Nytro Posted November 10, 2013 Report Share Posted November 10, 2013 INTERPRETER EXPLOITATION: POINTER INFERENCE AND JITSPRAYINGABSTRACTAs remote exploits have dwindled and perimeter defenses have become the standard, remote client-side attacksare the next best choice for an attacker. Modern Windows operating systems have quelled the explosion of clientsidevulnerabilities using mitigation techniques such as data execution prevention (DEP) and address space layoutrandomization (ASLR). This work will illustrate two novel techniques to bypass DEP and ASLR mitigations. Thesetechniques leverage the attack surface exposed by the advanced script interpreters or virtual machines commonlyaccessible within the browser. The first technique, pointer inference, is used to find the memory address of a stringof shellcode within the ActionScript interpreter despite ASLR. The second technique, JIT spraying, is used to writeshellcode to executable memory by leveraging predictable behaviors of the ActionScript JIT compiler bypassingDEP. Future research directions and countermeasures for interpreter implementers are discussed.INTRODUCTIONThe difficulty in finding and exploiting a remote vulnerability has motivated attackers to devote their resources tofinding and exploiting client side vulnerabilities. This influx of different client side attackers has pushed Microsoftto implement robust mitigation techniques to make exploiting these vulnerabilities much harder. Sotirov and Dowd[1] have described in detail each of the mitigation techniques and their default configurations on versions ofWindows through Windows 7 RC. Their work shows some of the techniques available to bypass these protectionsand how the design choices made by Microsoft has influenced the details of these bypasses. One thing that standsout throughout this paper is how ripe a target the browser is for exploitation – the attacker can use multiple plugins,picking and choosing specific exploitable features, to set-up a reliable exploit scenario.The classic web browser, bursting at the seams with plug-ins, could not have been designed with more exploitationpotential. It requires a robust parser to parse and attempt to salvage 6 versions of mark-up. With the advent of“Web 2.0”, a browser must now include a high performance scripting environment with the ability to rewrite thoseparsed pages dynamically. The library exposed to the scripting runtime continues to grow. Additionally, mostbrowsers are now taking advantage of recent JIT and garbage collection techniques to speed up Javascriptexecution. All this attack surface and we haven’t begun to discuss the plug-ins commonly installed.Rich internet applications (RIAs) are not going away and Adobe currently maintains a hold over the marketDownload:http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf Quote Link to comment Share on other sites More sharing options...
