March 31st, 2008

More details on the Pwn2Own Flash flaw that won the Vista machine

Posted by Nathan McFeters @ 11:39 am

Categories: Exploit code, Hackers, Java, Microsoft, Responsible disclosure, Sun Microsystems, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Java, Microsoft Windows Vista, Data Execution Prevention, Flaw, Microsoft Windows Vista (Longhorn), Security, Operating Systems, Microsoft Windows, Software, Nathan McFeters

[Image: Alexander Sotirov (SolarEclipse) and Shane Macaulay (k2)]

So, I’ve been pretty surprised by the response to the discussion of the Flash flaw that allowed the Vista machine to be compromised in the Pwn2Own contest. I’m working on getting an interview with Alexander Sotirov and Shane Macaulay (see image, courtesy of ZDI’s official site) to discuss the issue, but in the meantime, I think we can make some reasonable assumptions from the details that have been released in an InfoWorld article:

Macaulay, who was a co-winner of last year’s hacking contest, needed a few hacking tricks courtesy of VMware researcher Alexander Sotirov to make his bug work. That’s because Macaulay hadn’t been expecting to attack the Service Pack 1 version of Vista, which comes with additional security measures…

For those who aren’t familiar with Sotirov, he is the author of Heap Feng Shui in JavaScript, a technique for driving the browser’s allocator from script so that the heap ends up in a known layout and attacker-controlled data lands at a predictable address, rather than the blunt spray-and-pray of ordinary heap spraying. So they team up and get to work:

Under contest rules, Macaulay and Miller aren’t allowed to divulge specific details about their bugs until they are patched, but Macaulay said the flaw that he exploited was a cross-platform bug that took advantage of Java to circumvent Vista’s security.

Hmmm… does this sound familiar to anyone? See my posts (part 1 here and part 2 here) on the flaws John Heasman spoke of in Java, which requires features like DEP to be turned off on operating systems that provide such protections. So my guess, and I feel it is an educated one (of course time will tell), is that Sotirov helped out by providing some additional hacker ninjitsu, helping Macaulay load this Flash attack through a Java applet and thus turning off any DEP protection the operating system provides. Heck, I wouldn’t even be surprised if he used the applet to do some fancy heap spraying to load the shellcode from the heap. The article continues:

“The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place,” he (Macaulay) said in an interview shortly after he claimed his prize Friday. “This could affect Linux or Mac OS X.”

Macaulay said he chose to work on Vista because he had done contract work for Microsoft in the past and was more familiar with its products.

Aha, so there is your story right there: this flaw could have worked on any of the systems; however, the contest rules state that the same exploit can be used to compromise only one machine (see rule #2 on the cansecwest.com web page, which states “You can’t use the same vulnerability to claim more than one box, if it is a cross-platform issue.”), and Macaulay used Vista because it was what he was most familiar with.
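The whole DEP argument above rests on one fact: shellcode written into heap memory only runs if the CPU and OS allow that memory to be executed, which is why an attacker cares whether the target process has the protection on or can switch it off. As an added example, not code from the original post or from the contest entry, here is a small C program for Linux/POSIX that shows the protection doing its job. It copies a six-byte “return 42” stub into a freshly mapped page and calls it, once while the page is only readable and writable and once after marking it executable. The stub bytes, the page protections and the fault-catching with sigsetjmp/siglongjmp are this example’s own construction; NX is the CPU and Linux feature that Windows exposes as DEP.

```c
/*
 * Added example (not from the original post): what DEP/NX buys you, and why an
 * exploit cares whether it is on.  Constructed demo: a "return 42" stub is
 * copied into an mmap'd page and called, first while the page is RW only and
 * then after marking it RX.  With NX enforced the first call faults (caught via
 * SIGSEGV + siglongjmp) and the second succeeds.  Linux/POSIX only; the Windows
 * analogue of mprotect() here is VirtualProtect() with PAGE_EXECUTE_READ.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for "return 42" on the two common architectures. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char STUB[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00,   /* mov eax, 42 */
                                      0xC3 };                         /* ret         */
#elif defined(__aarch64__)
static const unsigned char STUB[] = { 0x40, 0x05, 0x80, 0x52,         /* mov w0, #42 */
                                      0xC0, 0x03, 0x5F, 0xD6 };       /* ret         */
#else
#error "no stub for this architecture"
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);          /* unwind back into run_from_page() */
}

/*
 * Map one page, copy STUB into it, set the requested final protection and call
 * the stub.  Returns 42 if it executed, -1 if the CPU refused to fetch
 * instructions from the page (NX/DEP in action), -2 on a setup failure.
 */
int run_from_page(int final_prot) {
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;

    memcpy(page, STUB, sizeof STUB);   /* "shellcode" lands in writable memory */
    if (mprotect(page, (size_t)pagesz, final_prot) != 0) {
        munmap(page, (size_t)pagesz);
        return -2;
    }
    /* Required on aarch64 after writing code; harmless on x86. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof STUB);

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result = -1;          /* stays -1 if the call faults */
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn); /* object pointer -> function pointer */
        result = fn();
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, (size_t)pagesz);
    return result;
}

/* 1 if this host refuses to run code from a non-executable page, else 0. */
int nx_enforced(void) {
    return run_from_page(PROT_READ | PROT_WRITE) == -1;
}

int main(void) {
    printf("RW page: %d\n", run_from_page(PROT_READ | PROT_WRITE));
    printf("RX page: %d\n", run_from_page(PROT_READ | PROT_EXEC));
    printf("NX/DEP enforced: %s\n", nx_enforced() ? "yes" : "no");
    return 0;
}
```

Build with `gcc demo.c -o demo` and run it. On a host that enforces NX the RW call reports -1 (the fault was caught) and the RX call reports 42. The post’s point about Java is that the plugin of the day ran with that protection off for its whole process, so there the RW case never faults and heap-sprayed shellcode simply runs. On Windows the corresponding controls are VirtualProtect() for a single region and the process-wide policy, which Vista SP1 and XP SP3 expose through GetProcessDEPPolicy().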

So I guess we can end the OS wars about whose is better. Perhaps I could just put up a poll so we could vote on it and get that all over and done with. So now, we should be pointing the finger at Adobe for allowing this flaw… or wait a minute, should we be pointing it at Sun since Java doesn’t play nice with DEP?

-Nate

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.

Talkback (most recent of 101)
Hahaha
Yeah, I had to step in and make it a war, just trying to get you guys to keep posting talkbacks so I get more $ happy

S... (Read the rest)
Posted by: nmcfeters | 04/04/08
Or should we blame Microsoft  nucrash | 03/31/08
RE: Microsoft  nmcfeters | 03/31/08
MS has had DEP support since XP SP2  ye | 03/31/08
RE: MS has had DEP since XP SP 2  nmcfeters | 03/31/08
To sum up the battle in a few lines  nucrash | 03/31/08
Nice summation (nt)  ye | 03/31/08
RE:  nmcfeters | 03/31/08
Forgot last 2 steps...  aureolin@... | 03/31/08
Sorry not this time.  maldain | 03/31/08
Oh, NO! I have to disable Java AGAIN?  jlafitte | 04/01/08
I have it always disabled  markbn | 04/03/08
Point at Sun for allowing Java to bypass DEP protection.  Grayson Peddie | 03/31/08
RE: Point to sun  nmcfeters | 03/31/08
"Turning off DEP"????  Zogg | 04/01/08
No  Guy Smiley | 04/01/08
RE: No  nmcfeters | 04/01/08
Something's not right...  Zogg | 04/02/08
Not really...  Guy Smiley | 04/02/08
You misunderstood me...  Guy Smiley | 04/02/08
This contest had only one loser.  kozmcrae | 03/31/08
Unhackable  aureolin@... | 03/31/08
Isn't that the truth  GeiselS@... | 03/31/08
Aren't well all better off because Sun sued MS...  ye | 03/31/08
RE: Hahahaha  nmcfeters | 03/31/08
So ... it WASN'T Adobe's fault ...  OButterball | 03/31/08
Security is usually a shared responsibility  nucrash | 03/31/08
But this is like blaming the cops because ...  OButterball | 03/31/08
Java Can't work with DEP, not the other way around  nmcfeters | 03/31/08
DEP is alive and well in Solaris on Ultra Sparc  ye | 03/31/08
RE: Yep, that's the question  nmcfeters | 03/31/08
This should give you an idea:  ye | 03/31/08
RE:  nmcfeters | 03/31/08
My question still stands:  OButterball | 03/31/08
Back under the bridge troll!  ShadeTree | 03/31/08
Gee whiz, Shadey, you've gone from being someone ...  OButterball | 03/31/08
RE: API  nmcfeters | 03/31/08
RE: Where is your disconnect?  nmcfeters | 03/31/08
Where is YOUR disconnect? Why are you SO interested ...  OButterball | 03/31/08
Now you've ended your own argument  nmcfeters | 03/31/08
Nope the discussion isn't over ...  OButterball | 04/01/08
Argh...  nmcfeters | 04/01/08
DOUBLE Arrghh!  OButterball | 04/01/08
INFINITY Arghh... haha  nmcfeters | 04/01/08
16 bit on Vista  ed.ahlsen-girard@... | 04/01/08
Argh ... Alright! NOW we're gittin' somewhere!  OButterball | 04/01/08
I wash my hands of this argument  nmcfeters | 04/01/08
Yer hands still ain't clean, Nate:  OButterball | 04/01/08
RE: OButterball - My hands are washed in industrial grade anti-bacterial  nmcfeters | 04/01/08
@nmcfeters  rtk | 04/01/08
rtk: That's right, attempt to kill the messenger ...  OButterball | 04/02/08
duhhh, well, when you have to disable security to run the app....  jlafitte | 04/01/08
Huh? How come a mere application ...  OButterball | 04/01/08
you suggestion is somewhat like  rtk | 04/01/08
rtk: No, my suggestion is EXACTLY like ...  OButterball | 04/02/08
it's really simple OButterball Microsoft tells sun or adobe until  SO.CAL Guy | 04/01/08
EXACTLY!  nmcfeters | 04/01/08
Simpler than THAT, actually:  OButterball | 04/01/08
Re: it's really simple ...  n0neXn0ne | 04/01/08
Now you just don't make any sense at all  nmcfeters | 04/01/08
Industrial grade is obviously the wrong strength, Nate.  OButterball | 04/01/08
RE: OButterball  nmcfeters | 04/01/08
re: Nate - don't worry he was abused as a child...  ItsTheBottomLine | 04/02/08
Thanks  nmcfeters | 04/02/08
Nate: "Thanks"? You're thanking ...  OButterball | 04/02/08
That's right, get defensive  nmcfeters | 04/02/08
Patching  nabeel_z | 04/01/08
Correct  nmcfeters | 04/01/08
RE: More details on the Pwn2Own Flash flaw that won the Vista machine  nmcfeters | 03/31/08
Who're you replying to?  Grayson Peddie | 03/31/08
RE: More details on the Pwn2Own Flash flaw that won the Vista machine  nmcfeters | 03/31/08
RE: More details on the Pwn2Own Flash flaw that won the Vista machine  nmcfeters | 03/31/08
Please disregard, this is a duplicate post.  nmcfeters | 03/31/08
RE: More details on the Pwn2Own Flash flaw that won the Vista machine  nmcfeters | 04/01/08
RE: More details on the Pwn2Own Flash flaw that won the Vista machine  nmcfeters | 04/01/08
In stead of ...  n0neXn0ne | 04/01/08
First thanks Nate  desamuelson | 04/01/08
Thanks  nmcfeters | 04/01/08
Thanks desamuelson for your observation that helps make my point  n0neXn0ne | 04/01/08
RE:  nmcfeters | 04/02/08
Not blaming anyone  nilotpal_c | 04/01/08
Good points, Nate still not buying...  n0neXn0ne | 04/01/08
What am I not buying?  nmcfeters | 04/01/08
RE: OK  nmcfeters | 04/01/08
re: ok  n0neXn0ne | 04/01/08
Sure, I'll buy it  nmcfeters | 04/01/08
tRu dAt (nt)  n0neXn0ne | 04/01/08
RE:re:Sure, I'll buy it; Sold to the highest bidder wink  n0neXn0ne | 04/01/08
RE:  nmcfeters | 04/02/08
What about PaX?  nmcfeters | 04/02/08
Why would recompile be difficult?  Robert Crocker | 04/02/08
Recompile  nmcfeters | 04/02/08
What is the "average *Nix user"?  Robert Crocker | 04/02/08
Yep, that's the question  nmcfeters | 04/02/08
Did they need to elevate their privileges to win?  Zogg | 04/03/08
Nope  nmcfeters | 04/03/08
I thought that "0wning" a machine was *defined* as "root access"...  Zogg | 04/03/08
I disagree  nmcfeters | 04/03/08
Intrusion? Yes. "Pwned"? No.  Zogg | 04/03/08
Well  nmcfeters | 04/03/08
what are you talking about?  rtk | 04/03/08
Hahaha  nmcfeters | 04/04/08
