Firm finds danger in dangling pointers
New buffer overflow threat
In December 2005, technology consultant Inge Henriksen announced he had found a flaw in Microsoft's flagship web server platform, Internet Information Server (IIS) 5.1.
Yet, because the vulnerability appeared impossible to exploit, Microsoft put off patching the issue.
The programming problem represented a fairly common developer mistake, but one that is generally thought to cause instability, not insecurity. Known as a dangling, or wild, pointer, the flaw was caused by an IIS service process that attempted to use memory that was already freed by the program. At the time, exploiting the flaw only appeared to crash the program.
"In other words, this is not a buffer/stack overflow exploit and it will therefore not enable anyone to execute code on the web server," Henriksen wrote on his blog at the time. "But then again, I'm not sure on this issue and someone might prove me wrong."
As it turns out, Henriksen and Microsoft were both wrong. More than a year and a half later, two researchers at security-audit firm Watchfire discovered a way to exploit the dangling point issue. What's more, the researchers - Jonathan Afek and Adi Sharabani - have found a method of exploiting a broad class of dangling pointers and plan to detail the process next week at the Black Hat Security Briefings in Las Vegas.
The discovery means that developers and security researchers need to start considering dangling pointers as security problems as serious as buffer overflows, said Danny Allan, director of security research for Watchfire.
"The dangling pointer was reported to Microsoft in 2005, and they never patched it - that is indicative where dangling pointers are right now," Allan said. "It remained unpatched for two years because they didn't consider it a security problem, but a quality problem."
A dangling pointer is a software bug that occurs when a programmer creates an object in memory, uses the object, frees up the memory for reuse and then mistakenly tries to access the object again. The portion of memory previously allocated to the object may no longer have the expected data. Instead, the memory likely has meaningless data, or in the case of an exploitable dangling pointer, could have malicious code.
While other researchers have found exploitable dangling pointers, most developers believe that the flaw is a quality-control issue, not a security problem, Watchfire's Allan said.
"That is where most companies are today," he said. "They don't patch these things very quickly."
In the case of the IIS 5.1 flaw, it took Microsoft 21 months to patch the issue. While some security experts didn't rule out the possibility that the IIS flaw could be used to execute code, Microsoft apparently agreed with Henriksen's assessment and promptly put patching the flaw on the back burner, promising to fix the issue in Windows XP Service Pack 3, which at the time was a year away.
Microsoft's Security Response Centre also had other problems. Less than two weeks later, zero-day details on a vulnerability in the handling of the Windows Meta File (WMF) format had leaked to the Internet, and the software giant had to scramble to develop a patch.
The software giant fixed the IIS flaw as part of its regularly schedule Patch Tuesday on 10 July. The software giant would only comment on the patch, not the flaw itself.
Security researchers have known that dangling pointers can be an exploitable vulnerability; it is not a new concept.
Last week, security firm iDefense published details on an exploitable dangling pointer flaw in the Opera web browser. The vulnerability was caused by the browser's misuse of application memory when removing BitTorrent transfers from the transfer list.
Determining whether such vulnerabilities can be exploited is not a trivial task, said Sean Larsson, security intelligence engineer for Internet and security services firm VeriSign, iDefense' parent company.
"There are more reported buffer overflow vulnerabilities than dangling pointer vulnerabilities," Larsson stated in an e-mail interview with SecurityFocus. "However, that doesn't necessarily mean that dangling pointer vulnerabilities are not common. Depending on the behaviour of the program, a dangling pointer vulnerability might not even result in a crash, which makes it difficult to detect."
Opera patched the vulnerability in an update released last week in coordination with iDefense's announcement.
Watchfire called such announcements the "tip of the iceberg".
The security-audit firm would give few details before the Black Hat presentation, but did say that the applications most in danger are web servers and operating systems, followed by client software used to access the internet, such as web browsers. Also, programming languages that automatically clean up memory when an object is deleted - called implicit garbage collection - will not be affected by dangling pointers.
"It is very technical and sophisticated, more so than exploiting a buffer overflow," Allan said. "Any application that is remotely accessible to me is my biggest target. Any software that does not have implicit garbage collection is going to be a target."
"My guess is there will be a lot of research into dangling pointers in the future," he said.
This article originally appeared in Security Focus.
Copyright © 2007, SecurityFocus