
More Adobe Flash (SWF) Exploits Discovered in the Wild for CVE-2015-5119

CVE-2015-5119 is a use-after-free vulnerability in the ByteArray class of ActionScript 3. Adobe first released the advisory for CVE-2015-5119 in July and the first exploit surfaced soon after. We continue to observe new exploits in the wild.

A typical exploit using this vulnerability adds an extra layer of obfuscation by wrapping the exploit ActionScript code in a second Flash file, which is embedded as a binary within the outer Flash file. The following image shows the decompiled outer SWF file. Here you can see the binary byte array included in the outer SWF file:

This image shows the encrypted bytes of the binary file (which will be retrieved through a ByteArrayAsset class in ActionScript and decoded):

The following function decodes the binary with an embedded key and obfuscated system function calls:

This image shows the binary of the embedded Flash file after decryption:

Finally, we can see the exploit code for CVE-2015-5119 that resides inside the inner SWF file. This exploit uses the valueOf property on a ByteArray:

Dell SonicWALL has observed hundreds of exploits using the Flash wrapping method in the wild since July. Multiple GAV signatures have been created to protect customers. The following are some of them:

  • 28005 CVE-2015-5119.AJ
  • 27997 CVE-2015-5119.C_3
  • 27992 CVE-2015-5119.A_17
  • 19262 CVE-2015-5119_3
  • 18484 CVE-2015-5119_2
  • 18363 CVE-2015-5119.AN_2
  • 16398 CVE-2015-5119.C_4
  • 16399 CVE-2015-5119.C_5

Multiple Exploits for CVE-2015-5119 Observed in the Wild (Sept 18, 2015)

CVE-2015-5119 is a use-after-free vulnerability in the ByteArray class of ActionScript 3. Adobe first released the advisory for CVE-2015-5119 in July and the first exploit surfaced soon after. We have kept observing new exploits that use this vulnerability since then, and multiple distinct exploits have been observed.

A typical exploit using this vulnerability wraps the exploit ActionScript code in a second Flash file, which is embedded as a binary within the outer Flash file. Here is an example of the binary:

The binary file is retrieved through a ByteArrayAsset class in ActionScript for decoding:

The following function decodes the binary with an embedded key and obfuscated system function calls:

After decoding, the binary of the embedded Flash file is shown below:

By decompiling it, we can see the exploit code for CVE-2015-5119:

Dell SonicWALL has observed hundreds of exploits using the Flash wrapping method in the wild since July. Multiple GAV signatures have been created to protect customers. The following are some of them:

  • 28044 CVE-2015-5119a.A
  • 28030 CVE-2015-5119.AJ_2
  • 28005 CVE-2015-5119.AJ
  • 27997 CVE-2015-5119.C_3
  • 27992 CVE-2015-5119.A_17
  • 19262 CVE-2015-5119_3
  • 18484 CVE-2015-5119_2
  • 18363 CVE-2015-5119.AN_2

CVE-2015-5119 (Recent Adobe Flash 0-day) Exploit in the Wild

We called out in our previous SonicAlert that CVE-2015-5119 is very easy to exploit. It is not a surprise that exploit kits have already updated their arsenals to include this CVE. Here is an analysis of a sample used by the Nuclear Exploit Kit:

As you can see, the sample is heavily obfuscated. Decompilation of obfuscated SWF exploits is often imperfect, but this time it was successful. We used the FlashDevelop IDE to 'debug' this sample. First we exported the 'Scripts' and the 'binaryData' section from this exploit and created a new Flex ActionScript project.

This is a typical two-stage exploit where stage 1 loads bytes from 'binaryData' and decrypts them. The decrypted data is the second-stage SWF file, which actually contains the exploit. We can see the key being passed to the decrypt routine:

This decrypt routine returns a ByteArray containing the stage 2 SWF file. We used ActionScript's trace functionality to dump this array: a trace statement was injected into the decryption routine to print the array to a log file:

The log dumps the bytes:

Looking at it in a hex view, we can see that it is a compressed SWF file.

Let’s decompile this file:

We can clearly see the vulnerability being exploited.
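All three analyses above describe the same layout: an outer SWF whose embedded binary (DefineBinaryData) holds an encrypted second-stage SWF. The scanner below is an added triage example, not SonicWall tooling and not code from any of the samples; it parses the SWF container (FWS uncompressed, CWS zlib-compressed; ZWS/LZMA is recognised but not inflated), walks the tag list, and reports each binary blob, flagging whether it starts with an SWF signature (plain nesting) or has near-8-bit entropy (candidate encrypted stage 2). The sample files it builds are constructed here purely to exercise the parser and contain no exploit code; the 550x400 stage size and tag codes are the standard SWF values.

```python
"""Triage helper for the wrapped-SWF layout described in these posts.

Added example, not SonicWall's tooling. Reports DefineBinaryData (tag 87)
blobs inside an SWF: nested SWFs and high-entropy (likely encrypted) payloads.
"""
import math
import struct
import zlib

DEFINE_BINARY_DATA = 87
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0-8.0); values near 8 suggest encryption or compression."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decompress_swf(data: bytes) -> tuple:
    """Return (signature, body after the 8-byte header), inflating CWS files."""
    sig = data[:3]
    if sig not in SWF_SIGNATURES:
        raise ValueError("not an SWF file")
    if sig == b"FWS":
        return sig, data[8:]
    if sig == b"CWS":
        return sig, zlib.decompress(data[8:])
    raise ValueError("ZWS (LZMA) container is not handled by this example")


def iter_tags(body: bytes):
    """Yield (tag_code, payload) for each tag after the RECT, frame rate and frame count."""
    nbits = body[0] >> 3                      # RECT: 5-bit field width, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8            # RECT size in bytes
    pos += 4                                  # frame rate (u16) + frame count (u16)
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                    # long form: explicit u32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                         # End tag
            break


def scan_swf(data: bytes, depth: int = 0, max_depth: int = 3) -> dict:
    """Describe an SWF and every DefineBinaryData blob it carries, recursing into nested SWFs."""
    sig, body = decompress_swf(data)
    report = {"signature": sig.decode(), "version": data[3], "tags": [], "blobs": []}
    for code, payload in iter_tags(body):
        report["tags"].append(code)
        if code != DEFINE_BINARY_DATA or len(payload) < 6:
            continue
        char_id = struct.unpack_from("<H", payload, 0)[0]   # u16 CharacterID, u32 reserved
        blob = payload[6:]
        entropy = shannon_entropy(blob)
        entry = {
            "character_id": char_id,
            "size": len(blob),
            "entropy": round(entropy, 2),
            "nested_swf": blob[:3] in SWF_SIGNATURES,
            "likely_encrypted": blob[:3] not in SWF_SIGNATURES and entropy > 7.0,
        }
        if entry["nested_swf"] and depth < max_depth:
            entry["inner"] = scan_swf(blob, depth + 1, max_depth)
        report["blobs"].append(entry)
    return report


# --- constructed sample files (no exploit code), just enough to exercise the scanner ---
def swf_rect(values, nbits: int = 15) -> bytes:
    """Bit-pack an SWF RECT: 5-bit Nbits, then four Nbits-wide twips values."""
    bits = f"{nbits:05b}" + "".join(f"{v:0{nbits}b}" for v in values)
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def swf_tag(code: int, payload: bytes = b"") -> bytes:
    """Encode a tag header (short form below 63 bytes, long form otherwise)."""
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def build_swf(tags: bytes, compress: bool = False, version: int = 10) -> bytes:
    """Minimal SWF: header, 550x400 px stage, 24 fps, 1 frame, then the given tags."""
    body = swf_rect((0, 11000, 0, 8000)) + struct.pack("<HH", 24 << 8, 1) + tags
    header = bytes([version]) + struct.pack("<I", 8 + len(body))
    return (b"CWS" + header + zlib.compress(body)) if compress else (b"FWS" + header + body)


def build_wrapped_sample() -> bytes:
    """Outer CWS carrying an inner FWS in a DefineBinaryData tag (the posts' layout)."""
    inner = build_swf(swf_tag(1) + swf_tag(0))                 # ShowFrame + End
    blob = struct.pack("<HI", 1, 0) + inner                     # CharacterID 1, reserved
    return build_swf(swf_tag(DEFINE_BINARY_DATA, blob) + swf_tag(1) + swf_tag(0), compress=True)


def build_opaque_sample() -> bytes:
    """Outer SWF whose blob has maximal entropy, standing in for an encrypted stage 2."""
    blob = struct.pack("<HI", 1, 0) + bytes(range(256)) * 4
    return build_swf(swf_tag(DEFINE_BINARY_DATA, blob) + swf_tag(1) + swf_tag(0), compress=True)


if __name__ == "__main__":
    for name, sample in (("wrapped", build_wrapped_sample()), ("opaque", build_opaque_sample())):
        print(name, scan_swf(sample))
```

The entropy threshold is a heuristic: legitimate SWFs embed fonts, images and other compressed assets in DefineBinaryData too, so a high-entropy blob is a reason to pull the file for decompilation, not a verdict on its own. The real samples in these posts would show up as a single high-entropy blob plus heavily obfuscated ActionScript, which is the combination worth alerting on.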

The SonicWall team has created the following signatures that protect customers from this exploit.

  • [GAV] CVE-2015-5119.B_3 (Exploit)
  • [GAV] CVE-2015-5119.A_12 (Exploit)
  • [GAV] CVE-2015-5119.A_11 (Exploit)
  • [GAV] CVE-2015-5119.A_10 (Exploit)
  • [GAV] CVE-2015-5119.A_9 (Exploit)
  • [GAV] CVE-2015-5119.A_8 (Exploit)
  • [GAV] CVE-2015-5119.A_7 (Exploit)
  • [GAV] CVE-2015-5119.TTY (Exploit)
  • [GAV] CVE-2015-5119.A_6 (Exploit)
  • [GAV] CVE-2015-5119.A_5 (Exploit)
  • [GAV] CVE-2015-5119.A_4 (Exploit)
  • [GAV] CVE-2015-5119.A_3 (Exploit)
  • [GAV] CVE-2015-5119.C_2 (Exploit)
  • [GAV] CVE-2015-5119.C (Exploit)
  • [GAV] CVE-2015-5119.B_2 (Exploit)
  • [GAV] CVE-2015-5119.B (Exploit)
  • [GAV] CVE-2015-5119.A_2 (Exploit)
  • [GAV] CVE-2015-5119.A (Exploit)
  • [GAV] CVE-2015-5119.DH_2 (Exploit)
  • [GAV] CVE-2015-5119.DH (Exploit)

Two more Flash 0-days as a result of the HackingTeam data leak

As we discussed in our previous blog on the recent Adobe 0-day (CVE-2015-5119), two more vulnerabilities surfaced from the same HackingTeam data leak:

  • CVE-2015-5122: Adobe Flash ActionScript3 opaqueBackground Use After Free Vulnerability
  • CVE-2015-5123: Adobe Flash Player BitmapData Remote Code Execution Vulnerability

All three vulnerabilities are use-after-free bugs, although they occur in different classes. The exploits trigger the bug by overriding the 'valueOf()' function of these classes. During the override, the associated object is either freed or relocated. This invalidates the address the engine is still holding, which triggers the vulnerability.

Here is an example of CVE-2015-5123 where a 'BitmapData' object is created and disposed by overriding the 'valueOf()' function:

The SonicWall team has written the following signatures that protect our customers from these exploits:

  • 15380.CVE-2015-5119.B_3 Exploit
  • 15392.CVE-2015-5119.A Exploit
  • 15398.CVE-2015-5119.DH_2 Exploit
  • 15399.CVE-2015-5119.A_2 Exploit
  • 15400.CVE-2015-5119.B Exploit
  • 15404.CVE-2015-5119.C Exploit
  • 15410.CVE-2015-5119.C_2 Exploit
  • 15413.CVE-2015-5119.A_4 Exploit
  • 15415.CVE-2015-5119.A_5 Exploit
  • 15416.CVE2015-5119.SW Exploit
  • 15418.CVE-2015-5119.A_6 Exploit
  • 15419.CVE-2015-5119.TTY Exploit
  • 15420.CVE-2015-5119.A_7 Exploit
  • 15423.CVE-2015-5119.A_10 Exploit
  • 15424.CVE-2015-5119.A_11 Exploit
  • 15426.CVE-2015-5119.A_12 Exploit
  • 15550.CVE-2015-5122.SW Exploit
  • 15553.CVE-2015-5122 Exploit
  • 15670.CVE-2015-5123.A Exploit

0-day Flash Exploit From Hacking Team Data Leak (July 7, 2015)

HackingTeam has discovered a 0-day exploit in the wild in Flash Player. This exploit works against the most recent version of Flash Player (18.0.0.194). The exploit triggers a use-after-free vulnerability in Flash Player.

The vulnerability occurs when an element of a ByteArray of a certain size is initialized with an object. The assignment first saves the offset address of the array in a local variable. Then, to compute the value of the object, the 'valueOf()' function is called on the object. This function is overridden so that the code changes the length of the ByteArray and the array is relocated. This invalidates the saved offset address, triggering the use-after-free. With this vulnerability it is very easy to predict and control the address, which makes it very easy to exploit.
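The sequence just described (cache the buffer offset, run a script-controlled 'valueOf()', then use the cached offset) is the whole bug class behind CVE-2015-5119, CVE-2015-5122 and CVE-2015-5123. The following is an added educational model of that sequence, not Adobe's code and not an exploit: memory is a simulated heap (a bytearray whose freed regions are poisoned), the ByteArray relocates on growth, and a stand-in object's valueOf() grows the array mid-store. The "fixed" variant re-reads the base and re-checks bounds after the callback, which is the generic remedy for use-after-callback bugs rather than a description of Adobe's actual patch. All class and function names are this example's own.

```python
"""Model of the use-after-callback bug class behind CVE-2015-5119.

Added example, not Adobe's code and not an exploit. The heap is simulated,
so nothing here touches real process memory.
"""


class SimHeap:
    """Bump allocator over a bytearray; freed regions are poisoned and recorded."""

    def __init__(self, size: int = 4096):
        self.mem = bytearray(size)
        self.next_free = 0
        self.freed = []          # list of (start, end) half-open ranges

    def alloc(self, n: int) -> int:
        start = self.next_free
        self.next_free += n
        return start

    def free(self, start: int, n: int) -> None:
        self.mem[start:start + n] = b"\xdd" * n   # poison, like a debug allocator
        self.freed.append((start, start + n))

    def is_freed(self, addr: int) -> bool:
        return any(s <= addr < e for s, e in self.freed)


class SimByteArray:
    """Growable byte buffer; growing relocates the data and frees the old region."""

    def __init__(self, heap: SimHeap, length: int):
        self.heap, self.length = heap, length
        self.base = heap.alloc(length)

    def set_length(self, new_length: int) -> None:
        new_base = self.heap.alloc(new_length)
        old = self.heap.mem[self.base:self.base + self.length]
        self.heap.mem[new_base:new_base + self.length] = old
        self.heap.free(self.base, self.length)
        self.base, self.length = new_base, new_length


class ResizingValue:
    """Stands in for a script object whose overridden valueOf() grows the array."""

    def __init__(self, arr: SimByteArray, new_length: int, value: int):
        self.arr, self.new_length, self.value = arr, new_length, value

    def valueOf(self) -> int:
        self.arr.set_length(self.new_length)      # relocates arr.base during the store
        return self.value


def set_element_vulnerable(arr: SimByteArray, index: int, obj) -> int:
    """Buggy store: offset cached before the conversion callback, reused after it."""
    base = arr.base                 # (1) save the buffer address
    value = obj.valueOf()           # (2) script callback runs; the array may move
    addr = base + index             # (3) stale address
    arr.heap.mem[addr] = value & 0xFF
    return addr


def set_element_fixed(arr: SimByteArray, index: int, obj) -> int:
    """Hardened store: convert first, then re-read the base and re-check bounds."""
    value = obj.valueOf()
    if index >= arr.length:
        raise IndexError("index out of range after valueOf()")
    addr = arr.base + index         # fresh base, taken after the callback
    arr.heap.mem[addr] = value & 0xFF
    return addr


def demo() -> dict:
    """Run both variants on fresh heaps and report where each write landed."""
    heap = SimHeap()
    arr = SimByteArray(heap, 16)
    bad = set_element_vulnerable(arr, 4, ResizingValue(arr, 64, 0x41))
    heap2 = SimHeap()
    arr2 = SimByteArray(heap2, 16)
    good = set_element_fixed(arr2, 4, ResizingValue(arr2, 64, 0x41))
    return {
        "vulnerable_wrote_to_freed": heap.is_freed(bad),
        "vulnerable_live_value": heap.mem[arr.base + 4],
        "fixed_wrote_to_freed": heap2.is_freed(good),
        "fixed_live_value": heap2.mem[arr2.base + 4],
    }


if __name__ == "__main__":
    print(demo())
```

The model makes the defender's point concrete: the write in the vulnerable path lands in memory the allocator has already released, so whatever the allocator hands out next for that region is what the script ends up controlling. Any native setter that can re-enter script (through valueOf(), toString(), getters or event handlers) has to treat every pointer and length it read before the call as invalid afterwards.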

We are closely monitoring if there are any other exploits in-the-wild.

SonicWall has written the following signatures that protect our customers from this exploit:

  • SPY 1069 : Malformed-File swf.OT.29
  • SPY 1366 : Malformed-File swf.MT.16

This vulnerability is tracked as CVE-2015-5119.