New Flash Vulnerability CVE-2016-4117 Shares Similarities With Older Pawn Storm Exploit

Earlier this week Adobe released a security advisory (APSA16-02) which disclosed that a critical vulnerability (CVE-2016-4117) was present in versions of Adobe Flash Player. Reports also said it was being exploited in the wild. A successful exploit could cause the targeted system to crash and potentially allow arbitrary code to run on the system, allowing an attacker to take control of it. Note that Adobe has released the patch on May 12.

We would like to dive into the detail this vulnerability to provide additional background information about this threat.

Vulnerability analysis

Simply put, this vulnerability is a type check vulnerability in the class DeleteRangeTimelineOperation, which is a part of the Primetime SDK.

The Placement property in the base class DeleteRangeTimelineOperation is wrongly outbound, and can be accessed or even executed with a controlled offset by a new Placement class whose type could be a simple one such as Boolean, or an Integer derived from classes in carefully constructed malicious SWF file.

`Below are the detailed declarations of the DeleteRangeTimelineOperation and Placement classes, which are taken from Library.swf, which is provided by Adobe for use by developers.

[API(“712”)] //API version greater than SWF27/AIR16/FP16
[native(cls=”PSDKDeleteRangeTimelineOperationClass”, instance=”PSDKDeleteRangeTimelineOperationObject”, methods=”auto”)]

public class DeleteRangeTimelineOperation implements TimelineOperation
{
public function DeleteRangeTimelineOperation(placement:Placement)
{
this.ctor(placement);
}

private native function ctor(placement:Placement):void;
final public native function get isValid():Boolean;
final public native function get placement():Placement;
final public native function set placement(placement:Placement):void;
}

}//package com.adobe.tvsdk.mediacore.timeline.operations

Figure 1. DeleteRangeTimelineOperation class declaration in Adobe library

[API(“712”)] //API version greater than SWF27/AIR16/FP16
[native(cls=”PSDKPlacementClass”, instance=”PSDKPlacementObject”, methods=”auto”)]

public class Placement
{
public static const UNKNOWN_DURATION:Number = -1;
public static const UNKNOWN_POSITION:Number = -1;
public function Placement(_arg_1:int=0, time:Number=-1, duration:Number=-1, mode:int=0)

{
this.ctor(_arg_1, time, duration, mode);
}

private native function ctor(_arg_1:int=0, _arg_2:Number=-1, _arg_3:Number=-1, _arg_4:int=0):void;
final public native function compareTo(otherPlacement:Placement):int;
final public native function get isValid():Boolean;
final public native function get type():int;
final public native function get time():Number;
final public native function get duration():Number;
final public native function get mode():int;
final public native function get range():TimeRange;
}

}//package com.adobe.tvsdk.mediacore.timeline

Figure 2. Placement class declaration in Adobe library

We examined the previous version (Flash Player 21.0.0.213) to find the vulnerability. The graph below is the psuedocode for the vulnerability, which causes an out-of-boundary access.

int __thiscall sub_1035F480(int this_DeleteRangeTimelineOperation, int a2)

{
…
this_DeleteRangeTimelineOperation1 = this_DeleteRangeTimelineOperation;
…
varPlacement = sub_10787840(aThis, (int)”placement”);
…
varPlacement_1 = varPlacement;
…
varControlledIndex = sub_107C84E0(
*(_DWORD *)(*(_DWORD *)(*(_DWORD *)(this_DeleteRangeTimelineOperation1 + 12) + 8) + 4),
*(_DWORD *)(*(_DWORD *)(*(_DWORD *)(this_DeleteRangeTimelineOperation1 + 12) + 8) + 20),
&varPlacement_1);

obj = *(_DWORD *)(this_DeleteRangeTimelineOperation1 + 0xC);
varControlledObj = *(_DWORD *)(*(_DWORD *)(obj + 8) + 4 * (varControlledIndex >> 3) + 0x3C);
v24 = (*(int (**)(void))(*(_DWORD *)obj + 8))();
v14 = alloca(v13 & 4);
v15 = (*(int (__cdecl **)(int, _DWORD, int *))(*(_DWORD *)(varControlledObj + 8) + 8))(varControlledObj, 0, &v24);

…
}

Figure 3. Vulnerability pseudocode

When DeleteRangeTimelineOperation::Placement is referenced, sub_1035F480 is also called. varControlledIndex is actually the offset of Placement in the derived class whose value(N) could be easily controlled by declaring N objects before the Placement property in the derived class. varControlledObj is controlled by varControlledIndex, and finally the function address (*(int (__cdecl **)(int, _DWORD, int *))(*(_DWORD *)(varControlledObj + 8) + 8)) is wrongly executed.

0:006> t

eax=00000078 ebx=0d79e7f0 ecx=0a4e52e0 edx=0a3c3460 esi=08f05ea8 edi=00000000
eip=0932f51b esp=020be67c ebp=020be6ac iopl=0         nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000             efl=00040206
Flash32_21_0_0_213!DllUnregisterServer+0x14ff98:
0932f51b 8b74823c        mov     esi,dword ptr [edx+eax*4+3Ch] ds:0023:0a3c367c=00000000
//get wrong esi== varControlledObj,
// where eax == varControlledIndex == 00000078 == N

Figure 4. Vulnerability pseudocode

The above assembly code shows how varControlledObj is controlled by varControlledIndex.

0:006> t

eax=0a4e52e1 ebx=0d79e7f0 ecx=00000004 edx=0a3c3460 esi=00000000 edi=00000000
eip=0932f533 esp=020be67c ebp=020be6ac iopl=0         nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000             efl=00040202
Flash32_21_0_0_213!DllUnregisterServer+0x14ffb0:
0932f533 8b4608          mov     eax,dword ptr [esi+8] ds:0023:00000008=????????
//crash here, esi == varControlledObj ==0

Figure 5. Vulnerability pseudocode

The psuedocode above shows how an access violation occurs when trying to fetch (*(int (__cdecl **)(int, _DWORD, int *))(*(_DWORD *)(varControlledObj + 8) + 8)).

What’s interesting is that CVE-2015-7645, used in late 2015 by Pawn Storm was a similar vulnerability. That vulnerability was due to type confusion in the IExternalizable interface and is also triggered in a very similar way. The disassembled code is also very similar, as can be seen in Figure 4 here and Figure 4 in the previous post.

The similarity of these vulnerabilities indicates that there may be more type fusion risk vulnerabilities in the native code of the Flash Player‘s ActionScript Virtual Machine (AVM). The same vulnerable design and/or code may have been reused elsewhere.

Best Practices and Mitigation

We strongly suggest that end users apply the latest patch from Adobe to update their versions of Flash Player to the newest version (21.0.0.242) as soon as possible.

The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security blocks browser exploits once the user accesses the URLs these are hosted at. Browser Exploit Prevention also protects against exploits that target browsers or related plugins.

The Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can frequently detect these threats as well without any engine or pattern update.

Trend Micro Deep Security and Vulnerability Protection protect user systems from any threats that may use this vulnerability via the following DPI rules:

1007638 – Adobe Flash Player Type Confusion Overflow Vulnerability (CVE-2016-4117)

TippingPoint customers will be protected from attacks exploiting this vulnerability with the following MainlineDV filter that will be made avail on May 17: