Exploiting Adobe Flash Player in the Era of Control Flow Guard

Friday, November 13, 2015
Francisco Falcon
Black Hat Europe 2015

Adobe Flash Player, one of the most ubiquitous pieces of software, is integrated into the operating system on Windows 8.1 and Windows 10. Since the introduction of Control Flow Guard (CFG) - Microsoft's newest exploit mitigation technology - in November 2014, the Flash Player binaries provided by Microsoft have been protected by CFG, which adds a check before every indirect call in the code to verify that the destination address of that call is one of the locations identified as "safe" at compile time. Gaining code execution is no longer as simple as overwriting the vtable of an object and calling one of its virtual methods.

We'll start this presentation by discussing an exploitation technique which leverages the Flash Player's JIT compiler in order to bypass CFG, and how Microsoft and Adobe have hardened Flash Player's JIT compiler against this technique in the June 2015 security updates. Then, we are going to discuss three practical data-only attacks, showing how it is possible to take advantage of vulnerabilities in Flash Player while avoiding the mess of having to deal with CFG. One of these alternative payloads makes it possible to execute arbitrary commands on the vulnerable system without injecting shellcode or using ROP. Interestingly, detecting and protecting against these data-only attacks can be challenging.

Although this talk is focused on the challenges of exploiting Flash Player vulnerabilities on CFG-enabled systems, the techniques and ideas discussed here may be applied against other software.
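
The first paragraph notes that the Flash Player binaries shipped by Microsoft are built with CFG. The following Python is an added example, not part of the original abstract or the talk: it reads the `DllCharacteristics` field of a PE image and reports whether the `IMAGE_DLLCHARACTERISTICS_GUARD_CF` bit is set. The helper names and the sample header bytes are constructed for the demonstration.

```python
import struct

# Flag values from the PE/COFF specification (winnt.h).
FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE": 0x0040,
    "NX_COMPAT": 0x0100,
    "GUARD_CF": 0x4000,   # image was linked with Control Flow Guard
}

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image, validating headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 4 + 20  # skip PE signature and COFF file header
    if len(image) < opt + 72 or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 4 + 16)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    return struct.unpack_from("<H", image, opt + 70)[0]

def mitigations(image: bytes) -> dict:
    """Map each flag name to whether the image opts in to it."""
    value = dll_characteristics(image)
    return {name: bool(value & bit) for name, bit in FLAGS.items()}

def build_sample(flags: int, magic: int = 0x20B) -> bytes:
    """Constructed minimal header (not a loadable binary) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)

if __name__ == "__main__":
    for label, flags in (("with CFG", 0x4160), ("without CFG", 0x0160)):
        print(label, mitigations(build_sample(flags)))
```

The flag only shows that the image opts in to CFG. The table of valid call targets lives in the load configuration directory, which this example does not parse.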