Closed Bug 1446493 Opened 7 years ago Closed 7 years ago

Audit for Export Suppression Bypass Gadgets

Categories

(Core :: Security, enhancement)

enhancement
Not set
normal

RESOLVED INVALID
Tracking Status
firefox61 --- affected

People

(Reporter: tjr, Unassigned)

Details

CFG Export Suppression prevents indirect calls to stuff like VirtualProtect. However, if one calls GetProcAddress("VirtualProtect") first, then it gets un-suppressed and you can indirect-call it. We should look for cases where we call GetProcAddress and ensure they can't be abused, as well as ensure we don't call it ourselves with protected functions.
I got confused about this, so I wanted to document this somewhere. If a dll marks a function as exportsuppressed (as in https://github.com/trailofbits/cfg-showcase/blob/master/cfg_suppressed_export.cpp) then it is always suppressed. A process can opt in to all export suppression with https://msdn.microsoft.com/en-us/library/windows/desktop/mt654121(v=vs.85).aspx in which case things need to be resolved first with GetProcAddress. So this bug is actually invalid.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
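The audit proposed in the description can be sketched as a source scan for GetProcAddress call sites. This is an added example, not code from the bug or from Firefox; the watch list beyond VirtualProtect, the helper names `split_args` and `audit`, and the sample source are assumptions made for illustration.

```python
import re

# Assumption: watch list chosen for this example; the bug names only VirtualProtect.
SENSITIVE = {"VirtualProtect", "VirtualAlloc", "WriteProcessMemory"}
CALL = re.compile(r'\bGetProcAddress\s*\(')
LITERAL = re.compile(r'^"([A-Za-z0-9_]+)"$')

def split_args(source, start):
    """Top-level arguments of the call whose '(' ends at `start`, or None.
    String literals containing '(' ')' or ',' are not handled."""
    depth, i, args, begin = 1, start, [], start
    while i < len(source) and depth:
        ch = source[i]
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
        elif ch == ',' and depth == 1:
            args.append(source[begin:i].strip())
            begin = i + 1
        i += 1
    if depth:                      # unterminated call, e.g. truncated file
        return None
    args.append(source[begin:i - 1].strip())
    return args

def audit(source):
    """Classify every GetProcAddress call as (line, kind, name_expression)."""
    findings = []
    for m in CALL.finditer(source):
        args = split_args(source, m.end())
        if not args or len(args) != 2:
            continue
        line = source.count('\n', 0, m.start()) + 1
        lit = LITERAL.match(args[1])
        kind = ("dynamic" if lit is None   # name decided at run time: review its origin
                else "sensitive-literal" if lit.group(1) in SENSITIVE
                else "literal")
        findings.append((line, kind, args[1]))
    return findings

# Constructed sample input, not Firefox source.
SAMPLE = '''auto a = GetProcAddress(k32, "VirtualProtect");
auto b = reinterpret_cast<Fn>(GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion"));
auto c = GetProcAddress(mod, name.c_str());
'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Calls reported as `dynamic` are the ones that need manual review, since the scan cannot tell where the requested name comes from.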