Adobe Flash Player Zero Day exploit
The SonicWALL UTM Research team found reports of a new zero-day vulnerability (CVE-2010-1297) in Adobe Flash Player, Reader and Acrobat affecting the Windows, Mac OS X, Linux and Solaris operating systems. Successful exploit attempts typically lead to an application crash, and could potentially allow the attacker to gain control of the victim machine. Affected software versions include Adobe Flash Player 10.0.45.2 and earlier, and Adobe Reader and Acrobat 9.3.2 and earlier. Adobe issued a security advisory on June 4, 2010 warning users about this flaw.
The embedded malicious SWF file looks like this when executed:
When opened, the malicious PDF file performs the following:
- The embedded malicious SWF file is executed, which triggers the vulnerability and causes the Adobe application to crash.
- The application crash leads to the execution of shellcode that already resides in memory.
- The shellcode extracts a malicious executable file from the PDF and drops it onto the victim machine:
  - c:-.exe [Detected as: GAV: DownLdr.AC (Trojan)]
The dropped malware executable is a backdoor Trojan that performs the following activities on the victim machine:
- Sends the request GET /ddradmin/ddrh.ashx?guid=00000000-0000-0000-0000-000000000000 to a predetermined IP address. [The host appeared to be down at the time of writing this alert.]
- Drops the following files:
  - (Windows System)\dllcache\qmgr.dll
  - (Windows System)\qmgr.dll
  - (Windows System)\es.ini
  - (Windows System)\kernel64.dll
The dropped DLL files are detected as GAV: Agent.AAQJ (Trojan).
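The beacon request and the dropped file names above are the host- and network-level indicators a defender can actually look for. The following script, an added example that is not part of the SonicWALL alert, turns them into two checks: a regular expression run over proxy log lines for the GET pattern, and a file-existence check for the listed names under a directory standing in for the Windows System directory. The sample log lines and the temporary directory are constructed for the example; the GUID value in the alert was all zeros, so the pattern is written to accept any GUID-shaped value in case other samples vary it.

```python
import re
import tempfile
from pathlib import Path

# Indicator from the alert: request path used by the dropped backdoor.
# The alert shows an all-zero guid; any GUID-shaped value is accepted here.
C2_URI_RE = re.compile(
    r"GET\s+\S*/ddradmin/ddrh\.ashx\?guid="
    r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
)

# File names the backdoor drops, relative to the Windows System directory.
# Note that qmgr.dll is also the name of a legitimate Windows component (BITS),
# so a hit on that name alone is not conclusive; es.ini and kernel64.dll
# alongside it are the stronger signal.
DROPPED_FILES = (
    Path("dllcache") / "qmgr.dll",
    Path("qmgr.dll"),
    Path("es.ini"),
    Path("kernel64.dll"),
)


def find_c2_requests(log_lines):
    """Return the proxy log lines that contain the backdoor's beacon request."""
    return [line for line in log_lines if C2_URI_RE.search(line)]


def check_dropped_files(system_dir):
    """Return the alert-listed file names that exist under system_dir.

    system_dir is whatever directory the caller points at; in a real check it
    would be the Windows System directory (e.g. %SystemRoot%\\System32).
    """
    base = Path(system_dir)
    return [rel.as_posix() for rel in DROPPED_FILES if (base / rel).is_file()]


# Constructed sample proxy log lines (not taken from the alert).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jun/2010:10:01:02] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [07/Jun/2010:10:01:09] "GET /ddradmin/ddrh.ashx'
    '?guid=00000000-0000-0000-0000-000000000000 HTTP/1.1" 503 0',
    '10.0.0.9 - - [07/Jun/2010:10:02:11] "POST /login HTTP/1.1" 302 0',
]


def demo():
    """Run both checks against constructed input and return their results."""
    hits = find_c2_requests(SAMPLE_LOG)
    # Temporary directory standing in for the Windows System directory; two of
    # the four listed names are planted so the check has something to find.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "dllcache").mkdir()
        (Path(tmp) / "dllcache" / "qmgr.dll").write_bytes(b"MZ")
        (Path(tmp) / "kernel64.dll").write_bytes(b"MZ")
        found = check_dropped_files(tmp)
    return hits, found


if __name__ == "__main__":
    beacon_lines, present_files = demo()
    print("beacon requests:", len(beacon_lines))
    for line in beacon_lines:
        print("  ", line)
    print("dropped files present:", present_files)
```

Pointing check_dropped_files at the real System directory on a suspect host, and feeding find_c2_requests the egress proxy logs for the relevant window, gives a quick triage of whether the backdoor stage of this chain ran, independent of whether the Flash or PDF exploit itself was caught by the gateway signatures.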
Adobe announced today that a security patch for Flash Player will be released on June 10, 2010, whereas the security patch for Adobe Reader and Acrobat will be available on June 29, 2010.
SonicWALL UTM appliances provide protection against this threat via the GAV: Pdfka.CKQ (Exploit) and IPS: Adobe PDF File with Flash signatures.