Exploiting Adobe Flash Player in the Era of Control Flow Guard

Presented at Black Hat Europe 2015

Adobe Flash Player, one of the most ubiquitous pieces of software, is integrated into the operating system on Windows 8.1 and Windows 10. With the introduction of Control Flow Guard (CFG), Microsoft's newest exploit mitigation technology, in November 2014, the Flash Player binaries shipped by Microsoft are now protected by CFG, which inserts a check before every indirect call to verify that the call's destination address is one of the locations identified as "safe" at compile time. Gaining code execution is no longer as simple as overwriting the vtable of an object and calling one of its virtual methods.

We'll start this presentation by discussing an exploitation technique that leverages Flash Player's JIT compiler to bypass CFG, and how Microsoft and Adobe hardened Flash Player's JIT compiler against this technique in the June 2015 security updates. Then we'll discuss three practical data-only attacks, showing how it is possible to take advantage of vulnerabilities in Flash Player while avoiding the mess of having to deal with CFG at all. One of these alternative payloads makes it possible to execute arbitrary commands on the vulnerable system without injecting shellcode or using ROP. Interestingly, detecting and protecting against these data-only attacks can be challenging. Although this talk is focused on the challenges of exploiting Flash Player vulnerabilities on CFG-enabled systems, the techniques and ideas discussed here may be applied to other software.
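As an added illustration (not code from the talk, from Flash Player, or from Microsoft's CFG implementation), the following C program simulates the check that CFG places in front of each indirect call and shows why it stops a classic vtable hijack but says nothing about a data-only attack. The object layout, the hand-built table of valid targets, the `guarded_vcall` helper and the "attacker-chosen data" string are all assumptions constructed for this example; the real CFG bitmap and `__guard_check_icall` routine are not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for a C++ object with a vtable (layout assumed for illustration). */
typedef void (*method_t)(const char *);
typedef struct {
    const method_t *vtable;   /* first field, as in a C++ object */
    const char *arg;          /* plain data the methods operate on */
} object_t;

/* Records what the last dispatched method actually received, so results can be checked. */
static const char *g_last_call = "none";
static void object_render(const char *arg)  { g_last_call = arg; }
static void object_destroy(const char *arg) { g_last_call = arg; }

static const method_t REAL_VTABLE[] = { object_render, object_destroy };

/* Simulated CFG target set. Real CFG uses a bitmap built by the compiler and
 * linker from every address-taken function in the image; this hand-built table
 * is an assumption for illustration only. */
static const method_t VALID_TARGETS[] = { object_render, object_destroy };

/* Stand-in for __guard_check_icall: is `target` an allowed entry point? */
int cfg_check_icall(method_t target) {
    for (size_t i = 0; i < sizeof VALID_TARGETS / sizeof VALID_TARGETS[0]; i++)
        if (VALID_TARGETS[i] == target) return 1;
    return 0;
}

/* A virtual call as CFG-instrumented code emits it: check first, then call.
 * Returns 0 if the call was dispatched, -1 if the check rejected it
 * (real CFG raises a fast-fail and the process is terminated). */
int guarded_vcall(object_t *obj, int slot) {
    method_t target = obj->vtable[slot];
    if (!cfg_check_icall(target)) return -1;
    target(obj->arg);
    return 0;
}

/* 1. Classic vtable hijack: the attacker swaps the vtable pointer for one
 *    they control and points slot 0 into a "shellcode" buffer. */
int attempt_vtable_hijack(void) {
    static unsigned char shellcode[4] = { 0xcc, 0xcc, 0xcc, 0xcc }; /* int3s, never executed */
    static method_t fake_vtable[2];
    fake_vtable[0] = (method_t)(uintptr_t)shellcode;
    fake_vtable[1] = (method_t)(uintptr_t)shellcode;
    object_t obj = { fake_vtable, "victim" };
    g_last_call = "none";
    return guarded_vcall(&obj, 0);   /* -1: the buffer is not a valid target */
}

/* 2. Data-only: the vtable is untouched, so the indirect call still lands on a
 *    genuine entry point and the CFG check is satisfied; only the data the
 *    legitimate method consumes has been overwritten. The string written here
 *    is a constructed placeholder, not a payload from the talk. */
int attempt_data_only(const char **observed) {
    object_t obj = { REAL_VTABLE, "benign.swf" };
    obj.arg = "attacker-chosen data";   /* the memory-corruption write lands here */
    g_last_call = "none";
    int rc = guarded_vcall(&obj, 0);    /* 0: check passes, attacker data is used */
    *observed = g_last_call;
    return rc;
}

int main(void) {
    const char *seen = NULL;
    printf("vtable hijack -> %s\n",
           attempt_vtable_hijack() == -1 ? "blocked by CFG" : "dispatched");
    int rc = attempt_data_only(&seen);
    printf("data-only     -> %s, method received \"%s\"\n",
           rc == 0 ? "dispatched" : "blocked", seen);
    return 0;
}
```

The point the simulation makes is the one the abstract relies on: the check only asks whether the call target is an address-taken function entry, so corrupting what a legitimately reachable function operates on never trips it, which is why detection has to look at the data and the effects rather than at control flow.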


Presenters:

  • Francisco Falcon - Core Security
    Francisco Falcon is a Specialist Exploit Writer at Core Security. He has been doing reverse engineering since 2004. He has published several security advisories detailing low-level vulnerabilities in software products from IBM, Oracle, Novell, Google, and SAP, among others. He is interested in reverse engineering, programming, vulnerability research, and exploitation. Francisco has been a speaker at security conferences such as REcon (Canada, 2012 and 2014), Ekoparty (Argentina, 2013) and Hack.lu (Luxembourg, 2013 and 2014).
