Protecting against Heap Spraying Techniques by Blocking Known Shell Code Exploits
| Check Point Reference: | SBP-2006-12 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | SmartDefense Research Center | |
| Industry Reference(s): | CVE-2006-4868 CVE-2006-4777 CVE-2006-4446 CVE-2006-3730 CVE-2006-3638 CVE-2006-2766 |
|
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? Microsoft Internet Explorer | ||
| Vulnerability Description A shell code is a relocatable piece of machine code used as the payload in the exploitation of a software bug. This exploit typically allows an unauthorized user to communicate with the computer via the operating system's command line as a result of exploiting a vulnerability in software running on the machine. Shell codes can be stored in a process' memory space and executed as a result of the attacker gaining control of the program counter using different vulnerabilities. A remote attacker could implant a shell code on a target system using heap spray exploitation method. Heap spraying is a new and increasingly popular technique to exploit vulnerabilities in internet browsers (e.g. Internet Explorer, Firefox). |
||
|
Vulnerability Details Microsoft Internet Explorer (IE) is prone to multiple code execution vulnerabilities. These vulnerabilities exist in various Active X control objects and in many Dynamic Link Library (DLL) files. The most effective way to exploit these vulnerabilities is by implanting a shell code in a specially crafted DLL file or COM object, using the heap spray technique. Heap spraying takes place when the vulnerable program (e.g. Microsoft Internet Explorer) 'calls' or 'jumps' into invalid memory. By convincing a user to visit a specially crafted web page, a remote attacker could trigger these vulnerabilities to deny service from legitimate users (by causing the victim's Web browser to crash), execute arbitrary code and take complete control over an affected system. A scenario where a shell code was implanted using heap sparying is described on CPAI-2006-127 and on CPAI-2006-128. |
Protection Overview
The update addresses Internet Explorer vulnerabilities by blocking a large number of known shell code exploits. Depending on the traffic mix, activating this protection may result in performance degradation.
In order for the protection to be activated, update your VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
VPN-1 NGX R62
How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities > Block Heap Spray Remote Shell Code Execution. 
2. In the Block Heap Spray configuration pane, under Block Heap Spray Settings > Mode, check Active. 
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Web Client Enforcement Violation
Attack Information: Heap spray remote shell code execution
VPN-1 NGX R61, R60, VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network?
1. In the Web Intelligence tree, click HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities.
2. Select Block Heap Spray Remote Shell Code Execution.
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Web Client Enforcement Violation
Attack Information: Heap spray remote shell code execution
VPN-1 NG with Application Intelligence R55
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities.
2. Select Block Heap Spray Remote Shell Code Execution.
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99841 will appear on the SmartView Tracker.
VPN-1 VSX NGX
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Client Protections > Microsoft Internet Explorer Vulnerabilities.
2. Select Block Heap Spray Remote Shell Code Execution.
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99841 will appear on the SmartView Tracker.
InterSpect NGX
How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click HTTP Client Protections > Microsoft Internet Explorer vulnerabilities.
3. Select Block Heap Spray Remote Shell Code Execution.
4. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Web Client Enforcement Violation
Attack Information: Heap spray remote shell code execution
InterSpect 2.0
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Client Protections > Microsoft Internet Explorer vulnerabilities.
2. Select Block Heap Spray Remote Shell Code Execution.
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Web Client Enforcement Violation
Attack Information: Heap spray remote shell code execution