Monday, March 30, 2009

The inhuman Flash vulnerability

A reliable security exploit for Flash is big news, or at least it should be big news, because Flash is on nearly every graphical browser on nearly every operating system, and there's only one supplier. (Sure, there's Gnash, but that's not yet ready for prime-time, and may never be.) A good exploit against Flash could allow Bad People to p0wn nearly every desktop everywhere. So even though this is a year old, this is still important.

Cyberdyne Systems, er, sorry, IBM researcher Mark Dowd demonstrated an incredible vulnerability that allows a single Trojan to exploit Flash in either IE or Firefox while leaving the Flash runtime operating normally. And it can bypass Vista security. Although Dowd doesn't explicitly mention other OSes, I see no reason to believe the same technique wouldn't work on Linux as well.

Start with the vulnerability.

It’s an integer overflow, but not a simple one.
The net result of this silliness is that it’s hard to do what attackers normally do with a write32 vulnerability, which is to clobber a function’s address with a pointer back to their buffer, so that their shellcode is called when the clobbered function is called. So Dowd’s exploit takes things in a different direction, and manipulates the ActionScript bytecode state.
Clobber the right value in the length table, and you can make an unused bytecode instruction that the verifier ignores seem much longer than it is. The “extra” bytes slip past the verifier. But they don’t slip past the executive, which has no idea that the unused bytecode has trailing bytes. If those trailing bytes are themselves valid bytecode, Flash will run them. Unverified. Giving them access to the whole system stack. Game over.

Security is hard.

No comments: