The entropy for force relocated images comes from bottom-up ASLR which is only enabled by default if the EXE was built with /dynamicbase. Try turning on bottom-up ASLR as well.
Thanks. I'm pretty sure that Bottom-up ASLR is enabled along with Mandatory ASLR. But eqnedt32.exe is always loaded at the same location.
I believe "on by default" means "use the default system policy", which means bottom-up ASLR will only be enabled if the EXE was linked with /dynamicbase (which this one was not, I believe). Sound right, @markwo?
Yeah, that's right. I was seeing what Will describes last night until I enabled bottom-up ASLR for this process in Exploit Guard.
Is there any way to enable Bottom-up ASLR on a system-wide basis? If not, then it would seem that Mandatory ASLR only really adds protection for apps that opt in. Which seems sort of non-Mandatory to me...
It is possible to enable bottom-up ASLR system-wide, but I'm not sure if it can be done via the WDEG UI; @markwo might know. Agree with your feedback here. I passed it on to the team.
Actually, with Windows 7 and EMET system-wide ASLR, the loaded address for eqnedt32.exe is different on every reboot. But with Windows 10 with either EMET or WDEG, the base for eqnedt32.exe is 0x10000 EVERY TIME. Conclusion: Win10 cannot enforce ASLR as well as Win7!
Replying to @wdormann @epakskape
Hi Will, I'm reporting on this flaw for @DataBreachToday ... Did you find it after digging into the Embedi "skeletons" blog post? Just curious, cheers.
Replying to @mathewjschwartz @epakskape
Yep, I was looking into what mitigations would have protected users against the eqnedt32 vulnerability when I noticed the problem.
Replying to @wdormann @epakskape
Thanks again, Will, I've updated my piece at the end with your response: http://bit.ly/2zTCPl0
Probably worth updating again to reflect that bottom-up ASLR provides the entropy to mandatory ASLR starting with Win8. Bottom-up is not a superset of mandatory ASLR. IOW, if you want mandatory ASLR on Win8+, you need *both*, and not just the latter.
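For anyone who wants to act on the point made above (mandatory ASLR on Win8+ needs bottom-up ASLR turned on as well, or non-/dynamicbase images get rebased to a fixed address), here is a PowerShell snippet. It is an added example, not something posted by anyone in the thread: it uses the Windows Defender Exploit Guard cmdlets that ship with Windows 10 1709 and later to turn on both ForceRelocateImages and BottomUp, either system-wide or just for eqnedt32.exe, then reads the effective policy back and prints the image base of a running eqnedt32.exe so the "same base every time" symptom can be re-checked after a reboot. Assumptions: an elevated PowerShell session, a reboot after changing the system-wide policy, and that eqnedt32.exe is the process under discussion.

```powershell
# Added example (not from the thread): enable mandatory ASLR *and* bottom-up ASLR
# with the Exploit Guard cmdlets on Windows 10 1709+. Run from an elevated shell.
# ForceRelocateImages alone only rebases images that lack /dynamicbase; BottomUp is
# what supplies the entropy for where they land, so both must be ON.

# Option 1: system-wide default for every process (requires a reboot to apply)
Set-ProcessMitigation -System -Enable ForceRelocateImages, BottomUp

# Option 2: only for the process discussed in the thread (per-image override)
Set-ProcessMitigation -Name eqnedt32.exe -Enable ForceRelocateImages, BottomUp

# Read back the effective system policy; both ASLR settings should report ON
$sys = Get-ProcessMitigation -System
$sys.ASLR | Format-List ForceRelocateImages, BottomUp, HighEntropy

# The cmdlets persist the system policy in this registry value; showing it as hex
# makes it easy to compare before/after or to copy to another machine.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$opts = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).MitigationOptions
if ($opts) { "MitigationOptions: " + (($opts | ForEach-Object { '{0:X2}' -f $_ }) -join ' ') }

# Check (assumed procedure): open an equation in Office so eqnedt32.exe is running,
# run this once per reboot, and compare. With only ForceRelocateImages ON the base
# is identical every time (0x10000 in the thread); with BottomUp also ON it varies.
$proc = Get-Process -Name eqnedt32 -ErrorAction SilentlyContinue
if ($proc) {
    'eqnedt32.exe image base: 0x{0:X}' -f $proc.MainModule.BaseAddress.ToInt64()
} else {
    'eqnedt32.exe is not running; open an equation in Office first.'
}
```

The per-process form (Option 2) is what @markwo describes doing in Exploit Guard; the system-wide form is the one the thread says exists but may not be exposed in the WDEG UI. Either way, confirm with the read-back rather than trusting the UI's "on by default" wording, since that phrase means "use the system default", not "enabled".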
Replying to @wdormann
Updated with your comments and clarifications — thank you. http://bit.ly/2zTCPl0