CVE-2016-1019:Magnitude攻击工具里的flash漏洞

2016-05-03 242171人围观 ,发现 3 个不明物体 漏洞

*本文中涉及到的相关漏洞已报送厂商并得到修复,本文仅限技术研究与讨论,严禁用于非法用途,否则产生的一切后果自行承担。

上月,Proofpoint一安全研究人员发现Magnitude攻击工具里似乎出现了些新东西。于是在他们的合作下我们分析了样本并发现Magnitude EK里增加了之前存在于Adobe Flash Player的漏洞(cve-2016-1019),然后野外利用对Flash Player最近版本进行远程执行。

虽然最新版本21.0.0.197也存在这个漏洞,不过因为Adobe 在Flash Player21.0.0.182版本中引入了新的漏洞缓解方式,因此这个漏洞在这个版本中起不到什么作用。这次是Adobe处理漏洞问题的一大举动。

利用传输链做坏事

Magnitude EK更新了它的传输链。它在链里增加了一道“门”,有点像Angler EK,先收集屏幕的尺寸和色彩深度。

fig1.jpg

然后服务器为防止被用户的防毒软件发现用了另一个页面响应。

fig2.jpg

Magnitude EK通过发送JSON来双重释放这个漏洞(cve-2015-2419)和一个Flash loader。

fig3.jpg

Flash攻击

这个漏洞(cve-2015-2419)的特点是在攻击者的控制下会导致Flash内存分配器自主分配缓冲区。然后攻击者就可以在里面创建一个长度为0xffffffff的字节数组任意读写存储器。而且,在我们查看过程中发现侵入代码及其一些功能和之前HackingTeam泄露的漏洞入侵代码很相似,都是从另一个服务器下载恶意程序。

fig4.jpg

附录

    res://\Program%20Files%20(x86)\Fiddler2\Fiddler.exe/#3/#32512
    res://\Program%20Files\Fiddler2\Fiddler.exe/#3/#32512
    res://\Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567
    res://\Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567
    res://\Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996
    res://\Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996
    res://\Program%20Files%20(x86)\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110
    res://\Program%20Files\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110
    res://\Program%20Files%20(x86)\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204
    res://\Program%20Files\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204
    res://\Program%20Files%20(x86)\Malwarebytes Anti-Malware\mbamext.dll/#2/202
    res://\Program%20Files\Malwarebytes Anti-Malware\mbamext.dll/#2/202
    res://\Program%20Files%20(x86)\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE
    res://\Program%20Files\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE
    res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/200
    res://\Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/200
    res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/201
    res://\Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/201
    res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE
    res://\Program%20Files\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE
    res://\Program%20Files%20(x86)\Trend Micro\Titanium\TmConfig.dll/#2/#30994
    res://\Program%20Files\Trend Micro\Titanium\TmConfig.dll/#2/#30994
    res://\Program%20Files%20(x86)\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994
    res://\Program%20Files\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102
    res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102
    res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102
    res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL
    res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102
    res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102
    res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL
    res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567
    res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567
    res://\Program%20Files\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567

*参考来源fireeye  ,FB小编江湖小吓翻译,转载请注明来自FreeBuf黑客与极客(FreeBuf.COM)

Loading...

特别推荐

推荐关注

填写个人信息

姓名
电话
邮箱
公司
行业
职位
css.php