Exploits leveraging memory corruption vulnerabilities typically require some knowledge about the target environment, such as the binary, OS, and allocator. These insights are required to e.g. prepare the heap and deploy ROP chain gadgets. As a result, exploits typically target client-side software such as browsers and phones. When server-side software vulnerabilities are exploited, they usually target distributed software where the deployed binary and environment is at least partially known.
Due to the constraint of knowledge requirements, a large attack-surface is rarely reported to be successfully exploited: Memory corruption exploits against server-side software with no access to the source code or binary. This includes open-source libraries with known CVE’s being compiled into an unknown environment. An additional challenge is dealing with load-balanced environments. Even if an attacker can defeat ASLR in one request, they have no guarantee that they are targeting the same worker in a follow-up request.
Google’s Cloud Vulnerability Research team (CVR) presents vulnerabilities in a third-party JPEG 2000 image library called Kakadu. We outline the challenges an external attacker would face in exploiting these vulnerabilities in an unknown environment and how to overcome them with a technique we internally call “Conditional Corruption” that allowed us to craft a self-modifying image for exploitation and achieve Remote-Code-Execution impact.
In a 2007 study, Kakadu outperformed other JPEG 2000 libraries and described itself as the leading JPEG 2000 development kit. It is likely that major companies are affected by the vulnerabilities we reported, including a Google service.
Simon Scannell is a self-taught Vulnerability Researcher and is part of Google's Cloud Vulnerability Research team. He enjoys writing exploits and traveling in his free time. Previous work included WordPress, Zimbra, Counter-Strike: Global Offensive and the Linux Kernel
Anthony Weems is a Staff Security Engineer on Google's Cloud Vulnerability Research team.