September 11, 2003

Defeating the stack protection mechanism in Windows 2003 Server

David Litchfield has released an excellent paper on how to defeat the stack protection mechanism built into Windows Server 2003.

This is really about the Visual C++ .NET compiler's /GS flag (which is now on by default, btw), the switch that builds the stack protection in.

He has some brilliant suggestions for Microsoft on how to solve these problems and significantly reduce the threat. My favorite is the fact that you can overwrite the cookie Microsoft uses to detect that the stack has been overflowed.

It is quite simple really. In the function prologue the compiler puts a cookie (an unsigned int) on the stack between the local buffers and the saved return address, copied from a master value stored in the module's .data section. In the epilogue, before the function returns, the two are compared; if they don't match, a buffer was overflowed, and the CRT's security failure handler runs instead of the return. Here is the problem: .data is writable. An attacker who can write to that location (a linear stack overflow can't reach it on its own, but any other write primitive can) overwrites the master copy with the same value the overflow left on the stack, and the check passes. His recommendation? Use VirtualProtect on that memory page and make it read-only once the cookie has been initialised. No duh! Why didn't I think of that.
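To make the three cases concrete, here is an added example (my own, not Litchfield's paper or Microsoft's CRT) that models the /GS check by hand: a frame with the cookie between buffer and return address, a master cookie on a page of its own standing in for __security_cookie in .data, an overflow that the check catches, the bypass where the attacker also writes the master copy, and the fix where the page has been made read-only so that write faults. The names gs_frame, cookie_alloc, cookie_make_readonly, store_blocked and the scenario functions are mine; the 0xBB40E64E seed is MSVC's default cookie value, used here in place of the real initialisation routine. It builds with VirtualProtect on Windows and with the equivalent mprotect elsewhere.

```c
/* Added example, not Litchfield's or Microsoft's code: a hand-rolled model of the /GS
 * cookie check, of the writable-.data weakness the post describes, and of the fix.
 * Stands in for __security_cookie, __security_init_cookie and __security_check_cookie. */
#define _GNU_SOURCE
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>
#endif

/* Frame of a /GS-compiled function: the cookie sits between the local buffer and the
 * saved return address, so a linear overflow cannot reach one without the other. */
typedef struct { char buf[16]; uint32_t cookie; uint32_t saved_ret; } gs_frame;
#define EVIL     0x41414141u  /* the value the attacker's payload writes everywhere */
#define PAGE_LEN 4096         /* the OS rounds this up where pages are larger */

/* Master cookie on a page of its own, standing in for __security_cookie in .data. */
static uint32_t *cookie_alloc(void) {
#ifdef _WIN32
    uint32_t *p = VirtualAlloc(NULL, PAGE_LEN, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
#else
    uint32_t *p = mmap(NULL, PAGE_LEN, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) p = NULL;
#endif
    if (p) *p = 0xBB40E64Eu;  /* MSVC's default seed; the real init mixes time, PID, tick count */
    return p;
}
static void cookie_free(uint32_t *p) {
#ifdef _WIN32
    VirtualFree(p, 0, MEM_RELEASE);
#else
    munmap(p, PAGE_LEN);
#endif
}
/* The fix: once the cookie is initialised, drop write access to its page. */
static int cookie_make_readonly(uint32_t *p) {
#ifdef _WIN32
    DWORD old; return VirtualProtect(p, PAGE_LEN, PAGE_READONLY, &old) != 0;
#else
    return mprotect(p, PAGE_LEN, PROT_READ) == 0;
#endif
}

/* Prologue copies the master cookie into the frame; the epilogue compares it back.
 * smash_frame is the unchecked copy into buf that runs over cookie and saved_ret. */
static void gs_prologue(gs_frame *f, const uint32_t *m, uint32_t ret) { f->cookie = *m; f->saved_ret = ret; }
static int  gs_epilogue_ok(const gs_frame *f, const uint32_t *m) { return f->cookie == *m; }
static void smash_frame(gs_frame *f) { memset(f, 0x41, sizeof *f); }

/* Attempt a store; return 1 if page protection blocked it, 0 if it landed. */
#ifndef _WIN32
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }
#endif
static int store_blocked(volatile uint32_t *p, uint32_t v) {
#ifdef _WIN32
    __try { *p = v; } __except (EXCEPTION_EXECUTE_HANDLER) { return 1; }
    return 0;
#else
    struct sigaction sa, old_segv, old_bus; volatile int blocked = 0;
    memset(&sa, 0, sizeof sa); sa.sa_handler = on_fault; sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv); sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_env, 1) == 0) *p = v; else blocked = 1;
    sigaction(SIGSEGV, &old_segv, NULL); sigaction(SIGBUS, &old_bus, NULL);
    return blocked;
#endif
}

/* Case 1: plain overflow. The attacker does not know the cookie, so the check fires. */
int scenario_overflow_detected(void) {
    uint32_t *m = cookie_alloc(); gs_frame f; if (!m) return -1;
    gs_prologue(&f, m, 0xDEADBEEFu); smash_frame(&f);
    int caught = !gs_epilogue_ok(&f, m);
    cookie_free(m); return caught;
}

/* Case 2: the weakness. A separate arbitrary write into .data (the linear overflow itself
 * cannot reach it) makes the master copy match the smashed frame, the epilogue is
 * satisfied, and the function returns through the attacker's saved_ret. */
int scenario_writable_global_bypassed(void) {
    uint32_t *m = cookie_alloc(); gs_frame f; if (!m) return -1;
    gs_prologue(&f, m, 0xDEADBEEFu); smash_frame(&f);
    int bypassed = !store_blocked(m, EVIL) && gs_epilogue_ok(&f, m) && f.saved_ret == EVIL;
    cookie_free(m); return bypassed;
}

/* Case 3: the fix. With the page read-only the same write faults, the master copy keeps
 * its real value, and the epilogue still catches the smashed frame. */
int scenario_readonly_global_holds(void) {
    uint32_t *m = cookie_alloc(); gs_frame f; if (!m) return -1;
    gs_prologue(&f, m, 0xDEADBEEFu); smash_frame(&f);
    if (!cookie_make_readonly(m)) { cookie_free(m); return -1; }
    int held = store_blocked(m, EVIL) && !gs_epilogue_ok(&f, m);
    cookie_free(m); return held;
}
```

Each scenario returns 1 when it behaves as described. The point of case 3 is the ordering: the page is made read-only only after the cookie has been seeded, which is the same constraint a real CRT has, since __security_init_cookie must write the value before anything can lock it down. Note also that the master copy needs a page to itself for this to work; if it shares a page with other writable globals, VirtualProtect would break them.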

This is great, as it solves a different problem I was having in my kernel-mode driver. I totally forgot about things like VirtualProtect (and MmSecureVirtualMemory in the kernel), which will let me lock down a page of memory that I need to keep from being tampered with.

Thanks for the insight David! Great paper.

Posted by SilverStr at September 11, 2003 12:27 PM
Comments

bla bla bla

Posted by: drego at June 2, 2004 07:09 AM

cool forum!

Posted by: Mike at August 5, 2004 01:56 AM