Analyzing the CVE-2014-0515 Exploit – The Recent Flash Zero-Day
Last week, Adobe released an advisory disclosing a new zero-day vulnerability in Flash Player.
Looking into the exploit code used in attacks targeting this vulnerability, we found several interesting ties to other vulnerabilities – not all of them for Flash Player, either. To explain this, we will discuss the highlights of how this exploit was performed.
At its core, the vulnerability is a buffer overflow that occurs when parsing a compiled shader in a Flash object. The overflow overwrites an adjacent memory buffer that contains a vector object, allowing the attacker to overwrite that vector object's length. From there, a further sequence of steps (described below) eventually lets the attacker run arbitrary shellcode.
The exploit first uses the buffer overflow to overwrite the length field of the adjacent vector object with a very large value. Because the runtime trusts that length for bounds checks, the corrupted vector can then be used to read and write across the process's memory space, locating target data and rearranging the memory layout. This particular method is fairly common, and was used by CVE-2013-0640 (Adobe Reader), CVE-2013-3163 (Internet Explorer), CVE-2014-0322 (Internet Explorer), and CVE-2014-1776 (Internet Explorer).
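To make the bug class concrete from a defender's point of view, here is an added example (not code from the post, and not Flash's own shader parser) that models the two paragraphs above in a toy heap: a fixed-size shader buffer immediately followed by a vector object's header. The record format, offsets, sizes and the `shader_demo` helper are all constructed for this illustration. The vulnerable parser validates the declared body length only against the input record, so an oversized body spills into the adjacent vector header and the runtime ends up trusting a corrupted length; the hardened parser adds the destination-size check that prevents that.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed heap layout for this example (offsets are invented, not Flash's):
 * a fixed 64-byte shader buffer is immediately followed by the header of a
 * vector object, so any write past the buffer lands on the vector's length. */
#define SHADER_BUF_SIZE        64u
#define VECTOR_HDR_OFF         SHADER_BUF_SIZE
#define ARENA_SIZE             (SHADER_BUF_SIZE + 8u)
#define INITIAL_VECTOR_LENGTH  16u

typedef struct {
    uint32_t length;   /* element count the runtime trusts for bounds checks */
    uint32_t reserved; /* stands in for the data pointer in the real object */
} vector_hdr;

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Place a zeroed shader buffer and a vector header at known offsets. */
static void init_arena(unsigned char *arena)
{
    vector_hdr hdr = { INITIAL_VECTOR_LENGTH, 0 };
    memset(arena, 0, ARENA_SIZE);
    memcpy(arena + VECTOR_HDR_OFF, &hdr, sizeof hdr);
}

/* Read the vector length back from the arena after parsing. */
static uint32_t vector_length(const unsigned char *arena)
{
    vector_hdr hdr;
    memcpy(&hdr, arena + VECTOR_HDR_OFF, sizeof hdr);
    return hdr.length;
}

/* Toy "compiled shader" record: 4-byte little-endian body length, then body.
 * Vulnerable parser: the declared length is checked only against the input,
 * never against the destination, so a body longer than 64 bytes overwrites
 * the adjacent vector header. */
static int parse_shader_vulnerable(unsigned char *arena,
                                   const unsigned char *rec, size_t rec_len)
{
    uint32_t declared;
    if (rec_len < 4) return -1;
    declared = read_le32(rec);
    if (declared > rec_len - 4) return -1;  /* input is well-formed ... */
    memcpy(arena, rec + 4, declared);       /* ... but destination is unchecked */
    return 0;
}

/* Hardened parser: the declared length is also bounded by the destination
 * buffer before any copy, so the vector header can never be touched. */
static int parse_shader_hardened(unsigned char *arena,
                                 const unsigned char *rec, size_t rec_len)
{
    uint32_t declared;
    if (rec_len < 4) return -1;
    declared = read_le32(rec);
    if (declared > rec_len - 4) return -1;
    if (declared > SHADER_BUF_SIZE) return -1; /* the check that was missing */
    memcpy(arena, rec + 4, declared);
    return 0;
}

/* Build a constructed record whose body is `declared` bytes of `fill`. */
static size_t build_record(unsigned char *out, size_t cap,
                           uint32_t declared, unsigned char fill)
{
    if ((size_t)declared + 4 > cap) return 0;
    out[0] = (unsigned char)(declared);
    out[1] = (unsigned char)(declared >> 8);
    out[2] = (unsigned char)(declared >> 16);
    out[3] = (unsigned char)(declared >> 24);
    memset(out + 4, fill, declared);
    return (size_t)declared + 4;
}

/* Parse one constructed record with either parser. Returns -1 if the parser
 * rejected the record, otherwise the vector length the runtime would trust
 * afterwards (0xFFFFFFFF shows the header was overwritten by 0xFF fill). */
long long shader_demo(int hardened, uint32_t declared)
{
    unsigned char arena[ARENA_SIZE];
    unsigned char rec[4 + 2 * SHADER_BUF_SIZE];
    size_t rec_len = build_record(rec, sizeof rec, declared, 0xFF);

    init_arena(arena);
    if (rec_len == 0) return -1;
    if (hardened ? parse_shader_hardened(arena, rec, rec_len)
                 : parse_shader_vulnerable(arena, rec, rec_len))
        return -1;
    return (long long)vector_length(arena);
}

int main(void)
{
    printf("vulnerable parser, 72-byte body: vector length = 0x%llx\n",
           shader_demo(0, 72));
    printf("hardened parser,   72-byte body: result = %lld (rejected)\n",
           shader_demo(1, 72));
    return 0;
}
```

The point to take from the run is that the vulnerable parser reports success while leaving the vector with a length of 0xFFFFFFFF, which is exactly the state the post describes the exploit relying on; the only difference in the hardened version is a single comparison against the destination size before the copy.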
The corrupted vector's elements are used to locate the address of a Flash FileReference object and replace its virtual table pointer with a pointer to a fake virtual table. The fake virtual table contains only the Cancel function, which points to the shellcode, so calling FileReference.Cancel runs the exploit's arbitrary shellcode. This is similar to, but not identical to, the recent exploit techniques used in CVE-2014-0322 and CVE-2014-1776, which use the Sound object and trigger with Sound.toString().
Defeating DEP (Data Execution Prevention, a technique used to harden systems against exploits) is relatively simple here, since the exploit has full control of the memory space. The attacker searches for a specific function located in the Flash ActiveX plugin (Flash32_12_0_0_70.ocx). The function takes two parameters (a buffer address and a buffer length) and makes that buffer executable. Its address is used as the Cancel function address in the fake FileReference object's virtual table; after this call, the first-stage shellcode becomes executable. Note that all of this is done without any use of ROP (return-oriented programming) techniques.
Trend Micro Solutions
Adobe has rolled out updates to Adobe Flash that patch this vulnerability. This would update users to Flash 188.8.131.52. Users of Trend Micro products have various solutions available to help deal with this attack: the browser exploit prevention technology in Titanium 7 proactively detects websites that attempt to exploit this vulnerability.
Products with the ATSE (Advanced Threats Scan Engine), such as Deep Discovery, have heuristic rules which detect attacks using this vulnerability. These attacks are detected as HEUR_SWFJIT.B with ATSE pattern 9.755.1107 since April 22. Our other products detect these malicious Flash files as SWF_EXPLOIT.RWF.