Hi,

Ive done a limited amount of research on vulnerability analysis and exploit development, and I have a couple of querys about how relevant typical exploits like buffer overlows and format string attacks are today.

Being more specific, most modern operating systems ship with some kind of ASLR, which from what ive seen isnt at all easy to bypass. I would be interested if theres any papers on how it can actually be defeated? Plus theres things avaliable on top of this like stack protection,  grsecurity and selinux locking things down further.

With this in mind, getting shellcode working in a modern OS seems 'near impossible'? Dont get me wrong 5 years ago it seemed incredibly dangerous and easy to do. But from what ive read it seems to be getting to the point where all you can do now is crash a program i.e DoS.

So am I correct in this line of thought? I suppose crashing a program can be considered just as serious, but being able to executing arbitrary code from an OS level vulneratbility or a running process seems to be fading away? Any other attack vectors relevant to these kind of vulnerabilities?

Thanks,

Jack

All of these features are basically raising the security bar on security.  With each thing, the amount of skill and effort it takes to get a working exploit rises.  That's the basic point of all the security stuff we throw out there.  Whether it's firewalls or service hardening or whatever, if there is a person motivated enough and skilled enough with a lot of free time on his/her hands, eventually they will either figure out how to get in or give up to find something more fun. 

There was discussion at DEFCON of how to defeat some of these things.  If you read this article http://arstechnica.com/news.ars/post/20080811-the-sky-isnt-falling-a-look-at-a-new-vista-security-bypass.html there is the discussion that talks what tntcoda said.  The things that I read that seemed most important is that a portion of all of this depends on software developers doing the right thing.  This is also implied with the grsecurity software here: http://www.grsecurity.net/confighelp.php.

In my opinion, we as security people can keep putting up barriers, but when we look at software development, even the folks that the developers frequently look up to such as Microsoft, are opting out of their own security measures (see the first article referenced).  If we are running OS's with only the base services enabled and fully patched, I think that the bar is pretty high up there, but as soon as you start installing software on there, the attack vector just gets bigger.  With Vista as an example, I am pretty confident that many people that got bothered by UAC just turned that puppy off and there goes another layer of protection.  Knowing that IE has opted out of additional security features along with this, and your attack space has gotten larger.

In my opinion, if we want to make sure that the systems are security, it needs to be a multi-pronged approach.  1) it needs to be convenient for the user, 2) it needs to be built into the OS, 3) it needs to be enforced by the applications.  Developers are going to need to start writing code that doesn't opt out of DEP (Data Execution Protection) and ASLR(Address Space Layout Randomization), but sometimes that's hard, and we're willing to compromise. We all compromise some, I am sure that I'm not the only one that's hit the "remind me later" button on Acrobat when I'm trying to read a PDF off of a site that I trust. The compromise is what really gets us in trouble i think.

Thanks alot for all the info guys, makes alot of sense. Will have a read through the papers posted

you never did say what ports were open on that NT box.  its quite a stretch to say NT4 is secure.

wow oct is shaping up to be a great month.

and consider the thread fully hijacked 

DCOM exploit didnt work?

reboot it!!

did you determine the service pack level?

also, if you've tried other exploits and they failed you need to reboot it so those services can start back up, NT is notorious for crashing services after failed exploit attempts.