Watchfire Researchers Teach An Old Bug New Tricks
On Wednesday, Johnathan Afek, a Senior Security Researcher for automated software vulnerability assessment vendor Watchfire, stood in front of an audience of several hundred developers and security professionals at Black Hat and demonstrated an attack that did all three. His presentation explored a variety of techniques for exploiting a type of bug known as a "dangling pointer." At the end of the presentation, he exploited a dangling pointer to take control of a Microsoft IIS web server as the audience watched.
Dangling pointers are a common coding error in which a program keeps a pointer to an object after that object has been freed, so that later uses of the pointer reach memory that may since have been handed out to something else. If an attacker can arrange for attacker-controlled data to occupy that freed memory before the stale pointer is used (for instance a fake object whose function pointer field points at the attacker's code), the program can be made to execute it, with the same end result as the better-known "buffer overflow" bug. Previously, however, it was widely believed that such an attack was theoretically possible but almost impossible to pull off as a practical matter.
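To make the mechanism concrete, here is a worked example in C. It is added for this page and is not code from Watchfire's presentation, from IIS, or from any real exploit. It uses a small fixed-size free-list allocator so that chunk reuse is deterministic (real heaps such as glibc's tcache and the Windows low-fragmentation heap reuse same-size chunks in much the same way, which is what makes the pattern exploitable), a handler object with a function pointer standing in for a C++ object's vptr, and a counter-incrementing function standing in for shellcode. The attacker-supplied request bytes are constructed inline; in a real attack the attacker would have to know or guess the payload address.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Deterministic fixed-size allocator: a LIFO free list, so the chunk freed
   most recently is the one handed out next (assumption for this example;
   glibc tcache and the Windows LFH behave similarly for same-size requests). */
#define SLOT_SIZE 32
#define NSLOTS    4

static unsigned char pool[NSLOTS * SLOT_SIZE];
static int free_slots[NSLOTS];
static int free_top;

static void pool_init(void) {
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_slots[free_top++] = i;
}
static void *pool_alloc(void) {
    return free_top > 0 ? (void *)(pool + free_slots[--free_top] * SLOT_SIZE) : NULL;
}
static void pool_free(void *p) {
    free_slots[free_top++] = (int)(((unsigned char *)p - pool) / SLOT_SIZE);
}

/* A handler whose first field is a function pointer, like the vptr of a C++ object. */
typedef struct {
    void (*on_request)(void);
    char  name[SLOT_SIZE - sizeof(void (*)(void))];
} handler_t;

static int legit_calls, hijacked_calls;
static void legit_handler(void)    { legit_calls++; }
static void attacker_payload(void) { hijacked_calls++; }  /* stands in for shellcode */

/* Constructed attacker request: a fake object whose function-pointer field
   holds the payload address, padded with filler bytes. */
static size_t build_fake_object(unsigned char *out) {
    void (*fp)(void) = attacker_payload;
    memset(out, 'A', SLOT_SIZE);
    memcpy(out, &fp, sizeof fp);
    return SLOT_SIZE;
}

/* Vulnerable pattern: the handler is released on one path, but the stale
   pointer is dereferenced afterwards. Returns 1 if control was hijacked. */
int run_vulnerable(void) {
    unsigned char request[SLOT_SIZE];
    size_t len = build_fake_object(request);
    pool_init();
    legit_calls = hijacked_calls = 0;

    handler_t *h = pool_alloc();
    h->on_request = legit_handler;
    strcpy(h->name, "static-file");
    pool_free(h);                        /* BUG: h now dangles; its chunk is on the free list */

    unsigned char *body = pool_alloc();  /* same size, so it gets the chunk h still points to */
    memcpy(body, request, len);          /* attacker bytes overwrite the dead object */

    h->on_request();                     /* use-after-free: dispatches to attacker_payload */
    pool_free(body);
    return hijacked_calls == 1 && legit_calls == 0;
}

/* Hardened: the object is released only after its last use, and the pointer
   is nulled so any later misuse is a null dereference rather than a hijack. */
int run_hardened(void) {
    unsigned char request[SLOT_SIZE];
    size_t len = build_fake_object(request);
    pool_init();
    legit_calls = hijacked_calls = 0;

    handler_t *h = pool_alloc();
    h->on_request = legit_handler;
    strcpy(h->name, "static-file");

    unsigned char *body = pool_alloc();  /* distinct chunk: h is still live */
    memcpy(body, request, len);

    h->on_request();                     /* legitimate dispatch */
    pool_free(h);
    h = NULL;                            /* no dangling reference survives the free */
    pool_free(body);
    return hijacked_calls == 0 && legit_calls == 1;
}

int main(void) {
    printf("vulnerable version hijacked: %s\n", run_vulnerable() ? "yes" : "no");
    printf("hardened version hijacked:   %s\n", run_hardened() ? "no" : "yes");
    return 0;
}
```

The point the example makes is the one Afek's methodology relies on: nothing in the vulnerable function writes outside any buffer, so bounds checking never fires. The only defect is that an object's lifetime ended before its last use, and the attacker's job reduces to getting a same-sized allocation containing a fake object into that gap.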
Indeed, the existence of the specific IIS bug Afek used in his demonstration is old news. Microsoft publicly disclosed it 18 months earlier, in December 2005, but had considered it a low priority and did not patch it until Watchfire informed them that they had discovered a way to exploit it.
"When we first told them we were able to exploit it, Microsoft was interested but skeptical, and asked for a proof of concept," Watchfire Director of Security Research Danny Allan told CRN. "When we gave it to them, they were very fascinated because this is the first known exploit of a dangling pointer, and they were very quick to fix it."
"I don't know if this is the first exploit like this, but I don't know a lot of people who were aware of this," said one Black Hat attendee who asked not to be identified. "I certainly know that our development team hasn't been paying that much attention to it."
Allan emphasized that while the demonstration used IIS, the specific bug and exploit in that case were not their real target. "What is of more interest is that the research team has discovered a repeatable methodology that they can apply to dangling pointers," he said. "Depending on context, this could be the tip of the iceberg. I mean, dangling pointers are known to be prevalent, and no one has really put any focus into exploiting them before."
Because they have been considered a relatively low priority and have not attracted much attention in the past, no one really knows exactly how common dangling pointers are or how many applications might be vulnerable. Moreover, both Afek and a number of attendees at the presentation noted that the particular characteristics of the general class of dangling pointer bugs render them very difficult for developers to test for in a systematic way.
"This is the sort of thing where you can write perfectly good code, but if you're living in a process with a bad implementation of something else, it can affect you," said one developer in the audience.
According to Afek, these vulnerabilities highlight an underlying problem in the way developers deal with code flaws. "I think that every serious bug should be treated as a major security issue, and developers do not need to wait until these types of bugs are proved to be exploitable."
Another attendee noted that this presents developers with a conundrum. "It takes a lot of engineering time to go through and root cause every crash, so if you say everyone has to do that, then you've increased your maintenance costs," he said. "If you say forget it, it's too expensive, there's an asymmetry there because the hackers are going to care, and they're going to be the ones exposing it. The head-in-the-sand managers are going to learn it the hard way."