• A Simple JavaScript Exploit Bypasses ASLR Protection On 22 CPU Architectures

    Here's How the attack works:

    The attack exploits the way microprocessors and memory interacts with each other.

    MMU, which is present in desktop, mobile and server chips and tasks to map where a computer stores programs in its memory, constantly checks a directory called a page table to keep track of those addresses.

    Devices usually store the page table in the CPU’s cache which makes the chip speedier and more efficient. But this component also shares some of its cache with untrusted applications, including browsers.
    Therefore, a piece of javascript code running on a malicious website can also write to that cache (side channel attack), allowing attackers to discover where software components, like libraries and RAM-mapped files, are located in virtual memory.

    With these location data in hands, any attacker can read portions of the computer's memory, which they could then use to launch more complex exploits, escalate access to the complete operating system, and hijack a computer system.

    The researchers successfully exploited AnC JavaScript attacks via up-to-date Chrome and Firefox web browsers on 22 different CPU micro-architectures in about 90 seconds, even despite ASLR protections built within those browsers, like broken JavaScript timers.

    The VUSec research team have published two research papers [1, 2] detailing the AnC attack, along with two video demonstration showing the attack running in a Firefox browser on a 64-bit Linux machine.
    In their attack, the researchers combined their AnC JavaScript with attack code that exploits a now-patched use-after-free vulnerability (CVE-2013-0753) in Firefox. Issues with AnC attacks are tracked through several CVE identifiers, including:
    • CVE-2017-5925 for Intel processors
    • CVE-2017-5926 for AMD processors
    • CVE-2017-5927 for ARM processors
    • CVE-2017-5928 for a timing issue affecting multiple browsers
    VUSec team already notified all the affected chipmakers and software firms, including Intel, AMD, Samsung, Nvidia, Microsoft, Apple, Google, and Mozilla, more than three months ago, but only now went public with their findings.
    "The conclusion is that such caching behavior and strong address space randomization are mutually exclusive," the paper concludes. "Because of the importance of the caching hierarchy for the overall system performance, all fixes are likely to be too costly to be practical." 
    "Moreover, even if mitigations are possible in hardware, such as separate cache for page tables, the problems may well resurface in software. We hence recommend ASLR to no longer be trusted as the first line of defense against memory error attacks and for future defenses not to rely on it as a pivotal building block."
    According to the team, the only way you can protect yourself against AnC attacks is to enable plug-ins, such as NoScript for Firefox or ScriptSafe for Chrome, to block untrusted JavaScript code on web pages from running in the browser.

    CopyRight: The Hacker News

    Post a comment

    Powered by Blogger.