Shulou(Shulou.com)06/01 Report--

How to achieve the principle of Flash 0Day vulnerabilities and the use of code analysis, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, I hope you can gain something.

First, the background of loopholes

Adobe issued a security announcement on February 1, 2018, local time:

Https://helpx.adobe.com/security/products/flash-player/apsa18-01.html

The announcement said that a new Flash 0Day vulnerability (CVE-2018-4878) has been exploited in the field to launch targeted attacks against Windows users. Attackers can induce users to open Microsoft Office documents, web pages, spam emails, etc., that contain malicious Flash code files.

This vulnerability affects the current version of Flash Player 28.0.0.137 and all previous versions, and Adobe plans to release an emergency update on February 5 local time to fix this vulnerability. According to the Adobe announcement, the field attack sample of this vulnerability was first discovered by the South Korean computer Emergency response team (KR-CERT), and KR-CERT also said that hacker groups from North Korea have successfully exploited the 0Day vulnerability to launch attacks.

Second, the analysis of the principle of loopholes

CVE-2018-4878, like the 0Day vulnerability CVE-2017-11292 discovered in October 2017, is located in the com.adobe.tvsdk package of Flash. CVE-2018-4878 is a UAF vulnerability that needs to be triggered by forcing GC or refreshing pages.

The key code for POC is as follows:

MyListener is an object that inherits from the DRMOperationCompleteListener class:

Register the MyListener object as a notification callback interface of the MediaPlayer object, and then release the MyListener object, but the MyListener object is still stored in the MediaPlayer object. When the system is forced to garbage collect, the callback of the MediaPlayer object will be executed, but at this time the MyListener has been released, resulting in a UAF vulnerability.

The following figure shows the crash location of POC when IE is running:

Rcx is the DRMManager member of the MediaPlayer object, and it is the MyListener object that is stored at the offset 0x18, so you can see that the MyListener object has been released.

Third, vulnerability exploitation analysis

The vulnerability allows arbitrary address reading and writing by modifying the length of the Flash script object ByteArray to 0xFFFFFFFF. The subsequent utilization technology is consistent with the exploits used in HackingTeam exposure and will not be described in detail.

After the HackingTeam leak, Vector, a simple and stable way to read and write arbitrary addresses in vulnerability exploitation, spread rapidly. Adobe then adopted a series of security reinforcement measures for Flash, including heap isolation, length check for Vector, ByteArray and other common exploitable objects, data zone check and other security verification measures, which to some extent increase the difficulty of Flash vulnerability attacks. But it does not completely stop such attacks. In this 0Day utilization, ByteArray is used to read and write any address. The structure of ByteArray consists of two parts. The first part is structured as follows, and one of the key members is m_buffer:

The m_buffer contains important values such as the address array, capacity and length of the data area of the ByteArray, and an encrypted backup of these values is stored immediately. When Flash detects that the two values may be inconsistent due to a vulnerability exploitation program, it will trigger abnormal termination of execution. The structure is as follows:

This is based on the object data of ByteArray before execution. The red box in the figure identifies the m_buffer members:

Trigger the vulnerability and modify the value of m_buffer so that the array address is 0 and the capacity and length are changed to 0xFFFFFFFF:

Furthermore, any address is read and written in 32-bit address space.

IV. ShellCode analysis

After Shellcode runs, it obtains the API address it needs, traverses the process of the current environment, and mainly determines whether there are security protection products such as Korean soft AhnLab and ViRobot APT Shield. Depending on the environment, Shellcode chooses different implementation scenarios:

Note:

AhnLab:asdsvc.exe v3ui.exe v3svc.exe any process exists

ViRobot APT Shield:vraptshieldlaunchersvc.exe hagenttray.exe hvrtray.exe any process exists

Any process of 360:zhudongfangyu.exe 360tray.exe qhsafemain.exe exists.

Option 1:

This scenario is executed when AhnLab,ViRobot APT Shield, 360 does not exist, or when there is only AhnLab. Start cmd.exe in a hidden way, create a remote thread, and inject the second piece of shellcode into the cmd.exe for execution. After the shellcode is injected into the cmd.exe, it will also obtain the required API address and load "wininet.dll" (to obtain the network operation API) by visiting:

Hxxp:// www.1588-2040.co.kr/conf/product.jpg (invalidated) acquires the third segment of shellcode, and finally jumps directly to the third segment of shellcode memory address to continue executing malicious code.

Option 2:

This scenario is executed when there are both AhnLab and 360th, or only 360and only ViRobot APT Shield. First create a new thread and dynamically get the% TEMP% directory by visiting:

Hxxp://www.1588-2040.co.kr/conf/product_old.jpg takes the data, writes it to% TEMP%\ fontdrvhost.exe, and finally starts% TEMP%\ fontdrvhost.exe.

Option 3:

When AhnLab and ViRobot APT Shield coexist, Shellcode exits directly and does nothing.

V. investigation, killing and defense

Considering that the CVE-2018-4878 vulnerability attack code is likely to be made public, or even integrated into the hacker toolkit, Tencent PC Manager has immediately realized the detection and killing of the vulnerability attack sample.

In addition, Adobe released the patch on Feb. 6, Beijing time, and corporate IT personnel or system administrators can download and install the latest Flash update package on the Adobe official website.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.