Recent Flash zero day (CVE-2016-4117) attacks spotted in the wild (May 24, 2016)

CVE-2016-4117 exploits have been spotted in the wild. The vulnerability affects Adobe Flash Player 21.0.0.226 and earlier and allows remote attackers to execute arbitrary code.

The swf exploit is packed and its binary data is encrypted, as seen below. The swf file decrypts this section when the flash file is loaded in memory.

To unpack this swf, let us load it in IE and attach a debugger. When the swf loads in memory, it decrypts the binary data to create another flash file which carries the actual payload. We can search the memory for this malicious flash file by looking for the SWF magic bytes.

After spotting the swf exploit with the payload in memory:

Extract the swf from memory using the writemem command.
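The memory search for SWF magic bytes described above, as an added example that is not from the original post: a small carver that scans a memory dump for FWS/CWS headers, validates the header fields, and inflates CWS hits so the embedded file can be handed to a decompiler. `build_test_dump` is a constructed sample; a real dump would come from the debugger.

```python
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS")  # uncompressed and zlib-compressed SWF signatures


def parse_swf_header(buf, off):
    """Return (signature, version, file_length) if buf[off:] looks like a SWF header, else None."""
    if off + 8 > len(buf):
        return None
    sig, ver = buf[off:off + 3], buf[off + 3]
    length = struct.unpack_from("<I", buf, off + 4)[0]
    # file_length includes the 8-byte header; version 0 or absurd sizes are false positives
    if sig not in SWF_MAGICS or ver == 0 or length < 8 or length > 64 * 1024 * 1024:
        return None
    return sig, ver, length


def carve_swf(dump):
    """Scan a memory dump for SWF headers and return [(offset, version, swf_bytes)].

    Compressed (CWS) hits are inflated and rewritten as FWS so the carved file can be
    opened directly in an ActionScript decompiler."""
    found, pos = [], 0
    while pos < len(dump):
        hits = [i for i in (dump.find(m, pos) for m in SWF_MAGICS) if i != -1]
        if not hits:
            break
        off = min(hits)
        pos = off + 1
        hdr = parse_swf_header(dump, off)
        if hdr is None:
            continue
        sig, ver, length = hdr
        if sig == b"FWS":
            body = dump[off + 8:off + length]
        else:
            try:  # inflate only as many bytes as the header promises
                body = zlib.decompressobj().decompress(dump[off + 8:], length - 8)
            except zlib.error:
                continue
        if len(body) != length - 8:
            continue  # truncated in memory, or the magic bytes were a coincidence
        found.append((off, ver, b"FWS" + dump[off + 3:off + 8] + body))
    return found


def build_test_dump():
    """Constructed sample dump: junk, a decoy 'FWS', an uncompressed SWF, junk, a compressed SWF."""
    body = bytes(range(40))
    fws = b"FWS" + bytes([21]) + struct.pack("<I", 8 + len(body)) + body
    cws = b"CWS" + bytes([21]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    return b"\x00" * 17 + b"FWSxx" + fws + b"\xff" * 9 + cws + b"\x00" * 5
```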

This swf contains many ActionScript objects.

In the Data4 object, notice the import of com.adobe.tvsdk.mediacore.timeline.operations.DeleteRangeTimelineOperation and the use of the placement object, both of which are part of the Adobe Primetime SDK.

Looking at the Data99 class, we observe that the flash90 variable is declared with type DeleteRangeTimelineOperation and is set to null. Later in the code, at line 236, this variable is type-confused with the placement property, triggering the vulnerability, which gives the attacker arbitrary read and write access to memory.

The exploit sprays the memory with shellcode.

Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signatures to protect their customers:

  • GAV 16631: CVE-2016-4117.A
  • SPY 4502: Malformed-File swf.MP.410