Thursday, December 16, 2010

Will it Blend?

I had the honor of presenting at RuxCon and BayThreat this year.  Both were great conferences with great people.  I’m always humbled when I learn of what others are doing in the security community and even more humbled when asked to present.  I gave a presentation called Will It Blend.  The title of the talk is based on a series of videos from Blendtec (I could watch these videos all day).  The content of the talk however is about “blended threats”.  During the talk I presented a set of bugs I discovered in various browser plug-ins.  Independently, these bugs are pretty lame.  However, if we chain the bugs together, we get something that’s actually pretty interesting.  If you’re interested in taking a look at the slides, you can find them here (PPTPLEX format) or on the RuxCon/Baythreat websites.  The vuln chaining is a little difficult to visualize by looking at the slides, so at the end of my talk I gave a live demo of the bugs being chained together.  For those who were unable to attend my talk live, I’ve created a video to help understand how the exploit would be pulled off (http://www.youtube.com/watch?v=fMFVVNE8ytQ).  It will help to go over the slides first, then watch the video.

Most of the relevant code is available in the slide deck (its really simple).  There are around 5 different bugs in play here, involving a variety of vendors.  All the vendors involved have been contacted.  The oldest bug here is over a year old, the youngest is about five months old.  Kudos to Adobe.  Adobe X has changed its caching behavior, so this specific attack cannot be used against Adobe X users. 

I'm not sure where the blame lies for fixing these issues.  On one hand, if a single vendor addresses their portion of the attack, the entire chain of vulnerabilities is broken.  On the other hand, if only one vendor addresses their issue, all we have to do is find some other software/plugin that buys us the same capability and its game on again.

I hope someone finds the presentation useful.  Happy hunting.
Posted by at
Labels:

5 comments:

  1. pzDecember 25, 2010 at 3:26 AM

    Brilliant!
    But still one question.The SWF file's sandbox type is localWithFile by default,which means it has no access to internet.A geeky way to bypass?

    ReplyDelete
  2. Blended Threats - Bernardo's Tech BlogJanuary 6, 2011 at 10:18 AM

    [...] talk about it at RuxCon and BayThreat last year. I would suggest that anybody interested read his blog post. Slides containing the code are available there as well. This is interesting stuff. See video [...]

    ReplyDelete
  3. Bypassing Flash’s local-with-filesystem Sandbox | SecurityGuy.orgJanuary 6, 2011 at 8:07 PM

    [...] few weeks ago, I posted a description of a set of bugs that could be chained together to do “bad things”.  In the PoC I provided, a SWF file reads an arbitrary file from the victim’s local file [...]

    ReplyDelete
  4. DanielMay 10, 2011 at 2:19 PM

    Was at this talk at Ruxcon last year. Was amazing. Got me really thinking about putting together different vulnerabilities and bugs.

    ReplyDelete
  5. Adecuar los errores para explorar la fallas en los complementos del navegador|Admiration Security News - Security Like A Professional | Admiration Security News - Security Like A ProfessionalAugust 7, 2011 at 5:17 AM

    [...] vulnerabilidades, Rios es capaz de robar el contenido del dentro del equipo de la victima. La presentación que muestra el código del ataque esta disponible en el blor de Rios.read moreView full post on Threatpost Videos [...]

    ReplyDelete

Subscribe to: Post Comments (Atom)