Friday, December 17th, 2010

Will it Blend?

I had the honor of presenting at RuxCon and BayThreat this year.  Both were great conferences with great people.  I’m always humbled when I learn of what others are doing in the security community and even more humbled when asked to present.  I gave a presentation called Will It Blend.  The title of the talk is based on a series of videos from Blendtec (I could watch these videos all day).  The content of the talk however is about “blended threats”.  During the talk I presented a set of bugs I discovered in various browser plug-ins.  Independently, these bugs are pretty lame.  However, if we chain the bugs together, we get something that’s actually pretty interesting.  If you’re interested in taking a look at the slides, you can find them here (PPTPLEX format) or on the RuxCon/Baythreat websites.  The vuln chaining is a little difficult to visualize by looking at the slides, so at the end of my talk I gave a live demo of the bugs being chained together.  For those who were unable to attend my talk live, I’ve created a video to help understand how the exploit would be pulled off (  It will help to go over the slides first, then watch the video.

Most of the relevant code is available in the slide deck (its really simple).  There are around 5 different bugs in play here, involving a variety of vendors.  All the vendors involved have been contacted.  The oldest bug here is over a year old, the youngest is about five months old.  Kudos to Adobe.  Adobe X has changed its caching behavior, so this specific attack cannot be used against Adobe X users. 

I’m not sure where the blame lies for fixing these issues.  On one hand, if a single vendor addresses their portion of the attack, the entire chain of vulnerabilities is broken.  On the other hand, if only one vendor addresses their issue, all we have to do is find some other software/plugin that buys us the same capability and its game on again.

I hope someone finds the presentation useful.  Happy hunting.

Posted by xssniper | Filed in Security

5 Responses to “Will it Blend?”

  1. December 25th, 2010 at 11:26 am

    pz said:

    But still one question.The SWF file’s sandbox type is localWithFile by default,which means it has no access to internet.A geeky way to bypass?

  2. January 6th, 2011 at 6:18 pm

    Blended Threats - Bernardo's Tech Blog said:

    […] talk about it at RuxCon and BayThreat last year. I would suggest that anybody interested read his blog post. Slides containing the code are available there as well. This is interesting stuff. See video […]

  3. January 7th, 2011 at 4:07 am

    Bypassing Flash’s local-with-filesystem Sandbox | said:

    […] few weeks ago, I posted a description of a set of bugs that could be chained together to do “bad things”.  In the PoC I provided, a SWF file reads an arbitrary file from the victim’s local file […]

  4. May 10th, 2011 at 9:19 pm

    Daniel said:

    Was at this talk at Ruxcon last year. Was amazing. Got me really thinking about putting together different vulnerabilities and bugs.

  5. March 24th, 2013 at 7:44 pm

    Chaining Bugs to Exploit Browser Plug-Ins | Threatpost said:

    […] the vulnerabilities together, Rios is able to steal content from a victim’s machine. The slides containing the code for the attack are available on Rios’s […]

Please leave a Comment