Vulnerability on Adobe Flash Player, Exploit in the Wild (Sep 23, 2016)

Adobe Flash Player is prone to a use-after-free vulnerability, CVE-2016-4228. It affects Adobe Flash Player before 18.0.0.366 and 19.x through 22.0.0.209 on Windows and OS X, and before 11.2.202.632 on Linux. An attacker could exploit this vulnerability remotely with a crafted SWF file, for example one embedded in an HTML page. A successful attack could result in arbitrary code execution with the privileges of the current process.

A proof-of-concept exploit is already in the wild (see reference). A detailed analysis follows:

The object class involved in this use-after-free is MovieClip, which is used to manipulate movie clips in ActionScript. The PoC uses the createEmptyMovieClip() function to create such an object.


Figure 1: Documented createEmptyMovieClip() function and its usage.

Afterwards a Rectangle property is defined on the flash.geom package, with its getter and setter both pointing at the same function. In that function, the previously created MovieClip object (mc) is freed using the removeMovieClip() method.

var g = flash.geom;
g.addProperty("Rectangle", func, func); // point both getter and setter at the same function

function func()
{
    trace("here");
    mc.removeMovieClip(); // ... and in this function, the MovieClip object is freed
    ... // fix heap
}

At this point the MovieClip object is not yet freed; it is freed only when the getter/setter function is actually invoked. When the getter/setter is invoked through a normal property access, the object's reference count is reduced by 1, the object is freed, and every reference to it is destroyed as well, so no use-after-free occurs.

However, an undocumented function can invoke the getter/setter while the reference to the MovieClip object is retained: ASnative(). ASnative() returns the handler or property of an ActionScript function, selected by its two parameters:

var f = ASnative(900,405);

The PoC then accesses the retained reference to the freed MovieClip object, triggering the use-after-free.
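The root-cause pattern described above, as an added example that is not part of the advisory and not Flash Player's code: a reference-counted object standing in for the MovieClip, a script-supplied getter that drops the object's reference (as the PoC's func() does with removeMovieClip()), an accessor that keeps only a raw pointer across the callback and so ends up dangling, and the hardened accessor that pins the object with its own reference first. All type and function names (Clip, clip_new, access_property_unsafe, access_property_safe, dropping_getter) are constructed for the example; the "freed" check compares pointer values only and never dereferences freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a reference-counted runtime object standing in for the
 * MovieClip of the advisory. Constructed for this example only. */
typedef struct Clip {
    int refcount;
    char name[32];
} Clip;

/* Bookkeeping only: address of the most recently freed Clip, so an accessor
 * can tell whether its raw pointer went dangling. Compared, never dereferenced. */
static const Clip *last_freed = NULL;

static Clip *clip_new(const char *name)
{
    Clip *c = calloc(1, sizeof *c);
    if (c == NULL) {
        perror("calloc");
        exit(EXIT_FAILURE);
    }
    c->refcount = 1;                          /* the creator holds one reference */
    strncpy(c->name, name, sizeof c->name - 1);
    return c;
}

static void clip_retain(Clip *c) { c->refcount++; }

static void clip_release(Clip *c)
{
    if (--c->refcount == 0) {
        last_freed = c;                       /* remember which object died */
        free(c);
    }
}

/* Shape of a script-supplied property getter. */
typedef void (*getter_fn)(Clip *mc);

/* Models the PoC's func(): the getter drops the clip's reference
 * (the equivalent of mc.removeMovieClip() in the advisory). */
static void dropping_getter(Clip *mc) { clip_release(mc); }

/* Unsafe accessor: the runtime calls the script getter while holding only a
 * raw pointer to mc and intends to use mc afterwards. Returns 1 when mc was
 * freed during the callback (the follow-on access would be a use-after-free),
 * 0 when mc is still alive. */
static int access_property_unsafe(Clip *mc, getter_fn getter)
{
    last_freed = NULL;
    getter(mc);
    if (last_freed == mc)
        return 1;                             /* a real runtime would now read freed memory */
    printf("unsafe path: %s still alive\n", mc->name);
    return 0;
}

/* Hardened accessor: the runtime pins mc with a reference of its own for as
 * long as it keeps a raw pointer, so a getter that releases the script's
 * reference cannot free the object underneath the runtime. Returns 1 if mc
 * was nonetheless freed during the callback, else 0. */
static int access_property_safe(Clip *mc, getter_fn getter)
{
    clip_retain(mc);                          /* runtime's own reference */
    last_freed = NULL;
    getter(mc);
    if (last_freed == mc)
        return 1;                             /* cannot happen while the pin is held */
    printf("safe path: %s still alive after getter\n", mc->name);
    clip_release(mc);                         /* drop the pin; frees mc if it was the last reference */
    return 0;
}

int main(void)
{
    Clip *a = clip_new("mc");
    printf("unsafe accessor dangling: %d\n", access_property_unsafe(a, dropping_getter));
    Clip *b = clip_new("mc");
    printf("safe accessor dangling:   %d\n", access_property_safe(b, dropping_getter));
    return 0;
}
```

The difference between the two accessors is the whole mitigation: whenever native code keeps a raw pointer to a script-visible object across a call back into script, it must take its own reference before the call and release it after, rather than trusting that the script still holds one.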

The break-down of the PoC is shown in the figure below:

Figure 4: The PoC exploit

Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signatures to protect their customers:

  • SPY:1024
  • SPY:1371

Reference: https://bugs.chromium.org/p/project-zero/issues/detail?id=842
