Shockwave Flash (SWF) Exploit
Impact: Moderate
Application: Adobe Flash Player 9.0.115.0 and earlier
Vulnerability identifier: APSB08-11
CVE Number: CVE-2007-0071
Vulnerability details
Adobe Flash Player is vulnerable to a buffer overflow. When a user opens a malicious multimedia file, the attacker overflows a buffer and compromises the victim's system, executing arbitrary code to carry out malicious activity.
Example
A malicious Shockwave Flash file (SWF) contains a regular SWF with attached code that triggers the vulnerability and carries out the malicious activity.
Tools:
- Sothink SWF Decompiler
- UltraEdit text editor
Static analysis
The main file contains the additional malicious code:
Fig 1.1 Malicious code
Fig 1.2 Code view
Fig 1.3 Code view
The malicious activity of this code is:
- An array is decrypted with an XOR loop.
- The decrypted bytes form another compressed SWF file, which is then loaded.
- The compressed SWF file drops 12 other SWFs, which are responsible for triggering the vulnerability.
- The malware is downloaded from this URL: <removed>
XOR decrypting loop:
Fig 2.1 Decrypting loop
Each element of the array, sArr[i], is bitwise XORed with the key string "alsoThePiece", using charCodeAt to obtain the Unicode/ASCII code of the key character.
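An analyst-side decoder for the XOR loop described above, added here as an example and not taken from the sample or the original write-up. It assumes the loop XORs sArr[i] with key.charCodeAt(i % key.length) (the exact indexing is not shown in the figures), and then checks whether the recovered bytes carry a SWF header, which is how an analyst confirms that the embedded payload is the compressed SWF the text mentions.

```javascript
// Added example (not from the original write-up): decoder for the
// charCodeAt-based XOR obfuscation used by the sample.
// ASSUMPTION: the key index wraps with i % key.length; the real loop's
// indexing is not visible in the figures.
const KEY = "alsoThePiece";

// XOR every element of sArr with the key character at the same position
// (wrapping around the key). XOR is symmetric, so this both encodes and decodes.
function xorDecode(sArr, key = KEY) {
  const out = new Uint8Array(sArr.length);
  for (let i = 0; i < sArr.length; i++) {
    out[i] = (sArr[i] ^ key.charCodeAt(i % key.length)) & 0xff;
  }
  return out;
}

// Check whether decoded bytes look like an embedded SWF: the file starts with
// "FWS" (uncompressed), "CWS" (zlib-compressed) or "ZWS" (LZMA-compressed),
// followed by a one-byte version number.
function swfSignature(bytes) {
  if (bytes.length < 4) return null;
  const magic = String.fromCharCode(bytes[0], bytes[1], bytes[2]);
  if (magic === "FWS" || magic === "CWS" || magic === "ZWS") {
    return { magic, version: bytes[3] };
  }
  return null;
}

// Constructed sample: a fake compressed-SWF header (CWS, version 9) plus
// filler bytes, XOR-encoded with the key so the decoder has something to undo.
// The 13-byte length makes the key wrap once.
function buildSample() {
  const plain = Uint8Array.from([0x43, 0x57, 0x53, 0x09, 0xde, 0xad, 0xbe,
                                 0xef, 0x00, 0x11, 0x22, 0x33, 0x44]);
  return Array.from(xorDecode(plain)); // encoded form, as the sample stores it
}

// Run the decoder over an encoded array and report the recovered bytes
// together with any SWF signature found at their start.
function analyze(encoded) {
  const decoded = xorDecode(Uint8Array.from(encoded));
  return { decoded, sig: swfSignature(decoded) };
}

console.log(analyze(buildSample()).sig); // { magic: 'CWS', version: 9 }
```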
APIs and URL found in decrypted file:
Fig 3.1 APIs used for downloading and executing the malware
Solution
Download and install a version of Adobe Flash Player newer than 9.0.115.0.
References:
http://www.adobe.com/support/security/bulletins/apsb08-11.html
http://secunia.com/
http://en.wikipedia.org/wiki/SWF
http://en.wikipedia.org/wiki/Exploit_%28computer_security%29