ASLR Protection could be bypassed by visiting a website. Millions of devices at risk

A group of security researcher has devised a new attack technique dubbed AnC attack that allows to bypass the ASLR Protection on 22 CPU architectures.

The  Address Space Layout Randomization (ASLR Protection) is a security mechanism used by operating systems to randomize the memory addresses used by key areas of processes, it makes hard for attackers to find the memory location where to inject their malicious code.

The ASLR is particularly effective against stack and heap overflows and is able to prevent arbitrary code execution triggered by any other buffer overflow vulnerability. The security measures are present in almost any modern operating system, including Windows, Linux, macOS, and Android.

The group of security researchers VUSec (Vrije University in the Netherlands) have discovered a bug in a chip that could be exploited to bypass ASLR Protection exposing millions of devices to cyber attacks, and the bad news is that the flaw cannot be fixed with a software update.

The experts of the VUSec have devised an attack technique, dubbed ASLR Cache or AnC, that can bypass ASLR protection on at least 22 processor micro-architectures from popular vendors. Chips of major vendors like Intel, AMD, ARM, Allwinner, Nvidia, and others are affected by the flaw.

VUSec has notified all the affected chip vendors and software firms, including Intel, AMD, Samsung, Nvidia, Microsoft, Apple, Google, and Mozilla, more than three months ago.

The ASLR protection bypass leverages on a simple JavaScript code that is able to determine the base addresses in memory where system and application components are executed neutralizing the Randomization process implemented by the ASLR Protection system.

A user can be hacked by simply visiting a malicious website.

ASLR Protection bypass

“The memory management unit (MMU) of modern processors uses the cache hierarchy of the processor in order to improve the performance of page table walks. This is fundamental to efficient code execution in modern processors. Unfortunately, this cache hierarchy is also shared by untrustred applications, such as JavaScript code running in the browser.” reads the description provided by the researchers. “We have built a side-channel attack, specifically an EVICT+TIME cache attack, that can detect which locations in the page table pages are accessed during a page table walk performed by the MMU.”

MMU is tasked to map the memory allocation of programs, it constantly checks the page table to keep track of the memory addresses assigned to the applications.

The page table is usually stored in the CPU’s cache to improve performance, but the directory also shares some of its cache with untrusted applications, including web browsers.

A javascript running on a malicious website can modify the content of the cache through a side channel attack, in this way an attacker can discover where software components, like libraries and RAM-mapped files, are located in the virtual memory.

Once obtained the memory addresses the attacker can map portions of the memory and launch further attacks, for example injecting malicious exploit codes, escalate access to the operating system, and take complete control of a machine.

The researchers demonstrated how to exploit the AnC JavaScript attacks via up-to-date Chrome and Firefox web browsers on 22 different CPU micro-architectures. The attack is very fast, just 90 seconds are sufficient to bypass the ASLR protection.

The VUSec research team have released two papers [1, 2] detailing the AnC attack, they also published two video PoC of the attack running in a Firefox browser on a 64-bit Linux machine.

The flaws related to the AnC attacks are tracked with the fallowing CVE identifiers:

  • CVE-2017-5925 for Intel processors
  • CVE-2017-5926 for AMD processors
  • CVE-2017-5927 for ARM processors
  • CVE-2017-5928 for a timing issue affecting multiple browsers

In order to protect our device against AnC attacks is to enable plug-ins, such as NoScript for Firefox or ScriptSafe for Chrome. In this way, untrusted JavaScript code on web pages will be blocked.

Pierluigi Paganini

(Security Affairs – hacking , ASLR Protection)

The post ASLR Protection could be bypassed by visiting a website. Millions of devices at risk appeared first on Security Affairs.

Source: Security Affairs @ February 17, 2017 at 04:10AM