Adobe Flash Pwn2Own details released by ZDI...

... and unfortunately leaves much to be desired.  I think many people were hoping for the disclosure from ZDI to contain a lot of details on what could've been exploited with this issue; unfortunately, the details just aren't really there.  In fact, after reading it, I think I have more questions than I do answers.

We now know the vulnerable function, and we also know approximately what an attacker might do to try to exploit the issue, so any vulnerability researchers out there who want to take a crack at creating a proof of concept have at least a starting point. Still, the advisory really left a lot up to the reader's imagination.

There is no mention from ZDI about whether this vulnerability in Adobe Flash would be exploitable on *Nix or Mac, despite the previous details clearly indicating it was a cross-platform flaw.  The ZDI advisory is quoted below:

ZDI-08-021: Adobe Flash Player DeclareFunction2 Invalid Object Use Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-08-021

April 8, 2008

-- CVE ID: CVE-2007-6019

-- Affected Vendors: Adobe

-- Affected Products: Adobe Flash Player

-- Vulnerability Details: This vulnerability allows remote attackers to execute code on vulnerable installations of Adobe's Flash Player. User interaction is required in that a user must visit a malicious web site.

The specific flaw exists when the Flash player attempts to access embedded Actionscript objects that have not been properly instantiated.

In order for exploitation to occur, an attacker would have to modify a DeclareFunction2 Actionscript tag within an SWF file. Exploitation of this vulnerability can result in arbitrary code execution under the context of the currently logged in user.

-- Vendor Response: Adobe has issued an update to correct this vulnerability. More details can be found at:

http://www.adobe.com/support/security/bulletins/apsb08-11.html

-- Disclosure Timeline:

2008-02-07 - Vulnerability reported to vendor
2008-04-08 - Coordinated public release of advisory

-- Credit: This vulnerability was discovered by:

    * Javier Vicente Vallejo
    * Shane Macaulay, CanSecWest 2007 PWN2OWN Winner

-- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com
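The advisory above names DeclareFunction2 as the ActionScript construct an attacker would modify inside an SWF, but says nothing about how to check a file for it. As an added example that is not part of ZDI's advisory or of Adobe's code, here is a small Python walker that opens an SWF (uncompressed FWS or zlib-compressed CWS), iterates its tags, and reports every DeclareFunction2 action (AVM1 action code 0x8E) found inside DoAction and DoInitAction tags. That is a triage step, not a vulnerability check: it tells a defender whether the construct the advisory talks about is present at all and where, which is what you want before deciding whether a file needs closer review. The tag and action codes are those of the SWF file format specification; the sample SWF bytes are constructed inline for the demonstration.

```python
import struct
import zlib

DO_ACTION_TAG = 12            # SWF tag carrying AVM1 bytecode
DO_INIT_ACTION_TAG = 59       # like DoAction, but prefixed with a uint16 SpriteID
ACTION_DECLARE_FUNCTION2 = 0x8E   # AVM1 action code for DeclareFunction2


def _rect_byte_len(data, off):
    """Length in bytes of the SWF header RECT: 5 bits of Nbits, then 4 fields of Nbits."""
    nbits = data[off] >> 3
    return (5 + 4 * nbits + 7) // 8


def iter_tags(swf):
    """Yield (tag_code, tag_body) for each top-level tag. Nested tags (DefineSprite) are not walked."""
    if swf[:3] == b"CWS":
        body = zlib.decompress(swf[8:])       # everything after the 8-byte header is compressed
    elif swf[:3] == b"FWS":
        body = swf[8:]
    else:
        raise ValueError("not an SWF file")
    off = _rect_byte_len(body, 0) + 4         # RECT, then frame rate (uint16) and frame count (uint16)
    while off + 2 <= len(body):
        hdr, = struct.unpack_from("<H", body, off)
        off += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:                    # long-form header: real length follows as uint32
            length, = struct.unpack_from("<I", body, off)
            off += 4
        yield code, body[off:off + length]
        off += length
        if code == 0:                         # End tag
            break


def iter_actions(blob):
    """Yield (action_code, payload) for an AVM1 action stream; codes >= 0x80 carry a uint16 length."""
    off = 0
    while off < len(blob):
        code = blob[off]
        off += 1
        if code == 0:                         # ActionEnd
            break
        payload = b""
        if code >= 0x80:
            length, = struct.unpack_from("<H", blob, off)
            off += 2
            payload = blob[off:off + length]
            off += length
        yield code, payload


def find_declare_function2(swf):
    """Return [(tag_index, tag_code, payload_len)] for every DeclareFunction2 action found."""
    hits = []
    for index, (code, body) in enumerate(iter_tags(swf)):
        if code not in (DO_ACTION_TAG, DO_INIT_ACTION_TAG):
            continue
        actions = body[2:] if code == DO_INIT_ACTION_TAG else body   # skip SpriteID
        for action_code, payload in iter_actions(actions):
            if action_code == ACTION_DECLARE_FUNCTION2:
                hits.append((index, code, len(payload)))
    return hits


def build_sample_swf(with_function=True, compressed=False):
    """Constructed one-frame SWF: a DoAction tag with a Push and, optionally, a DeclareFunction2."""
    # DeclareFunction2 record: name "f", 0 params, 2 registers, flags 0, code size 0 (9 bytes)
    func = b"f\x00" + b"\x00\x00" + b"\x02" + b"\x00\x00" + b"\x00\x00"
    actions = b"\x96" + struct.pack("<H", 3) + b"\x00a\x00"       # Push string "a"
    if with_function:
        actions += bytes([ACTION_DECLARE_FUNCTION2]) + struct.pack("<H", len(func)) + func
    actions += b"\x00"                                             # ActionEnd
    tags = struct.pack("<H", (DO_ACTION_TAG << 6) | len(actions)) + actions
    tags += struct.pack("<H", 1 << 6)                               # ShowFrame, empty body
    tags += struct.pack("<H", 0)                                    # End tag
    body = b"\x00" + struct.pack("<HH", 12, 1) + tags               # RECT with Nbits=0, 12 fps, 1 frame
    header = struct.pack("<I", 8 + len(body))                       # uncompressed file length
    if compressed:
        return b"CWS" + bytes([8]) + header + zlib.compress(body)
    return b"FWS" + bytes([8]) + header + body


if __name__ == "__main__":
    print(find_declare_function2(build_sample_swf()))               # [(0, 12, 9)]
    print(find_declare_function2(build_sample_swf(with_function=False)))   # []
```

Run it against a real file with `find_declare_function2(open("movie.swf", "rb").read())`; an empty result means no top-level DoAction/DoInitAction tag declares a function with DeclareFunction2, and a non-empty one only tells you where to look next, since the action is perfectly ordinary in legitimate ActionScript 2 content.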

-Nate

Topics: Security, Enterprise Software


Talkback

13 comments
  • ...

    Like I said before, run it against two configurations of Linux and tell us what you get. ]:)
    Linux User 147560
    • RE: Yeah, but

      Well, run what? There's no published exploit code, and there's very little in the way of details to start working at here.

      -Nate
      nmcfeters
      • ...

        I am asking sincerely not to be a prick, can you get access to it for testing purposes as security blogger / researcher? Or ask for it to be run against the two systems then request some feedback? ]:)
        Linux User 147560
        • I know

          Possibly, but I doubt it. I do know a few people at Tipping Point, which runs the ZDI, but I don't think the original author wrote an exploit for *Nix or Mac, and I doubt he has interest in doing so, since he'd be doing it for free.

          He's also under an NDA. I'm sure ZDI also has NDAs.

          -Nate
          nmcfeters
          • ...

            Just venting in general here... not directed at anyone in particular, so if anyone here takes it personally, that's your issue not mine.

            These damn NDAs and "Won't do it for the better of all unless I get paid" mentality is really getting annoyingly old! IF there is a problem that exists and you know about it then chances are someone else does... so be proactive instead of reactive and either PROVE IT OR GET THE HELL OUT!

            Okay rant over, thanks for at least listening and making an attempt Nate. It's appreciated. ]:)
            Linux User 147560
          • Well

            It's a good sentiment, but not realistic. If you've done some vulnerability research on your own, you know how long this all takes. It takes massive amounts of effort and time, and to be perfectly honest, is usually quite mentally draining.

            It's really not even worth it to get paid, you end up not making back the time you put in. I've always done it cause I think it is fun and I like to speak at conferences, etc. The kicker is, as soon as you've found it and exploited it, the fun is done and you want to move onto the next thing, not bang your head against a wall creating exploits for each target.

            Although I do agree, the NDAs are disappointing because that research is not shared. This is exactly why I don't sell my flaws.

            -Nate
            nmcfeters
  • Currently logged in user?

    [i]Exploitation of this vulnerability can result in arbitrary code execution under the context of the currently logged in user.[/i]

    Is it the currently logged in user or with the credentials of the browser's process? If it is the latter, this attack vector is almost completely neutered by IE7's Protected Mode. Yes, the exploit exists but without the ability to write to any personal or system file, a Vista user is actually quite safe. I would also guess that a SuSE user would be quite safe too through AppArmor. In fact, it would appear that OS X users are the only ones that are in [b]real[/b] danger considering Apple offers them [b]no[/b] 2nd line defense of their personal files. Once the browser [b]or any component activated by the browser[/b] gets compromised, all your [b]personal[/b] files are at risk. Hope you didn't really care too much about your son's 2nd birthday pictures because they are [b]gone[/b]. GULP!! That's okay though, you can always take pictures of his 3rd birthday. :)
    NonZealot
    • Yes, but it's Adobe..

      So their software (unlike similar software like Silverlight) requires a privilege escalation and you get a box whenever Flash runs unless you hit 'always escalate' as almost everyone probably does. Just to run Flash means it is running as the user and not as a low integrity process as most any other IE addon. Yet another reason to hate Adobe, but sadly the internet is a lot less usable without their software.
      jamesrayg
      • You need to elevate to run flash?

        You might want to try removing it and re-installing it. I don't get an elevation prompt when flash runs on my machine (there's a flash ad running in the window as I type this, and I didn't have an elevation prompt).

        To be honest, I don't particularly like Flash (on my machine at work, it leaks memory like a sieve (hundreds of megabytes of RAM leaked every night) and many ads consume 100% of my CPU time), but it's not that bad.
        Larry Osterman
    • Current Logged in User

      My understanding is that it runs in the context of the current logged in user.

      -Nate
      nmcfeters
      • that is limited by default on Vista because UAC is enabled by default

        that is limited by default on Vista because UAC is enabled by default
        qmlscycrajg
  • disable flash

    Until Adobe fixes their flaky software - disable Flash in the browser.
    Use the Flashblock add-on for Firefox.
    Unregister Adobe Flash Player as an ActiveX component for IE.
    Security first and foremost.
    vi0l3t1975@...
    • Eh

      Yeah, maybe, but then again, so much of the web runs on Flash. They expect the fix to be out soon, so personally, I'm going to stick it out.

      -Nate
      nmcfeters