[Full-disclosure] Flash JIT and spraying info leak gadgets
- To: dailydave@xxxxxxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Flash JIT and spraying info leak gadgets
- From: Fermín J. Serna <fjserna@xxxxxxxxx>
- Date: Fri, 19 Jul 2013 12:52:41 -0700
Hi,
Back in Fall/2012 I did some research on Flash JIT code generation.
This research and lack of constant blinding resulted in the following
paper (including Win7/IE9 exploit code for CVE-2012-4787) where Flash
could be used for ASLR bypass on IE by spraying ROP info leak gadgets.
Document:
http://zhodiac.hispahack.com/my-stuff/security/Flash_Jit_InfoLeak_Gadgets.pdf
Exploit code:
http://zhodiac.hispahack.com/my-stuff/security/Flash_Jit_InfoLeak_Gadgets/
I just found today (without notification from Adobe) that Flash 11.8
implements JIT constant blinding. So consider this technique gone but
older versions may still be used for info leak purposes. :)
Enjoy,
---
Fermín J. Serna
Web & Blog: http://zhodiac.hispahack.com
Pgp key: http://zhodiac.hispahack.com/gpg/zhodiac.asc
Twitter: @fjserna
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/