Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - A Heap of Overflows? InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

A Heap of Overflows?

Published: 2012-07-19
Last Updated: 2012-07-20 12:12:54 UTC
by Mark Baggett (Version: 1)
1 comment(s)

The heap is a section of memory where applications can dynamically allocate and free memory space.   Heap Overflows occur when a computer application is able to overwrite the operating system's data structure at the beginning of a block of heap memory and then free that memory.     That data structure contains a double link lists with pointers to the previous and next block of memory.    When the memory block is freed an "unlink" function is called that uses those two overwritten pointers to find the previous and next blocks of allocated memory and change their pointer so they point to one another and no longer point to the block being freed.    To "safely unlink" a block of memory the OS should verify the pointers on previous and next blocks tpoint to the block being freed before it is unlinked.  WIthout this check an attacker can use the overwritten pointers to change a value in the memory location of their choosing to the value of their choosing and in most cases gain control of the program's execution.

Ben Hawkes did some analysis of the unlink functions inside the DLLs that are in Windows 8 and found that most of the core libraries in Windows are in fact verifying those pointers and safely unlinking the blocks.   That is good news!   The bad news is he found many instances of DLLs that are not using those core libraries and not safely unlinking memory.  

What does this mean?   I don't know.  But the research is pretty cool.  Mr Hawkes provided a list of DLL's that are not using safe unlinking.   They may or may not be exploitable.   That is yet to be seen.    It is worth a read.   http://www.inertiawar.com/win8_unlink/

Join me for SANS 504 Hacker Techniques, Exploits and Incident response in San Antonio Texas November 27th - December 2nd 2012 in San Antonio Texas!

Mark Baggett
On Twitter @markbaggett
 

1 comment(s)
Diary Archives