A zero-day vulnerability in Adobe Flash Player has been discovered in the wild. The bug is a use-after-free vulnerability in the Adobe Flash MediaPlayer DRM management API, and it can be exploited to achieve remote code execution. CVE-2018-4878 has been assigned to track this vulnerability. The affected versions are Adobe Flash Player ActiveX 184.108.40.206 and earlier. Adobe has released an advisory acknowledging the zero-day and has assigned it a severity rating of critical. The fix for this issue was to be delivered via a "release planned for the week of February 5". Adobe has since issued a fix in version 220.127.116.11. The Korean CERT division has also released a notice addressing the Flash Player vulnerability.
The exploit is delivered via a malicious MS Office document with an embedded Flash file. Initial reports on Twitter show the exploit being triggered by a click event on a specific cell in an Excel sheet. Group123 has been attributed to this attack.
As mentioned, the issue is caused by a use-after-free in the DRM management API, more specifically in the DRM Manager's initialize function. A DRM object is associated with a media player and is freed after it is initialized. However, a dangling pointer to the freed location remains. Because this memory can still be used after it is freed, the result is a use-after-free (UAF). In the exploit, the freed space is reused to store a ByteArray, which is used to obtain a read/write primitive.
In the wild, CVE-2018-4878 is exploited using a .xlsx or .doc file that contains reconnaissance code which gathers system information and sends it to a command server; the server responds with a decryption key. This key is then used to decode the underlying code that targets the UAF vulnerability. Once read/write primitives are achieved, the exploit stores a shellcode blob in memory, locates Kernel32!VirtualProtect to bypass DEP, and uses Kernel32!CreateProcessA to execute the shellcode via cmd.exe. The attack cycle ends with downloading and executing the ROKRAT malware. A PoC and samples of the malware are available.
We request that organizations apply the latest patches provided by Adobe. Administrators can modify Flash Player's behavior when it is running in IE on Windows 7 and below by displaying a prompt to the user before any SWF content is played. Protected View can also be enabled for local files, files from the internet, etc.
Please scan your network with QID 370756 to detect vulnerable targets. The QID checks the version of Adobe Flash Player installed on the target machine.
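The version check the QID performs can be reproduced for ad-hoc triage of inventory data. The following is an added example (not Qualys' or Adobe's code): it recovers the Flash Player ActiveX version from the `Flash32_<a>_<b>_<c>_<d>.ocx` filename convention, compares it numerically (a plain string comparison would misorder builds such as 9.x and 28.x), and flags anything below the fixed build. The fixed-version threshold and the OCX filenames used here are constructed sample values; for a real scan, set the threshold to the fixed build published in Adobe's advisory.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Flash Player ActiveX ships as Flash32_<major>_<minor>_<build>_<rev>.ocx
# (Flash64_ on 64-bit); this regex recovers the dotted version from that name.
OCX_NAME = re.compile(r"^Flash(?:32|64)_(\d+)_(\d+)_(\d+)_(\d+)\.ocx$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '28.0.0.137' into (28, 0, 0, 137) so comparisons are numeric, not lexical."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_from_ocx_name(filename: str) -> Optional[str]:
    """Return the dotted version encoded in a Flash OCX filename, or None if it is not one."""
    m = OCX_NAME.match(filename)
    return ".".join(m.groups()) if m else None


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed build is older than the build carrying the fix."""
    return parse_version(installed) < parse_version(fixed)


def triage(filenames: Iterable[str], fixed: str) -> Dict[str, str]:
    """Map each recognised Flash OCX filename to a verdict; other files are skipped."""
    verdicts: Dict[str, str] = {}
    for name in filenames:
        ver = version_from_ocx_name(name)
        if ver is not None:
            verdicts[name] = "VULNERABLE" if is_vulnerable(ver, fixed) else "patched"
    return verdicts


# Constructed sample inventory and threshold (placeholder values, not from any advisory).
SAMPLE_FIXED = "30.0.0.100"
SAMPLE_FILES = [
    "Flash32_30_0_0_99.ocx",   # one build below the fix: flagged
    "Flash32_30_0_0_100.ocx",  # exactly the fixed build: not flagged
    "Flash64_9_0_0_1.ocx",     # old build; string compare would wrongly call this newer
    "FlashUtil32_30_0_0_100_ActiveX.exe",  # not an OCX: skipped
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES, SAMPLE_FIXED).items():
        print(f"{name}: {verdict}")
```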