BaSs_HaXoR

Engineering Heap Overflow Exploits with JavaScript

Mar 6th, 2016
Link: https://securityevaluators.com/knowledge/papers/engineeringheapoverflow.pdf

---------------------------------------------------------------------------------
This paper presents a new technique for exploiting heap overflows in JavaScript interpreters. Briefly, given a heap overflow, JavaScript commands can be used to ensure that a function pointer is reliably present for smashing, just after the overflown buffer. A case study serves to highlight the technique: the Safari exploit that the authors used to win the 2008 CanSecWest Pwn2Own contest.

1 Introduction

Many buffer and integer overflow vulnerabilities allow for a somewhat arbitrary set of values to be written at a relative offset to a pointer on the heap. Unfortunately for the attacker, the data following the pointer is often unpredictable, making exploitation difficult and unreliable. Even the ideal heap overflow, in terms of full attacker control over the quantity and values of overflow bytes, can be virtually unexploitable if nothing interesting and predictable is waiting to be overwritten.

Thanks to safe unlinking protections, the heap metadata structures are often no longer a viable target for overflows. Currently, application-specific data is usually needed as an overflow target, where normal program flow results in the calling of a function pointer that has been overwritten with an attacker-supplied shellcode address. However, such exploits are in no way guaranteed to be reliable. It must be the case that pointers yet to be accessed are sitting on the heap after the overflown buffer, and that no other critical data or unmapped memory lies in between, the smashing of which would result in a premature crash. Such ideal circumstances can certainly be rare for an arbitrary application vulnerability.

However, given access to a client-side scripting language such as JavaScript, an attacker may be able to create these ideal circumstances for vulnerabilities in applications like web browsers. In [2], Sotirov describes how to use JavaScript allocations in Internet Explorer to allow for attacker control over the target heap. In this paper we describe a new technique, inspired by his Heap Feng Shui, that can be used to reliably position function pointers for later smashing with a heap overflow.

This paper contains a description of the technique followed by an account of its application to a WebKit vulnerability discovered by the authors and used to win the 2008 CanSecWest Pwn2Own contest.
---------------------------------------------------------------------------------
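The introduction leans on "safe unlinking" to explain why heap metadata stopped being the natural overflow target. The following added illustration (not code from the paper or from any real allocator) models a free-list chunk with fd/bk links and shows the integrity check an allocator performs before unlinking: a chunk whose neighbours no longer point back at it is refused, so an overwrite of the link pointers is caught instead of becoming a write through attacker-chosen addresses. The struct, `unlink_safe` and `try_unlink` are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Minimal doubly-linked free-list node, loosely modelled on the
 * metadata a heap allocator stores inside a free chunk. Constructed
 * for this illustration; not the layout of any particular allocator. */
typedef struct chunk {
    struct chunk *fd;  /* next free chunk */
    struct chunk *bk;  /* previous free chunk */
} chunk;

/* Safe unlinking: before writing through p->fd and p->bk, verify that
 * both neighbours still point back at p. Without this check the two
 * stores below land wherever fd/bk point, which is exactly the
 * primitive an overflow into chunk metadata used to provide.
 * Returns false, writing nothing, if the list looks corrupted. */
static bool unlink_safe(chunk *p) {
    if (p->fd->bk != p || p->bk->fd != p)
        return false;          /* corrupted metadata: refuse to unlink */
    p->fd->bk = p->bk;
    p->bk->fd = p->fd;
    return true;
}

/* Build the circular list head <-> a <-> b <-> head, optionally
 * simulate an overflow that overwrote a's forward pointer with a
 * constructed bogus address, then attempt to unlink a.
 * Returns whether the allocator accepted the unlink. */
bool try_unlink(bool corrupt) {
    static chunk head, a, b, bogus;
    head.fd = &a;   a.bk = &head;
    a.fd = &b;      b.bk = &a;
    b.fd = &head;   head.bk = &b;
    bogus.fd = bogus.bk = &bogus;
    if (corrupt)
        a.fd = &bogus;  /* constructed corruption of a->fd */
    return unlink_safe(&a);
}

/* After a successful unlink of a, head must link straight to b. */
bool list_skips_a_after_unlink(void) {
    static chunk head, a, b;
    head.fd = &a;   a.bk = &head;
    a.fd = &b;      b.bk = &a;
    b.fd = &head;   head.bk = &b;
    return unlink_safe(&a) && head.fd == &b && b.bk == &head;
}
```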