Hacking Team Flash Zero Day Weaponized in Exploit Kits

2015-07-08T11:19:00
ID HACKING-TEAM-FLASH-ZERO-DAY-WEAPONIZED-IN-EXPLOIT-KITS/113663
Type threatpost
Reporter Michael Mimoso
Modified 2015-07-09T13:52:36

Description

Handlers for three major exploit kits have managed to utilize in short order a zero-day vulnerability in Adobe Flash Player uncovered among the 400 Gb of data stolen from Hacking Team.

Experts, including French researcher Kafeine and a number of others from security companies, revealed last night that the Angler, Neutrino, and Nuclear kits had incorporated exploits for the zero day, which Adobe has patched.

The Hacking Team breach was disclosed on Sunday and by Monday afternoon, word of the Flash zero day, along with an unpatched Windows kernel vulnerability, was circulating. Though the Hacking Team data included only a proof of concept that opened the computer’s calculator, an extensive read-me document that accompanied it likely helped pave the way to the exploits.

> Flash 0day from #HackingTeam with a nice readme. Works very well on Chrome etc. <http://t.co/nfqck54YhT> pic.twitter.com/8uAQuUIXGV > > — webDEViL (@w3bd3vil) July 6, 2015

A Metasploit module was also developed and integrated into the framework, before integration into the exploit kits, Kafeine told Threatpost via email.

Adobe issued an advisory late Tuesday afternoon that it would today release an updated Flash Player. The vulnerability, CVE-2015-5119, affects Flash Player version 18.0.0.194 and earlier for Windows, Macintosh and Linux systems.

Security company Bromium, meanwhile, published an analysis of the vulnerability, which is a byte array use-after-free memory issue that allows an attacker to gain control of a Windows machine running the vulnerable Flash Player. Researcher Nick Cano wrote that Hacking Team built its proof-of-concept code based on a 2014 vulnerability known as the ActionScript-Spray attack (CVE-2014-0322) which took advantage of a UAF bug in Internet Explorer to gain access to the heap of a process.

“HackingTeam’s exploit uses this idea to achieve execution, but uses a UAF bug internal to the ActionScript 3 engine,” Cano wrote. The Bromium analysis provides in-depth detail on the vulnerability and how the Hacking Team PoC exploits it.

Cano said the Hacking Team exploits comes with shellcode for 32- and 64-bit Windows machines, as well as Mac OS X 64-bit machines, and mitigation bypasses for Microsoft’s free EMET tool. .

“We’ve tested this exploit with the latest updated Flash Player 18 and Internet Explorer which indicates that this is clearly a zero day risk to internet users today,” Cano wrote. “This exploit has the potential to completely own almost any system that it hits, and can be reliably blocked by leveraging robust isolation technologies.”

Researchers from China’s 360Vulcan Team, who cashed in big at this year’s Pwn2Own contest, also published an analysis of the vulnerability (translated).

Hacking Team is a controversial player in security, selling intrusion software flagged by the Wassenaar Arrangement used to monitor users’ computers. It, along with others such as Gamma Corp., has been criticized for selling software that violates not only privacy but human rights; the companies are accused of selling their products to oppressive governments. Among the Hacking Team data were invoices showing sales to the Sudan, Ethiopia and other sanctioned nations, drawing the ire of the European Parliament, which yesterday asked some pointed questions about the incident.