Another Universal ASLR Bypass Demonstrated

I’ve talked about ASLR issues in the past due to Windows/Linux implementation issues. It’s become more common to see these issues get exploited lately, though still surprisingly few times.

The most recent bypass was with Adobe Reader X and you can read about it here.

Basically some address doesn’t get randomized (VirtualAllocEx maps don’t randomize for some reason) and so they can insert their own ROP code.

There is no way to solve this without Windows picking up slack and randomizing more areas of address space/ specific calls (ie: what PaX does for mmap() base addresses and the hardened toolchain.)

Thankfully this shouldn’t bypass the Reader sandbox and it should be avoidable without Javascript enabled. EMET users are also safe against ASLR bypasses because they’ll benefit from EAF, though EAF is trivially bypassed.

A reminder that implementation flaws in something like ASLR are still around today even though it’s been years since PaX demonstrated the technique.

This vulnerability is pretty interesting and actually makes use of an issue in the sandbox having to do with the IPC handling of syscalls. For more on that you can read the actual post. While the way the sandbox is handled provides an avenue of attack the fault here is most definitely on Windows.