Hot on the heels of the last zero-day vulnerability that was found from the Hacking Team data leak (i.e. CVE-2015-5119) comes yet another that may be as dangerous: CVE-2015-5122, a vulnerability in Adobe Flash Player. If exploited, it could result in a crash that would allow an attacker to take control of the vulnerable system. And yes, just like CVE-2015-5119, it affects all recent versions of Flash on Windows, Mac and Linux (i.e. 126.96.36.199).
This is a new vulnerability apart from the ones we discussed in Unpatched Flash Player Flaw, More POCs Found in Hacking Team Leak, which were two Flash bugs and one in the Windows kernel. One of these Flash vulnerabilities has since been used in various exploit kits.
The good news: it’s still a Proof-of-Concept, and we are still looking to see if it is already being used in an attack. The bad news: there’s no patch for it out yet, but there should be one coming up as we had notified Adobe as soon as we verified the vulnerability itself (July 11, 10:30 AM, GMT +8). Adobe sent out the security advisory for this vulnerability at 11:40 AM (GMT+8).
So how does the vulnerability work?
With our analysis, we discovered that it is a Use-After-Free vulnerability involving the methods TextBlock.createTextLine() and TextBlock.recreateTextLine(textLine).
The trigger involves the method my_textLine.opaqueBackground = MyClass_object. What happens is that the MyClass.prototype.valueOf is overriden, as such the valueOf function it will call TextBlock.recreateTextLine(my_textLine). The my_textLine function is then used after it is freed.
We debugged the POC on an X86 environment, so the vulnerability trigger is in MyClass32 class. The exploit function itself is TryExpl of MyClass32.
The exploit steps are as follows:
- A new Array is named _ar, the length of _ar is _arLen = 126. _ar[0…29] is set by Vector.<uint>, vector length is 0x62. _ar[46….125] is set by Vector.<uint>, vector length is 0x8. _ar[30….45] is set by testLine using _tb.createTextLine(), and the textLine. opaqueBackground is set to 1.
- The MyClass.prototype.valueOf is overriden using MyClass.prototype.valueOf = valueOf2, and using _ar[_cnt].opaqueBackground = _mc to trigger the valueOf2 function. _mc is an instance of MyClass.
- In valueOf2 function, it will call _tb. recreateTextLine(_ar[index]) to free the textLine function allocated in step 1. Then, the vector’s length is set from 0x8 to 0x62 to occupy the memory of the freed textLine. The valueOf2 function will return with 0x62 + 8 = 0x6a, so _ar[_cnt].opaqueBackground will be set to 0x6a until valueOf2 return. To ensure the overwriting of the occupy vector length field, the valueOf2 function uses recursive invocation.
- After overwriting the vector length to 0x6a, it searches the corrupt vector, and sets the neighbor vector length to 0x40000000.
Updated July 11, 2015, 12:43 AM (UTC-7) to clarify some technical details.
Updated July 12, 2015, 7:46 PM (UTC-7)
Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:
- 1006858 – Adobe Flash ActionScript3 opaqueBackground Use After Free Vulnerability (CVE-2015-5122)
Updated July 14, 2015, 3:05 AM PDT (UTC-7)
Upon further investigation of feedback from the Trend Micro™ Smart Protection Network™, after Kafeine mentioned that Angler Exploit Kit added the exploit code using CVE-2015-5122, we found that the Nuclear and Rig Exploit Kits now include CVE-2015-5122 to their laundry list of exploits on July 13 (UTC – 07:00). The Nuclear Exploit Kit leads to one of notorious banking Trojan family, TROJ_CARBERP (NvdUpd.exe), and the Rig Exploit Kit leads to one of backdoor with possible infostealing capabilities, BKDR_TOFSEE (F01A – Copy.tmp). We are currently analyzing these payloads and will later update this blog post with the details.
With analysis by Brooks Li
Updated July 14, 2015, 9:53 AM PDT (UTC-7)
Adobe has released security updates that address critical vulnerabilities, including the one mentioned in this entry, in Adobe Flash Player for Windows, Mac, and Linux. These vulnerabilities could allow attackers to take control of the affected system. The advisory APSB15-18 states that the update addresses affected versions, which include versions 188.8.131.52 and earlier.
Users should update their Adobe Flash as soon as possible. They can verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select About Adobe (or Macromedia) Flash Player from the menu.
Timeline of posts related to the Hacking Team
|July 5||The Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public.|
Three exploits – two for Flash Player and one for the Windows kernel—were initially found in the information dump. One of these [CVE-2015-5119] was a Flash zero-day.
The Windows kernel vulnerability (CVE-2015-2387) existed in the open type font manager module (ATMFD.dll) and can be exploited to bypass the sandbox mitigation mechanism.
|July 11||Two new Flash zero-day vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were found in the hacking team dump.|
|July 13||Further analysis of the hacking team dump revealed that the company used UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems.|
|July 14||A new zero-day vulnerability (CVE-2015-2425) was found in Internet Explorer.|
|July 16||On the mobile front, a fake news app designed to bypass Google Play was discovered.|
|July 20||A new zero-day vulnerability (CVE-2015-2426) was found in Windows, which Microsoft fixed in an out-of-band patch.|
|July 21||Analysis of the RCSAndroid spying tool revealed that Hacking Team can listen to calls and roots devices to get in.|
|July 28||A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team.|