Adobe Type Confusion Vulnerability CVE-2015-7645 Exploits in the Wild


A critical zero-day vulnerability, CVE-2015-7645, was found on Oct 13, 2015; it was first observed being used by the cyber-espionage campaign Pawn Storm. Adobe acknowledged the issue and released an emergency patch later that week. By exploiting this vulnerability, a remote attacker can execute arbitrary code on a target system running a vulnerable version of Adobe Flash Player via a crafted SWF file. The affected versions are Adobe Flash Player 18.x through 18.0.0.252 and 19.x through 19.0.0.207 on Windows and OS X, and 11.x through 11.2.202.535 on Linux. Adobe recommends applying the patch immediately.
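For a defender the first practical step is to find which installed Flash Player builds fall inside the affected ranges quoted above. The following is an added example, not code from the advisory or from SonicWall: it encodes the three ranges exactly as the text states them and checks version strings against them. The `Capabilities.version` parsing (the `"WIN 19,0,0,207"` form with a `WIN`/`MAC`/`LNX` platform code) is an assumption about the format Flash reports and an inventory tool might have recorded; the inventory records in the `__main__` block are constructed sample data. A version above a range's upper bound is reported only as "outside the stated range", since the advisory does not name the fixed builds.

```python
"""Check Flash Player version strings against the CVE-2015-7645 affected
ranges stated in the advisory. Added example; not the advisory's own code."""

from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Inclusive ranges as stated in the advisory: "18.x through 18.0.0.252 and
# 19.x through 19.0.0.207 on Windows and OS X and 11.x through 11.2.202.535
# on Linux". Anything outside these is only "not in the stated range";
# this code makes no claim about which later build is the fixed one.
AFFECTED_RANGES: Dict[str, List[Tuple[Version, Version]]] = {
    "windows": [((18, 0, 0, 0), (18, 0, 0, 252)), ((19, 0, 0, 0), (19, 0, 0, 207))],
    "osx":     [((18, 0, 0, 0), (18, 0, 0, 252)), ((19, 0, 0, 0), (19, 0, 0, 207))],
    "linux":   [((11, 0, 0, 0), (11, 2, 202, 535))],
}

# Platform codes used in Flash's Capabilities.version string, e.g. "WIN 19,0,0,207".
# Assumed format for this example.
PLATFORM_CODES = {"WIN": "windows", "MAC": "osx", "LNX": "linux"}


def parse_version(text: str) -> Version:
    """Parse '19.0.0.207' or '19,0,0,207' into a 4-tuple of ints.

    Rejects anything that is not exactly four numeric fields, so a malformed
    or truncated string raises instead of silently comparing as 'not affected'.
    """
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a 4-part Flash version: {text!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


def is_affected(platform: str, version: str) -> bool:
    """True if version lies inside one of the advisory's ranges for platform."""
    key = platform.lower()
    if key not in AFFECTED_RANGES:
        raise ValueError(f"unknown platform: {platform!r}")
    v = parse_version(version)
    # Tuple comparison is lexicographic, which matches how Flash versions order.
    return any(low <= v <= high for low, high in AFFECTED_RANGES[key])


def triage_capabilities_version(cap: str) -> Tuple[str, Version, bool]:
    """Take a raw Capabilities.version record such as 'WIN 19,0,0,207' and
    return (platform, version, affected)."""
    code, _, ver = cap.strip().partition(" ")
    platform = PLATFORM_CODES.get(code.upper())
    if platform is None:
        raise ValueError(f"unknown platform code in {cap!r}")
    v = parse_version(ver)
    return platform, v, is_affected(platform, ver)


if __name__ == "__main__":
    # Constructed inventory records for demonstration, not data from the advisory.
    inventory = ["WIN 19,0,0,207", "MAC 18,0,0,252", "LNX 11,2,202,535",
                 "WIN 19,0,0,226", "WIN 17,0,0,188"]
    for rec in inventory:
        platform, v, hit = triage_capabilities_version(rec)
        label = "IN affected range" if hit else "outside stated range"
        print(f"{rec:18s} -> {platform:8s} {'.'.join(map(str, v)):14s} {label}")
```

The parser deliberately raises on anything that is not four numeric fields: an inventory export with a blank or truncated version column should surface as an error to investigate, not as a clean "not affected" result.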

Specifically, the vulnerability lies in the IExternalizable interface supported by ActionScript in Adobe Flash Player. A type-confusion condition arises when the writeExternal function pointer is overwritten by a variable of a different type that has the same name. The overwritten pointer can then point to arbitrary code that may be controlled by an attacker.

Multiple exploits have been found for this vulnerability, and some of them have been identified as being used by the Angler Exploit Kit. For example, the following are hashes of two of the files:

  • d3e3194e612e7f9df804aea2f2ab818dd25a392b7a4b44f144a8d85ec8bc766d
  • 1b332c513d20e01208ee7dc3c80fc231b49cfd03a9be6c49990372d742381985

The following code from one of the exploits shows how the writeExternal function was overwritten by a variable declaration and assignment:

It was then called later:

An example of the obfuscated ActionScript code from the exploits is below:

Dell SonicWALL researched this vulnerability in the same week it was discovered and released multiple signatures to cover the exploits in the wild:

  • GAV: CVE-2015-7645 (Exploit)
  • GAV: CVE-2015-7645_2 (Exploit)
  • GAV: CVE-2015-7645_3 (Exploit)
  • GAV: CVE-2015-7645_4 (Exploit)