A Root Cause Analysis of the Recent Flash Zero-Day Vulnerability, CVE-2016-1010

On March 10, Adobe has released an emergency out-of-band update to fix a zero-day vulnerability that was being used in targeted attacks. The vulnerability was designated as CVE-2016-1010. To analyze this vulnerability, I examined an earlier version of the Flash Player (Flash32_19_0_0_185.ocx file on Windows 7) to find the root cause of the vulnerability.

Root cause analysis

In ActionScript 3.0, the BitmapData class has a public function copyPixels defined this way:

public function copyPixels(sourceBitmapData:BitmapData, sourceRect:Rectangle, destPoint:Point, alphaBitmapData:BitmapData = null, alphaPoint:Point = null, mergeAlpha:Boolean = false):void

When Flash runs this function, it will use sourceRect (a Rectangle), which is defined as:

public function Rectangle(x:Number = 0, y:Number = 0, width:Number = 0, height:Number = 0)

to create a temporary structure which may be called BitmapData. In Flash 19.0.0.185 this may have the following structure:

0x08: height // the height of the Bitmap 0x0c: width // the weight of the Bitmap 0x20: pBitmapData // the pointer to the Bitmap Data array 0x24: bytesize // the byte size of each line in Bitmap, bytesize = width*4

When calculating the bytesize, Flash uses the shl operation, as shown in Figure 1. If width >= 0x40000000, “shl ecx,2” will trigger an integer overflow. The function next processes use bytesize*height to calculate the allocated memory size of pBitmapData. If the bytesize overflowed, the allocated memory will be lower than needed.

An attacker can use this overflow to read and write to arbitrary memory locations, effectively leading to arbitrary code exexuction.

Figure 1. Unpatched Function

The pseudocode would look something like this:

pBitmapData->width = width; pBitmapData->height = height; pBitmapData-> bytesize = 4*width; //trigger integer overflow when width>0x40000000 int allocSize = pBitmapData->bytesize*height; allocMemory = allocMemory( allocSize); pBitmapData-> pBitmapData = allocMemory;

Patching the Vulnerability

In Flash Player 21.0.0.182, this vulnerability was patched. How did Adobe do this?

The original shl operation was replaced with imul. In addition, the (edx,eax) command records the width*4 value. If the value of edx is non-zero, it represents the width of the overflow. If this is known, the code will correctly handle this issue.

Figure 2. Patched Function

Integer overflow vulnerabilities are common in Flash Player. In APSB16-08 alone, three integer overflow vulnerabilities (CVE-2016-0963, CVE-2016-0993 ,CVE-2016-1010) were fixed. Adding integer overflow checking features during compilation would reduce the number of overflow vulnerabilities.

For end users, we highly recommend keeping Adobe Flash Player up-to-date. By default this can be done automatically, although some users may prefer being manually promoted to install newer versions.

The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security blocks browser exploits once the user accesses the URLs these are hosted at. Browser Exploit Prevention also protects against exploits that target browsers or related plugins.

The Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can frequently detect these threats as well without any engine or pattern update. Deep Security and Vulnerability Protection protect user systems from any threats that may use these vulnerabilities via the following DPI rules: