Researchers from Hewlett Packard's Zero Day Initiative (ZDI) have released exploit code for a flaw that allows Microsoft's Address Space Layout Randomisation (ASLR) protection to be bypassed in Internet Explorer, despite Microsoft having released no patch since the issue was disclosed to it.
Announced publicly by HP Security Research back in February, the flaw bypasses a protection against memory-corruption attacks known as Address Space Layout Randomisation. As the name suggests, ASLR randomises where an application's or the operating system's code and data are placed in memory on each run, so that an exploit cannot rely on the code or data it needs being at a fixed, predictable address. The flaw, and related issues with Microsoft's Internet Explorer web browser, were discovered by HP's Zero Day Initiative team members Brian Gorenc, Abdul-Aziz Hariri, and Simon Zuckerbraun, and won $125,000 - donated to educational organisations - from Microsoft's Mitigation Bypass Bounty and Blue Hat Bonus programmes. 120 days after being disclosed privately to Microsoft, the issue was publicly announced by HP - but details of how to exploit the flaw were kept private until Microsoft could release a patch.
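Why a single leaked address is enough to defeat ASLR is worth seeing in code. The following is an added illustration, not code from HP's white paper or from any Microsoft component: it shows that although the absolute addresses of a module's functions and globals change from one run to the next, their distance from one another is fixed at link time, so an attacker who learns one address (the "leak", here simulated by simply reading a function pointer) can compute every other address in that module. The function and variable names are arbitrary choices made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Two functions and one global that live in this module. Under ASLR their
 * absolute addresses differ between runs (run the program twice and compare),
 * but their relative positions are decided at link time and never change. */
static int anchor_function(int x) { return x + 1; }   /* the one we "leak" */
static int target_function(int x) { return x * 2; }   /* what we want to find */
static int target_global = 42;                        /* a data target */

typedef uintptr_t addr_t;

/* Distance from anchor_function to target_function. Unsigned subtraction
 * wraps modulo 2^N, which is exactly the arithmetic a rebase needs, so a
 * target that sits *below* the anchor is handled without a signed type. */
addr_t code_delta(void) {
    return (addr_t)target_function - (addr_t)anchor_function;
}

/* Distance from anchor_function to target_global (data usually lives in a
 * different section from code, so this delta can be large or "negative"). */
addr_t data_delta(void) {
    return (addr_t)&target_global - (addr_t)anchor_function;
}

/* What an ASLR bypass ultimately reduces to: take one leaked address and add
 * a precomputed delta to locate any other address in the same module. */
addr_t rebase(addr_t leaked_anchor, addr_t delta) {
    return leaked_anchor + delta;   /* wraps back around for "negative" deltas */
}

int main(void) {
    /* In a real attack this value comes from an information leak; here we
     * just read it directly to stand in for that step. */
    addr_t leaked = (addr_t)anchor_function;

    printf("leaked anchor_function @ %#lx\n", (unsigned long)leaked);
    printf("code delta             = %#lx\n", (unsigned long)code_delta());
    printf("data delta             = %#lx\n", (unsigned long)data_delta());
    printf("target_function        @ %#lx (rebased) vs %#lx (actual)\n",
           (unsigned long)rebase(leaked, code_delta()),
           (unsigned long)(addr_t)target_function);
    printf("target_global          @ %#lx (rebased) vs %#lx (actual)\n",
           (unsigned long)rebase(leaked, data_delta()),
           (unsigned long)(addr_t)&target_global);

    /* Prove the rebased data pointer really is the global. */
    int *g = (int *)rebase(leaked, data_delta());
    printf("target_global value via rebased pointer: %d\n", *g);
    return 0;
}
```

Running the binary twice on an ASLR-enabled system prints different absolute addresses each time while the two deltas stay identical, which is the property every ASLR bypass relies on: the mitigation only hides the base, and one disclosed pointer gives the base away.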
Now, more than half a year after Microsoft was informed of the flaw, HP has released full details to the public - despite there still being no patch released. 'Releasing this level of detail about an unfixed bug is not something we normally do, nor do we do it lightly. To be very clear, we are not doing this out of spite or malice,' claimed HP's Dustin Childs in a blog post announcing the release at the RECon security conference in Montreal this week. 'We would prefer to release this level of detail only after the bug is patched. However, since Microsoft confirmed in correspondence with us they do not plan to take action from this research, we felt the necessity of providing this information to the public. We do so in accordance with the terms of our own ZDI vulnerability-disclosure programme.'
HP claims Microsoft has provided two reasons for its refusal to produce a patch: that 32-bit versions of Internet Explorer benefit less from ASLR than 64-bit versions, and that a separate mitigation, MemoryProtection, offers similar protection, as evidenced by a decrease in vulnerability submissions against Internet Explorer. 'What is lost here is that the bypass described and submitted also works for 32-bit systems, which is the default configuration on millions of systems. To demonstrate this, we have released proof-of-concept (PoC) code to demonstrate this bypass on Windows 7 and Windows 8.1,' Childs notes of the first excuse, adding of the second that 'MemoryProtection only fully mitigates a subset of use-after-free (UAF) vulnerabilities. Is an ineffective ASLR mitigation worth a "slight decrease" in UAF vulnerability submissions to Microsoft? It seems that for Microsoft, the answer is yes. UAF vulnerabilities still exist in IE and the ease at which ASLR can be broken only makes IE a more attractive target for attackers.'
The white paper (PDF warning) includes the exploit code discussed by Childs in the blog post. Thus far, Microsoft has not responded to HP's release.