神刀安全网

A Root Cause Analysis of the Recent Flash Zero-Day Vulnerability, CVE-2016-1010

On March 10, Adobe released an emergency out-of-band update to fix a zero-day vulnerability that was being used in targeted attacks. The vulnerability was designated CVE-2016-1010. To analyze this vulnerability, I examined an earlier version of Flash Player (the Flash32_19_0_0_185.ocx file on Windows 7) to find the root cause of the vulnerability.

Root cause analysis

In ActionScript 3.0, the BitmapData class has a public function copyPixels defined this way:

public function copyPixels(sourceBitmapData:BitmapData, sourceRect:Rectangle, destPoint:Point, alphaBitmapData:BitmapData = null, alphaPoint:Point = null, mergeAlpha:Boolean = false):void

When Flash runs this function, it will use sourceRect (a Rectangle), which is defined as:

public function Rectangle(x:Number = 0, y:Number = 0, width:Number = 0, height:Number = 0)

to create a temporary structure which may be called BitmapData. In Flash 19.0.0.185 this structure may have the following layout:

0x08:  height       // the height of the Bitmap
0x0c:  width        // the width of the Bitmap
0x20:  pBitmapData  // the pointer to the Bitmap Data array
0x24:  bytesize     // the byte size of each line in the Bitmap, bytesize = width*4

When calculating the bytesize, Flash uses the shl operation, as shown in Figure 1. If width >= 0x40000000, "shl ecx,2" will trigger an integer overflow. The function then uses bytesize*height to calculate the allocated memory size of pBitmapData. If the bytesize overflowed, the allocated memory will be smaller than needed.

An attacker can use this overflow to read and write to arbitrary memory locations, effectively leading to arbitrary code execution.


Figure 1. Unpatched Function

The pseudocode would look something like this:

pBitmapData->width = width;
pBitmapData->height = height;
pBitmapData->bytesize = 4 * width;             // triggers integer overflow when width >= 0x40000000
int allocSize = pBitmapData->bytesize * height; // too small once bytesize has wrapped
allocMemory = allocMemory(allocSize);
pBitmapData->pBitmapData = allocMemory;

Patching the Vulnerability

In Flash Player 21.0.0.182, this vulnerability was patched. How did Adobe do this?

The original shl operation was replaced with imul. In addition, the 64-bit product width*4 is recorded in the register pair (edx,eax). If the value of edx is non-zero, the multiplication overflowed 32 bits. Because the overflow is now detected, the code handles this case correctly.


Figure 2. Patched Function
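As an added example (not code from the original analysis or from Adobe), the following C program models the two computations described above: the unpatched 32-bit shift from Figure 1, and the patched widening multiply from Figure 2, where a non-zero high half of the product (the edx register) flags the overflow. It goes one step beyond the page by applying the same check to the second multiply, bytesize*height. Function names are my own, and width and height are assumed to already be unsigned 32-bit integers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unpatched path: bytesize = width << 2, computed in 32 bits like "shl ecx,2".
 * For width >= 0x40000000 the top bits are shifted out of the register and
 * the result wraps. */
uint32_t bytesize_unpatched(uint32_t width) {
    return width << 2;
}

/* Unpatched allocation size: a wrapped bytesize makes this far too small. */
uint32_t allocsize_unpatched(uint32_t width, uint32_t height) {
    return bytesize_unpatched(width) * height;
}

/* Patched-style bytesize: a widening multiply whose 64-bit product models
 * the edx:eax register pair produced by imul. A non-zero high half (edx)
 * means the value does not fit in 32 bits, and the caller is told to bail. */
bool bytesize_checked(uint32_t width, uint32_t *out) {
    uint64_t product = (uint64_t)width * 4u;   /* edx:eax */
    if (product >> 32) return false;           /* edx != 0 -> overflow */
    *out = (uint32_t)product;
    return true;
}

/* Generalisation beyond the page: the second multiply, bytesize * height,
 * is checked the same way so the final allocation size cannot wrap either. */
bool allocsize_checked(uint32_t width, uint32_t height, uint32_t *out) {
    uint32_t bytesize;
    if (!bytesize_checked(width, &bytesize)) return false;
    uint64_t product = (uint64_t)bytesize * height;
    if (product >> 32) return false;
    *out = (uint32_t)product;
    return true;
}

int main(void) {
    /* Constructed inputs: the smallest width at which "shl ecx,2" wraps. */
    uint32_t width = 0x40000000u, height = 1u, size = 0u;
    printf("unpatched: width=0x%08x -> bytesize=%u allocSize=%u\n",
           width, bytesize_unpatched(width), allocsize_unpatched(width, height));
    printf("patched:   width=0x%08x -> %s\n", width,
           allocsize_checked(width, height, &size) ? "accepted" : "rejected (edx != 0)");
    return 0;
}
```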

Integer overflow vulnerabilities are common in Flash Player. In APSB16-08 alone, three integer overflow vulnerabilities (CVE-2016-0963, CVE-2016-0993, CVE-2016-1010) were fixed. Adding integer overflow checking features during compilation would reduce the number of overflow vulnerabilities.

For end users, we highly recommend keeping Adobe Flash Player up-to-date. By default this is done automatically, although some users may prefer being manually prompted to install newer versions.

The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security blocks browser exploits once the user accesses the URLs these are hosted at. Browser Exploit Prevention also protects against exploits that target browsers or related plugins.

The Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can frequently detect these threats as well without any engine or pattern update. Deep Security and Vulnerability Protection protect user systems from any threats that may use these vulnerabilities via the following DPI rules:

  • 1007519 – Adobe Flash Player Integer Overflow Vulnerability (CVE-2016-1010)
