A New Zero-Day of Adobe Flash CVE-2015-0313 Exploited in the Wild

Just yesterday Adobe announced a zero-day vulnerability in Adobe Flash Player version 16.0.0.296. The zero-day exploit is delivered by a lesser-known exploit kit, HanJuan, potentially attacking a large number of users. Since the attack exploits Adobe Flash, the malicious code will successfully execute in various browsers and on different Windows versions.

We've seen a surge in the exploitation of Flash recently. We just finished analyzing zero-day vulnerability CVE-2015-0311 that was used by the prevalent Angler exploit kit to deliver malware and infect unsuspecting users. And now CVE-2015-0313 has appeared in the wild.

The vulnerability is a use-after-free caused by a bug in how Flash handles the FlashCC (previously Flash Alchemy) "fast memory access" feature (domainMemory) when the latter is used by Flash Workers (Flash threads).

Before we dive into the vulnerability details, we'll explain the important Flash components involved in the exploit.

What are Workers in Flash?

Not too long ago Adobe added support for background threads, which are represented in ActionScript as "Workers." The purpose of a worker is to give the developer the possibility of running simultaneous tasks without freezing the Flash application - this is an abstraction layer to support multi-threading within Flash.

What is a Shared Property?

Adobe's documentation includes the following details about shared properties:

[1] "The most basic way to share data between workers is to use a shared property. Each worker maintains an internal dictionary of shared property values. The properties are stored with String key names to distinguish between the properties." (Adobe)

Shared properties allow for the sharing of objects and data between workers. These objects are mutable and can be set or read by a worker using the setSharedProperty/getSharedProperty methods.

What Actually Happens?

Flash supports the FlashCC/Alchemy project, a feature that allows C/C++ applications to run within Flash. As part of this feature, Adobe makes it possible to access the process memory directly from ActionScript; this is named "fast memory access". Fast memory access is achieved by setting the current domain's domainMemory to a predefined ByteArray, as follows:

ApplicationDomain.currentDomain.domainMemory = this.ByteArray1;

When this ByteArray is freed from memory, our Flash application deletes the reference from the domainMemory object. However, if this ByteArray is freed by another thread/worker, the domainMemory object still holds a pointer to already freed memory. Such a condition is a security risk and is usually classified as a use-after-free vulnerability. Using the reference to the freed memory area, it is possible to access the heap memory block directly.
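A simplified C model of the lifetime problem described above, together with a check that closes it. This is an added example, not code from the original post or from Flash Player: all names are assumptions, the "worker" is an ordinary function call rather than a thread, and the generation counter is one general mitigation pattern, not Adobe's fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, assumed names; gen changes whenever storage is freed. */
typedef struct { uint8_t *data; size_t len; unsigned gen; } byte_array;

/* domainMemory binding: aliased buffer + generation seen at bind time. */
typedef struct { byte_array *owner; unsigned gen_at_bind; } domain_memory;

static int ba_init(byte_array *b, size_t len, uint8_t fill) {
    b->data = malloc(len);
    if (!b->data) return -1;
    memset(b->data, fill, len);
    b->len = len;
    return 0;
}

/* clear(): callable from any worker; frees storage and bumps the generation. */
static void ba_clear(byte_array *b) {
    free(b->data);
    b->data = NULL; b->len = 0; b->gen++;
}

static void dm_bind(domain_memory *dm, byte_array *b) {
    dm->owner = b; dm->gen_at_bind = b->gen;
}

/* The bug class: the binding outlived the storage it was made for. */
static int dm_is_stale(const domain_memory *dm) {
    return dm->owner == NULL || dm->owner->gen != dm->gen_at_bind;
}

/* Checked access: refuse stale bindings and out-of-range offsets. */
static int dm_read8(const domain_memory *dm, size_t off, uint8_t *out) {
    if (dm_is_stale(dm) || off >= dm->owner->len) return -1;
    *out = dm->owner->data[off];
    return 0;
}

int main(void) {
    byte_array b = {0}; domain_memory dm = {0}; uint8_t v = 0;
    if (ba_init(&b, 16, 0x41) != 0) return 1;
    dm_bind(&dm, &b);
    ba_clear(&b);  /* the "worker" frees the buffer that is still bound */
    printf("stale=%d refused=%d\n", dm_is_stale(&dm), dm_read8(&dm, 0, &v) != 0);
    return 0;
}
```

Reallocating the same buffer after `ba_clear()` does not revive the old binding, because the generation no longer matches; only an explicit new `dm_bind()` does.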

The exploit uses heap spraying to fill this freed memory with Vector Objects and corrupt the size of a given vector setting it to a very large size. This corrupted Vector will later be used to access the entire memory of the browser process and to gain code execution over the machine.

Let us try and take a look at the malicious code reproduced in our labs to understand the vulnerability:

The following ActionScript code:

  1. Creates a Worker and sets up the communication channels between the main application and the worker.
  2. Creates a ByteArray and shares it with the Worker through shared properties.
  3. Fills the ByteArray (ByteArray1) with data.
  4. Sets the domainMemory (FlashCC) binaryData to ByteArray1's memory region. This creates a reference inside domainMemory. An exploit will use this reference to corrupt a vector's size property and eventually get access to the entire browser's memory.
  5. Sends a message (just a string, "ghbdtn"; its value is of no importance) through the communication channel to inform the worker to free ByteArray1 from memory (while domainMemory still holds a reference).

[Screenshot: ActionScript code of the main application]

The Worker receives a message ("ghbdtn") from the main application and does the following:

  1. Frees ByteArray1 by calling .clear(); at this point, however, domainMemory still holds a reference to it.
  2. Allocates ByteArray2 over the freed space of ByteArray1 and fills it with 0xBBBBBBBB dwords (important for the exploitation stages).
  3. Passes the ByteArray object to the main worker through setSharedProperty.
  4. Sends back another message ("vbh") to inform the main worker to free ByteArray2.

[Screenshot: ActionScript code of the Worker]

At this point, the main application frees the heap object of the ByteArray without removing the reference from domainMemory:

[Screenshot: ActionScript code in the main application that frees the ByteArray]

After analyzing the ActionScript code, we could identify that exactly the same heap spray and a very similar exploitation technique were used in CVE-2015-0311, which leads us to believe that this vulnerability was discovered by the same researcher.

The following screenshot shows the crash caused by the use-after-free vulnerability reproduced in our labs:

[Screenshot: crash caused by the use-after-free vulnerability]

According to TrendMicro, the first to identify the malvertisement attack, and evidence collected by Kafeine, the attack was delivered through malicious advertisements served on very popular sites such as dailymotion.com, with a high potential of reaching a very large number of users, as no patch is currently available for this vulnerability.

According to TrendMicro: "Visitors of the popular site dailymotion.com were redirected to a series of sites that eventually led to the URL hxxp://www.retilio.com/skillt.swf"
