Submission: Security exploit in Flash Player 9 (blogspot.com)
SadSoupDragon writes: Through general code-hackery, I have stumbled upon a nasty little bug in the most recent version of Flash Player (and every other version I've tried so far). This happened when I made a mistake in creating an in-memory SWF file, loaded it via flash.display.Loader, and extracted an asset from it as a Sound object. The sound plays, but the Flash Player audio engine keeps playing past the end of the sound; as a result, you actually hear a buffer overflow. The usual result is nasty bleeps and bloops (not unlike loading a Spectrum or C64 game) coming out of your speakers, which you can even record and save as a raw sound file to view the data. My browser usually crashes seconds later, yet another symptom of buffer-related security badness.
It's bad enough that a simple SWF file can bring the browser down, but the really scary thing is what could be done with the data accessed (I know that at least a SWF program could analyse the spectrum of this data and send it back to a server) — or worse still, if an in-memory SWF could be crafted in such a way that it overruns the buffer with executable code, as many of the worst software exploits do.
I've written a proof of concept which you can download the source of here, or try the compiled nastiness for yourself.