Buffer Overflow (BO) tests


Post by ssj100 on 2/5/2010, 10:45

Inspired from these two threads:
http://forums.comodo.com/comodo-memory-firewall-beta-corner/buffer-overflow-testing-application-t12541.0.html;msg88339
http://forums.comodo.com/news-announcements-feedback-cis/all-vulnerable-from-comodo-bo-tester-for-cis-v40141842828-t55897.0.html

Here are my own tests on Windows XP, 32-bit. All third party programs are tested with default configuration:

Hardware DEP applied to all programs and services:

Stack execution: Protected with default-deny pop-up (see below)
Heap execution: Protected with default-deny pop-up (see below)

Ret2Libc: Vulnerable

Comodo Internet Security 4.0.141842.828:

Stack execution: Protected with pop-up (see below)
Heap execution: Protected with pop-up (see below)
Ret2Libc: Protected with pop-up (see below)


DefenseWall 3.00:

Stack execution: Vulnerable
Heap execution: Vulnerable
Ret2Libc: Vulnerable

Online Armor Premium Personal Firewall v4.0.0.44:

Stack execution: Error (Vulnerable if allow test) - see below
Heap execution: Error (Vulnerable if allow test) - see below
Ret2Libc: Error (Vulnerable if allow test) - see below


GeSWall 2.9 Professional Edition:

Stack execution: Vulnerable
Heap execution: Vulnerable
Ret2Libc: Vulnerable

Malware Defender 2.6.0:

Stack execution: Error (Vulnerable if permit test) - see below

Heap execution: Error (Vulnerable if permit test) - see below

Ret2Libc: Error (Vulnerable if permit test) - see below


Not too sure what to make of Online Armor and Malware Defender. At best, you could view it as a partial pass? I'm not sure how to interpret those pop-ups. Does anyone have an idea? I suspect that if I click "Block" or "Deny", it means I am not letting the test run in the first place? And that's why the tests come up as Errors, rather than a Pass.

Please note that by simply using Windows' built-in security (DEP), you can pass 2 out of the 3 tests.

Anyway, feel free to ask questions or make comments. And definitely feel free to do the tests yourself - I may have made some mistakes along the way, or may have tested programs inappropriately (that is, the programs I tested do not have Buffer Overflow protection in the first place). I know Sandboxie would fail all the tests, as it doesn't have BO protection. However, Sandboxie would prevent any changes to your REAL system (and the changes in the virtualised environment would be easily discarded with a couple of clicks). I'm not sure if DefenseWall or GeSWall etc. would do the same against these kinds of attacks, as they aren't really virtualising anything (whereas Sandboxie is).

Finally, my own personal security setup/approach easily blocks/contains these types of attacks.


Last edited by ssj100 on 2/5/2010, 10:58; edited 1 time in total

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
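An added example, not from ssj100's tests or from any of the tools named above: a small C/POSIX self-check that does what the "Stack execution" and "Heap execution" tests do. It writes one harmless `ret` instruction into a stack buffer and into a heap page, tries to call it, and catches the fault DEP raises so the outcome is reported instead of crashing the process. It assumes a Linux-style SIGSEGV on an x86/x86-64 or AArch64 machine, and all function names are my own. Ret2Libc is deliberately left out: it calls code that is already executable, so page permissions alone (DEP) cannot flag it, which is why the DEP row above shows it as Vulnerable.

```c
// Added example (not from the thread): DEP/NX self-check for the "Stack execution" and "Heap execution" tests; assumes POSIX on x86/x86-64 or AArch64.
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
enum probe_result { EXEC_BLOCKED = 0, EXEC_ALLOWED = 1, PROBE_ERROR = -1 };
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_INSN[] = { 0xC3 };                   /* ret */
#else /* AArch64 */
static const unsigned char RET_INSN[] = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret */
#endif
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Place one harmless `ret` in buf (the I-cache flush matters on ARM). */
static void write_ret(void *buf) {
    memcpy(buf, RET_INSN, sizeof RET_INSN);
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof RET_INSN);
}

/* Call into `code`: when DEP forbids execution the jump faults (SIGSEGV on Linux) and we report EXEC_BLOCKED. */
static enum probe_result try_execute(void *code) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, &old);
    volatile enum probe_result r = EXEC_BLOCKED;   /* volatile: survives siglongjmp */
    if (sigsetjmp(fault_env, 1) == 0) {
        void (*volatile fn)(void) = (void (*)(void))code;
        fn();                            /* returns only if the page is executable */
        r = EXEC_ALLOWED;
    }
    sigaction(SIGSEGV, &old, NULL);
    return r;
}

enum probe_result probe_stack_exec(void) {                /* "Stack execution" */
    unsigned char stack_buf[16];
    write_ret(stack_buf);
    return try_execute(stack_buf);
}

/* "Heap execution"; make_executable re-marks the page RX first (W^X), the control case DEP permits. */
enum probe_result probe_heap_exec(int make_executable) {
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return PROBE_ERROR;
    write_ret(p);
    if (make_executable && mprotect(p, 4096, PROT_READ | PROT_EXEC) != 0) { munmap(p, 4096); return PROBE_ERROR; }
    enum probe_result r = try_execute(p);
    munmap(p, 4096);
    return r;
}
```

On a system with DEP/NX active, `probe_stack_exec()` and `probe_heap_exec(0)` return EXEC_BLOCKED, while the RX control case `probe_heap_exec(1)` returns EXEC_ALLOWED.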

Re: Buffer Overflow (BO) tests

Post by Guest on 2/5/2010, 10:57

I just do not understand buffer overflow attacks.
I do not understand:
1. Exactly what they are.
2. How big a threat they are.
3. Am I protected?

With that level of ignorance, question #3 seems most likely "no".
So, #2 becomes an even more major concern.

noor


Re: Buffer Overflow (BO) tests

Post by ssj100 on 2/5/2010, 11:05

1. To be honest, I struggle to fully understand exactly what they are also:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1048483,00.html
http://en.wikipedia.org/wiki/Buffer_overflow

2. Not really sure myself

3. I think you are protected, since you use Sandboxie and Shadow Defender combined with a good security approach. The huge advantage of virtualisation is that it allows (almost) anything to occur, but nothing happens on the REAL system.


Last edited by ssj100 on 2/5/2010, 11:11; edited 1 time in total


Re: Buffer Overflow (BO) tests

Post by Guest on 2/5/2010, 11:11

Thanks!!
Fingers crossed in any event!!

noor


Re: Buffer Overflow (BO) tests

Post by ssj100 on 5/5/2010, 16:21

Yes, regardless, it should be noted that DefenseWall and GeSWall both clearly failed all 3 tests. So those who just rely on these software may want to re-think their security strategy.


Re: Buffer Overflow (BO) tests

Post by ssj100 on 15/6/2010, 04:42

Just tested "Wehntrust (Buffer Overflow protection)" and it fails all 3 tests. Is there something I'm missing with this application?

And also just tested DefencePlus 2.20: completely crashed my VM and subsequently couldn't even restart. This was unexpected and certainly not a good look for DefencePlus. I note that on the DefencePlus website, they say that it does not run in VMs. However, it certainly appears to function just fine in VirtualBox and is able to block a real exploit as described here:
http://ssj100.fullsubject.com/security-f7/buffer-overflow-exploit-writing-tutorial-t97.htm#590


Re: Buffer Overflow (BO) tests

Post by Ruhe on 15/6/2010, 11:48

@DefenseWall: really failed? Just because one process spawns another one, it does not mean the new process harms the system while under the supervision of DefenseWall.

See your result and comment here, "runs everything untrusted - conditional PASS (exploit still runs)"

Re: Buffer Overflow (BO) tests

Post by ssj100 on 15/6/2010, 12:02

Ruhe wrote: @DefenseWall: really failed? Just because one process spawns another one, it does not mean the new process harms the system while under the supervision of DefenseWall.

See your result and comment here, "runs everything untrusted - conditional PASS (exploit still runs)"

Did you actually test this yourself? DefenseWall fails all 3 tests. Not surprising, since it's well known DefenseWall does not block buffer overflow exploits. Sure, DefenseWall may be able to contain the exploit, but it can't block it from running. I don't think we'll ever know how well DefenseWall is at mitigating buffer overflow exploits.


Re: Buffer Overflow (BO) tests

Post by Ruhe on 15/6/2010, 13:49

We have to differentiate between 'blocking the exploit from running' and 'letting it run but not harm the system'. The 2nd is what DW is doing, hopefully.

Re: Buffer Overflow (BO) tests

Post by ssj100 on 15/6/2010, 13:53

Ruhe wrote: We have to differentiate between 'blocking the exploit from running' and 'letting it run but not harm the system'. The 2nd is what DW is doing, hopefully.

Exactly. DefenseWall is at most "containing" the exploit. Just like Sandboxie. The best way would be to block the exploit from running in the first place and Microsoft's Hardware DEP (and a few third party applications) can do this. However, I'm pretty sure Hardware DEP is easily bypassed.

