
New hacking technique exploits common NULL programming error

A researcher has discovered a new hacking technique that exploits a programming vulnerability common in many applications.

A new generic method for exploiting a common problem in software code that was previously thought to be prohibitively difficult to attack is generating a wave of concern and surprise in the security community.


The new method is the work of Mark Dowd, a researcher on IBM ISS's X-Force team, and it can be used to reliably exploit NULL pointer dereferences, a very common condition in many applications.

The condition occurs when an application dereferences a pointer that holds NULL, typically because a memory allocation failed and returned NULL instead of a valid address. Programs typically crash when this happens, but Dowd has found a way to exploit the condition whenever the application forgets to check whether the memory allocation failed; his technique is specifically designed for Flash, but is also possible in other applications. The attacker then has the ability to control where in memory the application writes to, within some specific constraints.
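The bug class the article describes is easiest to see in a few lines of C. The following is an added illustration, not code from the article, from Dowd's paper or from Flash: a hypothetical record type (`record_hdr_t`), an allocator wrapper (`maybe_malloc`) whose failure can be forced to stand in for an out-of-memory condition, a function that reproduces the unchecked-allocation pattern, and its hardened counterpart. The vulnerable variant computes and returns the address it would have written to instead of writing through it, so the example runs without crashing; the point is that when the allocation fails, that address is NULL plus a header offset plus a caller-chosen index, which is exactly the "control where the application writes, within constraints" situation the paragraph describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed record layout for the example: a fixed header followed
 * immediately by payload_len bytes of caller-sized payload. */
typedef struct {
    uint32_t magic;
    uint32_t payload_len;
} record_hdr_t;

/* Allocator wrapper whose failure can be forced, standing in for a real
 * out-of-memory condition such as an attacker-chosen oversized request. */
static void *maybe_malloc(size_t n, int force_fail) {
    return force_fail ? NULL : malloc(n);
}

/* Vulnerable pattern: the allocation result is used without a NULL check.
 * If malloc returned NULL, the header fields would be written to absolute
 * addresses 0 and 4, and the payload byte to NULL + sizeof(header) + index,
 * an address the caller of this function influences through `index`.
 * To keep the example runnable, the destination address is computed and
 * returned rather than written through. */
uintptr_t vulnerable_write_target(size_t payload_len, size_t index, int force_fail) {
    record_hdr_t *r = maybe_malloc(sizeof(record_hdr_t) + payload_len, force_fail);
    uintptr_t base = (uintptr_t)r;            /* 0 when the allocation failed */
    uintptr_t dest = base + sizeof(record_hdr_t) + index;
    free(r);                                  /* free(NULL) is a no-op */
    return dest;
}

/* Hardened pattern: fail closed on allocation failure and bounds-check the
 * index before writing. Returns -1 if the store was refused, otherwise the
 * stored byte read back from the record (0..255). */
int hardened_store(size_t payload_len, size_t index, uint8_t value, int force_fail) {
    if (payload_len > SIZE_MAX - sizeof(record_hdr_t))
        return -1;                            /* size_t overflow guard */
    record_hdr_t *r = maybe_malloc(sizeof(record_hdr_t) + payload_len, force_fail);
    if (r == NULL)
        return -1;                            /* the check the vulnerable code omits */
    if (index >= payload_len) {
        free(r);
        return -1;                            /* out-of-bounds index */
    }
    uint8_t *payload = (uint8_t *)(r + 1);    /* payload starts right after the header */
    r->magic = 0x5245434Fu;
    r->payload_len = (uint32_t)payload_len;
    payload[index] = value;
    int readback = payload[index];
    free(r);
    return readback;
}

int main(void) {
    /* With the allocation forced to fail, the unchecked code would write to a
     * small absolute address derived from NULL plus the caller's index. */
    printf("unchecked write target on failure: %#lx\n",
           (unsigned long)vulnerable_write_target(64, 0x10, 1));
    printf("hardened store on failure: %d\n", hardened_store(64, 0x10, 0x41, 1));
    printf("hardened store on success: %d\n", hardened_store(64, 0x10, 0x41, 0));
    return 0;
}
```

The defensive takeaway is the two-line difference between the functions: every allocation result is checked before use, and every caller-supplied index is checked against the size that was actually allocated. On platforms where the low pages of the address space can be mapped, the unchecked pattern is what turns a crash into something worse, which is why the allocation-failure check belongs in code review checklists and static-analysis rules rather than being treated as optional hygiene.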

And while the ability to reliably exploit these conditions is a major advance, researchers say, the other important aspect of Dowd's work is that it puts the lie to the belief that high-level programming languages such as Java, JavaScript, C# and others are not vulnerable to memory corruption. Flash, where Dowd tested his exploit, is written in ActionScript, a scripting language based on JavaScript. It has been commonly thought that, in general, only low-level languages such as C are vulnerable to memory-corruption attacks. That no longer seems to be the case.


"People have assumed that these high-level languages weren't vulnerable to memory corruption because they don't work directly with memory. What Mark did that's even creepier than the NULL pointer thing is he found a way to make them vulnerable to memory corruption," said Thomas Ptacek, a principal at Matasano Security, who wrote a long explanation of Dowd's paper recently. "So when you think about it, that means that the status of high-level languages as safe is no longer true."

Ptacek points out that many of today's applications, from Web browsers to server platforms, are written using a combination of these languages, and JavaScript is especially prominent in Web applications. So the ability to exploit these common conditions in the myriad high-level languages floating around today is a significant advance.

"NULL pointers have been one of the holy grails because you see them all the time," Ptacek said. "Writing the exploit is very difficult. But writing the second one is difficult, and writing the third one it starts to get easier. What Mark did is go ten steps beyond where any other vulnerability researcher would have stopped. It's amazing. And it's a much bigger deal because nothing is written in C anymore, so finding that these high-level languages are vulnerable is huge."

Dowd's paper, published earlier this month, deals specifically with a recent flaw that IBM ISS discovered in the Flash player. In it, he shows how an attacker could use the NULL pointer issue to compromise a machine, and says that the attack should work on both Firefox and Internet Explorer. He also adds that the ASLR feature in Windows Vista, which provides binaries with a random address in memory to avoid exploitation, does not prevent the attack because Flash is not compiled with a specific switch ASLR requires.
