Exploiting Adobe Flash Player in the Era of Control Flow Guard
Offered By: Black Hat via YouTube
Course Description
Overview
Explore advanced exploitation techniques for Adobe Flash Player in the context of Control Flow Guard (CFG) protection. Delve into the challenges posed by CFG implementation on Windows 8.1 and Windows 10, and discover innovative approaches to bypass this security measure. Learn about leveraging the Flash Player's JIT compiler to circumvent CFG, and understand the subsequent hardening measures implemented by Microsoft and Adobe. Examine three practical data-only attacks that avoid CFG restrictions, including a method to execute arbitrary commands without shellcode or ROP. Gain insights into the difficulties of detecting and protecting against these sophisticated data-only attacks. While focusing on Flash Player vulnerabilities, acquire knowledge of techniques applicable to exploiting other software on CFG-enabled systems.
Syllabus
Intro
Agenda
Overview of CFG
CVE-2015-0311 Overview
Control flow hijacking attempt detected!
Approaches
Flash JIT compiler
Leveraging the JIT compiler to bypass CFG
Current status
JIT hardening
Data-only attacks: related work
The Security Settings object
Gaining (unauthorized) access to the camera & mic
From Remote sandbox to Local Trusted sandbox
Executing commands without shellcode nor ROP
Crafted state
Thank you!
Taught by
Black Hat
Related Courses
Computer SecurityStanford University via Coursera Cryptography II
Stanford University via Coursera Malicious Software and its Underground Economy: Two Sides to Every Story
University of London International Programmes via Coursera Building an Information Risk Management Toolkit
University of Washington via Coursera Introduction to Cybersecurity
National Cybersecurity Institute at Excelsior College via Canvas Network