Address space layout randomization (ASLR) is a security technique that helps protect against buffer overflow attacks. According to researchers at FireEye, many recent APT (Advanced Persistent Threat) attacks have used a variety of ASLR bypass techniques during the past year.
Many exploits and malware attacks rely on the attacker's ability to accurately identify where specific processes or system functions reside in memory. To exploit or leverage a function, an attacker must first be able to tell their code where to find it.
The goal of ASLR is to introduce randomness into addresses used by a given task. It involves randomly arranging the positions of key data areas of a program, including the base of the executable and the positions of the stack, heap, and libraries, in a process's address space.
Today, client-side exploits receive a lot of attention, especially those targeting web browsers. Exploitation is normally done through the oldest known method, spraying the heap.
According to the researchers, the easiest and most popular way to defeat ASLR protection is to load a non-ASLR module. Such attacks were recently used in the Internet Explorer (IE) zero-day exploit CVE-2013-3893 and against some other vulnerabilities, i.e. CVE-2013-1347, CVE-2012-4969, and CVE-2012-4792.
The limitation is that the non-ASLR module technique requires that IE 8 and IE 9 be running with old software such as JRE 1.6 or Office 2007/2010.
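Because the non-ASLR module technique depends on a library that never opted in to randomization, defenders can audit for such modules by reading the PE header flags. The following is an added example, not code from the original article or from FireEye: the module names and the `make_pe` header blobs are constructed for the demo, and the function names are hypothetical.

```python
import struct

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (linker /DYNAMICBASE)
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED: image must load at its preferred base

def aslr_status(image: bytes) -> dict:
    """Read the ASLR-relevant header flags of one PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)           # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff, opt = pe_off + 4, pe_off + 24                         # 20-byte COFF header, then optional header
    if opt + 72 > len(image):
        raise ValueError("headers truncated")
    opt_size, file_chars = struct.unpack_from("<HH", image, coff + 16)
    (magic,) = struct.unpack_from("<H", image, opt)
    if opt_size < 72 or magic not in (0x10B, 0x20B):            # PE32 / PE32+
        raise ValueError("unsupported optional header")
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)    # DllCharacteristics, same offset in both
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    return {"dynamic_base": dynamic_base,
            "relocs_stripped": relocs_stripped,
            # Randomized only if the module opted in AND can actually be relocated.
            "randomized": dynamic_base and not relocs_stripped}

def fixed_base_modules(modules: dict) -> list:
    """Sorted names of modules that load at a predictable address."""
    return sorted(n for n, img in modules.items() if not aslr_status(img)["randomized"])

def make_pe(dll_chars: int, file_chars: int = 0x2102, magic: int = 0x10B) -> bytes:
    """Constructed header-only blob (not a loadable DLL) used as sample input."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, file_chars)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

# Constructed samples: names and flag values are illustrative only.
SAMPLES = {
    "modern.dll": make_pe(0x0140),                     # DYNAMIC_BASE | NX_COMPAT
    "legacy_plugin.dll": make_pe(0x0000),              # never opted in to ASLR
    "stripped.dll": make_pe(0x0040, file_chars=0x2103) # opted in, but relocations stripped
}

if __name__ == "__main__":
    print("modules without ASLR:", fixed_base_modules(SAMPLES))
```

The result reflects the header opt-in only; any system-wide forced relocation setting is outside what the file itself shows.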
Another ASLR bypass technique involves the modification of the BSTR length/null terminator. But this technique only applies to specific types of vulnerabilities that can overwrite memory, such as buffer overflow, arbitrary memory write, and increasing/decreasing the content of a memory pointer. The Adobe XFA 0day exploit (CVE-2013-0640) uses this technique to find the AcroForm.api base address and builds a ROP chain dynamically to bypass ASLR and DEP.
"The good thing about these types of vulnerabilities is that they can corrupt the length of a BSTR such that using the BSTR can access memory outside of its original boundaries. Such accesses may disclose memory addresses that can be used to pinpoint libraries suitable for ROP. Once the exploit has bypassed ASLR in this way, it may then use the same memory corruption bug to control EIP."
According to Microsoft, these types of bugs typically use JavaScript to trigger the flaw, as well as heap-spray to abuse the memory, and bypass ASLR. ASLR bypassing has become more and more common in Zero-Day attacks.