PWN to OWN Flash hack: first info
In an interview with US media, Shane Macaulay and Alexander Sotirov have disclosed the first background information on how they hacked the notebook running Windows Vista SP1 during the PWN to OWN competition at the CanSecWest security conference. According to the two hackers, the exploit also works, with adjustments, under Linux and Mac OS X.
Sotirov managed to circumvent Vista's Data Execution Prevention (DEP) using Java. The Java plug-in evidently does not work under Windows Vista when DEP is enabled, which is why DEP is switched off for Java as a rule. The hackers therefore had a Java applet request executable memory and filled it with shellcode. According to Sotirov, this is not a flaw in Java: it merely makes the exploit easier. He said he also had other methods for circumventing DEP and could have used those instead.
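The point of the DEP detour becomes clear when the same bytes are run from pages with different protections. The following C program is an added example written for this page, not code from the article or from the competition exploit: it copies a tiny stand-in "shellcode" stub (which just returns 42) into a freshly mapped page and jumps to it three ways. With a read/write page the CPU refuses to fetch instructions and the process takes a SIGSEGV, which the program catches and reports as -1; that is DEP doing its job. With a read/write/execute page, the kind of memory the exploit obtained from Java, the stub runs. The third mode writes to a read/write page and then flips it to read/execute with mprotect, which is how a well-behaved JIT obtains executable memory without ever holding a writable and executable page at once. The function and enum names, the stub bytes and the Linux/POSIX setup are this example's own assumptions.

```c
/* Added example (not from the article): what DEP/NX enforces, shown by
 * running identical stub bytes from pages with different protections.
 * Assumes Linux/POSIX on x86-64 or AArch64 with NX enabled. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Stand-in for shellcode: "mov eax/w0, 42 ; ret". Constructed for this demo. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char stub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
#elif defined(__aarch64__)
static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52,   /* mov w0, #42 */
                                      0xC0, 0x03, 0x5F, 0xD6 }; /* ret         */
#else
#error "stub bytes only provided for x86 and AArch64"
#endif

/* Hypothetical mode names for this example. */
enum page_mode { PAGE_RW = 0, PAGE_RWX = 1, PAGE_RW_THEN_RX = 2 };

static sigjmp_buf fault_env;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);   /* unwind to the call site: "DEP blocked it" */
}

/* Copy the stub into a fresh page under the requested protection and call it.
 * Returns 42 if the stub ran, -1 if the CPU refused to execute from the page
 * (SIGSEGV/SIGBUS was delivered), -2 if mmap/mprotect failed. */
int run_from_page(enum page_mode mode) {
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    int prot = (mode == PAGE_RWX) ? PROT_READ | PROT_WRITE | PROT_EXEC
                                  : PROT_READ | PROT_WRITE;
    unsigned char *page = mmap(NULL, pagesz, prot,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;
    memcpy(page, stub, sizeof stub);

    /* JIT-style W^X: the page is writable first, executable afterwards, never both. */
    if (mode == PAGE_RW_THEN_RX &&
        mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pagesz);
        return -2;
    }
#if defined(__aarch64__)
    __builtin___clear_cache((char *)page, (char *)page + sizeof stub);
#endif

    /* Catch the fault that a non-executable page produces instead of crashing. */
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;   /* handler may longjmp out and be reused */
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int result = -2;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void) = (int (*)(void))page;
        result = fn();          /* faults right here when the page lacks PROT_EXEC */
    } else {
        result = -1;            /* landed here via on_fault(): DEP enforced */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return result;
}

int main(void) {
    printf("RW page   (DEP enforced)            : %d\n", run_from_page(PAGE_RW));
    printf("RWX page  (what the exploit obtained): %d\n", run_from_page(PAGE_RWX));
    printf("RW->RX    (JIT-style W^X)           : %d\n", run_from_page(PAGE_RW_THEN_RX));
    return 0;
}
```

The first call returns -1 and the other two return 42 on any system where NX is active; on a system with NX disabled, or a 32-bit x86 kernel without PAE, the first call would also return 42, which is exactly the situation an attacker is in once DEP has been switched off for a process.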
Macaulay and Sotirov would not give further details about the bug in Flash itself, because doing so would break the rules of the competition. These state that details of a discovered security hole may not be published until the manufacturer has provided an update that closes it. Macaulay did hint vaguely that the bug was based on a type that is specified with two parameters but accepts three; the object, he said, was then called via the third parameter, which allowed injected code to be executed.
- Java plug-in triggers Data Execution Prevention (DEP) in 32-bit IE7 on 64-bit Vista: entry in the Sun bug database