Understanding and Exploiting Flash ActionScript Vulnerabilities

Adobe's Flash Player has become the most popular rich internet application (RIA) platform today. In recent years we have seen many Flash zero-day attacks in the wild, and researchers' analyses show that black-hat hackers found these vulnerabilities just by 'dumb fuzzing' [1]. On the other hand, one year ago, Dion Blazakis made a fantastic effort that opened the door to leveraging the Flash JIT mechanism for universal ASLR+DEP bypass exploitation (JIT Spray) [2]. Unfortunately, current Flash Player versions have implemented several mitigations, including randomizing the start address of JITed functions, which has increased the difficulty of JIT Spraying exploitation significantly.
But what is the essence of Flash ActionScript-level vulnerabilities? Furthermore, how does one write modern exploits for them? This work goes deep into the ActionScript Virtual Machine 2 (AVM2) and its Just-In-Time (JIT) implementation to answer these two questions.
We use the recent Flash zero-day CVE-2010-3654 as a case study to understand the JIT compiler's behavior and the internal atom (and object) structures. A new JIT-specific vulnerability class called 'Atom Confusion' will be exposed; then we will introduce a novel technique that is used to 'read' arbitrary memory when Atom Confusion happens. As proof, a perfect ASLR+DEP bypass exploit for CVE-2010-3654, which relies on neither a non-ASLR module nor heap/JIT spraying, can be developed successfully.
[1] https://blog.fortinet.com/fuzz-my-life-flash-player-zero-day-vulnerability-cve-2010-3654/
[2] https://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf

CanSecWest 2011