2010, 11:09

I was unaware of SEHOP until the other day when I saw this blog:

Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP

SEHOP is enabled by default on Windows Server 2008+ and disabled by default on Vista SP1+ and Windows 7. SEHOP provides an additional layer of buffer (stack) overflow protection. From the Technet blog...

Roughly 20% of the exploits included in the latest version of the Metasploit framework make use of the SEH overwrite technique. SEH overwrites are also commonly used by exploits that target the increasing number of browser-based vulnerabilities[4].

SEHOP can be bypassed under certain conditions when having opted out of DEP for all programs and services...

Bypassing SEHOP

SEHOP Bypass PDF

SEHOP POC (usage: from an elevated command prompt execute sehpoc.exe and then execute smashit.exe)

Despite the bypass, the author concludes that...

SEHOP is not the ultimate protection against stack overflows if used alone. Since this SafeSEH extension was released, too many people consider it as unbreakable. We just demonstrated that it is possible to bypass the Structured Exception Handling Overwrite Protection under some circumstances.

But SEHOP is an excellent native security feature when used in conjunction with ASLR and DEP, we cannot deny it.

SEHOP can be enabled on Vista SP1+ and Windows 7 by applying the following patch...

How to enable Structured Exception Handling Overwrite Protection (SEHOP) in Windows operating systems


Re: Structured Exception Handling Overwrite Protection (SEHOP)

Post by ssj100 on 28/6/2010, 04:48

Thanks for the information. I'll definitely be checking this thread out when I eventually move to Windows 7 in the future. I think this is the most important conclusion drawn:

...SEHOP is an excellent native security feature when used in conjunction with ASLR and DEP...

Not to mention (as with LUA/RUA/SUA, SRP/AppLocker, DEP, ASLR) it's completely free for life, generally won't cause conflicts, and pretty much won't consume system resources.

By the way, I'm moving this thread to "Windows Hardening".

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
