Comments on: Exploiting Flash Reliably http://taossa.com/index.php/2008/04/12/exploiting-flash-reliably/ Continued ramblings on software security and code auditing Fri, 30 Jul 2010 13:37:38 +0000 http://wordpress.org/?v=2.0.5 by: mark http://taossa.com/index.php/2008/04/12/exploiting-flash-reliably/#comment-22758 Mon, 21 Apr 2008 07:31:00 +0000 http://taossa.com/index.php/2008/04/12/exploiting-flash-reliably/#comment-22758 @dmm: As the paper mentions, you need a ShowFrame tag. @dmm: As the paper mentions, you need a ShowFrame tag.

]]> by: dmm http://taossa.com/index.php/2008/04/12/exploiting-flash-reliably/#comment-22615 Fri, 18 Apr 2008 16:30:00 +0000 http://taossa.com/index.php/2008/04/12/exploiting-flash-reliably/#comment-22615 Mark, It looks if simply modify ‘SceneCount’ will cause DoABC tag not executed ? What else should I considered when create such SWF file? Thanks. Mark,

It looks if simply modify ‘SceneCount’ will cause DoABC tag not executed ? What else should I considered when create such SWF file?

Thanks.

]]> by: mark http://taossa.com/index.php/2008/04/12/exploiting-flash-reliably/#comment-22530 Thu, 17 Apr 2008 12:57:00 +0000 http://taossa.com/index.php/2008/04/12/exploiting-flash-reliably/#comment-22530 @Benjamin: Yes, if you do multiple overwrites, you overwrite some other data in each of the browsers.. but it turned out not to matter. (Also, your shellcode can return the corrupted address to their original state.) @Nathan: Cool, thanks :). Yeah, you can email me if you have any questions.. @Benjamin: Yes, if you do multiple overwrites, you overwrite some other data in each of the browsers.. but it turned out not to matter. (Also, your shellcode can return the corrupted address to their original state.)

@Nathan: Cool, thanks :). Yeah, you can email me if you have any questions..

]]> by: Nathan McFeters http://taossa.com/index.php/2008/04/12/exploiting-flash-reliably/#comment-22511 Thu, 17 Apr 2008 04:38:00 +0000 http://taossa.com/index.php/2008/04/12/exploiting-flash-reliably/#comment-22511 Mark, Covered this on the ZDNet Zero Day Security blog. This vulnerability is absurdly cool. Hell of a find, would like to chat with you about it sometime, as I wonder if the application of your exploit technique is limited to Flash, or if some of the concepts could be extended to other null pointer dereference issues. -Nate Mark,

Covered this on the ZDNet Zero Day Security blog. This vulnerability is absurdly cool. Hell of a find, would like to chat with you about it sometime, as I wonder if the application of your exploit technique is limited to Flash, or if some of the concepts could be extended to other null pointer dereference issues.

-Nate

]]> by: Benjamin http://taossa.com/index.php/2008/04/12/exploiting-flash-reliably/#comment-22487 Wed, 16 Apr 2008 23:53:00 +0000 http://taossa.com/index.php/2008/04/12/exploiting-flash-reliably/#comment-22487 Interesting read. I’m not entirely clear how you handled the cross-browser case; you mentioned using the same technique to write two different words in memory. If you write to an address that hits AS3_argmask in IE, aren’t you corrupting memory at some (possibly unrelated) location in FireFox? I know Opera uses the NS plugin API, but I don’t know if that means that it loads the Flash plugin at the same address. If it does then the exploit would work the same as for FireFox. Interesting read. I’m not entirely clear how you handled the cross-browser case; you mentioned using the same technique to write two different words in memory. If you write to an address that hits AS3_argmask in IE, aren’t you corrupting memory at some (possibly unrelated) location in FireFox?

I know Opera uses the NS plugin API, but I don’t know if that means that it loads the Flash plugin at the same address. If it does then the exploit would work the same as for FireFox.

]]> by: Rhys http://taossa.com/index.php/2008/04/12/exploiting-flash-reliably/#comment-22480 Wed, 16 Apr 2008 14:46:00 +0000 http://taossa.com/index.php/2008/04/12/exploiting-flash-reliably/#comment-22480 Whoa, Thomas Ptacek hit it on the head. Mark you really are a robot from the future sent to kill the mother of the person who will grow up to challenge SkyNet! <a href="http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/" rel="nofollow">http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/</a> Quite a few hurdles surpassed to get reliable remote code execution here, ultimately with a unique use of the ActionScript bytecode. I hope it’s a wake up call for the many prevalent script (Ruby, Python, ECMAScript etc) interpreters that absolved themselves of all security issues because of a view memory corruption only happens in C/C++ code. Whoa, Thomas Ptacek hit it on the head. Mark you really are a robot from the future sent to kill the mother of the person who will grow up to challenge SkyNet!

http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/

Quite a few hurdles surpassed to get reliable remote code execution here, ultimately with a unique use of the ActionScript bytecode. I hope it’s a wake up call for the many prevalent script (Ruby, Python, ECMAScript etc) interpreters that absolved themselves of all security issues because of a view memory corruption only happens in C/C++ code.

]]> by: Juliano http://taossa.com/index.php/2008/04/12/exploiting-flash-reliably/#comment-22425 Tue, 15 Apr 2008 01:08:00 +0000 http://taossa.com/index.php/2008/04/12/exploiting-flash-reliably/#comment-22425 Awesome! I really enjoyed the paper. Congratulations. Awesome! I really enjoyed the paper. Congratulations.

]]>