Genwei JiangFIREEYE:1A61A821CE69D378830204326B2E938CCVE-2016-1019: A New Flash Exploit Included in Magnitude Exploit Kit
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.972 High
EPSS
Percentile
99.8%
On April 2, security researcher @Kafeine at Proofpoint discovered a change to the Magnitude Exploit Kit. Thanks to their collaboration, we analyzed the sample and discovered that Magnitude EK was exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-1019). The in-the-wild exploit achieves remote code execution on recent versions of Flash Player, but fails on the latest version (21.0.0.197).
While version 21.0.0.197 is vulnerable to this exploit, execution fails because Adobe introduced new exploit mitigations in version 21.0.0.182 of Flash Player. This was a great move from Adobe that shows how valuable innovations into exploit mitigations can be. Before the exploit kit authors could devise a way around the new mitigations, Adobe patched the underlying vulnerability.
Exploit Delivery Chain
Magnitude EK recently updated its delivery chain. It added a profile gate, just like Angler EK, which collects the screen’s dimensions and color depth (Figure 1).
Figure 1. JS of Profile Gate
The server responds with another profiling page, which tries to avoid sending exploits to users browsing from virtual machines or with certain antivirus programs installed (Figure 2). See the appendix for the full list of checks performed.
Figure 2. JS of redirecting to main exploit page
In our tests, Magnitude EK delivered the JSON double free exploit (CVE-2015-2419) and a small Flash loader that renders the new Flash exploit (Figure 3).
Figure 3. JS of loading exploits
The Flash Exploit
A memory corruption vulnerability exists in an undocumented ASnative API. The exploit causes the flash memory allocator to allocate buffers under the attacker’s control. The attacker can then create a ByteArray of length 0xFFFFFFFF such that it can read and write arbitrary memory, as seen in Figure 4. The exploit’s code layout and some of the functionalities are similar to the leaked HackingTeam exploits, in that it downloads malware from another server and executes it.
Figure 4. ActionScript of Flash exploits
Conclusion
This is not the first time that new exploit mitigation research rendered an in-the-wild zero-day exploit ineffective. Exploit mitigations are an invaluable tool for the industry, and their ongoing development within some of the most widely targeted applications – such as Internet Explorer/Edge and Flash Player – change the game.
Despite regular security updates, attackers continue to target Flash Player, primarily because of its ubiquity and cross-platform reach. If Flash Player is required in your environment, ensure that you update to the latest version, and consider the use of mitigation tools such as EMET from Microsoft.
Click here for the security bulletin issued by Adobe.
Acknowledgements
A huge thank you to @Kafeine, without whom this discovery would not be possible. His diligence continues to keep this industry at pace with exploit kit authors around the world.
Appendix
res://\Program%20Files%20(x86)\Fiddler2\Fiddler.exe/#3/#32512
res://\Program%20Files\Fiddler2\Fiddler.exe/#3/#32512
res://\Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567
res://\Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567
res://\Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996
res://\Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996
res://\Program%20Files%20(x86)\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110
res://\Program%20Files\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110
res://\Program%20Files%20(x86)\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204
res://\Program%20Files\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204
res://\Program%20Files%20(x86)\Malwarebytes Anti-Malware\mbamext.dll/#2/202
res://\Program%20Files\Malwarebytes Anti-Malware\mbamext.dll/#2/202
res://\Program%20Files%20(x86)\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE
res://\Program%20Files\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE
res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/200
res://\Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/200
res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/201
res://\Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/201
res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE
res://\Program%20Files\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE
res://\Program%20Files%20(x86)\Trend Micro\Titanium\TmConfig.dll/#2/#30994
res://\Program%20Files\Trend Micro\Titanium\TmConfig.dll/#2/#30994
res://\Program%20Files%20(x86)\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994
res://\Program%20Files\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.972 High
EPSS
Percentile
99.8%