By Jaikumar Vijayan
July 23, 2007
An issue largely ignored because the security risk was deemed only
theoretical might soon become a significant and dangerous security risk,
according to Web application security vendor Watchfire Inc.
The company has developed new proof-of-concept code that it says can use
whats generally seen as a relatively benign coding flaw -- it's known as
a dangling pointer -- to launch remote-code execution attacks. A
dangling pointer, like a buffer-overflow flaw, can exist in a large
number of software products.
Watchfire, which was recently acquired by IBM, is set to demonstrate its
attack code running against a vulnerability in Microsoft Corp.s IIS 5.1
server software at next weeks BlackHat conference in Las Vegas. Dangling
pointers are used by software programmers, especially in C and C++, to
point to certain locations in memory where objects -- such as a string
or a number or an array -- may exist, said Danny Allan, director of
security research at Watchfire.
When you are writing code and you create a reference to an object in
memory, it's a pointer, Allan said, A pointer knows exactly where in
memory a specific piece of information is stored."
A dangling pointer condition can arise if that object in memory is
somehow destroyed or overwritten while the pointer itself is allowed to
exist in the code. If that piece of memory has been erased, and the
pointer doesnt know it has been erased, then you have a dangling
pointer, Allan said, noting that such dangling pointers can cause
systems to become unstable or crash.
Though the issue is well understood, dangling pointers for the most part
have been considered more a software quality issue than a security risk,
Allan said. One reason is that dangling pointers have been considered
difficult to exploit, he said. It is one of the reasons why the flaw in
Microsoft's IIS 5.1 software exploited by Watchfire -- even though it
was reported in 2005 -- was not patched until Watchfire demonstrated its
proof of code, he said.
To exploit the issue, hackers would need to be able to alter the pointer
and make it point to some other location in memory where they have
introduced malicious code, Allan said. Or they would need to overwrite
the memory location to which the pointer is pointing with malicious
code, he said.
Both approaches are extremely challenging but can be done, Allan said,
pointing to the code that Watchfire plans to demonstrate next week. It
takes advantage of a now-patched remotely exploitable dangling pointer
flaw in Microsofts IIS 5.1 server software. The demonstration will
involve Watchfire running its own code on a vulnerable IIS server.
Though the payload in the demonstration is innocuous, attackers would be
able to run code of their choice on a vulnerable system using a similar
exploit, he said.
We have the ability to run anything we want on that machine. I have root
access to the box to do whatever I like, he said.
Watchfires remotely exploitable attack code shows how dangling pointers
can be every bit as dangerous as buffer overflows, Allan said. In
addition, the flaw can be almost as ubiquitous as buffer overflows,
Allan said. We know that dangling pointers are very common, but there
are no statistics on [them] in vulnerability databases maintained by
organizations such as CERT because they are not considered a security
issue, he said.
There are several tools available, including Valgrind and Mudflap, that
can find application memory problems such as dangling pointers, he
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com