Flash Zero Day Flaw – TrendLabs Security Intelligence
Most of the leaked information covered Hacking Team’s business practices, which seemingly contradict their official statements on who they sell their products to. However, the leak also included the tools provided by the company to carry out attacks, and this included several exploits targeting Adobe Flash Player and Windows itself.
The information dump includes at least three exploits – two for Flash Player and one for the Windows kernel. One of the Flash Player vulnerabilities, CVE-2015-0349, has already been patched.
One of the Flash exploits is described by Hacking Team as “the most beautiful Flash bug for the last four years.” This Flash exploit has not yet been assigned a CVE number.
Figure 1. Description of vulnerability by Hacking Team
The leaked package contains both a Flash zero-day proof-of-concept (POC) which can open the Windows calculator and a release version with real attack shellcode.
In the POC there is a readme document that describes the details of this zero-day, as seen below. It states that the exploit affects Adobe Flash Player 9 and later, and that desktop/Metro IE, Chrome, Firefox and Safari are all affected. External reports have stated that the latest version of Adobe Flash (version 220.127.116.11) is also affected.
Figure 2. Description of vulnerability by Hacking Team
Root Cause Analysis
The readme also describes the root cause of the vulnerability. It is a use-after-free (UAF) vulnerability in the ByteArray class, which can be summarized as follows:
- When you have a ByteArray object ba and perform an assignment such as ba = object, the runtime calls that object’s ValueOf function to convert it.
- ValueOf can be overridden, so attacker-controlled script can run inside the object’s ValueOf function and change ba while the assignment is still in progress.
- If ba’s backing memory is reallocated inside ValueOf, the result is a UAF: the assignment code for ba = object saved a pointer to the original memory before the call and keeps using that pointer after ValueOf has returned and freed it.
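To make the ordering hazard concrete, here is an added C++ illustration (not code from this post, from Trend Micro or from the leaked Hacking Team package) that models the pattern on a small instrumented heap: a ByteArray-like object, an element assignment that invokes a user-controlled valueOf callback, and the two possible orderings of "take pointer" and "call callback". All names (ToyHeap, ByteArray, assign_vulnerable, assign_fixed, demo) are hypothetical. The toy heap never reuses freed slots, so a write through a stale handle is reported as a failed store rather than corrupting memory, which is the condition a sanitizer would flag in the real runtime.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <vector>

// Instrumented toy heap (constructed for this example): every allocation gets
// its own slot with a "live" flag, and freed slots are never reused. A store
// through a handle whose slot was freed is therefore detected deterministically
// instead of silently writing into whatever reused the memory.
struct Slot {
    std::vector<uint8_t> bytes;
    bool live = true;
};

struct ToyHeap {
    std::vector<Slot> slots;

    int alloc(size_t n) {
        slots.push_back(Slot{std::vector<uint8_t>(n), true});
        return static_cast<int>(slots.size()) - 1;
    }
    void release(int h) { slots[h].live = false; }

    // Returns false when the write targets a freed slot (the UAF condition)
    // or an out-of-range index.
    bool store(int h, size_t idx, uint8_t v) {
        Slot& s = slots[h];
        if (!s.live || idx >= s.bytes.size()) return false;
        s.bytes[idx] = v;
        return true;
    }
};

// Stand-in for the ByteArray: a handle to a backing buffer on the toy heap.
struct ByteArray {
    ToyHeap* heap;
    int handle;
    ByteArray(ToyHeap* hp, size_t n) : heap(hp), handle(hp->alloc(n)) {}
    // Growing the array frees the old backing store and allocates a new one,
    // which is what a length change from inside valueOf does in the real bug.
    void reallocate(size_t n) {
        heap->release(handle);
        handle = heap->alloc(n);
    }
};

// The object on the right-hand side of the assignment: its valueOf is script
// code and can do anything, including mutating the ByteArray it is written to.
struct Convertible {
    std::function<uint8_t()> valueOf;
};

// Vulnerable ordering: cache the destination buffer, then run the conversion
// callback, then write through the cached (possibly stale) buffer.
bool assign_vulnerable(ByteArray& ba, size_t idx, Convertible& obj) {
    int cached = ba.handle;                 // pointer taken BEFORE the callback
    uint8_t v = obj.valueOf();              // callback may reallocate ba
    return ba.heap->store(cached, idx, v);  // stale if it did: use-after-free
}

// Hardened ordering: run all user-visible conversions first, then re-read the
// buffer pointer, so any reallocation done by the callback is respected.
bool assign_fixed(ByteArray& ba, size_t idx, Convertible& obj) {
    uint8_t v = obj.valueOf();
    int current = ba.handle;                // pointer taken AFTER the callback
    return ba.heap->store(current, idx, v);
}

// Scenario: valueOf reallocates the very ByteArray that is being assigned to.
// Returns true if the store landed in live memory, false if it hit a freed slot.
bool demo(bool use_fix) {
    ToyHeap heap;
    ByteArray ba(&heap, 16);
    Convertible obj;
    obj.valueOf = [&ba]() -> uint8_t {
        ba.reallocate(4096);                // frees the original 16-byte buffer
        return 0x41;
    };
    return use_fix ? assign_fixed(ba, 0, obj) : assign_vulnerable(ba, 0, obj);
}

int main() {
    std::printf("vulnerable ordering stored into live memory: %s\n",
                demo(false) ? "yes" : "no (stale buffer)");
    std::printf("fixed ordering stored into live memory:      %s\n",
                demo(true) ? "yes" : "no (stale buffer)");
    return 0;
}
```

The only difference between the two assignment routines is whether the buffer pointer is read before or after the callback, which is exactly the distinction the readme's description turns on: any operation that hands control to script in the middle of a write must re-validate the state it cached beforehand.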
Release Version Exploit Analysis
After triggering the UAF vulnerability, the exploit corrupts the length field of a Vector.<uint> to gain arbitrary memory read and write capabilities within the process. With this ability, the exploit performs the following:
- Search for the kernel32.dll base address in the process, then locate the address of VirtualProtect
- Find the address of the shellcode, which is contained in a ByteArray
- Call VirtualProtect to make the shellcode memory executable
- An empty static function named Payload is defined in the AS3 code
- Find the address of the Payload function object, then find the real function code address held by that function object
- Overwrite the real function code address with the shellcode address
- Call the static function Payload from AS3, which causes the shellcode to execute
- After the shellcode has executed, restore the static function’s original code address
This exploit method can bypass Control Flow Guard because it overwrites the code address of a static function rather than relying on a corrupted indirect call that CFG would check.