
April 16th, 2008

Mark Dowd's null pointer dereference exploit and advanced Flash ActionScript techniques prove definitively: Aliens Do Exist!

Posted by Nathan McFeters @ 10:06 pm

Categories: Adobe, Exploit code, Flash, Hackers, Vulnerability research

Tags: Research, Adobe Systems Inc., Blog, Blogging, Team Management, Internet, Management, Nathan McFeters

[Image: Jordan over Ehlo]

Alright, I’m just going to start out with a little background before I start, this particular research was so cool that I’ve been talking about it all day.  Reading this whitepaper, written by Mark Dowd, was as exciting to me as watching highlights of Michael Jordan sinking that winning shot, which when you look at the replay looks like he’s jump kicking Craig Ehlo right in his face.  In fact, Dowd’s research is that cool, that’s right, cool enough to kick Craig Ehlo in the face.  Here’s an image (to the right) in case you don’t remember.

Just a bit of background, null pointer dereference issues are unbelievably difficult to exploit, and in fact, currently in most cases they are not exploitable.  Barnaby Jack had some research describing techniques for specific architectures and situations where it may be exploitable, and skape (aka Matt Miller) plus Skywing (aka Ken Johnson) discussed some of this in the Windows world on Uninformed, but Mark Dowd from IBM X-Force has blown my mind, as I just today read his 25-page report on the exploitation of a null pointer dereference issue in Adobe Flash.  Oh, by the way, it’s not just an exploit of a null pointer dereference issue, it’s a reliable one that is likely cross-platform.
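The exploitability question above comes down to how a null pointer dereference shows up in a file parser in the first place: a size declared inside the input drives an allocation, the allocation fails and returns NULL, and the code goes ahead and writes through the pointer anyway. What follows is an added example, not code from Dowd's whitepaper, from Adobe, or from this post; the toy record format, the MAX_RECORDS cap, and the injected allocator are assumptions made for the example. It puts the unchecked pattern next to a hardened parser that bounds the declared count and checks the allocation result.

```c
/*
 * Added example, not code from Dowd's whitepaper or from this post: a toy
 * record-file parser showing how an unchecked allocation failure becomes a
 * null pointer dereference, and the checks that prevent it. The format is
 * constructed for the example: a 4-byte little-endian record count followed
 * by that many 8-byte records. The allocator is injected so a failure can be
 * forced deterministically rather than by exhausting memory.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RECORD_SIZE 8
#define MAX_RECORDS 1024           /* sanity cap, chosen for the example */

enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_TOO_MANY, PARSE_OOM };

typedef void *(*alloc_fn)(size_t nmemb, size_t size);

struct record_table {
    uint32_t count;
    uint8_t (*records)[RECORD_SIZE];
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: trusts the declared count and never checks the
 * allocation. On a huge count the allocator returns NULL and the write would
 * land at NULL + index * RECORD_SIZE, i.e. at an address derived from the
 * input rather than inside a heap buffer. To stay runnable, this function
 * returns the address it would have written to instead of writing there. */
uintptr_t unchecked_write_address(const uint8_t *buf, alloc_fn alloc, uint32_t index) {
    uint32_t count = read_le32(buf);
    uint8_t (*tbl)[RECORD_SIZE] = alloc(count, RECORD_SIZE);   /* may be NULL */
    uintptr_t base = (uintptr_t)tbl;
    free(tbl);                                                   /* free(NULL) is a no-op */
    return base + (uintptr_t)index * RECORD_SIZE;
}

/* Hardened parser: bounds the declared count against a cap and against the
 * real input length before allocating, and treats a NULL allocation as a
 * parse error instead of using the pointer. */
enum parse_status parse_records(const uint8_t *buf, size_t len, alloc_fn alloc,
                                struct record_table *out) {
    out->count = 0;
    out->records = NULL;
    if (len < 4) return PARSE_TRUNCATED;
    uint32_t count = read_le32(buf);
    if (count > MAX_RECORDS) return PARSE_TOO_MANY;
    /* count <= MAX_RECORDS, so this multiplication cannot overflow size_t */
    if (len - 4 < (size_t)count * RECORD_SIZE) return PARSE_TRUNCATED;
    if (count == 0) return PARSE_OK;
    uint8_t (*tbl)[RECORD_SIZE] = alloc(count, RECORD_SIZE);
    if (tbl == NULL) return PARSE_OOM;        /* the check the vulnerable pattern lacks */
    memcpy(tbl, buf + 4, (size_t)count * RECORD_SIZE);
    out->count = count;
    out->records = tbl;
    return PARSE_OK;
}

/* Allocator that behaves like calloc but refuses requests over 64 KiB. */
void *small_calloc(size_t nmemb, size_t size) {
    if (nmemb != 0 && size > (64u * 1024) / nmemb) return NULL;
    return calloc(nmemb, size);
}

/* Allocator that always fails, simulating out-of-memory. */
void *failing_calloc(size_t nmemb, size_t size) {
    (void)nmemb; (void)size;
    return NULL;
}

/* Constructed input: count = 2, then two 8-byte records. */
static const uint8_t VALID_FILE[4 + 2 * RECORD_SIZE] = {
    0x02, 0x00, 0x00, 0x00,
    'A','A','A','A','A','A','A','A',
    'B','B','B','B','B','B','B','B',
};
/* Constructed input: count = 0xFFFFFFFF with no records behind it. */
static const uint8_t HUGE_COUNT_FILE[4] = { 0xFF, 0xFF, 0xFF, 0xFF };

/* Well-formed file parses and the second record survives the copy. */
int demo_valid_second_record_is_B(void) {
    struct record_table t;
    if (parse_records(VALID_FILE, sizeof VALID_FILE, small_calloc, &t) != PARSE_OK) return 0;
    int ok = t.count == 2 && memcmp(t.records[1], "BBBBBBBB", RECORD_SIZE) == 0;
    free(t.records);
    return ok;
}

/* Huge count is rejected before any allocation is attempted. */
enum parse_status demo_huge_count(void) {
    struct record_table t;
    return parse_records(HUGE_COUNT_FILE, sizeof HUGE_COUNT_FILE, small_calloc, &t);
}

/* Forced allocation failure is reported, not written through. */
enum parse_status demo_forced_oom(void) {
    struct record_table t;
    return parse_records(VALID_FILE, sizeof VALID_FILE, failing_calloc, &t);
}

/* Unchecked pattern, huge count, record index 5: would-be write address is 5 * 8 = 40. */
uintptr_t demo_unchecked_address(void) {
    return unchecked_write_address(HUGE_COUNT_FILE, small_calloc, 5);
}

int main(void) {
    printf("valid parse ok: %d\n", demo_valid_second_record_is_B());
    printf("huge count status: %d (expect PARSE_TOO_MANY=%d)\n", demo_huge_count(), PARSE_TOO_MANY);
    printf("forced oom status: %d (expect PARSE_OOM=%d)\n", demo_forced_oom(), PARSE_OOM);
    printf("unchecked would-be write address: %lu\n", (unsigned long)demo_unchecked_address());
    return 0;
}
```

The point of the two allocators is that the failure mode is part of the test, not left to chance: a NULL check that is never exercised is no better than none. Note also that the NULL check alone is not the whole fix, since the cap on the declared count is what keeps an input-controlled size from reaching the allocator in the first place.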

I called most of the security researchers that I work on my research with, I called friends at work, told a few clients, hell, I even called and told my Mom about it.  Yeah, I know what you’re thinking, how could the research really be that cool if my Mom could understand it?  Well, of course she couldn’t understand it, most people can’t!  The level of hard-core bad assery (yeah, I made up a new word just for this), involved in this is unbelievable.  Reading this article, I felt like Dowd must be an alien with advanced intelligence to have pulled this off.  I reserve comments like that for very specific scenarios, and in fact, I think I’ve only used it once before when discussing some research performed by skape (aka Matt Miller of Leviathan).

I’m not the only one stunned by the technical details.  I talk with Thomas Ptacek (from Matasano) from time to time, and I count him one of the most intelligent people I’ve met, very legit.  Even he was thoroughly excited about this, which is clearly evident from his blog entry on the subject.  Actually, even if you already know you won’t understand what’s being talked about, you should read Ptacek’s article anyways.  He really breaks it down quite well.  After I read it a few times I felt like I understood quite a bit, but in any case, Ptacek’s article is hilarious as always, so it’s a good read anyways.

In fact, I’m not even going to talk further about this, I’m just going to point you to the original whitepaper and Ptacek’s blog, which will do the issue far more justice than I could.  I count myself very technical, and I’ve done some very cool stuff in my own right, but I know my limits, and this research goes past what those limits currently are.

It’s been a rough month for Adobe, which is too bad since they seem like good and intelligent guys on the security team.  Unfortunately, they have the unenviable job of securing software integrated into all browsers on all operating systems that’s used on tons of websites.  Thanks to the diligent work of the Adobe Security Team and responsible disclosure by Dowd, this terrifying issue is already patched.

If anyone has specific questions or thoughts after reading the whitepaper or Ptacek’s article, feel free to post talkbacks and I may seek out an interview with Dowd to discuss.

-Nate

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.
