Earlier this week the Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public. The company was known for selling what it described as lawful interception tools for use by governments and law enforcement agencies, and it has stated in the past that it does not do business with oppressive countries.
Most of the leaked information covered Hacking Team’s business practices, which seemingly contradict its official statements on who it sells its products to. However, the leak also included the tools the company provided to carry out attacks, among them several exploits targeting Adobe Flash Player and Windows itself.
The information dump includes at least three exploits – two for Flash Player and one for the Windows kernel. One of the Flash Player vulnerabilities, CVE-2015-0349, has already been patched.
One of the Flash exploits is described by Hacking Team as “the most beautiful Flash bug for the last four years.” This Flash exploit has not yet been assigned a CVE number.
Figure 1. Description of vulnerability by Hacking Team
The leaked package contains both a Flash zero-day proof-of-concept (POC) which can open the Windows calculator and a release version with real attack shellcode.
In the POC, there is a readme document which describes the details of this zero-day, as we can see below. It states that this exploit affects Adobe Flash Player 9 and later, and that desktop/metro IE, Chrome, Firefox and Safari are all affected. External reports have stated that the latest version of Adobe Flash Player at the time of writing (18.0.0.194) is also affected.
Figure 2. Description of vulnerability by Hacking Team
Root Cause Analysis
The readme also describes the root cause of the vulnerability. It is a use-after-free (UAF) in the ByteArray class, which can be summarized as follows:
- When an object is stored into a ByteArray element with an assignment such as ba[i] = obj, the runtime calls the object’s valueOf function to convert it to a number.
- valueOf can be overridden, so attacker-controlled ActionScript runs in the middle of the store, and that code can change ba while the store is in progress.
- If that valueOf reallocates ba’s buffer (for example by changing ba.length), the store still writes through the buffer pointer it saved before calling valueOf. That pointer now refers to freed memory, which is the use-after-free.
Release Version Exploit Analysis
After triggering the UAF, the exploit corrupts the length field of a Vector.<uint> object to gain arbitrary memory read and write within the process. With this ability, the exploit performs the following:
- Search process memory for the kernel32.dll base address, then resolve the address of VirtualProtect.
- Find the address of the shellcode, which is stored in a ByteArray.
- Call VirtualProtect to make the shellcode memory executable.
- An empty static function named Payload is defined in the AS3 code.
- Find the address of the Payload function object, then the address of the actual function code that the object points to.
- Overwrite that function code address with the shellcode address.
- Call the static function Payload from AS3, which executes the shellcode.
- After the shellcode runs, restore the original function code address.
This method bypasses Control Flow Guard (CFG): instead of hijacking a CFG-checked indirect call, the exploit overwrites the code address stored in a static function object and lets the ActionScript VM call it.
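The C program below is an added example, not code from the leaked package or from Trend Micro, that models the root cause described under “Root Cause Analysis” and the primitive chain described in this section in one runnable piece. It is a constructed model: the heap is a static arena of fixed-size chunks handed out first-fit (hypothetical, not Flash Player’s allocator), `ByteArray`, `VectorUint`, `FunctionObject` and `ScriptObject` are hypothetical stand-ins for the AVM2 objects, the “shellcode” is a C function that sets a flag, and a little-endian host is assumed so that the byte written at index 3 lands in the high byte of the Vector’s length. The kernel32/VirtualProtect lookup and CFG itself are Windows-specific and are not modeled; what is shown is the stale-pointer store, the Vector length corruption it causes, the read/write primitive that follows, the function-object overwrite and restore, and a fixed store that re-reads the buffer after `valueOf` so the same trigger corrupts nothing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the AVM2 heap: fixed-size chunks in one static arena, handed out first-fit
 * like a size-class free list, so the stale write lands on defined memory and the chain can be run.
 * All names are hypothetical, not Flash Player internals. */
#define CHUNK  0x1000
#define NCHUNK 8
static _Alignas(16) uint8_t arena[NCHUNK * CHUNK];
static int chunk_used[NCHUNK];
static uint8_t *chunk_alloc(void) {
    for (int i = 0; i < NCHUNK; i++)
        if (!chunk_used[i]) { chunk_used[i] = 1; return memset(&arena[i * CHUNK], 0, CHUNK); }
    return NULL;
}
static void chunk_free(uint8_t *p) { chunk_used[(p - arena) / CHUNK] = 0; }

typedef struct { uint8_t *buf; uint32_t len; } ByteArray;          /* backing store + ba.length */
typedef struct { uint32_t length; uint32_t data[]; } VectorUint;   /* Vector.<uint>, length first */
typedef struct { void (*code)(void); } FunctionObject;             /* static method "Payload" */
typedef struct ScriptObject {                                      /* object with overridden valueOf */
    int (*valueOf)(struct ScriptObject *); ByteArray *ba; VectorUint *spray;
} ScriptObject;
static void ba_set_length(ByteArray *ba, uint32_t n) {   /* reallocate; old chunk returns to the free list */
    uint8_t *nb = chunk_alloc();
    memcpy(nb, ba->buf, ba->len < n ? ba->len : n);
    chunk_free(ba->buf);
    ba->buf = nb; ba->len = n;
}
/* ba[idx] = obj as the vulnerable runtime does it: data pointer cached, then obj coerced. */
static void ba_store_vuln(ByteArray *ba, uint32_t idx, ScriptObject *obj) {
    if (idx >= ba->len) return;
    uint8_t *data = ba->buf;        /* captured before script code runs */
    int v = obj->valueOf(obj);      /* overridden valueOf reallocates ba here */
    data[idx] = (uint8_t)v;         /* use-after-free: the store hits the chunk freed above */
}
/* The shape a fix must take: consult buffer and length only after the callback returns. */
static void ba_store_fixed(ByteArray *ba, uint32_t idx, ScriptObject *obj) {
    int v = obj->valueOf(obj);
    if (idx < ba->len) ba->buf[idx] = (uint8_t)v;
}
/* Attacker's valueOf: free ba's chunk, reclaim it with a Vector.<uint>, and return the byte the
 * stale store plants at offset 3 of that Vector's length (its high byte on a little-endian host). */
static int evil_valueOf(ScriptObject *self) {
    ba_set_length(self->ba, 0xF00);
    self->spray = (VectorUint *)chunk_alloc();   /* first-fit returns the chunk just freed */
    self->spray->length = 0x3F0;
    return 0x40;                                 /* 0x000003F0 becomes 0x400003F0 */
}
/* Runtime Vector accessors: bounds-checked against a length that is now huge (memcpy keeps the
 * out-of-object access defined inside the arena). */
static int vec_get(VectorUint *v, uint32_t i, uint32_t *out) {
    if (i >= v->length) return 0;
    memcpy(out, (uint8_t *)v->data + (size_t)i * 4, 4); return 1;
}
static int vec_set(VectorUint *v, uint32_t i, uint32_t val) {
    if (i >= v->length) return 0;
    memcpy((uint8_t *)v->data + (size_t)i * 4, &val, 4); return 1;
}
static int shellcode_ran;
static void payload_body(void) { }                      /* the empty AS3 static function Payload() */
static void shellcode(void)    { shellcode_ran = 1; }   /* stands in for the real shellcode */
typedef struct { uint32_t corrupted_len; int shellcode_ran; int restored; uint32_t fixed_len; } ModelResult;

ModelResult run_model(void) {
    memset(chunk_used, 0, sizeof chunk_used); shellcode_ran = 0;
    ByteArray ba = { chunk_alloc(), 0x800 };
    ScriptObject obj = { evil_valueOf, &ba, NULL };
    FunctionObject *payload = (FunctionObject *)chunk_alloc();   /* lives in the same heap */
    payload->code = payload_body;
    ba_store_vuln(&ba, 3, &obj);                 /* trigger: corrupts obj.spray->length */
    VectorUint *v = obj.spray;
    ModelResult r = { v->length, 0, 0, 0 };
    /* Arbitrary read: fetch Payload's current code address through the oversized Vector. */
    uint32_t idx = (uint32_t)(((uint8_t *)payload - (uint8_t *)v->data) / 4);
    size_t nwords = sizeof(void (*)(void)) / 4;
    uint32_t saved[2] = { 0, 0 }, words[2] = { 0, 0 };
    for (size_t k = 0; k < nwords; k++) vec_get(v, idx + k, &saved[k]);
    /* Arbitrary write: point the function object at the shellcode, call it, then restore. */
    void (*sc)(void) = shellcode;
    memcpy(words, &sc, sizeof sc);
    for (size_t k = 0; k < nwords; k++) vec_set(v, idx + k, words[k]);
    payload->code();                             /* Payload() now executes the shellcode */
    r.shellcode_ran = shellcode_ran;
    for (size_t k = 0; k < nwords; k++) vec_set(v, idx + k, saved[k]);
    r.restored = (payload->code == payload_body);
    /* Same trigger against the fixed store: the reclaiming Vector keeps its real length. */
    memset(chunk_used, 0, sizeof chunk_used);
    ByteArray ba2 = { chunk_alloc(), 0x800 };
    ScriptObject obj2 = { evil_valueOf, &ba2, NULL };
    ba_store_fixed(&ba2, 3, &obj2);
    r.fixed_len = obj2.spray->length;
    return r;
}
int main(void) {
    ModelResult r = run_model();
    printf("len 0x%08X shellcode %d restored %d fixed 0x%X\n", r.corrupted_len, r.shellcode_ran, r.restored, r.fixed_len);
    return 0;
}
```

The ordering inside `evil_valueOf` is the whole trick: the reallocation must free the old buffer before the reclaiming Vector is allocated, and the returned value is chosen for the byte position the store will hit, so the one-byte stale write becomes a controlled length corruption rather than a crash. `ba_store_fixed` shows why the patch is small: once the buffer pointer and length are read after `valueOf` returns, the same script sees only a correctly sized, freshly allocated buffer.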
While Hacking Team described this as the most beautiful bug since CVE-2010-2161, several earlier bugs have used the same valueOf trick, including CVE-2015-0349, which was used at Pwn2Own 2015.
Users do not need to be overly concerned about this vulnerability at this time, as no active attack has yet been spotted in the wild. We will update this post with more information and advice if it becomes necessary at a later time.
Trend Micro is already able to protect users against this threat out of the box, without any updates. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior. The Browser Exploit Prevention feature in the Endpoint Security in Trend Micro™ Smart Protection Suite detects the exploit once the user accesses the URL it is hosted on. Browser Exploit Prevention detects exploits that target browsers or related plugins.
Update as of July 7, 2015, 07:44 A.M. PDT (UTC-7)
Based on further verification, we note that the Adobe Flash Player vulnerability and the Windows kernel flaw have no assigned CVEs yet. We have updated the blog entry to reflect this.
Update as of July 7, 2015, 09:48 A.M. PDT (UTC-7)
Based on our ongoing investigation, we believe that this zero-day vulnerability from this leak has been used in an attack we’ve been tracking recently. We will be providing additional information in another blog entry soon.
Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:
- 1006824 – Adobe Flash ActionScript3 ByteArray Use After Free Vulnerability
Update as of July 8, 2015, 7:00 PM PDT (UTC – 7)
Adobe has released a fix for the Flash zero-day vulnerability. Information about this update has been released in APSB15-16. We recommend that users apply this update as soon as possible.
Update as of July 14, 2015, 4:48 PM PDT (UTC – 7)
To clarify, the former zero-day vulnerability was assigned CVE-2015-5119 in APSA15-03 on July 7.
Timeline of posts related to the Hacking Team
- The Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public.
  - Three exploits – two for Flash Player and one for the Windows kernel – were initially found in the information dump. One of these (CVE-2015-5119) was a Flash zero-day.
  - The Windows kernel vulnerability (CVE-2015-2387) existed in the open type font manager module (ATMFD.dll) and can be exploited to bypass the sandbox mitigation mechanism.
  - The Flash zero-day exploit (CVE-2015-5119) was added to the Angler Exploit Kit and Nuclear Exploit Pack. It was also used in limited attacks in Korea and Japan.
- Two new Flash zero-day vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were found in the Hacking Team dump.
- Further analysis of the Hacking Team dump revealed that the company used a UEFI BIOS rootkit to keep its Remote Control System (RCS) agent installed on its targets’ systems.
- A new zero-day vulnerability (CVE-2015-2425) was found in Internet Explorer.
- On the mobile front, a fake news app designed to bypass Google Play was discovered.
- A new zero-day vulnerability (CVE-2015-2426) was found in Windows, which Microsoft fixed in an out-of-band patch.
- Analysis of the RCSAndroid spying tool revealed that Hacking Team can listen in on calls and roots devices to get in.