
11/30/2009
02:18 PM

Heap Spraying: Attackers' Latest Weapon Of Choice

Difficult to detect reliably, heap spraying was behind an exploit of IE and Adobe Reader

It Begins with JavaScript

"Every time you download a Web page," Zorn says, "it can contain JavaScript, which is executable code. It's perfectly valid for JavaScript to allocate objects. So attackers use JavaScript to propagate copies of malicious objects and then exploit some known bug in the browser to execute malicious code."

Such an approach may not work every time; there is always an element of luck involved. But if the attacker lures enough users to the page, enough of the attempts will succeed, and enough machines will be compromised to cause nuisance or damage.

Adds Zorn: "The interesting thing about heap spraying is that, from the attacker's point of view, it's easy to implement. The actual spray is just a loop written in JavaScript, and the exploit code is a JavaScript string. Ten lines of code in JavaScript are sufficient to create a heap-spray attack."

Kittens of Doom

It's disturbing enough to know how little effort it takes to create a heap spray, but browsers are not the only programs at risk. Any program that enables JavaScript execution is vulnerable. Attacks on Adobe Reader and Acrobat proved that PDF files, which users consider passive and read-only, can be a source of heap-spraying attacks, too.

"Applications such as Adobe Reader have evolved to be more dynamic," Livshits says. "They allow some scripting, to support more extensibility, and rely on languages such as JavaScript to enable that. This is a widespread phenomenon, and, as a result, heap spraying as an attack vector is also widespread. In fact, another program susceptible to this is Flash, since you can embed script in a Flash player in a similar way. So it's important to understand it's not just Web pages that are vulnerable."

Just about any form of data can be used for exploitation, Zorn says. To drive this point home during the Usenix Security Symposium, the researchers displayed a slide titled "Kittens of Doom: Is No Data Sacred?"

"We wanted to convey that the most innocent of files can be used for exploitation," Livshits says. "This is an apparently harmless image of a kitten, but there is a malicious payload in the comment field of the image that initiates a heap-spraying attack on the browser.

"Not every heap-spraying attack works, so it's possible the data you receive had passed harmlessly through other users, because the spray worked but the exploit failed. What's benign to another user could be a problem for you."

All Roads Lead to Shell Code

Given that any data can be used for exploitation, the researchers took the perspective that they should examine all objects on the heap. In some cases, data can look like code and vice versa, making it even more difficult to reliably identify harmful objects.

The first breakthrough for the team came when they decided that, instead of looking at individual instructions in an object, they would analyze its control flow.

"The ultimate goal of these objects is to get to the shell code," Zorn says. "That's what we call the code that causes actual damage. If the object can't direct control to the shell code, the attack fails.

"If there is an object and, no matter where we jump into it, we almost always end up going to the same place, then it qualifies as suspicious. Now, there could be non-malicious objects in the heap that contain what look like instructions -- but it's very unlikely that they will also try to make you go to the same place. So control flow is a semantic property that helped us zero in on malicious objects."

This approach proved more reliable than other detection schemes, with only a 10 percent false-positive rate. The researchers, though, were aiming for zero false positives, if possible.

"We are talking about stopping the program each time we detect a suspicious object," Livshits says. "If objects are actually harmless 10 percent of the time, it's an unacceptable amount of disruption to the user."

Profile of an Exploit

Fortunately, there is another characteristic of heap spraying the researchers could leverage: To be successful, attackers have to allocate thousands of objects into the heap. This understanding led to the researchers' second breakthrough: the notion of the global heap metric index, an aggregate of measurements across all heap objects.

"In a spray attack, we don't have just a few suspicious objects," Zorn says. "There are thousands, representing a large percentage of the heap. So we came up with an index that would indicate the health of the entire heap—essentially a measure of the fraction of the heap that contains suspicious objects."

A few suspicious objects won't raise an alarm. But a high density of suspicious objects is a reliable indication of a heap-spraying attack. The global heap metric index dramatically reduced the false-positive rate.

"We take advantage of the very scheme attackers depend on for exploitation," Zorn says. "In order for such attacks to work, they must allocate many, many objects; so we monitor whether a significant percentage of the heap contains suspicious objects."
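The two ideas Zorn and Livshits describe, a per-object control-flow test ("no matter where we jump into it, we end up in the same place") and a global heap metric (the fraction of the heap made of such objects), can be sketched in a few lines. The following is an added illustration, not code from the researchers' tool; it assumes a deliberately tiny toy instruction set (NOP, short JMP, RET, anything else treated as data) and constructed sample objects standing in for a real process heap.

```python
from collections import Counter

# Toy instruction set, assumed for illustration only (not a real disassembler).
NOP, JMP, RET = 0x90, 0xEB, 0xC3

def trace(obj, entry, max_steps=10_000):
    """Follow control flow from `entry` until it stops; return the sink.
    The sink is where execution ends: a RET, a non-code byte, leaving the
    object, or looping forever (bounded by max_steps)."""
    pc = entry
    for _ in range(max_steps):
        if not 0 <= pc < len(obj):
            return ("oob", pc)
        op = obj[pc]
        if op == NOP:
            pc += 1                      # fall through to the next byte
        elif op == JMP and pc + 1 < len(obj):
            disp = obj[pc + 1]
            disp = disp - 256 if disp > 127 else disp   # signed 8-bit displacement
            pc = pc + 2 + disp
        elif op == RET:
            return ("ret", pc)
        else:
            return ("data", pc)          # not an instruction: execution stops here
    return ("loop", pc)

def surface_area(obj):
    """Fraction of entry offsets whose control flow converges on the most
    common sink. Close to 1.0 means 'jump in anywhere, land in one place'."""
    sinks = Counter(trace(obj, e) for e in range(len(obj)))
    return max(sinks.values()) / len(obj)

def heap_health(heap, obj_threshold=0.5):
    """Global heap metric: fraction of heap bytes held by suspicious objects.
    A handful of odd objects barely moves it; thousands of them dominate it."""
    total = sum(len(o) for o in heap)
    bad = sum(len(o) for o in heap if surface_area(o) >= obj_threshold)
    return bad / total if total else 0.0

def spray_suspected(heap, heap_threshold=0.5):
    """Raise the alarm only on heap density, not on single objects."""
    return heap_health(heap) >= heap_threshold

# Constructed sample objects: an ordinary string versus a sled-like object
# whose every entry point falls through to the same RET.
TEXT = b"Hello, heap!"
SLED = bytes([NOP] * 63 + [RET])

if __name__ == "__main__":
    print(surface_area(TEXT), surface_area(SLED))
    print(heap_health([TEXT] * 10), heap_health([TEXT] * 10 + [SLED] * 30))
```

Running it shows the string scoring 1/12 (each entry stops at its own byte) while the sled scores 1.0, and only the heap dominated by sled-like objects crosses the global threshold.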
