lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAHCxs98mWnUWcN_JKa3turn7=NM68KbrneaHfbBfKwxMPY1CQw@mail.gmail.com>
Date: Fri, 19 Jul 2013 12:52:41 -0700
From: Fermín J. Serna <fjserna@...il.com>
To: dailydave@...ts.immunityinc.com, full-disclosure@...ts.grok.org.uk
Subject: Flash JIT and spraying info leak gadgets

Hi,

Back in Fall/2012 I did some research on Flash JIT code generation.
This research and lack of constant blinding resulted on the following
paper (including Win7/IE9 exploit code for CVE-2012-4787) where Flash
could be used for ASLR bypass on IE by spraying ROP info leak gadgets.

Document: http://zhodiac.hispahack.com/my-stuff/security/Flash_Jit_InfoLeak_Gadgets.pdf
Exploit code: http://zhodiac.hispahack.com/my-stuff/security/Flash_Jit_InfoLeak_Gadgets/

I just found today (without notification form Adobe) that Flash 11.8
implements JIT constant blinding. So consider this technique gone but
older versions may still be used for info leak purposes. :)

Enjoy,

---
Fermín J. Serna

Web & Blog: http://zhodiac.hispahack.com
Pgp key: http://zhodiac.hispahack.com/gpg/zhodiac.asc
Twitter: @fjserna

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ