Prevalence of memory corruption exploits

07 Apr 2013

When security folks think of hacking and malware attacks they tend to think of memory corruption exploits as the common attack vector. This is a misconception, and I believe it will become more of one as defenses improve.

What are memory corruption exploits? Basically anything that ends up running shellcode: the attacker corrupts the program's memory, takes control of the instruction pointer, and from there runs code of their choosing. If you see a discussion that involves any of the following terms, it is probably about a memory corruption exploit:

  • Buffer overflows (stack or heap)
  • Format string vulnerabilities
  • Use after free, double free, heap feng shui
  • Fuzzing (the technique usually used to find these bugs in the first place)

The defenses on Windows against these are best laid out in the BlackHat USA 2012 presentation by Ken Johnson and Matt Miller, Exploit Mitigation Improvements in Windows 8. It has two great diagrams showing the protections against stack and heap vulnerabilities that are meant to stop an attacker from ever gaining control of the instruction pointer (stack cookies such as /GS, heap metadata hardening, and so on), and a further slide on the mitigations that stand between controlling the instruction pointer and arbitrary code execution (DEP and ASLR) even once an attacker has that control.
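To make the first of those two stages concrete, here is an added example (my own C, not code from the post or from the presentation) that models what a /GS stack cookie does to the Blaster-style overflow in the list below: the same unbounded copy runs twice, once with no cookie check and once with the epilogue check that /GS emits. The struct stands in for a real stack frame, and the cookie value, the fake return address and the two request buffers are constructed for the demo (a real /GS cookie is random per process).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a /GS-protected stack frame: an overflowable buffer, the cookie that
 * /GS places between it and the control data, and the saved return address.
 * Values below are assumptions for the demo; real cookies are random per process. */
#define STACK_COOKIE  0xC0DEF00Du
#define LEGIT_RETURN  0x00401000u

struct frame {
    char     buf[16];       /* the buffer the handler copies into                    */
    uint32_t cookie;        /* /GS cookie, checked before the function returns       */
    uint32_t saved_return;  /* stand-in for the saved return address on the stack    */
};

enum { RAN_NORMALLY = 0, COOKIE_CHECK_FAILED = -1 };

/* Vulnerable handler, no cookie check. The clamp to sizeof f only keeps the demo
 * inside the struct so the overflow is well-defined C; the real bug is that the
 * copy is bounded by the frame, not by sizeof f.buf. Returns the address the
 * function would "return" to. */
uint32_t handle_request_no_gs(const uint8_t *data, size_t len) {
    struct frame f = { {0}, STACK_COOKIE, LEGIT_RETURN };
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, data, len);          /* BUG: should be bounded by sizeof f.buf */
    return f.saved_return;          /* attacker-controlled once len > 16      */
}

/* Same bug, compiled "with /GS": the epilogue compares the cookie before the
 * saved return address is ever used (__security_check_cookie). */
int handle_request_gs(const uint8_t *data, size_t len, uint32_t *return_to) {
    struct frame f = { {0}, STACK_COOKIE, LEGIT_RETURN };
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, data, len);          /* same bug */
    if (f.cookie != STACK_COOKIE)   /* overflow detected: real /GS aborts the process */
        return COOKIE_CHECK_FAILED;
    *return_to = f.saved_return;
    return RAN_NORMALLY;
}

/* Constructed inputs (not real malware traffic). */
static const uint8_t benign_request[] = "GET / HTTP";          /* 11 bytes incl. NUL, fits */
static const uint8_t evil_request[24] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A', /* fills buf          */
    'B','B','B','B',                                                 /* tramples the cookie */
    0x41,0x41,0x41,0x41                                              /* new return 0x41414141 */
};

int gs_rejects_overflow(void) {
    uint32_t ret = 0;
    return handle_request_gs(evil_request, sizeof evil_request, &ret) == COOKIE_CHECK_FAILED;
}

int gs_accepts_benign(void) {
    uint32_t ret = 0;
    return handle_request_gs(benign_request, sizeof benign_request, &ret) == RAN_NORMALLY
        && ret == LEGIT_RETURN;
}

int main(void) {
    printf("no /GS, benign  : returns to 0x%08x\n",
           handle_request_no_gs(benign_request, sizeof benign_request));
    printf("no /GS, overflow: returns to 0x%08x (hijacked)\n",
           handle_request_no_gs(evil_request, sizeof evil_request));
    printf("/GS, overflow   : %s\n",
           gs_rejects_overflow() ? "cookie check failed, process would be killed" : "ran");
    return 0;
}
```

The cookie does nothing about the bug itself: the copy still overruns. It only makes the overrun end in a crash rather than a jump to the attacker's address, which is exactly the difference between Windows XP (infected) and Windows Server 2003 (crashed) in the Blaster entry below.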

Let's look at some popular worms and exploits and the infection vectors they used. I tried to choose some of the more famous and notable malware samples (with help from the Timeline of notable computer viruses and worms on Wikipedia), on the assumption that these were the more popular and more successful ones. I probably missed some of your favorites (like a lot of Chinese exploits). Let me know if I missed any infection vectors used by the malware listed, or miscategorized them. Dates are when the infection first became public. "Email attachment" means it was simply a .exe (possibly with a different extension) sent in an email.

Each entry lists the malware and date, any memory corruption exploit it used, and its other infection vectors.

Morris worm: November 2, 1988
  First worm. Infected Unix systems.
  Memory corruption exploit: buffer overflow in the finger daemon (fingerd).
  Other infection vectors: rsh and rexec against trusted machines and machines whose passwords it could guess; the DEBUG mode command of sendmail to infect remote hosts.

ILOVEYOU: May 5, 2000
  .vbs (Visual Basic Script) file sent via email.
  Memory corruption exploit: none.
  Other infection vectors: email attachment.

Sadmind: May 8, 2001
  Infected both Solaris hosts and Windows IIS web servers.
  Memory corruption exploit: VU#28934, buffer overflow in the Solaris sadmind RPC daemon.
  Other infection vectors: MS00-078, the "Web Server Folder Traversal" directory traversal in IIS (overlong UTF-8 encodings such as %c0%af for "/" slipped past the ".." check because IIS checked before it decoded), used to simply send a request like "GET /scripts/../../winnt/system32/cmd.exe /c+dir".

CodeRed: July 13, 2001
  Followed by CodeRed II on August 4, 2001, which used the same infection vector but a different payload.
  Memory corruption exploit: MS01-033, buffer overflow in the IIS Index Server ISAPI extension (idq.dll).
  Other infection vectors: none.

Nimda: September 18, 2001
  Used the same infection vectors as Sadmind and CodeRed plus several additional ones.
  Memory corruption exploit: see the Sadmind and CodeRed entries above.
  Other infection vectors: email attachment; infected every .exe file it found with itself, so copying those files to other systems infected them too; searched all network shares for directories containing .DOC and .EML files and dropped a hidden RICHED20.DLL there, which got loaded via DLL search path hijacking when a document in that directory was opened.

SQL Slammer: January 25, 2003
  Only 376 bytes; entirely memory resident (never written to disk).
  Memory corruption exploit: MS02-039, buffer overflow in the SQL Server 2000 Resolution Service (UDP port 1434).
  Other infection vectors: none.

Blaster: August 11, 2003
  Only infected Windows 2000 and 32-bit Windows XP. On Windows Server 2003 the affected RPC service had been compiled with the /GS flag, so the overflow only crashed it instead of giving code execution.
  Memory corruption exploit: MS03-026, buffer overflow in the DCOM RPC interface.
  Other infection vectors: none.

Sobig: January 2003
  Memory corruption exploit: none.
  Other infection vectors: email attachment.

Bagle: January 18, 2004
  Memory corruption exploit: none.
  Other infection vectors: email attachment.

Mydoom: January 26, 2004
  Memory corruption exploit: none.
  Other infection vectors: email attachment; copied itself into the Kazaa (a file sharing app, for you kids reading this) shared directory under the name of an enticing executable.

Netsky: January 18, 2004
  Memory corruption exploit: none.
  Other infection vectors: email attachment.

Sasser: April 30, 2004
  Memory corruption exploit: CVE-2003-0533 (MS04-011), buffer overflow in LSASS.
  Other infection vectors: none.

Storm: January 17, 2007
  Memory corruption exploit: none.
  Other infection vectors: email attachment; links to download.

Conficker: November 2008
  Memory corruption exploit: MS08-067, buffer overflow in the Server service's RPC path canonicalization.
  Other infection vectors: Autorun.inf file for execution from plugged-in USB drives and from network shares.

Operation Aurora: January 12, 2010
  Memory corruption exploit: MS10-002, Internet Explorer memory corruption (use-after-free), see the Metasploit post.
  Other infection vectors: none.

Stuxnet: June 2010
  Memory corruption exploits: MS08-067, same as used by Conficker; CVE-2010-2743 (MS10-073), privilege escalation via a malformed keyboard layout file loaded by win32k.sys, see this for more.
  Other infection vectors: MS10-046, LNK file execution from USB drives; MS10-061, arbitrary file write via the print spooler; MS10-092, privilege escalation via Task Scheduler, whose CRC32 checksum of the task file was defeated by a collision; CVE-2010-2772 / SSA-027884, hard-coded passwords for the WinCC SQL Server database; SSA-110665, DLL hijacking of the Step7 software when loading .s7p files.

Duqu: September 1, 2011
  Delivered as a .doc file.
  Memory corruption exploit: MS11-087, TrueType font integer overflow in win32k.sys.
  Other infection vectors: none.

Flashback: April 2, 2012
  Mac malware; infection vectors identified by Kaspersky.
  Memory corruption exploit: none.
  Other infection vectors: fake download (a trojanized Flash Player installer); CVE-2008-5353, Java deserialization issue; CVE-2011-3544, custom toString in the Java Rhino script engine allowing privileged execution, see the Metasploit code; CVE-2012-0507, logic flaw in handling an array (not memory corruption according to the TechNet post).

Flame: May 28, 2012
  See the CrySyS report.
  Memory corruption exploit: none.
  Other infection vectors: KB 2718704, a forged Microsoft certificate (MD5 collision against the Terminal Services licensing CA) used to impersonate Windows Update on the local network, more info here; MS10-046, LNK file execution from USB drives; MS10-061, arbitrary file write via the print spooler.

Miniduke: February 13, 2013
  Delivered as a .pdf file.
  Memory corruption exploit: CVE-2013-0640, Adobe Reader PDF exploit.
  Other infection vectors: none.
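The Sadmind/IIS entry (MS00-078) is worth a closer look, because the bug is the order of operations rather than a memory error: IIS looked for ".." in the request before it decoded the overlong UTF-8 sequence %c0%af into "/". The following is an added C example of my own (not code from the post or from IIS) showing that same "check then decode" mistake beside the fixed order; the request strings are constructed for the demo and the decoder's rejection of 0xC0/0xC1 lead bytes (which can only begin an overlong encoding) is the added hardening.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Walk a path segment by segment (both '/' and '\\' separate, as on Windows)
 * and return 0 as soon as ".." would climb above the web root, else 1. */
static int stays_under_root(const char *path) {
    int depth = 0;
    const char *seg = path;
    for (const char *p = path; ; p++) {
        if (*p == '/' || *p == '\\' || *p == '\0') {
            size_t len = (size_t)(p - seg);
            if (len == 2 && seg[0] == '.' && seg[1] == '.') {
                if (--depth < 0) return 0;
            } else if (len > 0 && !(len == 1 && seg[0] == '.')) {
                depth++;
            }
            if (*p == '\0') return 1;
            seg = p + 1;
        }
    }
}

/* Percent-decode raw into out. Returns decoded length, or -1 on a malformed
 * escape or an overlong UTF-8 lead byte (0xC0/0xC1 never start a valid sequence;
 * %c0%af is the overlong form of '/'). */
int percent_decode(const char *raw, char *out, size_t cap) {
    size_t n = 0;
    for (const char *p = raw; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval(p[1]);
            if (hi < 0) return -1;
            int lo = hexval(p[2]);
            if (lo < 0) return -1;
            c = (unsigned char)(hi * 16 + lo);
            p += 2;
        }
        if (c == 0xC0 || c == 0xC1) return -1;   /* overlong encoding: reject */
        if (n + 1 >= cap) return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* The MS00-078 order: check the raw request, decode later. */
int path_is_safe_naive(const char *raw) { return stays_under_root(raw); }

/* The fixed order: decode (and reject overlong forms) first, then check. */
int path_is_safe(const char *raw) {
    char dec[512];
    if (percent_decode(raw, dec, sizeof dec) < 0) return 0;
    return stays_under_root(dec);
}

/* Constructed requests in the style of the sadmind/IIS worm (not captured traffic). */
static const char request_plain[]   = "/scripts/../../winnt/system32/cmd.exe?/c+dir";
static const char request_unicode[] = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir";
static const char request_pct[]     = "/scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe?/c+dir";
static const char request_legit[]   = "/scripts/index.asp";

int main(void) {
    const char *reqs[] = { request_plain, request_unicode, request_pct, request_legit };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("naive=%d fixed=%d  %s\n", path_is_safe_naive(reqs[i]), path_is_safe(reqs[i]), reqs[i]);
    return 0;
}
```

The naive check catches only the literal "../" form; both the overlong %c0%af request and the plain %2e%2e request sail through it and are rejected only once decoding happens before the check. Note that the segment walk is the same function in both cases; what changes is what it is fed.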
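The MS10-092 entry under Stuxnet is the other "not memory corruption" item in the list that deserves a worked illustration: Task Scheduler stored a CRC32 of each task's XML file as its integrity check, and Stuxnet edited the file to run as SYSTEM and padded it so the checksum came out unchanged. The example below is my own C (not Stuxnet code, not the Task Scheduler's), showing why four attacker-controlled bytes anywhere in a file are enough to hit any CRC32 you like; the task XML strings are constructed stand-ins, and `force_crc32()` writes its four bytes into a slot marked XXXX inside an XML comment.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard CRC-32 (IEEE, reflected, polynomial 0xEDB88320). */
static uint32_t crc_table[256];
static uint8_t  crc_rev[256];   /* top byte of crc_table[i] -> i (a bijection for this polynomial) */
static int      tables_ready;

static void init_tables(void) {
    if (tables_ready) return;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++) c = (c & 1) ? (c >> 1) ^ 0xEDB88320u : c >> 1;
        crc_table[i] = c;
        crc_rev[c >> 24] = (uint8_t)i;
    }
    tables_ready = 1;
}

/* Internal register after feeding n bytes (before the final XOR). */
static uint32_t crc_register(const uint8_t *p, size_t n) {
    init_tables();
    uint32_t reg = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) reg = crc_table[(reg ^ p[i]) & 0xFFu] ^ (reg >> 8);
    return reg;
}

uint32_t crc32(const uint8_t *p, size_t n) { return crc_register(p, n) ^ 0xFFFFFFFFu; }

/* Overwrite buf[pos..pos+3] so that crc32(buf, n) == target, for any pos + 4 <= n.
 * Each CRC step is invertible given the register's top byte, so the suffix after
 * the slot is first undone, then the 4 slot bytes are solved to bridge the states. */
void force_crc32(uint8_t *buf, size_t n, size_t pos, uint32_t target) {
    init_tables();
    uint32_t reg  = crc_register(buf, pos);   /* state after the prefix         */
    uint32_t want = target ^ 0xFFFFFFFFu;     /* state required at the very end */
    for (size_t i = n; i > pos + 4; i--) {    /* step the suffix backwards      */
        uint8_t idx = crc_rev[want >> 24];
        want = ((want ^ crc_table[idx]) << 8) | (uint8_t)(idx ^ buf[i - 1]);
    }
    uint8_t idx[4];                           /* which table index each slot step must use */
    for (int i = 3; i >= 0; i--) {
        idx[i] = crc_rev[want >> 24];
        want = (want ^ crc_table[idx[i]]) << 8;
    }
    for (int i = 0; i < 4; i++) {             /* pick the byte that produces that index */
        buf[pos + i] = (uint8_t)((reg ^ idx[i]) & 0xFFu);
        reg = crc_table[idx[i]] ^ (reg >> 8);
    }
}

/* Constructed stand-ins for a Task Scheduler job file (not real Stuxnet artefacts).
 * The tampered version runs as SYSTEM and carries a 4-byte slot in an XML comment. */
static const char original_task[] =
    "<Task><Principal><UserId>user</UserId></Principal>"
    "<Exec><Command>C:\\tool.exe</Command></Exec></Task>";
static const char tampered_task[] =
    "<Task><Principal><UserId>SYSTEM</UserId></Principal>"
    "<Exec><Command>C:\\evil.exe</Command></Exec><!--XXXX--></Task>";

/* Forge the tampered task so its CRC32 equals the original's. Writes the result to
 * out (if non-NULL and cap is large enough) and returns its length, or 0 on failure. */
size_t forge_task(uint8_t *out, size_t cap) {
    uint8_t buf[sizeof tampered_task];
    size_t n = strlen(tampered_task);
    memcpy(buf, tampered_task, n);
    size_t pos = (size_t)(strstr(tampered_task, "XXXX") - tampered_task);
    uint32_t target = crc32((const uint8_t *)original_task, strlen(original_task));
    force_crc32(buf, n, pos, target);
    if (crc32(buf, n) != target) return 0;
    if (out && cap >= n) memcpy(out, buf, n);
    return n;
}

/* Generic check: a slot with a suffix after it, forced to an arbitrary target. */
int force_demo(uint32_t target) {
    uint8_t buf[] = "prefix:XXXX:suffix";   /* slot at offset 7 */
    size_t n = sizeof buf - 1;
    force_crc32(buf, n, 7, target);
    return crc32(buf, n) == target;
}

int main(void) {
    uint8_t forged[sizeof tampered_task];
    size_t n = forge_task(forged, sizeof forged);
    printf("original CRC32 0x%08x, forged task CRC32 0x%08x (%zu bytes)\n",
           crc32((const uint8_t *)original_task, strlen(original_task)), crc32(forged, n), n);
    return 0;
}
```

The four forced bytes are whatever the arithmetic dictates, so in a real file you put the slot somewhere the parser ignores (a comment or padding field) and move it if the bytes happen to land on something like "--". The lesson is the one the Stuxnet authors applied: a CRC detects accidental corruption, not deliberate tampering, and anything that needs the latter has to use a MAC or a signature.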

I compiled this list so people can see the types of attacks EMET protects against (the memory corruption exploits) next to all the threats it does nothing about (the other infection vectors). I think EMET and the rest of the protections Microsoft has implemented in the OS and in Visual Studio to thwart memory corruption exploits are amazing and important, but never lose sight of the forest for the trees. There are other threats that are not memory corruption exploits, and as these protections become the default (with no need for EMET), memory corruption exploits will become less prevalent still. Almost all of the threats in the other-infection-vector category can be thwarted by proper application whitelisting (the exception is the hard-coded WinCC SQL Server password used by Stuxnet).