
There are all sorts of coding best practices to prevent stack overflow attacks, but that is not what this question is about. What I want to know is how to prevent a legit non-admin user from running a piece of code that will deliberately cause a stack/heap overflow to gain admin access. What can a system admin do to block such attempts? I know DEP is one method, but from what I read it can't stop all attacks.

My focus is Windows systems.

strongline

2 Answers

A process needs to be run with administrator privileges in order to be vulnerable to an attack that grants arbitrary administrator code execution or shell access.

The general vector is either a system process, built-in service, or third party service running as SYSTEM or with some administrator account.

Update your system and applications often, and don't give your users access to run arbitrary code with admin rights.

Hyppy

Comments:
  • The first statement in your answer is incorrect. – strongline Jun 04 '15 at 14:31
  • @strongline No, it isn't. – Hyppy Jun 04 '15 at 14:36
  • You are both right. It does take escalated privileges to execute code, but it's certainly possible if you have physical access to escalate privileges. See "Encyclopaedia Of Windows Privilege Escalation" (Brett Moore's presentation on YouTube) as an example of priv escalation attacks. – Jim B Jun 04 '15 at 16:56
  • @JimB Which stack or heap overflow allows for privilege escalation without requiring a privileged process to run the code in the overflowed memory space? – Hyppy Jun 04 '15 at 17:04
  • @hyppy here's an old example (one of the first hits): https://security.ias.edu/multiple-intel-desktop-board-models-bitmap-processing-buffer-overflow-vulnerability – Jim B Jun 04 '15 at 17:31
  • @JimB: That's a hardware (actually, BIOS) vulnerability, which is effectively running at above OS privilege levels. – Hyppy Jun 04 '15 at 17:33
  • Show me where it says you have to have escalated privileges to exploit. The OP was about non-admin users. Your answer implies that simply not giving your users admin access will somehow magically remove the ability to exploit vulnerabilities in drivers or apps to gain escalated access. That is exactly why I said you were both right. You do need privs to inject code, but that's the point of a priv escalation. Here is another: http://www.symantec.com/security_response/vulnerability.jsp?bid=55793. Both of these are preventable. – Jim B Jun 04 '15 at 17:43
  • @jimb I said vulnerable. Vulnerable. Vulnerable to an attack. The BIOS, OS, or some process has to be vulnerable to allow for user-land processes to escalate privileges through a stack or heap overflow. You just posted a vulnerable system process. Congrats, you agreed with me. I never said that the end user has to have admin privileges to exploit a vulnerability. That's why it's called privilege escalation. Go take your bull elsewhere. – Hyppy Jun 04 '15 at 17:53
  • I suggest you reread the vulnerability details. This is not a privileged executable or process. That's why it's called a privilege escalation attack. Your statement was "A process needs to be run with administrator privileges in order to be vulnerable". What process was running with admin privileges in this disclosure? – Jim B Jun 04 '15 at 18:12
  • It's light on details, but it's right there in the title: Windows Kernel. – Hyppy Jun 04 '15 at 18:14
  • So (again) where was there a process running as an elevated access account? This is a non-admin process exploiting a call to execute code as privileged. I suggest you watch the YouTube presentation to gain some insight into basic security concepts, like buffer overflows and escalated privilege exploits. – Jim B Jun 04 '15 at 23:33
  • You just can't let go, can you? – Hyppy Jun 04 '15 at 23:41
  • Not when it comes to security. I was willing to leave it as both of you had points, but when you continue to act as if you can invent your own facts I take exception, especially when it's demonstrably wrong. – Jim B Jun 05 '15 at 03:48

Use EMET (https://technet.microsoft.com/en-us/security/jj653751) to help prevent those types of attacks. This includes ROP and overflow mitigations. These restrictions are important, so EMET automates the configuration of the settings. It also mitigates a large number of other attacks.

Jim B