Angler EK Exploiting Adobe Flash CVE-2015-3090

FireEye has detected a new attack by the Angler Exploit Kit (EK) that exploits CVE-2015-3090 in Adobe Flash Player. Angler began exploiting CVE-2015-3090 about two weeks after Adobe released a patch (Patch: May 11, 2015, Exploit: approx. May 26, 2015).

Exploit kits (particularly Angler and Nuclear) regularly exploit recently patched Flash vulnerabilities. In April, they exploited CVE-2015-0359 (patched earlier in April). In March, they exploited CVE-2015-0336 (patched earlier in March). Earlier in the year (and at the end of 2014), they exploited unpatched vulnerabilities CVE-2015-0311, CVE-2015-0313 (and a leak, CVE-2015-0310). The trend is not new, but it is worrisome.

Exploit Overview

The attack uses common Exploit Kit obfuscations (SecureSWF) and techniques that we discussed in earlier blogs. It also uses the same CFG bypass (ByteArray.toString) as last month's CVE-2015-0359 exploit. FlashVars are used to determine the URL of the next stage of the attack.

The exploit for CVE-2015-3090 targets a race condition in the Shader class: asynchronously modifying the width/height of a shader object while a ShaderJob is starting results in memory corruption. Angler uses this to execute arbitrary code and infect unpatched users' systems.

Exploit Details

The exploit follows the steps below:

1. Check if the target is vulnerable.

2. Create a vector of length 0x400 filled with vectors of length 0xA6.

3. Create a ShaderJob and set its width to 0.

4. Start the ShaderJob.

5. Set the ShaderJob width to 0x25E.

6. Wait 0x12C before continuing.

7. Loop through the vector from step 2 and find one whose length is not 0xA6 or 0xA6*2. This is the corrupted vector used for out-of-bounds memory accesses.

8. Post-corruption exploitation techniques are the same as in last month's CVE-2015-0359 exploit, culminating in a control-flow transfer to attacker-controlled code via ByteArray.toString, circumventing CFG.

Telemetry

Filename                                          MD5                               Description
H-niKRHt3rWB8xxtWHt80XX-xX6RGZuP1aJzKSBFpwPB3rzM  1436e63f983604aa7b2ace32e797231a  SecureSWF protected CVE-2015-3090 Adobe Flash Exploit

Domain                                          Description
news4news14[.]com                               Initial page
dop45904h-khb747bjg324yu83-sdk.andledrigh[.]in  Serves landing page and SWF file
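As an added example (not FireEye's code), the script below turns the indicators in the tables above into a simple retrospective check: it refangs the defanged domains, scans proxy log lines for URL hosts that equal or sit under those domains (host matching, not substring matching, so a benign page whose path merely mentions the domain is not flagged), and looks the MD5 up in a file-hash report. The log lines, client IPs, file paths and the second hash are constructed sample data; only the two domains and the first MD5 come from the telemetry tables.

```python
import re

# Indicators transcribed from the telemetry tables above, kept in defanged form.
DEFANGED_DOMAINS = [
    "news4news14[.]com",
    "dop45904h-khb747bjg324yu83-sdk.andledrigh[.]in",
]
# MD5 of the SecureSWF-protected exploit SWF from the table above.
KNOWN_BAD_MD5 = {"1436e63f983604aa7b2ace32e797231a"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


BAD_DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}

# Constructed proxy log lines (not real traffic): timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = """\
2015-05-26T10:01:02Z 10.0.0.12 GET http://news4news14.com/ 200
2015-05-26T10:01:03Z 10.0.0.12 GET http://dop45904h-khb747bjg324yu83-sdk.andledrigh.in/landing 200
2015-05-26T10:01:04Z 10.0.0.12 GET http://DOP45904H-KHB747BJG324YU83-SDK.ANDLEDRIGH.IN/x.swf 200
2015-05-26T10:02:00Z 10.0.0.15 GET http://example.org/news4news14.com.html 200
2015-05-26T10:03:00Z 10.0.0.20 GET http://sub.news4news14.com/ 200
"""

# Extracts the host part of an http(s) URL; port, path and query are left out.
URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def host_matches(host: str, bad_domains) -> bool:
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def scan_proxy_log(text: str, bad_domains=BAD_DOMAINS):
    """Return (line_number, client_ip, host) for each line whose URL host hits an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the sweep
        m = URL_RE.search(fields[3])
        if m and host_matches(m.group(1), bad_domains):
            hits.append((n, fields[1], m.group(1).lower()))
    return hits


# Constructed file inventory (path, md5) as an EDR or sandbox report might list it.
# The first hash is the page's indicator (upper-cased to show normalisation);
# the paths and the second hash (MD5 of an empty file) are made up.
SAMPLE_FILE_REPORT = [
    ("C:/Users/alice/AppData/Local/Temp/flash_xyz.swf", "1436E63F983604AA7B2ACE32E797231A"),
    ("C:/Users/alice/Downloads/report.pdf", "d41d8cd98f00b204e9800998ecf8427e"),
]


def match_file_hashes(report, bad_md5=KNOWN_BAD_MD5):
    """Return (path, md5) for every report entry whose MD5 is a known-bad hash."""
    return [(path, h.lower()) for path, h in report if h.lower() in bad_md5]


if __name__ == "__main__":
    for n, client, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: client {client} contacted {host}")
    for path, h in match_file_hashes(SAMPLE_FILE_REPORT):
        print(f"known-bad SWF: {path} ({h})")
```

Subdomain matching is deliberate: the second table shows the kit serving from a long, generated host under andledrigh[.]in, so matching on the registered domain as well as the exact host catches the next rotated label. The hash lookup is exact, so it only identifies this particular SecureSWF-protected sample; a repacked SWF will need other detection.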

Adobe PSIRT is aware of this issue, and we provided them access to the above samples.

Note that another blog of ours discusses malicious activity with the same news* and other related domains.

Acknowledgements

Thank you to Henry Bernabe of FireEye for working with us on this issue.