New hacking technique exploits common programming error

By Dennis Fisher, Executive Editor 23 Jul 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Researchers at Watchfire Inc. say they have discovered a reliable method for exploiting a common programming error, which until now had been considered simply a quality problem and not a security vulnerability.

This is a bit of a Pandora's box and once we open it, it will be just the tip of the iceberg. Danny Allan, security researcher, Watchfire Inc.

Jonathan Afek and Adi Sharabani of Watchfire stumbled upon the method for remotely exploiting dangling pointers by chance while they were running the company's AppScan software against a Web server. The server crashed in the middle of the scan and after some investigation, the pair found that a dangling pointer had been the culprit. This wasn't a surprising result, given that these coding errors are well-known for causing crashes at odd times. But after some further experimentation, Afek and Sharabani found that they could cause the crash intentionally by sending a specially crafted URL to the server and began looking for a way to run their own code on the target machine.

Afek, a senior security researcher at Watchfire, will give a presentation on the technique at the Black Hat Briefings in Las Vegas in August.

Dangling pointers are errors in software code that fail to refer to a valid object. Often the object that was referenced was deleted without changing the value of the pointer.

Dangling pointers are quite common, but security experts and developers have said for years that there is no practical way to exploit them, so they've been considered quality-assurance problems and not security flaws.

But now that has changed.

"The common thought is that this kind of problem isn't exploitable. But we looked at this and thought, wouldn't it be neat if we could implement our own code on this server?" said Danny Allan, research director at Watchfire, based in Waltham, Mass. "The problem before was, you had to override the exact location that the pointer was pointing to. It was considered impossible. But we discovered a way to do this with generic dangling pointers and run our own shell code."

Afek and Sharabani's discovery is a major step forward and a scary one at that, given the ubiquity of this kind of coding error. The researchers initially were able to exploit the problem on Microsoft Corp.'s IIS 5.1, but Allan said that the technique works on any application in which there is a dangling pointer. Microsoft, of Redmond, Wash., addressed the problem in IIS with one of the July security bulletins, MS07-041 .

"The outcome is much like a buffer overflow. It's very severe," Allan said. "This is a bit of a Pandora's box and once we open it, it will be just the tip of the iceberg. This is a very prevalent problem, especially in low-level languages. A lot of times you might not know there's a dangling pointer."

Thomas Ptacek, of New York-based Matasano Security, said that although he has not seen Watchfire's research results, they sound credible and could be an important advance.

"If it's a new way to reliably exploit this, it's an important step because it's not just one vulnerability, it's a new class of bugs," Ptacek said. "Right now we're at a place where people don't take dangling pointers very seriously, but a lot of us have just been waiting for someone to come up with a reliable way to do this."

Dangling pointers are an especially scary problem for C++ programmers, Ptacek said.

When Watchfire first alerted Microsoft's security response team to what Afek and Sharabani had found, they were met with skepticism, and understandably so, Allan said. The company had known since 2005 about the IIS bug that caused the crash, but it was considered a simple denial-of-service problem and not remotely exploitable.

"This used to be theoretical and academic. But once we gave them the proof-of-concept code, they were very concerned," Allan said. "They were very interested in the research behind it."

Allan pointed out that Java-based applications are not vulnerable to this exploit because the language has a built-in mechanism for deallocating memory.

Tags: Emerging Information Security Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Emerging Information Security Threats Modern malware, stealthy botnets, adapt quickly, expert says New ransomware Trojan pushes victims to buy software Bruce Schneier on outsourcing, awareness training US-CERT warns of BlackBerry snooping software Marcus Ranum on cyberwarfare, infosec careers Researchers find thousands of flawed embedded devices Enterprise botnets contain thousands of malware variants Nuke and pave to eradicate botnets Rand study urges caution on cyberwarfare attacks Hathaway joins Harvard to contribute to DOD project

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DNS rebinding attack  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) man in the browser  (SearchSecurity.com) phlashing  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) pulsing zombie  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary