Last week we published a blog post about a CVE-2013-5330 exploit. We’ve also recently seen a new, similar attack targeting a patched Adobe Flash Player vulnerability (CVE-2014-0497).
The vulnerability related to this malware was addressed with a patch released by Adobe on February 4, 2014. Flash Player versions 12.0.0.43 and earlier are vulnerable. We analyzed how these attacks work and found the following details.
The malicious file has been distributed as a .swf file, which contains:
- The vulnerability trigger
- Shellcode
- A PE file (encrypted)
The .swf file can be hosted on a web server and run when the webpage is visited. When the .swf is loaded, the vulnerability is triggered.
The .swf successfully bypasses the validation of memory range and is able to access an arbitrary location. It overwrites a pointer in a VTABLE to successfully pass control to a controlled location (Note that the exploit does not rely on heap spray – see figure 1). The controlled location starts with stack pivot ROP gadgets built from a Flash Player DLL. The ROP gadgets call VirtualProtect() to make the shellcode memory region executable. Finally, the control is passed to the shellcode via a jmp esp instruction (as shown in figure 3).
Figure 1: Control transfer via an overwritten pointer in VTABLE
Figure 2: Stack pivot ROP gadgets
Figure 3: Control is passed to shellcode via “jmp esp”
The shellcode simply drops a PE File (already decrypted by .swf) as %temp%a.exe and executes it. The dropped PE file (Sha1: 265fdeb993a09d2350daa130de4ce5b662bed628) is detected as TrojanDownloader:Win32/Siromost.A.
The telemetry of this exploit is shown in figure 4.
Figure 4: Daily reports for CVE-2014-0497
We have confirmed this exploit works across multiple Flash Player versions. In our lab testing, we are able to reproduce the attack on the following Adobe Flash Player versions:
- 11.6.602.171
- 11.6.602.180
- 11.7.700.169
- 11.7.700.202
- 11.7.700.224
- 11.8.800.94
- 11.8.800.168
- 11.8.800.175
- 11.9.900.117
- 11.9.900.152
- 11.9.900.170
Version 12.x (12.0.0.43 and earlier) is known to contain the vulnerability used by the attack, but it also carries a mitigation that prevents building the ROP gadget from the Flash Player DLL. The sample we analyzed does not support version 12.x for this reason.
If you're using Flash Player version 12.0.0.43 or earlier, you need to update your Flash Player now to be protected against these attacks.
You can also find more information about this vulnerability, including workarounds, in Microsoft Security Advisory (2755801).
Chun Feng
MMPC