July 29, 2016 By Mark Yason 3 min read

Segment Heap is a new native heap implementation introduced in Windows 10 that is enabled in Windows apps (formerly called Modern/Metro apps) and certain system processes. This blog post discusses CVE-2016-0117, a vulnerability in the Windows PDF library (WinRT PDF) that triggered my research of the Segment Heap.

Early this year, Microsoft patched a vulnerability I discovered in WinRT PDF. The vulnerability is interesting in that it can be used to perform an arbitrary write to Edge’s content process memory, one of the critical elements for remote code execution. But another interesting aspect of the vulnerability is that to perform a reliable arbitrary write in the Edge content process, one needs to perform precise layout manipulation of a heap that is managed by the new heap implementation in Windows 10.

About CVE-2016-0117

The vulnerability (CVE-2016-0117, MS16-028) is in WinRT PDF’s PostScript interpreter for Type 4 (PostScript Calculator) functions. PostScript Calculator functions use a subset of the PostScript language operators, which use the PostScript operand stack when performing their functions.

The PostScript operand stack is a vector containing 0x65 CType4Operand pointers. Each CType4Operand is a data structure consisting of one DWORD that represents the type and one DWORD representing the value in the PostScript operand stack.

The PostScript operand stack and the CType4Operands are allocated from the MSVCRT heap:

The issue is that the PostScript interpreter fails to validate if the PostScript operand stack index is past the end of the PostScript operand stack (PostScript operand stack index is 0x65). This leads to a dereference of a CType4Operand pointer located right after the end of the PostScript operand stack.

An Opportunity for Attackers

If an attacker is able to implant a target address right after the end of the PostScript operand stack, the attacker will be able to perform a memory write to the target address via a PostScript operation that pushes a value in the PostScript operand stack.

In the illustration below, multiple integers (1094795585 or 0x41414141) are pushed to the PostScript operand stack, with the last 0x41414141 pushed to invalid index 0x65 of the PostScript operand stack:

Below is a WinDbg session when WinDbg is attached to the Edge content process when the vulnerability was triggered:

The first item to notice is the address (marked orange) of the memory write operation. It is not controlled in this particular run because heap layout manipulation was not performed. On the other hand, the high 32 bits of the value to write (red) is controlled; its value is from the PostScript Calculator function in the PDF.

Segment Heap

The next item to notice in the WinDbg session is the PostScript operand stack address (blue). When information about it is dumped, the heap (green) where the PostScript operand stack is allocated is displayed. The MSVCRT heap address is then dumped and verified to be the same heap where the PostScript operand stack was allocated. Finally, the heap listing of the Edge content process shows that the MSVCRT heap is managed by the Segment Heap.

Reliably implanting the target address right after the end of the PostScript operand stack requires precise heap layout manipulation, which in this case necessitates some level of understanding of how the Segment Heap works. Certain cases, such as the tactic that I will discuss in my talk, require deep understanding of some of Segment Heap’s internals.

Learn More at Black Hat USA

I will present my research on the internals and the security mechanisms of the Segment Heap at the upcoming Black Hat USA 2016 conference. If you’re a security researcher writing proof-of-concept code, seeking to understand the internals of the Segment Heap, or just interested to see how this new heap implementation works, please drop by at my talk, “Windows 10 Segment Heap Internals.” It will be held Aug. 4, 2016, at 9:45 a.m in the South Seas CDF room.

More from Software Vulnerabilities

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

X-Force prevents zero day from going anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities are associated with a zero day. X-Force often observes zero-day exploitation on Internet-facing systems as a vector for initial access however, X-Force has also observed zero-day attacks leveraged by attackers to accomplish their goals and objectives after initial access was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today