Trend Micro Solutions for CVE-2014-8439 Vulnerability
Figure 1. The main flow of the exploit for CVE-2014-8439

The use of Vector.<int> above is similar to CVE-2014-0515, where the Vector object is used to read and write arbitrary memory addresses. After that point, however, the two exploits diverge. In CVE-2014-0515, a function inside Adobe Flash Player itself is used to call VirtualAlloc() and VirtualProtect(), which is a stable way to bypass DEP. This exploit instead still relies on a complex return-oriented programming (ROP) chain to achieve the same result.
Figure 2. ROP used in CVE-2014-8439

Interestingly, the binary used in CVE-2014-0515 is still present in CVE-2014-8439, but we cannot find anywhere it is actually used. Did the author forget to remove it? That might explain why some vendors detect this specific binary as CVE-2014-0515 rather than CVE-2014-8439.
Figure 3. A binary in CVE-2014-8439, same as CVE-2014-0515

Trend Micro Solutions for CVE-2014-8439

It would be ideal to detect this newest exploit through the same signature, but we do not want to rely on luck. Our products include a script analyzer module that uses dynamic emulation to de-obfuscate a script and analyze its behavior. The behavior rule "SWF.Dynamic.HeapSpray.A", created in June this year, detects this new exploit even though it targets a new vulnerability. The same rule also detects the other recent exploits CVE-2014-0569 and CVE-2014-8440. The rule targets the following method of reading and writing arbitrary memory, which is frequently used in Flash exploits.
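The following Python model is an added illustration and is not Trend Micro's rule, nor the exploit's own ActionScript. It shows the two behaviours the text describes, a heap spray of identical blocks and a Vector whose length word has been clobbered so that indexing reaches any 32-bit address, together with the kind of emulator-side checks that can flag both without the exploit having to succeed on a real Flash Player. The heap layout (a 4-byte length word followed by 4-byte elements, a bump allocator, an adjacent buffer that can be overflowed), the thresholds and the addresses are all assumptions made for the model; the page does not describe the real rule's internals.

```python
"""Toy AVM2-style heap with two dynamic-emulation detection rules (constructed example)."""
from collections import Counter

U32 = 0xFFFFFFFF
VEC_HDR = 4             # assumption: a Vector is a 4-byte length word followed by 4-byte elements
SPRAY_MIN_BLOCKS = 32   # assumed threshold: this many identical large blocks counts as a spray
SPRAY_MIN_SIZE = 0x1000


class Memory:
    """Sparse 32-bit address space; bytes never written read back as zero."""
    def __init__(self):
        self.cells = {}

    def read32(self, addr):
        return int.from_bytes(bytes(self.cells.get((addr + i) & U32, 0) for i in range(4)), "little")

    def write32(self, addr, value):
        self.write(addr, (value & U32).to_bytes(4, "little"))

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[(addr + i) & U32] = b


class Emulator:
    """Bump allocator plus the hooks a behavior rule would attach to allocations and Vector access."""
    def __init__(self):
        self.mem = Memory()
        self.next_addr = 0x10000
        self.allocs = {}        # addr -> size
        self.vec_len = {}       # addr -> length the script legitimately gave the Vector
        self.spray = Counter()  # (size, content) -> number of identical blocks seen
        self.findings = []

    def _flag(self, msg):
        if msg not in self.findings:
            self.findings.append(msg)

    def alloc(self, size, fill=b""):
        addr = self.next_addr
        self.next_addr += size
        self.mem.write(addr, fill.ljust(size, b"\x00")[:size])
        self.allocs[addr] = size
        # Rule 1: many identical large blocks allocated in a row is a heap spray.
        if size >= SPRAY_MIN_SIZE:
            self.spray[(size, fill)] += 1
            if self.spray[(size, fill)] == SPRAY_MIN_BLOCKS:
                self._flag(f"HeapSpray: {SPRAY_MIN_BLOCKS} identical {size:#x}-byte blocks")
        return addr

    def vector_new(self, length):
        addr = self.alloc(VEC_HDR + 4 * length)
        self.mem.write32(addr, length)
        self.vec_len[addr] = length
        return addr

    def overflow(self, buf, data):
        """Modelled bug: a write that ignores the buffer's size and runs into its neighbour."""
        self.mem.write(buf, data)

    def _element(self, vec, index, op):
        length = self.mem.read32(vec)           # the VM bounds-checks against the in-memory length
        if index >= length:
            raise IndexError("RangeError: index out of range")
        target = (vec + VEC_HDR + 4 * index) & U32
        # Rule 2: a length that grew after allocation, or an element access that lands
        # outside the Vector's own allocation, is the read/write-anywhere primitive.
        if length != self.vec_len[vec]:
            self._flag(f"VectorLengthCorrupt: {vec:#x} length {self.vec_len[vec]:#x} -> {length:#x}")
        if not vec <= target < vec + self.allocs[vec]:
            self._flag(f"ArbitraryMemory{op}: vector {vec:#x} index {index:#x} hits {target:#x}")
        return target

    def vector_get(self, vec, index):
        return self.mem.read32(self._element(vec, index, "Read"))

    def vector_set(self, vec, index, value):
        self.mem.write32(self._element(vec, index, "Write"), value)


def exploit_model():
    """Spray, clobber an adjacent Vector's length word, then read/write an arbitrary address."""
    emu = Emulator()
    for _ in range(SPRAY_MIN_BLOCKS):                 # 1. heap spray of identical 4 KiB blocks
        emu.alloc(0x1000, fill=b"\x0c" * 0x1000)
    buf = emu.alloc(0x10, fill=b"A" * 0x10)           # 2. small buffer directly before a Vector
    vec = emu.vector_new(4)
    emu.overflow(buf, b"A" * 0x10 + (0x40000000).to_bytes(4, "little"))  # 3. length -> 2^30
    target = 0x7FFE0300                               # constructed address to read and write
    emu.mem.write32(target, 0xDEADBEEF)               # value planted so the leak is checkable
    idx = ((target - (vec + VEC_HDR)) & U32) // 4     # 4. any 32-bit address maps to some index < 2^30
    leaked = emu.vector_get(vec, idx)
    emu.vector_set(vec, idx, 0x41414141)
    return emu, leaked


def benign_model():
    """Ordinary Vector use: in-bounds access trips no rule; the VM's own bounds check still works."""
    emu = Emulator()
    vec = emu.vector_new(4)
    emu.vector_set(vec, 3, 7)
    emu.vector_get(vec, 3)
    try:
        emu.vector_get(vec, 4)
    except IndexError:
        pass
    return emu.findings


if __name__ == "__main__":
    emu, leaked = exploit_model()
    print(f"leaked {leaked:#x}")
    print("\n".join(emu.findings))
```

Both rules fire on the emulated trace whether or not a real Flash Player on the sandbox's VM would have been exploitable, which is the point the text makes about judging the exploit's behavior rather than waiting for a payload to land. The thresholds are deliberately simple; a production rule would also need to tolerate legitimate code that allocates many equal-sized buffers.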
Figure 4. Detection point in our script analyzer module

Script Dynamic Emulation as an Effective Tool against Targeted Attacks

Script-based exploits are widely used in targeted attacks. Because scripts are easy to obfuscate, static signature-based solutions prove ineffective at detecting new variants. Heuristic analysis helps as a fast filter ahead of sandboxing; the sandbox then makes the final decision and keeps the false-positive rate under control through behavioral analysis. Every sandbox performs behavioral analysis of the payload on an operating system, but a good sandbox should also analyze the behavior of the exploit (the script) inside the exploitable application. The reason is that triggering an exploit reliably is hard, especially in the limited, specific VM environment of a sandbox: a sandbox detection fails whenever the exploit does not fire or the payload download does not succeed. In such cases, studying the behavior of the exploit itself helps. With dynamic emulation we can simulate the execution of a script in a controlled environment and study its behavior: heap spray techniques, ROP, function calls with the specific parameters a particular CVE requires, and any other anomalous usage. Of course, script dynamic emulation has its limitations, and attackers will do their best to evade it. Defense in depth is necessary against targeted attacks: heuristic scanning, system behavior monitoring and dynamic emulation together give users the best protection.

Recommendations

Although the root-cause fix came only after the exploit was already in circulation, the update Adobe released on October 14 (APSB14-22) already prevents this exploit from working. Users running Flash Player 15.0.0.189, 13.0.0.250 or 11.2.202.411 and later are protected from these exploits. However, since the root cause of this bug was only fixed in the latest update (APSB14-26, released November 25), we still recommend that users upgrade Adobe Flash Player as soon as possible to avoid being infected by other variants of this exploit.
For Trend Micro users, Titanium and OfficeScan are equipped with the script analyzer module described above, which detects exploit kits effectively; its detections are automatically extended to URL and binary signatures shared among Trend Micro users via the Trend Micro™ Smart Protection Network™. For enterprise users, we recommend Trend Micro™ Deep Discovery™ to protect the organization from unknown exploits and possible targeted attacks.

Additional insights and analysis by Michael Du, Peter Pi and Moony Li.

Below are the hashes related to this analysis:
- 80B632B139F11CAC5E832092BF173C2B11D80E3E, SWF_EXPLOYT.LDCE
- 34567961ad0326e63a8968e2b7f108d940ff6b80, TROJ_WALEDAC.WJG
Update: This blog entry has been edited to further explain the classification of the new exploit.