ssj100 Security Forums

Buffer Overflow (BO) tests


Post by ssj100 2/5/2010, 10:45

Inspired by these two threads:
http://forums.comodo.com/comodo-memory-firewall-beta-corner/buffer-overflow-testing-application-t12541.0.html;msg88339
http://forums.comodo.com/news-announcements-feedback-cis/all-vulnerable-from-comodo-bo-tester-for-cis-v40141842828-t55897.0.html

Here are my own tests on Windows XP, 32-bit. All third-party programs are tested with their default configuration:

Hardware DEP applied to all programs and services:

Stack execution: Protected with default-deny pop-up (see below)
Heap execution: Protected with default-deny pop-up (see below)
[screenshot: DEP pop-up]
Ret2Libc: Vulnerable

Comodo Internet Security 4.0.141842.828:

Stack execution: Protected with pop-up (see below)
Heap execution: Protected with pop-up (see below)
Ret2Libc: Protected with pop-up (see below)
[screenshot: Comodo pop-up]

DefenseWall 3.00:

Stack execution: Vulnerable
Heap execution: Vulnerable
Ret2Libc: Vulnerable

Online Armor Premium Personal Firewall v4.0.0.44:

Stack execution: Error (Vulnerable if allow test) - see below
Heap execution: Error (Vulnerable if allow test) - see below
Ret2Libc: Error (Vulnerable if allow test) - see below
[screenshot: Online Armor pop-up]

GeSWall 2.9 Professional Edition:

Stack execution: Vulnerable
Heap execution: Vulnerable
Ret2Libc: Vulnerable

Malware Defender 2.6.0:

Stack execution: Error (Vulnerable if permit test) - see below
[screenshot: Malware Defender pop-up, stack test]
Heap execution: Error (Vulnerable if permit test) - see below
[screenshot: Malware Defender pop-up, heap test]
Ret2Libc: Error (Vulnerable if permit test) - see below
[screenshot: Malware Defender pop-up, Ret2Libc test]

Not too sure what to make of Online Armor and Malware Defender. At best, you could view it as a partial pass? I'm not sure how to interpret those pop-ups. Does anyone have an idea? I suspect that if I click "Block" or "Deny", it means I am not letting the test run in the first place? And that's why the tests come up as Errors, rather than a Pass.

Please note that by simply using Windows' built-in security (DEP), you can pass 2 out of the 3 tests.

Anyway, feel free to ask questions or make comments. And definitely feel free to do the tests yourself - I may have made some mistakes along the way, or may have tested programs inappropriately (that is, the programs I tested do not have Buffer Overflow protection in the first place). I know Sandboxie would fail all the tests, as it doesn't have BO protection. However, Sandboxie would prevent any changes to your REAL system (and the changes in the virtualised environment would be easily discarded with a couple of clicks). I'm not sure if DefenseWall or GeSWall etc would do the same against these kinds of attacks, as they aren't really virtualising anything (whereas Sandboxie is).

Finally, my own personal security setup/approach easily blocks/contains these types of attacks.


Last edited by ssj100 on 2/5/2010, 10:58; edited 1 time in total
ssj100 (Administrator), Posts: 1390, Join date: 2010-04-14, https://ssj100.forumotion.com


Post by Guest 2/5/2010, 10:57

I just do not understand buffer overflow attacks.
I do not understand:
1. Exactly what they are.
2. How big a threat they are.
3. Am I protected?

With that level of ignorance, question #3 seems most likely "no".
So #2 becomes an even more major concern.

noor (Guest)


Post by ssj100 2/5/2010, 11:05

1. To be honest, I struggle to fully understand exactly what they are also:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1048483,00.html
http://en.wikipedia.org/wiki/Buffer_overflow

2. Not really sure myself

3. I think you are protected, since you use Sandboxie and Shadow Defender combined with a good security approach. The huge advantage of virtualisation is that it allows (almost) anything to occur, but nothing happens on the REAL system.


Last edited by ssj100 on 2/5/2010, 11:11; edited 1 time in total


Post by Guest 2/5/2010, 11:11

Thanks!!
Fingers crossed in any event!!

noor


Post by ssj100 5/5/2010, 16:21

Yes, regardless, it should be noted that DefenseWall and GeSWall both clearly failed all 3 tests. So those who rely solely on this software may want to re-think their security strategy.


Post by ssj100 15/6/2010, 04:42

Just tested "Wehntrust (Buffer Overflow protection)" and it fails all 3 tests. Is there something I'm missing with this application?

And I also just tested DefencePlus 2.20: it completely crashed my VM, which subsequently couldn't even restart. This was unexpected and certainly not a good look for DefencePlus. I note that on the DefencePlus web-site, they say that it does not run in VMs. However, it certainly appears to function just fine in VirtualBox and is able to block a real exploit as described here:
https://ssj100.forumotion.com/security-f7/buffer-overflow-exploit-writing-tutorial-t97.htm#590


Post by Ruhe 15/6/2010, 11:48

@DefenseWall: really failed? Just because one process spawns another one it does not mean the new process harms the system while in supervision of DefenseWall.

See your result and comment here, "runs everything untrusted - conditional PASS (exploit still runs)"
Ruhe (Valued Member), Posts: 261, Join date: 2010-04-16, Location: Germany


Post by ssj100 15/6/2010, 12:02

Ruhe wrote:@DefenseWall: really failed? Just because one process spawns another one it does not mean the new process harms the system while in supervision of DefenseWall.

See your result and comment here, "runs everything untrusted - conditional PASS (exploit still runs)"

Did you actually test this yourself? DefenseWall fails all 3 tests. Not surprising, since it's well known DefenseWall does not block buffer overflow exploits. Sure, DefenseWall may be able to contain the exploit, but it can't block it from running. I don't think we'll ever know how well DefenseWall is at mitigating buffer overflow exploits.


Post by Ruhe 15/6/2010, 13:49

We have to differentiate between 'blocking the exploit from running' and 'let it run but not harm the system'. 2nd is what DW is doing, hopefully.


Post by ssj100 15/6/2010, 13:53

Ruhe wrote:We have to differentiate between 'blocking the exploit from running' and 'let it run but not harm the system'. 2nd is what DW is doing, hopefully.

Exactly. DefenseWall is at most "containing" the exploit. Just like Sandboxie. The best way would be to block the exploit from running in the first place and Microsoft's Hardware DEP (and a few third party applications) can do this. However, I'm pretty sure Hardware DEP is easily bypassed.
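Added example, not from this thread, the Comodo BO tester or any of the products tested: a minimal Linux/C re-creation of the three checks named in the opening post (stack execution, heap execution, Ret2Libc), which also shows concretely why, as the last reply says, hardware DEP passes the first two and not the third. It assumes gcc or clang on x86-64 or AArch64 Linux with the kernel's default non-executable stack and heap (NX, the same CPU mechanism behind Windows hardware DEP). The stub bytes, the `try_execute` fault trap and the use of libc's `abs()` as the return-into-libc target are this example's own choices, not the tester's.

```c
/* Added example (not the forum's tester or any product's code). "Stack
 * execution" and "heap execution" copy a tiny machine-code stub into ordinary
 * data memory and jump to it; with NX (the mechanism behind Windows hardware
 * DEP) the jump faults and we catch SIGSEGV. "Ret2libc" jumps to code that
 * already exists in libc, which NX cannot block. gcc/clang, x86-64 or AArch64. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef int (*stub_fn)(void);

/* Our own stub meaning "return 0x1337": needs no stack, ABI setup or relocation. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char STUB[] = { 0xb8, 0x37, 0x13, 0x00, 0x00, 0xc3 };            /* mov eax,0x1337 ; ret */
#elif defined(__aarch64__)
static const unsigned char STUB[] = { 0xe0, 0x66, 0x82, 0xd2, 0xc0, 0x03, 0x5f, 0xd6 }; /* movz x0,#0x1337 ; ret */
#else
#error "add a 'return 0x1337' stub for this architecture"
#endif

static sigjmp_buf fault_env;
static volatile sig_atomic_t faulted;

static void on_fault(int sig)
{
    (void)sig;
    faulted = 1;
    siglongjmp(fault_env, 1);
}

/* Jump to `code`. Returns the stub's value, or -1 if the CPU refused to fetch
 * instructions from that page (NX/DEP blocked the "exploit"). */
static int try_execute(void *code)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int result = -1;
    stub_fn fn;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    faulted = 0;
    memcpy(&fn, &code, sizeof fn);          /* data pointer -> function pointer */
    if (sigsetjmp(fault_env, 1) == 0)
        result = fn();                      /* faults here if the page is not executable */

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted ? -1 : result;
}

/* Heap execution test: 1 = blocked (pass), 0 = the stub ran (vulnerable). */
int heap_execution_blocked(void)
{
    unsigned char *buf = malloc(sizeof STUB);
    if (!buf) return -1;
    memcpy(buf, STUB, sizeof STUB);
    int blocked = try_execute(buf) == -1;
    free(buf);
    return blocked;
}

/* Stack execution test, same convention. */
int stack_execution_blocked(void)
{
    unsigned char buf[sizeof STUB];
    memcpy(buf, STUB, sizeof STUB);
    return try_execute(buf) == -1;
}

/* Control: the same stub in a page we deliberately make executable (write first,
 * then flip to read+execute). Proves the stub is valid, so "blocked" above really
 * is NX at work. Returns 0x1337. */
int exec_page_runs_stub(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, STUB, sizeof STUB);
    if (mprotect(page, pg, PROT_READ | PROT_EXEC) != 0) { munmap(page, pg); return -1; }
    __builtin___clear_cache((char *)page, (char *)page + sizeof STUB); /* required on AArch64 */
    int r = try_execute(page);
    munmap(page, pg);
    return r;
}

/* Ret2libc test: the attacker-controlled buffer holds no code, only the address
 * of a function libc already maps executable (abs() stands in for a real target
 * such as system()). NX has nothing to block. Returns 1 if the call went through. */
int ret2libc_style_runs(void)
{
    int (*target)(int) = abs;
    unsigned char buf[sizeof target];
    int (*fn)(int);
    memcpy(buf, &target, sizeof target);    /* what an overwritten return address holds */
    memcpy(&fn, buf, sizeof fn);
    return fn(-42) == 42;
}

int main(void)
{
    printf("stack execution : %s\n", stack_execution_blocked() == 1 ? "blocked (pass)" : "RAN (vulnerable)");
    printf("heap execution  : %s\n", heap_execution_blocked() == 1 ? "blocked (pass)" : "RAN (vulnerable)");
    printf("exec page ctrl  : 0x%x (expect 0x1337)\n", exec_page_runs_stub());
    printf("ret2libc-style  : %s\n", ret2libc_style_runs() ? "ran (DEP cannot stop this)" : "failed");
    return 0;
}
```

Build with `cc -O0 -o bo_tests bo_tests.c` and run it. On a stock system the first two lines read "blocked (pass)" and the control prints 0x1337; relinking with `-Wl,-z,execstack` makes the stack case print "RAN (vulnerable)", which is the tester's "Vulnerable" verdict. The Ret2Libc line always runs, because no byte of the buffer is ever executed; that is the gap DEP leaves and the reason the thread's DEP-only configuration scores 2 out of 3.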
