Buffer Overflow (BO) tests
Inspired from these two threads:
http://forums.comodo.com/comodo-memory-firewall-beta-corner/buffer-overflow-testing-application-t12541.0.html;msg88339
http://forums.comodo.com/news-announcements-feedback-cis/all-vulnerable-from-comodo-bo-tester-for-cis-v40141842828-t55897.0.html
Here are my own tests on Windows XP, 32-bit. All third-party programs are tested with default configuration:
Hardware DEP applied to all programs and services:
Stack execution: Protected with default-deny pop-up (see below)
Heap execution: Protected with default-deny pop-up (see below)
Ret2Libc: Vulnerable
Comodo Internet Security 4.0.141842.828:
Stack execution: Protected with pop-up (see below)
Heap execution: Protected with pop-up (see below)
Ret2Libc: Protected with pop-up (see below)
DefenseWall 3.00:
Stack execution: Vulnerable
Heap execution: Vulnerable
Ret2Libc: Vulnerable
Online Armor Premium Personal Firewall v4.0.0.44:
Stack execution: Error (Vulnerable if allow test) - see below
Heap execution: Error (Vulnerable if allow test) - see below
Ret2Libc: Error (Vulnerable if allow test) - see below
GeSWall 2.9 Professional Edition:
Stack execution: Vulnerable
Heap execution: Vulnerable
Ret2Libc: Vulnerable
Malware Defender 2.6.0:
Stack execution: Error (Vulnerable if permit test) - see below
Heap execution: Error (Vulnerable if permit test) - see below
Ret2Libc: Error (Vulnerable if permit test) - see below
Not too sure what to make of Online Armor and Malware Defender. At best, you could view it as a partial pass? I'm not sure how to interpret those pop-ups. Does anyone have an idea? I suspect that if I click "Block" or "Deny", it means I am not letting the test run in the first place? And that's why the tests come up as Errors, rather than a Pass.
Please note that by simply using Windows' built-in security (DEP), you can pass 2 out of the 3 tests.
Anyway, feel free to ask questions or make comments. And definitely feel free to do the tests yourself - I may have made some mistakes along the way, or may have tested programs inappropriately (that is, the programs I tested do not have Buffer Overflow protection in the first place). I know Sandboxie would fail all the tests, as it doesn't have BO protection. However, Sandboxie would prevent any changes to your REAL system (and the changes in the virtualised environment would be easily discarded with a couple of clicks). I'm not sure if DefenseWall or GeSWall etc would do the same against these kinds of attacks, as they aren't really virtualising anything (whereas Sandboxie is).
Finally, my own personal security setup/approach easily blocks/contains these types of attacks.
Last edited by ssj100 on 2/5/2010, 10:58; edited 1 time in total
Re: Buffer Overflow (BO) tests
I just do not understand buffer overflow attacks.
I do not understand:
1. Exactly what they are.
2. How big a threat they are.
3. Am I protected?
With that level of ignorance, question #3 seems most likely "no".
So, #2 becomes an even more major concern.
noor
Guest- Guest
Re: Buffer Overflow (BO) tests
1. To be honest, I struggle to fully understand exactly what they are also:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1048483,00.html
http://en.wikipedia.org/wiki/Buffer_overflow
2. Not really sure myself
3. I think you are protected, since you use Sandboxie and Shadow Defender combined with a good security approach. The huge advantage of virtualisation is that it allows (almost) anything to occur, but nothing happens on the REAL system.
Last edited by ssj100 on 2/5/2010, 11:11; edited 1 time in total
Re: Buffer Overflow (BO) tests
Yes, regardless, it should be noted that DefenseWall and GeSWall both clearly failed all 3 tests. So those who just rely on these software may want to re-think their security strategy.
Re: Buffer Overflow (BO) tests
Just tested "Wehntrust (Buffer Overflow protection)" and it fails all 3 tests. Is there something I'm missing with this application?
And also just tested DefencePlus 2.20: completely crashed my VM and subsequently couldn't even restart. This was unexpected and certainly not a good look for DefencePlus. I note that on the DefencePlus website, they say that it does not run in VMs. However, it certainly appears to function just fine in VirtualBox and is able to block a real exploit as described here:
https://ssj100.forumotion.com/security-f7/buffer-overflow-exploit-writing-tutorial-t97.htm#590
Re: Buffer Overflow (BO) tests
@DefenseWall: really failed? Just because one process spawns another one it does not mean the new process harms the system while in supervision of DefenseWall.
See your result and comment here, "runs everything untrusted - conditional PASS (exploit still runs)"
Ruhe- Valued Member
- Posts : 261
Join date : 2010-04-16
Location : Germany
Re: Buffer Overflow (BO) tests
Ruhe wrote:@DefenseWall: really failed? Just because one process spawns another one it does not mean the new process harms the system while in supervision of DefenseWall.
See your result and comment here, "runs everything untrusted - conditional PASS (exploit still runs)"
Did you actually test this yourself? DefenseWall fails all 3 tests. Not surprising, since it's well known DefenseWall does not block buffer overflow exploits. Sure, DefenseWall may be able to contain the exploit, but it can't block it from running. I don't think we'll ever know how well DefenseWall is at mitigating buffer overflow exploits.
Re: Buffer Overflow (BO) tests
We have to differentiate between 'blocking the exploit from running' and 'let it run but not harm the system'. 2nd is what DW is doing, hopefully.
Ruhe- Valued Member
- Posts : 261
Join date : 2010-04-16
Location : Germany
Re: Buffer Overflow (BO) tests
Ruhe wrote:We have to differentiate between 'blocking the exploit from running' and 'let it run but not harm the system'. 2nd is what DW is doing, hopefully.
Exactly. DefenseWall is at most "containing" the exploit. Just like Sandboxie. The best way would be to block the exploit from running in the first place and Microsoft's Hardware DEP (and a few third party applications) can do this. However, I'm pretty sure Hardware DEP is easily bypassed.
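Added example, not from this thread and not the code of the Comodo tester or of any product discussed above: a small C program that performs the same three checks the first post reports (stack execution, heap execution, ret2libc) and a fourth that illustrates the "DEP is easily bypassed" remark. It assumes Linux on x86-64 or AArch64 with gcc or clang; the `victim` struct, the `existing_code` stand-in for a libc function, and the one-instruction "shellcode" are constructed for the example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum result { BLOCKED = 0, EXECUTED = 1, UNSUPPORTED = 2 };

/* Constructed "shellcode": a lone `ret` (on x86-64 preceded by an endbr64
 * landing pad so it is also valid under CET/IBT). If the CPU does run it,
 * control simply comes back to us. Assumes x86 or AArch64. */
#if defined(__x86_64__)
static const unsigned char RET_INSN[] = { 0xF3, 0x0F, 0x1E, 0xFA, 0xC3 };
#elif defined(__i386__)
static const unsigned char RET_INSN[] = { 0xC3 };
#elif defined(__aarch64__)
static const unsigned char RET_INSN[] = { 0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "example assumes x86 or AArch64"
#endif

static sigjmp_buf recover;
static void on_fault(int sig) { (void)sig; siglongjmp(recover, 1); }

/* Jump to the bytes at p, as an overwritten return address or function pointer
 * would. The SIGSEGV/SIGBUS that DEP/NX raises on the instruction fetch is
 * caught and reported as BLOCKED; if the `ret` actually runs, EXECUTED. */
static enum result try_execute(void *p) {
    struct sigaction sa; memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
    if (sigsetjmp(recover, 1) != 0) return BLOCKED;
    void (*fn)(void); memcpy(&fn, &p, sizeof fn);   /* data pointer -> code pointer */
    fn();
    return EXECUTED;
}

static void write_code(void *dst, size_t len) {
    memcpy(dst, RET_INSN, sizeof RET_INSN);
    __builtin___clear_cache((char *)dst, (char *)dst + len);  /* ARM needs this */
}

/* Test 1: shellcode in a local (stack) buffer. */
enum result test_stack_execution(void) {
    unsigned char buf[64] __attribute__((aligned(16)));
    write_code(buf, sizeof buf);
    return try_execute(buf);
}

/* Test 2: shellcode in a malloc'd (heap) buffer. */
enum result test_heap_execution(void) {
    unsigned char *buf = malloc(64);
    if (!buf) return UNSUPPORTED;
    write_code(buf, 64);
    enum result r = try_execute(buf);
    free(buf);
    return r;
}

/* Test 3: ret2libc. No new code is executed; the overflow merely points a
 * function pointer at code that is already mapped executable (system() in libc
 * in a real attack; a local stand-in here). DEP has nothing to object to. */
struct victim { char name[16]; void (*callback)(void); };   /* constructed target */
static volatile int reused_code_ran;
static void existing_code(void) { reused_code_ran = 1; }
static void intended_callback(void) { }
enum result test_ret2libc(void) {
    struct victim v;
    unsigned char payload[sizeof v.name + sizeof v.callback];
    void (*target)(void) = existing_code;
    v.callback = intended_callback;
    memset(payload, 'A', sizeof v.name);                      /* filler up to the pointer */
    memcpy(payload + sizeof v.name, &target, sizeof target);  /* then the reused address */
    memcpy(&v, payload, sizeof payload);   /* the "overflow": runs past name into callback */
    reused_code_ran = 0;
    v.callback();
    return reused_code_ran ? EXECUTED : BLOCKED;
}

/* Test 4: DEP is a per-page attribute. The same bytes run once the page is
 * remapped RX, which an exploit arranges by reaching mprotect()/VirtualProtect()
 * through a ret2libc-style redirect. */
enum result test_remapped_page(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return UNSUPPORTED;
    write_code(p, sizeof RET_INSN);
    if (mprotect(p, page, PROT_READ | PROT_EXEC) != 0) { munmap(p, page); return UNSUPPORTED; }
    enum result r = try_execute(p);
    munmap(p, page);
    return r;
}

int main(void) {
    static const char *verdict[] = { "Protected", "Vulnerable", "Unsupported" };
    printf("Stack execution: %s\nHeap execution: %s\nRet2Libc: %s\nRX remap: %s\n",
           verdict[test_stack_execution()], verdict[test_heap_execution()],
           verdict[test_ret2libc()], verdict[test_remapped_page()]);
    return 0;
}
```

Build with `cc -O1 -o bo_test bo_test.c` (file name is the reader's choice). On a system with NX/DEP enabled the first two checks report Protected and the last two Vulnerable, which is the same split the first post records for hardware DEP alone: DEP refuses to fetch instructions from writable data, but it cannot tell a redirected call into already-executable code from a legitimate one, and once such a redirect reaches mprotect()/VirtualProtect() the attacker's own bytes become executable too. That is what the third-party tools in the thread try to catch by hooking those calls and inspecting where the caller came from.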