Windows "Atom Bombing" Attack
Earlier this week, Ensilo released a blog describing a new code injection attack via Windows Atom Tables [1]. The attack is pretty ingenious and could be used to inject malicious code into running processes or read data from running processes.
Overall, the problem of code injection isn't new, and there are different methods to accomplish code injection. Code injection in its simple form doesn't lead to privilege escalation, nor does it expose your system to new exploits. However, it is a technique that an attacker may use to hide code they are executed as a result of an exploit. Most security tools will whitelist software that you commonly run. Some will even check if the software is modified after it is executed.
Atom tables are a Windows feature meant to allow software to store data, and in some cases to share data with other applications. A user has read/write access to all atom table data created by processes that the user initiated. The result is that malware that the user runs may retrieve data stored to atom tables by other software, or it may modify it to execute malicious code.
Overall, there is no fix expected for this problem. This isn't even a security vulnerability in its current form. Users can always run code and code a user runs typically does have some access to other processes run by the same user (sometimes limited by sandboxing).
So what does this all mean for you? Not much. It was always bad to run malware, and this is yet another way how malware can hide on your system. There is nothing you have to change in the way you are doing things due to this issue. Future versions of anti-malware may be able to intercept respective API calls to inspect any read/write access to these atom tables.
[1] http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Anonymous
Oct 28th 2016
8 years ago
It's neither a feature NOR a vulnerability!
If you have write access to (the virtual memory of) another process you can create a remote thread there or issue an ALPC.
Since Windows only grants access to other processes of your own userid you gain NOTHING: instead of this rather clumsy double indirect code execution you can run the shellcode direct in you own process!
JFTR: instead of an atom string you can also use a registry entry, a (named) pipe, a mailslot, shared memory (for example the buffer used by OutputDebugString()), environment variables etc. to transfer a string from one process into another.
Anonymous
Oct 29th 2016
8 years ago
Maybe you can explain how other OSs handle this?
Anonymous
Oct 30th 2016
8 years ago
Anonymous
Apr 23rd 2017
7 years ago