Adobe Flash Player Zero Day exploit

June 8, 2010

SonicWALL UTM Research team found reports of a new zero-day vulnerability (CVE-2010-1297) in Adobe Flash player, Reader and Acrobat affecting Windows, Mac OS X, Linux and Solaris operating systems. Successful exploit attempts typically lead to application crash, and could potentially allow the attacker to gain control of the victim machine. Affected software versions include: Adobe Flash Player and earlier versions, Adobe Reader and Acrobat 9.3.2 and earlier versions. Adobe issued a security advisory on June 4, 2010 warning the users about this flaw.

SonicWALL UTM Research team got hold of a zero-day exploit for this vulnerability which is a specially crafted PDF file containing a malicious packed Shockwave Flash (SWF) file and a malicious encoded JavaScript. The exploit may arrive via e-mail or can be served via a malicious drive-by site.

Decoded version of JavaScript extracted from the PDF file shows presence of shellcode that drops a malicious executable file onto the target machine:


The embedded malicious SWF file looks like this when executed:


The malicious PDF file when opened performs the following:

  • Encoded JavaScript uses heap spraying technique via large Unicode strings to effectively place the embedded shellcode into the memory.
  • Malicious SWF file gets executed which triggers the vulnerability and causes the Adobe application to crash.
  • The application crash further leads to the execution of the shellcode that already resides within the memory.
  • The shellcode is responsible for extracting and dropping a malicious executable file from the PDF onto the victim machine.
    • c:-.exe [Detected as: GAV: DownLdr.AC (Trojan)]

The downloaded malware executable is a backdoor Trojan that performs following activities on the victim machine:

  • Sends GET request: GET /ddradmin/ddrh.ashx?guid=00000000-0000-0000-0000-000000000000 to a predetermined IP addresss. [appears to be down at the time of writing this alert]
  • Drops following files:
    • (Windows System)dllcacheqmgr.dll
    • (Windows System)qmgr.dll
    • (Windows System)es.ini
    • (Windows System)kernel64.dll
    • (Windows)EventSystem.dll

    The dropped DLL files are detected as GAV: Agent.AAQJ (Trojan).

Adobe made an announcement today about releasing security patch for Flash player on June 10, 2010 whereas security patch for Adobe Reader and Acrobat will be available on June 29, 2010.

SonicWALL UTM appliance provides protection against this threat via GAV: Pdfka.CKQ (Exploit) and IPS: Adobe PDF File with Flash signatures.