
CVE-2016-1019: the Flash vulnerability in the Magnitude exploit kit
2016-05-03 09:30:58

*The vulnerabilities discussed in this article have been reported to the vendor and fixed. This article is for technical research and discussion only; use for illegal purposes is strictly prohibited, and anyone who does so bears all resulting consequences.

Last month, a Proofpoint security researcher noticed that something new appeared to have been added to the Magnitude exploit kit. Working with them, we analysed the sample and found that Magnitude EK had added an exploit for a vulnerability in Adobe Flash Player (CVE-2016-1019), which was being used in the wild to achieve remote code execution against recent versions of Flash Player.

Although the latest version, 21.0.0.197, is also affected by this vulnerability, the exploit is largely ineffective against it because Adobe introduced new exploit mitigations in Flash Player 21.0.0.182. This is a significant step in how Adobe handles vulnerabilities.

Abusing the delivery chain

Magnitude EK has updated its delivery chain. It added a "gate" to the chain, similar to Angler EK, which first collects the screen dimensions and colour depth.

fig1.jpg

The server then responds with a different page in order to avoid detection by the user's antivirus software.

fig2.jpg

Magnitude EK then delivers both the CVE-2015-2419 exploit and a Flash loader via JSON.

fig3.jpg
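The delivery chain described above (gate page, decoy page, JSON carrying the exploit and a Flash loader, then the Flash file itself) leaves an ordered trace in web-proxy logs. The following detection script is an added example, not code from the FireEye or FreeBuf article; the log format, hosts and paths are constructed for the example.

```python
"""Flag a Magnitude-style delivery chain in proxy logs (added example).

Per client and host, look for HTML, then JSON, then a Flash (SWF) response,
in that order and within a short window. The log line format and all hosts,
paths and addresses below are assumptions constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "timestamp client method host path status content-type"
SAMPLE_LOG = """\
2016-04-01T10:00:01 10.0.0.5 GET ad-gate.example.test /gate.php 200 text/html
2016-04-01T10:00:02 10.0.0.5 POST ad-gate.example.test /gate.php 200 text/html
2016-04-01T10:00:04 10.0.0.5 GET ad-gate.example.test /x/ 200 application/json
2016-04-01T10:00:06 10.0.0.5 GET ad-gate.example.test /x/a.swf 200 application/x-shockwave-flash
2016-04-01T10:05:00 10.0.0.9 GET cdn.example.test /video/player.swf 200 application/x-shockwave-flash
2016-04-01T10:05:01 10.0.0.9 GET api.example.test /v1/items 200 application/json
"""

# Response types in the order the article describes them: landing/decoy HTML,
# JSON with the exploit and Flash loader, then the Flash file.
CHAIN = ["text/html", "application/json", "application/x-shockwave-flash"]
WINDOW_SECONDS = 60  # assumption: the whole chain completes within a minute


def parse(log_text):
    """Turn the constructed log lines into dicts with a parsed timestamp."""
    entries = []
    for line in log_text.splitlines():
        ts, client, method, host, path, status, ctype = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "method": method, "host": host, "path": path, "ctype": ctype})
    return entries


def find_chains(entries, window=WINDOW_SECONDS):
    """Return (client, host) pairs that served the full CHAIN in order within `window`."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[(e["client"], e["host"])].append(e)
    hits = []
    for key, events in grouped.items():
        events.sort(key=lambda e: e["ts"])
        stage, start = 0, None
        for e in events:
            if start is not None and (e["ts"] - start).total_seconds() > window:
                stage, start = 0, None  # too slow: restart the state machine
            if e["ctype"] == CHAIN[stage]:
                start = start if start is not None else e["ts"]
                stage += 1
                if stage == len(CHAIN):
                    hits.append(key)
                    break
    return hits


if __name__ == "__main__":
    for client, host in find_chains(parse(SAMPLE_LOG)):
        print(f"possible exploit-kit chain: client={client} host={host}")
```

The second client fetches a SWF and some JSON from unrelated hosts, so it is not flagged; only the client that received HTML, JSON and a SWF from one host in sequence is reported.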

The Flash exploit

The vulnerability (CVE-2015-2419) allows an attacker to force the Flash memory allocator to allocate a buffer under the attacker's control. The attacker can then create a byte array with a length of 0xffffffff inside it to read and write memory arbitrarily. During our analysis we also found that the exploit code and some of its functionality closely resemble the exploit code leaked from HackingTeam, including downloading malware from another server.

fig4.jpg


*Source: FireEye. Translated by FreeBuf editor 江湖小吓. Please credit FreeBuf (FreeBuf.COM) when reposting.
