Two more Flash 0-days as a result of HackingTeam data leak

July 15, 2015

As we discusses in our previous blog on recent Adobe 0-day(CVE-2015-5119), there are two more vulnerabilities that surfaced from the same HackingTeam data leak:

  • CVE-2015-5122: Adobe Flash ActionScript3 opaqueBackground Use After Free Vulnerability
  • CVE-2015-5123: Adobe Flash Player BitmapData Remote Code Execution Vulnerability

All three vulnerabilities are use-after-free vulnerabilities; although they occur in different classes. These vulnerabilities trigger the bug by overriding the 'valueOf()' function of these classes. During the override, the associated object is either freed or relocated. This makes the associated address invalid which inadvertantly triggers the vulnerability.

Here's an example of CVE-2015-5123 where a 'BitmapData' object is created and disposed by overriding 'valueOf()' function:

Sonicwall team has written following signature that protect our customers from these exploits:

  • 15380.CVE-2015-5119.B_3 Exploit
  • 15392.CVE-2015-5119.A Exploit
  • 15398.CVE-2015-5119.DH_2 Exploit
  • 15399.CVE-2015-5119.A_2 Exploit
  • 15400.CVE-2015-5119.B Exploit
  • 15404.CVE-2015-5119.C Exploit
  • 15410.CVE-2015-5119.C_2 Exploit
  • 15413.CVE-2015-5119.A_4 Exploit
  • 15415.CVE-2015-5119.A_5 Exploit
  • 15416.CVE2015-5119.SW Exploit
  • 15418.CVE-2015-5119.A_6 Exploit
  • 15419.CVE-2015-5119.TTY Exploit
  • 15420.CVE-2015-5119.A_7 Exploit
  • 15423.CVE-2015-5119.A_10 Exploit
  • 15424.CVE-2015-5119.A_11 Exploit
  • 15426.CVE-2015-5119.A_12 Exploit
  • 15550.CVE-2015-5122.SW Exploit
  • 15553.CVE-2015-5122 Exploit
  • 15670.CVE-2015-5123.A Exploit