PWN Flash with Reflection and HashTables

Presented at REcon 2018, June 17, 2018, 4 p.m. (60 minutes).

Reflection is the ability of a program to examine, introspect, and modify its own structure and behavior at runtime. AVM2, the virtual machine that runs ActionScript 3 in Flash Player, however, did not implement reflection completely. In this talk, we will introduce how we implemented an AS3-based fuzzing tool that performs random instantiation of new objects, random invocation of methods and random field getter/setter access using the implicit reflection available in AS3. We will also discuss other Flash fuzzing issues such as templates, sanitizing, reproducing, code coverage and so on. This fuzzing system discovered more than 50 Flash vulnerabilities in several months, 23 of which received CVE numbers. Some interesting findings will be shown in this talk.
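To make the "implicit reflection" point concrete, the following ActionScript 3 class is an added illustration written for this page; it is not the presenters' fuzzer, and the names ReflectionProbe, probeClass, randomArg and journal are assumptions. It instantiates a class by name with getDefinitionByName, reads the type description that AVM2 exposes through describeType, and then exercises accessors and methods purely through AS3's bracket syntax (obj[name], obj[name].apply), which is the reflection mechanism the abstract refers to. Every operation is appended to a journal so that, if the player crashes, the sequence can be replayed, which is the reproducing problem mentioned above.

```actionscript
package {
    import flash.display.Sprite;
    import flash.utils.describeType;
    import flash.utils.getDefinitionByName;

    // Added illustration, not the presenters' tool. ReflectionProbe, probeClass,
    // randomArg and journal are assumed names chosen for this example.
    public class ReflectionProbe extends Sprite {
        // Constructed pool of boundary-style values used as arguments and setter values.
        private static const SAMPLE_VALUES:Array =
            [0, -1, 1, 0x7fffffff, 0xffffffff, 1.5, NaN, "", "A", null, true, [], {}];

        // Every operation is recorded so a crashing run can be replayed from the log.
        public static var journal:Array = [];

        public function ReflectionProbe() {
            probeClass("flash.utils.ByteArray", 50);
            trace(journal.join("\n"));
        }

        // Instantiate a class by name and exercise its public API through bracket access.
        public static function probeClass(className:String, rounds:int):void {
            var cls:Class = getDefinitionByName(className) as Class;
            var obj:Object = new cls();            // instantiation by name
            var desc:XML = describeType(obj);      // AVM2's reflection data, returned as XML
            var accessors:XMLList = desc.accessor; // <accessor name=".." access=".." type=".."/>
            var methods:XMLList = desc.method;     // <method name=".."><parameter .../></method>

            for (var i:int = 0; i < rounds; i++) {
                try {
                    if (Math.random() < 0.5 && accessors.length() > 0) {
                        var a:XML = accessors[int(Math.random() * accessors.length())];
                        var prop:String = a.@name;
                        var access:String = a.@access;
                        if (access != "writeonly") {
                            journal.push("get " + prop);
                            var current:* = obj[prop];     // getter invoked by name
                        }
                        if (access != "readonly") {
                            var nv:* = randomArg();
                            journal.push("set " + prop + " = " + nv);
                            obj[prop] = nv;                // setter invoked by name
                        }
                    } else if (methods.length() > 0) {
                        var m:XML = methods[int(Math.random() * methods.length())];
                        var methodName:String = m.@name;
                        var args:Array = [];
                        for (var p:int = 0; p < m.parameter.length(); p++) {
                            args.push(randomArg());
                        }
                        journal.push("call " + methodName + "(" + args.join(",") + ")");
                        obj[methodName].apply(obj, args);  // method invoked by name
                    }
                } catch (e:Error) {
                    // AS3 exceptions are expected noise; only a crash of the player
                    // itself is a finding, and the journal shows how to reach it.
                    journal.push("  -> " + e.toString());
                }
            }
        }

        private static function randomArg():* {
            return SAMPLE_VALUES[int(Math.random() * SAMPLE_VALUES.length)];
        }
    }
}
```

Note that describeType on an instance lists instance members only; calling it on the Class object instead lists static members at the top level and instance members under the factory element, so a harness that wants both has to inspect both descriptions.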

HashTable is an internal structure that stores key/value pairs in AS3. We discovered that it can serve as a new exploit-friendly object, like Vector, ByteArray and String, for bypassing anti-UAF (Use After Free) mitigations (isolated heap, memory protector, length validation of Vector/ByteArray). We will pick one unreported (now patched) UAF vulnerability as an example to show how we exploit a single UAF vulnerability to obtain read and write primitives and bypass all modern mitigations on Win10 x64 1709 with the help of HashTable. More importantly, the exploitation technique we used can generally turn many other Flash UAF vulnerabilities into arbitrary read and write primitives that can be used to bypass all modern mitigations. Finally, we will show a demo.

Presenters:

  • Tao Yan
    Tao Yan (@ga1ois) is a security researcher at Palo Alto Networks. His interests include bug finding, exploits and mitigation bypass; he has also been involved in exploit/APT/malware detection and defense. He was listed as #7 in 2016 and #4 in 2017 by MSRC. He has spoken at security conferences including CanSecWest, POC and HITCON.
  • Bo Qu
    Bo Qu is a Distinguished Engineer at Palo Alto Networks. His skills include vulnerability research and coverage, bug hunting, reverse engineering, binary diffing, exploitability research and analysis, and vulnerability reproduction and coverage. He also does research on iOS, Android and other mobile OS security.
