Cracking the CVE-2014-0569 nutshell


The Microsoft Malware Protection Center (MMPC) has recently seen an exploit targeting the Adobe Flash Player vulnerability CVE-2014-0569. The exploit is being integrated into the Fiesta exploit kit.

The vulnerability exploited by this malware was fixed by a patch that Adobe released on 14 October 2014. The Adobe Flash Player desktop runtime for Windows, version 15.0.0.167 and earlier, is vulnerable. If you're running a vulnerable version of Adobe Flash Player, update now to help protect your PC.

We analyzed how these attacks work and found the following details.

The exploit bypasses a memory-range validation check and gains access to arbitrary memory locations. It uses this to corrupt the VTABLE entry for the virtual function toString() of a Sound object. When the ActionScript later calls Sound.toString(), control is transferred to the attacker-controlled address, as shown in Figure 1.

Figure 1: Control transfer via the corrupted VTABLE entry for Sound.toString()
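To make the mechanism in Figure 1 concrete, here is an added C model (example code written for this page, not code from the original post or from the exploit): a Sound-like object that dispatches toString() through a vtable, a bounds-checked write that stands in for the memory-range validation the exploit bypasses, and a falsified length that lets the write reach the vtable slot. The simulated heap layout, the slot index and the stub that takes the place of the ROP entry point are assumptions; the actual CVE-2014-0569 bug is not modelled.

```c
/* Added example, not from the original post: a model of the control
 * transfer in Figure 1. A Sound-like object dispatches toString() through
 * a vtable; a length-checked write stands in for the memory-range check the
 * exploit bypasses (the real CVE-2014-0569 bug is not modelled), and once
 * the length is falsified the write reaches the toString slot. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sound;
typedef int (*tostring_fn)(struct sound *);

/* One pointer-sized heap cell, readable as raw data or as a function pointer
 * (assumes function pointers and uintptr_t are the same size, as on x86). */
union cell { uintptr_t raw; tostring_fn fn; };

/* Sound object: vtable pointer first, as in a C++ object layout. */
struct sound { union cell *vt; int id; };

static int sound_to_string(struct sound *s) { return 1000 + s->id; }  /* legitimate slot 0 */
static int attacker_stub(struct sound *s)  { (void)s; return 0xBAD; } /* stands in for the ROP entry */

/* A buffer with a validated write; `len` is the field the exploit falsifies. */
struct vec { union cell *base; uint32_t len; };

static int checked_write(struct vec *v, uint32_t index, uintptr_t value)
{
    if (index >= v->len) return -1;     /* the memory-range validation */
    v->base[index].raw = value;
    return 0;
}

static int call_to_string(struct sound *s) { return s->vt[0].fn(s); }

#define VT_SLOT 4   /* assumed position of the vtable in the simulated heap */

/* Returns what Sound.toString() returns after an attempted overwrite of
 * its vtable slot: 1007 if the check held, 0xBAD if the write landed. */
int demo_hijack(int length_falsified)
{
    union cell heap[8];
    memset(heap, 0, sizeof heap);
    heap[VT_SLOT].fn = sound_to_string;
    struct sound snd = { &heap[VT_SLOT], 7 };
    struct vec v = { heap, VT_SLOT };          /* legitimately covers heap[0..3] */
    if (length_falsified)
        v.len = 8;                             /* index VT_SLOT now passes the check */
    checked_write(&v, VT_SLOT, (uintptr_t)attacker_stub);
    return call_to_string(&snd);               /* the later Sound.toString() call */
}

int main(void)
{
    printf("check intact  : toString() -> %d\n", demo_hijack(0));
    printf("check bypassed: toString() -> 0x%X\n", demo_hijack(1));
    return 0;
}
```

With the length intact the out-of-range write is refused and toString() still runs the original slot; with the length falsified the same call lands in the attacker's stub, which is the point at which a real chain would pivot into ROP.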

At that address, execution enters a chain of ROP gadgets built from the Flash Player DLL, as shown in Figure 2.

Figure 2: Control transferred to ROP gadgets

These ROP gadgets are a bit convoluted, but they can be summarized in the following steps:

  1. The gadgets prepare the data on the stack using a loop of the following gadgets:

    dec eax  // decrement the address at which the code is being built
    ret
    pop ecx  // load the next code bytes into ECX
    ret
    mov     dword ptr [eax],ecx  // store the code bytes at the address held in EAX
    pop ebp
    ret

  2. Control is passed (via a ret instruction) to the VirtualAlloc() API to allocate a 0x1000-byte buffer.

  3. It uses the gadget:

    mov     dword ptr [eax],ecx  // store the code
    pop ebp
    ret

    to build new gadgets at the start of the allocated buffer, for example:

    mov     dword ptr [eax+0Ch],ecx
    ret

  4. These new gadgets build up a small piece of two-layer decryption code that decrypts the shellcode.

  5. Control is passed to the fully decrypted shellcode.
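The write loop in step 1 is easier to follow when you can execute it. The following C program is an added example, not code from the post or from the Fiexp.B sample: a small emulator in which each gadget is a tag the dispatcher acts on, a chain built from the three gadgets listed in step 1 writes a constructed 12-byte stub backwards from the address EAX holds, and the emulator checks the result. The gadget tags, the use of four dec eax per dword, the junk word eaten by pop ebp and the stub bytes are assumptions; steps 2 to 5 (VirtualAlloc, the self-built gadgets and the decryption layers) need native execution and are not emulated.

```c
/* Added example, not from the original post: an emulator for the
 * write-what-where loop of step 1. Gadget "addresses", stack layout, the
 * four dec eax per dword and the junk word eaten by pop ebp are assumptions
 * for the emulator, not the values used by the real Exploit:SWF/Fiexp.B chain. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Gadget tags. In the real chain each is an address inside the Flash
 * Player DLL; here the emulator dispatches on the tag instead. */
enum gadget {
    G_DEC_EAX_RET     = 0x10001000,  /* dec eax ; ret                 */
    G_POP_ECX_RET     = 0x10002000,  /* pop ecx ; ret                 */
    G_MOV_EAX_ECX_RET = 0x10003000,  /* mov [eax],ecx ; pop ebp ; ret */
    G_STOP            = 0x10009000   /* emulator-only end-of-chain marker */
};

#define MEM_SIZE    256   /* simulated target memory, bytes */
#define STACK_WORDS 512   /* simulated stack, 32-bit words  */

struct cpu {
    uint32_t eax, ecx, ebp;
    uint32_t esp;                 /* index of the next word to pop */
    uint32_t stack[STACK_WORDS];
    uint8_t  mem[MEM_SIZE];       /* flat memory, addresses 0..MEM_SIZE-1 */
    int      gadgets_run;
};

static void push_word(struct cpu *c, uint32_t *n, uint32_t w)
{
    c->stack[(*n)++] = w;
}

/* Lay out a chain that writes `code` (length a multiple of 4) so that it
 * ends at the address EAX holds when the chain starts. Each iteration is
 * the step 1 pattern: 4 x (dec eax ; ret), pop ecx <dword> ; ret,
 * mov [eax],ecx ; pop ebp <junk> ; ret. Returns the chain length in words. */
static uint32_t build_write_chain(struct cpu *c, const uint8_t *code, size_t len)
{
    uint32_t n = 0;
    for (size_t off = len; off >= 4; off -= 4) {
        for (int i = 0; i < 4; i++)              /* back the cursor up one dword */
            push_word(c, &n, G_DEC_EAX_RET);
        uint32_t w;
        memcpy(&w, code + off - 4, 4);           /* next dword of code, little-endian */
        push_word(c, &n, G_POP_ECX_RET);
        push_word(c, &n, w);
        push_word(c, &n, G_MOV_EAX_ECX_RET);
        push_word(c, &n, 0xDEADBEEFu);           /* consumed by pop ebp */
    }
    push_word(c, &n, G_STOP);
    return n;
}

/* Run the chain: every `ret` pops the next word and dispatches on it.
 * Returns 0 on G_STOP, negative if the chain faults. */
static int run_chain(struct cpu *c)
{
    for (;;) {
        if (c->esp >= STACK_WORDS) return -3;    /* ran off the stack */
        uint32_t target = c->stack[c->esp++];    /* ret */
        switch (target) {
        case G_DEC_EAX_RET:
            c->eax--;
            break;
        case G_POP_ECX_RET:
            c->ecx = c->stack[c->esp++];
            break;
        case G_MOV_EAX_ECX_RET:
            if (c->eax > (uint32_t)(MEM_SIZE - 4)) return -1;  /* write outside memory */
            memcpy(&c->mem[c->eax], &c->ecx, 4);
            c->ebp = c->stack[c->esp++];
            break;
        case G_STOP:
            return 0;
        default:
            return -2;                           /* not a gadget: would crash */
        }
        c->gadgets_run++;
    }
}

/* Constructed input: a 12-byte stub written so that it ends at address 64.
 * Returns the number of gadgets executed if memory matches the stub,
 * or -1 on failure. */
int demo_step1(void)
{
    static const uint8_t stub[12] = {
        0x31, 0xC0, 0x90, 0x90,   /* xor eax,eax ; nop ; nop */
        0xE8, 0x00, 0x00, 0x00,   /* call rel32 ...          */
        0x00, 0xC3, 0x90, 0x90    /* ... ; ret ; nop ; nop   */
    };
    struct cpu c;
    memset(&c, 0, sizeof c);
    c.eax = 64;                                 /* end of the target region */
    build_write_chain(&c, stub, sizeof stub);
    if (run_chain(&c) != 0) return -1;
    if (memcmp(&c.mem[64 - sizeof stub], stub, sizeof stub) != 0) return -1;
    return c.gadgets_run;
}

int main(void)
{
    int n = demo_step1();
    printf("step 1: %d gadgets executed, stub %s\n",
           n, n > 0 ? "rebuilt in memory" : "NOT rebuilt");
    return n > 0 ? 0 : 1;
}
```

Compile with any C99 compiler and run; it reports the gadget count and whether the stub was rebuilt. Because dec eax moves the cursor one byte at a time, four gadgets are spent positioning each dword before the pop and the store, which is why a chain of this shape is long relative to the code it produces.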

The shellcode downloads a file from a remote server and executes it. The downloaded file is detected as TrojanDropper:Win32/Ropest.A.

As well as keeping your software up to date, we recommend running a real-time security product such as Microsoft Security Essentials to help protect your PC from this and other threats.

Chun Feng
MMPC

SHA1:
468f23ef2f6318ea59a3cbc5570ac766435a5315  (detected as Exploit:SWF/Fiexp.B)
61a776fda7d50655ea336b22499573250fa8761d  (detected as TrojanDropper:Win32/Ropest.A)


Comments (1)

  1. Antti says:

    Will EMET provide any mitigation or protection against threats like this?