Vulnerability Note VU#817544
Windows 8 and later fail to properly randomize every application if system-wide mandatory ASLR is enabled via EMET or Windows Defender Exploit Guard
Overview
Microsoft Windows 8 introduced a change in how system-wide mandatory ASLR is implemented. Since that change, system-wide bottom-up ASLR must also be enabled for mandatory ASLR to receive any entropy. Tools that enable system-wide mandatory ASLR without also enabling system-wide bottom-up ASLR will therefore fail to properly randomize executables that do not opt in to ASLR.
Description
Address Space Layout Randomization (ASLR)
Starting with Windows Vista, Windows has included ASLR to help prevent code-reuse attacks. By loading executable modules at non-predictable addresses, Windows mitigates attacks that rely on code being at known locations; return-oriented programming (ROP), for example, depends on code that is loaded at a predictable or discoverable address. One weakness of the implementation is that ASLR is opt-in: an image must be linked with the /DYNAMICBASE flag to be randomized. Mandatory (system-wide) ASLR, as offered by EMET and Windows Defender Exploit Guard, forces relocation of images that lack /DYNAMICBASE. On Windows 8 and later, however, a force-relocated image is placed by the bottom-up allocator, so it only receives entropy if system-wide bottom-up ASLR is also enabled; otherwise it is loaded at a predictable address.
Impact
Windows 8 and newer systems that have system-wide mandatory ASLR enabled via EMET or Windows Defender Exploit Guard, but not system-wide bottom-up ASLR, will have non-DYNAMICBASE applications relocated to a predictable location, voiding any benefit of mandatory ASLR for those applications. This can make exploitation of some classes of vulnerabilities easier.
Solution
The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workaround:
Enable system-wide bottom-up ASLR on systems that have system-wide mandatory ASLR
The following registry value enables both system-wide mandatory ASLR and system-wide bottom-up ASLR:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"MitigationOptions"=hex:00,01,01,00,00,00,00,00,00,00,00,00,00,00,00,00

Note that importing this registry value will overwrite any existing system-wide mitigations specified by this value; if other mitigations are already set, merge the bits rather than replacing the value. Reading the bytes left to right, the first 01 (the second byte) is the mandatory ASLR setting and the second 01 (the third byte) is the bottom-up ASLR setting. Also note that in the past, enabling system-wide mandatory ASLR could cause problems if older AMD/ATI video card drivers were in use. This issue was addressed in the Catalyst 12.6 drivers released in June 2012.
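Because importing the value above replaces whatever is already in MitigationOptions, a safer workflow is to decode the existing value, check for the mandatory-without-bottom-up combination, and set only the bottom-up bits. The following Python script is an added example and is not part of the CERT/CC note. It assumes that the system-wide MitigationOptions value uses the PROCESS_CREATION_MITIGATION_POLICY_* bit layout from winbase.h (two-bit fields: force-relocate at bit 8, bottom-up ASLR at bit 16, high-entropy ASLR at bit 20), which is the layout the note's own bytes 00,01,01,00 correspond to. The hex strings fed to it are constructed to match the .reg syntax above; the script does not touch the registry itself.

```python
# Two-bit policy fields in MitigationOptions (PROCESS_CREATION_MITIGATION_POLICY_* in winbase.h).
# Field value: 0 = defer to per-process default, 1 = always on, 2 = always off,
# 3 = always on and require relocations (defined for ForceRelocateImages only).
POLICY_FIELDS = {
    "ForceRelocateImages": 8,   # mandatory ASLR (EMET "Mandatory ASLR")
    "BottomUp": 16,             # bottom-up ASLR
    "HighEntropy": 20,          # high-entropy ASLR (64-bit processes)
}
FIELD_NAMES = {0: "Defer", 1: "AlwaysOn", 2: "AlwaysOff", 3: "AlwaysOnReqRelocs"}
ON_STATES = ("AlwaysOn", "AlwaysOnReqRelocs")


def parse_reg_hex(hex_text: str) -> int:
    """Turn the .reg 'hex:00,01,01,00,...' byte list (little-endian REG_BINARY) into an int."""
    hex_text = hex_text.strip()
    if hex_text.lower().startswith("hex:"):
        hex_text = hex_text[4:]
    raw = bytes(int(b, 16) for b in hex_text.replace(" ", "").split(",") if b)
    return int.from_bytes(raw, "little")


def format_reg_hex(value: int, length: int = 16) -> str:
    """Inverse of parse_reg_hex(); 16 bytes is the length used in the workaround above."""
    return ",".join("%02x" % b for b in value.to_bytes(length, "little"))


def decode(value: int) -> dict:
    """Map each ASLR-related policy field to its human-readable state."""
    return {name: FIELD_NAMES[(value >> shift) & 0x3] for name, shift in POLICY_FIELDS.items()}


def mandatory_aslr_without_bottom_up(value: int) -> bool:
    """True when the misconfiguration described in this note is present."""
    state = decode(value)
    return state["ForceRelocateImages"] in ON_STATES and state["BottomUp"] != "AlwaysOn"


def enable_bottom_up(value: int) -> int:
    """Set BottomUp to AlwaysOn while leaving every other mitigation bit untouched."""
    shift = POLICY_FIELDS["BottomUp"]
    return (value & ~(0x3 << shift)) | (0x1 << shift)


if __name__ == "__main__":
    # Constructed sample: what a tool that only enabled mandatory ASLR leaves behind.
    current = parse_reg_hex("hex:00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00")
    print("current :", decode(current), "vulnerable:", mandatory_aslr_without_bottom_up(current))
    fixed = enable_bottom_up(current)
    print("fixed   :", decode(fixed), "vulnerable:", mandatory_aslr_without_bottom_up(fixed))
    print('"MitigationOptions"=hex:' + format_reg_hex(fixed))
```

On a live system the current value can be read with reg query or PowerShell's Get-ItemProperty on the key above and passed through parse_reg_hex() before deciding whether to change it. On Windows 10 builds that ship Windows Defender Exploit Guard, the same bottom-up setting can also be turned on through its PowerShell interface (Set-ProcessMitigation -System -Enable BottomUp); that path is mentioned here as an alternative, not as something the note itself prescribes.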
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Microsoft Corporation | Affected | 16 Nov 2017 | 17 Nov 2017 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 0.0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- |
Temporal | 0.0 | E:ND/RL:ND/RC:ND |
Environmental | 0.0 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
- https://www.kb.cert.org/vuls/id/421280
- https://insights.sei.cmu.edu/cert/2012/06/amd-video-drivers-prevent-the-use-of-the-most-secure-setting-for-microsofts-exploit-mitigation-exper.html
- https://blogs.technet.microsoft.com/srd/2010/12/08/on-the-effectiveness-of-dep-and-aslr/
- https://msdn.microsoft.com/en-us/library/bb384887.aspx
- https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit
- https://blogs.technet.microsoft.com/srd/2013/12/11/software-defense-mitigating-common-exploitation-techniques/
- https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
Credit
This issue was reported by Will Dormann of the CERT/CC, with assistance from Matt Miller of Microsoft.
This document was written by Will Dormann.
Other Information
- CVE IDs: Unknown
- Date Public: 16 Nov 2017
- Date First Published: 17 Nov 2017
- Date Last Updated: 19 Nov 2017
- Document Revision: 40