Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

ASLR Bypass Techniques Appearing More Frequently in Attacks

Attackers are increasingly dodging the address space layout randomization [ASLR] mechanisms used to thwart buffer overflow attacks.

Attackers are increasingly dodging the address space layout randomization [ASLR] mechanisms used to thwart buffer overflow attacks.

According to researchers with FireEye, recent APT attacks have utilized many different ASLR bypass techniques during the past year. The most popular way is loading a non-ASLR module. There are two popular non-ASLR modules used in Internet Explorer zero-day exploits, including the recent CVE-2013-3893 and CVE-2013-1347 vulnerabilities.

“MSVCR71.DLL, JRE 1.6.x shipped an old version of the Microsoft Visual C Runtime Library which was not compiled with the /DYNAMICBASE option,” explained FireEye researcher Xiaobo Chen. “By default, this DLL will be loaded into the IE process at a fixed location in following OS and IE combination: Windows 7 and Internet explorer 8 [and] Windows 7 and Internet explorer 9.”

The other popular module is HXDS.DLL, shipped from MS Office 2010/2007, is not compiled with ASLR. This is the most frequently used ASLR bypass for IE 8 and IE 9 on Windows 7. This DLL will be loaded when the browser loads a page with ‘ms-help://’ in the URL, Chen noted.

Advertisement. Scroll to continue reading.

The non-ASLR module technique requires however that IE 8 and IE 9 are running with old software like JRE 1.6 and Microsoft Office 2007.

Another ASLR bypass technique involves the modification of the BSTR length/null terminator. According to Chen, this technique only applies to certain types of vulnerabilities that can overwrite memory.

“The arbitrary memory write does not directly control EIP,” he blogged. “Most of the time, the exploit overwrites some important program data, like function pointers, to achieve code execution. The good thing about these types of vulnerabilities is that they can corrupt the length of a BSTR such that using the BSTR can access memory outside of its original boundaries. Such accesses may disclose memory addresses that can be used to pinpoint libraries suitable for ROP. Once the exploit has bypassed ASLR in this way, it may then use the same memory corruption bug to control EIP.”

A similar technique is the modification of the array object length in that they both require a certain class of vulnerabilities. However in this case, once the attacker is able to change the length, he or she will also be able to arbitrarily read/write memory, Chen noted. This has been used in a number of recent exploits, including CVE-2013-0634 (Adobe Flash Player) and CVE-2013-1690 (Firefox).

Despite the increasing use of different bypass techniques, FireEye Senior Malware Researcher Dan Caselden said ASLR is still a worthwhile means of protection.

“ASLR forces attackers to add an extra step to their exploits, which further complicates exploit development,” he said. “Many high-profile zero-days still don’t attempt to fully bypass ASLR with information leaks, instead relying on shortcuts that limit the scope of their attacks.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Shane Barney has been appointed CISO of password management and PAM solutions provider Keeper Security.

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

Vats Srivatsan has been appointed interim CEO of WatchGuard after Prakash Panjwani stepped down.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.