Windows heap feature disables exploit protection
Security researchers Chris Valasek and Ryan Smith have shown how they are able to bypass Windows' heap-exploitation mitigation. They presented their findings at the Infiltrate security conference. The technique allowed them to exploit a (since patched) vulnerability in Internet Information Services (IIS) 7 to inject and execute code on the server, showing that Microsoft's initial assessment, that at worst the vulnerability could only crash the server, was wide of the mark.
That is not to say that getting round the heap mitigation is straightforward. Under normal circumstances the heap's integrity checks (safe unlinking of free-list entries and checks on chunk headers) detect metadata that has been modified by a heap overflow and terminate the process to prevent the worst case: execution of malicious code. This is usually reliable, but not where the low-fragmentation heap (LFH) is in use. The LFH is a front-end allocator that became the default in Windows Vista; it is intended to reduce memory fragmentation and improve application performance.
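To make concrete what the back-end check described above does, here is an added example; it is not code from the researchers or from Windows. It is a constructed model of a doubly linked free list with safe unlinking, the consistency check Windows heaps have applied to free-list entries since XP SP2. The chunk layout, the `vulnerable_copy` bug, the fake chunk and the attacker input are all assumptions of the model rather than details of the real ntdll heap.

```c
#include <string.h>
/* Constructed model of the Windows back-end heap free list (an added example,
 * not ntdll code): chunks sit contiguously in one arena and are threaded on a
 * doubly linked list through their headers, so an overflow out of one in-use
 * chunk overwrites the next chunk's FLINK and BLINK. */
#define CHUNK_DATA 32
#define ARENA_CHUNKS 4
#define PAYLOAD_LEN (CHUNK_DATA + 2 * sizeof(struct chunk *))

struct chunk {
    struct chunk *flink;            /* next chunk on the free list */
    struct chunk *blink;            /* previous chunk on the free list */
    unsigned char data[CHUNK_DATA]; /* user payload */
};

static struct chunk arena[ARENA_CHUNKS]; /* the heap's memory */
static struct chunk head;                /* free-list sentinel */

static void heap_init(void)
{
    memset(arena, 0, sizeof arena);
    head.flink = head.blink = &head;
    for (int i = 0; i < ARENA_CHUNKS; i++) { /* free every chunk, in address order */
        struct chunk *c = &arena[i];
        c->blink = head.blink;
        c->flink = &head;
        head.blink->flink = c;
        head.blink = c;
    }
}

/* Safe unlinking: refuse to unlink a chunk whose neighbours do not point back at it.
 * Returns 0 on success, -1 on inconsistent links, where the real heap reports
 * corruption and (with termination-on-corruption enabled) kills the process. */
static int safe_unlink(struct chunk *c)
{
    if (c->flink->blink != c || c->blink->flink != c)
        return -1;
    c->blink->flink = c->flink;
    c->flink->blink = c->blink;
    return 0;
}

/* Unlink with no check: corrupted links become a write-what-where primitive. */
static void unchecked_unlink(struct chunk *c)
{
    c->blink->flink = c->flink;
    c->flink->blink = c->blink;
}

/* Pop the first free chunk; NULL if the list is empty or the chunk fails the check. */
static struct chunk *heap_alloc(void)
{
    struct chunk *c = head.flink;
    if (c == &head || safe_unlink(c) != 0)
        return NULL;
    return c;
}

/* The simulated bug: a copy into a CHUNK_DATA-byte buffer with no length check. */
static void vulnerable_copy(struct chunk *c, const unsigned char *src, size_t n)
{
    memcpy(c->data, src, n);    /* n > CHUNK_DATA spills into the next chunk's header */
}

/* Constructed attacker input: filler bytes, then the neighbour's new FLINK and BLINK. */
static void build_payload(unsigned char *buf, struct chunk *flink, struct chunk *blink)
{
    memset(buf, 'A', CHUNK_DATA);
    memcpy(buf + CHUNK_DATA, &flink, sizeof flink);
    memcpy(buf + CHUNK_DATA + sizeof flink, &blink, sizeof blink);
}

/* Overflow arena[0] so arena[1]'s links point at attacker-filled memory, then
 * allocate again. Returns 1 if safe unlinking refused the corrupt chunk. */
int demo_safe_unlink_detects_overflow(void)
{
    static struct chunk fake;       /* stands in for any memory the attacker controls */
    unsigned char payload[PAYLOAD_LEN];
    heap_init();
    memset(&fake, 'A', sizeof fake);
    struct chunk *c0 = heap_alloc();            /* arena[0]; arena[1] is now first free */
    build_payload(payload, &fake, &fake);
    vulnerable_copy(c0, payload, PAYLOAD_LEN);  /* clobbers arena[1].flink and .blink */
    return heap_alloc() == NULL;                /* fake.blink != &arena[1], so refused */
}

/* The same overflow against the unchecked unlink: BLINK is aimed at a variable of the
 * attacker's choosing and FLINK carries the value. Returns 1 if `target` got that value. */
int demo_unchecked_unlink_write(void)
{
    static struct chunk scratch;    /* any mapped address serves as the "value" */
    static struct chunk *target;    /* the variable the attacker overwrites */
    unsigned char payload[PAYLOAD_LEN];
    heap_init();
    struct chunk *c0 = heap_alloc();
    /* flink sits at offset 0, so aiming BLINK at &target makes blink->flink be target */
    build_payload(payload, &scratch, (struct chunk *)&target);
    vulnerable_copy(c0, payload, PAYLOAD_LEN);
    unchecked_unlink(&arena[1]);    /* blink->flink = flink, i.e. target = &scratch */
    return target == &scratch;
}
```

The first demo is the mitigation doing its job: the overflowed chunk's links no longer point at a chunk that points back, so the allocator refuses it instead of following the attacker's pointers. The second demo is the pre-check behaviour the mitigation was introduced to stop, with the two pointer writes of the unlink turned into a controlled store. A payload that points the links at unmapped memory simply faults inside the check, which in the real heap also ends the process.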
The researchers found that once the LFH is serving an allocation, those checks no longer stand in the way; why that should be so has not been explained. If an attacker can force a vulnerable application to route the relevant allocations through the LFH, a heap overflow can then be used to write malicious code to memory and execute it unchallenged. In the case of IIS, the researchers achieved this by sending a specific sequence of FTP commands to the server.
Researcher Chris Valasek told The Register, "Unlike other exploitation techniques of the past, you need to know more about the underlying operating system and the application that's being run to figure out how to enable [LFH] and how to use it to your advantage." The LFH does not take over an allocation size until the heap has seen a run of requests of that size, so it is not active for a given size by default, and reproducing the right allocation pattern from outside the application is often extremely complicated.
Other protection features in Windows are also now considered to have been cracked: JIT spraying undermines address space layout randomisation (ASLR) and data execution prevention (DEP) by getting a JIT compiler to emit attacker-chosen instructions at predictable addresses, and return-oriented programming (ROP) bypasses DEP by reusing code that is already executable.