Merken

More Flash, More Fun!

Zitierlink des Filmsegments
Embed Code

Automatisierte Medienanalyse

Beta
Erkannte Entitäten
Sprachtranskript
have bed and do that and I
know who do not have a certain do do not and
will the alright so now I'd like to introduce release of average Google who has spoken
recon before on the on the terminology the initiative which is cool so quarterback thanks that and I think I have to say up front that this talk has nothing to do with Tamagotchi is because people keep asking so I'm sorry to disappoint you but today I'm talking about Adobe Flash specifically finding and exploiting exploiting blackbags in Adobe Flash I think doing said didn't the security review of flashed for over a year now and they found lots and lots of bugs so today I'm going to share with you guys some of the highlights some the most interesting bugs I found and how exploited them but
before I begin who am I I'm not so that over time a security researcher on Google's project 0 before I some projects 0 I worked on mobile security and BlackBerry and Android as a lot of people don't realize is up to about 5 years ago back in the dark ages that's fairly common for mobile devices is to use the ends of the root of trust the most common 1 was obviously the Java virtual machine but there is even 1 device the BlackBerry PlayBook that use Adobe AIR Adobe Flash as its main VM so that's how I really got into flash and monitoring projects 0 that was something I wanted to look at that right away so now I'm a real flashing busiest L of finding bugs in flashes lovemaking was sad puzzle piece appeared and currently I find 1 3rd of class vulnerability is about 100 bags so far so what's my goal I want to find
all of the platform abilities i wanna find every last 1 and sometime around 20 22 I will found the very last class by albeit flashily secure and course that's not a realistic goal what I really wanna do is make flash better Eleanor find as many bugs as possible to reduce the by density so it becomes harder to find bugs and the MIT we've also been working on last mitigation is to make it more difficult exploit flash in the case that by does get found the so I talk about
today to start often gonna do a quick overview of the attack surface of flashing people are familiar and I talk about how I find flash bags and gives some sample bags and finally all talk about the new mitigations and had explained last bags and give an example of a flashback that exploited so false 3 main components the 1st 1 is ActionScript this is the legacy philosophy and it's basically a big interpreted FOR loop the very 1st VM the flash had em just when it was started and as a reduced API said was eventually replaced with a different via and a 3 so I really only has the features of flash had early on and I would say it generally has more bags with a lower exploitability and has not of bags because I'm because it's old a lot of design choices were made it would not be made today and so it becomes a lot more difficult to both prevent new bags ActionScript to enter a fix the existing ones because there's things that you IBM's have like automatic type-checking the just impossible based on how this all and is designed and the flip side is in it tend to have lower exploitability because sometimes when you're exploiting a bargain something you need to use other stuff other features of the software maker exploit work and for example you need to fill up a slot on the heap and use it for use after free your user it or overflow it and with this to you because the features are limited sometimes it's a lot harder to find that thing that will make your exploit work so i'm but any a student at lower exploitability and yes it is true that you can open up a frame in S 3 alone s to and sometimes that's enough to get your exploit working but sometimes it isn't there's a lot of bugs and I'll show you some examples of these where the I'm window is very narrow and the only thing that you can and execute between say I'm freeing a pointer and the winter being used is has 2 and so sometimes it can be difficult to exploit these types of bikes that there are a lot of them and also kind of the blurry boundaries between the IBM and the API is as I said this is just a huge for loop and chaos 30 is the action is is the answer yes to it's a modern via and with the just-in-time
compilation in and a fallback interpreter but its extendable if you really wanna write your own flesh API in compile them in the ABM 3 you absolutely can but it has to heat to garbage-collected heap which I would describe as a non-strict non-exact and is not very aggressive it does eventually free and free everything there is also a fixed even this is used for a certain fixed datatypes like that that's where you want to actually manually allocate and free the memory is optimized for fast you can use it for whatever you want in fact that both of these components are open source avian 3 is open source is Cameron on Mozilla and and the heap is open source as m MG SEOmoz on 11 see definitely can find and build these yourself if you want to and this open source closer CPIs so although I really comment on Quora flash classes like array in vector and that sort of thing there open source and then there's some proprietary API is things like bit-mapped filtering their proprietary to Adobe and I'd seen a S 3 bags are less dense but more exploitable certifying bags because it's better designed but if you do find 1 you have hands and to features you can use for exploitation the and if I plot of flash is what we call the anti corpus and this is all the functionality outside of script so this is the empty for parsers of libre Jackson is all the libraries that process data types that are really part of script they also answer with a
quick warning objects and nearer larger than they appear if you try to exploit flat 1 of the problems will come across is the objects are really really big in fact the way too big for these slides so and for some examples I really compress them might be pointers to pointers to pointers just pointers and these are conceptually correct for what I'm describing but if you wanna try this at home and it isn't gonna work in some situations so if you want to see the nitty-gritty details of these bugs I recommend you check out the projects 0 tracker I have all the details there so I we find a
flashback there's 3 main ways you can do with her code review and you can do it to reverse engineering is actually using or you can do with revising and start off I find most of my bags code review of it's even in the west side of it is it finds deep unusual bugs and say at least until this year when he found a biker code review we'd be pretty sure that no 1 else defined as seen by Igor was fairly unlikely although they're starting to be a lot more contention on flashbacks these days of course the downside is requires source but as I said I am a lot of flash is open-source a lot of ActionScript 3 years and it takes it was at upfront investment it's not easy you code understand so it takes a while to figure out what's going on but I'm once you put in the investment you combine bugs quite quickly for example I started looking at flash once I ran up I was finding 1 by good day for like several weeks until I started slowing down so once you understand flash source you can find bugs quite quickly what takes the bikes that it's really easy to find through code review is take confusion bikes and fundamentally what these are is casting 1 type to another type that's incompatible and 1 of the best of confusion bags when you can cast an integer to a pointer a pointer to an integer because then you can start a massive memory units was to modify the center the highly exploitable although there are a few ones that aren't so good and don't have as much potential and he these is defined code review a reverse engineering and they're very common ActionScript to because as I said they don't have the a monarch take taking features the ActionScript as
but the that said you can still find taken fusion bugs in ActionScript 3 and to give you an example of a typical ActionScript 3 but involves taking views and I found this to do with how exceptions work ActionScript and for a hands of figuring out what to do with exceptions is actually quite hard I have my Grumpy Cat here and he's saying both designs are bad because there's 2 ways you can handle I'm exceptions from natives in both of them have their problems the way ActionScript to as it is if you're running a native code and that native code calls and a script that script throws an exception that's not handled it will keep going in the native and on the positive of that is 0 never end up in an unexpected state due to an unexpected exception because it keeps running and the downside is that sometimes developers think when they throw an exceptional stop execution it doesn't had ever seen a bargain flash due to that problem but I have seen bugs in other begins to that problem so it is a bit of a concern I'm ActionScript 3 behaves differently at the time it takes the other choice and if you throw an exception from script in in ActionScript 3 it'll stop execution the and the problem with that is dangling pointers if you can throw an exception at any time in its in native code then maybe you freed something then you throw an exception and then I'm that that pointers dangling so I can be a problem of course the plus side is that an exception always thought execution which is sometimes what people expect so in this case so this is an S 3 and it occurs due to an exceptionally can catch and they fix it by making it a fatal error basically through an exception that should have been fatal but it isn't so here is this summer
by it but both occurs encode and in this was filed on the left I have the code and on the right I have the assets in this swift file and these are some even just modify using a hex editor and you'll notice that you can have different sets of different types of Belafonte there in a video there and then part of the problem here is that there are fixed assets and these are ones that are created by the B. M. and they have reserved values and fortunately you can just override is reserved values and yourself defined thing will replace them but that would be OK except for the exception handling so you this code to create a text field and then this creates I would call a movie object and it has pointed pointed to this asset but then it actually detects that it's the wrong type and then what it does it is kind of weird as it changes the type 2 of the right type and the reason it does that is so that it doesn't detect this ever again and you don't get stuck in a loop when you're trying to shut down the player but unfortunately the flare doesn't shut down if you catch this exception so then you can just create a new text field and then it will create this pointer again but now it's of the wrong type B vector corrected it to be the right type such take confusion your casting this font takes the text fields hate and that's probably an exploitable by and I think about like I saw
tens and tens of grammatical super constructor bugs and the secure ActionScript too and they have to do with how you can override construction constructor ActionScript 2 I have here an example of the memory layout of an object in ActionScript 2 and this is actually quite relevant all the bugs all show you you In ActionScript to all script objects are the same size and so if the a video a large image or whatever that doesn't matter if they have the front script object it is always the same size and then they have the backing object which varies in size and has the real content of the object like the video or the image and what's interesting is they also have a corresponding delete function and this will free any memory that gets allocated is the part part of creating this stacking object for example let's say it's an image and then this and backing image object is a pointer to more pixels and there's no way to free that meaningfully unless you can also define a function to free because you don't know what's going its last referencing a garbage collected and that's what they do you can define this function and then last important part of an object is the properties and this is the proto and and everything you consider to be an actress script properties so if you say you know a dot B equals C B equals C will go in your properties table the so this spike happens is when you call a constructor this is the flow 1st you you fetch proto infrastructure anatase gets the script code that contains the constructor and then you call the constructor on the object but if you know how I'm object-oriented programming works that can just call the constructed as you have to call the super super instructor 1st and then a stupid instructor and the constructor so it goes through this chain and calls the super chain and calls the constructor and that should set that need data and its corresponding destroy func that's optional because for example your backing object adjusted integers and it and those that need to be freed and this is actually the problem and also you are the here's a part that I found recently I think it was fixed in the March update and it's about them to do with super instructors so the 1st thing you do is you create a watch on object and watch is something that every time the value of this variable gets change it'll trigger some code that you can define to set this watch and then you call on the file reference constructed and what this does is it immediately tries to change this property that you have a watch on so you jump into the function that you to find and you can redefine the construct constructor like this and then you call into the super constructed the and what that does is is as I said it sets the need data and then it says the destroy found and then that's that but you have the previous constructor you try to call and then still unwind so unwinds and it sets this sum bit-mapped tied to the file reference type but as I said and setting destroy fungus optional and this object doesn't need to so you end up having the wrong delete funct further right for a different object and that's once again type confusions that tries to cast something to the wrong type and interesting K confusion by
the was this 1 which I found in October pose interesting about it is I reported in in 2 weeks later was found in the wild extent confusion in serialization behavior and is due to some kind of weird behavior was implemented in the BM also found 2 similar but which were fixed in an emergency patch as 1 dimension then under these bugs compile I'm gonna show you conceptually what that code for the bags does that you can't really compelled this cogex have alter the byte code in the swift to make it work so the officers from the Open source AVM code and this is an interesting chapter what this check does is it books for binding in checks whether its binding then what this is actually doing is making sure that when you extended object you're not overriding a function with anything that's not a function like an integer and so will notice about this check which is like a lot of interesting text is commented out it is not actually perform this and that is very problematic the so to make it a little bit clearer what you can do that should violate your sense of all things object-oriented programming is and you have up here the super class and then you extend it by creating this public bar that is an integer that has the same name and you absolutely should not be able to do that but you can and so it this interesting is for these functions called right external numbers corresponding 1 called read external a what they do is there a way to override serialization so if you're using flash you don't like what the serializer is doing you can you can define these functions of the next time you try to serialize something it will just give you the object in your code has to be the vector of the back and then further corresponding 1 it will give you the beta-ray to deserialize and you have to give it the object so to do this in the b and when it tries to do is fetch this right external um function so we can call it serialize something in the the 1st thing it does is it gets this function binding but is not a function binding it's an integer cause totally override with an integer and then it calls this method binding to method ID which you can make that so that it steps outside of this array because it's not actually a method and then you're calling of this ritual method on just memory that is somewhere on the heat the you can control and so this will issue that turned up in the wild and you can see how it happened due to their commented out checking that the end so can the next made that a lot of people find bugs is using IDA and I think this is the most common way that people find bugs this is completely and citation needed this is just based on me asking people who find a lot of bugs how they found them unlike code review undefined a lot of deep unusual bugs and has long ramp up and it's lower defined bugs but still I know a lot of people have been very successful with this method i where the interesting bugs that came out reverse engineering was what I call movie clip use after freeze and these were 1st found from by low as far as I know when he found them using Ida and UN is a very very common class of bags of more than 100 of them were reported this year and by this year end in 2015 and and they're still continuing to be reported actually at known to 0 and this year and 4 out of 5 of the bikes where this class and they still keep being found on the downside of them is that they have a small variety of freedom objects there's lots of these bikes they always and use after free the same thing and I think we're starting to get to the end of them being exploitable without other bugs but are still there and they're still exploitable in some situations and the cause of this some bike is actually fairly interesting it happens because there's certain display fields in flash that really get free if you free them even if they're still references to them which you know is not the way that things are supposed to work but it was designed this way for an important reason basically in class you can imagine you're trying to make a text field scroll across the screen and when we might implement this is great text delete text no pretext elderly textual protects field Li textfield non-matching you had garbage collection instead would be protected free text field garbage collector to cause lagging and create text field so for these specific objects they really delete them even if those references so you don't have that like situation when the reflector runs but obviously this is problematic for security reasons more specifically this is also an ordering problem it happens when function parameters are converted after local variables are initialized before they're used and it can be fixed by enforcing a convert initialize use order and if you look at the for example browsers that can be susceptible for this type of problem that's typically what they do they have a strict coding style that says you have to convert things 1st and then that prevents them the use of the freeze and it's hard to be sure you're always doing something in the same order in code but I'm even making an effort to do things in this order can really reduce these bugs so here's an example of 1 I found recently I think this was fixed in March it's of these after free due to the ad property method so the 1st thing that happens is you create a movie clip and that creates this script object and then the backing object like a showed in the other example and then you add a what's 2 of the a property of the function so I showed that there in this once again calls and describe the script every time you change the property again and I call this function add property and this function the 1st thing it does is it creates pointers to these objects and locally on the stack and then it will try and set this a object as it adds the property which is a getter and setter so it does that and then this coils remove movie clip which is 1 of those functions that really deletes the movie clip and any of these dangling pointers that are used in the rest of the function so so that the way I am you can find bugs in flash is revising and in a lot of this with my colleague Meteosat anyway of size if you surfaces and this is all 3 I talked about a has to history and a corpus and so far we've just done generation vising where you are mutated templated going do know there are people out there who do generation facing about the bug reports in Flash where the parts are so insane and have so much code in them that there's no way that they never would have been produced other than in armed with generation fuzzing but never tried this personally what they noticed about the flash vising in this is true about a lot of things is that it's very dependent on the time but a lot of software you know flashes all these features and most with use like 30 per cent of the features so it's important to have a really broad said if you're gonna do mutation parsing on if the bags are of lower quality and that's why I have kind of faster question mark you do find a lot of bugs that a lot of them are null pointer exceptions in you can spend a lot of time going through the bugs trying to find the good ones but we definitely found good bags that way and the last thing is that he really matter here and 1 of the early problems that we had with fuzzing was that we would have test cases that would actually exercise about but it wouldn't crash and the kind 2 ways you can get around that 1 is if you're building the ABM yourself you have to put in the debug mode and that just puts CA CA CA over the heat every time you free something and it's really crude method but it does find a lot of use after freeze because every time you free something it guarantees of something users it and treated as a pointer it will crash on the other way you can do this if you don't wanna recompile stuff is just create swift with the frame that really turns the heap a lot and then load stuff in the frame and then that makes it more likely that stuff will craft and if there is a use after 4 years some other heat by and so here's an example of now the use after free that we found with parsing and I thought they were kind of 2 interesting things about it on 1 is you I look for this type of bargain this was 1 that I did not find looking for this type of by you and I probably should have and the 2nd thing is that we did find this through fuzzing and it's an MC use after free so this shows that only some of this type of but can also be found through fuzzing so am this works like the previous MNC use after freed and you create a movie clip object that has the backing object and then in this case you create an object and then use the @ property function properly now actually add a getter or a center and then you call this vulnerable function which is duplicate movie clip alike in the other example it creates pointers to this and then it will trigger the getter and setter when it calls this method which um where the where the object does is when you create a movie clip the object is used to set its properties so it run through every property in call tries to copy it which is what is that and then you can use that to delete the movie clips and then once again you have this use after free situation we also found them tensor products through media fuzzing we started off I'm doing M 4 is in other media types and we found a few bugs and heap overflow and Kodak and before file causes that corruption and then there was an image files but uses the 5th died in Poland 2 0 in this year and by consent and and they of use the heap overflow in image processing so I got back in Martin was like
yeah we totally have to start buzzing images and this found them I've got 3 bags here you there you've overflows 1 of an out of bounds read and I have dot dot dot because there's a few more that are going to be fixed this week and is actually quite a promising way to find bugs so there are going to talk a bit about flash medications and how to explain some of these bugs in flash and flesh litigations in the past calendar the past year and there's been 3 big stages a starting last August I'm starting with the vector medications I'm so that communications and deal with an exploit method that actually has been seen since that 2013 and the way this works is there's an object in a S 3 and flash call vector and it was in line metadata a length and but it also has the online data which can be integers are objects are any type so what the attacker would do is they would allocate a vector that would fit in a slot the got corrupted I was really nice about these M vectors was you know they can be bigger or smaller they can be any type so you can really get 1 allocated anywhere you had about like and then you'd clobber the length field and then the next any access this vector you can access anywhere in memory space because there is no length check anymore and vector mitigation did a few things to get rid of this under started added checksums the vectors that checked before insensitive functions so now if you do clobber the length of the vector then on before when you can access it will fail check sums and then crashed on the other thing it did it is it I put some vectors on their own he page and this makes it less likely that a body that is able to override those vectors will happen in the 1st place because you know they're on their own he that there's nothing that actors on on the same general this had a few of fact someone is it deftly read reduce the reusability of exploit code up there are lots of situations including the hacking team dump in August where we saw that certain people were just using the same exploit code over and over again and is at least forces them to write some new code for every new by the use of also I would see it generally increases the quality of bug needed for and exploit some the bags I saw exploited with this method where you know really really low quality by these things like you know there is 1 bite at location 27 anywhere 3 bits of it can be said that that sort of thing and I think this some mitigation makes it less likely that the very very low wind bugs are exploitable know if you have a good but again it's fairly easy to get around this but if you have a bad but I get it becomes a lot harder some people say that you can substitute the beta-ray or bit-mapped data but I this is not as good as I'm was really good about the vector was that you could change the size of it and the battery in the bit map data are set typeset length so if you have about where you know you happen to be able to slot 1 of those in yes you can override these we could at this point and then get rewrite memory access once again you need a special bite you can't use any for that on the 2nd iteration so that was the ISO he and I am but this did is it splits the heat into 3 partitions the pointer partition the non winter partition in the dangerous partition pointer when it was obvious everything the pointer non pointers is data and dangerous is things that have a history of being exploited and this is a quite perfect because of there's some objects that contain both pointers indeed and have to decide where to put them but um it does make exploitation and a bit different bit more difficult because if you think about it most exploits involve at some point confusing data for pointers are confusing pointers for data so far all on their own heaps then that's a lot harder to do and this iteration also put checksums on the beta-ray so if he could clobber 1 once again it would fail a check some check as soon as you try to access it and then cause a crash and it also included some jet spray medications and this prevents a situation where you use jet to cook create a lot of code that you can put the instruction pointer anywhere into there a few X with involved that in this and makes them more difficult I'm so the example of the impact of these mitigations all 0 the this by which is found in the wild in December and it was in the most interesting bug itself was an integer overflow in the open-source Verifier but what was interesting was that the swift contains 2 exploits 1 was on 3 August and was a typical vector exploitation and 1 of them was recently got around the mitigations and included such elements as if statements nested 95 times a 650 characters long using both an AVI file an image to fill the slots at different points in the exploit during the bug 670 times and then eventually they I'm pretty the checksums on a byte array and that's how they got read write memory access so it's kind of 2 things to learn from here and what is that so the this didn't prevent exploitation but to they had to really really want to do it you can just see how much work this was compared to the vector exploits so I the is the 3rd mitigation set and these were a few at changes in the partitioning fairly subtle just changing were certain things went that were pro and exploitation and they also added at the data check something out this so that was another an object that tended to get overwritten also that extendable checksumming so that if this happens in the future it's really easy to add checksums to a new object and it also recently implemented free zeroing so certain objects them when they get free vilket 0 right away this this is sort of mid and mitigation because of events and exploits but it it's real then if it is in discoverability there were some years after freeze we'll look at them and you're like how did that not happen in normal use new look some more it would be like well that actually did totally happen in normal use all the time and this will make it all of those crash and hopefully be more detectable in get fixed more quickly so I'll share you an exploit I wrote for at this about they're found in February and up and it bypasses the ISO heap iteration 1 but not iteration 2 because the but close before then and it requires a separate and Foley so this is a by them Taliesin I found through Freising and you know looking at this proof of concept that you guys all can totally see what's on here but what was actually wrong here is an so again ActionScript 2 which is what this code is in when you call a function in it allocates on the stack memory but there's a minimum size of lot actually allocate 8 bytes even though it's 0 and then with this feature function then you convert convert the 1st arc to a string but there is no 1st oryx so it calls this initialize them value on the stack and 1st it checks whether the pointer ends in 6 a returns if it doesn't analytical the virtual method on it and what kind of a weird thing to do and this has to do with how type-checking works in Flash take checked the situations where the online bits of the pointer are used as an to check the type of a pointer and flash so that's where this some check is doing its checking whether this is an object type and then using the pointer and converting it so this so looking at this this Kenneth 3 ways you can exploit it to start off you know it's definitely exploitable if I'm illus bypassed if you can do that then you can obviously we call a virtual function on something and get code but without that and there's a few different options on 1 was to use an absolute pointer but in that case you definitely have to bypass they'll ASL our separately and that the idea was to initialize on the point here is a pointer of the wrong time frame and you get a pointer to something else on the stack and then use it but the problem with that is that ending in 6 things right that really limits the pointer is you've got because how many pointers are there really that and then 6 and 2 ideas for this and 1 was that I could use a string and maybe get a string offset that's ends in 6 and we're doing some sort of arithmetic but the problem with that is because the strings are UTF 16 strings you only get to zeros it terminates which means they're getting a 64 bit pointer in there would can be hard on the other thought I had was to use a bit not to do that but it actually has the same problem of bit maps and flash that subsequent plates are all multiplied by the 1st due to transparencies so that was also not really an option because you can't get arbitrary values in an image very easily the 3rd an idea I had was was actually invented by the ISO he was to use are still point here and give up again a pointer to an object and I would and in 6 and then you could free that object and then get up to point to something else than maybe you could writing exploit that way but with the ISO he families in 64 bit there only 2 other objects that were allocated in the same spot as the object was freed up book or uh there were the same size as an object that it's free of the specific type that the point here and that ends in 6 . 2 and both these were kind a useless and they have lots of zeros in the and and that sort of thing so that wasn't really an option so I ended up using option 1 because I accepted at this point that I had to use a different dialog to exploit and this original by
so I pair it with an this other by they found and this is a read only use after free in the sound class it also has to do with exception handling like I explained earlier I'm so of start off but you create this sound objects and this sound object and it actually does have the I'm other object pointing to it but I haven't shown that because I'm is not relevant in this case we have this backing object and then i it points to the and PCM data create this new class and I know the pointers instead to anything and then he created by the red and this 1 has a thousand bytes and then you call this function what this does is it allocates memory for this array and then it unloads it out of the battery that you've allocated so that memory is there so a pretty new better and this 1 is sized to and you call this function again and it deletes the array and tries to read out of the data except you know there isn't even after data for a float there's only 2 bytes so this throws an exception in which you can then catch and this pointer is now dangling and you can then use you can that you then use this pointer into memory using the Extract function and so this is a fairly good info leak but the isolated he actually made this a little bit problematic to because the PCM data is pointers to data and ideally you'd like to get a pointer to a pointer so you can read 1 and 0 and bypass Salus are so I had to look around quite a bit before I found something that could be allocated in the data partition and eventually found that when the ABM is calculating jet it sometimes I'm allocates a specific object with at the table on the data he so that I could use this bargain make the same data just the right size of this object is allocated there and then read at the table and then that bypasses Ellis are now I know where everything is so I'm living on the next problem here is that I need some contiguous buffers and it's it's a an ongoing problem in Flash exploitation there actually aren't a lot of good contiguous buffers in class and as the he gets more separated and it's getting harder for most of the contiguous data types like batteries in vectors are now in the dangerous partition so I'm I'm combining and these 2 methods and map and determine preferred locales of to learn create some continuous data buffers so starting off we have the term preferred locales and this is some 1 of those functions you know you just look at the signature and you can tell that it's going to be useful you have the 2 factors that are input and what's kind a cool about these vectors is you can control both their length and the length of the string and that's very useful so you have this character of buffer that you can control the length of over the character stop buffer that you can control the length of any of the string you control the length of the 1st thing you do is you get this allocated somewhere where the sound PCM was then you can use the sound but just to read where that was and once you read this will probably get deallocated but doesn't matter you know what the pointer to that string is now and then is eventually this some string will get free to so I need to use these other function and this is another 1 and where you know you can see just from the signature that it probably allocates continuous data because it has all these arrays in it to and actually what it does is it creates an is integer reasoning copies them into memory C set this up so that it gets allocated as the same in the same spot as the string which is also data so now you have and this into interrelated that you can control that's allocated exactly where the string is so now you have both an array you can control and I'm a pointer to it the and I'll explain what's in the array in a 2nd I'm and this is good but you actually want them to buffer is because am this specific by the original and watch I get calls into a virtual function so ideally you like to create a fait object with a fake the table and call into it so it is of course just do this again with the 2nd rectangle is something called to your preferred locales and ending at the pointed to the memory uh and um appointed to this rhetoric and then the final thing you have to do is i'm trigger the UN watchdog and and this is the code I actually used to do it and you can see it's basically a recursive function involving this function calls what depths and what this does is it makes the stack really really high on you can do this generally calling recursively and flash because I'm the flash stack isn't the real stack but if you do a thing where you have a need method that calls into a script method because into a native method on and the calls are all from the Newton method you can build the real start really really high and then put stuff on it and in this case I'm putting a strain on it and you know little known fact is in Flash if a string is static unless the jury 56 by 2 taxi allocated on the stack so that was a nice and easy way to get out some data on the stack now and thing that's problematic about this and I mentioned earlier that strings in some flatter UTF and 16 so it's hard to get lots of zeros in them but funnily enough that's only the case in strings you create dynamically in script if you have a string in this with and that has different and zeros in it and this will actually come out and memory and so I'm excellent ended up working was that I created ones with a new little that once with and that 1 bypasses LSR and then it creates the structures in memory and then it gives the right pointed to out aware that there is wrote in Python and is python generating use with that has all the pointers in the static strings and then you will that's with that battle actually trigger the body and with the correct pointer in it so this is how it works then you have the and what function it passes this 6 check because you're giving a pointer that you calculated yourself up and then it gets converted the object to call the ritual function and then this calls into disarray and which acts like a b table and indexes to where this middle interiors and this will call you're rock gadget which you will then call system with that however commended put at the top and that's code execution the so and that's pretty much it I inclusion of finding bugs in class i is generally getting harder and I am as I find that kind of relative usefulness of each of the methods is changing over time and as I said when I started I was finding 1 budgetary with code review no problem now I'm down to about 1 by the week and a other methods that are a bit slow where unlike fuzzing are starting to become more useful but it seems to be that it there's also an friends with these types of techniques the more you know you find like certain ways other people start doing the same thing they start I'm getting more depleted so I I suspect over time I'm going to end up using all of these to find bikes depending on where the I'm still available of as indications are also effective but it's definitely possible to exploit stuff as well I'm turning it's important that we do both of these on both improve mitigation is and I'm defining by so there's less of them and flash becomes more secure so that's a no on and off by thinking Adobe there are actually quite helpful in this research they've been really good about both and fixing my by exact and and implementing mitigations and flat said I like open up for questions
Chubb questionnaire that but the bed I think that the it any more questions chat at this that the in but so are the flesh types is what can you say about the I mean it seems like in many of these thing with pointers could have quantum our ChIP-on-chip I
yes that that that is true of white wine or what on this a few reasons like an ActionScript 2 is definitely the worst for type checking I think that's just because they you peel back before they're really a lot of vulnerabilities and flash and before you know I X was in the wild or even really a thing like even in the nineties and this is when it was designed and they made this decision where we're going to have an object with a pointer to the object and a tight and the developer has to manually check that every time they make a call or else it could be an invalid and that that causes tons and tons of problems and I think if have the were to do it today and they wouldn't but in ActionScript 3 that's actually a lot better they made it so that you define stuff as stubs and then the code that has the type checking is auto-generated that's way better and that happens makes technician happen a lot less and the reason it still doesn't ActionScript 3 is actually usually because a developer and didn't follow conventions they intentionally did something we're that they weren't supposed to do and because the problem so I guess the R and I think that yes 3 is reasonable but the mistakes made in estuarine OK can go away there's no way to fix them at this point the the I can you reach rough similar to our is to I mean you would break some cold but yeah I think like as we would probably require a writing the whole thing over at its is the set extensive change and that will last question that so let's of like the rate of 30 let out blitz of lighter the rubric you reach the lives of older of flesh mitigations but can you are have you the have you tried looking what those exploits with doing is that yeah I am not sure unlikely don't know anything about that as you look slimmer and his group a while ago I did a bit of flesh hardening uh that the time a way as to whether you've so yeah I if there haven't seen that but it's been a while OK this effect but the it was but datasets at
Flash-Speicher
Tamagotchi
Mittelwert
Computersicherheit
Flash-Speicher
Computeranimation
Programmfehler
Computersicherheit
Applet
Klasse <Mathematik>
Mobiles Internet
Humanoider Roboter
Systemplattform
Computeranimation
Dichte <Physik>
Programmfehler
Virtuelle Maschine
Flash-Speicher
Softwareschwachstelle
Flash-Speicher
Projektive Ebene
Project Zero
Wurzel <Mathematik>
Rahmenproblem
Dichte <Physik>
Klasse <Mathematik>
Gruppenoperation
Nichtflüchtiger Speicher
t-Test
Computeranimation
Eins
Open Source
Loop
Flash-Speicher
Software
Flächentheorie
Bildschirmfenster
Stichprobenumfang
Unordnung
Datentyp
Programmbibliothek
Skript <Programm>
Skript <Programm>
Zusammenhängender Graph
Zeiger <Informatik>
Auswahlaxiom
Interpretierer
Lineares Funktional
Typprüfung
Open Source
Interpretierer
Vektorraum
Exploit
Parser
Quick-Sort
Gruppenoperation
Programmfehler
Randwert
Pufferüberlauf
Flash-Speicher
Mereologie
Speicherverwaltung
Speicherverwaltung
Vektorpotenzial
Open Source
Güte der Anpassung
Nichtflüchtiger Speicher
Ruhmasse
Quellcode
Code
Computeranimation
Eins
Programmfehler
Rechenschieber
Objekt <Kategorie>
Flash-Speicher
Einheit <Mathematik>
Ganze Zahl
Reverse Engineering
Datentyp
Ablöseblase
Projektive Ebene
Inhalt <Mathematik>
Zeiger <Informatik>
Bit
Subtraktion
Maschinensprache
Code
Computeranimation
Videokonferenz
Eins
Flash-Speicher
Loop
Font
Datentyp
Skript <Programm>
Softwareentwickler
Zeiger <Informatik>
Sichtenkonzept
Sechsecknetz
Systemaufruf
Ausnahmebehandlung
Vektorraum
Elektronische Publikation
Auswahlverfahren
Programmfehler
Objekt <Kategorie>
Texteditor
Datenfeld
Menge
Rechter Winkel
Mereologie
Computerunterstützte Übersetzung
Fehlermeldung
Aggregatzustand
Bit
Spiegelung <Mathematik>
Gewichtete Summe
Freeware
Browser
Datensichtgerät
Compiler
Computeranimation
Eins
Videokonferenz
Byte-Code
Skript <Programm>
Funktion <Mathematik>
Softwaretest
Parametersystem
Konstruktor <Informatik>
Lineares Funktional
Schnelltaste
ATM
Kategorie <Mathematik>
Physikalischer Effekt
Computersicherheit
Systemaufruf
Ausnahmebehandlung
Tensorprodukt
Konfiguration <Informatik>
Generator <Informatik>
Verkettung <Informatik>
Datenfeld
Ganze Zahl
Rechter Winkel
Kategorie <Mathematik>
Ordnung <Mathematik>
Tabelle <Informatik>
Varietät <Mathematik>
Subtraktion
Rahmenproblem
Hausdorff-Dimension
Mathematisierung
Klasse <Mathematik>
Nichtflüchtiger Speicher
Gefrieren
Systemzusammenbruch
Zahlenbereich
Code
Flash-Speicher
Variable
Syntaktische Analyse
Software
Flächentheorie
Objektorientierte Programmiersprache
Datentyp
Vererbungshierarchie
Inhalt <Mathematik>
Zeiger <Informatik>
Maßerweiterung
Bildgebendes Verfahren
Touchscreen
Pixel
Zehn
Open Source
Bildanalyse
Vektorraum
Elektronische Publikation
Datenfluss
Konstruktor <Informatik>
Programmfehler
Office-Paket
Objekt <Kategorie>
Patch <Software>
Fuzzy-Logik
Pufferüberlauf
Last
Hypermedia
Mereologie
Programmierstil
Serielle Schnittstelle
Speicherverwaltung
Speicherbereinigung
Verkehrsinformation
Bit
Konfiguration <Informatik>
Punkt
Gewichtete Summe
Virtualisierung
Gemeinsamer Speicher
Extrempunkt
Familie <Mathematik>
Schreiben <Datenverarbeitung>
Iteration
Betrag <Mathematik>
Element <Mathematik>
Raum-Zeit
Computeranimation
Homepage
Gebundener Zustand
Kreisbogen
Metadaten
Gerade
Lineares Funktional
Befehl <Informatik>
Dicke
Typprüfung
Termersetzungssystem
Zeiger <Informatik>
Exploit
Ereignishorizont
Konfiguration <Informatik>
Datenfeld
Menge
Ganze Zahl
Beweistheorie
URL
Zeichenkette
Telekommunikation
Subtraktion
Rahmenproblem
Mathematisierung
Nichtflüchtiger Speicher
Gefrieren
Systemzusammenbruch
Code
Flash-Speicher
Datentyp
Zeiger <Informatik>
Drei
Bildgebendes Verfahren
Open Source
Programmverifikation
Vektorraum
Elektronische Publikation
Partitionsfunktion
Quick-Sort
Programmfehler
Mapping <Computergraphik>
Objekt <Kategorie>
MIDI <Musikelektronik>
Pufferüberlauf
Speicherabzug
Speicherverwaltung
Normalvektor
Proxy Server
Bit
Klasse <Mathematik>
Nichtflüchtiger Speicher
Rechteck
Keller <Informatik>
Term
Code
Computeranimation
Eins
Leck
Flash-Speicher
Puffer <Netzplantechnik>
Datentyp
Quantisierung <Physik>
Skript <Programm>
Newton-Verfahren
Indexberechnung
Inklusion <Mathematik>
Datenstruktur
Zeiger <Informatik>
Analytische Fortsetzung
Array <Informatik>
Lineares Funktional
Dicke
Relativitätstheorie
Güte der Anpassung
Stellenring
Systemaufruf
Ausnahmebehandlung
Physikalisches System
Vektorraum
Exploit
Ein-Ausgabe
Elektronische Unterschrift
Partitionsfunktion
Teilbarkeit
Programmfehler
Mapping <Computergraphik>
Objekt <Kategorie>
Automatische Indexierung
Schwimmkörper
Information
Pufferspeicher
Innerer Punkt
Lesen <Datenverarbeitung>
Tabelle <Informatik>
Zeichenkette
Soundverarbeitung
Bit
Punkt
Mathematisierung
Gruppenkeim
Systemaufruf
Exploit
Bitrate
Code
Entscheidungstheorie
Objekt <Kategorie>
Flash-Speicher
Menge
Softwareschwachstelle
Datentyp
Vorlesung/Konferenz
Zeiger <Informatik>
Maßerweiterung
Softwareentwickler

Metadaten

Formale Metadaten

Titel More Flash, More Fun!
Untertitel Finding and Exploiting Bugs in Adobe Flash
Serientitel REcon 2016
Teil 13
Anzahl der Teile 20
Autor Silvanovich, Natalie
Lizenz CC-Namensnennung 4.0 International:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.
DOI 10.5446/32746
Herausgeber REcon
Erscheinungsjahr 2016
Sprache Englisch

Inhaltliche Metadaten

Fachgebiet Informatik
Abstract Adobe Flash is a popular target for attackers in the wild. This presentation describes my research into Adobe Flash, which discovered over a hundred vulnerabilities in the software. It details some strategies for finding bugs through code review, fuzzing and reverse engineering and provides examples of bugs discovered using these methods. It also examines recent exploits, and how they bypass new Flash mitigations.

Ähnliche Filme

Loading...