06-18-2007, 11:06 AM
Posted by Symantec (Senior Member, Join Date: Oct 2006, Posts: 295)
Heap Spraying vs. Heap Feng Shui

<p>When SkyLined released in 2004 one of the first proof-of-concept exploits introducing the “Heap Spraying” technique, he commented [1] on his code in this way:</p>
<blockquote>“The JavaScript creates a large amount of heap-blocks filled with 0x0D byte nopslides followed by the shellcode. This is to make sure [0x0D0D0D0D] == 0x0D0D0D0D. It's not the most efficient thing in the world but it works like a charm for most IE bugs.”</blockquote>

<p>Well, it was not the most efficient thing in the world, but it has been proven to work so well that it actually is the most copied-and-pasted piece of code used to exploit many of the Internet Explorer vulnerabilities discovered since 2004. <br />
So, I was surprised to come across an exploit in the wild that uses a different heap manipulation technique. The malicious code was hosted on a Russian domain (hxxp://crun[REMOVED].info) and was part of one of the typical web attacker toolkits developed by Eastern European gangs. The code exploited the CVE-2006-4777 vulnerability related to the DirectAnimation.PathControl component (DAXCTLE.OCX) for Internet Explorer. It tries to execute a shellcode that downloads and runs a malicious executable.</p>

<p>The heap allocation code used in this exploit was quite advanced and completely different from the conventional Heap Spraying code used in the attacks that I’ve seen so many times. In this case, the exploit page (keyframe.html) used a special compact heap manipulation library named “heapLib.js” which, after some investigation, introduced me to the mystical world of the “Heap Feng Shui”.<br />
In fact, the JavaScript library turned out to be part of one of the interesting papers [2] presented at Black Hat 2007 some months ago. I suddenly realized that it was another sad case of copy-and-paste where the bad guys abused the code released at Black Hat and replaced the original harmless shellcode with a malicious payload, shown in this picture:</p>

<p><a href="http://www.symantec.com/enterprise/security_response/weblog/upload/2007/06/Heap%20Spray%20lg.html"><img src="http://www.symantec.com/enterprise/security_response/weblog/upload/2007/06/Heap%20Spray%20sm.jpg" width="370" height="507" /></a></p>

<p>The bottom shows the original proof-of-concept code while the top shows the altered code (which includes a link to a malicious file to download and a different shellcode). It’s always a shame seeing malware writers misusing the findings and efforts of individual researchers to do such bad things. It’s just another proof of how limited their skills are. The bad guys were also too lazy to remove messages and comments from the original code, which is now going to be distributed on many malicious sites with the original author’s name still inside the code.</p>

<p>The good news is that the vulnerability exploited in this attack was already patched by MS06-067; the bad news is that malware authors now know and will use this new technique. Heap Feng Shui really takes heap exploitation for browsers to the next level and it’s a powerful method that allows the creation of more efficient and reliable exploits in the future.</p>

<p>[1] - http://www.edup.tudelft.nl/~bjwever/advisory_iframe.html.php<br />
[2] - http://www.determina.com/security.research/presentations/index.html#bh-eu07</p>
http://www.symantec.com/enterprise/security_response/weblog/2007/06/heap_spraying_vs_heap_feng_shu.html
Mon, 18 Jun 2007 05:00:00 -0800
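As an added example (not part of the Symantec post or this thread), a defender-side heuristic in Python that flags the Heap Spraying skeleton the quoted comment describes: a nop sled built from one repeated %uXXXX escape, grown by string doubling, then copied into many heap blocks, and the self-referential address property ([0x0D0D0D0D] == 0x0D0D0D0D) that makes such a sled work. The thresholds, regexes and sample scripts are constructed for illustration and are not from any real scanner.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed heuristics for the spray skeleton the quoted comment describes: a sled from
# one repeated %uXXXX escape, grown by string doubling, copied into many heap blocks.
ESCAPE_RUN = re.compile(r'unescape\(\s*["\']((?:%u[0-9a-fA-F]{4}){2,})["\']\s*\)')
DOUBLING_LOOP = re.compile(
    r'while\s*\(\s*(\w+)\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1')
FILL_LOOP = re.compile(
    r'for\s*\([^;]*;\s*\w+\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*;[^)]*\)\s*\w+\s*\[\s*\w+\s*\]\s*=')
MIN_SLED_LEN = 0x10000  # constructed threshold (UTF-16 units): shorter strings are rarely sleds
MIN_BLOCKS = 50         # constructed threshold: heap blocks allocated by one fill loop

@dataclass
class SprayReport:
    indicators: List[str] = field(default_factory=list)
    self_ref_addr: Optional[int] = None  # e.g. 0x0D0D0D0D: the sled reads as its own pointer

def _word_from_escape(esc: str) -> Optional[int]:
    """32-bit value spelled by a uniformly repeated %uXXXX escape, else None."""
    units = {u.lower() for u in re.findall(r'%u([0-9a-fA-F]{4})', esc)}
    if len(units) != 1:
        return None
    unit = bytes.fromhex(units.pop())[::-1]  # %uABCD is stored little-endian: CD AB
    return int.from_bytes(unit + unit, "little")

def analyze(script: str) -> SprayReport:
    rep = SprayReport()
    for m in ESCAPE_RUN.finditer(script):
        word = _word_from_escape(m.group(1))
        if word is not None:
            rep.indicators.append("repeated-escape-sled")
            if len(set(word.to_bytes(4, "little"))) == 1:  # all four bytes equal
                rep.self_ref_addr = word  # [addr] == addr, the property the quote relies on
    for m in DOUBLING_LOOP.finditer(script):
        if int(m.group(2), 0) >= MIN_SLED_LEN:
            rep.indicators.append("string-doubling-loop")
    for m in FILL_LOOP.finditer(script):
        if int(m.group(1), 0) >= MIN_BLOCKS:
            rep.indicators.append("heap-block-fill-loop")
    return rep

def is_spray(script: str) -> bool:
    return len(analyze(script).indicators) >= 2  # require two independent hints
# Constructed samples: a spray skeleton carrying no payload, and an ordinary script.
SPRAY_SAMPLE = '''var sled = unescape("%u0d0d%u0d0d");
while (sled.length < 0x40000) sled += sled;
for (var i = 0; i < 200; i++) blocks[i] = sled;'''
BENIGN_SAMPLE = 'var s = unescape("%u00e9"); for (var i = 0; i < 10; i++) items[i] = s;'
```

Two hints are required before a script is flagged because a single repeated escape or a large array on its own is common in legitimate pages; the self-referential address is reported separately so an analyst can see which value the sled was tuned to.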