#1
http://zhodiac.hispahack.com/my-stuf...SLR_bypass.pdf
TL;DR: Flash is vulnerable to a reliable info leak that allows ASLR to be bypassed, making exploitation of other vulnerabilities, on browsers, Acrobat Reader, MS Office and any process that can host Flash, trivial like in the old days where no security mitigations were available. Patch immediately.

(My personal note) I think it's silly when these get called "ASLR bypasses" because people get confused. This didn't really bypass ASLR, ASLR just wasn't fully supported. Had ASLR been fully supported it would have made this far less viable. It also highlights that a single area of address space not supporting ASLR (though the initial exploit wouldn't care about ASLR) is often all it takes to construct ROP - so consider what you inject into processes, a single non-ASLR DLL undermines the security of the entire program.
Last edited by Hungry Man: April 10th, 2012 at 10:34 PM.
#2
Quote:
Which I believe is one of the things Microsoft is trying to kill off with EPM.
OpenDNS with DNSCrypt. SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs. HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP (Fanboy's list) & HTTPS Everywhere
#3
The problem is that the fixed address used for ROP in this case is an undocumented library that's actually provided by Windows and is always loaded into the same address.
So I'm wondering if all programs use/have access to this because it's a major security hole if so - it's like a universal ASLR bypass.
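The defensive check both posts point at is simple to automate: a module can only be rebased by ASLR if its PE header opts in with IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and its relocations have not been stripped. The script below is an added example, not code from this thread or from the linked paper. The flag values are taken from the Microsoft PE/COFF specification; the module names and header bytes are constructed in-memory test fixtures (none of them is the unnamed Windows library discussed above), and `scan_file` is a hypothetical helper for running the same check over real DLLs on disk.

```python
import struct
import sys

# Flag values from the Microsoft PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF Characteristics: no .reloc, cannot be moved
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100

# IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL
DEFAULT_FILE_CHARACTERISTICS = 0x2102


def analyze_pe(data: bytes) -> dict:
    """Parse PE headers from raw file bytes and report the module's ASLR posture.

    The verdict `aslr_capable` is true only when the image asks for a dynamic base
    AND still carries relocations; without .reloc the loader cannot move it.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, _nsec, _ts, _sym, _nsym, _opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_capable": dynamic_base and not relocs_stripped,
    }


def build_minimal_pe(dll_chars: int, file_chars: int = DEFAULT_FILE_CHARACTERISTICS,
                     pe32plus: bool = False) -> bytes:
    """Construct a header-only PE image for testing (no sections; not loadable)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed fixtures standing in for a process's loaded modules (names are made up).
SAMPLE_MODULES = {
    "rebased.dll": build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "fixed-address.dll": build_minimal_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT),   # never opted in: always at ImageBase
    "stripped.dll": build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                                     file_chars=DEFAULT_FILE_CHARACTERISTICS | IMAGE_FILE_RELOCS_STRIPPED),
}


def find_non_aslr(modules: dict) -> list:
    """Return the names of modules that will land at a fixed address, sorted."""
    return sorted(name for name, data in modules.items() if not analyze_pe(data)["aslr_capable"])


def scan_file(path: str) -> dict:
    """Hypothetical helper: read only the headers of a real DLL and analyze them."""
    with open(path, "rb") as fh:
        return analyze_pe(fh.read(4096))


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for p in paths:
            print(p, scan_file(p))
    else:
        print("fixed-address modules in constructed sample:", find_non_aslr(SAMPLE_MODULES))
```

To audit a live process rather than files, feed `scan_file` the module paths from your process-listing tool of choice; any module the script flags as not `aslr_capable` is exactly the kind of static anchor the thread describes, regardless of how well the host binary itself is compiled.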