HITB2012AMS Day 2 – Ghost in the Allocator | Corelan Cybersecurity ResearchCorelan Cybersecurity Research

HITB2012AMS Day 2 – Ghost in the Allocator

Published May 25, 2012 |

Ghost in the Allocator – Abusing the Windows 7 / 8 Low Fragmentation Heap

Rps20120525 160340 957

After introducing himself, Steven Seeley, Senior Penetration Tester and Security Researcher at Stratsec starts his presentation by sharing the talk agenda:

Why target the heap manager
Heap terms
Some Windows 7 theory
WIndows 7 exploitation
Changes introduced in Windows 8 Heap
Windows 8 possible exploitation technique

Steven explains that he wanted to do a talk on the heap manager because it’s often used in mature apps, and knowledge is not widespread (yet). People like Halvar, Ben, Nico, Brett, Chris (and many others) made it cool :)

There’s a couple of heap exploits available (CVE 2012-0003, 2010-3972, 2008-0356, 2005-1009). What they all have in common is that they are quite complex. It’s a challenge to write heap exploits. You’ll have to deal with safe unlinking, base randomization, removal of static pointers, and many more protection systems part of the heap manager today.

The Windows 7 front end allocator (Low Fragmentation Heap) utilizes bins that contains all chunks of a specific size. A “NextOffset” is used to determine the next chunk to be allocated. Each _heap_subsegment_ has its own mgmt structure for that particular bin size. There’s an 8 byte structure for the heap chunk (4 bytes are encoded). It gets activated on 18 consecutive allocations for a particular bin size.

The back end allocator is different:

Steven explains that the LFH heap data structure looks like a heap within a heap, and contains of a chain of arrays and structures, segments, subsegments, and so on.

Windows 7 Heap exploits

Ben Hawkes came up with a good idea to trigger an arbitrary free. Chris Valasek came up with the idea that you can cause an arbitrary allocation on top of an object of structure. Steve added a technique to cause consecutive static allocations. Before going into the details, he explains that the Windows 7 Heap is still deterministic to a certain extent. You still need a variety of primitives to help with exploitation (soft/hard leak of a controlled size), arbitrary writes, the ability to trigger a free of a particular size (to create a hole in the heap), to ability to trigger the heap cache, and so on.

To write an exploit, you’ll have to reverse parts of the application to understand how allocations & frees occur and how you can potentially trigger your own allocations/frees. It requires the detection of object creation and what triggers the creation of these objects. Doing all of that work, Steven says, is by far the hardest work of the exploit writing process.

Steven continues by explaining how the technique discovered by Ben Hawkes works

Rps20120525 162308 956

The next exploiting technique demonstrated is the FreeEntryOffset (Chris Valasek).

Rps20120525 162803 500

Rps20120525 162859 509

Finally, he shares details about a technique he discovered himself, while playing with a double free condition, and trying to get the heap manager to return the same address for consecutive allocations. The advantage of his technique is that you don’t need to set up a hole in the heap or perform large seeding operations. It’s used when you can only allocate objects after a chunk has been overflown. You still need to have the ability to trigger arbitrary allocations of an object/struct and multiple chunks, and you need to find a virtual function call that will gets called later on (to gain control over EIP).

Changes in Windows 8

A first big change is that the UserBlocks datastructure changed, and a bunch of objects were added (including GuardPagePresent etc). LFH still gets triggered on 0x12 consecutive allocations (or 0x11if allocated and freed). The techniques discovered by Chris and Ben no longer work. He continues by explaining some routines related with the busyBitmap and the bitmap index, and highlights some important routines related with allocations and frees. (All details can be found in his slides, don’t worry… )

Possible exploitation under Windows 8

Steven was playing with the concept of 3 null dword writes targeting the UserBlocks header to form an arbitrary allocation, when Chris Valasek mentioned that you potentially can overwrite the entire UserBlocks header. If an application allows to trigger 17 or 18 allocations, you can probably do more allocations. This might help making things more predictable again. We have to avoid to damage certain parts (_lfh_block_zone), but you can overwrite starting from certain UserBlocks.

Chunks may not be deterministic, but subSegments and UserBlocks are. Only after the 2nd UserBlocks, we can overwrite the UserBlocks header. Then you need to be able to trigger arbitrary allocations. To do that, you could target UserBlocks.FirstAllocationOffset, UserBlocks.BlockStride, UserBlocks.BusyBitmap (overwriting the BusyBitmap.Buffer ptr & set it to any ptr that points to a NULL/low value (static & writable).) To reliably reach the UserBlocks header, you need to know the offset/distance, which makes it difficult to achieve at this point (but maybe not impossible). An advantage, if you can pull this off, is that you may not need an info leak.

Rps20120525 165215 161

Rps20120525 165639 415

Great work Steven, keep things coming !

Finally,

this was the last talk I attended at Hack In The Box Amsterdam 2012. I would like to take the opportunity to thank the HITB Crew for having me, everyone I met for being so kind, and YOU, for visiting www.corelan.be and reading this page.

Posted in Cons and Seminars | Tagged 18 allocations, allocator, bin, BlockStride, BusyBitmap, chunk, FirstAllocationOffset, FreeEntryOffset, ghost-in-the-7-allocator, heap, hitb2012ams, lfh, low fragmentation heap, peb, UserBlocks, windows, windows 7, windows 8, _heap_entry, _lfh_block_zone_

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

HITB2012AMS Day 2 – Ghost in the Allocator