NULL pointer exploit excites researchers
- 18 April, 2008 08:13
In 1996 it was Aleph One's astounding paper, "Smashing the Stack for fun and Profit" that introduced a generation of Information Security researchers, and eventually the world at large, to the inherent exploitability of buffer overflows and introduced techniques that would form the basis of proving that a vulnerability was exploitable (as well as the basis of any number of exploits themselves).
In 2008 it is Mark Dowd's paper "Application-Specific Attacks: Leveraging the ActionScript Virtual Machine" that looks set to have a similar effect on the field of Information Security. Already the small but growing group of Information Security experts that have had the chance to read and digest the contents of the paper are expressing an excited concern, depending on how they are interpreting the contents of the paper.
If your local expert doesn't seem jumpy or on edge, then it is more than likely that they have not had the chance to read or comprehend the scope of what has been presented in the paper.
While the Flash vulnerability described in the paper has been patched by Adobe it is the presentation of a reliable exploit for NULL pointer [[xref:http://www.owasp.org/index.php/Null-pointer_dereference |dereferencing|new]] that has the researchers who have read the paper excited.
In simple terms a NULL pointer dereference is when a software application tries to access a memory address that has been declared to have the value NULL (a special value that tells software that there is nothing there, as there is a real but critical difference between '', ' ', '0', NULL, or any other number of means of representing nothing). In most cases, the application should stop running and crash whenever a NULL value in memory is accessed by the program, but it has been found that it is possible to force some applications to access and execute arbitrary memory locations whenever a NULL pointer is accessed. The only problem has been that it was considered extremely difficult to achieve, and not so easy to develop a generic approach for. That has now changed, with Dowd effectively providing a framework that could be used to probe for exploitable NULL pointer dereferences across multiple platforms - essentially a generic attack / vulnerability finder for this class of vulnerability.
By effectively opening up this class of vulnerability for much easier investigation and attack (attacking memory flaws is still a difficult job) it is going to lead to a rush to develop tools to automate the process of looking for this type of flaw and correcting or exploiting it depending on the approach of the developer. While it was known that buffer overflows were best avoided prior to Aleph One's paper, it wasn't really until after the paper that people really understood the risks associated with them. This paper is likely to do the same for NULL pointer dereferencing.
If NULL pointers are so dangerous, why do developers continue to use them? There is really nothing better for declaring that there is nothing there and it is a useful initial setting for software variables as it ensures memory is available for when there are real values to be entered into memory by the application.
Aside from the sheer technical brilliance of the whitepaper, what has many amazed is how Mark utilises a number of innovative steps to force Flash to overwrite its own runtime code in memory such that he then controls how code can then access and manipulate the local system, running as both interpreted code and system level instructions inside the same small attack package.
With careful design, what Mark has presented is not far off being cross platform and if it had been used to attack systems rather than demonstrate the vulnerability that had been patched, then it could have been one of the most dangerous pieces of code since the Morris Worm. By publicly sharing what he has discovered, Mark is encouraging greater awareness of this particular vulnerability class and research into its risks.
Mark politely declined to be interviewed for this article, citing terms of his employment, but was pleased to see that information about his discovery was being spread to the widest audience possible.