W5.1 - Pointer Subterfuge

What is pointer subterfuge?

A class of attacks that exploit how programs use pointers by manipulating pointer values to redirect program execution to attacker-controlled code

What are the two main types of pointer subterfuge attacks?

• Function pointer attacks - overwriting function pointers to redirect execution to shellcode
• Data pointer attacks - modifying data pointers to achieve arbitrary memory writes

What is a pointer in programming?

A variable that stores the memory address of another variable, function, array element, or data structure

What are the main memory segments in UNIX executables?

• Text segment - executable code (read-only)
• Data segment - initialized global variables and constants
• BSS segment - uninitialized global variables
• Heap - dynamically allocated memory
• Stack - local variables and function call information

Where are initialized global variables stored?

In the data segment

Where are uninitialized global variables stored?

In the BSS (Block Started by Symbols) segment

What does BSS stand for?

Block Started by Symbols

Where are local variables stored?

On the stack

Where are static local variables stored?

In the data segment if initialized, BSS segment if uninitialized

What are the three prerequisites for a buffer overflow to overwrite a pointer?

• Buffer must be in the same memory segment as target pointer
• Buffer must be at lower memory address than target pointer
• Buffer must be susceptible to overflow (no bounds checking)

Why are function pointers particularly vulnerable to attacks?

Because they directly control program execution flow - when overwritten with malicious addresses, they can redirect execution to shellcode

What is the difference between static and indirect function calls in assembly?

• Static calls use immediate values as displacement (secure, cannot be overwritten)
• Indirect calls reference memory locations that can be overwritten (vulnerable)

What is an arbitrary memory write vulnerability?

A condition where an attacker can write arbitrary values to arbitrary memory locations by controlling both the target address and the value to be written

How does an arbitrary memory write attack work?

By overflowing a buffer to overwrite both a pointer variable (target address) and a value variable, then when the code executes *ptr = val, it writes attacker-controlled data to an attacker-chosen location

What is the Global Offset Table (GOT)?

A mechanism in ELF binaries that contains absolute addresses of library functions to enable position-independent code and dynamic linking

How does the GOT work during program execution?

• Initially points to runtime linker (RTL)
• First function call goes through RTL which resolves real address
• RTL updates GOT entry with actual function address
• Subsequent calls go directly to function through GOT

Why is the GOT vulnerable to attacks?

Because GOT entries are at fixed, predictable addresses and can be overwritten to redirect function calls to shellcode

How can you find GOT entry addresses?

Use the objdump command with --dynamic-reloc flag on the executable

What are virtual functions in C++?

Function members declared with the virtual keyword that enable polymorphism through runtime dispatch rather than compile-time binding

What is the difference between virtual and non-virtual function calls?

• Non-virtual functions use static binding (base class function called)
• Virtual functions use dynamic binding (derived class function called based on object type)

What is a Virtual Function Table (VTBL)?

An array of function pointers used by C++ compilers to implement virtual function dispatch at runtime

What is a Virtual Pointer (VPTR)?

A pointer stored in each object's header that points to the object's class VTBL

How can attackers exploit virtual pointers?

• Overwrite VPTR to point to attacker-controlled VTBL
• Overwrite function pointers within legitimate VTBL
• Both result in arbitrary code execution when virtual functions are called

What is the primary defense against pointer subterfuge?

Eliminate the root vulnerabilities that allow memory to be improperly overwritten through proper input validation and bounds checking

What are common sources of vulnerabilities that enable pointer subterfuge?

• Buffer overflows
• Dynamic memory management errors
• Format string vulnerabilities

What is W^X protection?

Write XOR Execute - a mitigation where memory pages can be either writable OR executable, but never both

What is a limitation of W^X protection?

It cannot prevent return-to-libc attacks or return-oriented programming (ROP) attacks

What is ASLR?

Address Space Layout Randomization - loads shared libraries and other components into different memory locations at each program execution

What is a limitation of ASLR?

It can be bypassed through information leakage attacks that reveal memory addresses

Why are pointer subterfuge attacks particularly dangerous?

• Bypass traditional defenses like stack canaries
• Enable precise control over memory writes
• Target critical program infrastructure
• Facilitate complex exploit chains

What is the relationship between buffer location and target pointer for successful attacks?

The buffer must be at a lower memory address than the target pointer so that overflow will reach and overwrite the pointer

How do GOT attacks differ from direct function pointer attacks?

GOT attacks target the dynamic linking mechanism itself, affecting all calls to specific library functions rather than individual function pointers

What makes virtual pointer attacks unique to C++?

They exploit the object-oriented programming mechanism of virtual function dispatch, which is specific to C++ and similar OOP languages

What is shellcode in the context of pointer subterfuge?

Malicious executable code that attackers inject and redirect program execution to through pointer manipulation

Why must the buffer and target pointer be in the same memory segment?

Because buffer overflows can only overwrite contiguous memory within the same segment - they cannot cross segment boundaries

What happens when a corrupted function pointer is called?

Instead of executing the intended function, the program jumps to the attacker-controlled address, typically executing shellcode

How does pointer subterfuge enable "write-what-where" capabilities?

By controlling both the pointer (where to write) and the value variable (what to write) through buffer overflow

What is the significance of the runtime linker (RTL) in GOT attacks?

The RTL is responsible for resolving function addresses and updating GOT entries, making the GOT a high-value target for redirection attacks

What is the difference between overwriting VPTR vs VTBL entries?

• VPTR overwrite changes which table the object uses
• VTBL entry overwrite changes specific function addresses within the table
• Both achieve code execution but through different mechanism