Showing posts with label Reverse Engineering.

Saturday, May 10, 2014

Deep Analysis of CVE-2014-0502 – A Double Free Story


CVE-2014-0502 is an Adobe Flash Player zero-day that was part of a targeted attack which infected several nonprofit organizations' websites.

The vulnerability is a double free caused by a bug in how Adobe Flash Player handles shared objects.

The full story:
http://blog.spiderlabs.com/2014/03/deep-analysis-of-cve-2014-0502-a-double-free-story.html

The double free occurs during the termination of an Adobe Flash worker. When a worker is terminated, all of its shared objects (also called "Flash cookies") are flushed to disk and then freed from memory. If a shared object is over the limit (above 100KB of data), the flush to disk fails, and a garbage collection runs during that failed flush attempt. The garbage collector decides to free the shared object from memory while the first free operation is still in progress.

A screenshot showing a "record" shared object while the vulnerable code is exploited and EIP is controlled (0xcccccccc+8):

The screenshot below shows the internal SharedObject destructor procedure; notice the flag that checks whether flushing data to disk is required.
The SharedObject has data pending for flushing but fails to flush it because the data exceeds the 100KB limit. During the flushing attempt, garbage collection fires and frees the object without clearing this "pending flush" flag.




This specific flow leaves the "pending flush" flag set on an object that has already been freed, so the destructor keeps operating on freed memory: it calls a function through a pointer read from that freed, and by then attacker-controllable, memory. That is what turns the bug into remote code execution.
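To make the destructor flow concrete, here is an added example in C. It is not code from the original post or from Adobe: it models a shared object with a "pending flush" flag, the 100KB flush limit, and a collector that can run during the failed flush, using a static slot in place of the real heap so that the freed object can be inspected safely rather than actually dereferenced. The helper names (so_new, so_free, gc_collect, gc_refs) and the hardened variant are assumptions for illustration, not Adobe's patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define FLUSH_LIMIT (100 * 1024)   /* the 100KB flush limit described in the post */

/* What went wrong during one destructor run; the bits can combine. */
enum { HIT_NONE = 0, HIT_USE_AFTER_FREE = 1, HIT_DOUBLE_FREE = 2 };

typedef struct SharedObject {
    size_t data_len;
    bool   pending_flush;   /* the "pending flush" flag checked by the destructor */
    bool   live;            /* simulated allocator state: false once freed */
    int    gc_refs;         /* references that stop the collector from freeing it */
} SharedObject;

/* A single static slot stands in for the heap (assumption for the demo), so a
 * "freed" object can still be read here instead of touching real freed memory. */
static SharedObject slot;
static int free_count;      /* how many times the allocator was asked to free */

static SharedObject *so_new(size_t data_len)
{
    slot.data_len = data_len;
    slot.pending_flush = true;  /* unsaved data is waiting to be written */
    slot.live = true;
    slot.gc_refs = 0;
    free_count = 0;
    return &slot;
}

/* Returns false when asked to free an object that was already freed. */
static bool so_free(SharedObject *so)
{
    free_count++;
    if (!so->live)
        return false;
    so->live = false;
    return true;
}

/* Writing to disk fails for objects above the size limit. */
static bool flush_to_disk(const SharedObject *so)
{
    return so->data_len <= FLUSH_LIMIT;
}

/* The collector, entered during the failed flush, frees anything it sees no
 * reference to, including an object whose own destructor is still running. */
static void gc_collect(SharedObject *so)
{
    if (so->gc_refs == 0)
        so_free(so);
}

/* Destructor flow as the post describes it. */
static int destroy_vulnerable(SharedObject *so)
{
    int hits = HIT_NONE;

    if (so->pending_flush && !flush_to_disk(so))
        gc_collect(so);                  /* first free happens in here */

    /* The flag was never cleared, so the destructor keeps acting on the object.
     * The real code dispatches through a pointer read from this memory; the
     * demo only records that freed memory was consulted. */
    if (so->pending_flush && !so->live)
        hits |= HIT_USE_AFTER_FREE;

    if (!so_free(so))                    /* second free of the same object */
        hits |= HIT_DOUBLE_FREE;
    return hits;
}

/* Assumed fix pattern (not Adobe's actual patch): keep the object reachable
 * while it is being destroyed and clear the flag whether or not the flush
 * succeeded, so a stale flag can never outlive the object. */
static int destroy_fixed(SharedObject *so)
{
    int hits = HIT_NONE;

    so->gc_refs++;                       /* pin: GC must not collect us mid-destructor */
    if (so->pending_flush) {
        (void)flush_to_disk(so);         /* oversized data is dropped, not retried */
        so->pending_flush = false;
    }
    gc_collect(so);                      /* may still run, but now sees the pin */
    so->gc_refs--;

    if (!so_free(so))
        hits |= HIT_DOUBLE_FREE;
    return hits;
}

int main(void)
{
    int hits = destroy_vulnerable(so_new(200 * 1024));
    printf("vulnerable, 200KB: hits=%d frees=%d\n", hits, free_count);
    hits = destroy_vulnerable(so_new(50 * 1024));
    printf("vulnerable,  50KB: hits=%d frees=%d\n", hits, free_count);
    hits = destroy_fixed(so_new(200 * 1024));
    printf("fixed,      200KB: hits=%d frees=%d\n", hits, free_count);
    return 0;
}
```

The 50KB case shows why the bug only surfaces for oversized objects: the flush succeeds, no collection runs inside the destructor, and the single free at the end is the only free. The hardened variant depends on both changes together; clearing the flag alone still lets the collector free the object mid-destructor, and pinning alone still leaves a stale flag for a later path to trust.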


I originally posted this on the SpiderLabs blog; for more details, read the full story.



Wednesday, March 19, 2014

The Kernel is calling a zero(day) pointer – CVE-2013-5065 – Ring Ring


Here is my analysis of a PDF file that contained two different vulnerabilities: a remote code execution vulnerability in Adobe Reader and a new escalation-of-privileges zero-day in the Windows kernel.

The full story:
http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html

A flaw in the NDProxy driver while processing Telephony Application Programming Interface (TAPI) operations lets the caller make the kernel dispatch a function from outside the bounds of its dispatch table. An attacker could therefore exploit this vulnerability to gain SYSTEM privileges and bypass various sandbox protections.

The vulnerability gives the caller control over the index into the following static function table, whose entries are executed in kernel context:


Dispatching the invalid PxTapi function results in an access to address 0x0 and a crash:
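The pattern behind that crash, as an added C example that is not code from the original post or from the NDProxy driver: a caller-controlled index selects an entry in a static function table without being compared to the table's length, and because the slots past the table are zero in this model, the out-of-range dispatch lands on address 0x0, as in the crash above. The table contents, the request layout, the function names and the bounds-checked variant are all assumptions for illustration; the real driver's table and handlers are not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes of the simulated dispatcher (names are assumptions). */
enum { DISPATCH_INVALID_INDEX = -1, DISPATCH_NULL_CALL = -2, DISPATCH_BAD_REQUEST = -3 };

typedef int (*tapi_handler_t)(uint32_t arg);

/* Three stand-in TAPI handlers; their return values only make calls observable. */
static int tapi_open(uint32_t arg)  { return (int)arg + 1; }
static int tapi_close(uint32_t arg) { return (int)arg + 2; }
static int tapi_query(uint32_t arg) { return (int)arg + 3; }

/* One flat array stands in for the driver image: the real table occupies the
 * first TAPI_TABLE_LEN slots, and the zero-filled slots after it stand in for
 * whatever follows the static table in memory (assumption for the demo). */
#define TAPI_TABLE_LEN 3
#define IMAGE_SLOTS    64
static const tapi_handler_t driver_image[IMAGE_SLOTS] = { tapi_open, tapi_close, tapi_query };

/* Request as it would arrive in an IOCTL input buffer (layout is an assumption). */
struct tapi_request {
    uint32_t index;   /* caller-controlled function index */
    uint32_t arg;
};

/* Vulnerable: the caller's index selects a slot without being checked against
 * TAPI_TABLE_LEN. The IMAGE_SLOTS guard only keeps the simulation inside the
 * array; the real driver has no such guard and simply reads past its table. */
static int dispatch_vulnerable(uint32_t index, uint32_t arg)
{
    if (index >= IMAGE_SLOTS)
        return DISPATCH_INVALID_INDEX;  /* simulation boundary, not part of the bug */
    tapi_handler_t h = driver_image[index];
    if (h == NULL)
        return DISPATCH_NULL_CALL;      /* the real driver would jump to 0x0 here */
    return h(arg);
}

/* Fixed: reject any index outside the table before it is used. */
static int dispatch_fixed(uint32_t index, uint32_t arg)
{
    if (index >= TAPI_TABLE_LEN)
        return DISPATCH_INVALID_INDEX;  /* e.g. STATUS_INVALID_PARAMETER in a driver */
    return driver_image[index](arg);
}

/* IOCTL-style entry point: validate the buffer length, copy the request out of
 * caller memory, then dispatch through either implementation. */
static int handle_ioctl(const uint8_t *buf, size_t len, int fixed)
{
    struct tapi_request req;
    if (buf == NULL || len < sizeof req)
        return DISPATCH_BAD_REQUEST;
    memcpy(&req, buf, sizeof req);      /* no alignment assumptions about user memory */
    return fixed ? dispatch_fixed(req.index, req.arg)
                 : dispatch_vulnerable(req.index, req.arg);
}

int main(void)
{
    /* Constructed request: index 7 is past the 3-entry table, arg 10. */
    struct tapi_request evil = { 7, 10 };
    printf("vulnerable: %d\n", handle_ioctl((const uint8_t *)&evil, sizeof evil, 0));
    printf("fixed:      %d\n", handle_ioctl((const uint8_t *)&evil, sizeof evil, 1));
    return 0;
}
```

The check belongs before the table read, not after: once the handler pointer has been loaded from out-of-range memory, whatever it points to is already the caller's choice. A length check on the input buffer is needed as well, since a short buffer would otherwise let the index be read from uninitialized stack.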



Sunday, November 10, 2013

The Technical Aspects of Exploiting IE Zero-Day CVE-2013-3897


Just last month, during our work at SpiderLabs Research, the team and I had the chance to analyze CVE-2013-3897, a use-after-free vulnerability.
This vulnerability is the result of an object of type CDisplayPointer being freed and then used again when a rich-text control tries to scroll the pointer into the current view.
A flow that includes a selection occurring under the "onpropertychange" event, in a DOM that contains a textarea structure (detailed below), can result in remote code execution.

Breaking it down
1. Create a TEXTAREA and apply a different element as a child using applyElement. This will place the address element as the child of the textarea element.
2. Trigger a select event on the TEXTAREA element to create an instance of DisplayPointer.
3. Inside the onselect event, change the value property of the TEXTAREA element, which in turn fires the onpropertychange event. For example, appendChild or swapNode will cause this behavior.
Notice that id_2 (the "address" element) is a child of the TEXTAREA element. Swapping that element removes it from the textarea's layout and inserts a different element, so the value property changes.
4. The onpropertychange event is triggered.
5. Next we need to change the position of the display pointer within the TEXTAREA layout. The original exploit used document.execCommand("UnSelect"); however, selecting a different element, executing the SelectAll command, or any other operation that changes the DisplayPointer position will also work.
The attacker used the "UnSelect" command.
6. The JavaScript selection causes a call to CDisplayPointer::ScrollIntoView, which tries to set a new position for the DisplayPointer. At this stage the reference to CMarkupPointer has already been released by CDisplayPointer::Release (as a result of the "UnSelect" command) and therefore points to an attacker-controlled heap area.
The flow eventually reaches QIClassID, which tries to call CMarkupPointer::QueryInterface (located at offset 0x0 in CMarkupPointer's virtual table).
QIClassID (use):
QIClassID disassembly at the crash point

At the crash we end up with the following stack trace:

CMarkupPointer freed and then used by QIClassID:
Most of this post was originally published here:
(http://blog.spiderlabs.com/2013/10/ie-zero-day-cve-2013-3897-technical-aspects.html)


Thursday, August 25, 2011

Uncrackable? - Exceptional Cracking

Okay, I've been waiting a long time for a case worth posting on my blog. I ran into this one while searching for much less interesting, standard challenges for teaching newbies the basics of RE.
This one is a bit beyond what you guys are used to, and I really want you to give it a try before you read this. If you crack it quickly, don't bother reading; if you already have 3 letters of the serial and you're stuck, start reading from phrase F.

I won't teach you how to use a debugger or how to trace the relevant RE chunk of code; there are tons of tutorials that do just that. Consider this a case study: what's interesting is the case itself, and my focus will be accordingly.
Background:
One of the reasons I chose this crackme is that it "forces" you to focus on discovering the serial itself rather than wasting time on 'patch & trash'; additionally, the serial discovery is special.
Goal:
The goal is to find the serial key. I'll show the entire process, including the method I used and why I chose it, and I'll hand over the correct serial.
CrackMe Download Mirrors: