Adobe Flash Zero Day (CVE-2014-0502) Exploit Analysis (Feb 27, 2014)


Last week, the Dell SonicWall Threats Research Team observed multiple instances of an Adobe Flash zero-day exploit targeting CVE-2014-0502.
A double-free vulnerability exists in Adobe Flash which may allow arbitrary code execution.
Adobe quickly addressed this attack by providing a security update.
We also have a detailed write-up on the malware analysis of the file downloaded after successful exploitation.

Let's look at an in-depth analysis of the exploit.

Attack Flow:

We can see how the iframe is injected.

When the user is redirected to the malicious iframe, the HTML contains a reference to a malicious SWF.

SWF decompilation shows how the GIF file is loaded.

Here we can see how the exploit is fine-tuned for Windows XP and Windows 7.

The SWF also allocates the ROP chain corresponding to the checks above.

A cookie is set and checked so that the exploit executes only once.

Debugging shows how execution pivots into the ROP chain.

We can see how the urlmon module is used to download the EXE.

This EXE is copied to C: and executed.

Then there is post-infection activity.
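As an added example (not code from the original post), the following scanner illustrates a defender-side check for the first stage of the attack flow described above: a hidden or zero-sized injected iframe, and page content that references an SWF. The HTML samples, hostnames and file names are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample landing page (not from the original post): a hidden,
# zero-sized iframe injected into a benign page, and an SWF embedded via
# object/param and embed tags.
SAMPLE_HTML = """
<html><body><h1>Welcome</h1>
<iframe src="http://landing.example.invalid/x.html"
        style="visibility:hidden;position:absolute" width="0" height="0"></iframe>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="1" height="1">
  <param name="movie" value="exploit.swf">
  <embed src="exploit.swf" type="application/x-shockwave-flash">
</object>
</body></html>
"""

# Constructed benign page: a normal, visible video iframe and no SWF.
BENIGN_HTML = """
<html><body><iframe src="https://video.example.invalid/embed"
width="640" height="360"></iframe></body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class LandingPageScanner(HTMLParser):
    """Collects hidden-iframe sources and any attribute value pointing at a .swf."""

    def __init__(self):
        super().__init__()
        self.hidden_iframes = []  # src of iframes that are hidden or 0/1 px
        self.swf_refs = []        # every attribute value ending in .swf

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            tiny = a.get("width", "").strip() in ("0", "1") and \
                   a.get("height", "").strip() in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.hidden_iframes.append(a.get("src", ""))
        # <param value="..."> and <embed src="..."> are both covered here.
        for val in a.values():
            if val.strip().lower().endswith(".swf"):
                self.swf_refs.append(val.strip())


def scan_html(html):
    """Return the indicators found and an overall suspicious verdict."""
    scanner = LandingPageScanner()
    scanner.feed(html)
    return {"hidden_iframes": scanner.hidden_iframes,
            "swf_refs": scanner.swf_refs,
            "suspicious": bool(scanner.hidden_iframes or scanner.swf_refs)}
```

A hidden iframe alone is common in legitimate pages (analytics, ad frames), so in practice the two indicators together carry more weight than either on its own.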

We have implemented the following signatures to detect the attack:

  • SPY:4185 Malformed-File swf.OT.7
  • SPY:4186 Malformed-File gif.OT.1
  • SPY:2342 Malformed-File swf.MP.103
  • SPY:2344 Malformed-File swf.MP.104