Windows Segment Heap: Attacking the VS Allocator

Varnavas

Abstract:

Heap overflow, and heap memory corruption in general, is a common vulnerability class used to breach the security boundaries provided by the operating system.

Since the early versions of Windows, a ripe target for exploiting heap corruption vulnerabilities has been the allocator's metadata. Because of that, heap allocators have been hardened over time to prevent some of the commonly used attacks.

Fast forward to the present: since the early versions of Windows 10, Microsoft has rolled out a new heap implementation, the segment heap. In the segment heap, Microsoft has applied some of the lessons of the past and tried to mitigate and prevent the abuse of allocator metadata.


In this talk, we will see how it is possible to work around some of the implemented mitigations to exploit heap overflows by abusing the segment heap metadata. Specifically, we will target the VS allocator, which is one of the primary allocators in the segment heap. Some unique characteristics of the attacks:

- Pure attacks on the segment heap implementation: the techniques can be used anywhere the segment heap is utilized (e.g. kernel mode, user mode), regardless of the underlying heap configuration.

- There is no reliance on the actual overflow data. On the contrary, the attack can sometimes work better when dealing with totally random data.

- Finally, we also publish a WinDbg JavaScript extension that exports various internal segment heap structures useful for exploit development.

Speaker: Varnavas

Security Researcher at Blue Frost Security.