Adobe Flash Zero Day Exploit Analysis

March 6, 2014

Last week, the Dell SonicWALL Threats Research Team observed multiple instances of an Adobe Flash zero-day exploit targeting CVE-2014-0502.
A double-free vulnerability in Adobe Flash may allow arbitrary code execution.
Adobe quickly addressed the issue with a security update.
We also have a detailed writeup on the analysis of the malware downloaded after successful exploitation.

Let's look at an in-depth analysis of the exploit.

Attack Flow:

We can see how the iframe is injected.

When the user is redirected to the malicious iframe, its HTML contains a reference to the malicious SWF.

Decompiling the SWF shows how the GIF file is loaded.

Here we can see how the exploit is fine-tuned for Windows XP and Windows 7.

The SWF also allocates the ROP chain that corresponds to the checks above.

A cookie is set and checked so that the exploit runs only once.

Debugging shows how execution pivots into the ROP chain.

We can see how the urlmon module is used to download the EXE.

This EXE is copied to C: and executed.

Then there is post-infection activity.
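As an added defender-side example (not code from the original post or from the SonicWALL research team), the following Python triage script decompresses an SWF the way the loader stage above would be inspected and flags the strings the analysis points to: a GIF reference, Windows XP / Windows 7 fingerprinting, and urlmon for the EXE download. The sample SWF it builds is constructed for the demonstration, and the `Capabilities` indicator assumes the OS string is read from ActionScript's flash.system.Capabilities.os.

```python
import struct
import zlib

# Strings worth a closer look in a decompressed SWF body, taken from the
# behaviour described above (GIF loader, OS checks, urlmon download).
# "Capabilities" is an assumption: the usual ActionScript OS source.
INDICATORS = [b".gif", b"Windows XP", b"Windows 7", b"urlmon", b".exe",
              b"Capabilities"]


def swf_body(data: bytes) -> bytes:
    """Return the uncompressed tag body of an SWF (FWS plain, CWS zlib)."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF")
    sig = data[:3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF not handled by this example")
    else:
        raise ValueError("not an SWF header")
    # The header length field counts the 8-byte header plus the
    # uncompressed body; a mismatch is itself a malformed-file sign.
    if declared_len != 8 + len(body):
        raise ValueError("declared length %d != actual %d"
                         % (declared_len, 8 + len(body)))
    return body


def triage_swf(data: bytes) -> list:
    """List which INDICATORS appear in the SWF body, in INDICATORS order."""
    body = swf_body(data)
    return [ind.decode() for ind in INDICATORS if ind in body]


def build_sample_swf(strings, compressed=True) -> bytes:
    """Constructed minimal SWF carrying the given byte strings (not a real sample)."""
    body = b"\x00" * 4 + b" ".join(strings)  # placeholder RECT bytes, then payload
    sig = b"CWS" if compressed else b"FWS"
    header = sig + bytes([11]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    sample = build_sample_swf([b"loader.gif", b"Windows XP", b"urlmon.dll"])
    print(triage_swf(sample))  # ['.gif', 'Windows XP', 'urlmon']
```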

We have implemented the following signatures to detect the attack.

  • SPY:4185 Malformed-File swf.OT.7
  • SPY:4186 Malformed-File gif.OT.1
  • SPY:2342 Malformed-File swf.MP.103
  • SPY:2344 Malformed-File swf.MP.104