[ISN] 'Dangling pointers' more dangerous than thought, says security vendor

From: InfoSec News (alerts@private)
Date: Mon Jul 23 2007 - 22:06:54 PDT


By Jaikumar Vijayan
July 23, 2007 

An issue largely ignored because the security risk was deemed only 
theoretical might soon become a significant and dangerous security risk, 
according to Web application security vendor Watchfire Inc.

The company has developed new proof-of-concept code that it says can use 
what's generally seen as a relatively benign coding flaw -- it's known as 
a dangling pointer -- to launch remote-code execution attacks. A 
dangling pointer, like a buffer-overflow flaw, can exist in a large 
number of software products.

Watchfire, which was recently acquired by IBM, is set to demonstrate its 
attack code running against a vulnerability in Microsoft Corp.'s IIS 5.1 
server software at next week's BlackHat conference in Las Vegas. Dangling 
pointers are used by software programmers, especially in C and C++, to 
point to certain locations in memory where objects -- such as a string 
or a number or an array -- may exist, said Danny Allan, director of 
security research at Watchfire.

"When you are writing code and you create a reference to an object in 
memory, it's a pointer," Allan said. "A pointer knows exactly where in 
memory a specific piece of information is stored."

A dangling pointer condition can arise if that object in memory is 
somehow destroyed or overwritten while the pointer itself is allowed to 
exist in the code. "If that piece of memory has been erased, and the 
pointer doesn't know it has been erased, then you have a dangling 
pointer," Allan said, noting that such dangling pointers can cause 
systems to become unstable or crash.
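As an added illustration (not Watchfire's code and not the IIS flaw), the C below shows the condition Allan describes, an object destroyed while a pointer to it survives, next to a tiny quarantine allocator of the kind Valgrind-style checkers use to recognise a stale access, and the defensive habit of clearing the owner's pointer at free time. `q_alloc`, `q_free`, `q_is_live`, `struct session` and `session_destroy` are all assumed names for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not Watchfire's code. A tiny quarantine allocator: freed
 * blocks are poisoned and kept out of reuse so a stale pointer can be
 * recognised, which is roughly what Valgrind-style checkers do. */
#define LIVE_MAGIC 0xA11CE5EDu
#define DEAD_MAGIC 0xDEADDEADu
struct hdr { uint32_t magic, len; };          /* 8 bytes keeps data aligned */

void *q_alloc(uint32_t n) {                   /* malloc with a liveness tag */
    struct hdr *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->magic = LIVE_MAGIC; h->len = n;
    return h + 1;
}

void q_free(void *p) {                        /* mark dead, poison, quarantine */
    if (!p) return;
    struct hdr *h = (struct hdr *)p - 1;
    h->magic = DEAD_MAGIC;
    memset(p, 0xDD, h->len);                  /* deliberately not returned to malloc */
}

int q_is_live(const void *p) {                /* 1 = live, 0 = NULL or dangling */
    return p && ((const struct hdr *)p - 1)->magic == LIVE_MAGIC;
}
struct session { char user[16]; };            /* hypothetical object */

/* The condition Allan describes: the object is destroyed while a pointer to
 * it survives. Returns 1 if the check caught the stale pointer before use. */
int stale_pointer_caught(void) {
    struct session *s = q_alloc(sizeof *s);
    if (!s) return -1;
    strcpy(s->user, "alice");
    q_free(s);                                /* s now dangles */
    if (!q_is_live(s)) return 1;              /* caught: s->user is not read */
    return 0;                                 /* would have read freed memory */
}

/* Hardened habit: destroy through a pointer-to-pointer so the caller's copy is
 * cleared at free time and later code sees NULL, not a stale address. */
void session_destroy(struct session **sp) { q_free(*sp); *sp = NULL; }

int hardened_flow(void) {
    struct session *s = q_alloc(sizeof *s);
    if (!s) return -1;
    strcpy(s->user, "alice");
    session_destroy(&s);
    return s == NULL;                         /* 1: nothing dangles */
}
```

The quarantine leaks by design; a real checker recycles quarantined blocks after a delay, which is the trade-off that makes dangling pointers detectable rather than silently reused.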

Though the issue is well understood, dangling pointers for the most part 
have been considered more a software quality issue than a security risk, 
Allan said. One reason is that dangling pointers have been considered 
difficult to exploit, he said. It is one of the reasons why the flaw in 
Microsoft's IIS 5.1 software exploited by Watchfire -- even though it 
was reported in 2005 -- was not patched until Watchfire demonstrated its 
proof-of-concept code, he said.

To exploit the issue, hackers would need to be able to alter the pointer 
and make it point to some other location in memory where they have 
introduced malicious code, Allan said. Or they would need to overwrite 
the memory location to which the pointer is pointing with malicious 
code, he said.

Both approaches are extremely challenging but can be done, Allan said, 
pointing to the code that Watchfire plans to demonstrate next week. It 
takes advantage of a now-patched remotely exploitable dangling pointer 
flaw in Microsoft's IIS 5.1 server software. The demonstration will 
involve Watchfire running its own code on a vulnerable IIS server. 
Though the payload in the demonstration is innocuous, attackers would be 
able to run code of their choice on a vulnerable system using a similar 
exploit, he said.

"We have the ability to run anything we want on that machine. I have root 
access to the box to do whatever I like," he said.

Watchfire's remotely exploitable attack code shows how dangling pointers 
can be every bit as dangerous as buffer overflows, Allan said. In 
addition, the flaw can be almost as ubiquitous as buffer overflows, 
Allan said. "We know that dangling pointers are very common, but there 
are no statistics on [them] in vulnerability databases maintained by 
organizations such as CERT because they are not considered a security 
issue," he said.

There are several tools available, including Valgrind and Mudflap, that 
can find application memory problems such as dangling pointers, he 
