TID-206: Memory Management Protections Subverted
Threat Description
While memory permissions such as non-executable stack and heap memory can prevent threat actors from injecting and executing their own code, it is still possible to leverage a process’s existing code to perform a malicious function. For example, Return Oriented Programming (ROP) is a technique in which, once a process’s stack can be overwritten, a series of “returns” to short instruction sequences (gadgets) already within the process is chained together to carry out the attacker’s intended function. This can include “returns” into existing libraries (e.g., libc) or any other instruction sequences already present in that process’s memory.
The exploitation of this threat may be possible through TID-219, and may also be enabled by the exploitation of TID-219.
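The first thing a defender checks against this threat is whether a binary even requests the memory protections described above. The following is an added example, not part of this threat entry or any referenced project: a small ELF64 program-header parser that reports the NX-stack, RELRO and PIE properties a Linux loader honours, run here against a constructed minimal ELF image rather than a real binary (the `build_sample_elf` helper and its layout are assumptions made for the demonstration).

```python
import struct

# ELF constants (ELF64 specification / Linux ABI)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551   # its flags tell the loader whether the stack is executable
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation (protects the GOT)
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def parse_elf64(data):
    """Return (e_type, [(p_type, p_flags), ...]) from an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS 2 = 64-bit
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"             # EI_DATA 1 = little-endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def check_mitigations(data):
    """Report NX stack, RELRO and PIE: whether injected code can run at all,
    and how predictable the addresses a ROP chain would need are."""
    e_type, phdrs = parse_elf64(data)
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    # No PT_GNU_STACK header at all: the glibc loader historically falls back
    # to an executable stack, so treat "absent" as "not protected".
    nx = bool(stack_flags) and not (stack_flags[0] & PF_X)
    relro = any(t == PT_GNU_RELRO for t, _ in phdrs)
    pie = e_type == ET_DYN          # caveat: shared libraries are ET_DYN as well
    return {"nx": nx, "relro": relro, "pie": pie}


def build_sample_elf(nx=True, relro=True, pie=True):
    """Constructed minimal ELF64 image (header + program headers, no code);
    enough to exercise the checks above, not a loadable binary."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                              0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    return hdr + body
```

Pointing `check_mitigations` at the bytes of a real file (`open(path, "rb").read()`) gives the same three flags; a `False` in any field is a finding to raise with the build, since each missing protection widens what an attacker can reach with a stack overwrite.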
Threat Maturity and Evidence
Known Exploitable Weakness
ATT&CK Technique: Process Injection: Proc Memory (T1055.009)
“Proc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions.”
CWE
CVE
CVE-2024-28115
“FreeRTOS is a real-time operating system for microcontrollers. FreeRTOS Kernel versions through 10.6.1 do not sufficiently protect against local privilege escalation via Return Oriented Programming techniques should a vulnerability exist that allows code injection and execution. These issues affect ARMv7-M MPU ports, and ARMv8-M ports with Memory Protected Unit (MPU) support enabled (i.e. configENABLE_MPU set to 1). These issues are fixed in version 10.6.2 with a new MPU wrapper.”