Flash info leak leads to a fun vulnerability

Discussion in 'malware problems & news' started by Hungry Man, Apr 10, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man (Registered Member)

    http://zhodiac.hispahack.com/my-stuff/security/Flash_ASLR_bypass.pdf

    TL;DR: Flash is vulnerable to a reliable info leak that allows ASLR to be bypassed, making exploitation
    of other vulnerabilities, on browsers, Acrobat Reader, MS Office and any process that can host
    Flash, trivial like in the old days where no security mitigations were available. Patch immediately.

    (My personal note) I think it's silly when these get called "ASLR bypasses" because people get confused. This didn't really bypass ASLR; ASLR just wasn't fully supported. Had ASLR been fully supported, it would have made this far less viable. It also highlights that a single area of address space not supporting ASLR (though the initial exploit wouldn't care about ASLR) is often all it takes to construct ROP, so consider what you inject into processes: a single non-ASLR DLL undermines the security of the entire program.
    Last edited: Apr 10, 2012
  2. funkydude (Registered Member)

    Which I believe is one of the things Microsoft is trying to kill off with EPM.
  3. Hungry Man (Registered Member)

    The problem is that the fixed address used for ROP in this case is an undocumented library that's actually provided by Windows and is always loaded into the same address.

    So I'm wondering if all programs use/have access to this, because it's a major security hole if so - it's like a universal ASLR bypass.
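Both posts above come down to the same defensive question: which modules in a process can still be found at a fixed address? That is something you can audit from the PE headers alone, because a DLL is only randomised if it opted in (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and still carries relocations (IMAGE_FILE_RELOCS_STRIPPED clear). The script below is an added example, not code from the thread, the paper, or any vendor; it parses only the documented PE layout, and the "modules" it inspects are minimal headers constructed in memory so it runs offline. The `build_pe`, `aslr_status` and `fixed_address_modules` names are my own.

```python
"""Audit PE images for effective ASLR by reading the header bits.

Added example (not from the thread or any vendor). Assumes only the
documented PE/COFF layout; the sample modules are constructed in memory.
"""
import struct

# Flag values as documented in the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF Characteristics
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # Optional header DllCharacteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_pe(dll_chars, file_chars=IMAGE_FILE_DLL, pe32plus=True):
    """Build a minimal, header-only PE image (constructed test data, not loadable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt_size = 112 if pe32plus else 96  # optional header without data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, file_chars)
    # DllCharacteristics sits at offset 70 of the optional header in both
    # PE32 and PE32+; everything else is left zero for this test image.
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


def aslr_status(image):
    """Return the ASLR-relevant header bits of one PE image as a dict."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    coff = e_lfanew + 4
    file_chars = struct.unpack_from("<H", image, coff + 18)[0]  # Characteristics
    opt = coff + 20                                             # optional header start
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        # Opting in is not enough: without relocations the loader cannot move the image.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def fixed_address_modules(modules):
    """Given {name: image_bytes}, return the names that would load at a fixed
    address, i.e. the ones that undermine ASLR for the whole process."""
    return sorted(name for name, img in modules.items()
                  if not aslr_status(img)["aslr_effective"])


# Constructed module set: one fully hardened DLL, one legacy 32-bit DLL that
# never opted in, and one that opted in but had its relocations stripped.
SAMPLE_MODULES = {
    "good.dll": build_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                         | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                         | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    "legacy.dll": build_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT, pe32plus=False),
    "stripped.dll": build_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                             file_chars=IMAGE_FILE_DLL | IMAGE_FILE_RELOCS_STRIPPED),
}

if __name__ == "__main__":
    for name, image in SAMPLE_MODULES.items():
        print(name, aslr_status(image))
    print("fixed-address modules:", fixed_address_modules(SAMPLE_MODULES))
```

On a real system you would feed `aslr_status` the bytes of each file in a process's module list instead of the constructed headers; any name that comes back from `fixed_address_modules` is the "single non-ASLR DLL" the first post warns about, regardless of how well the rest of the process is built.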