Null Pointer Exploit in Flash



  • Please direct your attention to Dowd’s 25-page bombshell on a Flash bytecode attack.

    Some context. Reliable Flash vulnerabilities are catastrophes. In 2008, we have lots of different browsers. We have different versions of the OS, and we have Mac users. But we’ve only got one Flash vendor, and everyone has Flash installed. Why do you care about Flash exploits? Because in the field, any one of them wins a commanding majority of browser installs for an attacker. It is the Cyberdyne Systems Model 101 of clientsides.

    So that’s pretty bad-ass. But that’s not why the fate of humanity demands that we hunt down Dowd and dissolve him in molten steel.

    Look at the details of this attack. It’s a weaponized NULL pointer attack that desynchronizes a bytecode verifier to slip malicious ActionScript bytecode into the Flash runtime. If you’re not an exploit writer, think of it this way: you know that crazy version of Super Mario Brothers that Japan refused to ship to the US markets because they thought the difficulty would upset and provoke us? This is the exploit equivalent of that guy who played the perfect game of it on YouTube.

    (from: http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/)

    The implications are staggering; guess how many people have Flash installed worldwide? And this will work on most of them.



  • This is exactly why you block ActiveX controls by default, and make good use of the "Trusted sites" list instead.



  • The important thing is not that this is that unnatural abomination that is Adobe/Macromedia Flash. It is that he has worked out how to exploit the common error of dereferencing a null pointer. Normally, the reason that a video player or other program can crash is that a malformed input file is causing it to use a pointer before it sets it - this is dereferencing a null pointer.

    This work takes this annoying bug and makes it a security exploit. One upside is these types of crashes really annoy me, and now developers are going to be taking them seriously.



  • @robbak said:

    The important thing is not that this is that unnatural abomination that is Adobe/Macromedia Flash. It is that he has worked out how to exploit the common error of dereferencing a null pointer. Normally, the reason that a video player or other program can crash is that a malformed input file is causing it to use a pointer before it sets it - this is dereferencing a null pointer.

    This work takes this annoying bug and makes it a security exploit. One upside is these types of crashes really annoy me, and now developers are going to be taking them seriously.


    Or, they might not...



  • Not everyone has Flash installed. I don't have Flash installed, and I never did. I won't install it.



  • @zzo38 said:

    Not everyone has Flash installed. I don't have Flash installed, and I never did. I won't install it.
    Anyone who runs Linux x64 is guaranteed to not run Flash.



  • @Lingerance said:

    @zzo38 said:
    Not everyone has Flash installed. I don't have Flash installed, and I never did. I won't install it.
    Anyone who runs Linux x64 is guaranteed to not run Flash.

    Actually, you can install Flash on Linux x64: http://ubuntuforums.org/showthread.php?t=202537

    Even Java works.



  • @Lingerance said:

    Anyone who runs Linux x64 is guaranteed to not run Flash.
    Speak for yourself...



  • @redct said:

    Actually, you can install Flash on Linux x64: http://ubuntuforums.org/showthread.php?t=202537

    Even Java works.

    Thanks for the link. I always wondered why people who were running x64 Linux couldn't just use the 32-bit FF binaries. TRWTF is needing a 64-bit desktop OS.



  • @morbiuswilters said:

    TRWTF is needing a 64-bit desktop OS.
    Dev station.



  • @Lingerance said:

    @morbiuswilters said:
    TRWTF is needing a 64-bit desktop OS.
    Dev station.

    I was mostly joking, but I'm envious of anyone who has more than 64GB of RAM.



  • @morbiuswilters said:

    @Lingerance said:

    @morbiuswilters said:
    TRWTF is needing a 64-bit desktop OS.
    Dev station.

    I was mostly joking, but I'm envious of anyone who has more than 64GB of RAM.

    A 64-bit desktop can only have 64GiB of RAM? WTF!



  • @djmaze said:

    A 64-bit desktop can only have 64GiB of RAM? WTF!

    No, 32-bit is limited to 64GB, which is why I would be envious of anyone who needed a 64-bit desktop computer.



  • @morbiuswilters said:

    No, 32-bit is limited to 64GB, which is why I would be envious of anyone who needed a 64-bit desktop computer.

    With 32 address bits you're still limited to 2^32 bytes = 4 GB. 64 GB are only addressable with a 36-bit address bus, which is what PAE does. That really does nothing for normal applications, which still run in a 4 GB virtual address space (of which only 2-3 GB may be usable, depending on the address space layout). So saying that 64-bit architectures are only useful with > 64 GB memory is rather dishonest :)

    Of course, with techniques such as paging and overlays, an application that really wanted to could swap its memory in and out to disk as needed, and use an "infinite" (well, limited by the disk capacity) amount of memory that way. So why do we even need 32-bit computers? I'm sure that with a little creativity it wouldn't be too hard to manage 4 GB+ data sets on 16- or even 8-bit architectures. The majority of the CPU time would be spent swapping memory and performing address translation, though, so it'd probably be as convenient to program as a single-head Turing machine with only half an infinite tape.

    /still running a 32-bit OS on a 64-bit machine



  • @Nandurius said:

    With 32 address bits you're still limited to 2^32 bytes = 4 GB. 64 GB are only addressable with a 36-bit address bus, which is what PAE does. That really does nothing for normal applications, which still run in a 4 GB virtual address space (of which only 2-3 GB may be usable, depending on the address space layout). So saying that 64-bit architectures are only useful with > 64 GB memory is rather dishonest :)

    What part of my posts made it seem I wasn't aware of this? I never said 64-bit is only useful for more than 64 GB of memory; I said I was envious of anyone who had more than 64GB of physical memory. I also don't know of any desktop apps that need more than 3GB of memory, although I'm sure there are some specialized multimedia or engineering apps that probably do. My point was that almost everyone would be fine with a 32-bit OS, but if you are amongst the few that have a need for more, then you're doing something extraordinary.



  • @morbiuswilters said:

    My point was that almost everyone would be fine with a 32-bit OS, but if you are amongst the few that have a need for more, then you're doing something extraordinary.

    Depends on whether you want 32- or 64-bit data blocks.

    It isn't about extraordinary--it's about actually doubling the amount of data a CPU can process per clock cycle. Servers and high-end workstations have been reaping the technology's benefits for years.

    A 64-bit chip has the power to dramatically improve the performance of your more demanding applications, such as audio and video encoding, complex engineering programs like CAD, and--of course--games.

    Oh, and 64-bit data blocks are useless with 32-bit applications; it could even be slower, depending on whether your system puts 2x32 in 1x64 or just 1x32 in 1x64.

    So yes, for simple OpenOffice/Word documents or a Flash animation you can stick with 32-bit.



  • @djmaze said:

    It isn't about extraordinary--it's about actually doubling the amount of data a CPU can process per clock cycle. Servers and high-end workstations have been reaping the technology's benefits for years.

    Uh.. wat? It's about being able to address a larger amount of memory or work with larger numbers. That doesn't mean "doubling the amount of data a CPU can process per clock cycle". You will get over a 2x performance boost when working with 64-bit ints, but that's not very common in desktop apps.

    @djmaze said:

    A 64-bit chip has the power to dramatically improve the performance of your more demanding applications, such as audio and video encoding, complex engineering programs like CAD, and--of course--games.

    Wow, that sounds like marketing speak. Most apps (including games) are compiled to run on 32-bit archs. Hell, it's still a bit of a pain just to get an OS and drivers that work in 64-bit mode.

    @djmaze said:

    Oh, and 64-bit data blocks are useless with 32-bit applications; it could even be slower, depending on whether your system puts 2x32 in 1x64 or just 1x32 in 1x64.

    This is why 32-bit apps are run in 32-bit mode.

    @djmaze said:

    So yes, for simple OpenOffice/Word documents or a Flash animation you can stick with 32-bit.

    How many apps do you use on a regular basis that work with 64-bit ints or that need more than 3GB of memory? Even if you do, most people do not; therefore your needs are extraordinary.



  • I'm confused... since when was Mario a Flash hacker?

