Multiple Exploits for CVE-2015-5119 Observed in the Wild (Sept 18, 2015)


CVE-2015-5119 is a Use-after-free vulnerability in the ByteArray class in the ActionScript 3. Adobe first released the advisory for CVE-2015-5119 in July and the first exploit surfaced soon. We kept observing the new exploits taking use of this vulnerability after that and multiple exploits have been observed.

A typical type of exploits using this vulnerability is wrapping the exploit Action Script code into a second flash file, which is embedded as a binary with the Flash file. Here is an example of the binary:

The binary file was retrieved through a ByteArrayAsset class of Action Script for decoding:

And the following function decoded the binary with an embedded key and obfuscated system function calls:

After the decoding, the binary of the embedded Flash file is below:

By decompiling it, we can see the exploit code for CVE-2015-5119:

Dell SonicWALL has observed hundreds of the exploits using the flash wrapping method in the wild since July. Multiple GAV signatures have been created to protect the customers. The following are some of them:

  • 28044 CVE-2015-5119a.A
  • 28030 CVE-2015-5119.AJ_2
  • 28005 CVE-2015-5119.AJ
  • 27997 CVE-2015-5119.C_3
  • 27992 CVE-2015-5119.A_17
  • 19262 CVE-2015-5119_3
  • 18484 CVE-2015-5119_2
  • 18363 CVE-2015-5119.AN_2
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.