Another Zero-Day Vulnerability Arises from Hacking Team Data Leak
Hot on the heels of the last zero-day vulnerability that was found from the Hacking Team data leak (i.e. CVE-2015-5119) comes yet another that may be as dangerous: CVE-2015-5122, a vulnerability in Adobe Flash Player. If exploited, it could result in a crash that would allow an attacker to take control of the vulnerable system. And yes, just like CVE-2015-5119, it affects all recent versions of Flash on Windows, Mac and Linux (i.e. 126.96.36.199).
This is a new vulnerability, separate from the ones we discussed in Unpatched Flash Player Flaw, More POCs Found in Hacking Team Leak, which were two Flash bugs and one in the Windows kernel.
The good news: it is still a proof-of-concept, and we are still checking whether it is already being used in an attack. The bad news: there is no patch for it yet, but one should be coming, as we notified Adobe as soon as we had verified the vulnerability (July 11, 10:30 AM, GMT +8). Adobe sent out the security advisory for this vulnerability at 11:40 AM (GMT+8).
So how does the vulnerability work?
Our analysis shows that it is a use-after-free vulnerability involving the methods TextBlock.createTextLine() and TextBlock.recreateTextLine(textLine).
The trigger is the assignment my_textLine.opaqueBackground = MyClass_object. MyClass.prototype.valueOf is overridden so that the valueOf function calls TextBlock.recreateTextLine(my_textLine) while the assignment is still in progress. my_textLine is then used after it has been freed.
We debugged the POC in an x86 environment, so the vulnerability trigger is in the MyClass32 class. The exploit function itself is TryExpl of MyClass32.
The exploit steps are as follows:
- A new Array named _ar is created with length _arLen = 126. _ar[0…29] is filled with Vector.<uint> objects of length 0x62. _ar[46…125] is filled with Vector.<uint> objects of length 0x8. _ar[30…45] is filled with textLine objects created by _tb.createTextLine(), and each textLine.opaqueBackground is set to 1.
- MyClass.prototype.valueOf is overridden with MyClass.prototype.valueOf = valueOf2, and the assignment _ar[_cnt].opaqueBackground = _mc triggers the valueOf2 function. _mc is an instance of MyClass.
- In the valueOf2 function, _tb.recreateTextLine(_ar[index]) is called to free the textLine allocated in step 1. Then a vector's length is changed from 0x8 to 0x62 so that it occupies the memory of the freed textLine. The valueOf2 function returns 0x62 + 8 = 0x6a, so _ar[_cnt].opaqueBackground is set to 0x6a once valueOf2 returns. To make sure the length field of the occupying vector is overwritten, valueOf2 invokes itself recursively.
- After the vector length has been overwritten with 0x6a, the exploit searches for the corrupted vector and sets the neighboring vector's length to 0x40000000.
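The root cause described above is a setter that calls back into script (valueOf) after it has already resolved the native object it is about to write to. The following Python model is an added illustration, not Flash Player code and not the leaked PoC: a toy word-addressed heap that reuses freed blocks, a setter with the same ordering defect, and a hardened setter that coerces first and re-validates the target afterwards. All class and function names (Memory, TextLine, UintVector, ValueOfHook, run_scenario) are hypothetical.

```python
# Added illustration of the re-entrancy hazard behind a coerce-during-setter
# use-after-free, with the defensive ordering beside it. Toy runtime only;
# every name here is hypothetical and not from Flash Player or the PoC.


class Memory:
    """Word-addressed toy heap. A freed block is handed out again by the
    next allocation of the same size, so a stale address lands on whatever
    object took the block over, as it would with a real allocator."""

    def __init__(self, words=64):
        self.words = [0] * words
        self.free_blocks = {}      # size -> list of reusable base addresses
        self.next = 0

    def alloc(self, size):
        free = self.free_blocks.get(size)
        base = free.pop() if free else self.next
        if base == self.next:
            self.next += size
        for i in range(size):
            self.words[base + i] = 0
        return base

    def free(self, base, size):
        self.free_blocks.setdefault(size, []).append(base)


class TextLine:
    SIZE = 4                       # word 0 holds opaqueBackground

    def __init__(self, mem):
        self.mem = mem
        self.base = mem.alloc(self.SIZE)
        self.freed = False         # object-level liveness flag


class UintVector:
    SIZE = 4                       # word 0 holds the length field

    def __init__(self, mem, length):
        self.mem = mem
        self.base = mem.alloc(self.SIZE)
        mem.words[self.base] = length

    @property
    def length(self):
        return self.mem.words[self.base]


class TextBlock:
    def __init__(self, mem):
        self.mem = mem

    def create_text_line(self):
        return TextLine(self.mem)

    def recreate_text_line(self, line):
        """Models the free in the bug: the line's native backing block is
        released while script still holds the line object."""
        self.mem.free(line.base, TextLine.SIZE)
        line.freed = True
        return line


class ValueOfHook:
    """Stands in for an object whose valueOf() was overridden: coercing it
    to an integer runs script, here a callback supplied by the caller."""

    def __init__(self, callback, result):
        self.callback, self.result = callback, result

    def __int__(self):
        self.callback()
        return self.result


def set_opaque_background_vulnerable(line, value):
    # Defect modelled: the raw field address is taken before the value is
    # coerced, so the coercion callback can free the block it points into.
    field_addr = line.base
    coerced = int(value)                      # runs valueOf() -> script
    line.mem.words[field_addr] = coerced      # writes into whoever owns the block now


def set_opaque_background_fixed(line, value):
    # Fix 1: coerce first, so all script runs before native state is touched.
    coerced = int(value)
    # Fix 2: re-check object liveness after the call-out. Checking only
    # whether the address is mapped would not help: the block was reused.
    if line.freed:
        raise RuntimeError("target object was released during coercion")
    line.mem.words[line.base] = coerced


def run_scenario(setter):
    """Runs one setter against a callback that frees the line and reallocates
    its block as a vector of length 8; returns the vector's final length."""
    mem = Memory()
    tb = TextBlock(mem)
    line = tb.create_text_line()
    holder = {}

    def callback():
        tb.recreate_text_line(line)            # free the line's block...
        holder["vec"] = UintVector(mem, 8)     # ...which the vector then occupies

    try:
        setter(line, ValueOfHook(callback, 0x6a))
    except RuntimeError:
        pass                                   # hardened setter refused the write
    return holder["vec"].length


if __name__ == "__main__":
    print("vulnerable setter leaves vector length:", hex(run_scenario(set_opaque_background_vulnerable)))
    print("fixed setter leaves vector length:     ", hex(run_scenario(set_opaque_background_fixed)))
```

With the vulnerable ordering the write of 0x6a lands on the vector's length field, which is exactly the corruption the exploit steps rely on; with the hardened ordering the script still runs, but the write is refused and the vector keeps its length of 8. The design point for anyone reviewing native setters is that a value coercion is a call into untrusted code, so nothing resolved before it can be trusted after it.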
Posts related to vulnerabilities found in the Hacking Team Leak
- Hacking Team Flash Zero-Day Integrated into Exploit Kits
- A Look at the Open Type Font Manager Vulnerability from the Hacking Team Leak
- Unpatched Flash Player Flaw, More POCs Found in Hacking Team Leak
- Hacking Team Flash Zero-Day Tied To Attacks In Korea and Japan… on July 1
Updated July 11, 2015, 12:43 AM (UTC-7) to clarify some technical details.