
CVE-2016-1019: A New Flash Exploit Included in Magnitude Exploit Kit

Description

On April 2, security researcher @Kafeine at Proofpoint [discovered a change to the Magnitude Exploit Kit](<https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg>). Thanks to their collaboration, we analyzed the sample and discovered that Magnitude EK was exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-1019). The in-the-wild exploit achieves remote code execution on recent versions of Flash Player, but fails on the latest version (21.0.0.197). Although version 21.0.0.197 is vulnerable to this exploit, execution fails because Adobe introduced new exploit mitigations in version 21.0.0.182 of Flash Player. This was a great move from Adobe that shows how valuable innovation in exploit mitigations can be. Before the exploit kit authors could devise a way around the new mitigations, Adobe patched the underlying vulnerability.

##### Exploit Delivery Chain

Magnitude EK recently updated its delivery chain. It added a profile gate, just like Angler EK, which collects the screen’s dimensions and color depth (Figure 1).

![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/Flash%200day%20Genwei%20Jang/fig1.jpg)

Figure 1. JS of Profile Gate

The server responds with another profiling page, which tries to avoid sending exploits to users browsing from virtual machines or with certain antivirus programs installed (Figure 2). See the appendix for the full list of checks performed.

![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/Flash%200day%20Genwei%20Jang/fig2.jpg)

Figure 2. JS of redirecting to main exploit page

In our tests, Magnitude EK delivered the JSON double free exploit (CVE-2015-2419) and a small Flash loader that renders the new Flash exploit (Figure 3).

![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/Flash%200day%20Genwei%20Jang/fig3.jpg)

Figure 3. JS of loading exploits

##### The Flash Exploit

A memory corruption vulnerability exists in an undocumented ASnative API. The exploit causes the Flash memory allocator to allocate buffers under the attacker’s control. The attacker can then create a ByteArray of length 0xFFFFFFFF such that it can read and write arbitrary memory, as seen in Figure 4. The exploit’s code layout and some of its functionality are similar to the leaked HackingTeam exploits, in that it downloads malware from another server and executes it.

![](https://www.fireeye.com/content/dam/fireeye-www/blog/images/Flash%200day%20Genwei%20Jang/fig4.jpg)

Figure 4. ActionScript of Flash exploits

##### Conclusion

This is not the first time that new exploit mitigation research has rendered an in-the-wild zero-day exploit ineffective. Exploit mitigations are an invaluable tool for the industry, and their ongoing development within some of the most widely targeted applications – such as Internet Explorer/Edge and Flash Player – changes the game. Despite regular security updates, attackers continue to target Flash Player, primarily because of its ubiquity and cross-platform reach. If Flash Player is required in your environment, ensure that you update to the latest version, and consider the use of mitigation tools such as [EMET](<https://support.microsoft.com/en-us/kb/2458544>) from Microsoft. Click [here](<https://helpx.adobe.com/security/products/flash-player/apsb16-10.html>) for the security bulletin issued by Adobe.

##### Acknowledgements

A huge thank you to @Kafeine, without whom this discovery would not be possible. His diligence continues to keep this industry at pace with exploit kit authors around the world.
##### Appendix

res://\Program%20Files%20(x86)\Fiddler2\Fiddler.exe/#3/#32512
res://\Program%20Files\Fiddler2\Fiddler.exe/#3/#32512
res://\Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567
res://\Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567
res://\Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996
res://\Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996
res://\Program%20Files%20(x86)\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110
res://\Program%20Files\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110
res://\Program%20Files%20(x86)\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204
res://\Program%20Files\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204
res://\Program%20Files%20(x86)\Malwarebytes Anti-Malware\mbamext.dll/#2/202
res://\Program%20Files\Malwarebytes Anti-Malware\mbamext.dll/#2/202
res://\Program%20Files%20(x86)\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE
res://\Program%20Files\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE
res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/200
res://\Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/200
res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/201
res://\Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/201
res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE
res://\Program%20Files\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE
res://\Program%20Files%20(x86)\Trend Micro\Titanium\TmConfig.dll/#2/#30994
res://\Program%20Files\Trend Micro\Titanium\TmConfig.dll/#2/#30994
res://\Program%20Files%20(x86)\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994
res://\Program%20Files\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567
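Each entry in the appendix has the shape res://<local file>/<resource type>/<resource name>: the gate asks Internet Explorer to load a resource out of a file that only exists when a given analysis tool, hypervisor guest package or security product is installed, and the success or failure of that load is what tells it whether to serve the exploit. For analysts triaging captured landing pages, the Python below is an added example (not code from the original post or from FireEye) that pulls such probes out of page text, decodes each into the probed path, file and resource, and summarises which vendor directories are being fingerprinted. The landing-page snippet is constructed for this example from entries in the appendix, and the triage threshold in gate_indicators is an assumed setting, not something the post states.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample of a captured landing page (not the real Magnitude gate):
# a JS array holding res:// probes in the form listed in the appendix. JS
# string literals double the backslashes, which the extractor undoes.
SAMPLE_LANDING_JS = r"""
var probes = [
  "res://\\Program%20Files%20(x86)\\Fiddler2\\Fiddler.exe/#3/#32512",
  "res://\\Program%20Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567",
  "res://\\Program%20Files%20(x86)\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110",
  "res://\\Program%20Files%20(x86)\\Malwarebytes Anti-Malware\\unins000.exe/#2/DISKIMAGE",
  "res://\\Program%20Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2011\\avzkrnl.dll/#2/BBALL",
  "res://\\Program%20Files%20(x86)\\Kaspersky Lab\\Kaspersky Internet Security 16.0.0\\x86\\mfc42.dll/#2/#26567"
];
"""

# A res:// URI inside a JS string literal runs until the closing quote.
RES_URI = re.compile(r"res://[^\"']+")


def extract_res_probes(page_text):
    """Return every res:// URI quoted in captured page text, JS escaping removed."""
    return [m.group(0).replace("\\\\", "\\") for m in RES_URI.finditer(page_text)]


def parse_res_probe(uri):
    """Split res://<file path>/<resource type>/<resource name> into its parts.

    Returns the percent-decoded Windows path, the first directory under
    Program Files (used as the vendor/product key), the probed file name, and
    the resource type and name the page asks the browser to load.
    """
    if not uri.startswith("res://"):
        raise ValueError("not a res:// URI: %r" % uri)
    # The last two '/'-separated components are the resource type and name;
    # everything before them is the backslash-separated local path.
    path, rtype, rname = uri[len("res://"):].rsplit("/", 2)
    decoded = unquote(path)  # %20 -> space, etc.
    parts = [p for p in decoded.split("\\") if p]
    # parts[0] is "Program Files" or "Program Files (x86)", parts[1] the vendor dir
    return {
        "path": decoded,
        "vendor_dir": parts[1] if len(parts) > 1 else "",
        "file": parts[-1],
        "resource_type": rtype,
        "resource_name": rname,
    }


def summarise_probes(uris):
    """Group probed file names by vendor directory, preserving first-seen order."""
    summary = defaultdict(list)
    for uri in uris:
        info = parse_res_probe(uri)
        if info["file"] not in summary[info["vendor_dir"]]:
            summary[info["vendor_dir"]].append(info["file"])
    return dict(summary)


def gate_indicators(page_text, min_probes=3):
    """Triage rule: flag a page that probes for several local files via res://.

    Returns (flagged, probe_count). The default threshold is an assumed value
    chosen for this example.
    """
    count = len(extract_res_probes(page_text))
    return count >= min_probes, count


if __name__ == "__main__":
    probes = extract_res_probes(SAMPLE_LANDING_JS)
    for vendor, files in summarise_probes(probes).items():
        print("%-26s %s" % (vendor, ", ".join(files)))
    print("flagged:", gate_indicators(SAMPLE_LANDING_JS))
```

Run against the constructed snippet, the summary groups the two Kaspersky probes under the single "Kaspersky Lab" directory and lists the Fiddler, VMware, Oracle and Malwarebytes files individually, which is usually the level at which a gate's fingerprinting targets are written up. Grouping by the directory under Program Files rather than by file name is deliberate: the appendix probes the same file (mfc42.dll, shellex.dll) across many product versions, so the directory is the more stable key.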

