October 04, 2004

Defeating the Windows Server 2003 Stack

I just finished reading an excellent paper by David Litchfield on "Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server". What is funny is that his findings are actually an echo of those I've seen from people like Greg Hoglund who are already trampling the .data segment to defeat the canary for rootkits.

What I think makes this paper valuable isn't in talking about how to defeat the W2K3 stack, but in how to protect it. The most obvious conclusion, which has been made by other developers who have looked at this, is to use VirtualProtect on the segment of .data that is holding the stack cookie. Doing so prevents an attacker from modifying the cookie and walking the stack on demand.
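A sketch of the mitigation described above, as an added example that is not from the original post or from Litchfield's paper: a guard value is kept on its own page, which is made read-only with VirtualProtect once it has been initialised. The names `cookie_init`, `cookie_get` and `cookie_is_writable` are assumptions, and the `mprotect` branch is there only so the example also builds on non-Windows systems.

```c
#define _DEFAULT_SOURCE /* exposes MAP_ANONYMOUS on glibc */
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif
/* Protection is per page, so the value gets a page of its own (assumption of this sketch). */
static uintptr_t *g_cookie;

/* Allocate one page, store the value, then drop write access. 0 on success. */
int cookie_init(uintptr_t value)
{
#ifdef _WIN32
    DWORD old;
    void *p = VirtualAlloc(NULL, sizeof value, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!p) return -1;
    *(uintptr_t *)p = value;
    if (!VirtualProtect(p, sizeof value, PAGE_READONLY, &old)) return -1;
#else
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    *(uintptr_t *)p = value;
    if (mprotect(p, len, PROT_READ) != 0) return -1;
#endif
    g_cookie = p;
    return 0;
}

uintptr_t cookie_get(void) { return *g_cookie; }

/* Ask the OS whether the page is writable, without faulting. 1 = writable. */
int cookie_is_writable(void)
{
#ifdef _WIN32
    MEMORY_BASIC_INFORMATION mbi;
    if (!VirtualQuery(g_cookie, &mbi, sizeof mbi)) return -1;
    return (mbi.Protect & (PAGE_READWRITE | PAGE_WRITECOPY)) != 0;
#else
    int fds[2], ok, writable;
    if (pipe(fds) != 0) return -1;
    ok = write(fds[1], "x", 1) == 1;
    /* read() into a read-only page fails with EFAULT rather than faulting. */
    writable = ok && read(fds[0], g_cookie, 1) == 1;
    close(fds[0]); close(fds[1]);
    return ok ? writable : -1;
#endif
}
```

After `cookie_init` returns, a stray or hostile write to the page raises an access violation instead of silently replacing the value.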

Anyways. Good read. Most stuff from David is. Happy reading!

Posted by SilverStr at October 4, 2004 10:42 AM