Recent Flash zero day (CVE-2016-4117) attacks spotted in the wild (May 24,2016)


CVE-2016-4117 exploits have been spotted in the wild. Adobe Flash Player and earlier allows remote attackers to execute arbitrary code.

The swf exploit is packed and the binary data is encrypted as seen below. The swf file decrypts this section when this flash file is loaded in memory.

To unpack this swf let us load it in IE and attach a debugger. When the swf loads in memory,it decrypts the binary data to create another flash file which carries the actual payload.We can search the memory for this malicious flash file by looking for the magic bytes.

After spotting the swf exploit with payload

Extract the swf using writemem command.

This swf has many action scripts objects.

In the Data4 object notice the use of import com.adobe.tvsdk.mediacore.timeline.operations.DeleteRangeTimelineOperation and placement object which are a part of Primetime SDK.

Looking at the Data99 class we observe that flash90 variable is declared of type DeleteRangeTimelineOperation which is set to null. Later in the code at line 236 this variable is type confused with the placement property triggering the vulnerability which enables arbitrary read and write access to memory.

The exploit sprays the memory with shellcode.

Dell SonicWALL Threat Research Team has researched this vulnerability and released following signatures to protect their customers

  • GAV 16631: CVE-2016-4117.A
  • SPY 4502: Malformed-File swf.MP.410
    • Security News
      The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.