Application-Specific Attacks: Leveraging the ActionScript Virtual Machine
Introduction Memory corruption vulnerabilities are becoming increasingly difficult to exploit, largely due to the protection mechanisms being integrated into most modern operating systems. As general protection mechanisms evolve, attackers are engaging in more specific, low-level application-targeted attacks. In order to refine general countermeasures (or at least raise awareness of their shortcomings), it is important to first understand how memory corruption vulnerabilities are exploited in some unique scenarios. The following case study describes a unique exploitation scenario using a recently disclosed flash vulnerability that was reported to Adobe by IBM (advisory available at http://www.iss.net/threats/289.html). At first the vulnerability seemed to offer limited exploitation options, but further analysis uncovered an application-specific attack that results in reliable, consistent exploitation. Achieving the same exploitation with more conventional methods is unlikely. The technique presented leverages functionality provided by the ActionScript Virtual Machine – an integral part of Adobe Flash Player. Further, it will be shown that the vulnerability can be successfully exploited without leaving telltale signs, such as a browser crash following the attack. Although this document deals specifically with the Win32/intel platform, similar attacks can most likely be carried out on the many other platforms flash is available for. In particular, some of the methodology discussed might be useful for constructing a robust exploit on Unix platforms as well as several embedded platforms. Understanding the specific scenarios used to exploit memory corruption vulnerabilities will help improve protection strategies.
