In association with heise online

03 April 2008, 15:29

PWN to OWN Flash hack: first info


In an interview with US media, Shane Macaulay and Alexander Sotirov have disclosed the first background information about the hacking of the notebook running Windows Vista SP1 during the PWN to OWN competition at the CanSecWest security conference. The hackers say the exploit also works with adjustments under Linux and Mac OS X.

Although the hack exploits a security hole in Adobe Flash, the hackers had to take further steps in order to crack Vista. Vista's Data Execution Prevention (DEP) would have blocked the execution of code injected by the heap-spraying method using JavaScript, so Macaulay first had to detour around DEP with the aid of Sotirov.

He managed to do that using Java. Java evidently does not function under Windows Vista if DEP is activated, which is why DEP is switched off for Java as a rule. The hackers then requested executable memory using a Java applet and filled it with shellcode. This, according to Sotirov, is not a flaw in Java: it just makes the exploit easier. He said he also had other methods for circumventing DEP and could have used them.

But Macaulay and Sotirov would not give more details about the error in Flash itself, because that would break the rules of the competition. These state that details of a discovered security hole may not be published until the manufacturer has provided an update to close it. Macaulay did hint vaguely that the error was based on a type that is specified with two parameters but accepts three. The object, he said, was then called via the third parameter, enabling the injected code to be executed.
