http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9027658

By Jaikumar Vijayan
July 23, 2007
Computerworld

An issue largely ignored because the security risk was deemed only theoretical might soon become a significant and dangerous security risk, according to Web application security vendor Watchfire Inc.

The company has developed new proof-of-concept code that it says can use what's generally seen as a relatively benign coding flaw -- it's known as a dangling pointer -- to launch remote-code execution attacks. A dangling pointer, like a buffer-overflow flaw, can exist in a large number of software products.

Watchfire, which was recently acquired by IBM, is set to demonstrate its attack code running against a vulnerability in Microsoft Corp.'s IIS 5.1 server software at next week's Black Hat conference in Las Vegas.

Dangling pointers are used by software programmers, especially in C and C++, to point to certain locations in memory where objects -- such as a string or a number or an array -- may exist, said Danny Allan, director of security research at Watchfire.

"When you are writing code and you create a reference to an object in memory, it's a pointer," Allan said. "A pointer knows exactly where in memory a specific piece of information is stored."

A dangling pointer condition can arise if that object in memory is somehow destroyed or overwritten while the pointer itself is allowed to exist in the code.

"If that piece of memory has been erased, and the pointer doesn't know it has been erased, then you have a dangling pointer," Allan said, noting that such dangling pointers can cause systems to become unstable or crash.

Though the issue is well understood, dangling pointers for the most part have been considered more a software quality issue than a security risk, Allan said. One reason is that dangling pointers have been considered difficult to exploit, he said.
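The condition Allan describes, shown as an added C example that is not from the article or from Watchfire: a release routine that frees the object but leaves the caller's pointer dangling, beside one that clears the caller's pointer so a later use is refused instead of reading freed memory. The `session` structure and the function names are assumptions for illustration; the article names Valgrind and Mudflap as tools that catch such errors, and AddressSanitizer (`-fsanitize=address`) reports the unsafe path as well.

```c
/* Added example, not from the article or Watchfire; names are hypothetical.
 * Build with -fsanitize=address or run under Valgrind to flag the unsafe path. */
#include <stdio.h>
#include <stdlib.h>
struct session {
    char user[32];
    int privileged;
};
struct session *session_new(const char *user, int privileged)
{
    struct session *p = calloc(1, sizeof(*p));
    if (p == NULL) return NULL;
    snprintf(p->user, sizeof(p->user), "%s", user);
    p->privileged = privileged;
    return p;
}

/* UNSAFE: frees the object but leaves the caller's copy of the pointer intact,
 * so the caller now holds a dangling pointer. Any later read of p->privileged
 * is a use-after-free and yields whatever now occupies that memory. */
void session_release_unsafe(struct session *p)
{
    free(p);
}

/* SAFE: take the address of the caller's pointer and clear it on release,
 * so no dangling reference survives in the caller's scope. */
void session_release(struct session **pp)
{
    if (pp == NULL || *pp == NULL) return;
    free(*pp);
    *pp = NULL;
}

/* Returns the privilege flag, or -1 if the handle was already released. */
int session_is_privileged(const struct session *p)
{
    return p == NULL ? -1 : p->privileged;
}

/* Exercises the safe path; returns 0 when the released handle is refused. */
int demo_safe_release(void)
{
    struct session *s = session_new("alice", 0);
    if (s == NULL) return -1;
    int before = session_is_privileged(s);
    session_release(&s);                  /* s is NULL from here on */
    return (before == 0 && session_is_privileged(s) == -1) ? 0 : -2;
}
```

A static analyzer or code review can enforce the same rule by flagging any `free()` whose argument is not immediately set to NULL in the scope that owns it.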
It is one of the reasons why the flaw in Microsoft's IIS 5.1 software exploited by Watchfire -- even though it was reported in 2005 -- was not patched until Watchfire demonstrated its proof of code, he said.

To exploit the issue, hackers would need to be able to alter the pointer and make it point to some other location in memory where they have introduced malicious code, Allan said. Or they would need to overwrite the memory location to which the pointer is pointing with malicious code, he said.

Both approaches are extremely challenging but can be done, Allan said, pointing to the code that Watchfire plans to demonstrate next week. It takes advantage of a now-patched remotely exploitable dangling pointer flaw in Microsoft's IIS 5.1 server software.

The demonstration will involve Watchfire running its own code on a vulnerable IIS server. Though the payload in the demonstration is innocuous, attackers would be able to run code of their choice on a vulnerable system using a similar exploit, he said.

"We have the ability to run anything we want on that machine. I have root access to the box to do whatever I like," he said.

Watchfire's remotely exploitable attack code shows how dangling pointers can be every bit as dangerous as buffer overflows, Allan said. In addition, the flaw can be almost as ubiquitous as buffer overflows, Allan said.

"We know that dangling pointers are very common, but there are no statistics on [them] in vulnerability databases maintained by organizations such as CERT because they are not considered a security issue," he said.

There are several tools available, including Valgrind and Mudflap, that can find application memory problems such as dangling pointers, he added.

_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting. Rates increase on June 1 so register today. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Mon Jul 23 2007 - 22:20:02 PDT