HTML5 Heap Sprays, Pwn All The Things

HTML5 Heap Sprays, Pwn All The Things

Thursday, September 20, 2012
Anibal Sacco & Federico Muttis
EuSecWest 2012

Heap spraying has been widely used for nearly 10 years by exploit writers. This very technique usually makes the difference between the impact of a vulnerability being or not massively exploited. However, there is a silent arms race being fought between exploit writers and the most security-conscious software vendors (browser and OS vendors, with others lagging), and the most popular heap spray technique have lost their lethality.

In this talk we are going to release and describe the details of a new heap spray technique that takes advantage of the so popular HTML5 emerging stack. This fact makes the technique functional on the latest versions of most popular browsers (like Chrome, Firefox, IE9/10, Safari) not only in computers but also in smartphones in a reliable, fast and multi-threaded fashion. In addition, we will disclose several different methods to accomplish the same goal on some other widely used applications by leveraging weaknesses in its defense in-depth mechanisms.

Finally, we will be able to avoid the heap spray protections of browsers by abusing a browser independent scheme and take advantage of the lack of protections on other software. We will demonstrate our chops principally targetting browsers but also SQL engines, media centers, network devices, and then some.