By Jack Tang and Stanley Liu
Adobe has just released a security update for Adobe Flash to address a vulnerability (CVE-2016-1019) that was used in zero day attacks against older versions of Adobe Flash. We previously discussed one such attack when we discovered this vulnerability being integrated in Magnitude Exploit Kit. In this post, we took a look at the exploit code. In the sample we acquired from our Smart Protection Network feedback, we observed that this vulnerability is also present in Mac OS X. In addition to being present on the Windows platform, it is interesting to note it is also present on Mac OS X given that fewer exploits target the said OS.
CVE-2016-1019 affects all versions of Adobe Flash Player but is only currently exploitable to versions 220.127.116.116 and earlier. It is a type confusion vulnerability which exists in Action script 2 FileReference class’s type checking mechanism. As mentioned earlier, when we were analyzing the sample, we found that it contained following code slides, which specifically calls out Mac OS X:
Figure 1. Code designed for Mac OS X attack
Based on our investigation, this vulnerability can be exploited when an attacker prepares a ByteArray containing a TextFormat array. One element of the TextFormat array is “customized,” wherein its “toString” function is overridden by a function, as shown in the following code:
Figure 2. FileReference constructor function
As seen in the code above, ASnative is the method that calls an AS2.0 object, while 2204 is the FileReference identity . It will call a FileReference init function with the TextFormat instance. The issue in the FileReference type checking mechanism lets this happen. The attacker then creates the “customized ” TextFormat , which will trigger the overrided toString function.
After preparing the Array, a class in action script, an attacker calls sort function in its array, which compare callback do some action. The following shows the main activity:
Figure 3: Overwrite ByteArray object ‘s length
The compare callback function calls FileReference class method by ASnative call with the “customized” TextFormat object . In other words, it uses FileReference class method on a TextFormat object. The function overwrites TextFormat object boundary, and then it also overwrites the data after the TextFormat.
Once the said routine finishes with AS2, it uses a matrix field of ConvolutionFilter to overwrite memory. In addition, it overwrites a prepared ByteArray object, then changes the length of the ByteArray object to 0xFFFFFFFF.
Figure 4. ConvolutionFilter overwriting memory
After the length is set to 0xFFFFFFFF, the exploit can achieve arbitrary read and write memory of the current process. The exploit uses two functions for reading and writing memory as seen below.
Figure 5. Functions for reading and writing memory
Corrupting vector length has been prevented by Adobe’s Vector mitigation in 2015. So overwriting ByteArray length became a common method to achieve arbitrary read and write memory of current process in recent exploits.
Adobe introduced a heap mitigation version of 18.104.22.168.This mitigation prevents this exploit in 22.214.171.124 and later versions. While it is difficult to remove all of the bugs, a good mitigation can quickly decrease exploit of bugs such as MemGC decreased Use After Free (UAF) exploits on Internet Explorer and Edge. Adobe has introduced a number of mitigations with community collaboration from 2015 up to now. These mitigations mainly focused on making it harder to exploit vulnerabilities. From the case of CVE-2016-1019, we can see that mitigation works and prevents the attacks that are affecting earlier versions without the mitigation..
Trend Micro Solutions
To help prevent exploits, we strongly urge users and organizations to make sure that they are using up-to-date systems and applications with the latest security patches. Exploit kits in general are known to operate around those who use outdated programs. Like in this scenario, the vulnerability becomes easy to exploit for systems that still use older versions (126.96.36.1996 and earlier) of Adobe Flash Player. As a workaround fix, we recommend updating Flash Player to its latest version.
Trend Micro products and solutions defend against exploit kits. Trend Micro™ Deep Discovery uses the Sandbox with Script Analyzer to detect this threat by its behavior without any engine or pattern updates. Our endpoint products such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security uses the Browser Exploit Prevention feature to prevent exploits from running on affected systems, preempting any possible threats from taking root.
- 1007572 – Adobe Flash Player Remote Code Execution Vulnerability (CVE-2016-1019)
The following SHA1 hash is related to this attack:
- c4b156b60f8e9e931a638923711c884f9a5951dd – detected as SWF_CVE20161019.A
TippingPoint has posted a CSW for CVE-2016-1019 that is available for customers to download on TMC.