Dangling Pointer Jonathan Afek, 1/8/07, BlackHat USA 1 Table of Contents What is a Dangling Pointer? Code Injection Object Overwriting Demonstration Remediation Summary Q&A 2 What is a Dangling Pointer? Invalid Pointer: Real Life Example Dangling Dangerous Pointer1 Pointer2 Pointer3 Pointer Exploitable Common Application Code: Pointer3 = new Object(); … delete Pointer3; Overwrite Deleted … Object Object NewObject Data the object Object Pointer3->func(); 3 What is a Dangling Pointer? Assembly – Memory Layout – Registers – Assembly code 4 Where are We What is a Dangling Pointer? Code Injection Object Overwriting Demonstration Remediation Summary Q&A 5 Code Injection – The Layout of an Object Class_A: Instance_A memory Class_A VFTable vfunc_A1 Code classVFTABLE PointerClass_A vfunc_A1 address Assembly code {member_of_A vfunc_A2 address int member_of_A;vfunc_A 3 address public : vfunc_A2 Code virtual long vfunc_A1(); { Assembly code ... virtual long vfunc_A2(); MOV EAX,… [ECX] this.vfunc_A3();virtual long vfunc_A3(); ... static void sfunc_A();CALL [EAX + 8] vfunc_A3 Code } void funcA(); … Assembly code }; 6 Code Injection – The Double Reference Exploit Exploit Overview: – Free the Object – Overwrite the Object – Execute a Virtual Function 77 Code Injection – The Double Reference Exploit Object Allocated Object De-allocated Shellcode Overwriting Object Finding a “VFTable” VFunc3 Executed Application Code: ECX – Original Object EAX – “VFTABLE” a->v_func3();a =delete new a;A(); “VFTABLE” “VFTABLE” Pointer Memory Junk MOV EAX,… [ECX] Memory Junk CALL [EAX + 8] Pointer OriginalFreed Space Object … SHELLCODE Memory Junk Memory Junk CALL/JMP ECX 8 Where are We What is a Dangling Pointer? Code Injection Object Overwriting Demonstration Remediation Summary Q&A 9 Object Overriding Allocation Implementation – C-Runtime heap – C-Runtime functions • Malloc • Free • New • Delete • Etc. 1010 Object Overriding Allocation implementation details – Lookaside List: Cache De-allcated Memory • A list for each size (8-1024) (8) • First Allocation Priority AAnother De-Allocated De-Allocated Buffer Buffer Next BufferNULL Pointer 40 Bytes 40 bytes Bytes Lookaside list base pointer 11 Object Overriding Exploit Review Overwriting – Search for Allocations Pointer3Dangling • Disassembly Pointer • Same Size • Controllable Content Application Code: Pointer3 = new Object(); … delete Pointer3; Overwrite Deleted … NewObject Data the object Object Pointer3->func(); 1212 Object Overriding – The VFTABLE Exploit Empty the Lookaside List Free the Buffer Allocate a Buffer Free the Object Insert Content Execute a VFunc MOV EAX,… [ECX] ECX – Original Object EAX – “VFTABLE” CALL [EAX + 8] “VFTABLE” … “VFTABLE” Pointer NULL SHELLCODE New Buffer Pointer Original Object Rest of CALL/JMP EAX SHELLCODE 13 Object Overriding – The Lookaside Exploit Empty the Lookaside Free One Buffer Allocate Two Buffers Free the Other Insert Shellcode Free the Object Trigger the Bug TheThe De-Allocated Shellcode ObjectBuffer AA VFTABLE Function NULL Pointer Shellcode… GAME OVER!!! 1414 Object Overriding – The Lookaside Exploit Executing NULL – NO Problem 15 15 Summary Double Reference Exploit – Controllable First DWORD – Static Address VFTABLE Exploit – Controllable Allocations – No First DWORD – Static Address Lookaside Exploit – Controllable Allocations – No First DWORD – No Static Address – Destructor Execution 16 Where are We What is a Dangling Pointer? Code Injection Object Overwriting Demonstration Remediation Summary Q&A 17 Demonstration Putting it Together – De-Allocate – Inject – Trigger 18 Where are We What is a Dangling Pointer Code Injection Object Overwriting Demonstration Remediation Summary Q&A 19 Remediation Known Protection Mechanisms – NX Bit – ASLR VFTABLE Sanitation Safe Programming 20 Summary Technical Background – Memory Allocations – Objects Implementation Exploits – Double Reference Exploit – VFTABLE Exploit – Lookaside Exploit Demonstration – Microsoft IIS 5.1 Dangling Pointer – Only Object Oriented Objects 21 More Information www.Watchfire.com 22 Questions Ask Away… 23.