xinput1_3.dll in chrome folder is not built with ASLR
Reported by cimstor...@gmail.com, Sep 10 2012
Chrome Version : 21.0.1180.89 m
URLs (if applicable) : C:\Users\cimsto\AppData\Local\Google\Chrome\Application\21.0.1180.89\xinput1_3.dll

This is a DLL that is a part of DirectX. You can find it in the home directory of Chrome. On a new Win 7 machine, fully up to date, it is not built with ASLR. When a file is not built with ASLR, it can be used to bypass ASLR + DEP in Chrome. Even with this file being just 80KB, there is still a big chance for a ROP payload to be possible. I tested mona.py on it but it didn't work. This would be since mona relies on a simple algorithm.

What steps will reproduce the problem?
1. Check if the DLL is built with ASLR; you can use things like PeStudio369 or a debugger.

What is the expected result?
That it is built with ASLR.

What happens instead?
It's not built with ASLR.

Please provide any additional information below. Attach a screenshot if possible.
This is something that an attacker might use in their exploit chain at Pwnium.
Sep 10 2012
I think MS frowns on bundling DirectX DLLs with an application. The application is supposed to run the DirectX installer at install time instead so the latest versions of the proper DLLs are installed to the system path. Isn't Xinput DLL for Xbox 360 controllers? Is this for the gamepad API or something?
Sep 11 2012
Yes, this DLL will only be loaded when the user interacts with a gamepad. cc https://groups.google.com/a/chromium.org/forum/?fromgroups=#!topic/chromium-reviews/Ovp4dVRTu8c As it is being used by Chrome, not building it with ASLR is a problem. From platform_data_fetcher_win.h: "We include xinput1_3.dll with Chrome."
Mar 10 2013
Nov 12 2014
We should investigate whether we can bundle a version of the xinput DLL that supports ASLR.
Nov 13 2014
MS hasn't updated this DLL since 2010, and last we asked things went nowhere. However, it does have a relocation section, so we should be able to use the process mitigations API to guarantee that it will be relocated on Win7+, or we can get really ugly and just stomp on the preferred base address of the one we ship.
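The check from step 1 of the report, and the relocation-section question raised in the comment above, can both be answered from the PE headers alone. The following is an added example, not Chromium's code: it reads the DYNAMICBASE bit in DllCharacteristics, the base-relocation data directory, and the preferred ImageBase. The make_test_image helper constructs a bare sample header so the script runs offline; it is not the real xinput1_3.dll, and the values it fills in are assumptions.

```python
import struct

# Bit and index values from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5

def aslr_report(data: bytes) -> dict:
    """Report what matters for ASLR: DYNAMICBASE set, .reloc directory present, preferred base."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dd_count_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dd_count_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    dd_count = struct.unpack_from("<I", data, dd_count_off)[0]
    reloc_rva = reloc_size = 0
    if dd_count > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        reloc_rva, reloc_size = struct.unpack_from(
            "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    return {
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "has_relocations": reloc_rva != 0 and reloc_size != 0,  # loader could still rebase it
        "image_base": image_base,
    }

def make_test_image(dynamic_base: bool, has_reloc: bool) -> bytes:
    """Constructed sample: a bare PE32 header with no sections, enough for aslr_report()."""
    buf = bytearray(0x40 + 4 + 20 + 96 + 16 * 8)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                    # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x14C, 0, 0, 0, 0, 96 + 16 * 8, 0x2102)
    opt = 0x44 + 20
    struct.pack_into("<H", buf, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<I", buf, opt + 28, 0x10000000)          # assumed preferred ImageBase
    struct.pack_into("<H", buf, opt + 70, 0x0040 if dynamic_base else 0)
    struct.pack_into("<I", buf, opt + 92, 16)                  # NumberOfRvaAndSizes
    if has_reloc:
        struct.pack_into("<II", buf, opt + 96 + 8 * 5, 0x3000, 0x40)   # assumed .reloc RVA/size
    return bytes(buf)
```

Run it on a real file with aslr_report(open(path, "rb").read()); a result of dynamic_base False with has_relocations True is the situation the comment above describes, where a forced-relocation process mitigation can still move the image.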
Sep 24 2015
May 18 2016