Nytro

CVE-2012-0769, the case of the perfect info leak



Author: Fermin J. Serna - fjserna gmail.com | fjserna google.com - @fjserna

URL: http://zhodiac.hispahack.com/my-stuff/security/Flash_ASLR_bypass.pdf

Code: http://zhodiac.hispahack.com/my-stuff/security/InfoLeak.as

SWF: http://zhodiac.hispahack.com/my-stuff/security/InfoLeak.swf

Date: 23/Feb/2012

TL;DR Flash is vulnerable to a reliable info leak that allows ASLR to be bypassed, making exploitation of other vulnerabilities in browsers, Acrobat Reader, MS Office and any process that can host Flash trivial, as in the old days when no security mitigations were available. Patch immediately.

1. Introduction

Unless you use wget and vi to download and parse web content, the odds are high that you are exposed to a vulnerability that renders useless nearly all security mitigations developed in recent years.

Nowadays, security relies heavily on exploitation mitigation technologies. Over the past years there has been some investment in the development of several mechanisms such as ASLR, DEP/NX, SEHOP, heap metadata obfuscation, etc. The main goal of these is to decrease the exploitability of a vulnerability.

The key component of this strategy is ASLR (Address Space Layout Randomization) [1]. Most other mitigation techniques depend on the operation of ASLR. Without it, and based on previous research from the security industry, DEP can be defeated with return-to-libc or ROP gadget chaining, SEHOP can be defeated by constructing a valid chain, and so on.

Put simply, if you defeat ASLR, we are going to party like it is 1999. And this is what happened: a vulnerability was found in Adobe's Flash Player (according to Adobe [2], installed on 99% of user computers) that, with some magic explained later, resulted in a multiplatform, highly stable and highly efficient info leak that could be combined with any other vulnerability for trivial exploitation.

This vulnerability, CVE-2012-0769, together with another one that my colleague Tavis Ormandy found, was patched in version 11.1.102.63 [3], released on 05/Mar/2012.

According to Adobe, all versions earlier than 11.1.102.63 are affected by this vulnerability. Flash users can check their current version and the latest available one at Adobe's website [4].
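As an added example (not part of the advisory), the version check a defender would run across an inventory of hosts: it compares an installed Flash Player build against the fixed release 11.1.102.63 numerically, field by field, so that a build such as 11.1.102.9 is correctly treated as older than 11.1.102.63 (a plain string comparison gets this wrong). The inventory dictionary is constructed sample data.

```python
# Added example: flag Flash Player builds older than the release that fixed
# CVE-2012-0769. Accepts dotted ("11.1.102.63") and comma-separated
# ("WIN 11,1,102,63", the form the player itself reports) version strings.
from typing import Tuple

FIXED_VERSION = "11.1.102.63"  # fixed release named in the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a Flash version string into a tuple of ints for numeric comparison.

    A leading platform token (e.g. "WIN") is dropped, commas are accepted as
    separators, and missing trailing fields are padded with zeros.
    """
    token = text.strip().split()[-1] if text.strip() else ""
    parts = token.replace(",", ".").split(".")
    if not token or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash version string: {text!r}")
    fields = tuple(int(p) for p in parts)
    return fields + (0,) * (4 - len(fields))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fix and is therefore affected."""
    return parse_version(installed) < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> Flash version reported by the host
    inventory = {
        "ws-01": "11.1.102.62",
        "ws-02": "11.1.102.63",
        "ws-03": "WIN 10,3,183,15",
        "ws-04": "11.1.102.9",
    }
    for host, version in inventory.items():
        status = "VULNERABLE" if is_vulnerable(version) else "patched"
        print(f"{host:<6} {version:<18} {status}")
```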

Download:

http://zhodiac.hispahack.com/my-stuff/security/Flash_ASLR_bypass.pdf
