Connect with us

Hi, what are you looking for?



ASLR Bypass Techniques Appearing More Frequently in Attacks

Attackers are increasingly dodging the address space layout randomization [ASLR] mechanisms used to thwart buffer overflow attacks.

Attackers are increasingly dodging the address space layout randomization [ASLR] mechanisms used to thwart buffer overflow attacks.

According to researchers with FireEye, recent APT attacks have utilized many different ASLR bypass techniques during the past year. The most popular way is loading a non-ASLR module. There are two popular non-ASLR modules used in Internet Explorer zero-day exploits, including the recent CVE-2013-3893 and CVE-2013-1347 vulnerabilities.

“MSVCR71.DLL, JRE 1.6.x shipped an old version of the Microsoft Visual C Runtime Library which was not compiled with the /DYNAMICBASE option,” explained FireEye researcher Xiaobo Chen. “By default, this DLL will be loaded into the IE process at a fixed location in following OS and IE combination: Windows 7 and Internet explorer 8 [and] Windows 7 and Internet explorer 9.”

The other popular module is HXDS.DLL, shipped from MS Office 2010/2007, is not compiled with ASLR. This is the most frequently used ASLR bypass for IE 8 and IE 9 on Windows 7. This DLL will be loaded when the browser loads a page with ‘ms-help://’ in the URL, Chen noted.

Advertisement. Scroll to continue reading.

The non-ASLR module technique requires however that IE 8 and IE 9 are running with old software like JRE 1.6 and Microsoft Office 2007.

Another ASLR bypass technique involves the modification of the BSTR length/null terminator. According to Chen, this technique only applies to certain types of vulnerabilities that can overwrite memory.

“The arbitrary memory write does not directly control EIP,” he blogged. “Most of the time, the exploit overwrites some important program data, like function pointers, to achieve code execution. The good thing about these types of vulnerabilities is that they can corrupt the length of a BSTR such that using the BSTR can access memory outside of its original boundaries. Such accesses may disclose memory addresses that can be used to pinpoint libraries suitable for ROP. Once the exploit has bypassed ASLR in this way, it may then use the same memory corruption bug to control EIP.”

A similar technique is the modification of the array object length in that they both require a certain class of vulnerabilities. However in this case, once the attacker is able to change the length, he or she will also be able to arbitrarily read/write memory, Chen noted. This has been used in a number of recent exploits, including CVE-2013-0634 (Adobe Flash Player) and CVE-2013-1690 (Firefox).

Despite the increasing use of different bypass techniques, FireEye Senior Malware Researcher Dan Caselden said ASLR is still a worthwhile means of protection.

“ASLR forces attackers to add an extra step to their exploits, which further complicates exploit development,” he said. “Many high-profile zero-days still don’t attempt to fully bypass ASLR with information leaks, instead relying on shortcuts that limit the scope of their attacks.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.