A new generic method for exploiting a common problem in software code that was previously thought to be prohibitively difficult to attack is generating a wave of concern and surprise in the security community.
The new method is the work of Mark Dowd, a researcher on IBM ISS's X-Force team, and it can be used to reliably exploit NULL pointer dereferences, a very common condition in many applications.
The condition occurs when an application uses a pointer that holds the value NULL, typically because a memory allocation failed and returned NULL instead of a valid address. Programs typically crash when this happens, but Dowd has found a way to exploit the condition—specifically designed for Flash, but also possible in other applications—whenever the application forgets to check whether the memory allocation failed. The attacker then gains the ability to control where in memory the application writes, within some specific constraints.
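The defect class the article describes, as an added example in C that is not from the article or from Dowd's paper: a constructed record parser that allocates a buffer of the size the input declares and stores a byte at an input-chosen offset, shown first with the unchecked allocation and then with the checks that stop the store through a NULL pointer. The record layout, the allocator cap and the function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed record header: both fields come from untrusted input,
 * as they would in a file parser. */
struct record_hdr {
    uint32_t declared_len;   /* buffer size the input claims it needs */
    uint32_t write_off;      /* index at which the payload byte is stored */
    uint8_t  payload;        /* one byte to store, for brevity */
};

/* Constructed allocator cap so an allocation failure can be reproduced
 * deterministically; it stands in for the real allocator running out. */
#define ALLOC_CAP (64u * 1024u * 1024u)
static void *bounded_alloc(size_t n) {
    return n > ALLOC_CAP ? NULL : malloc(n);
}

/* The pattern the article describes: the allocation result is never
 * checked. When declared_len is too large the allocator returns NULL and
 * the store lands at address NULL + write_off, an address picked by the
 * input rather than by the program. Shown only for its shape; never called. */
static void store_unchecked(const struct record_hdr *h) {
    uint8_t *buf = bounded_alloc(h->declared_len);
    buf[h->write_off] = h->payload;   /* dereferences NULL on failure */
    free(buf);
}

/* Hardened form: reject an out-of-range offset and a failed allocation
 * before anything is written. Returns 0 on success, -1 on rejection. */
static int store_checked(const struct record_hdr *h) {
    if (h->declared_len == 0 || h->write_off >= h->declared_len)
        return -1;                    /* offset must fall inside the buffer */
    uint8_t *buf = bounded_alloc(h->declared_len);
    if (buf == NULL)
        return -1;                    /* allocation failed: do not dereference */
    buf[h->write_off] = h->payload;
    free(buf);
    return 0;
}
```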
"People have assumed that these high-level languages weren't vulnerable to memory corruption because they don't work directly with memory. What Mark did that's even creepier than the NULL pointer thing is he found a way to make them vulnerable to memory corruption," said Thomas Ptacek, a principal at Matasano Security, who wrote a long explanation of Dowd's paper recently. "So when you think about it, that means that the status of high-level languages as safe is no longer true."
"NULL pointers have been one of the holy grails because you see them all the time," Ptacek said. "Writing the exploit is very difficult. But writing the second one is difficult, and writing the third one it starts to get easier. What Mark did is go ten steps beyond where any other vulnerability researcher would have stopped. It's amazing. And it's a much bigger deal because nothing is written in C anymore, so finding that these high-level languages are vulnerable is huge."
Dowd's paper, published earlier this month, deals specifically with a recent flaw that IBM ISS discovered in the Flash player. In it, he shows how an attacker could use the NULL pointer issue to compromise a machine, and says that the attack should work on both Firefox and Internet Explorer. He also adds that the ASLR feature in Windows Vista, which provides binaries with a random address in memory to avoid exploitation, does not prevent the attack because Flash is not compiled with a specific switch ASLR requires.