On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 just four days later.
Attackers had embedded the Flash exploit inside a Microsoft Office document, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the attackers could disseminate their exploit via URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors designed this particular attack for a target running Windows and Microsoft Office.
Upon opening the document, the exploit downloads and executes a payload from the attacker’s server. To avoid suspicion, the attacker then shows the victim a decoy document. The full exploit chain proceeds as follows:
- The victim opens the malicious Office
- The Office document
renders an embedded Flash file.
- If the Flash Player version is older than 220.127.116.11, the attack aborts.
- Otherwise, the attack runs the encoded Flash exploit.
- The Office document renders an embedded Flash file.
- The exploit runs embedded native shellcode.
- The shellcode downloads and executes a second shellcode from the attacker’s server.
- The second shellcode:
- Downloads and executes malware.
- Downloads and displays a decoy document.
- The malware connects to a second server for command and control (C2) and waits for further instructions.
This process is shown in Figure 1.
Figure 1 Attack flow chart
CVE-2016-4117 Exploitation Details
An out-of-bound read vulnerability exists in the com.adobe.tvsdk.mediacore.timeline.operations. DeleteRangeTimelineOperation module. By extending the DeleteRangeTimelineOperation class, one can define a property that conflicts with the inner interface name. In this exploit, the author chose “placement” as the property name, as shown in Figure 2. Referencing the interface causes the ActionScript Virtual Machine to call the internal function getBinding to get a bind id. Because the “placement” property conflicts with the “placement” interface name, the attacker can manipulate the bind id, and ultimately induce type confusion.
Figure 2 Placement interface vs. class definition
Before triggering the vulnerability, the exploit defines an object that extends ByteArray. The definition is modified to contain easily distinguishable values that aid in locating objects in memory. Then, the exploit allocates a set of these objects to control the memory layout (Figure 3).
Figure 3 Prepare heap memory layout
These objects look as follows when in memory:
The exploit then uses the type-confused DeleteRangeTimelineOperation object to read out of bounds and find one of the extended ByteArray objects based upon looking for the pre-defined property values (shown in Figure 4), and manipulates the data buffer pointer to an attacker-controlled area.
Figure 4 Finding target ByteArray
With the ability to read and write individual values in the extended ByteArray object, the attacker can corrupt one of the objects to extend its length to 0xffffffff, and its data buffer to address 0. Future reads and writes to the corrupted ByteArray may then access all of the user space memory (Figure 5).
Figure 5 RW primitive and execute shellcode
Once the exploit can read and write arbitrarily in memory, it executes embedded shellcode. The shellcode downloads a second stage of shellcode from the attacker’s server, which then downloads and executes the malware payload and displays the decoy document.
CVE-2016-4117 was recently exploited in targeted attacks. Just four days after notification, Adobe released a security update for Flash Player that patched the underlying vulnerability. Users who require Flash Player in their environment should download this timely patch to protect their systems from exploitation. Additionally, Flash Player users could consider employing additional mitigations, such as EMET from Microsoft, to make their systems more difficult and costly to exploit.