Unpatched Flash exploits unveiled in Hacking Team data dump

One of the vulnerabilities was described by Hacking Team as one of the "most beautiful Flash bug for the last four years."


Security researchers claim 400GB of corporate data stolen from Hacking Team in a recent cyberattack contains a number of unreported, unpatched Adobe flaws.

A number of exploits, along with their code, are contained within the leaked files, according to Trend Micro researchers. In an analysis of the dump, the security team says there are "at least" three exploits, including several which target Adobe Flash Player and Microsoft's Windows operating system.

Two exploits have been designed for Flash Player, and the Windows vulnerability, CVE-2015-0349, has already been patched.

Hacking Team seemed delighted with its work, labelling one of the Flash vulnerabilities as the "most beautiful Flash bug for the last four years."


The Flash exploits are yet to receive CVE numbers.


The leaked package contains a Flash zero-day proof-of-concept, which can open the Windows calculator, as well as a release version with attack shellcode. In the proof-of-concept, a readme document describes one of the exploits, which affects Adobe Flash Player 9 or higher.

Internet Explorer, Chrome, Firefox and Safari are all vulnerable.

One of the flaws is a ByteArray class use-after-free (UAF) vulnerability, which can be used to override PC functions, change the value of objects and reallocate memory.

As explained by Trend Micro, once the UAF vulnerability is triggered, "it corrupts the Vector length to achieve arbitrary memory read and write capabilities in the process." As a result, the researchers say the exploit is able to:

  • Search for the kernel32.dll base address in the process, then find the VirtualProtect address.
  • Find the address of the shellcode, which is contained in a ByteArray.
  • Call VirtualProtect to change the shellcode memory to become executable.
  • There is an empty static function named Payload defined in AS3 code.
  • Find the Payload function object address and then find the real function code address contained by the Payload function object.
  • Overwrite the real function code address with the shellcode address.
  • Call the static function Payload in AS3, which causes the shellcode to be called. After the shellcode executes, reset the static function address.

This exploit method is, therefore, able to bypass Control Flow Guard by overwriting a static function code address. Control Flow Guard, found in Windows 10, is a system which aims to prevent indirect calls targeting a shellcode address.

"While Hacking Team stated that this was the most beautiful bug since CVE-2010-2161, we can see that several bugs have used this ValueOf trick, including CVE-2015-0349 which was used at Pwn2Own 2015," Trend Micro says.

At the time of writing, no attacks exploiting this vulnerability have been spotted in the wild.

A spokesperson from Hacking Team told ZDNet:

"HackingTeam has been the victim of an online attack, and documents have been stolen from the company. We are investigating to determine the extent of this attack and specifically what has been taken. We are working with several appropriate law enforcement to determine who is responsible.

We cannot comment on the validity of documents purportedly from our company. However, interpreting even valid documents without [a] complete picture of why they were created or how they were used can easily lead to misunderstandings and even false conclusions."
