Unpatched Flash Player Flaw, More POCs Found in Hacking Team Leak

Earlier this week the Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public. The company was known for selling what it described as tools used to lawfully intercept communications that could be used by governments and law enforcement agencies. The company has stated they do not do business with oppressive countries in the past.

Most of the leaked information covered Hacking Team’s business practices, which seemingly contradict their official statements on who they sell their products to. However, the leak also included the tools provided by the company to carry out attacks, and this included several exploits targeting Adobe Flash Player and Windows itself.

The information dump includes at least three exploits – two for Flash Player and one for the Windows kernel. One of the Flash Player vulnerabilities, CVE-2015-0349, has already been patched.

One of the Flash exploits is described by Hacking Team as “the most beautiful Flash bug for the last four years.” This Flash exploit has not yet been given the CVE number.

Figure 1. Description of vulnerability by Hacking Team

Vulnerability Information

The leaked package contains both a Flash zero-day proof-of-concept (POC) which can open the Windows calculator and a release version with real attack shellcode.

In the POC, there is a readme document which describes the details of this zero-day as we can see below. It states that this exploit can affect Adobe Flash Player 9 and later, and that desktop/metro IE, Chrome, Firefox and Safari are all affected.

Figure 2. Description of vulnerability by Hacking Team

Root Cause Analysis

The readme also describes the root cause of the vulnerability. This is a ByteArray class user-after-free (UAF) vulnerability, which we can describe simply.

When you have a ByteArray object ba, and perform an assignment like this ba[0] = object, it will call this object’s ValueOf function
The ValueOf function can be overridden, so someone can change value of ba in the object ValueOf function
If you reallocate the ba memory in the ValueOf function, it will cause a UAF because ba[0] = object will save the original memory and use it after ValueOf function has been called.

Release Version Exploit Analysis

After triggers UAF vulnerability, it corrupts the Vector.<uint> length to achieve arbitrary memory read and write capabilities in the process. With this ability, the exploit is capable of performing the following:

Search for the kernel32.dll base address in process, then find the VirtualProtect address
Find the address of shellcode which is contained in a ByteArray
Call VirtualProtect to change the shellcode memory to become executable.
There is an empty static function named Payload defined in AS3 code.
Find the Payload function object address and then find the real function code address contained by the Payload function object.
Overwrite the real function code address with the shellcode address
Call the static function Payload in AS3, which causes the shellcode to be called
After the shellcode executes, reset the static function address.

We can see that this exploit method can bypass Control Flow Guard by overwriting a static function code address.

Conclusion

While Hacking Team stated that this was the most beautiful bug since CVE-2010-2161, we can see that several bugs have used this ValueOf trick, including CVE-2015-0349 which was used at Pwn2Own 2015.

Users do not need to be overly concerned about this vulnerability at this time, as an active attack has not yet been spotted in the wild. We will update this post with more information and advice if it becomes necessary at a later time.

Trend Micro is already able to protect users against this threat out of the box, without any necessary updates. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior. The Browser Exploit Prevention feature in the Endpoint Security in Trend Micro™ Smart Protection Suite blocks the exploit once the user accesses the URL it is hosted in. Browser Exploit Prevention protects against exploits that target browsers or related plugins.

Update as of June 7, 2015, 07:44 A.M. PDT (UTC-7):

Based on the further verification, one Adobe Flash Player vulnerability along with the Windows kernel flaw have no CVEs yet. We updated the blog entry to reflect this.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Unpatched Flash Player Flaw, More POCs Found in Hacking Team Leak