Adobe Flash Zero Day, CVE-2015-3113 Exploited in the Wild


The Vulnerability

Last week, Adobe released a security update for a critical vulnerability, CVE-2015-3113, that affects Adobe Flash on Windows, Mac and Linux.

Successful exploitation may allow a remote attacker to execute arbitrary code.

In The Wild Attacks

There were reports of "in the wild" zero-day attacks affecting Windows 7 with Internet Explorer and Windows XP with Firefox.

FireEye reported Operation Clandestine Wolf, a campaign that used this vulnerability as the initial infection vector against its victims.

Here is the sequence of steps that make up a successful exploitation:
image1

Let's take a look at the malicious Flash file.
Here is the detection rate as seen on VirusTotal.

image2

Here is how the Flash file is constructed. Note the two Binary Data blocks; these are referenced later from the ActionScript.

image3

Here is the decompilation of the ActionScript embedded in the Flash file.
We can see the control flow in which the encrypted data is decrypted using a specified key. This is achieved through some array manipulation followed by a call to the decode function.

image4

This function converts the byte array to an integer array.

image5

This is the actual logic of the "decode" routine, which uses XOR decryption.

image6
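To make the decode stage reproducible for analysis, here is an added Python helper (not code from the sample or from the original post) that mirrors the two steps described above: a byte array is packed into 32-bit integers, each integer is XORed with a repeating key word, and the result is checked for a recognisable payload header. The key, the little-endian word order and the sample data are constructed assumptions; the real sample's key and exact routine are not given on this page.

```python
import struct

# Constructed values: the real key and data of the CVE-2015-3113 sample are not on the page.
KEY = bytes.fromhex("deadbeef")
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib, LZMA SWF headers


def bytes_to_ints(data):
    """Mirror the 'byte array to integer array' step: pack 4 bytes into one
    uint32. Little-endian is an assumption (AS3 ByteArray defaults to big-endian)."""
    padded = data + b"\x00" * (-len(data) % 4)
    return list(struct.unpack("<%dI" % (len(padded) // 4), padded))


def ints_to_bytes(words, length):
    """Inverse of bytes_to_ints; drop the padding added during packing."""
    return struct.pack("<%dI" % len(words), *words)[:length]


def decode(blob, key):
    """XOR each 32-bit word with the corresponding (repeating) key word.
    XOR is symmetric, so the same call encodes and decodes."""
    key_words = bytes_to_ints(key)
    words = bytes_to_ints(blob)
    out = [w ^ key_words[i % len(key_words)] for i, w in enumerate(words)]
    return ints_to_bytes(out, len(blob))


def looks_like_payload(data):
    """Sanity check on a decoded block: does it start like a SWF or a PE file?"""
    if data[:3] in SWF_MAGIC:
        return "swf"
    if data[:2] == b"MZ":
        return "pe"
    return None


def key_from_known_header(blob, header):
    """Known-plaintext trick for a single-word XOR key: the first ciphertext
    word XOR the expected first plaintext word (4 bytes) yields the key."""
    return ints_to_bytes([bytes_to_ints(blob[:4])[0] ^ bytes_to_ints(header[:4])[0]], 4)


# Constructed stand-in for an embedded Binary Data block: encode, then recover it.
SAMPLE_PLAINTEXT = b"CWS\x0d" + b"constructed second-stage SWF body"
SAMPLE_BLOB = decode(SAMPLE_PLAINTEXT, KEY)


def recover(blob=SAMPLE_BLOB, key=KEY):
    """Decode a block and report what kind of payload it appears to be."""
    plain = decode(blob, key)
    return looks_like_payload(plain), plain
```

When analysing a real sample, feed the extracted Binary Data block and the key recovered from the decompiled ActionScript into recover(); if the key is a single word and the payload type is known, key_from_known_header() derives it directly from the header.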


Advanced Exploitation Techniques

The exploit has to rely on advanced techniques such as heap spraying and a ROP chain to bypass mitigations such as DEP and ASLR.

Attribution

This attack was attributed to the China-based threat actor APT3, based on its similarities with Operation Clandestine Fox, reported last year. In that campaign the threat actors likewise exploited a zero day in Internet Explorer before downloading a backdoor onto the victim's systems and eventually achieving lateral movement across multiple hosts.

They have also been accused of targeting high-profile industries such as construction, aerospace, defense and telecommunications.

Remediation

Adobe has already released a fix for this vulnerability, so make sure your systems are patched.

Since this was a zero day affecting fully patched versions, you should also consider whether disabling Adobe Flash is an option.