IE will be more secure when Sun fix Java bug 6545701

November 12, 2008 in HttpWatch, Internet Explorer

One of the most common security vulnerabilities in Windows software is the buffer overrun. It is exploited by feeding a carefully crafted data stream into a program that copies it into a stack-based buffer without checking the length of the data stream. By writing past the end of the buffer, the attacker can:

  1. Store malicious assembler instructions in the stack’s memory pages
  2. Change the current function’s return address on the stack so that the malicious instructions are executed instead of the original calling code when the function returns.

This technique for injecting code can be used to take control of the current process and possibly the whole PC if the program is running as a user with admin rights.

The problem originates from the fact that Intel’s early x86 processors enforced the READ and WRITE flags on memory pages, but not the EXECUTE flag that marks pages containing executable code. The memory pages used by a program’s stack never have the EXECUTE flag, so step 2) above should fail because an attempt is being made to execute READ/WRITE data.

By the time Intel added the NX flag to enforce execution protection, many carelessly written programs relied on being able to execute code in a non-EXECUTE page. So when Microsoft added DEP (Data Execution Prevention) in Windows XP SP2, it could not be turned on globally because of the large number of third-party applications and add-ons that would fail.
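As an added illustration of the length-check failure the post describes (example code written for this page, not from the original post or from HttpWatch), the following C program parses a constructed record format, first in the careless style that trusts the length field in the data stream and then with the declared length validated against the stack buffer before anything is copied. The record format, the 16-byte buffer and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example (assumed, not a real protocol):
 * byte 0 = payload length n, bytes 1..n = payload. */

#define NAME_BUF 16   /* fixed-size stack buffer, as in the pattern the post describes */

/* Careless version: the length field taken from the data stream is trusted.
 * The copy stays inside the input, but n is never compared with sizeof(name),
 * so a record declaring n >= NAME_BUF writes past the end of the stack buffer
 * and on toward the saved return address (step 2 in the post). */
int read_name_unchecked(const uint8_t *stream, size_t stream_len)
{
    char name[NAME_BUF];
    if (stream_len < 1) return -1;
    size_t n = stream[0];
    if (stream_len < 1 + n) return -1;   /* truncated record */
    memcpy(name, stream + 1, n);         /* no check of n against NAME_BUF */
    name[n] = '\0';
    return (int)strlen(name);
}

/* Corrected version: the declared length is validated against the buffer
 * before any byte is copied, so oversized records are rejected. */
int read_name_checked(const uint8_t *stream, size_t stream_len)
{
    char name[NAME_BUF];
    if (stream_len < 1) return -1;
    size_t n = stream[0];
    if (stream_len < 1 + n) return -1;   /* truncated record */
    if (n >= NAME_BUF) return -2;        /* would not fit with its terminator */
    memcpy(name, stream + 1, n);
    name[n] = '\0';
    return (int)strlen(name);
}

/* Builds a record from a C string; returns the record size, or 0 if the
 * payload cannot be described by one length byte or does not fit in out. */
size_t make_record(uint8_t *out, size_t out_cap, const char *payload)
{
    size_t n = strlen(payload);
    if (n > 255 || out_cap < 1 + n) return 0;
    out[0] = (uint8_t)n;
    memcpy(out + 1, payload, n);
    return 1 + n;
}

int main(void)
{
    uint8_t rec[300];
    char big[41];
    memset(big, 'A', 40);
    big[40] = '\0';

    /* Constructed benign input: both readers handle it identically. */
    size_t len = make_record(rec, sizeof rec, "httpwatch");
    printf("short record: unchecked=%d checked=%d\n",
           read_name_unchecked(rec, len), read_name_checked(rec, len));

    /* Constructed oversized input: 40 bytes into a 16-byte buffer. Only the
     * checked reader is called with it; the unchecked one would corrupt the stack. */
    len = make_record(rec, sizeof rec, big);
    printf("oversized record: checked=%d (rejected)\n", read_name_checked(rec, len));
    return 0;
}
```

The point to take from the two readers is that bounding the copy by the size of the input is not enough; the declared length must also be compared with the size of the destination buffer, and the record rejected when it does not fit.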

Of course, there is one program in particular that would benefit from DEP – Internet Explorer. It’s used by more than half a billion people worldwide and can be subjected to buffer overrun attacks when visiting malicious or hacked web sites. Unfortunately, only a tiny percentage of the IE users around the world have DEP enabled. 

On Windows XP you cannot turn on DEP in Internet Explorer through the user interface, even if you turn on DEP globally like this in the Control Panel System applet:

Enable DEP in Windows XP

There are certain programs that are always excluded from DEP on Windows XP for compatibility reasons. IE is one of these programs because so many third party add-ons and OCXs failed to work correctly with DEP when Service Pack 2 was released.

Incidentally, HttpWatch works with DEP and is built with the /NXCOMPAT flag to indicate that it can safely be used when DEP is enabled.

On Windows Vista you can enable DEP in IE 7 by using this checkbox:

Enabling DEP in IE 7 on Windows Vista

The checkbox can only be modified if you run IE 7 as an administrator.

So why doesn’t everyone do this and why isn’t it the default? That’s because there’s one major non-compliant add-on that nearly everyone installs – the Sun Java runtime. When it’s installed and you have DEP enabled, IE 7 raises a DEP error if you visit a site that uses a Java applet:

DEP error caused by Java applet

Sun has acknowledged the problem, but the high priority bug has been open since April 2007:

bug 6545701 : DEP issue with Java VM

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6545701

Once this has been fixed the way is clear for DEP to be enabled for most IE users on Windows Vista.

In the meantime, IE 7 on Vista still offers much better protection against buffer overruns than Windows XP. That is because of two new features:

  • Protected Mode – by default IE 7 runs in a low-rights mode even if you are logged in as an administrator. A hijacked instance of IE therefore has limited access to other programs and data on the PC.
  • Address Space Layout Randomization (ASLR) – on Windows Vista important system DLLs are placed at random locations in each process. The hacker can no longer rely on system functions being at known locations and would have to guess. Any incorrect guess causes the hijacked program to crash, preventing continued execution of the malicious code.

Using HttpWatch with WatiN

October 30, 2008 in Automation, C#, HttpWatch, Internet Explorer

WatiN (pronounced as What-in) is a browser automation library for .NET that was inspired by the Ruby-based Watir and FireWatir frameworks. It allows C# and VB.Net applications to programmatically interact with a browser to perform tasks such as going to a web page, filling out fields and clicking on buttons. The current version only works with IE, but version 2.0 will include support for Firefox.

We have previously discussed the use of Ruby, Watir and HttpWatch and version 6.0 now contains Watir sample code that works with both IE and Firefox. HttpWatch can also be used alongside WatiN to record HTTP traffic and performance statistics while running an automated script. We adapted the Getting Started WatiN sample to use HttpWatch to record the Google results page. The modified code is shown below:

// This code works with WatiN version 1.3
using System;
using WatiN.Core;
 
namespace WatiNTest
{
  class WatiNTestWithHttpWatch
  {
    [STAThread]
    static void Main(string[] args)
    {
        // Open a new Internet Explorer window and
        // goto the google website.
        IE ie = new IE("http://www.google.com");
 
        // Attach HttpWatch to this new instance of IE
        HttpWatch.Controller ct = new HttpWatch.Controller();
        HttpWatch.Plugin plugin = ct.IE.Attach((SHDocVw.IWebBrowser2)ie.InternetExplorer);
 
        // Start recording a log file in HttpWatch
        plugin.Record();
 
        // Find the search text field and type Watin in it.
        ie.TextField(Find.ByName("q")).TypeText("WatiN");
 
        // Click the Google search button.
        ie.Button(Find.ByValue("Google Search")).Click();
        ie.WaitForComplete();
 
        // Stop recording and save an HttpWatch log file
        plugin.Stop();
        plugin.Log.Save(@"c:\mydir\googlesearch.hwl");
 
        HttpWatch.Summary logSummary = plugin.Log.Entries.Summary;
 
        Console.WriteLine("\r\nElapsed time (secs) = " + logSummary.Time.ToString() +
                          " Downloaded bytes = " + logSummary.BytesReceived.ToString());
 
        // Uncomment the following line if you want to close
        // Internet Explorer and the console window immediately.
        //ie.Close();
    }
  }
}

The only non-trivial step required to add HttpWatch support was to supply an IWebBrowser2 interface to the Attach method. This was achieved using the cast shown below:

HttpWatch.Plugin plugin = ct.IE.Attach((SHDocVw.IWebBrowser2)ie.InternetExplorer);

One problem you may run into is that WatiN does not work correctly with IE 7 Protected Mode on Vista. However, you can work around this by creating the instance of IE with HttpWatch and then attaching WatiN as shown below:

// This code works with WatiN version 1.3
using System;
using WatiN.Core;
 
namespace WatiNTest
{
  class WatiNTestWithHttpWatch
  {
    [STAThread]
    static void Main(string[] args)
    {
        // Create a new instance of IE with HttpWatch to avoid Protected Mode
        // issues
        HttpWatch.Controller ct = new HttpWatch.Controller();
        HttpWatch.Plugin plugin = ct.IE.New();
 
        // Attach WatiN to this instance of IE
        IE ie = IE.AttachToIE(Find.By("hwnd", plugin.Container.HWND.ToString()));
        ie.GoTo("http://www.google.com");
        plugin.Record();
 
        // Find the search text field and type Watin in it.
        ie.TextField(Find.ByName("q")).TypeText("WatiN");
 
        // Click the Google search button.
        ie.Button(Find.ByValue("Google Search")).Click();
        ie.WaitForComplete();
 
        // Stop recording and save an HttpWatch log file
        plugin.Stop();
 
        // If you are saving from protected mode IE 7 on Vista
        // you will need to use a location that is accessible from protected mode
        //plugin.Log.Save(@"C:\Users\\AppData\Local\Temp\low\googlesearch.hwl");
 
        HttpWatch.Summary logSummary = plugin.Log.Entries.Summary;
 
        Console.WriteLine("\r\nElapsed time (secs) = " + logSummary.Time.ToString() +
                          " Downloaded bytes = " + logSummary.BytesReceived.ToString());
 
        // Uncomment the following line if you want to close
        // Internet Explorer and the console window immediately.
        //ie.Close();
    }
  }
}

If you would like to try this out for yourself you need to:

  1. Download and install HttpWatch. These samples will work with the free Basic Edition
  2. Download and install WatiN 1.3 (not 2.0 Beta)
  3. Build a .Net project using the C# code shown above
  4. Set a reference to the WatiN assembly as shown here
  5. Set a reference to the HttpWatch Automation library as described in Automating HttpWatch with Visual Basic
  6. Compile and run the sample

UPDATE: See ‘Using HttpWatch with WatiN 2.1’ for information about using the updated version of WatiN

HttpWatch Supports Firefox 3.1 Beta 1

October 28, 2008 in Firefox, HttpWatch

HttpWatch version 6.0.17 is now available for download and includes support for the Firefox 3.1 Beta 1.

The version history lists the changes made in this update and you can find out more about the Firefox 3.1 Beta 1 on this page:

http://www.mozilla.com/en-US/firefox/all-beta.html
