April 2nd, 2008

Interview with the Vista Pwn2Own contest winners

Posted by Nathan McFeters @ 6:00 am

Categories: Exploit code, Hackers, Java, Microsoft, Responsible disclosure, Sun Microsystems, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Adobe Systems Inc., Vulnerability, JavaScript, Microsoft Windows Vista, Exploit, Data Execution Prevention, Flaw, Nate, Programming Languages, Java

Update 04/03/2008: I’ve updated the article as apparently the link to k2’s blog was broken. Also, it’s important to note that Derek Callaway was a part of this research and exploitation as well, and I neglected to mention that.

So, obviously, our coverage of the Pwn2Own contest has received a lot of attention in the talkbacks (see: MacBook Air falls in two minutes at PWN 2 OWN; Vista falls in Pwn2Own contests final day to a flaw in Adobe Flash; More details on the Pwn2Own Flash flaw that won the Vista machine; and Pwn2Own: What OS really won?), and there have been some very heated debates over a few sticking points, especially in the discussion of the Flash flaw that compromised Vista. It’s been outstanding, and I thank everyone who was involved in these discussions, especially n0neXn0ne and OButterball, with whom I personally had very long and detailed debates.

Here are the key issues that were debated:

  1. Who won (or who lost, depending on who’s answering the question) the Pwn2Own contest? To be clear, by “who” I mean which OS.
  2. Who all was vulnerable to the Adobe Flash flaw?
  3. Is the Adobe Flash flaw Adobe’s fault, the operating system’s fault, or Sun’s fault?

Well, I thought it would make sense to go straight to the source of the Adobe Flash exploit to get some first-hand accounts of what went down, so I interviewed Shane Macaulay (aka k2, pictured on the right in the image taken from the ZDI website) and Alexander Sotirov (pictured on the left in the image taken from the ZDI website). It was a great interview, which I present below:

Nate: The flaw you discovered was in Adobe Flash, was this truly a cross-platform attack?

Shane: Yeah, there’s a stack issue, where a type is accepting 3 parameters when it is defined to accept 2, possibly some polymorphism/name mangling bug, but either way, this object gets called through the 3rd invalid/uninitialized memory that winds up jumping wherever we had pre-filled memory to.

Nate: So then, do you have exploit code for all three of the operating systems, or are you certain that you could’ve written exploit code given enough time?

Shane: Could have been done with enough time, I haven’t used gdb in years, that’s the main hurdle right now. My professional career has been on the Microsoft platform so I’ve not had the time to work with *nix much.

Nate: Why choose Vista over *Nix or the Mac?

Shane: Oh I guess I just answered that one. Not to mention once the flaw was used once, we couldn’t use it again to pwn the other machines.

Nate: So, the InfoWorld article mentions that you brought Alexander into the mix for some additional Ninjitsu and that the use of Java was involved… can you confirm my assumption that you used a Java applet to bypass the DEP restrictions (since JVM doesn’t play nice with DEP) and that this is a buffer overflow type issue within Flash?

Shane: I’ll defer to the esteemed Mr. Sotirov.

Alex: The target machine had a non-executable heap in the Internet Explorer process, which prevented Shane from using JavaScript heap spraying to execute shellcode on the heap. I had done some research on bypassing DEP and I had an exploitation technique that we could use in this exploit. We utilized a Java applet to allocate executable memory and fill it with shellcode. I’d like to point out that this is not a vulnerability in Java, but simply a way to use Java applets to make the exploitation of other vulnerabilities easier. I have a few other techniques for bypassing DEP, so the Flash vulnerability could have been exploited without Java as well.

Nate: Considering Sotirov is well known for his “JavaScript Heap Feng Shui,” did that come into play here? Did you use Java or JavaScript to prepare the heap for this exploit to work?

Shane: I guess we shouldn’t answer a question phrased like that. We did not need the Feng Shui, but both Java and JavaScript were used. There is some chance that ActionScript could’ve been used, but that would have tweaked the target.

Alex: The Heap Feng Shui technique was not needed for exploiting this vulnerability, but Charlie Miller used an OSX port of my Heap Feng Shui library to pwn the MacBook Air on day two. I think it’s pretty cool to have my code involved in winning both laptops this year.

Nate: Yeah, that is bad ass. I’ve actually used your Heap Feng Shui attacks in my own research, but I was unaware that there was a port to Mac… that’s very interesting and likely makes my job a bit easier going forward! Any more details you can give on where the exploit occurred within flash?

Shane: I think we have to plead the fifth, until the bulletin is issued, save details in question 1.

Nate: What are you going to do with the money and laptop?

Shane: B0000m eBay!! If the laptop was even 1/4 as good as the MacBook I got last year I would have kept it, but as it turns out, I had to add in a +1GB of RAM for the offer on eBay to make sure it’s a solid box for whoever gets it.

Alex: I’m doing this for the chicks, not the money.

Nate: HAHAHAAHA! So, Shane, after two years of being on the successful winning team, how long do you think you can keep the streak going? Will you be attempting a three-peat?

Shane: I’ve been considering the trifecta, I’ve got an IE 0day in the hopper now (see my previous best bug ever in IE, http://systemofsystems.wordpress.com/2008/02/12/dime%e2%80%99s/), I’ll blow the dust off some exploit for use in the contest for sure.

Nate: What’s up next for you guys? Any cool research you’re currently looking into?

Shane: Myself, largely a product, a binary application attack system. Some features include:

  • Very high test speed (usually in the tens of thousands/sec on a single core)
  • Identified issues are categorized based on their type, read/write/exec/…
  • Code/data trace model and reverse execution
    • Helps pinpoint original flaw location
  • Optimized set generation code for inputs
  • Generates test cases for fixes
    • Not just error messages

Basically, it’s a solid dynamic analysis engine with advanced data analysis for binary steering, data flow comprehension and attack capabilities. No sources required.

Alex: I have some research on bypassing DEP and ASLR that I plan to present at a future conference, as well as some social networking exploitation work. Stay tuned!

Nate: Very interesting indeed!

So, for those who have been reading up on the previous articles, there’s some info for you straight from the researchers themselves. Thanks a lot, Shane and Alex, for taking the time! To the readers, if you have follow-up questions that you want asked, you can submit them to me via talkback and I’ll do the best I can to get some answers from these guys, although keep in mind they are under NDA.
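Alex’s point in the interview (a non-executable IE heap defeats JavaScript heap spraying, so a Java applet was used to obtain memory that is both writable and executable) can be shown outside a browser. The following is an added example written for this page, not code from the interview or from Shane’s or Alex’s exploit: it maps a page, copies a tiny “return 42” machine-code stub into it as a stand-in for sprayed shellcode, and tries to call it under two protections. Under DEP/NX the read-write page faults (caught as SIGSEGV and reported as 0); the read-write-execute page, the analogue of what the applet supplied, runs and reports 1. The stub encodings, the `probe_exec` name and a Linux host on x86-64 or AArch64 are assumptions of the example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example, not the researchers' code. A tiny position-independent
 * stub stands in for sprayed shellcode: it just returns 42 so the caller
 * can tell whether it actually ran. Encodings assumed for x86-64/AArch64. */
#if defined(__x86_64__)
static const unsigned char STUB[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00,  /* mov eax, 42 */
                                      0xc3 };                        /* ret         */
#elif defined(__aarch64__)
static const unsigned char STUB[] = { 0x40, 0x05, 0x80, 0x52,        /* mov w0, #42 */
                                      0xc0, 0x03, 0x5f, 0xd6 };      /* ret         */
#else
#error "this example encodes the stub for x86-64 and AArch64 only"
#endif

static sigjmp_buf fault_env;

/* A DEP/NX violation arrives as SIGSEGV (SIGBUS on some systems); unwind
 * back into probe_exec instead of letting the process die. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Copy the stub into a fresh page, set the page to `prot`, and call it.
 * Returns 1 if the stub executed, 0 if the CPU refused to fetch code from
 * the page, -1 if the mapping could not be set up. */
int probe_exec(int prot) {
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;

    memcpy(page, STUB, sizeof STUB);                      /* the "spray" */
    __builtin___clear_cache((char *)page, (char *)page + sizeof STUB);
    if (mprotect(page, pagesz, prot) != 0) {              /* RW vs RWX   */
        munmap(page, pagesz);
        return -1;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int ran = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* data pointer -> code pointer */
        ran = (fn() == 42);              /* never reached if the fetch faults */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return ran;
}

int main(void) {
    printf("RW  page (sprayed heap under DEP): executed=%d\n",
           probe_exec(PROT_READ | PROT_WRITE));
    printf("RWX page (what the applet supplied): executed=%d\n",
           probe_exec(PROT_READ | PROT_WRITE | PROT_EXEC));
    return 0;
}
```

Build with `cc -o nxprobe nxprobe.c` and run it. On a machine where the hardware and OS enforce NX the first probe prints 0 and the second 1; on a host without enforcement both print 1, which is the whole point of the debate in the talkbacks: DEP only withholds execution where it is actually enforced, and an attacker who can get any writable page marked executable (here by mprotect, in the contest via the Java runtime) is back to a plain heap-spray situation.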

-Nate

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.

Most recent of 59 talkbacks, from rtk (04/05/08), “well, first.”:

they’d have to gain root to the vista machine, no?

Better go back and read up on what actually went down....
