Nytro

An interesting case of the CVE-2014-8439 exploit

msft-mmpc 2 Dec 2014 6:02 PM

We have recently seen an exploit targeting the Adobe Flash Player vulnerability CVE-2014-8439 (we detect it as Exploit:SWF/Axpergle). This exploit is being integrated into multiple exploit kits, including the Nuclear exploit kit (Exploit:JS/Neclu) and the Angler exploit kit (Exploit:JS/Axpergle).

Adobe released a patch in November to address this exploit (APSB14-26). Coincidentally, our investigation shows that Adobe released a patch to address a different exploit and that patch appears to have rendered this exploit useless.

CVE-2014-0569 or CVE-2014-8439?

In our analysis of the exploit code, we noticed that the exploit author seems to be confused about the CVE number of the vulnerability they are trying to exploit. It appears the author thinks the exploit is CVE-2014-0569, when the vulnerability they are actually targeting is CVE-2014-8439. This incorrect CVE number is used in the source path (Figure 1) of the SWF file.

Figure 1: Incorrect CVE number (CVE-2014-0569) used

The unusual control transfer trick

To successfully deliver the attack, the exploit needs to transfer control to the deliberately crafted code. In this exploit we didn't see the common tricks used by SWF exploits to cause the control transfer (see Cracking the CVE-2014-0569 nutshell and A journey to CVE-2014-0497 exploit). Actually, we didn't even see any code which explicitly causes the control transfer.

After some further investigation, we discovered the new trick used by this exploit: it attempts to use the vulnerability to corrupt a garbage collection (GC) object. In the GC object, there is an ITelemetry object pointer (offset 0x180 on the Flash Player we are analyzing). The ITelemetry object's VTABLE is crafted with the address to which the control is transferred (Figure 2).

Figure 2: Crafted GC object, Crafted ITelemetry object and Crafted VTABLE entries

The control will be transferred to return-oriented programming (ROP) gadgets via the ITelemetry.IsActive() virtual function call when garbage collection occurs (Figure 3).

Figure 3: Control transferred to ROP gadgets

Shellcode and payload

The shellcode downloads and decrypts a DLL from a remote server. It then registers the DLL by executing the regsvr32 command. The DLL is detected as Ransom:Win32/Reveton, which is a lockscreen ransomware trojan.

You should apply the update from Adobe, mentioned in APSB14-26, keep your software up-to-date, and use a real-time security product such as Microsoft Security Essentials to help protect your PC from this and other threats.

Chun Feng

MMPC

Acknowledgements

I would like to thank Timo Hirvonen from F-Secure and Kafeine from Malware don't need Coffee for the great help during my analysis.

SHA1s used in this analysis:

Source: An interesting case of the CVE-2014-8439 exploit - Microsoft Malware Protection Center - Site Home - TechNet Blogs
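As an added example that is not part of the original post: a small detector for the payload stage described above, where the shellcode registers a downloaded DLL via regsvr32. It runs over constructed process-creation events; the event field format, the set of browser/Flash host process names and the sample paths are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample process-creation events (not taken from the original analysis).
SAMPLE_EVENTS = [
    r'parent="C:\Program Files\Internet Explorer\iexplore.exe" image="C:\Windows\System32\regsvr32.exe" cmdline="regsvr32.exe /s C:\Users\u\AppData\Local\Temp\a1b2.dll"',
    r'parent="C:\Windows\explorer.exe" image="C:\Windows\System32\regsvr32.exe" cmdline="regsvr32.exe /s C:\Program Files\Vendor\ctrl.dll"',
    r'parent="C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_15_0_0_223.exe" image="C:\Windows\System32\regsvr32.exe" cmdline="regsvr32.exe /s C:\Users\u\AppData\Roaming\x9.dll"',
    r'parent="C:\Program Files\Mozilla Firefox\plugin-container.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c whoami"',
]

# Processes that host Flash content in a browser (assumed list).
BROWSER_HOSTS = {"iexplore.exe", "firefox.exe", "plugin-container.exe", "chrome.exe"}
# Paths a drive-by payload can write to without elevation.
USER_WRITABLE = re.compile(r"\\(Temp|AppData)\\", re.IGNORECASE)
FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse key="value" pairs; return None if the line has no fields."""
    fields = dict(FIELD.findall(line))
    return fields or None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_flash_host(parent_image: str) -> bool:
    name = basename(parent_image)
    return name in BROWSER_HOSTS or name.startswith("flashplayerplugin")


def find_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (cmdline, reason) for regsvr32 launches from a browser/Flash host."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or basename(ev.get("image", "")) != "regsvr32.exe":
            continue
        if not is_flash_host(ev.get("parent", "")):
            continue
        reason = "regsvr32 spawned by browser/Flash host process"
        if USER_WRITABLE.search(ev.get("cmdline", "")):
            reason += "; DLL registered from user-writable path"
        alerts.append((ev.get("cmdline", ""), reason))
    return alerts


if __name__ == "__main__":
    for cmdline, reason in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {reason}: {cmdline}")
```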
