More details on the Pwn2Own Flash flaw that won the Vista machine

Summary: So, I've been pretty surprised by the response to the discussion of the Flash flaw that allowed the Vista machine to be compromised in the Pwn2Own contest.


[Image: Alexander Sotirov (SolarEclipse) and Shane Macaulay (k2)]

So, I've been pretty surprised by the response to the discussion of the Flash flaw that allowed the Vista machine to be compromised in the Pwn2Own contest.  I'm working on getting an interview with Alexander Sotirov and Shane Macaulay (see image, courtesy of ZDI's official site) to discuss the issue, but in the meantime, I think we can make some reasonable assumptions from the details that have been released in an InfoWorld article:

Macaulay, who was a co-winner of last year's hacking contest, needed a few hacking tricks courtesy of VMware researcher Alexander Sotirov to make his bug work. That's because Macaulay hadn't been expecting to attack the Service Pack 1 version of Vista, which comes with additional security measures...

For those who aren't familiar with Sotirov, he's of JavaScript Feng Shui fame, which is basically a new method of heap spraying that allows the exploit code to have a predictable target address where it will be located in the heap.  So they team up and get to work:

Under contest rules, Macaulay and Miller aren't allowed to divulge specific details about their bugs until they are patched, but Macaulay said the flaw that he exploited was a cross-platform bug that took advantage of Java to circumvent Vista's security.

Hmmm... does this sound familiar to anyone?  See my posts (part 1 here and part 2 here) on the flaws that John Heasman spoke of in Java which require it to turn off features like DEP in operating systems that provide these protections.  So my guess, and I feel it is an educated one (of course time will tell), is that Sotirov helped out by providing some additional hacker ninjitsu by helping Macaulay load this Flash attack through a Java Applet, thus turning off any DEP protections the operating system provides.  Heck, I wouldn't even be surprised if he used the applet to do some fancy heap spraying to load the shellcode from the heap.  The article continues:

"The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place," he (Macaulay) said in an interview shortly after he claimed his prize Friday. "This could affect Linux or Mac OS X."

Macaulay said he chose to work on Vista because he had done contract work for Microsoft in the past and was more familiar with its products.

Aha, so there is your story right there: this flaw could've worked on any of the systems; however, the contest rules state that the same exploit can only be used to compromise one machine (see rule #2 from the web page, which states "You can't use the same vulnerability to claim more than one box, if it is a cross-platform issue."), and Macaulay used Vista because it was what he was more familiar with.

So I guess we can end the OS wars about whose is better.  Perhaps I could just put up a poll so we could vote on it and get that all over and done with.  So now, we should be pointing the finger at Adobe for allowing this flaw... or wait a minute, should we be pointing it at Sun since it doesn't play nice with DEP?

  • Or should we blame Microsoft

    For their inability to push DEP sooner, get more of a response out of developers sooner, and break applications that have been coded wrongly for years.

    That would be the ABMer's excuse anyway.

    NBMer would say that Adobe is at fault for not putting the man power behind their development cycle and getting with the program in time.
    • RE: Microsoft

      Haha, well here we go again.

      Actually, I agree, it would've been nice if we had those protections sooner, and it would be nice if Microsoft could force everyone to opt-in.

    • MS has had DEP support since XP SP2

      Which is over 3 1/2 years old now. I think the delay in adding DEP protection was lack of widespread hardware support.
      • RE: MS has had DEP since XP SP 2

        Actually, that is a great point. DEP isn't just a software deal, it's also that the chip has to support the NX flag, so yeah, it would make sense why it took so long to come out.

      • To sum up the battle in a few lines

        [b]Microsoft:[/b] Here comes Vista, That DEP thing is now Mandatory

        [b]Developers:[/b] Wait, that's not enough time, We won't be ready.

        [b]Microsoft:[/b] Too bad.

        [b]Developers:[/b] Fine be that way, we will just make you look bad

        [b]End Users:[/b] Our Apps won't work on this beta!!!! Make them work

        [b]Developers:[/b] This is all Microsoft's fault

        [b]End Users:[/b] Microsoft, fix this or we will complain more

        [b]Microsoft:[/b] Alright, developers can have their way.
        • Nice summation (nt)

        • RE:

          Yep, that sounds about right :)
        • Forgot last 2 steps...

          [b]Pwn2Own:[/b] We own Vista through a program that doesn't do DEP.

          [b]Developers:[/b] This is all Microsoft's fault for not requiring DEP.
    • Sorry not this time.

      The problem isn't with Microsoft, it's with Java and systems that support Java. The fact is that Java was used to bypass system security. Java has always been a risky tool because it allows an outside process to have access to system resources. If you have control of which resources you can gain control of, you can control the computer running Java. That would be the gist of this particular flaw.

      So, this particular bug can't be laid at Microsoft's feet unless you want to fault them for supporting Java's virtual engine. And if you do that, you need to blame every graphical user interface based operating system capable of browsing the web.
      • Oh, NO! I have to disable Java [i]AGAIN[/i]?

        So what it all comes down to is that after just installing Vista SP1, I have to disable Java [i]AGAIN[/i] to be secure? Oh, hamburgers.
        • I have it always disabled

          Not worth the problem.
  • Point at Sun for allowing Java to bypass DEP protection.

    I don't trust Java's "virtual machine" for security, let alone not passing down the DEP protection to any applets/applications that use Java.
    Grayson Peddie
    • RE: Point to sun

      Yeah, the fact that the JVM needs to turn off DEP is scary. I'm not sure if they are fixing that or not.

      • "Turning off DEP"????

        I am confused - if DEP can be turned off via software then what use is it, since malware is [b]also[/b] software?

        Suppose you run a JVM as a non-privileged user on a DEP-enabled machine: Does the JVM still disable DEP?
        • No

          The JVM can't "turn off DEP". Any application, however, can allocate executable memory pages. That's how JIT compilers work; they construct machine code in memory that must be executed right then and there.

          I don't know the details of the JVM attack, but it probably exploits the fact that a JVM host process always has at least some memory pages that are both writable and executable, whereas a normal native code process only has pages that are executable but nonwritable (code) and writable but nonexecutable (data).
          Guy Smiley
          • RE: No

            I do believe you are wrong on this one. I'm not an expert with how DEP is implemented on all systems but I can say that you can most definitely turn it off, and in fact have to so that the JVM will work in IE7. See the following link, specifically the work around section gives examples.

          • Something's not right...

            If the JVM [i]inherently[/i] needs to execute data then it couldn't possibly expect to work on [b]any[/b] machine with hardware DEP and an OS that supports it. And that's most modern x86 hardware and OSs these days...
          • Not really...

            Even on machines with hardware DEP, most OSs allow applications to allocate memory pages that are both executable and writable; see VirtualAlloc() / VirtualProtect() on Windows and mmap() / mprotect() on Unix/Linux.

            If the JVM on Windows can't work with DEP as Nate says, then that's only because it has a bug, probably due to their programmers' incorrect assumption that data pages are executable by default.
            Guy Smiley
          • You misunderstood me...

            Yes, the administrator can turn off DEP in Windows, either globally or by using whitelists or blacklists. A program can also opt in or out of DEP using its manifest.

            However, no program running without elevated privileges can change the DEP settings, so Zogg's fears are unwarranted. The JVM can't and doesn't make any attempt to turn off DEP. It simply has a bug that requires the administrator to turn off DEP for the host process (IE in this case).
            Guy Smiley
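An added W^X audit example, following Guy Smiley's point above that a JIT host process keeps pages that are both writable and executable while a normal native process should not; it is not code from the post or any commenter. It parses Linux /proc/self/maps-style lines and counts mappings whose permission field has both 'w' and 'x'; the sample map text is constructed and the function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Count map lines whose permission field (second token) holds both 'w'
 * and 'x'; each line is copied out so sscanf never reads past a newline. */
int count_wx_mappings(const char *maps_text)
{
    int count = 0;
    const char *line = maps_text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512], perms[5] = {0};
        size_t n = len < sizeof(buf) - 1 ? len : sizeof(buf) - 1;
        memcpy(buf, line, n);
        buf[n] = '\0';
        if (sscanf(buf, "%*s %4s", perms) == 1 &&
            strchr(perms, 'w') && strchr(perms, 'x'))
            count++;
        line = nl ? nl + 1 : line + len;
    }
    return count;
}

/* Audit the running process (Linux only); -1 if /proc/self/maps is absent. */
int audit_self(void)
{
    static char text[1 << 16];   /* longer maps are truncated */
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    size_t n = fread(text, 1, sizeof(text) - 1, f);
    fclose(f);
    text[n] = '\0';
    return count_wx_mappings(text);
}

/* Constructed sample: one JIT-style anonymous rwx region among normal ones. */
static const char *SAMPLE_MAPS =
    "55d0c0000000-55d0c0001000 r-xp 00000000 08:01 1234 /usr/bin/host\n"
    "55d0c0201000-55d0c0202000 rw-p 00001000 08:01 1234 /usr/bin/host\n"
    "7f3a10000000-7f3a10100000 rwxp 00000000 00:00 0\n"
    "7f3a20000000-7f3a20021000 rw-p 00000000 00:00 0 [heap]\n";

int main(void)
{
    printf("sample: %d W+X mapping(s)\n", count_wx_mappings(SAMPLE_MAPS));
    printf("self:   %d W+X mapping(s)\n", audit_self());
    return 0;
}
```

A non-zero count for a process that is not a JIT host is worth investigating; on Windows the equivalent check would walk the map with VirtualQuery, which this Linux-only example does not do.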
  • This contest had only one loser.

    The problem with this "contest" is that the press was allowed to comment on it. Now we have stupid slogans like "unhackable Linux" littering the search engines. Anyone who believes such nonsense deserves to get hacked and most likely will. It also buries two important features of Linux security: it takes longer to hack (not indefinitely), and the speed at which the vulnerability is fixed (not just patched) is in days, not months. Now I've noticed an eerie quiet from the Microsoft-friendly bloggers on this subject. When Vista or whatever OS Microsoft is peddling finally beats Linux in such a contest, as it most likely will some day, I fully expect a pent-up torrent of schoolyard taunts to come gushing from the blogosphere. Just remember this: no serious Linux security specialist is calling Linux "unhackable Linux" or anything like it. It's the idiots who should know better.