• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   New Adobe Zero-Day Shares Same Root Cause as Older Flaws

New Adobe Zero-Day Shares Same Root Cause as Older Flaws

  • Posted on:June 24, 2015 at 12:07 am
  • Posted in:Malware
  • Author:
    Peter Pi (Threats Analyst)
1

Earlier we talked about the out-of-band update for Flash Player that was released by Adobe (identified as APSB15-14) that was released to fix CVE-2015-3113. This update raised the Flash Player version to 18.0.0.194.

Our analysis of the current flaw reveals that the root cause of CVE-2015-3113 is similar to CVE-2015-3043. Both cause a buffer overflow within the Flash Player code. In fact, code targeting the previous exploit can also cause crashes in version 18.0.0.160 (the version immediately before this emergency update).

Both vulnerabilities can be used to run arbitrary code (i.e., malware) on user systems if they visit a site with a malicious Flash file. Users who visit a malicious or compromised site containing malicious Flash files that still use older, unpatched versions of Flash Player are at risk.

Vulnerability comparisons

Both CVE-2015-3113 and CVE-2015-3043 are heap overflow vulnerabilities in the FLV audio parsing flow. They are both in how Flash Player processes audio with the Nellymoser codec; they can be triggered by modifying the FLV file’s audio tag. They both overflow a hardcoded length heap buffer with a length of 0x2000.

CVE-2015-3043 and CVE-2015-3113 both trigger this bug using sample_count * sample_size > 0x2000, and bypass the length check.

Old Patch for CVE-2015-3043

CVE-2015-3043 was originally patched in 17.0.0.169. This was done by limiting the sample count acquired from the FLV audio tag.

Figure 1. Original patch

We can see that the sample count is limited to 0x400. We can compute the biggest buffer size needed from this: FLV specifies a size of 4 as the biggest size per sample. The Nellymoser codec has a hardcoded multiple size of 2 (as seen in the code below). Therefore, the biggest buffer needed is 0x400 * 4 *2 = 0x2000.

Figure 2. Nellymoser doubling

New Patch in 18.0.0.160

However, the code underwent significant changes in 18.0.0.160. The code now looks like this:

Figure 3. New patch

The GetSampleCount function checks the final buffer size needed. If the final buffer size is larger than 0x2000, it will limit it to 0x2000. However, this ignores the Nellymoser decode function’s hardcoded double operation; this can be used to trigger a heap buffer overflow once again.

Conclusion

The analysis above shows that both the previous Flash zero-day and the current incident share the same underlying root cause. In fact, code targeting the previous zero-day will cause 18.0.0.160 to crash.

This incident highlights how important careful development of patches is, to prevent patched bugs from being re-exploited at a later time. Regression testing must also be a part of software development in order to check that old bugs do not threaten new versions of software.

Update as of June 24, 2015, 8:08 A.M. (PDT):

Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage this vulnerability with the following DPI rule:

  • 1006810 – Adobe Flash Player Heap Buffer Overflow Vulnerability (CVE-2015-3113)

Update as of June 26, 2015, 3:10 P.M. PDT (UTC-7):

Trend Micro solutions are available to help protect users against threats that may leverage this vulnerability. Endpoint products detect malware that attempt to exploit this vulnerability as SWF_EXPLOYT.S. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates.

Below are the SHA1 hashes related to this threat:

  • 5f6a2521c6bfd5becfefc3a3db74d0a23d382f0e
  • 5f28787f60c5f8d9f3aa9163975422d1ff55f460
Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: CVE-2015-3043CVE-2015-3113flash player

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.