Overview

While viruses and malware often take center stage in the public discourse surrounding malicious file uploads, they’re far from the only threats we should be mindful of.

Critical vulnerabilities like Use-After-Free are frequently discovered in the applications (i.e., programs) we lean on to render and process important files. Such vulnerabilities can be exploited without the involvement of any viruses or malware, and if we don’t diligently address them, we can fall victim to targeted attacks with specially crafted malicious files.

What is a Use-After-Free Vulnerability?

A Use-After-Free vulnerability is a type of security flaw that occurs when a program continues to use a pointer (or a reference to memory) that has already been freed or deallocated from memory. By exploiting a Use-After-Free flaw, an attacker can induce undefined behavior in a vulnerable program.

This can give the attacker control over the program’s behavior, allowing them to leak data, escalate their own application privileges, execute arbitrary code, crash the application (i.e., Denial of Service), or cause damage in a variety of other ways.

Understanding Use-After-Free Vulnerabilities

Use-After-Free vulnerabilities fundamentally pertain to the way in which programs allocate and deallocate memory.

Applications cyclically release memory to efficiently manage limited resources, ensure high-quality performance, and maintain system stability.

Resource Management

Physical memory (RAM) in any computing environment is limited, and memory deallocation ensures other applications running on the same system can assign memory for their own unique processes. It’s not just about “spreading the wealth”; without memory deallocation, RAM would inevitably be exhausted, and memory leaks would occur as a result, leaving the entire system unstable or unresponsive.

Performance and Stability

The performance and stability of an application is directly impacted by RAM availability. RAM prevents applications from needing to swap data in and out of disk-based virtual memory, which would slow down an application’s performance significantly. The stability and responsiveness of a system depends on the efficient cooperation of applications running on that system, and RAM allocation impacts this state.

Mechanics of Memory Deallocation

When an application frees memory, that memory is returned to the program’s memory pool. This pool is managed by a memory manager. From here, the application (or other programs running on the same system) can reuse the program for future allocations.

It’s important to note that freed memory doesn’t physically move. Instead, it stays in the same location, and it receives some form of designation indicating it’s available for reuse.

When memory becomes available for reuse, the application that originally deallocated that memory doesn’t “own” it anymore. If that application attempts to access the memory it dealt with, it can lead to conflicts with other programs attempting to access the same memory. Use-After-Free vulnerabilities arise, effectively, from conflicts memory access.

Consequences of Use-After-Free Vulnerabilities

Conflicts in memory reuse can cause undefined behavior to occur within a program.

If this conflict occurs organically (meaning the vulnerability was unintentionally exploited), undefined behavior can cause an application to crash, leading to an unintentional denial of service scenario. It can also cause an application to print random values while seemingly working correctly, resulting in an arduous debugging process.

If this conflict occurs intentionally (meaning the vulnerability was intentionally exploited by a threat actor), it can allow an attacker to directly manipulate the freed memory in conflict. Sophisticated attackers are often capable of predicting and subsequently controlling the reallocation of freed memory, allowing them to insert malicious code (or data) into the application. Doing so can allow them to execute arbitrary code within the application, corrupt the application’s data structures, or crash the application, leading to an intentional denial of service scenario.

Example: CVE-2021-44710 – Use-After Free Vulnerability in Adobe Acrobat Reader DC

Let’s now look at a real-world example of a Use-After-Free vulnerability which was, several years ago, identified in a popular, mainstream application.

In 2021, a Use-After-Free vulnerability was discovered in Adobe Acrobat Reader DC (impacting versions 21.007.20099, 20.004.30017, and 17.011.30204, among several others). This vulnerability was quickly patched with security updates, but at the time, an expedient exploitation of this vulnerability could have led to arbitrary code execution in the context of the current application user. It could also have led to denial of service, security feature bypass and privilege escalation.

The vulnerability lay within the application’s processing of Format event actions. By tricking a user into opening a specially crafted JavaScript injection PDF file (supplied to the user) within one of the vulnerable application versions, an attacker could have executed code in the application’s memory buffer.

If the affected user had escalated privileges within the application (e.g., admin privileges), a successful attack could’ve allowed the attacker to make changes to the application, leak sensitive data from the application, or cause a wide range of other negative outcomes.

Mitigating Use-After-Free Attacks

General Threat Prevention

First and foremost, preventing the exploitation of Use-After-Free vulnerabilities (and many other application flaws) starts with the timely installation of application updates. Vulnerabilities like CVE-2021-44710 are typically patched in an urgent timeline following the discovery and successful replication of the vulnerability.

The longer we wait to update applications handling sensitive data in our network, the more time we give attackers to exploit zero-day vulnerabilities in our current application version.

Cloudmersive Advanced Virus Scanning: Deterministic Threat Detection

On the other hand, proactively preventing the exploitation of Use-After-Free vulnerabilities is possible with a deterministic approach to content threat detection. With proactive deterministic threat detection, we can search for hidden threats within the files threat actors specially design to exploit application vulnerabilities.

In the case of CVE-2021-44710, for example, we could prevent threat actors from exploiting the Use-After-Free vulnerability by categorically disallowing PDFs with JavaScript injections from entering our system.

The Cloudmersive Advanced Virus Scan API offers 360-degree content protection, applying deterministic threat detection in conjunction with traditional signature-based virus and malware scanning (this latter service references a continuously updated list of more than 17 million signatures). All file contents processed through the Advanced Virus Scan API are examined beyond the file extension to ensure file contents rigorously conform with expected file formatting standards.

JavaScript injection PDFs used in the CVE-2021-44710 example will be identified as invalid files despite containing valid PDF extensions. This will prevent those files from reaching unsuspecting users who might unwittingly open them and initiate targeted attacks.

Contact Us

For more information on how the Cloudmersive Advanced Virus Scan API can protect your network from targeted malicious attacks, please feel free to reach out to a member of our team.