[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAHCxs98mWnUWcN_JKa3turn7=NM68KbrneaHfbBfKwxMPY1CQw@mail.gmail.com>
Date: Fri, 19 Jul 2013 12:52:41 -0700
From: Fermín J. Serna <fjserna@...il.com>
To: dailydave@...ts.immunityinc.com, full-disclosure@...ts.grok.org.uk
Subject: Flash JIT and spraying info leak gadgets
Hi,
Back in Fall/2012 I did some research on Flash JIT code generation.
This research and lack of constant blinding resulted on the following
paper (including Win7/IE9 exploit code for CVE-2012-4787) where Flash
could be used for ASLR bypass on IE by spraying ROP info leak gadgets.
Document: http://zhodiac.hispahack.com/my-stuff/security/Flash_Jit_InfoLeak_Gadgets.pdf
Exploit code: http://zhodiac.hispahack.com/my-stuff/security/Flash_Jit_InfoLeak_Gadgets/
I just found today (without notification form Adobe) that Flash 11.8
implements JIT constant blinding. So consider this technique gone but
older versions may still be used for info leak purposes. :)
Enjoy,
---
Fermín J. Serna
Web & Blog: http://zhodiac.hispahack.com
Pgp key: http://zhodiac.hispahack.com/gpg/zhodiac.asc
Twitter: @fjserna
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists