Adobe Type Confusion Vulnerability CVE-2015-7645 Exploits in the Wild

October 30, 2015

A critical zero-day vulnerability, CVE-2015-7645, was found on Oct 13, 2015, and it was first observed in use by the Pawn Storm cyber-espionage campaign. Adobe acknowledged it and released an emergency patch later that week. By exploiting this vulnerability, a remote attacker can execute arbitrary code on target systems running vulnerable versions of Adobe Flash Player via a crafted SWF file. The affected versions include Adobe Flash Player 18.x through and 19.x through on Windows and OS X and 11.x through on Linux. Adobe recommends applying the patch immediately.

Specifically, the vulnerability exists in the IExternalizable interface supported by the ActionScript runtime of Adobe Flash Player. The type confusion occurs when the pointer to the writeExternal function is overwritten by a variable of a different type that carries the same name. The overwritten pointer can then point to arbitrary code controlled by an attacker.

Multiple exploits have been found for this vulnerability, and some of them have been identified in use by the Angler Exploit Kit; for example, the following are the hashes of two of the files:

  • d3e3194e612e7f9df804aea2f2ab818dd25a392b7a4b44f144a8d85ec8bc766d
  • 1b332c513d20e01208ee7dc3c80fc231b49cfd03a9be6c49990372d742381985
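As an added triage example (not code from the advisory or from Dell SonicWALL), the following Python script hashes a sample against the two SHA-256 values above, parses the SWF header, inflates a zlib-compressed (CWS) body, checks the declared length, and reports whether the identifier strings IExternalizable and writeExternal appear in the body, which is where a compiled class implementing the interface keeps them in its ABC constant pool. The marker check is a heuristic only (legitimate SWFs use the interface, and obfuscated exploits may hide the names), and make_sample_cws builds a constructed file purely for demonstration.

```python
import hashlib
import zlib

# SHA-256 values of the two exploit files listed in the advisory above.
KNOWN_EXPLOIT_SHA256 = frozenset({
    "d3e3194e612e7f9df804aea2f2ab818dd25a392b7a4b44f144a8d85ec8bc766d",
    "1b332c513d20e01208ee7dc3c80fc231b49cfd03a9be6c49990372d742381985",
})

# Identifier strings that a compiled SWF implementing the interface keeps in its
# ABC constant pool. Their presence is only a triage hint: legitimate SWFs use
# IExternalizable too, and obfuscated exploits may not carry the names in clear.
SUSPECT_STRINGS = (b"IExternalizable", b"writeExternal")


def swf_body(data: bytes) -> bytes:
    """Return the SWF body after the 8-byte header (signature, version, length).
    FWS = uncompressed, CWS = zlib-compressed; ZWS (LZMA) is not handled here."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF")
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    if sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF not supported by this script")
    raise ValueError("not an SWF file")


def triage(data: bytes, known=KNOWN_EXPLOIT_SHA256) -> dict:
    """Hash the raw file against the IoC list and look for interface markers."""
    digest = hashlib.sha256(data).hexdigest()
    result = {"sha256": digest, "known_exploit": digest in known, "markers": []}
    try:
        body = swf_body(data)
    except (ValueError, zlib.error) as exc:
        result["error"] = str(exc)
        return result
    # The header length field states the uncompressed size including the header.
    result["length_ok"] = int.from_bytes(data[4:8], "little") == 8 + len(body)
    result["markers"] = [s.decode() for s in SUSPECT_STRINGS if s in body]
    return result


def make_sample_cws(body: bytes, version: int = 10) -> bytes:
    """Build a constructed CWS container around a body, for testing only."""
    header = b"CWS" + bytes([version]) + (8 + len(body)).to_bytes(4, "little")
    return header + zlib.compress(body)
```

A hit on the hash list is a confirmed match; markers alone only say the sample deserves a closer look, which is the stage at which the signatures below apply.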

The following code from one of the exploits shows how the writeExternal function was overwritten by a variable declaration and assignment:

And it was called later:

An example of the obfuscated ActionScript code from the exploits is below:

Dell SonicWALL researched this vulnerability in the same week it was discovered and released multiple signatures to cover the exploits in the wild:

  • GAV: CVE-2015-7645 (Exploit)
  • GAV: CVE-2015-7645_2 (Exploit)
  • GAV: CVE-2015-7645_3 (Exploit)
  • GAV: CVE-2015-7645_4 (Exploit)