Badaslr: Exceptional cases of ASLR aiding exploitation
Talk overview:
Address Space Layout Randomization (ASLR) is the de facto standard exploit mitigation in everyday software. The simple idea of randomizing the memory layout unpredictably raises the bar for memory exploitation significantly, because the attacker additionally needs primitives such as an information leak. Ironically, although exceptional, there are rare edge cases where ASLR becomes handy for memory exploitation. In this talk, I will explain such a theoretical set of cases, which I refer to as BadASLR.
In particular, I will introduce four categories of BadASLR: (i) aiding free chunk reclamation in heap spraying attacks, (ii) aiding stack pivoting in frame-pointer null poisoning attacks, (iii) reviving the exploitability of invalid pointer referencing bugs, and (iv) introducing wild-card ROP gadgets in x86/x64 position-independent code environments. To evaluate whether BadASLR can be an actual plausible scenario, I use real-world bug bounty cases and CTF/wargame challenges. Surprisingly, I have found multiple vulnerabilities in commercial software where ASLR becomes handy for the attacker. With BadASLR cases, I have succeeded in exploiting peculiar vulnerabilities, and received a total of 10,000 USD in bug bounty rewards, including one CVE assignment.