A researcher has demonstrated that two use-after-free (UAF) mitigations introduced recently by Microsoft, Heap Isolation and Delay Free, can be bypassed.
UAF vulnerabilities can be highly dangerous and regular anti-virus solutions are not very efficient when it comes to protect against such memory corruption exploits. Low-level operating system protections are much more efficient, but they’re not perfect either.
UAF exploits and mitigations
One of the most problematic memory corruption exploits is return-oriented programming (ROP), a code reuse technique often employed by attackers to disable protections such as Data Execution Prevention (DEP). Microsoft has implemented some anti-ROP mitigations in its Enhanced Mitigation Experience Toolkit (EMET), but as researchers demonstrated on numerous occasions, the security tool can be bypassed.
In the past, attackers often leveraged stack buffer overflows as the initial vulnerability when mounting a ROP attack chain. However, since stack buffer overflow bugs have become less useful due to recent mitigations, malicious actors are increasingly relying on use-after-free as the initial vector.
In the summer of 2014, Microsoft updated Internet Explorer with two new clever mitigations: Heap Isolation and Delay Free. However, as Bromium security researcher Jared DeMott demonstrated at the ShmooCon hacker convention over the weekend, these mitigations can be bypassed as well.
“Heap Isolation creates a new heap,” the researcher explained in a blog post. “A heap is a place that a program uses to create/free internal data as needed throughout execution. This new isolated heap houses many internal Internet Explorer objects, while objects likely to be under the influence of attacks (like strings created via Java Script) will still be allocated on the typical default heap. Thus, if a UaF condition appears, the attacker should not be able to replace the memory of the dangling pointer with malicious data.”
Because it’s difficult to perfectly separate the two object groups, Microsoft developed Delay Free, a mitigation which ensures that an object’s memory is not released right away.
“Even though the program has asked the allocator to free a chunk of memory, the object is not freed, but is instead put on a list to be freed later,” DeMott said. “That way even if an attacker knows of an object type on both heaps that could be used to replace the memory backing a dangling reference, they cannot since the memory has not actually been freed yet.”
“The memory will not be truly freed until the following conditions are meet: there are no references to the object on the stack and there are at least 100,000 bytes waiting to be freed, or the per-thread call stack unwinds fully to its original starting point,” the expert noted.
Bypassing Heap Isolation and Delay Free
DeMott, who in February 2014 demonstrated that EMET 4.1 could be bypassed, believes these new protections are definitely helpful in mitigating UAF attacks. However, they are not 100% efficient.
The researcher has managed to bypass them by using what he calls a “long lived” dangling pointer.
“If an attacker can locate a UaF bug that involves code that maintains a heap reference to a dangling pointer, the conditions to actually free the object under the deferred free protection can be met (no stack references or call chain eventually unwinds),” DeMott wrote in his blog post.
In his presentation at ShmooCon, DeMott described a scenario in which the attacker crafts a malicious website and gets the victim to visit it (via watering hole, phishing, ad-redirects, malicious Wi-Fi, etc.). When the user visits the site, the attacker exploits Internet Explorer with a zero-day involving UAF.
“Specifically, the attacker needs to innovate a bit more and find a UaF that meets the properties described in the UaF bypass research; for example, a ‘long-lived’ dangler pointer is required, since the Isolated Heap and Delayed free are fairly effective against short-lived UaFs. Finding this type of UaF is not at all unlikely, and I showed an example of one such bug,” DeMott told SecurityWeek.
The researcher has published a Python script that demonstrates the attack method.
DeMott told SecurityWeek that the research is specific to Internet Explorer, but pointed out that all browser vendors are working on UAF protections similar to Heap Isolation and Delay Free.
“In fact, I suspect OS vendors will look to put something like this in place more generically for other applications where applicable,” the researcher explained in an email.
The expert informed Microsoft of this findings and even sent them a copy of his ShmooCon slides in early December. The company thanked him.
Microsoft is well aware that its mitigation mechanisms can be bypassed. Whenever researchers demonstrated ways to bypass or disarm EMET in the past, the company pointed out that the goal of the mitigations is “to make it more difficult, expensive and time consuming, and therefore less likely, for attackers to exploit a system.”
High-tech and low-tech attacks
UAF vulnerabilities are currently a popular attack vector, but DeMott believes we should expect to see a new type of memory corruption bugs in the future.
“Attack patterns seem to be cyclic when you look at computer security history. For a time, attackers will be ‘high-tech’ and exploit complicated bugs like UaFs. But as that gets too difficult, they will go back to tricking users into providing passwords over the internet (‘low-tech’),” DeMott said. “But then after some time, attackers always seem to innovate again. And the cycle will ‘wash, rinse, and repeat.’ There will always be this tug-of-war: people will always want/need security better than what OS vendors natively provide. Security companies will always be there to assist with whatever the current threat landscape looks like.”
The researcher believes that while products like EMET do a fairly good job at mitigating weaker attacks, a different approach is needed against sophisticated zero-day attacks. Bromium’s approach, implemented in the Bromium vSentry solution, is to isolate the entire browser/process through micro-virtualization.
