For a long time, Microsoft’s monthly Patch Tuesday security bulletins have periodically addressed use-after-free vulnerabilities, the latest class of memory corruption bugs that have already found their way into a number of targeted attacks.
Microsoft has implemented mitigations to address memory-related vulnerabilities that afford successful attackers control over the underlying computer. Most notably, Microsoft has stood behind its Enhanced Mitigation Experience Toolkit, or EMET, suggesting it on several occasions as a temporary mitigation for a vulnerability until the company could push out a patch to users.
Most recently, Microsoft brought new memory defenses to the browser, loading Internet Explorer with two new protections called Heap Isolation and Delayed Free, both of which take steps inside IE to frustrate and deny the execution of malicious code.
Researchers have had a growing interest in bypassing EMET and memory protections for some time, with some successful bypasses disclosed and ultimately addressed by Microsoft. And until the Operation Snowman attacks, they were exclusively the realm of white hats—as far as we know publicly.
As with the EMET protections, Heap Isolation and Delayed Free were bound to attract some attention, and last week at ShmooCon, a hacker conference in Washington, D.C., Bromium Labs principal security researcher Jared DeMott successfully demonstrated a bypass for both.
DeMott’s bypass relies on what he termed a weakness in Microsoft’s approach with the new protections. With Heap Isolation, a new heap is created housing sensitive internal IE objects, while objects such as JavaScript likely to be targeted remain in the default heap, he said.
“Thus if a UaF condition appears, the attacker should not be able to replace the memory of the dangling pointer with malicious data,” he wrote in a report published this week. This separation of good and bad data, however, isn’t realistic given the complexity of code and objects. Delayed Free then kicks in by delaying the release of an object to memory until there are no references to the object on the stack and 100,000 bytes are waiting to be freed, DeMott said.
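As an added illustration (not DeMott’s script and not Microsoft’s code), the following is a simplified model of the Delayed Free rule just described: a freed object is scrubbed and parked in a quarantine, and the quarantine is only handed back to the allocator once at least 100,000 bytes are waiting and nothing on the stack still references a parked block. The stack scan is replaced here by a caller-supplied predicate, and the MAX_PENDING limit is an assumption of the model, not a value from the article.

```c
#include <stdlib.h>
#include <string.h>

/* Threshold quoted in the article; a real implementation also walks the stack. */
#define DEFERRED_FREE_THRESHOLD 100000u
#define POISON_BYTE 0xFE        /* a dangling read sees this, not attacker data */
#define MAX_PENDING 4096        /* model limit, not an IE value */

/* Predicate standing in for the stack scan: returns 1 if any pending block is
 * still referenced from the stack. Supplied by the caller in this model. */
typedef int (*stack_refs_fn)(void);

/* Two stand-in predicates used by the demo below. */
int stack_refs_none(void)    { return 0; }
int stack_refs_present(void) { return 1; }

static void  *pending[MAX_PENDING];
static size_t pending_count = 0;
static size_t pending_bytes = 0;

size_t quarantine_count(void) { return pending_count; }
size_t quarantine_bytes(void) { return pending_bytes; }

/* Release the quarantine only when both conditions from the article hold:
 * enough bytes are waiting AND nothing on the stack still points at them. */
static size_t flush_if_allowed(stack_refs_fn stack_has_refs)
{
    if (pending_bytes < DEFERRED_FREE_THRESHOLD || stack_has_refs())
        return 0;
    size_t released = pending_count;
    for (size_t i = 0; i < pending_count; i++)
        free(pending[i]);
    pending_count = 0;
    pending_bytes = 0;
    return released;
}

/* Drop-in for free(): scrub the object and park it instead of releasing it.
 * Returns how many quarantined blocks this call handed back to the allocator
 * (0 means this block, and everything parked before it, is still held). */
size_t deferred_free(void *p, size_t size, stack_refs_fn stack_has_refs)
{
    memset(p, POISON_BYTE, size);        /* old object contents are gone */
    if (pending_count == MAX_PENDING) {  /* model overflow: give up on deferral */
        free(p);
        return 1;
    }
    pending[pending_count++] = p;
    pending_bytes += size;
    return flush_if_allowed(stack_has_refs);
}
```

While a block sits in quarantine, a dangling pointer to it reads the poison pattern rather than a replacement object, which is the property the mitigation relies on; the bypass in the article works precisely by meeting both release conditions while a heap-held reference survives.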
Taking advantage of these conditions, DeMott’s bypass works through the use of what he calls a “long-lived dangling pointer.”
“If an attacker can locate a UaF bug that involves code that maintains a heap reference to a dangling pointer, the conditions to actually free the object under the deferred free protection can be met (no stack references or call chain eventually unwinds),” DeMott said. “And finding useful objects in either playground to replace the original turns out not to be that difficult either.”
DeMott’s bypass is a Python script which searches IE for all objects, sizes and whether an object is allocated to the default or isolated heap.
“This information can be used to help locate useful objects to attack either heap,” he wrote. “And with a memory garbage collection process known as coalescing, the replacement object does not even have to be the same size as the original object.”
DeMott said an attack would be similar to other client-side attacks. A victim would have to be lured to a website via phishing or a watering hole attack and be infected with the exploit.
“If you have a working UaF bug, you have to make sure it’s of this long-lived type and can basically upgrade it to an existing attack to bypass these mitigations,” DeMott told Threatpost. “There’s no secret sauce, like every attack, it just depends on a good bug.”
DeMott said he expects use-after-free to be the next iteration of memory corruption attacks.
“There’s always a need [for attackers] to innovate,” DeMott said, pointing out that Microsoft deployed ASLR and DEP in response to years of buffer overflow and heap spray attacks, only to be thwarted by attackers with use-after-free vulnerabilities. “It’s starting to happen, it’s coming if it’s not already here.”