Date: Sun, 9 Feb 2003 00:39:05 -0500
From: Peter Huang <[email protected]>
To: David Litchfield <[email protected]>
Subject: breakpoint the stack buffer overflow from executing malicious code like SQL Slammer worm
Hi, David and others:
For the past few days, I have done a few experiments and some research on
ways to prevent the buffer overflow exploitation. I believe the following
compiler option (if implemented and used) should make the exploitation of
stack buffer overflow by "jmp esp" method impossible (as far as I know) to
execute a piece of malicious code on Intel-Inside PC. The buffer
vulnerability, if exists, still overflows to be trapped by this mechanism if
being pumped too much.
For a function like:
Void testVoid (void)
{
do something here and the stack overflows such as sprintf in ssnetlib.dll
in SQL 2000 server (pre-SP3)
}
The compiler inserts the following opcodes before "ret".
Mov ecx, [esp]
Cmp word ptr [ecx], 0FFE4h ; check for "jmp esp"
Jnz realRet
Mov byte ptr [esp+4], 0cch ; stack has been overflowed and function
; will breakpoint (no need to go on anyway)
RealRet:
ret
For a function like:
Void testParametered(int I, int i2, int i3 ...)
{
do something here and the stack overflows such as sprintf in ssnetlib.dll
in SQL 2000 server (pre-SP3)
}
The compiler inserts the following opcode before "ret"
Mov byte ptr[esp+4], 0cch ; if return address is not overwritten,
; then this will be discarded by opcode such
as
; "add esp, xx" down the execution path.
; Otherwise, the exploitation code injected
onto the stack,
; which happens before this move, will
; cause a breakpoint trap to happen due to the
; "jmp esp" method exploited by the buffer
overflow.
Ret
Normally, both above functions continue normally. However, if the stack is
overflowed due to some software bugs under exploitation attack, then the
mechanism listed above will generate breakpoint trap and the execution of
malicious code is stopped.
Unfortunately, it will definitely increase the executable image size and
some runtime hit (should not be much because of the cache lines are still
valid etc.). Some might think that this creates some false illusion of
security. However, it does dam the overflow to what has been overflowed and
prevent the overflow from spreading so that we do not have to hear others
say:" dam it".
Here is what I got:
Best regards
Peter Huang
http://members.rogers.com/yinrong/articles/Prevent.htm
