Multiple Exploits for CVE-2015-5119 Observed in the Wild

September 18, 2015

CVE-2015-5119 is a use-after-free vulnerability in the ByteArray class of ActionScript 3. Adobe first published its advisory for CVE-2015-5119 in July, and the first exploit surfaced soon afterwards. Since then we have kept observing new exploits that make use of this vulnerability, and multiple distinct exploits have now been seen.

A typical variant wraps the exploit ActionScript code in a second Flash file, which is embedded as a binary blob inside the outer Flash file. Here is an example of the embedded binary:

The binary was loaded through the ActionScript ByteArrayAsset class and handed to a decoding routine:

The following function decodes the binary using an embedded key and obfuscated system function calls:

After decoding, the embedded Flash file looks like this:

By decompiling it, we can see the exploit code for CVE-2015-5119:
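The wrapping technique described above (an outer SWF carrying a second SWF as an embedded binary that is decoded and loaded at runtime) can be checked for from the defender's side without a decompiler. The following Python script is an added example, not code from the original advisory or from Dell SonicWALL: it unpacks a zlib-compressed (CWS) SWF, scans the body for nested SWF headers (FWS/CWS/ZWS), and flags ActionScript identifiers associated with loading a SWF from a ByteArray. ByteArrayAsset is named in the advisory; `loadBytes` (the AS3 Loader method for running a SWF held in a ByteArray) and the version/length sanity thresholds are this example's assumptions. The sample input is constructed inline.

```python
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# ByteArrayAsset is the class named in the advisory; loadBytes is the usual
# AS3 Loader call for executing a SWF held in a ByteArray (an assumption of
# this example, not something the advisory states).
SUSPICIOUS_STRINGS = (b"ByteArrayAsset", b"loadBytes")


def parse_swf_header(blob, offset=0):
    """Return (magic, version, file_length) if a plausible SWF header starts at offset, else None."""
    if len(blob) - offset < 8:
        return None
    magic = blob[offset:offset + 3]
    if magic not in SWF_MAGICS:
        return None
    version = blob[offset + 3]
    file_length = struct.unpack_from("<I", blob, offset + 4)[0]
    # Sanity thresholds (assumed): real SWF versions fall in 1..50 and the
    # declared length must at least cover the 8-byte header.
    if not 1 <= version <= 50 or file_length < 8:
        return None
    return magic, version, file_length


def decompress_swf_body(blob):
    """Return (magic, body) where body is everything after the 8-byte header,
    zlib-inflated for CWS files. ZWS (LZMA) bodies are returned as-is."""
    hdr = parse_swf_header(blob)
    if hdr is None:
        raise ValueError("not a SWF file")
    magic = hdr[0]
    body = blob[8:]
    if magic == b"CWS":
        body = zlib.decompress(body)
    return magic, body


def find_embedded_swfs(body):
    """Scan a decompressed SWF body for nested SWF headers, i.e. the wrapping technique."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            idx = body.find(magic, start)
            if idx < 0:
                break
            hdr = parse_swf_header(body, idx)
            if hdr is not None:
                hits.append((idx,) + hdr)
            start = idx + 1
    return sorted(hits)


def find_suspicious_strings(body):
    """Report which ByteArray-loading identifiers appear in the body."""
    return [s.decode() for s in SUSPICIOUS_STRINGS if s in body]


def analyze_swf(blob):
    """Combine the checks into one verdict dictionary."""
    magic, body = decompress_swf_body(blob)
    return {
        "compressed": magic != b"FWS",
        "embedded_swfs": find_embedded_swfs(body),
        "suspicious_strings": find_suspicious_strings(body),
    }


def build_sample():
    """Constructed sample: a CWS outer file whose body carries the string
    ByteArrayAsset and a fake 40-byte inner FWS file (no real Flash content)."""
    inner = b"FWS" + bytes([18]) + struct.pack("<I", 40) + b"\x00" * 32
    payload = b"\x00" * 16 + b"ByteArrayAsset" + b"\x00" * 4 + inner + b"\x00" * 8
    outer_len = 8 + len(payload)  # SWF FileLength is the uncompressed length
    return b"CWS" + bytes([20]) + struct.pack("<I", outer_len) + zlib.compress(payload)


if __name__ == "__main__":
    print(analyze_swf(build_sample()))
```

A hit from `find_embedded_swfs` together with a ByteArray-loading identifier is a strong indicator of the wrapper pattern. The caveat is the decode step the advisory describes: when the inner SWF is stored under an embedded key, its FWS/CWS magic is not present in plaintext, so this scan only fires on unobfuscated wrappers or on buffers captured after decoding (for example a process memory dump or an instrumented Flash runtime). The signature list below exists precisely because the static heuristic alone does not cover the keyed variants.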

Dell SonicWALL has observed hundreds of exploits using this Flash-wrapping method in the wild since July. Multiple GAV signatures have been created to protect customers, including the following:

  • 28044 CVE-2015-5119a.A
  • 28030 CVE-2015-5119.AJ_2
  • 28005 CVE-2015-5119.AJ
  • 27997 CVE-2015-5119.C_3
  • 27992 CVE-2015-5119.A_17
  • 19262 CVE-2015-5119_3
  • 18484 CVE-2015-5119_2
  • 18363 CVE-2015-5119.AN_2