Earlier this week the Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public. The company was known for selling what it described as tools used to lawfully intercept communications that could be used by governments and law enforcement agencies. The company has stated they do not do business with oppressive countries in the past.
Most of the leaked information covered Hacking Team's business practices, which seemingly contradict their official statements on who they sell their products to. However, the leak also included the tools provided by the company to carry out attacks, and this included several exploits targeting Adobe Flash Player and Windows itself.
The information dump includes at least three exploits - two for Flash Player and one for the Windows kernel. One of the Flash Player vulnerabilities, CVE-2015-0349, has already been patched.
One of the Flash exploits is described by Hacking Team as "the most beautiful Flash bug for the last four years." This Flash exploit has not yet been given the CVE number.
Figure 1. Description of vulnerability by Hacking Team
Vulnerability Information The leaked package contains both a Flash zero-day proof-of-concept (POC) which can open the Windows calculator and a release version with real attack shellcode. In the POC, there is a readme document which describes the details of this zero-day as we can see below. It states that this exploit can affect Adobe Flash Player 9 and later, and that desktop/metro IE, Chrome, Firefox and Safari are all affected. External reports have stated that the latest version Adobe Flash (version 18.0.0.194) is also affected.Figure 2. Description of vulnerability by Hacking Team
Root Cause Analysis The readme also describes the root cause of the vulnerability. This is a ByteArray class user-after-free (UAF) vulnerability, which we can describe simply.- When you have a ByteArray object ba, and perform an assignment like this ba[0] = object, it will call this object’s ValueOf function
- The ValueOf function can be overridden, so someone can change value of ba in the object ValueOf function
- If you reallocate the ba memory in the ValueOf function, it will cause a UAF because ba[0] = object will save the original memory and use it after ValueOf function has been called.
- Search for the kernel32.dll base address in process, then find the VirtualProtect address
- Find the address of shellcode which is contained in a ByteArray
- Call VirtualProtect to change the shellcode memory to become executable.
- There is an empty static function named Payload defined in AS3 code.
- Find the Payload function object address and then find the real function code address contained by the Payload function object.
- Overwrite the real function code address with the shellcode address
- Call the static function Payload in AS3, which causes the shellcode to be called
- After the shellcode executes, reset the static function address.
- 1006824 - Adobe Flash ActionScript3 ByteArray Use After Free Vulnerability
DATE | UPDATE |
July 5 | The Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public. |
July 7 |
Three exploits – two for Flash Player and one for the Windows kernel—were initially found in the information dump. One of these [CVE-2015-5119] was a Flash zero-day. The Windows kernel vulnerability (CVE-2015-2387) existed in the open type font manager module (ATMFD.dll) and can be exploited to bypass the sandbox mitigation mechanism. The Flash zero-day exploit (CVE-2015-5119) was added into the Angler Exploit Kit and Nuclear Exploit Pack. It was also used in limited attacks in Korea and Japan. |
July 11 | Two new Flash zero-day vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were found in the hacking team dump. |
July 13 | Further analysis of the hacking team dump revealed that the company used UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems. |
July 14 | A new zero-day vulnerability (CVE-2015-2425) was found in Internet Explorer. |
July 16 | On the mobile front, a fake news app designed to bypass Google Play was discovered. |
July 20 | A new zero-day vulnerability (CVE-2015-2426) was found in Windows, which Microsoft fixed in an out-of-band patch. |
July 21 | Analysis of the RCSAndroid spying tool revealed that Hacking Team can listen to calls and roots devices to get in. |
July 28 | A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team. |
Tags