This is the way the world (wide web) ends...

Robert Hensing linked to a post by Thomas Ptacek over on the Matasano Chargen blog. Thomas (who is both a good hacker AND a good writer) has a writeup of a “game-over” vulnerability that was just published by Mark Dowd over at IBM's ISS X-Force that affects Flash. For those who don’t speak hacker-speak, in this case a “game-over” vulnerability is one that can be easily weaponized (his techniques appear to be reliable and can be combined to run an arbitrary payload). As an added bonus, because it’s a vulnerability in Flash, it allows the attacker to write a cross-browser, cross-platform exploit – this puppy works just fine in both IE and Firefox (and potentially in Safari and Opera).

This vulnerability doesn’t affect Windows directly, but it DOES show how a determined attacker can take what was previously thought to be an unexploitable failure (a null pointer dereference) and turn it into something that can be used to 0wn the machine.

Every one of the “except not quite” issues that Thomas writes about in the article represented a stumbling block that the attacker (who had no access to the source to Flash) had to overcome – there are about 4 of them, but the attacker managed to overcome all of them.

This is seriously scary stuff. People who have Flash installed should run, not walk, over to Adobe to pick up the update. Please note that the security update comes with the following warning:

"Due to the possibility that these security enhancements and changes may impact existing Flash content, customers are advised to review this March 2008 Adobe Developer Center article to determine if the changes will affect their content, and to begin implementing necessary changes immediately to help ensure a seamless transition."

Edit2: It appears that the Adobe update center I linked to hasn't yet been updated with the fix; I followed their update procedure, and my Flash plugin still had the vulnerable version number.

Edit: Added a link to the relevant Adobe security advisory, thanks JD.

Comments

  • Anonymous
    April 16, 2008
    I didn't realize Thomas Ptacek was still around. His paper on vulnerabilities in intrusion detection systems back in the 90's was fantastic.

  • Anonymous
    April 16, 2008
    JD, I've added your link (and the warning that comes with the security update) to the article.

  • Anonymous
    April 17, 2008
    Larry, please, at least put "0wn" in quotes. Can't stand that word. Speaks of low men.

  • Anonymous
    April 17, 2008
    Nathan:  Seriously.  He should have at least gone with "pwnz0r".

  • Anonymous
    April 21, 2008
    How about a modest proposal of sorts: (1) robust error handling of out-of-memory conditions continues to be a problem -- it requires all allocations to be handled correctly. (2) These NULL pointer derefs can now be weaponized. Therefore: (solution) - make all memory allocations that return NULL call abort() [or the language's closest equivalent], to protect the app and the user from themselves. Frankly, I'd rather have OS-level support for this kind of behavior.

  • Anonymous
    April 21, 2008
    @NathanM: So you're saying the OS should crash any app that doesn't have enough memory for one single operation? That seems pretty drastic. Surely the app writer would rather have a chance to simply display an error message to the user rather than dying an unholy death and taking the user's work down with the app. Besides, if you're using C++ allocators (i.e. the new operator), the default behavior is to throw an exception rather than returning a null pointer, so in a sense what you're proposing is already built into the language. It's too late to go back in time and change how C behaves with respect to malloc().

    On another note, it's technically inaccurate to characterize this exploit as "a null pointer dereference". If you read the article you'll see that what's being dereferenced is not a null pointer, but rather (null pointer + some offset controllable by the attacker).

  • Anonymous
    April 21, 2008
    @NathanM: I hope you never get a job as a software developer, or if you already have one I hope you lose it soon if you don't start using that brain of yours. Such ignorant thinking deserves at least some sort of punishment. malloc()'s job is to allocate memory, not to terminate applications. It is up to the developer to decide how they are going to handle the error, and a NULL pointer can be handled just fine in most situations. What if you have 6 unsaved Word documents and malloc() aborts because there is no room for the 7th document you wanted to create? If it aborts, all documents are gone. If it returns NULL, Word can just say "no memory for another document" and you get the chance to save. Which one would you prefer as a user?
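The two failure-handling policies debated in the comments above (report the error to the caller versus abort on allocation failure), together with the earlier point that an unchecked allocation result turns the "null dereference" into a write at NULL plus a caller-chosen offset, as an added C example that is not code from the post, from the commenters or from the Flash bug itself; the `table_t` record type and the `app_alloc` hook are assumed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed example record: a header followed by a caller-sized table. */
typedef struct {
    size_t   count;
    uint32_t slots[];
} table_t;

/* Allocation hook (assumed, not a real API): lets the failure path be
 * exercised on demand instead of by exhausting memory. */
static int g_simulate_oom = 0;
static void *app_alloc(size_t n) { return g_simulate_oom ? NULL : malloc(n); }

/* The point raised in the thread: if the allocation result were used
 * unchecked, a write to t->slots[idx] would not hit address 0 but
 * NULL + header + idx * sizeof(slot), a low address selected by idx.
 * This only computes that offset; it never dereferences anything. */
uintptr_t unchecked_write_address(size_t idx) {
    return (uintptr_t)offsetof(table_t, slots) + idx * sizeof(uint32_t);
}

/* Hardened form, policy 1 (handle the error): allocation failure and an
 * out-of-range index are both reported to the caller; nothing is written. */
int table_create(size_t count, size_t idx, uint32_t value, table_t **out) {
    *out = NULL;
    if (idx >= count || count > (SIZE_MAX - sizeof(table_t)) / sizeof(uint32_t))
        return -1;                        /* bad index or size overflow */
    table_t *t = app_alloc(sizeof *t + count * sizeof(uint32_t));
    if (t == NULL)
        return -2;                        /* out of memory: caller decides */
    t->count = count;
    t->slots[idx] = value;
    *out = t;
    return 0;
}

/* Hardened form, policy 2 (the "modest proposal"): a wrapper that aborts on
 * failure, so no NULL ever reaches code that might index off it. */
void *app_alloc_or_die(size_t n) {
    void *p = app_alloc(n);
    if (p == NULL)
        abort();
    return p;
}
```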

  • Anonymous
    April 21, 2008
    For a much simpler example of this class of exploit, see http://taossa.com/index.php/2007/04/15/bored-games/

  • Anonymous
    April 21, 2008
    I'd be calling the unfair dismissal lawyers if I were fired for having a bad idea. There surely would not be much in the way of innovation at any company that punishes people for having bad ideas.

  • Anonymous
    April 22, 2008
    Igor - Whilst I agree with what you're saying, I utterly disagree with the way in which you said it. "Such ignorant thinking deserves at least some sort of punishment." is just, plain, rude. Manners, please! :-) Larry - "weaponize", is that commonly used in the security field? Either way, I absolutely love it! I suspect my colleagues are going to be driven to utter distraction by the amount I'm going to use it. So much so that any throwable objects on their desks may all of a sudden become weaponized! ;)

  • Anonymous
    April 22, 2008
    NathanM used the phrase "a modest proposal" - I think there's a chance he isn't even in the neighborhood of being serious.
