3,756 views
HITB2012AMS Day 2 – Ghost in the Allocator
Ghost in the Allocator – Abusing the Windows 7 / 8 Low Fragmentation Heap
After introducing himself, Steven Seeley, Senior Penetration Tester and Security Researcher at Stratsec starts his presentation by sharing the talk agenda:
- Why target the heap manager
- Heap terms
- Some Windows 7 theory
- WIndows 7 exploitation
- Changes introduced in Windows 8 Heap
- Windows 8 possible exploitation technique
Windows 7 Heap exploits
Ben Hawkes came up with a good idea to trigger an arbitrary free. Chris Valasek came up with the idea that you can cause an arbitrary allocation on top of an object of structure. Steve added a technique to cause consecutive static allocations. Before going into the details, he explains that the Windows 7 Heap is still deterministic to a certain extent. You still need a variety of primitives to help with exploitation (soft/hard leak of a controlled size), arbitrary writes, the ability to trigger a free of a particular size (to create a hole in the heap), to ability to trigger the heap cache, and so on.
To write an exploit, you’ll have to reverse parts of the application to understand how allocations & frees occur and how you can potentially trigger your own allocations/frees. It requires the detection of object creation and what triggers the creation of these objects. Doing all of that work, Steven says, is by far the hardest work of the exploit writing process.
Steven continues by explaining how the technique discovered by Ben Hawkes works
The next exploiting technique demonstrated is the FreeEntryOffset (Chris Valasek).
Finally, he shares details about a technique he discovered himself, while playing with a double free condition, and trying to get the heap manager to return the same address for consecutive allocations. The advantage of his technique is that you don’t need to set up a hole in the heap or perform large seeding operations. It’s used when you can only allocate objects after a chunk has been overflown. You still need to have the ability to trigger arbitrary allocations of an object/struct and multiple chunks, and you need to find a virtual function call that will gets called later on (to gain control over EIP).
Changes in Windows 8
A first big change is that the UserBlocks datastructure changed, and a bunch of objects were added (including GuardPagePresent etc). LFH still gets triggered on 0x12 consecutive allocations (or 0x11if allocated and freed). The techniques discovered by Chris and Ben no longer work. He continues by explaining some routines related with the busyBitmap and the bitmap index, and highlights some important routines related with allocations and frees. (All details can be found in his slides, don’t worry… )
Possible exploitation under Windows 8
Steven was playing with the concept of 3 null dword writes targeting the UserBlocks header to form an arbitrary allocation, when Chris Valasek mentioned that you potentially can overwrite the entire UserBlocks header. If an application allows to trigger 17 or 18 allocations, you can probably do more allocations. This might help making things more predictable again. We have to avoid to damage certain parts (_lfh_block_zone), but you can overwrite starting from certain UserBlocks.
Chunks may not be deterministic, but subSegments and UserBlocks are. Only after the 2nd UserBlocks, we can overwrite the UserBlocks header. Then you need to be able to trigger arbitrary allocations. To do that, you could target UserBlocks.FirstAllocationOffset, UserBlocks.BlockStride, UserBlocks.BusyBitmap (overwriting the BusyBitmap.Buffer ptr & set it to any ptr that points to a NULL/low value (static & writable).) To reliably reach the UserBlocks header, you need to know the offset/distance, which makes it difficult to achieve at this point (but maybe not impossible). An advantage, if you can pull this off, is that you may not need an info leak.
Great work Steven, keep things coming !
Finally,
this was the last talk I attended at Hack In The Box Amsterdam 2012. I would like to take the opportunity to thank the HITB Crew for having me, everyone I met for being so kind, and YOU, for visiting www.corelan.be and reading this page.
© 2012, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.