Proactive IT security

Security blog [EN]

Shockwave Flash (SWF) Exploit

Impact: Moderate
Application: Adobe Flash Player 9.0.115.0 and earlier
Vulnerability identifier: APSB08-11
CVE Number: CVE-2007-0071

Vulnerability details

Adobe Flash Player 9.0.115.0 and earlier is vulnerable to a memory-corruption bug while parsing SWF files (CVE-2007-0071 is an integer overflow: a crafted Scene Count in a DefineSceneAndFrameLabelData tag is treated as negative, slips past a sign check and overflows a heap buffer). When a user opens a malicious SWF, the attacker triggers the overflow and executes arbitrary code on the victim's system.

Example

A malicious Shockwave Flash (SWF) file contains a regular SWF plus attached code that triggers the vulnerability and carries out the malicious activity.

Tools:

  1. Sothink SWF Decompiler
  2. UltraEdit text editor

Static analysis

The main file contains the additional malicious code:

Fig 1.1 Malicious code

Fig 1.2 Code view

Fig 1.3 Code view

The malicious activity of this code is:

  1. An array is decrypted with an XOR decryption loop.
  2. The decrypted bytes are loaded as a second, compressed SWF file.
  3. That compressed SWF drops 12 further SWFs, which trigger the vulnerability.
  4. The malware is downloaded from this URL: <removed>
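The SWFs dropped in step 3 are the files that actually carry the trigger, so an analyst wants a quick way to tell a benign SWF from one built for this bug without loading it in a player. The Python below is an added example, not tooling from this post: it inflates a CWS body, walks the tag stream and flags a DefineSceneAndFrameLabelData tag (tag code 86) whose Scene Count has its sign bit set or exceeds what the tag could hold. The two sample SWFs, the function names and the "half the payload" bound are constructed here for illustration.

```python
# Added example (not the post's own tooling): walk a SWF's tag stream and flag a
# DefineSceneAndFrameLabelData tag (code 86) whose SceneCount is negative or
# larger than the tag could possibly hold. CVE-2007-0071 is the integer overflow
# in Flash Player's handling of that field. Sample SWFs are constructed inline.
import struct
import zlib

TAG_END = 0
TAG_SCENE_AND_FRAME_LABEL_DATA = 86


def read_encoded_u32(buf, pos):
    """SWF EncodedU32: little-endian 7-bit groups, high bit = continue, max 5 bytes."""
    value = 0
    for i in range(5):
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << (7 * i)
        if not b & 0x80:
            break
    return value & 0xFFFFFFFF, pos


def encode_u32(value):
    """Inverse of read_encoded_u32; used only to build the constructed samples."""
    out = bytearray()
    while True:
        b = value & 0x7F
        value >>= 7
        out.append(b | 0x80 if value else b)
        if not value:
            return bytes(out)


def swf_body(data):
    """Return the file with the compressed part (CWS) inflated; FWS is returned as is."""
    sig = data[:3]
    if sig == b"FWS":
        return data
    if sig == b"CWS":
        return data[:8] + zlib.decompress(data[8:])
    raise ValueError("not an FWS/CWS file: %r" % sig)


def iter_tags(body):
    """Yield (tag_code, payload) for each RECORDHEADER after the fixed header."""
    nbits = body[8] >> 3                      # RECT: 5-bit Nbits, then 4 fields of Nbits
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4    # skip RECT, FrameRate (UI16), FrameCount (UI16)
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:                    # long form: 32-bit length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        if code == TAG_END:
            return
        pos += length


def scan_swf(data):
    """Return a list of (finding, value) tuples; an empty list means nothing suspicious."""
    findings = []
    for code, payload in iter_tags(swf_body(data)):
        if code != TAG_SCENE_AND_FRAME_LABEL_DATA or not payload:
            continue
        scene_count, _ = read_encoded_u32(payload, 0)
        # A real scene needs at least an Offset byte and a name terminator, so the
        # count can never exceed half the payload (illustrative bound); bit 31 set
        # is the "negative" value that slipped past the vulnerable player's sign check.
        if scene_count & 0x80000000 or scene_count > len(payload) // 2:
            findings.append(("suspicious_scene_count", scene_count))
    return findings


def build_tag(code, payload):
    """RECORDHEADER: upper 10 bits tag code, lower 6 bits length (0x3F = long form)."""
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def build_swf(tags, compress=False, version=9):
    """Minimal SWF: RECT with Nbits=0 (1 byte), 12 fps, 1 frame, the given tags, End tag."""
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + b"".join(tags) + build_tag(TAG_END, b"")
    header = struct.pack("<3sBI", b"CWS" if compress else b"FWS", version, 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


# Constructed samples: one well-formed scene tag, one with SceneCount = 0xFFFFFFFF.
BENIGN_TAG = build_tag(86, encode_u32(1) + encode_u32(0) + b"Scene 1\x00" + encode_u32(0))
EVIL_TAG = build_tag(86, encode_u32(0xFFFFFFFF) + b"\x00" * 8)
BENIGN_SWF = build_swf([BENIGN_TAG])
EVIL_SWF = build_swf([EVIL_TAG], compress=True)

if __name__ == "__main__":
    print("benign:", scan_swf(BENIGN_SWF))
    print("evil:  ", scan_swf(EVIL_SWF))
```

Run it over the dropped SWFs after the XOR stage has been undone; the CWS branch matters because the second-stage file in this sample is compressed. The bound on Scene Count is deliberately loose so that legitimate files with many scenes are not flagged, while the five-byte 0xFFFFFFFF encoding seen in exploits is always caught.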

XOR decryption loop:

Fig 2.1 Decrypting loop

Each element sArr[i] is bitwise XOR'd with a character code of the key string "alsoThePiece", obtained with charCodeAt (the key is applied as plain ASCII/Unicode code points, one byte at a time).
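The same operation in Python, as an added example rather than code from the post, together with the known-plaintext trick an analyst uses when the key is not in plain sight: the loop is assumed to apply the key repeatedly (the usual form of such loops; the exact index expression is in Fig 2.1), the ciphertext array is constructed here so the snippet runs offline, and the function names are illustrative. Because the decrypted output is a second SWF, its first three bytes are known ("CWS" or "FWS"), and XORing them against the ciphertext gives the first key bytes.

```python
# Added example (not code from the post): the repeating-key XOR the decryption
# loop performs, plus the known-plaintext check an analyst uses when the key is
# not visible. The key string is the one named in the post; the ciphertext is
# constructed here so the snippet runs offline.
KEY = "alsoThePiece"


def xor_with_key(data, key):
    """data[i] ^ key.charCodeAt(i % key.length); XOR is symmetric, so this both
    encrypts and decrypts. Assumes the key repeats, the usual form of such loops."""
    key_bytes = key.encode("ascii")
    return bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(data))


def looks_like_swf(data):
    """A decrypted second stage should start with an uncompressed (FWS) or zlib (CWS) SWF header."""
    return len(data) >= 8 and data[:3] in (b"FWS", b"CWS")


def recover_key_bytes(ciphertext, known_prefix=b"CWS"):
    """Known-plaintext: since C = P ^ K, the first len(known_prefix) key bytes are
    C ^ P. Enough to confirm a guessed key or to seed a search for the rest."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_prefix))


# Constructed sample: a fake CWS header (version 9, length 0x100, zlib marker)
# followed by filler, encrypted with KEY. This stands in for the malware's sArr.
PLAINTEXT = b"CWS\x09" + (0x100).to_bytes(4, "little") + b"\x78\x9c" + b"stage2" * 4
SARR = list(xor_with_key(PLAINTEXT, KEY))


def decrypt_sarr(sarr, key=KEY):
    """What the ActionScript loop does: turn the int array back into SWF bytes."""
    return xor_with_key(bytes(sarr), key)


if __name__ == "__main__":
    out = decrypt_sarr(SARR)
    print(out[:8], looks_like_swf(out))
    print(recover_key_bytes(bytes(SARR)))
```

When the key is unknown, recover_key_bytes gives its first three bytes; feeding the full recovered header (signature, version and the file length you expect) as known_prefix extends that to as many key bytes as the header is long, which for a 12-character key like this one is the whole key.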

APIs and URL found in the decrypted file:

Fig 3.1 APIs used for downloading and executing the malware

Solution

Download and install a version of Adobe Flash Player newer than 9.0.115.0; the fix was released as Flash Player 9.0.124.0 with bulletin APSB08-11.

References:

http://www.adobe.com/support/security/bulletins/apsb08-11.html
http://secunia.com/
http://en.wikipedia.org/wiki/SWF
http://en.wikipedia.org/wiki/Exploit_%28computer_security%29