
The MapUserPhysicalPages API takes an address allocated using VirtualAlloc with MEM_PHYSICAL and MEM_RESERVE and remaps the pages to a sequence of physical page frame numbers. This is designed to provide AWE support for processes.

To me, this seems like a case where the remapping would cause memory to get placed upon fixed virtual addresses, thus potentially leading to a situation where ASLR could be bypassed by targeting known memory areas.

Am I correct in this assumption? Would the potential for bypass be at user-mode ASLR level or KASLR level?

Polynomial
  • How are you controlling the mapped content? – Remus Rusanu Mar 05 '14 at 11:00
  • @RemusRusanu You wouldn't control the mapped content. The use-case would be to utilise pointer leaks from the static allocation to set up a ROP chain or similar, e.g. looking for a `pop eax; mov eax, [eax]; mov [esp+0x??], eax; ret` gadget to load the value of a pointer within the allocated block into the ROP chain, allowing the payload to discover a known-offset VA within a module. – Polynomial Mar 05 '14 at 11:11
  • The remapping doesn't change the layout of the virtual address space, not from what the documentation says at any rate. You have to call `VirtualAlloc` to reserve the virtual address space before you can call `MapUserPhysicalPages`. If the call to `VirtualAlloc` specified a fixed virtual address, that could allow ASLR to be bypassed, but best practice is to allow the system to assign the virtual address for you. – Harry Johnston Mar 05 '14 at 20:21
  • @HarryJohnston I suspect that may be true for user-mode ASLR, but what about KASLR? Are there potential issues with "forcing" kernel memory allocations into a predictable zone by allocating chunks of physical memory back to the process? – Polynomial Mar 09 '14 at 11:03
  • Even when in kernel mode, you're seeing a virtual address space; MSDN refers to the part of the virtual address space shared by all processes as "system space" but this isn't the same as physical memory. I've never heard of any way to take advantage of knowing which physical pages contain certain content, though of course that doesn't mean there isn't one. I don't see how ROP could be relevant, though, since the instruction pointer is never a physical address (subject to the obvious but irrelevant nitpick). – Harry Johnston Mar 09 '14 at 19:58
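The AWE sequence the question describes, written out as an added example (not code from the question or its comments): reserve with VirtualAlloc, back the range with AllocateUserPhysicalPages, remap the same virtual address onto the frames in reverse order, and observe that the contents move while the address does not; the only choice in this flow that would make the region predictable is a non-NULL lpAddress. It builds on Windows against kernel32 and needs the Lock Pages in Memory privilege for the success path; on other platforms it compiles to a stub that reports AWE as unavailable, and the return codes and page count are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define NPAGES 4   /* constructed: four pages is enough to show the swap */

/* Returns 0 when the remap worked and page 0 now shows page 3's old marker,
 * 1 when AllocateUserPhysicalPages is refused (SeLockMemoryPrivilege not held),
 * 2 on any other Win32 failure, 3 when not built for Windows. */
int awe_remap_demo(void)
{
#ifdef _WIN32
    SYSTEM_INFO si;
    ULONG_PTR pfn[NPAGES], rev[NPAGES], n = NPAGES;
    GetSystemInfo(&si);
    SIZE_T bytes = (SIZE_T)NPAGES * si.dwPageSize;
    /* lpAddress == NULL: the system picks the base, so whatever address
     * randomization the process has applies. A fixed address here is the
     * only step that would make the region predictable; the remap below
     * takes the address as input and never moves it. */
    unsigned char *va = VirtualAlloc(NULL, bytes, MEM_RESERVE | MEM_PHYSICAL, PAGE_READWRITE);
    if (!va) return 2;
    BOOL ok = AllocateUserPhysicalPages(GetCurrentProcess(), &n, pfn);
    if (!ok || n != NPAGES) {
        int rc = (!ok && GetLastError() == ERROR_PRIVILEGE_NOT_HELD) ? 1 : 2;
        if (ok && n) FreeUserPhysicalPages(GetCurrentProcess(), &n, pfn); /* partial grant */
        VirtualFree(va, 0, MEM_RELEASE);
        return rc;
    }
    int rc = 2;
    if (MapUserPhysicalPages(va, n, pfn)) {
        for (int i = 0; i < NPAGES; i++)        /* mark each frame through the VA */
            memset(va + (SIZE_T)i * si.dwPageSize, 0x10 + i, si.dwPageSize);
        for (int i = 0; i < NPAGES; i++) rev[i] = pfn[NPAGES - 1 - i];
        /* Same VA, frames in reverse order: page 0 now shows frame 3's marker. */
        if (MapUserPhysicalPages(va, n, rev) && va[0] == 0x10 + NPAGES - 1)
            rc = 0;
        MapUserPhysicalPages(va, n, NULL);      /* unmap before freeing the frames */
    }
    FreeUserPhysicalPages(GetCurrentProcess(), &n, pfn);
    VirtualFree(va, 0, MEM_RELEASE);
    return rc;
#else
    return 3;
#endif
}

int main(void)
{
    printf("awe_remap_demo -> %d\n", awe_remap_demo());
    return 0;
}
```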

0 Answers