Cracking the CVE-2014-0569 nutshell

The Microsoft Malware Protection Center (MMPC) has recently seen an exploit targeting the Adobe Flash Player vulnerability CVE-2014-0569. This exploit is being integrated into the Fiesta exploit kit.

The vulnerability related to this malware was addressed with a patch released by Adobe on 14 October 2014. Adobe Flash Player desktop runtime for Windows versions and earlier are vulnerable. If you're using a vulnerable Adobe Flash Player version you should update now to help protect your PC.

We analyzed how these attacks work and found the following details.

The exploit successfully bypasses the memory range validation and is able to access an arbitrary location. It attempts to corrupt the VTABLE entry for the virtual function toString() of the Sound object. Later, the ActionScript calls the Sound.toString() method and control is transferred to the attacker-controlled address, as shown in Figure 1.



Figure 1: Transfer control via a corrupted VTABLE Sound.toString()

At the controlled address, it starts the ROP gadgets built from the Flash Player DLL, as shown in Figure 2.


Figure 2: Control transferred to ROP gadgets

These ROP gadgets are a bit convoluted, but they can be summarized in the following steps:

  1. The gadgets prepare the data on the stack using a loop of the following gadgets:

    dec eax  // decrement the address to build code

    pop ecx  // store the code bytes in ECX
    mov     dword ptr [eax],ecx  // store the code to the address specified by EAX
    pop ebp

  2. Control is passed (via a ret instruction) to the API VirtualAlloc() to allocate a 0x1000-byte buffer.
  3. It uses the gadget:

    mov     dword ptr [eax],ecx  // store the code
    pop ebp

    to build some new gadgets at the start of the allocated buffer, for example:

    mov     dword ptr [eax+0Ch],ecx

  4. These new gadgets build up a small piece of two-layer decryption code to decrypt the shellcode.
  5. Control is passed over to the fully decrypted shellcode.
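
The stack-writing loop in step 1 can be reconstructed offline during triage instead of running the sample. The following is an added example, not code from the MMPC post or from the Fiesta kit: a minimal emulator for the dec eax / pop ecx / mov [eax],ecx / pop ebp gadget loop, which takes a captured chain (the dwords on the stack) and recovers the bytes the chain writes. The gadget addresses, the helper build_chain() and the sample chain are all constructed for illustration; real addresses depend on the Flash Player DLL build.

```python
from typing import Dict, List

# Constructed gadget addresses (hypothetical; not taken from any real Flash build).
G_DEC_EAX = 0x10001000   # dec eax ; ret
G_POP_ECX = 0x10002000   # pop ecx ; ret
G_STORE = 0x10003000     # mov dword ptr [eax],ecx ; pop ebp ; ret
GADGETS: Dict[int, List[str]] = {
    G_DEC_EAX: ["dec eax", "ret"],
    G_POP_ECX: ["pop ecx", "ret"],
    G_STORE: ["mov [eax],ecx", "pop ebp", "ret"],
}
MASK = 0xFFFFFFFF


def emulate_chain(chain: List[int], eax: int) -> Dict[int, int]:
    """Walk the chain (stack dwords; the first entry is the first return address)
    and return the memory image it writes as {address: byte}."""
    regs = {"eax": eax & MASK, "ecx": 0, "ebp": 0}
    mem: Dict[int, int] = {}
    esp = 0  # index into the chain; each 'ret' pops the next gadget address
    while esp < len(chain):
        pc = chain[esp]
        esp += 1
        if pc not in GADGETS:
            break  # unknown address: the chain leaves the loop (e.g. for VirtualAlloc)
        for insn in GADGETS[pc]:
            if insn == "dec eax":
                regs["eax"] = (regs["eax"] - 1) & MASK
            elif insn.startswith("pop "):
                if esp >= len(chain):
                    return mem  # truncated capture: nothing left to pop
                regs[insn[4:]] = chain[esp] & MASK
                esp += 1
            elif insn == "mov [eax],ecx":
                # Little-endian dword store; overlapping later writes win,
                # which matters because the loop steps eax down one byte at a time.
                for i in range(4):
                    mem[(regs["eax"] + i) & MASK] = (regs["ecx"] >> (8 * i)) & 0xFF
            # 'ret' is handled by the outer loop popping the next address
    return mem


def build_chain(values: List[int], decs_per_value: int = 4) -> List[int]:
    """Constructed helper: one loop iteration per value, in the page's
    dec / pop ecx / store / pop ebp order. 0x41414141 is filler for 'pop ebp'."""
    chain: List[int] = []
    for v in values:
        chain += [G_DEC_EAX] * decs_per_value
        chain += [G_POP_ECX, v, G_STORE, 0x41414141]
    return chain
```

With one dec per iteration the stores overlap and only the last-written byte survives at each address, so the recovered image differs from simply concatenating the popped dwords.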

The shellcode downloads a file from the remote server and executes it. The downloaded file is detected as TrojanDropper:Win32/Ropest.A.

As well as keeping your software up-to-date, we also recommend running a real-time security product such as Microsoft Security Essentials to help protect your PC from this and other threats.

Chun Feng

468f23ef2f6318ea59a3cbc5570ac766435a5315  (detected as Exploit:SWF/Fiexp.B)
61a776fda7d50655ea336b22499573250fa8761d  (detected as TrojanDropper:Win32/Ropest.A)

Microsoft Malware Protection Center