ASLR Bypass Techniques Appearing More Frequently in Attacks

Attackers are increasingly dodging the address space layout randomization [ASLR] mechanisms used to thwart buffer overflow attacks.

According to researchers with FireEye, recent APT attacks have utilized many different ASLR bypass techniques during the past year. The most popular way is loading a non-ASLR module. There are two popular non-ASLR modules used in Internet Explorer zero-day exploits, including the recent CVE-2013-3893 and CVE-2013-1347 vulnerabilities.

“MSVCR71.DLL, JRE 1.6.x shipped an old version of the Microsoft Visual C Runtime Library which was not compiled with the /DYNAMICBASE option,” explained FireEye researcher Xiaobo Chen. “By default, this DLL will be loaded into the IE process at a fixed location in following OS and IE combination: Windows 7 and Internet explorer 8 [and] Windows 7 and Internet explorer 9.”

The other popular module is HXDS.DLL, shipped from MS Office 2010/2007, is not compiled with ASLR. This is the most frequently used ASLR bypass for IE 8 and IE 9 on Windows 7. This DLL will be loaded when the browser loads a page with ‘ms-help://’ in the URL, Chen noted.

The non-ASLR module technique requires however that IE 8 and IE 9 are running with old software like JRE 1.6 and Microsoft Office 2007.

Another ASLR bypass technique involves the modification of the BSTR length/null terminator. According to Chen, this technique only applies to certain types of vulnerabilities that can overwrite memory.

“The arbitrary memory write does not directly control EIP,” he blogged. “Most of the time, the exploit overwrites some important program data, like function pointers, to achieve code execution. The good thing about these types of vulnerabilities is that they can corrupt the length of a BSTR such that using the BSTR can access memory outside of its original boundaries. Such accesses may disclose memory addresses that can be used to pinpoint libraries suitable for ROP. Once the exploit has bypassed ASLR in this way, it may then use the same memory corruption bug to control EIP.”

A similar technique is the modification of the array object length in that they both require a certain class of vulnerabilities. However in this case, once the attacker is able to change the length, he or she will also be able to arbitrarily read/write memory, Chen noted. This has been used in a number of recent exploits, including CVE-2013-0634 (Adobe Flash Player) and CVE-2013-1690 (Firefox).

Despite the increasing use of different bypass techniques, FireEye Senior Malware Researcher Dan Caselden said ASLR is still a worthwhile means of protection.

“ASLR forces attackers to add an extra step to their exploits, which further complicates exploit development,” he said. “Many high-profile zero-days still don’t attempt to fully bypass ASLR with information leaks, instead relying on shortcuts that limit the scope of their attacks.”