Exploiting Flash Reliably

mark April 12th, 2008

Adobe released a patch recently for the Flash Player application that addresses several vulnerabilities, one of which I discovered. Although it initially seemed like the ability to exploit this bug was fairly limited, I found an interesting methodology that I was able to use to reliably exploit the bug. I have documented the details of it for interested readers here.

Enjoy!

7 Responses to “Exploiting Flash Reliably”

  1. Juliano on 15 Apr 2008 at 1:08 am

    Awesome! I really enjoyed the paper. Congratulations.

  2. Rhys on 16 Apr 2008 at 2:46 pm

    Whoa, Thomas Ptacek hit it on the head. Mark, you really are a robot from the future sent to kill the mother of the person who will grow up to challenge SkyNet!

    http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/

    Quite a few hurdles surpassed to get reliable remote code execution here, ultimately with a unique use of the ActionScript bytecode. I hope it’s a wake-up call for the many prevalent script (Ruby, Python, ECMAScript etc.) interpreters that absolved themselves of all security issues because of a view that memory corruption only happens in C/C++ code.

  3. Benjamin on 16 Apr 2008 at 11:53 pm

    Interesting read. I’m not entirely clear how you handled the cross-browser case; you mentioned using the same technique to write two different words in memory. If you write to an address that hits AS3_argmask in IE, aren’t you corrupting memory at some (possibly unrelated) location in Firefox?

    I know Opera uses the NS plugin API, but I don’t know if that means that it loads the Flash plugin at the same address. If it does, then the exploit would work the same as for Firefox.

  4. Nathan McFeters on 17 Apr 2008 at 4:38 am

    Mark,

    Covered this on the ZDNet Zero Day Security blog. This vulnerability is absurdly cool. Hell of a find, would like to chat with you about it sometime, as I wonder if the application of your exploit technique is limited to Flash, or if some of the concepts could be extended to other null pointer dereference issues.

    -Nate

  5. mark on 17 Apr 2008 at 12:57 pm

    @Benjamin: Yes, if you do multiple overwrites, you overwrite some other data in each of the browsers, but it turned out not to matter. (Also, your shellcode can return the corrupted addresses to their original state.)

    @Nathan: Cool, thanks :). Yeah, you can email me if you have any questions..

  6. dmm on 18 Apr 2008 at 4:30 pm

    Mark,

    It looks as if simply modifying ‘SceneCount’ will cause the DoABC tag not to be executed? What else should I consider when creating such a SWF file?

    Thanks.

  7. mark on 21 Apr 2008 at 7:31 am

    @dmm: As the paper mentions, you need a ShowFrame tag.
