Adobe vulnerability – what’s all the fuss?
Many of you will (hopefully) have heard about the recent vulnerabilities found in Adobe Flash and Shockwave. These have been reported as ‘Zero Day’ exploits which basically means at the time of reporting there was no known fix. By now I hope anybody reading this blog has updated Adobe Flash and Adobe Shockwave (if you haven’t, minimise this page and do it now before reading on).
So what are the vulnerabilities? How could they affect your systems or users?
Adobe describes the vulnerabilities as “critical vulnerabilities that could potentially allow an attacker to take control of the affected system”. These vulnerabilities affect the following versions:
Windows and Mac
Adobe Flash Player Desktop Runtime – 18.104.22.168 and earlier
Adobe Flash Player Extended Support Release – 22.214.171.1242 and earlier
Adobe Flash Player for Google Chrome – 126.96.36.199 and earlier
Windows 8.0 and 8.1
Adobe Flash Player for Internet Explorer 10 and Internet Explorer 11 – 188.8.131.52 and earlier
Adobe Flash Player for Google Chrome – 184.108.40.206 and earlier
Adobe Flash Player – 220.127.116.111 and earlier
Which, long story short means they affect most of us (well before the update anyway).
Security vulnerabilities are registered with a unique name in a dictionary style list known as CVE (Common Vulnerabilities and Exposures). This is a publicly known dictionary for information security vulnerabilities, most people don’t need to know about this merely that it exists for cyber security professionals to classify and report vulnerabilities and exposures. (This article is referring to CVE-2015-5119 in particular).
So how could somebody use Adobe Flash or Adobe Shockwave to take control of my machine?…TrendMicro documented the technical workings of the vulnerability as detailed below.
Root Cause Analysis
The readme also describes the root cause of the vulnerability. This is a ByteArray class user-after-free (UAF) vulnerability, which we can describe simply.
- When you have a ByteArray object ba, and perform an assignment like this ba = object, it will call this object’s ValueOf function
- The ValueOf function can be overridden, so someone can change value of ba in the object ValueOf function
- If you reallocate the ba memory in the ValueOf function, it will cause a UAF because ba = object will save the original memory and use it after ValueOf function has been called.
Release Version Exploit Analysis
After triggers UAF vulnerability, it corrupts the Vector.<uint> length to achieve arbitrary memory read and write capabilities in the process. With this ability, the exploit is capable of performing the following:
- Search for the kernel32.dll base address in process, then find the VirtualProtect address
- Find the address of shellcode which is contained in a ByteArray
- Call VirtualProtect to change the shellcode memory to become executable.
- There is an empty static function named Payload defined in AS3 code.
- Find the Payload function object address and then find the real function code address contained by the Payload function object.
- Overwrite the real function code address with the shellcode address
- Call the static function Payload in AS3, which causes the shellcode to be called
- After the shellcode executes, reset the static function address.
We can see that this exploit method can bypass Control Flow Guard by overwriting a static function code address.
This may seem overly complex and most people reading this will think it is too complex for your average hacker to perform…Unfortunately, this vulnerability has been packaged and now ships with a number of hacking tools as an exploit. This means a hacker could use a piece of software such as Metasploit, download the exploit (exploit/multi/browser/adobe_flash_hacking_team_uaf) and target your systems. In a few lines on the Metasploit shell your systems could be exploited using this vulnerability.
This is why REGULAR vulnerability scans and patch management is essential for your business. These vulnerabilities come out frequently and hacking tools include them generally a few days later dropping the technical expertise required to use them.