Cracking the CVE-2014-0569 nutshell


msft-mmpc 5 Nov 2014 5:00 PM

The Microsoft Malware Protection Center (MMPC) has recently seen an exploit targeting the Adobe Flash Player vulnerability CVE-2014-0569. This exploit is being integrated into the Fiesta exploit kit.

The vulnerability was addressed by a patch Adobe released on 14 October 2014. The Adobe Flash Player desktop runtime for Windows, versions 15.0.0.167 and earlier, is vulnerable. If you're running a vulnerable Adobe Flash Player version, update now to help protect your PC.

We analyzed how these attacks work and found the following details.

The exploit bypasses the memory-range validation and gains the ability to write to an arbitrary location. It uses that write to corrupt the VTABLE entry for the virtual function toString() of a Sound object. When the ActionScript later calls Sound.toString(), the runtime loads the corrupted entry and control is transferred to the attacker-controlled address, as shown in Figure 1.
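The control transfer described above, as an added illustration that is not code from the MMPC post or from Flash Player: a toy C model of a Sound object whose vtable slot for toString() is overwritten through an out-of-range write, after which a normal call to toString() lands in attacker code. The object layout, the slot index, the simulated heap offsets (HEAP_WORDS, BUF_WORDS, VTABLE_INDEX) and the attacker_gadget stand-in are all constructed for this example; write_checked() shows what the range validation the exploit bypasses should do, and write_unchecked() is the primitive the exploit has once that validation is defeated.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy model, not Flash Player's real object layout: a Sound object points at
 * a table of function pointers, and toString() occupies one slot of it. */
enum { SLOT_TOSTRING = 0, SLOT_PLAY = 1 };

typedef struct sound Sound;
typedef const char *(*tostring_fn)(Sound *);
struct sound {
    uintptr_t *vtable;   /* points at the slots living in the simulated heap below */
    int volume;
};

static int g_hijacked;

static const char *sound_toString(Sound *s) { (void)s; return "[object Sound]"; }
static const char *sound_play(Sound *s)     { (void)s; return "playing"; }

/* Stand-in for the attacker's "controlled address" (in the real exploit, the
 * first ROP gadget in the Flash Player DLL). Here it only records that it ran. */
static const char *attacker_gadget(Sound *s) { (void)s; g_hijacked = 1; return "gadget"; }

/* How the runtime dispatches Sound.toString(): load the slot, call through it. */
static const char *call_toString(Sound *s)
{
    return ((tostring_fn)s->vtable[SLOT_TOSTRING])(s);
}

/* Simulated heap (constructed offsets): the buffer the script may legitimately
 * write occupies the first BUF_WORDS slots; the Sound vtable sits past it. */
#define HEAP_WORDS   16
#define BUF_WORDS    4
#define VTABLE_INDEX 8

/* The write the runtime should perform: the index is validated against the
 * buffer length before the store. Returns 1 if the write happened, 0 if refused. */
static int write_checked(uintptr_t *buf, size_t buf_len, size_t index, uintptr_t value)
{
    if (index >= buf_len) return 0;   /* range check holds: nothing is written */
    buf[index] = value;
    return 1;
}

/* The write the exploit obtains once the range validation is bypassed:
 * any index is accepted, so the store reaches memory outside the buffer. */
static void write_unchecked(uintptr_t *buf, size_t index, uintptr_t value)
{
    buf[index] = value;
}

/* Returns 1 if the intact range check refuses the index that would reach the
 * toString slot and leaves that memory untouched, 0 otherwise. */
static int demo_range_check_holds(void)
{
    uintptr_t heap[HEAP_WORDS] = { 0 };
    size_t idx = VTABLE_INDEX + SLOT_TOSTRING;
    int accepted = write_checked(heap, BUF_WORDS, idx, (uintptr_t)attacker_gadget);
    return !accepted && heap[idx] == 0;
}

/* Returns 1 if, after the unchecked write, calling Sound.toString() ran
 * attacker_gadget() instead of sound_toString(), 0 otherwise. */
static int demo_vtable_hijack(void)
{
    uintptr_t heap[HEAP_WORDS] = { 0 };
    heap[VTABLE_INDEX + SLOT_TOSTRING] = (uintptr_t)sound_toString;
    heap[VTABLE_INDEX + SLOT_PLAY]     = (uintptr_t)sound_play;
    Sound snd = { &heap[VTABLE_INDEX], 50 };
    g_hijacked = 0;

    /* Before corruption the real method runs. */
    if (strcmp(call_toString(&snd), "[object Sound]") != 0) return 0;

    /* With the range validation bypassed, the index that lands on the toString
     * slot is accepted and the slot now holds the attacker's address. */
    write_unchecked(heap, VTABLE_INDEX + SLOT_TOSTRING, (uintptr_t)attacker_gadget);

    /* The next ActionScript call to Sound.toString() goes to the controlled address. */
    call_toString(&snd);
    return g_hijacked;
}

int main(void)
{
    printf("intact range check refuses the write: %s\n", demo_range_check_holds() ? "yes" : "no");
    printf("toString() dispatched to attacker gadget: %s\n", demo_vtable_hijack() ? "yes" : "no");
    return 0;
}
```

The point of the two write helpers is that nothing about the Sound object itself changes between the safe and the exploited case; the only difference is whether the index is compared against the buffer length before the store, which is exactly the check the post says the exploit defeats.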

Figure 1: Control transferred via the corrupted VTABLE entry for Sound.toString()

At the controlled address, execution starts the ROP gadgets built from the Flash Player DLL, as shown in Figure 2.

Figure 2: Control transferred to ROP gadgets

These ROP gadgets are a bit convoluted, but they can be summarized in the following steps:

  1. The gadgets prepare the data on the stack using a loop of the following gadgets:

    dec eax                  // decrement the address at which the code is being built
    ret
    pop ecx                  // load the next code bytes into ECX
    ret
    mov dword ptr [eax],ecx  // store them at the address held in EAX
    pop ebp
    ret

  2. Control is passed (via a ret instruction) to the VirtualAlloc() API to allocate a 0x1000-byte buffer.
  3. It uses the gadget:

    mov dword ptr [eax],ecx  // store the code
    pop ebp
    ret

    to build new gadgets at the start of the allocated buffer, for example:

    mov dword ptr [eax+0Ch],ecx
    ret

  4. These new gadgets build up a small piece of two-layer decryption code that decrypts the shellcode:

    [Figure: the two-layer decryption code]

  5. Control is passed to the fully decrypted shellcode.
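Step 1 above is a memory-write loop encoded entirely as return addresses and values on the stack. The following C program is an added example, not code from the MMPC post or from the Fiesta kit, that shows both sides of it: build_write_chain() emits the chain the way an exploit author would, and run_chain() is a minimal emulator for just those three gadgets, the kind of thing an analyst writes to recover what a chain lays down. The gadget addresses (G_*) are hypothetical stand-ins for the real Flash Player DLL gadgets, the 8-byte payload is constructed, and the assumption that each iteration runs four `dec eax` (so EAX moves one dword down) is the example's own, since the post does not say how many there are.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical gadget addresses standing in for the real Flash Player DLL
 * gadgets, which the post does not list. The emulator dispatches on them. */
#define G_DEC_EAX_RET          0x10001000u   /* dec eax ; ret */
#define G_POP_ECX_RET          0x10002000u   /* pop ecx ; ret */
#define G_MOV_PEAX_ECX_POP_RET 0x10003000u   /* mov dword ptr [eax],ecx ; pop ebp ; ret */
#define G_NEXT_STAGE           0x10004000u   /* where the real chain goes on to VirtualAlloc() */

#define REGION_SIZE 0x100u   /* simulated target region (the stack, in the post); EAX indexes it */

typedef struct { uint32_t eax, ecx, ebp; } regs_t;

/* Attacker side: emit the step-1 loop as stack data. Walking 'code' from its
 * last dword down to its first, each iteration does four 'dec eax' (assumption:
 * four moves EAX one dword down), pops the dword into ECX and stores it.
 * code_len must be a multiple of 4. Returns slots written, or 0 on error. */
static size_t build_write_chain(const uint8_t *code, size_t code_len,
                                uint32_t *chain, size_t cap)
{
    size_t n = 0;
    if (code_len % 4 != 0) return 0;
    for (size_t off = code_len; off >= 4; off -= 4) {
        uint32_t dword;
        if (n + 8 > cap) return 0;
        for (int i = 0; i < 4; i++) chain[n++] = G_DEC_EAX_RET;
        chain[n++] = G_POP_ECX_RET;
        memcpy(&dword, code + off - 4, sizeof dword);   /* bytes exactly as they sit in memory */
        chain[n++] = dword;                              /* value that 'pop ecx' consumes */
        chain[n++] = G_MOV_PEAX_ECX_POP_RET;
        chain[n++] = 0x41414141u;                        /* junk eaten by 'pop ebp' */
    }
    if (n + 1 > cap) return 0;
    chain[n++] = G_NEXT_STAGE;
    return n;
}

/* Analyst side: a minimal x86-32 emulator for just these gadgets. 'sp' indexes
 * the chain; every 'ret' pops the next gadget address. Returns 0 when the chain
 * hands over to G_NEXT_STAGE, negative on a malformed chain or on a store that
 * would land outside the simulated region. */
static int run_chain(const uint32_t *chain, size_t len, uint8_t *region, regs_t *r)
{
    size_t sp = 0;
    while (sp < len) {
        uint32_t target = chain[sp++];                   /* ret: pop EIP */
        switch (target) {
        case G_DEC_EAX_RET:
            r->eax--;
            break;
        case G_POP_ECX_RET:
            if (sp >= len) return -1;
            r->ecx = chain[sp++];
            break;
        case G_MOV_PEAX_ECX_POP_RET:
            if (r->eax > REGION_SIZE - 4) return -2;     /* would write past the region */
            memcpy(region + r->eax, &r->ecx, 4);         /* mov dword ptr [eax],ecx */
            if (sp >= len) return -1;
            r->ebp = chain[sp++];                        /* pop ebp */
            break;
        case G_NEXT_STAGE:
            return 0;
        default:
            return -3;                                   /* not a known gadget */
        }
    }
    return -1;                                           /* ran off the end of the chain */
}

/* Constructed 8-byte stand-in for the code the real chain lays down. */
static const uint8_t kPayload[8] = { 0x90, 0x90, 0xcc, 0xc3, 0xde, 0xad, 0xbe, 0xef };

/* Runs the loop with EAX starting at the top of the region ('dec eax' only
 * ever moves it down). Returns 1 if the payload was reproduced byte-for-byte
 * in the top 8 bytes of the region, 0 otherwise. */
static int demo_write_loop(void)
{
    uint32_t chain[64];
    uint8_t region[REGION_SIZE];
    regs_t r = { REGION_SIZE, 0, 0 };
    size_t n = build_write_chain(kPayload, sizeof kPayload, chain, 64);
    memset(region, 0, sizeof region);
    if (n == 0 || run_chain(chain, n, region, &r) != 0) return 0;
    return memcmp(region + REGION_SIZE - sizeof kPayload, kPayload, sizeof kPayload) == 0;
}

/* Same chain, but EAX starts too low: after four decrements it wraps below the
 * region, the emulator refuses the store and returns -2. A chain built for one
 * stack layout does not survive being run against another. */
static int demo_store_out_of_range(void)
{
    uint32_t chain[64];
    uint8_t region[REGION_SIZE] = { 0 };
    regs_t r = { 2, 0, 0 };
    size_t n = build_write_chain(kPayload, sizeof kPayload, chain, 64);
    return n ? run_chain(chain, n, region, &r) : -99;
}

int main(void)
{
    printf("payload reproduced by ROP write loop: %s\n", demo_write_loop() ? "yes" : "no");
    printf("store with bad initial EAX rejected with code %d\n", demo_store_out_of_range());
    return 0;
}
```

Reading the chain back, every group of eight stack slots is one iteration: four gadget addresses for the decrements, the pop gadget followed by the dword it consumes, the store gadget followed by the junk its `pop ebp` consumes. That is the pattern to look for when a captured chain like the one in Figure 2 seems to consist of the same few addresses repeated with data values interleaved.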

The shellcode downloads a file from a remote server and executes it. The downloaded file is detected as TrojanDropper:Win32/Ropest.A.

As well as keeping your software up to date, we recommend running a real-time security product such as Microsoft Security Essentials to help protect your PC from this and other threats.

Chun Feng

MMPC

SHA1:

468f23ef2f6318ea59a3cbc5570ac766435a5315 (detected as Exploit:SWF/Fiexp.B)

61a776fda7d50655ea336b22499573250fa8761d (detected as TrojanDropper:Win32/Ropest.A)

Source: Cracking the CVE-2014-0569 nutshell - Microsoft Malware Protection Center - Site Home - TechNet Blogs
