1. 27

Issue 0x14 of Proof of Concept || GTFO is now available from

https://www.alchemistowl.org/pocorgtfo/

This PDF is a zip and NES ROM that prints the PDF’s MD5.

  1.  

  2. 3

    I must admit this plus the wikileaks Vault7 stuff is giving me the grues…..

    ..it’s just a pdf Right? It’s just Plain Old Data Right? It can’t infect your system Right?

    Adobe never has any security flaws, Right? /s

    1. 1

      Is it just me, or does it seem like in order for the FLUSH+RELOAD attack to work in the provided PoC, ASLR must be disabled? If the application is compiled as a PIE and ASLR is enabled, the addresses needing to be probed will change. Thus, the output provided by the objdump script will be inapplicable.

      1. 3

        It will still work for two reasons: First off, most systems today still ship without position independent executables, so the text and data segments will be at known offsets.

        Second, even with full ASLR, the principle is sound as long as caching operates on physical addresses instead of virtual addresses. This is the case for Intel. Offsets would become relative to a symbol, instead of absolute, but as long as the operating system maps the same pages across processes to back the data, the timing still works. The objdump script is too naive, but it’s a small change to fix it for the ASLR world.