“Dangling pointers”, a software vulnerability once considered slight, might soon become a significant threat, according to security vendor Watchfire.
The company has developed new proof-of-concept code that it said can use what's generally seen as a relatively benign coding flaw to launch remote code execution attacks. A dangling pointer, like a buffer overflow, can exist in a large number of software products.
Watchfire, which was recently acquired by IBM, is set to demonstrate its attack against Microsoft's IIS 5.1 server software at next week's Black Hat conference in Las Vegas. Dangling pointers are used by software programmers, especially in C and C++, to point to locations in memory where objects - such as a string or a number or an array - may exist, said Danny Allan, director of security research at Watchfire.
"When you are writing code and you create a reference to an object in memory, it's a pointer," Allan said. "A pointer knows exactly where in memory a specific piece of information is stored."
A dangling pointer can arise if that object in memory is somehow destroyed or overwritten while the pointer itself is allowed to exist in the code. "If that piece of memory has been erased, and the pointer doesn't know it has been erased, then you have a dangling pointer," Allan said, noting that such pointers can cause systems to become unstable or crash.
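The situation Allan describes, a freed object whose pointer survives, is shown below in an added C example that is not Watchfire's code and not the IIS flaw; the record type, the pool and the two helper routines are assumptions made for illustration. It demonstrates two defensive disciplines: freeing through a helper that clears the caller's pointer, so a later use faults deterministically instead of silently reading recycled memory, and handing out generation-tagged handles instead of raw pointers, so a stale reference is refused when it is resolved.

```c
/* Added example (not from the article or Watchfire): defences against dangling pointers. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char name[32];
    int  value;
} record_t;

/* Defence 1: free through a helper that also clears the caller's pointer.
   After this call the pointer is NULL, not dangling, so a later dereference
   crashes loudly on NULL instead of reading whatever reused the block. */
static void record_free(record_t **pp) {
    if (pp == NULL || *pp == NULL) return;
    free(*pp);
    *pp = NULL;
}

/* Walk-through: allocate, free via the helper, confirm the caller's copy is cleared. */
static int demo_free_clears_pointer(void) {
    record_t *r = malloc(sizeof *r);
    if (r == NULL) return 0;
    r->value = 5;
    record_free(&r);
    return r == NULL;           /* 1: no dangling pointer remains */
}

/* Defence 2: hand out handles (slot index + generation) instead of raw pointers.
   Freeing a slot bumps its generation, so every outstanding handle to that
   slot stops resolving, even after the slot is reused for a new object. */
#define POOL_SIZE 4
typedef struct { uint32_t index; uint32_t generation; } handle_t;

static struct { record_t rec; uint32_t generation; int in_use; } pool[POOL_SIZE];

static handle_t pool_alloc(const char *name, int value) {
    for (uint32_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            snprintf(pool[i].rec.name, sizeof pool[i].rec.name, "%s", name);
            pool[i].rec.value = value;
            return (handle_t){ i, pool[i].generation };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };   /* pool exhausted: never resolves */
}

/* Resolve a handle; NULL if the slot is free or was freed since the handle was issued. */
static record_t *pool_get(handle_t h) {
    if (h.index >= POOL_SIZE || !pool[h.index].in_use) return NULL;
    if (pool[h.index].generation != h.generation) return NULL;   /* stale handle */
    return &pool[h.index].rec;
}

static void pool_free(handle_t h) {
    if (h.index >= POOL_SIZE || !pool[h.index].in_use) return;
    if (pool[h.index].generation != h.generation) return;        /* already stale */
    pool[h.index].in_use = 0;
    pool[h.index].generation++;          /* invalidates all handles to this slot */
    memset(&pool[h.index].rec, 0, sizeof pool[h.index].rec);
}

/* Walk-through: the freed slot is reused for a new record, and the old handle
   must not reach it (that reach is exactly what a dangling pointer would allow). */
static int demo_stale_handle_is_rejected(void) {
    handle_t a = pool_alloc("session-a", 1);
    pool_free(a);
    handle_t b = pool_alloc("session-b", 2);     /* reuses the slot a pointed at */
    record_t *via_old = pool_get(a);
    record_t *via_new = pool_get(b);
    return via_old == NULL && via_new != NULL && via_new->value == 2;
}

int main(void) {
    printf("free helper clears pointer: %s\n", demo_free_clears_pointer() ? "yes" : "no");
    printf("stale handle rejected:      %s\n", demo_stale_handle_is_rejected() ? "yes" : "no");
    return 0;
}
```

The raw-pointer version of this bug, a read through the pointer after `free()`, is undefined behaviour and is deliberately not executed here; it is the case that runtime checkers such as Valgrind's memcheck or a sanitizer build report as an invalid read of freed heap memory, which is why such tools belong in the test cycle for C and C++ code.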
Though the issue is well understood, dangling pointers for the most part have been considered more a software quality issue than a security risk, Allan said. One reason is that dangling pointers have been considered difficult to exploit, he said. It is one of the reasons why the flaw in IIS exploited by Watchfire - even though it was reported in 2005 - was not patched until Watchfire demonstrated its attack code, he said.
To exploit the issue, hackers would need to be able to alter the pointer and make it point to some other location in memory where they have introduced malicious code, Allan said. Or they would need to overwrite the memory location to which the pointer is pointing with malicious code, he said.
Both approaches are extremely challenging but can be done, Allan said, pointing to the code that Watchfire plans to demonstrate next week. The demonstration will involve Watchfire running its own code on a vulnerable IIS server. Though the payload in the demonstration is innocuous, attackers would be able to run code of their choice on a vulnerable system using a similar exploit, he said.
"We have the ability to run anything we want on that machine. I have root access to the box to do whatever I like," he said.
Watchfire's attack shows how dangling pointers can be every bit as dangerous and ubiquitous as buffer overflows, Allan said. "We know that dangling pointers are very common, but there are no statistics on [them]" in vulnerability databases maintained by organisations such as CERT because they are not considered a security issue, he said.
There are several tools available, including Valgrind and Mudflap, that can find application memory problems such as dangling pointers, he added.