|Informative Information for the Uninformed|
Abstract: This paper describes a technique that can be applied in certain situations to gain arbitrary code execution through software bugs that would not otherwise be exploitable, such as NULL pointer dereferences. To facilitate this, an attacker gains control of the top-level unhandled exception filter for a process in an indirect fashion. While there has been previous work [1,3] illustrating the usefulness of gaining control of the top-level unhandled exception filter, Microsoft has taken steps in Windows XP SP2 and later, such as function pointer encoding, to prevent attackers from overwriting and controlling the unhandled exception filter directly. While this security enhancement is a marked improvement, it is still possible for an attacker to gain control of the top-level unhandled exception filter by taking advantage of a design flaw in the way unhandled exception filters are chained. This approach is limited, however, by an attacker's ability to control the chaining of unhandled exception filters, such as through the loading and unloading of DLLs. This reduces the general applicability of the approach; there are nonetheless some interesting cases where it can be applied immediately, such as with Internet Explorer.
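The lifetime hazard the abstract refers to can be modelled without Windows at all. The program below is an added illustration, not code from this paper or from Windows: it assumes only the documented shape of the Win32 API, namely that SetUnhandledExceptionFilter() installs a single process-wide filter and returns the one it displaced, and that a DLL which wants to "chain" keeps that return value in its own storage and calls it from its own filter. The fixed module slots (address_space), the filter bodies, the return-value constants and the "attacker gets memory mapped at the freed base" step are constructed stand-ins so the program runs on any platform.

```c
#include <stdio.h>
#include <string.h>

/* Filter return values; names follow the Win32 contract, values are assumed for the model. */
#define CONTINUE_SEARCH 0L
#define EXECUTE_HANDLER 1L

struct filter_entry;
typedef long (*filter_fn)(struct filter_entry *self, const char *exception);

/* One module's filter: its code plus its private copy of the filter it displaced.
 * A module "lives" at a fixed base (an index into address_space); unloading it
 * wipes that slot, and nothing ever revalidates the raw prev pointers. */
struct filter_entry {
    filter_fn code;
    struct filter_entry *prev;
};

static struct filter_entry address_space[2];           /* two module base addresses */
static struct filter_entry *g_top_level_filter = NULL; /* the single process-wide slot */
static int g_payload_ran;

/* Model of SetUnhandledExceptionFilter(): install f, hand back what was there before. */
static struct filter_entry *set_unhandled_exception_filter(struct filter_entry *f)
{
    struct filter_entry *prev = g_top_level_filter;
    g_top_level_filter = f;
    return prev;
}

/* A well-behaved DLL filter: handles nothing itself, chains to whatever it saved. */
static long chaining_filter(struct filter_entry *self, const char *exception)
{
    if (self->prev != NULL && self->prev->code != NULL)
        return self->prev->code(self->prev, exception); /* raw call through a saved pointer */
    return CONTINUE_SEARCH;
}

/* Stand-in for attacker-controlled code at an address a module used to occupy. */
static long attacker_filter(struct filter_entry *self, const char *exception)
{
    (void)self; (void)exception;
    g_payload_ran = 1;
    return EXECUTE_HANDLER;
}

static void load_module(int slot)
{
    address_space[slot].code = chaining_filter;
    address_space[slot].prev = set_unhandled_exception_filter(&address_space[slot]);
}

/* Unload: optionally put back the filter this module displaced (as many DLLs do),
 * then the module's memory disappears. Copies held by other modules are not updated. */
static void unload_module(int slot, int restore_previous)
{
    if (restore_previous)
        set_unhandled_exception_filter(address_space[slot].prev);
    memset(&address_space[slot], 0, sizeof address_space[slot]);
}

/* Attacker gets memory mapped at the freed base (heap spray, controlled DLL load, ...). */
static void attacker_maps(int slot)
{
    address_space[slot].code = attacker_filter;
}

/* Dispatch an unhandled exception to the top-level filter. In a real process the
 * NULL checks do not exist: a stale pointer is simply called. */
static long raise_unhandled(void)
{
    if (g_top_level_filter == NULL || g_top_level_filter->code == NULL)
        return CONTINUE_SEARCH;
    return g_top_level_filter->code(g_top_level_filter, "NULL pointer dereference");
}

static void reset_process(void)
{
    memset(address_space, 0, sizeof address_space);
    g_top_level_filter = NULL;
    g_payload_ran = 0;
}

/* Nothing unloads: the chain B -> A works as intended. Returns 1 if the payload ran. */
int scenario_intact_chain(void)
{
    reset_process();
    load_module(0); load_module(1);
    raise_unhandled();
    return g_payload_ran;
}

/* A unloads while B still holds a raw pointer into A's slot; the attacker then gets
 * control of that address and B's filter chains straight into it. */
int scenario_stale_copy(void)
{
    reset_process();
    load_module(0); load_module(1);
    unload_module(0, 0);
    attacker_maps(0);
    raise_unhandled();
    return g_payload_ran;
}

/* Same start, but B then unloads and faithfully "restores" its saved previous filter:
 * the dangling pointer into A's old slot becomes the top-level filter itself. */
int scenario_stale_restore(void)
{
    reset_process();
    load_module(0); load_module(1);
    unload_module(0, 0);
    unload_module(1, 1);
    attacker_maps(0);
    raise_unhandled();
    return g_payload_ran;
}

int main(void)
{
    printf("intact chain:  payload ran = %d\n", scenario_intact_chain());
    printf("stale copy:    payload ran = %d\n", scenario_stale_copy());
    printf("stale restore: payload ran = %d\n", scenario_stale_restore());
    return 0;
}
```

The point the model makes is that the pointer encoding added in XP SP2 protects the process-wide slot from being overwritten, but every module's saved "previous filter" is an ordinary, unprotected raw pointer whose validity depends on a module that may no longer be loaded; controlling which modules load and unload, and what lands at the freed address, is therefore enough to steer an unhandled exception into attacker-chosen code without touching the protected slot directly.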
Disclaimer: This document was written in the interest of education. The authors cannot be held responsible for how the topics discussed in this document are applied.
Thanks: The authors would like to thank H D Moore, and everyone who learns because it's fun.
Update: This issue has now been addressed by the patch included in MS06-051. A complete analysis has not yet been performed to ensure that it patches all potential vectors.
With that, on with the show...