
Pages: 7 (1691 words) Published: 29 December 2009
Bypassing SEHOP

Stéfan Le Berre
s.leberre@sysdream.com

Damien Cauquil
d.cauquil@sysdream.com

Table of contents
0. Introduction
1. SEHOP specifications (short version)
2. Dealing with SEHOP when exploiting a stack overflow
   2.1. Breaking out the classical exploitation scheme
   2.2. The tricky part
3. Proof of Concept
   3.1. Target program & constraints
   3.2. Crash and exploitation
4. Conclusion
5. Credits
6. Bibliography

0. Introduction
Microsoft has recently implemented in many Windows versions a new security feature named « Structured Exception Handling Overwrite Protection » [1 & 2]. Those systems are:
  • Microsoft Windows 2008 SP0
  • Microsoft Windows Vista SP1
  • Microsoft Windows 7

We did not find any known attack aimed at defeating this new feature, only many papers describing the feature itself and its robustness. Indeed, SEHOP seems to be so reliable that Microsoft released a patch in order to activate this security feature by default on all programs. Is it already the end of stack overflows under Microsoft Windows? Not yet: under some circumstances it can still be bypassed, as we will explain below.

1. SEHOP specifications (short version)
SEHOP is an extension of Structured Exception Handling and implements more security checks on the SEH structures used by programs. The core feature of SEHOP checks the chaining of all SEH structures present on the process stack, and especially the last one, which should have a special handler value pointing right onto a function located in ntdll. Here is a classical SEH chain:

Each SEH structure points to the next structure, and the last one contains a specific handler pointing to ntdll!_except_handler4. When exploiting by overwriting a given SEH structure on the stack, the next SEH pointer is overwritten in order to contain some bytecode and the SEH handler is overwritten to point to a sequence of « POP POP RET » instructions located in a non-SafeSEH module.

The validation algorithm used in SEHOP has been exposed by A. Sotirov during Black Hat 2008 [3]. Let's have a look at it:

    BOOL RtlIsValidHandler(handler)
    {
        if (handler is in an image) {
            if (image has the IMAGE_DLLCHARACTERISTICS_NO_SEH flag set)
                return FALSE;
            if (image has a SafeSEH table)
                if (handler found in the table)
                    return TRUE;
                else
                    return FALSE;
            if (image is a .NET assembly with the ILonly flag set)
                return FALSE;
            // fall through
        }
        if (handler is on a non-executable page) {
            if (ExecuteDispatchEnable bit set in the process flags)
                return TRUE;
            else // enforce DEP even if we have no hardware NX
                raise ACCESS_VIOLATION;
        }
        if (handler is not in an image) {
            if (ImageDispatchEnable bit set in the process flags)
                return TRUE;
            else
                return FALSE; // don't allow handlers outside of images
        }
        // everything else is allowed
        return TRUE;
    }

    [...]

    // Skip the chain validation if the DisableExceptionChainValidation bit is set
    if (process_flags & 0x40 == 0) {...
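The two checks described so far, the per-handler validation of RtlIsValidHandler and the chain walk that SEHOP adds on top of it, as an added example: this is my own Python model, not Microsoft's code and not code from the paper. The image layout, stack bounds, record addresses and the final-handler value are constructed sample values, executable memory is simplified to a set of addresses, and the walk's alignment and loop checks follow my understanding of the implementation rather than the text above, which only states that the chain and its final record are checked.

```python
from dataclasses import dataclass

@dataclass
class Image:                              # loaded module (constructed model, not a PE parser)
    base: int
    size: int
    no_seh: bool = False                  # IMAGE_DLLCHARACTERISTICS_NO_SEH set
    safeseh: "set | None" = None          # SafeSEH handler table; None = module has no table
    il_only: bool = False                 # .NET assembly with the ILonly flag set
@dataclass
class Process:
    images: list
    exec_addrs: set                       # addresses on executable pages (sample granularity)
    execute_dispatch: bool = False        # ExecuteDispatchEnable process flag
    image_dispatch: bool = False          # ImageDispatchEnable process flag
    chain_validation_off: bool = False    # DisableExceptionChainValidation (process_flags & 0x40)
END_OF_CHAIN, FINAL_HANDLER = 0xFFFFFFFF, 0x77A01234   # FINAL_HANDLER: constructed ntdll stand-in

def rtl_is_valid_handler(proc, handler):
    """Decision table of the RtlIsValidHandler pseudocode quoted above, in the same order."""
    img = next((i for i in proc.images if i.base <= handler < i.base + i.size), None)
    if img is not None:
        if img.no_seh: return False
        if img.safeseh is not None: return handler in img.safeseh
        if img.il_only: return False
    if handler not in proc.exec_addrs:    # handler on a non-executable page
        if proc.execute_dispatch: return True
        raise MemoryError("ACCESS_VIOLATION: handler on a non-executable page")
    return True if img is not None else proc.image_dispatch   # handlers outside images

def chain_is_valid(proc, stack, head, lo, hi):
    """SEHOP chain walk over stack {addr: (next, handler)}: every record reached from head
    must be an aligned in-stack record, no loops, and the last must carry the final handler."""
    if proc.chain_validation_off: return True
    seen, cur, last_handler = set(), head, None
    while cur != END_OF_CHAIN:
        if cur in seen or cur & 3 or not (lo <= cur <= hi - 8) or cur not in stack:
            return False                  # loop, misaligned or off-stack record: rejected
        seen.add(cur)
        cur, last_handler = stack[cur]
    return last_handler == FINAL_HANDLER

def demo():
    """Intact chain passes; after the overwrite the handler check still passes but the walk fails."""
    proc = Process(images=[Image(base=0x10000000, size=0x10000)], exec_addrs={0x10001000})
    lo, hi, head = 0x0012E000, 0x00130000, 0x0012FF40
    stack = {head: (0x0012FFC0, 0x10001000), 0x0012FFC0: (END_OF_CHAIN, FINAL_HANDLER)}
    intact = chain_is_valid(proc, stack, head, lo, hi)
    stack[head] = (0x0BADF00D, 0x10001000)   # next pointer now holds data, not a record address
    return rtl_is_valid_handler(proc, 0x10001000), intact, chain_is_valid(proc, stack, head, lo, hi)
```

demo() returns (True, True, False): the handler redirected into a module without a SafeSEH table is still accepted on its own, which is why the classical technique worked before SEHOP, but the broken chain no longer reaches the ntdll final handler and is rejected.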