Heap spraying explained

In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The part of the source code of an exploit that implements this technique is called a heap spray.[1] In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process's heap and fill the bytes in these blocks with the right values.

Operation

A heap spray does not actually exploit any security issues but it can be used to make a vulnerability easier to exploit. A heap spray by itself cannot be used to break any security boundaries: a separate security issue is needed.

Exploiting security issues is often hard because various factors can influence this process. Chance alignments of memory and timing introduce a lot of randomness (from the attacker's point of view). A heap spray can be used to introduce a large amount of order to compensate for this and increase the chances of successful exploitation. Heap sprays take advantage of the fact that on most architectures and operating systems, the start location of large heap allocations is predictable and consecutive allocations are roughly sequential. This means that the sprayed heap will roughly be in the same location each and every time the heap spray is run.

Exploits often use specific bytes to spray the heap, as the data stored on the heap serves multiple roles. During exploitation of a security issue, the application code can often be made to read an address from an arbitrary location in memory. This address is then used by the code as the address of a function to execute. If the exploit can force the application to read this address from the sprayed heap, it can control the flow of execution when the code uses that address as a function pointer and redirects it to the sprayed heap. If the exploit succeeds in redirecting control flow to the sprayed heap, the bytes there will be executed, allowing the exploit to perform whatever actions the attacker wants. Therefore, the bytes on the heap are restricted to represent valid addresses within the heap spray itself, holding valid instructions for the target architecture, so the application will not crash. It is therefore common to spray with a single byte that translates to both a valid address and a NOP or NOP-like instruction on the target architecture. This allows the heap spray to function as a very large NOP sled (for example, 0x0c0c0c0c is often used as non-canonical NOP[2])

History

Heap sprays have been used occasionally in exploits since at least 2001,[3] [4] but the technique started to see widespread use in exploits for web browsers in the summer of 2005 after the release of several such exploits which used the technique against a wide range of bugs in Internet Explorer.[5] [6] [7] [8] [9] The heap sprays used in all these exploits were very similar, which showed the versatility of the technique and its ease of use, without need for major modifications between exploits. It proved simple enough to understand and use to allow novice hackers to quickly write reliable exploits for many types of vulnerabilities in web browsers and web browser plug-ins. Many web browser exploits that use heap spraying consist only of a heap spray that is copy-pasted from a previous exploit combined with a small piece of script or HTML that triggers the vulnerability.

Implementation

JavaScript

Heap sprays for web browsers are commonly implemented in JavaScript and spray the heap by creating large strings. The most common technique used is to start with a string of one character and concatenate it with itself over and over. This way, the length of the string can grow exponentially up to the maximum length allowed by the scripting engine. Depending on how the browser implements strings, either ASCII or Unicode characters can be used in the string. The heap spraying code makes copies of the long string with shellcode and stores these in an array, up to the point where enough memory has been sprayed to ensure the exploit works.

VBScript

Occasionally, VBScript is used in Internet Explorer to create strings by using the String function.

ActionScript

In July 2009, exploits were found to be using ActionScript to spray the heap in Adobe Flash.[10] [11]

Images

Though it has been proven that heap-spraying can be done through other means, for instance by loading image files into the process,[12] this has not seen widespread use (as of August 2008).

HTML5

In September 2012, a new technique was presented on EuSecWest 2012.[13] Two CORE researchers, Federico Muttis and Anibal Sacco, showed that the heap can be sprayed with a very high allocation granularity through the use of technologies introduced with HTML5. Specifically, they used the low-level bitmap interface offered by the canvas API, and web workers to do it more quickly.

Detection and prevention

See also

Notes and References

  1. Web site: Youtube title: Heap Spray Exploit Technique. John Hays, Security Training Engineer. September 2, 2016. Palo Alto Networks Live Community. November 14, 2018. from official "Palo Alto Networks Live Community" YouTube channel was titled "Heap Spray Exploit Technique".
  2. Web site: Exploit writing tutorial part 11 : Heap Spraying Demystified. corelanc0d3r. December 31, 2011. Corelan Team. 15 January 2014. https://web.archive.org/web/20150425014200/https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/#0x0c0c0c0c. 25 April 2015. dead.
  3. http://seclists.org/bugtraq/2001/Jul/533 "cami": telnetd exploit code
  4. https://web.archive.org/web/20061014043509/http://research.eeye.com:80/html/advisories/published/AD20010618.html eEye Digital Security – Research
  5. http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/advisory_iframe.html.php InternetExploiter 1: MSIE IFRAME src&name parameter BoF exploit
  6. http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/details_msie_ani.html.php InternetExploiter 3: MSIE .ANI file "anih" header BoF exploit
  7. http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/advisory_msie_R6025.html.php InternetExploiter 2: MSIE DHTML Object handling race condition exploit
  8. Web site: FrSIRT - Microsoft Internet Explorer javaprxy.dll COM Object Vulnerability / Exploit (Security Advisories) . 2008-03-25 . https://web.archive.org/web/20080327215920/http://www.frsirt.com/english/advisories/2005/0935 . 2008-03-27 . dead .
  9. Web site: FrSIRT - Microsoft Internet Explorer "Msdds.dll" Remote Code Execution / Exploit (Security Advisories) . 2008-03-25 . https://web.archive.org/web/20071219141218/http://www.frsirt.com/english/advisories/2005/1450 . 2007-12-19 . dead .
  10. http://roeehay.blogspot.com/2009/08/exploitation-of-cve-2009-1869.html Roee Hay: Exploitation of CVE-2009-1869
  11. Web site: FireEye Malware Intelligence Lab: Heap Spraying with Actionscript . 2014-04-22 . https://web.archive.org/web/20140501235406/http://www.fireeye.com/blog/technical/cyber-exploits/2009/07/actionscript_heap_spray.html . 2014-05-01 . dead .
  12. https://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Sutton Michael Sutton & Greg MacManus, Punk Ode—Hiding Shellcode in Plain Sight, Black Hat 2006
  13. http://exploiting.wordpress.com/2012/10/03/html5-heap-spray-eusecwest-2012/ HTML5 Heap Spray. EUSecWest 2012
  14. http://research.microsoft.com/en-us/projects/nozzle/ Nozzle project from Microsoft Research aims to detect and prevent heap spraying
  15. https://lirias.kuleuven.be/bitstream/123456789/265421/1/fulltext.pdf BuBBle: A Javascript Engine Level Countermeasure against Heap-Spraying Attacks