Flash info leak leads to a fun vulnerability

Discussion in 'malware problems & news' started by Hungry Man, Apr 10, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    http://zhodiac.hispahack.com/my-stuff/security/Flash_ASLR_bypass.pdf

    TL;DR Flash is vulnerable to a reliable info leak that allows ASLR to be bypassed making exploitation
    of other vulnerabilities, on browsers, Acrobat Reader, MS Office and any process that can host
    Flash, trivial like in the old days where no security mitigations were available. Patch immediately.

    (My personal note) I think it's silly when these get called "ASLR bypasses" because people get confused. This didn't really bypass ASLR, ASLR just wasn't fully supported. Had ASLR been fully supported it would have made this far less viable. It also highlights that a single area of address space not supporting ASLR (though the initial exploit wouldn't care about ASLR) is often all it takes to construct ROP - so consider what you inject into processes, a single non-ASLR DLL undermines the security of the entire program.
     
    Last edited: Apr 10, 2012
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Which I believe is one of the things Microsoft is trying to kill off with EPM.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The problem is that the fixed address used for ROP in this case is an undocumented library that's actually provided by Windows and is always loaded into the same address.

    So I'm wondering if all programs use/ have access to this because it's a major security hole if so - it's like a universal ASLR bypass.
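    The point made in both of Hungry Man's posts above is that one fixed-address module in a process is enough to defeat ASLR for the whole process. The audit a defender would want is therefore "which modules in this process image set are not relocatable?", and that is answerable from the PE headers alone. The script below is an added example written for this thread; it is not from the linked paper or from any vendor tool. It reads the COFF `Characteristics` and optional-header `DllCharacteristics` fields at the offsets given in the PE/COFF specification and reports any image that either lacks `IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` or has had its relocations stripped, since either condition pins the image to its preferred base. The sample modules it builds (`good32.dll`, `legacy.dll`, and so on) are constructed header-only byte strings for demonstration, not real files.

```python
"""Audit PE images (DLLs/EXEs) for ASLR compatibility by reading their headers.

A module can be rebased by the loader only if the linker set
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and did not strip the relocation
section (IMAGE_FILE_RELOCS_STRIPPED). Any module failing that test loads
at a fixed address and hands an attacker stable gadget addresses.
"""
import struct
import sys

# Flag values from the PE/COFF specification (Microsoft "PE Format" docs).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR (Win8+)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image may be rebased
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # DEP compatible
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def aslr_status(image: bytes) -> dict:
    """Parse the DOS, COFF and optional headers (only the first few KB of the
    file are needed) and report the mitigation-relevant flags."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    _, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", image, coff)
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 of the optional header in both the
    # PE32 and PE32+ layouts (the ImageBase/BaseOfData size differences cancel).
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # The property that matters here: can the loader actually rebase it?
        "aslr_compatible": dynamic_base and not relocs_stripped,
    }


def audit_modules(modules: dict) -> list:
    """Return, sorted, the names of modules that would load at a fixed address.
    `modules` maps a module name to its raw header bytes."""
    return sorted(name for name, data in modules.items()
                  if not aslr_status(data)["aslr_compatible"])


def audit_paths(paths) -> list:
    """Same audit over files on disk; only the header region is read."""
    modules = {}
    for path in paths:
        with open(path, "rb") as fh:
            modules[path] = fh.read(4096)
    return audit_modules(modules)


def build_header(dynamic_base: bool, relocs_stripped: bool, pe32plus: bool = False) -> bytes:
    """Construct a minimal, header-only PE image for testing (no sections, not
    loadable). Offsets follow the same spec layout that aslr_status() parses."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff_chars = IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0
    opt_size = 240 if pe32plus else 224   # standard sizes incl. 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, coff_chars)
    dll_chars = IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    if dynamic_base:
        dll_chars |= IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    if sys.argv[1:]:
        for name in audit_paths(sys.argv[1:]):
            print(f"FIXED ADDRESS: {name}")
    else:
        # Constructed sample set (hypothetical names): two relocatable modules,
        # one linked without /DYNAMICBASE, one with relocations stripped.
        sample = {
            "good32.dll": build_header(True, False),
            "good64.dll": build_header(True, False, pe32plus=True),
            "legacy.dll": build_header(False, False),
            "stripped.dll": build_header(True, True),
        }
        print("fixed-address modules:", audit_modules(sample))
```

    Run it with no arguments to see the constructed sample, or pass the paths of the DLLs a process loads to audit real files. Any module it lists is a candidate for being relinked with `/DYNAMICBASE` (and without `/FIXED`), or for being dropped from the process if it is third-party; a single such module is the "universal ASLR bypass" the thread is worried about.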
     