August 24, 2005

Defeating Windows XP SP2 Heap protection

There are a couple of interesting articles out that discuss how you can bypass the security measures Microsoft has added for heap overflow protection in XP SP2.

The first article, written by Alexander Anisimov, shows how you can not only write to arbitrary memory regions and gain code execution, but also bypass the DEP (Data Execution Prevention) that was added in SP2.

The second article, written by Nicolas Falliere, shows how you can use critical-section-related linking structures stored on the process's default heap to produce an n*4-byte overwrite and bypass the Windows heap protections.

Interesting stuff. It looks like Nicolas has built on Alexander's research to make a more predictable heap overflow, one that doesn't require the heap to have an active and unlocked lookaside table for the operation to succeed. The method he introduces does not overwrite heap-management structures at all to produce a four-byte write. Instead, he uses a process's critical section and waits for its predictable destruction to then overwrite the heap. This works because no sanity checks are performed on these particular backward and forward pointers. I would never have thought about this vector. Apparently, neither did Microsoft.
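To make the "no sanity checks on the backward and forward pointers" point concrete, here is an added example (my own illustration, not code from either article and not the Windows heap or critical-section code itself). It models a doubly-linked list in the Flink/Blink style, an unlink routine that trusts both pointers, and the "safe unlinking" check that SP2 applies to heap free-list entries: before writing through a neighbour, confirm that the neighbour still points back at the entry being removed. The list, the node names and the out-of-list `target` entry are all constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal Flink/Blink list entry, modelled on the Windows LIST_ENTRY layout. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

static int list_length(const LIST_ENTRY *head) {
    int n = 0;
    for (const LIST_ENTRY *p = head->Flink; p != head; p = p->Flink) n++;
    return n;
}

/* Unchecked unlink: trusts both pointers. If Flink or Blink has been
   corrupted, the two stores below write list pointers to wherever the
   corrupted pointer names. This is the write primitive the post describes. */
static void unlink_unchecked(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* Safe unlink (the SP2-style check): refuse to touch memory unless both
   neighbours agree that e is linked between them. */
static bool unlink_checked(LIST_ENTRY *e) {
    if (e->Flink->Blink != e || e->Blink->Flink != e)
        return false;   /* inconsistent pointers: treat as corruption */
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    return true;
}

/* Builds head <-> a <-> b <-> c and then corrupts b's forward pointer so it
   names `target`, a constructed entry that is NOT part of the list. */
static void build_corrupted_list(LIST_ENTRY *head, LIST_ENTRY *a, LIST_ENTRY *b,
                                 LIST_ENTRY *c, LIST_ENTRY *target) {
    list_init(head);
    list_insert_tail(head, a);
    list_insert_tail(head, b);
    list_insert_tail(head, c);
    target->Flink = target->Blink = NULL;
    b->Flink = target;   /* simulated pointer corruption */
}

/* Returns 1 if the checked unlink refused the corrupted entry and left
   `target` untouched, 0 otherwise. */
int corrupted_entry_is_rejected(void) {
    LIST_ENTRY head, a, b, c, target;
    build_corrupted_list(&head, &a, &b, &c, &target);
    bool ok = unlink_checked(&b);
    return (!ok && target.Blink == NULL) ? 1 : 0;
}

/* Returns 1 if the unchecked unlink wrote a list pointer into `target`,
   i.e. into memory outside the list, 0 otherwise. */
int unchecked_unlink_writes_outside_list(void) {
    LIST_ENTRY head, a, b, c, target;
    build_corrupted_list(&head, &a, &b, &c, &target);
    unlink_unchecked(&b);
    return (target.Blink == &a) ? 1 : 0;
}

/* Returns the list length after a checked unlink of a healthy entry (expect 2). */
int healthy_unlink_succeeds(void) {
    LIST_ENTRY head, a, b, c;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    list_insert_tail(&head, &c);
    if (!unlink_checked(&b)) return -1;
    return list_length(&head);
}

int main(void) {
    printf("checked unlink rejects corrupted entry: %d\n", corrupted_entry_is_rejected());
    printf("unchecked unlink writes outside list:   %d\n", unchecked_unlink_writes_outside_list());
    printf("checked unlink on healthy entry leaves: %d nodes\n", healthy_unlink_succeeds());
    return 0;
}
```

The check costs two pointer compares per unlink, which is why it could be added to the heap free lists in SP2; the critical-section list the post refers to simply did not get the same treatment, so a corrupted entry there is still unlinked blindly.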

Pretty interesting approach. Happy reading!

Posted by SilverStr at August 24, 2005 07:22 AM