‚ÄčLast week we published a blog post about a CVE-2013-5330 exploit. We’ve also recently seen a new, similar attack targeting a patched Adobe Flash Player vulnerability (CVE-2014-0497).

The vulnerability related to this malware was addressed with a patch released by Adobe on February 4, 2014. Flash Player versions 12.0.0.43 and earlier are vulnerable. We analyzed how these attacks work and found the following details.

The malicious file has been distributed as a .swf file, which contains:

  • The vulnerability trigger
  • Shellcode
  • A PE file (encrypted)

The .swf file can be hosted on a web server and run when the webpage is visited. When the .swf is loaded, the vulnerability is triggered.

The .swf successfully bypasses the validation of memory range and is able to access an arbitrary location.  It overwrites a pointer in a VTABLE to successfully pass control to a controlled location (Note that the exploit does not rely on heap spray – see figure 1). The controlled location starts with stack pivot ROP gadgets built from a Flash Player DLL. The ROP gadgets call VirtualProtect() to make the shellcode memory region executable. Finally, the control is passed to the shellcode via a jmp esp instruction (as shown in figure 3).

Control transfer

Figure 1: Control transfer via an overwritten pointer in VTABLE

ROP gadgets

Figure 2: Stack pivot ROP gadgets

Control is passed to shellcode

Figure 3: Control is passed to shellcode via “jmp esp”

The shellcode simply drops a PE File (already decrypted by .swf) as %temp%\a.exe and executes it. The dropped PE file (Sha1: 265fdeb993a09d2350daa130de4ce5b662bed628) is detected as TrojanDownloader:Win32/Siromost.A.

The telemetry of this exploit is shown in figure 4.

Daily reports for CVE-2014-0497

Figure 4: Daily reports for CVE-2014-0497

We have confirmed this exploit works across multiple Flash Player versions. In our lab testing, we are able to reproduce the attack on the following Adobe Flash Player versions:

  • 11.6.602.171
  • 11.6.602.180
  • 11.7.700.169
  • 11.7.700.202
  • 11.7.700.224
  • 11.8.800.94
  • 11.8.800.168
  • 11.8.800.175
  • 11.9.900.117
  • 11.9.900.152
  • 11.9.900.170

Version 12.x (12.0.0.43 and earlier) is known to contain the vulnerability used by the attack, but it also carries a mitigation that prevents building the ROP gadget from the Flash Player DLL. The sample we analyzed does not support version 12.x for this reason.

If you're using Flash Player version 12.0.0.43 or earlier, you need to update your Flash Player now to be protected against these attacks.

You can also find more information about this vulnerability, including workarounds, in Microsoft Security Advisory (2755801).

Chun Feng
MMPC