Java Programming Security

NULL Pointer Exploit Excites Researchers

Da Massive writes "Mark Dowd's paper 'Application-Specific Attacks: Leveraging the ActionScript Virtual Machine' has alarmed researchers. It points out techniques that promise to open up a class of exploits and vulnerability research previously thought to be prohibitively difficult. Already, the small but growing group of information security experts who have had the chance to read and digest the contents of the paper are expressing an excited concern, depending on how they are interpreting it. While the Flash vulnerability described in the paper [PDF] has been patched by Adobe, the presentation of a reliable exploit for NULL pointer dereferencing has the researchers who have read the paper fascinated. Thomas Ptacek has an explanation of Dowd's work, and Nathan McFeters at ZDNet is 'stunned by the technical details.'"
  • by MadMidnightBomber ( 894759 ) on Friday April 18, 2008 @05:39AM (#23115234)
    (book by Dowd, McDonald, Schuh) is well worth a look: http://taossa.com/index.php/author/mark/ [taossa.com]
  • Re:fubar (Score:5, Interesting)

    by Hal_Porter ( 817932 ) on Friday April 18, 2008 @06:14AM (#23115334)
    This is interesting because he's exploiting a malloc fail. The gory details of exploiting ActionScript are also cool because it has a bytecode verifier and he manages to get around it. It really is a lot more high tech than a typical stack buffer smash against a badly written C application, and that is important because everyone should hopefully have updated that sort of code to be exploit free by now. And stack checked binaries and data execute prevention, AMD's "Not Execute" bit, make those more likely to end in process death than arbitrary code execution.

    Finally, because it works on both IE and Firefox and Flash has such a huge installation base, it should be able to target a very high percentage of current machines. Larry Osterman called it "The way the world (wide web) ends" [msdn.com]

    Mind you, if Address Space Layout Randomisation was turned on in the Flash executable on Vista, exploiting this hole would most likely (255 times out of 256) lead to a browser crash rather than arbitrary code execution, so it's not like the last few years work on security has been totally wasted. At the moment it's not and you will get owned reliably. Adobe have published an update, so it's a good idea to download it.

    http://www.adobe.com/support/security/bulletins/apsb08-11.html [adobe.com]

    Back when I was reading about security someone said that buffer overflows that execute code on the stack were first generation exploits. Second generation would be more subtle stuff like this.
  • by Alioth ( 221270 ) <no@spam> on Friday April 18, 2008 @06:15AM (#23115338) Journal
    The only cross platformness it needs is browser cross platformness. 95% of desktops run Windows on x86. Since I suspect Flash doesn't get updated as often as Windows or Firefox (and I suspect many users don't even update those) this is going to be quite an effective way of making a botnet.

    The original article already has Russian trackbacks on it.
  • by Anonymous Coward on Friday April 18, 2008 @06:33AM (#23115392)
    It relies on Flash. Flash is only available in five versions - Windows / x86 (as an ActiveX control, and a Netscape plugin), Linux / x86, Mac OS X / PPC, and Mac OS X / x86.

    The exploit already works on two (both Windows versions) out of those five. With some tweaking, it'll work on two more. With some additional work, it will also work on the last one.

    The neat thing is that this single exploit can be used to break into any browser, on any operating system.

    Anyone still believe that the secure browser from a month or so ago was overkill?
  • Why the java icon? (Score:5, Interesting)

    by LarsWestergren ( 9033 ) on Friday April 18, 2008 @06:46AM (#23115448) Homepage Journal
    The paper specifically talks about the ActionScript virtual machine, i.e. the Flash player VM. There is nothing in there about Java. Why the Java icon? Why the Java tag?

    When it comes a day after this flamebait article [slashdot.org] you have to start to wonder if the Slashdot editors are busy with some massive FUD campaign against Sun or if they are just really ignorant.
  • Re:Binary blobs (Score:2, Interesting)

    by atlastiamborn ( 1252206 ) on Friday April 18, 2008 @08:38AM (#23115950)
    What I'd really want is some way to have both the proprietary Flash player and gnash installed side by side and an easy way to switch between them. That way, you could just use gnash until you hit some file that it has trouble with and then just switch over.
  • by dargaud ( 518470 ) <slashdot2@@@gdargaud...net> on Friday April 18, 2008 @09:31AM (#23116386) Homepage
    I don't know either Flash or VMs in general, but in order for the attacker to return a fake value from a malloc call, shouldn't the attacker already have control of libc (in C) or of the internals of the VM in that case? Meaning he already can do whatever he wants...
  • Re:flashblock ftw! (Score:4, Interesting)

    by Hatta ( 162192 ) on Friday April 18, 2008 @10:09AM (#23116840) Journal
    Or use NoScript. I don't know why anyone would use Flashblock when there's NoScript.
  • Try again (Score:1, Interesting)

    by Anonymous Coward on Friday April 18, 2008 @10:17AM (#23116922)
    Attitudes like yours are the reason people keep getting owned. There are tons of ways to get around NX. You could do the pwn to own thing and use something like Java to allocate an executable range. Or you can use a return to libc style attack. There's so much crap running in a browser that you have nothing but options.
  • by Flaming_cows ( 798162 ) * on Friday April 18, 2008 @10:26AM (#23117020)
    Yes, it's easily patchable once you realize it's there, and yes, it should have been easy to check for. This isn't as revolutionary as the summary might suggest, but it is still interesting. The way Dowd jumps through a bunch of hoops to achieve the exploit is interesting to learn from, in the same way a perfect shot in pool or pitching a no-hitter might be to a sports fan. Dowd showed an amazing amount of technical skill by putting together all the pieces, and people are reacting to that more than the specific bug(s) that allowed it, though those are interesting as well in some ways.
  • Re:flashblock ftw! (Score:3, Interesting)

    by Inda ( 580031 ) <slash.20.inda@spamgourmet.com> on Friday April 18, 2008 @10:27AM (#23117030) Journal
    LiquidCoooled is right.

    Try it on an old PC (450 MHz in my case) with many applications running. I can often hear the sound from the Flash player advert or video before it is 'blocked'.
  • Re:Binary blobs (Score:3, Interesting)

    by Peter La Casse ( 3992 ) on Friday April 18, 2008 @10:37AM (#23117144)

    What I'd really want is some way to have both the proprietary Flash player and gnash installed side by side and an easy way to switch between them. That way, you could just use gnash until you hit some file that it has trouble with and then just switch over.

    I do that on my Kubuntu desktop. I use Konqueror with gnash as my default browser, and when it can't handle something I right click and select "open this page in Firefox" (which has the adobe plugin installed.)

  • Re:Binary blobs (Score:1, Interesting)

    by Anonymous Coward on Friday April 18, 2008 @11:02AM (#23117516)
    Do you care about Flash as anything other than an audio/video container? If that's all you need, then just use mplayer to play the video. I have been doing this for a long time, and it works wonderfully. It is far better than using any Flash player. There are Greasemonkey scripts to automate the whole process for Youtube now too.
  • Re:flashblock ftw! (Score:3, Interesting)

    by LiquidCoooled ( 634315 ) on Friday April 18, 2008 @11:08AM (#23117612) Homepage Journal
    Without checking I cannot be certain, but I would imagine that anything hooking onto the DOM event tree is too late.

    It may be interesting to see if noscript suffers similar issues.

    Maybe some enterprising young security guy could investigate (send reports to Flashblock so they can make improvements if required).
