There was a critical zero day vulnerability CVE-2015-7645 found on Oct 13, 2015 and it was discovered firstly to be used by cyber-espionage campaign Pawn Storm. Adobe has acknowledged and released an emergent patch later that week. By exploiting this vulnerability, a remote attacker can execute arbitrary code on the target systems running vulnerable versions of Adobe Flash Player via a crafted SWF file. The affected versions include Adobe Flash Player 18.x through 18.0.0.252 and 19.x through 19.0.0.207 on Windows and OS X and 11.x through 11.2.202.535 on Linux. An immediate patch is suggested by the Adobe.

Specifically, the vulnerability exists in the IExternalizable interface supported by ActionScript of Adobe Flash Player. A type-confusion vulnerability exists when the function writeExternal pointer is overwritten by another different type variable with the same name. The overwritten pointer can be pointed to arbitrary code which may be controlled by an attacker.

There are multiple exploits have been found for this vulnerability, and some of them are identified to be used by Angler Exploit Kits, for example, the following are two hashes of the files:

• d3e3194e612e7f9df804aea2f2ab818dd25a392b7a4b44f144a8d85ec8bc766d
• 1b332c513d20e01208ee7dc3c80fc231b49cfd03a9be6c49990372d742381985

The following codes from one the exploits shows how the writeExternal function was overwritten by a variable claim and assignment:

And it was called later:

An example of the obfuscated Action Script code from the exploits is below:

Dell SonicWALL have researched this vulnerability at the same week as the vulnerability was discovered and released multiple signatures to cover the exploits in the wild:

• GAV: CVE-2015-7645 (Exploit)
• GAV: CVE-2015-7645_2 (Exploit)
• GAV: CVE-2015-7645_3 (Exploit)
• GAV: CVE-2015-7645_4 (Exploit)