Use After Free (UAF) Vulnerabilities: Explain it Like I’m 5

With the latest high-severity vulnerability in Chrome (CVE-2023-5472), use-after-free vulnerabilities are in the news again, and not everyone understands exactly what the term means. Use-after-free (UAF) vulnerabilities are errors in how a program manages memory, specifically the dynamically allocated memory known as the heap. Unlike the stack, which works much like a stack of plates (hence the name), where the last plate added is the first to be removed, the heap is designed for much larger amounts of data, and the heap can be of any size the programmer sets it to.

Once data is placed on the heap, it is referenced through headers that act like a ledger, recording which sections of memory are in use and which are free. These headers record only the starting block of each allocation. This is where the vulnerability comes in: if a block of memory is moved or freed but the header that references it is not updated, a UAF occurs. That out-of-date reference is known as a dangling pointer.

If an attacker can work out which block the dangling pointer still refers to, they can place malicious code at that location. When the program later follows the stale header, the malicious code will execute. Done successfully, this results in arbitrary code execution; done improperly, it results in a denial of service through data corruption or a crash of the program.

From the application developer's standpoint, the fix is to always make sure pointers are reset or updated after an action such as a free, and to take into account every other pointer variable that refers to the same location. There are plenty of tools that check for this, so you don't have to dig through the code by hand. For users, it highlights the need to always keep software up to date and to avoid running suspicious programs, as most exploits can be delivered via fake updates or email attachments. To see your exposure if a zero-day were to occur, schedule a demo to see Glassportal in action: demo@glassportal.io
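The developer-side fix described above, resetting a pointer after its block is freed and accounting for other pointers to the same block, as an added C example that is not part of the original post (the `Session` type and all function names are constructed for illustration):

```c
#include <stdlib.h>
#include <string.h>
/* A small heap object of the kind the post describes (constructed type). */
typedef struct {
    int refs;          /* how many variables currently own a pointer to it */
    char name[32];
} Session;

Session *session_new(const char *name) {
    Session *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->refs = 1;
    strncpy(s->name, name, sizeof s->name - 1);
    return s;
}

/* Vulnerable shape: free(s) alone leaves every caller variable pointing at the
 * freed block. Fix 1: pass the variable's address and reset it after free, so a
 * later use fails a NULL check instead of reading freed memory. */
void session_free_safe(Session **sp) {
    if (sp == NULL || *sp == NULL) return;
    free(*sp);
    *sp = NULL;
}

/* Fix 2, for the aliasing case the post warns about: each variable that points
 * at the object holds a reference, the block is freed only by the last holder,
 * and the releasing variable is cleared either way. */
Session *session_retain(Session *s) { if (s) s->refs++; return s; }
void session_release(Session **sp) {
    if (sp == NULL || *sp == NULL) return;
    if (--(*sp)->refs == 0) free(*sp);
    *sp = NULL;
}

/* Checked accessor: -1 on a NULL pointer rather than a dereference. */
int session_name_len(const Session *s) { return s ? (int)strlen(s->name) : -1; }
/* Exercises both fixes; returns 0 when no stale pointer survives. */
int demo(void) {
    Session *a = session_new("alice");
    session_free_safe(&a);
    if (a != NULL || session_name_len(a) != -1) return 1;
    Session *b = session_new("bob");
    Session *alias = session_retain(b);   /* second pointer to the same block */
    session_release(&b);                  /* b cleared, block still live */
    if (b != NULL || session_name_len(alias) != 3) return 2;
    session_release(&alias);              /* last holder: block freed now */
    return alias == NULL ? 0 : 3;
}
```

Building with a memory checker such as `-fsanitize=address` is one of the tools the post refers to: it reports any read of a freed block at runtime, which is how a stale pointer that slipped past these checks would be caught in testing.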
