ssj100 Security Forums

Structured Exception Handling Overwrite Protection (SEHOP)


Post by Ruhe 26/6/2010, 00:36

Windows Vista Service Pack 1, Windows 7, Windows Server 2008 and Windows Server 2008 R2 now include support for Structured Exception Handling Overwrite Protection (SEHOP). This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems.
By default, SEHOP is enabled in Windows Server 2008 R2 and in Windows Server 2008. By default, SEHOP is disabled in Windows 7 and in Windows Vista.


Microsoft about SEHOP

Thread at Wilders


Here is a .reg file:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"DisableExceptionChainValidation"=dword:00000000
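To confirm what a machine ends up with after importing the .reg file above, here is an added example for Windows PowerShell (not code from the thread or from Microsoft). It reads the same DisableExceptionChainValidation value and, when the value is absent, falls back to the defaults quoted in the post. Assumptions: the function names are hypothetical, and the per-image check uses the Image File Execution Options value that Microsoft documents for Windows 7 and Server 2008 R2, which the thread does not mention.

```powershell
# Added example: report the effective SEHOP setting on this machine.
$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'DisableExceptionChainValidation'

function Get-SehopValue {
    # Hypothetical helper: returns the DWORD, or $null when the key or value is missing.
    param([string]$Path)
    $item = Get-ItemProperty -LiteralPath $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { return $item.$ValueName }
    return $null
}

function Resolve-SehopState {
    # Hypothetical helper: maps the raw registry value and OS type to a verdict.
    param($RegistryValue, [bool]$IsServer)
    if ($null -eq $RegistryValue) {
        # Value absent: use the defaults stated in the post
        # (enabled on Server 2008 / 2008 R2, disabled on Vista SP1 / Windows 7).
        if ($IsServer) { return 'Enabled (default, value absent)' }
        return 'Disabled (default, value absent)'
    }
    if ($RegistryValue -eq 0) { return 'Enabled (explicit)' }
    if ($RegistryValue -eq 1) { return 'Disabled (explicit)' }
    return "Unexpected value: $RegistryValue"
}

function Get-SehopStatus {
    # ProductType 1 = workstation; 2 and 3 = domain controller / server.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $isServer = $os.ProductType -ne 1
    $system = Resolve-SehopState -RegistryValue (Get-SehopValue $KernelKey) -IsServer $isServer

    # Per-image overrides: a value of 1 under an executable's IFEO key opts that
    # program out even when the system-wide setting is enabled.
    $optOuts = @(Get-ChildItem -LiteralPath $IfeoKey -ErrorAction SilentlyContinue |
        Where-Object { (Get-SehopValue $_.PSPath) -eq 1 } |
        ForEach-Object { $_.PSChildName })

    New-Object PSObject -Property @{
        OS             = $os.Caption
        SystemWide     = $system
        PerImageOptOut = $optOuts
    }
}

Get-SehopStatus | Format-List
```

Any executable listed under PerImageOptOut runs without SEHOP regardless of the system-wide value, so review that list after enabling the feature.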

SEHOP - Structured Exception Handling Overwrite Protection

Post by nick s 27/6/2010, 11:09

I was unaware of SEHOP until the other day when I saw this blog:

Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP

SEHOP is enabled by default on Windows Server 2008+ and disabled by default on Vista SP1+ and Windows 7. SEHOP provides an additional layer of buffer (stack) overflow protection. From the Technet blog...

Roughly 20% of the exploits included in the latest version of the Metasploit framework make use of the SEH overwrite technique. SEH overwrites are also commonly used by exploits that target the increasing number of browser-based vulnerabilities[4].

SEHOP can be bypassed under certain conditions when having opted out of DEP for all programs and services...

Bypassing SEHOP

SEHOP Bypass PDF

SEHOP POC (usage: from an elevated command prompt execute sehpoc.exe and then execute smashit.exe)

Despite the bypass, the author concludes that...

SEHOP is not the ultimate protection against stack overflows if used alone. Since this SafeSEH extension was released, too many people consider it as unbreakable. We just demonstrated that it is possible to bypass the Structured Exception Handling Overwrite Protection under some circumstances.

But SEHOP is an excellent native security feature when used in conjunction with ASLR and DEP, we cannot deny it.

SEHOP can be enabled on Vista SP1+ and Windows 7 by applying the following patch...

How to enable Structured Exception Handling Overwrite Protection (SEHOP) in Windows operating systems


Re: Structured Exception Handling Overwrite Protection (SEHOP)

Post by ssj100 28/6/2010, 04:48

Thanks for the information. I'll definitely be checking this thread out when I eventually move to Windows 7 in the future. I think this is the most important conclusion drawn:

...SEHOP is an excellent native security feature when used in conjunction with ASLR and DEP...

Not to mention (as with LUA/RUA/SUA, SRP/AppLocker, DEP, ASLR) it's completely free for life, generally won't cause conflicts, and pretty much won't consume system resources.

By the way, I'm moving this thread to "Windows Hardening".