Heap Feng Shui in JavaScript and HeapLib

Written by on May 1st, 2007 in Ajax News.

Alexander Sotirov has gone deep into JavaScript internals in IE. Really deep. His focus was on exploits, but there is knowledge here that helps us understand why Array.join is better than string += "foo" for large amounts of data.
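To make the Array.join point concrete, here is an added example (not code from the article or from HeapLib) that models the allocation pattern behind the two approaches. It assumes the allocate-a-fresh-copy-per-concatenation behaviour the article attributes to IE's JScript engine; engines that build strings as ropes will not show the same cost. The counters (allocations, bytes copied, intermediate strings freed) are a bookkeeping model, not measurements taken from a real heap.

```javascript
// Added example, not part of the original post or of HeapLib.
// Model: every `s += chunk` allocates a brand-new string holding the whole
// accumulated value and frees the previous one (assumed JScript behaviour);
// Array.join allocates the result once. Strings are UTF-16, 2 bytes per char.
const BYTES_PER_CHAR = 2;

function buildByConcat(chunk, count) {
  let s = "";
  let allocations = 0;   // new string objects created
  let bytesCopied = 0;   // bytes written into those new strings
  for (let i = 0; i < count; i++) {
    s += chunk;
    allocations += 1;
    bytesCopied += s.length * BYTES_PER_CHAR; // whole accumulated value is copied
  }
  // every intermediate string except the last becomes a free hole on the heap
  return { result: s, allocations, bytesCopied, intermediateFrees: allocations - 1 };
}

function buildByJoin(chunk, count) {
  const parts = [];
  for (let i = 0; i < count; i++) {
    parts.push(chunk);   // array slots, not string copies
  }
  const s = parts.join("");
  // one allocation for the final string; no intermediate strings to free
  return { result: s, allocations: 1, bytesCopied: s.length * BYTES_PER_CHAR, intermediateFrees: 0 };
}

// Compare both strategies for the same input; the results are identical
// strings but the modelled heap churn differs by a factor of about count/2.
function compareStrategies(chunk, count) {
  const concat = buildByConcat(chunk, count);
  const join = buildByJoin(chunk, count);
  return {
    sameResult: concat.result === join.result,
    concat,
    join,
    copyRatio: concat.bytesCopied / join.bytesCopied,
  };
}

// Usage (constructed input): 1000 one-character chunks.
// Concatenation copies 2 * (1 + 2 + ... + 1000) = 1,001,000 bytes and leaves
// 999 freed intermediate strings behind; join copies 2,000 bytes once.
const summary = compareStrategies("A", 1000);
console.log(summary.concat.bytesCopied, summary.join.bytesCopied, summary.copyRatio);
```

The quadratic copy cost is the performance side of the story; the 999 freed intermediates are the heap-layout side. A script that concatenates in a loop leaves the allocator with a trail of variously sized holes, which is exactly the uncontrolled state that HeapLib's gc() and alloc() calls are meant to replace with a predictable one.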

Introduction

The exploitation of heap corruption vulnerabilities on the Windows platform has become increasingly more difficult since the introduction of XP SP2. Heap protection features such as safe unlinking and heap cookies have been successful in stopping most generic heap exploitation techniques. Methods for bypassing the heap protection exist, but they require a great degree of control over the allocation patterns of the vulnerable application.

This paper introduces a new technique for precise manipulation of the browser heap layout using specific sequences of JavaScript allocations. We present a JavaScript library with functions for setting up the heap in a controlled state before triggering a heap corruption bug. This allows us to exploit very difficult heap corruption vulnerabilities with great reliability and precision.

We will focus on Internet Explorer exploitation, but the general techniques presented here are potentially applicable to any other browser or scripting environment.

HeapLib, a JavaScript heap manipulation library, came out of this work:

JAVASCRIPT:

// Requires heapLib.js (Alexander Sotirov's library) to be loaded before this script runs

// Create a heapLib object for Internet Explorer
var heap = new heapLib.ie();

heap.gc();      // Run the garbage collector before doing any allocations

// Allocate 512 bytes of memory and fill it with padding
heap.alloc(512);

// Allocate a new block of memory for the string "AAAAA" and tag the block with "foo"
heap.alloc("AAAAA", "foo");

// Free all blocks tagged with "foo"
heap.free("foo");

Source: Ajaxian
Original Article: http://ajaxian.com/archives/heap-feng-shui-in-javascript-and-heaplib
