Adobe Flash Player DEP and ASLR bypass affects browsers and Adobe Reader

Discussion in 'other security issues & news' started by MrBrian, Mar 7, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Researchers penetrate last bastion of Windows security:
    From Security Expert: Flash Is the Root of Browser Insecurity (Oh, and IE8 Isn't So Bad!):
    Newer-format PDF files that have Flash embedded can also apparently be targeted, according to JIT Spraying in PDF:
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  3. Pain of Salvation

    Pain of Salvation Registered Member

    Joined:
    Apr 21, 2005
    Posts:
    398
    Flashblock for Chrome and Firefox wouldn´t help?
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Any Flash blocking browser add-ons that block Flash content on webpages would be helpful for blocking malicious Flash content in webpages, but be careful about PDFs that a browser may automatically open using Adobe Reader (or maybe even other PDF viewers). Flash blocker browser add-ons won't stop embedded Flash content within PDFs, as far as I know. If your browser can automatically open a PDF, then you may be vulnerable to a drive-by PDF with malicious embedded Flash content that could evade DEP and ASLR.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for the articles. Hopefully everyone will consider them carefully. I think the first one, from last month, has been discussed elsewhere.

    From the 2nd article:

    Well, that cripples a lot of sites on the internet. Wouldn't just disabling Plugins protect against the remote code execution exploit? That is, the Flash object would not load by default:

    flash_1.gif

    Loading the Flash object also requires javascript to be enabled:

    Code:
    script type="text/javascript">
            
               var swfSRC = "/swf/photogallery.swf"
               
               flashvars.xml = '/2009/12/top-ten/top-ten-photogallery.xml';
    
               swfobject.embedSWF
    
            /script>
    

    Wouldn't this be an additional protection against the remote code execution exploit for those who configure scripting per site? Wouldn't these configurations also take care of remote code execution flash exploits embedded in a PDF file? In Opera, for example, disabling "Plugins" globally takes care of both Flash and PDF.

    Back to this site: with both Plugins and Javascript enabled, I see the photographs:

    flash_2.gif

    It's obvious that a decision must be made by the user. One would probably trust the National Geographic Site. But here is a similar message from a Facebook exploit, the Koobface trojan:

    koobface-2.gif

    One would hope that the user would not succumb to the trick. Much would depend on the user's knowledge of how her/his plugins are updated, and, hopefully, knowing to do so only from the vendor's site.

    Back to the remote code execution exploit: what happens if the user has Plugins and Javascript enabled? We would have to see the exploit in action to know, but based on previous such drive-by (remote code execution) Flash exploits, the payload would be a malware executable:

    Security in place to block this type of payload is an added protection.

    One of the points in the article is that most people have Flash enabled by default, but that doesn't negate the fact that there are solutions for the drive-by exploits (I present three here). Why don't these article ever point that out?

    ----
    rich
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Hopefully my previous post (which probably wasn't there yet when you started composing your last message) addresses this.

    It's always good to highlight thoughts like these again :).
     
  7. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Charlie Miller: The main thing is not to install Flash!

    Pwn2Own 2010: interview with Charlie Miller.

     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Weren't you addressing Flash Block? What about Plugins in general? I don't know how Firefox works, but in Opera, you can configure per site,

    plugins-1.gif

    and/or globally

    plugins-2.gif

    Have you seen the exploit code for a PDF file with embedded Flash object? With Plugins disabled, wouldn't that prevent the PDF file from loading automatically? Hence, no Flash object triggered?

    Anyway, my advice to home users always has been to configure PDF files to prompt for a download:

    [​IMG]

    Using code from past exploits, I make a drive-by exploit and it generates the download prompt:

    plugins-3.gif

    Wouldn't that be a good preventative measure against the drive-by exploit?

    Again, I ask rhetorically, why these authors who like to present these vulnerabilities to the public don't discuss preventative measures, other than "switch browsers" or "don't install Flash." Not very helpful, IMO!

    ----
    rich
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    No, but I didn't look either.

    Sorry I don't know for sure, as I switched to Firefox last year.

    It's probably best to also not have PDFs open automatically in the browser, as you already suggested, so that in any event having Opera Plugins turned on for a given site doesn't expose you to drive-by PDFs.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    What is your advice to Firefox users as to configuring the browser to prevent the drive-by PDF exploit?

    ----
    rich
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In Firefox itself, in Tools->Options->Applications, I have almost every content type set to "Always ask."

    In Adobe Reader, in Edit->Preferences->Internet, I have "Display PDF in browser" unchecked.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks!

    This takes care of Firefox and Opera.

    Maybe users of IE, Chrome, and others, can post similar settings from their Options.

    ----
    rich
     
  13. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    I would add also that there are alternatives to Adobe Reader, such as Foxit and Nuance. While they or may not be more secure in and of themselves, the fact is that exploits are targeted specifically at Adobe Reader weaknesses.

    And no matter which pdf reader you use, it is safer to disable javascript in the reader unless you must use some particular documents (such as some pdf forms) that require it.
     
  14. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Can these exploits assume root privileges in a LUA account?
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    if there is a privilege escalation vulnerability, holes in your LUA account, etc.
     
Loading...
Thread Status:
Not open for further replies.