Flash exploit runs unverified bytecode

  • 16-04-2008 08:55AM
    #1

    http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/
    Reliable Flash vulnerabilities are catastrophes. In 2008, we have lots of different browsers. We have different versions of the OS, and we have Mac users. But we’ve only got one Flash vendor, and everyone has Flash installed. Why do you care about Flash exploits? Because in the field, any one of them wins a commanding majority of browser installs for an attacker. It is the Cyberdyne Systems Model 101 of clientsides.

    From Mark Dowd's IBM white paper Introduction:
    The following case study describes a unique exploitation scenario using a recently disclosed flash vulnerability that was reported to Adobe by IBM (advisory available at http://www.iss.net/threats/289.html). At first the vulnerability seemed to offer limited exploitation options, but further analysis uncovered an application-specific attack that results in reliable, consistent exploitation. Achieving the same exploitation with more conventional methods is unlikely. The technique presented leverages functionality provided by the ActionScript Virtual Machine – an integral part of Adobe Flash Player. Further, it will be shown that the vulnerability can be successfully exploited without leaving telltale signs, such as a browser crash following the attack.

    Although this document deals specifically with the Win32/intel platform, similar attacks can most likely be carried out on the many other platforms flash is available for. In particular, some of the methodology discussed might be useful for constructing a robust exploit on Unix platforms as well as several embedded platforms. Understanding the specific scenarios used to exploit memory corruption vulnerabilities will help improve protection strategies.

    The white paper itself goes into quite a bit of detail on what the exploit is (as you would expect), but Thomas Ptacek's article (linked above) gives a pretty good overview. It basically comes down to inconsistencies in ActionScript's two-pass bytecode verification allowing an attacker to embed or inject malicious bytecode.
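One way to picture the bug class the post describes (a verification pass and an execution pass that do not agree on which bytes make up the method body) is the constructed toy VM below. It is added example code, not Flash Player, AVM2 or Dowd's code; the opcode set, the body layout and the HOSTCALL opcode are assumptions of the toy.

```python
# Constructed toy stack VM (not AVM2 and not Flash Player code) showing the
# bug class: the verifier and the interpreter disagree about which bytes form
# the method body, so bytes the verifier never inspected end up being executed.
# Toy method body layout: [code_length][code bytes ...]
PUSH, ADD, END, HOSTCALL = 0x01, 0x02, 0x00, 0xFF  # HOSTCALL: op the verifier must never admit
SAFE_OPS = {PUSH: 1, ADD: 0, END: 0}               # opcode -> number of operand bytes


class VerifyError(Exception):
    pass


def verify(body: bytes) -> int:
    """Pass 1: admit only SAFE_OPS inside the declared length; return that length."""
    length = body[0]
    region = body[1:1 + length]
    if len(region) != length:
        raise VerifyError("declared length exceeds buffer")
    pc = 0
    while pc < len(region):
        op = region[pc]
        if op not in SAFE_OPS:
            raise VerifyError(f"opcode {op:#04x} at pc={pc} not allowed")
        pc += 1 + SAFE_OPS[op]
        if pc > len(region):
            raise VerifyError("operand runs past declared length")
    return length


def run(code: bytes):
    """Shared interpreter loop over exactly the bytes it is handed."""
    stack, log, pc = [], [], 0
    while pc < len(code) and code[pc] != END:
        op = code[pc]
        if op == PUSH:
            stack.append(code[pc + 1]); pc += 2
        elif op == ADD:
            stack.append(stack.pop() + stack.pop()); pc += 1
        else:  # reached only when an unverified byte is executed
            log.append(f"unverified opcode {op:#04x} at pc={pc}"); pc += 1
    return stack, log


def execute_inconsistent(body: bytes):
    """Flawed pass 2: verifies the declared region but executes the whole buffer."""
    verify(body)
    return run(body[1:])


def execute_consistent(body: bytes):
    """Fixed pass 2: execution is confined to the region verification covered."""
    length = verify(body)
    return run(body[1:1 + length])


# Constructed inputs: in CRAFTED the declared length 2 covers only "PUSH 7",
# so the trailing HOSTCALL lies outside the verified region.
CRAFTED = bytes([2, PUSH, 7, HOSTCALL, END])
BENIGN = bytes([6, PUSH, 2, PUSH, 3, ADD, END])
```

Running `execute_inconsistent(CRAFTED)` records the unverified HOSTCALL being executed, while `execute_consistent(CRAFTED)` never reaches it; the fix is that both passes consume the same view of the method body.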

