

Case Analysis of Flash 0day vulnerability CVE-2018-5002

2025-04-04 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article is a case analysis of the Flash 0day vulnerability CVE-2018-5002. The editor considers it very practical and shares it here for reference; we hope you take something away from it.

0x1 Overview

Tencent's Threat Intelligence Center recently detected an APT attack exploiting an Adobe Flash 0day vulnerability (CVE-2018-5002). The attacker is believed to have delivered malicious Excel documents to the targets through instant-messaging tools and e-mail to trick them into opening the files. The Excel document is specially crafted with an embedded Flash object; as soon as the user opens it, the machine is infected.

CVE-2018-5002 affects Adobe Flash Player 29.0.0.171 and all earlier versions. Adobe published security bulletin APSB18-19 on the afternoon of June 7 and updated Adobe Flash Player to version 30.0.0.113. For details see the Adobe security bulletin: https://helpx.adobe.com/security/products/flash-player/apsb18-19.html

We reported the exploit sample to Adobe promptly and received Adobe's official confirmation and acknowledgement.

(attack flowchart)

0x2 Attack flow analysis

1. Behavior analysis of the exploit document

The decoy document used in the attack is named "basic_salary.xlsx"; its content, written in Arabic, concerns the basic salary of foreign ministry officials. The decoy embeds a remote Flash object, and when the user opens the document the Flash file is loaded automatically.

(google translated document content)

(bait document content)

2. SWF1 behavior analysis

The code in the SWF1 file is heavily obfuscated; the source code shown in the following figures was captured after partially deobfuscating it.

(obfuscated SWF1 code)

A remote SWF object is embedded in the decoy document. When the malicious Excel spreadsheet is opened, the remote Flash file referenced in the object's "Movie" field is loaded; we call it SWF1.

Excel passes the text in the FlashVars field to SWF1 as parameters. Here the URLs of the exploit sample (the SWF2 file) and of the shellcode are carried in the parameters stabUrl, encKeyUrl, downloadUrl and imageUrl respectively.

(SWF1 runtime takes parameters)

Once running, SWF1 retrieves the decryption key and the encrypted SWF from the web server at encKeyUrl using an HTTP POST. After AES decryption it obtains the exploit SWF, which we call SWF2.

(SWF1 downloads encrypted SWF2 in post)

(SWF1 uses aes to decrypt SWF2)

SWF1 then loads and executes the decrypted exploit file SWF2 via Loader.loadBytes(), passing along parameters such as downloadUrl.
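The loading chain above (a Flash control embedded in the workbook, a remote "Movie" URL, and FlashVars carrying the stage URLs) is exactly what a triage script can look for in a suspicious .xlsx. The following is an added example written for this article, not code from the Tencent report. It assumes the control is stored as an OOXML ActiveX part (xl/activeX/activeX*.xml) in persistPropertyBag form, so that Movie and FlashVars appear as ocxPr properties; a control persisted as a binary stream would need a different parser. The sample workbook it builds is constructed in-memory, not the real basic_salary.xlsx.

```python
"""Triage an .xlsx for an embedded Flash ActiveX control that loads a remote SWF
and hands it FlashVars (the SWF1 launch pattern described in the report).

Assumptions (not from the original report): the control is persisted as an
OOXML ActiveX part in 'persistPropertyBag' form, i.e. properties appear as
<ax:ocxPr ax:name="Movie" ax:value="..."/>. persistStreamInit blobs are not parsed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlparse

AX_NS = "http://schemas.microsoft.com/office/2006/activeX"
# CLSID of the ShockwaveFlash.ShockwaveFlash control.
FLASH_CLSID = "{D27CDB6E-AE6D-11CF-96B8-444553540000}"


def parse_flashvars(flashvars: str) -> dict:
    """FlashVars is URL-encoded 'k=v&k2=v2'; return it as a dict (blank values kept)."""
    return dict(parse_qsl(flashvars, keep_blank_values=True))


def _is_remote(url: str) -> bool:
    return urlparse(url).scheme.lower() in ("http", "https")


def triage_xlsx(data: bytes) -> list:
    """Return one finding per embedded Flash control found in the workbook zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not re.fullmatch(r"xl/activeX/activeX\d+\.xml", name):
                continue
            root = ET.fromstring(z.read(name))
            clsid = root.get(f"{{{AX_NS}}}classid", "")
            if clsid.upper() != FLASH_CLSID:
                continue  # some other ActiveX control, not Flash
            props = {
                pr.get(f"{{{AX_NS}}}name"): pr.get(f"{{{AX_NS}}}value", "")
                for pr in root.findall(f"{{{AX_NS}}}ocxPr")
            }
            movie = props.get("Movie", "")
            flashvars = parse_flashvars(props.get("FlashVars", ""))
            # FlashVars entries whose values are URLs (stabUrl, encKeyUrl, downloadUrl, ...)
            url_params = {k: v for k, v in flashvars.items() if _is_remote(v)}
            findings.append({
                "part": name,
                "movie": movie,
                "remote_movie": _is_remote(movie),
                "flashvars": flashvars,
                "url_params": url_params,
            })
    return findings


# Constructed sample ActiveX part mirroring the parameter names seen in the attack.
SAMPLE_ACTIVEX = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ax:ocx xmlns:ax="{AX_NS}" ax:classid="{FLASH_CLSID}" ax:persistence="persistPropertyBag">
  <ax:ocxPr ax:name="Movie" ax:value="http://example.invalid/swf1.swf"/>
  <ax:ocxPr ax:name="FlashVars" ax:value="stabUrl=http://example.invalid/s&amp;encKeyUrl=http://example.invalid/k&amp;downloadUrl=http://example.invalid/d&amp;imageUrl=http://example.invalid/i"/>
</ax:ocx>
"""


def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook zip for demonstration (not the real decoy)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/activeX/activeX1.xml", SAMPLE_ACTIVEX)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_xlsx(build_sample_xlsx()):
        print(finding)
```

Any finding with remote_movie set, or with URL-valued FlashVars, is worth blocking at the gateway and pulling the referenced hosts into a detection rule; a legitimate spreadsheet almost never needs to fetch an SWF from the Internet.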

(SWF1 loads SWF2)

3. Behavior Analysis of SWF2 (0day vulnerability)

CVE-2018-5002 is an out-of-bounds stack read/write caused by Flash failing to handle SWF files containing a specially crafted bytecode sequence correctly. Like the earlier CVE-2017-11292, triggering it requires modifying the SWF's bytecode. Exploitation needs only a simple memory layout with no heap spray, and the sample runs reliably on both 32-bit and 64-bit systems.

1) Analysis of the vulnerability principle

a. Vulnerability code

ASC 2.0 (ActionScript Compiler 2.0, not ActionScript 2) introduced a set of AVM2 opcodes for fast access to domainMemory: li8, li16 and li32 load an 8-, 16- or 32-bit integer from the address on the stack; si8, si16 and si32 store one there; lf32/lf64 and sf32/sf64 do the same for floats; sxi1/sxi8/sxi16 sign-extend. The one that matters here is li8.

The sample code is heavily obfuscated; below is the vulnerability trigger code after deobfuscation.

The static initializer containing li8 could not be fully decompiled; the following pseudocode is based on its bytecode:

Debugging shows that executing the li8 instruction raises an exception, and that this exception is handled by the current catch block. The code in the catch block then reads and writes beyond its own frame to swap two object pointers (local_448 and local_449) on the caller's stack, achieving type confusion.

This raises two important questions:

I. The li8 instruction is not inside the try block, so why is the exception it raises caught by that try's catch block?

II. Normally this catch block can only access local_0 and local_1. Why can it read and write out of bounds here?

b. Exception handling

Before executing a bytecode that may throw, the Flash virtual machine (AVM) records the current execution position in previous_bytecode_offset. When an exception occurs, it uses that recorded position to look up the matching handler in the ExceptionHandlerTable, i.e. the catch block in the AS script or bytecode.

When Flash creates domainMemory, it initializes a buffer of 0x400 bytes.

When Flash executes li8(123456), it first checks whether offset 123456 exceeds the size of domainMemory. Because 123456 lies outside the range 0-1023, Flash throws a RangeError, as shown in the figure below; the 0x34 seen there is the li8 opcode (0x35) minus 1.

previous_bytecode_offset is initialized to 0 before the code runs. Up to the fault, three bytecodes execute: jump, push and li8. None of them saves the current execution position to previous_bytecode_offset.

Consequently, when Flash handles the exception raised by li8, it treats the exception location as 0, and FindExceptionHandler looks up the handler for that location. Since offset 0 lies inside the current try block, FindExceptionHandler hands the exception to that try's catch block.

The screenshot below shows this in the debugger: the second argument of FindExceptionHandler is the exception offset, i.e. previous_bytecode_offset, with value 0.

c. Out-of-bounds stack read and write

The out-of-bounds stack read and write is achieved by bypassing the Flash verifier's check of the catch block.

When the verifier examines the try block, it finds that the block contains only a single jump instruction, and jump cannot throw.

Because the jump target lies outside the try block, the AVM concludes that nothing in the try range can raise an exception, so the catch block can never execute, and it skips verifying the catch block entirely. The unverified catch code is therefore free to read and write outside the bounds of its own frame.

Before the out-of-bounds read/write:

After triggering the out-of-bounds read/write, local_448 and local_449 are swapped:
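The two behaviors described in sections b and c combine into the bug: the interpreter resolves the handler from a stale previous_bytecode_offset, and the verifier skips the catch body when the try range contains no throwing instruction. The following is a small model added for this article to make that interaction concrete; it is not Flash Player code, and the opcode set, handler-table layout and the "fixed" variant (saving the offset before any throwing instruction) are simplifying assumptions. The sample program reproduces the shape of the trigger from the report: a try range holding only a jump, a jump target outside it, then push and li8(123456).

```python
"""Model of the AVM2 exception-handler lookup / verifier interaction in CVE-2018-5002.

Added illustration, not Flash Player source. Simplifications and assumptions:
- code is a list of (offset, opcode, *operands); only 'jump' and 'li8' have semantics
- li8 carries its address as an operand instead of reading it from the stack
- the 'fixed' variant records the offset before any throwing opcode
"""
from dataclasses import dataclass

DOMAIN_MEMORY_SIZE = 0x400   # initial domainMemory size seen in the report
THROWING_OPS = {"li8"}       # opcodes that may raise a RangeError in this model


@dataclass
class Handler:
    frm: int     # try range is [frm, to)
    to: int
    target: int  # first offset of the catch block


def verifier_checks_catch(code, handler) -> bool:
    """The verifier only verifies the catch body if the try range can throw."""
    return any(op in THROWING_OPS
               for off, op, *_ in code
               if handler.frm <= off < handler.to)


def find_handler(handlers, offset):
    """FindExceptionHandler: match the *recorded* offset against the try ranges."""
    for h in handlers:
        if h.frm <= offset < h.to:
            return h
    return None


def run(code, handlers, fixed: bool):
    """Execute until li8 faults. Returns ('caught', target) or ('uncaught', fault_off)."""
    index = {entry[0]: i for i, entry in enumerate(code)}
    i = 0
    saved_offset = 0  # previous_bytecode_offset starts at 0
    while i < len(code):
        off, op, *args = code[i]
        if fixed and op in THROWING_OPS:
            saved_offset = off  # corrected model: record where we really are
        if op == "jump":
            i = index[args[0]]
            continue
        if op == "li8":
            addr = args[0]
            if not 0 <= addr < DOMAIN_MEMORY_SIZE:
                h = find_handler(handlers, saved_offset)
                return ("caught", h.target) if h else ("uncaught", off)
        i += 1  # jump and li8 are the only ops with semantics; others fall through
    return ("done", None)


def analyse(code, handlers, fixed: bool) -> dict:
    return {
        "catch_verified": any(verifier_checks_catch(code, h) for h in handlers),
        "outcome": run(code, handlers, fixed),
    }


# Constructed trigger in the shape described by the report.
SAMPLE_CODE = [
    (0x00, "jump", 0x20),       # the only instruction inside the try range
    (0x03, "returnvoid"),       # never reached
    (0x20, "push", 123456),     # address for li8
    (0x21, "li8", 123456),      # faults: 123456 >= 0x400, outside the try range
    (0x30, "catch_body"),       # in the real exploit: swaps local_448/local_449
]
SAMPLE_HANDLERS = [Handler(frm=0x00, to=0x03, target=0x30)]

if __name__ == "__main__":
    print("vulnerable:", analyse(SAMPLE_CODE, SAMPLE_HANDLERS, fixed=False))
    print("fixed:     ", analyse(SAMPLE_CODE, SAMPLE_HANDLERS, fixed=True))
```

In the vulnerable run the verifier never checks the catch body (no throwing opcode inside [0x00, 0x03)), yet the fault at 0x21 is dispatched to that catch block because the lookup uses offset 0. Once the offset is recorded before li8, no handler matches and the exception propagates instead of landing in unverified code.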

2) Behavior analysis

After SWF2 runs, it downloads encrypted data from the web server that downloadUrl points to in order to obtain the shellcode.

(SWF2 takes shellcode download link)

(download shellcode from SWF2)

The first 16 bytes of the downloaded data are used as the decryption key, and the shellcode is decrypted with AES.

(SWF2 decompresses and executes shellcode)

The shellcode is then executed using the 0day vulnerability. Because the shellcode server had already been shut down, the actual contents of the shellcode could not be retrieved.

(execute 32-bit or 64-bit shellcode)

(execute shellcode)

0x3 Summary

The APT group used a 0day vulnerability to attack government departments and carried out its actions with pure shellcode inside the host process, Excel. An attack that combines a 0day with pure in-memory shellcode is a real challenge to the detection and protection capabilities of security software.

Tencent Yujian Threat Intelligence Center assesses that, until the exploitation technique for this 0day spreads widely, the vulnerability will remain mainly in the hands of technically capable APT groups. Given that Adobe Flash Player is installed on almost every computer and many users fail to patch promptly, once the exploitation technique reaches the cybercrime underground it could be used for large-scale drive-by download attacks through compromised web pages.

Tencent security experts advise government agencies and enterprise users not to open documents of unknown origin and to install security software to defend against attacks. In addition, update Adobe Flash Player to the latest version (30.0.0.113) promptly to protect against this vulnerability. Download address: https://get.adobe.com/cn/flashplayer/

Tencent Yujie Advanced Threat Detection System can already detect and block the network connections made by this round of attacks. By deploying the advanced threat detection system, enterprise users can identify malicious traffic in time, detect access to phishing URLs and command-and-control server addresses within the enterprise network, and protect the security of the corporate network.

That concludes the case analysis of the Flash 0day vulnerability CVE-2018-5002. The editor believes it contains points that may come up in daily work and hopes you have learned something from it. For more details, follow the industry information channel.
