Angler EK Exploits Adobe Flash CVE-2015-3090
Researchers at FireEye have found a new attack by the Angler Exploit Kit that exploits CVE-2015-3090 in Adobe Flash Player. The attack uses common exploit kit obfuscation (SecureSWF) and techniques, and reuses the same CFG bypass (bytearray.toString) seen in last month's CVE-2015-0359 exploit. FlashVars are used to determine the URL of the next stage of the attack.
The exploit for CVE-2015-3090 relies on a race condition in the shader class: asynchronously modifying the width/height of a shader object while a shader job is starting results in memory corruption. Angler uses this to execute arbitrary code and infect the systems of users who have not patched.
How Does the Exploit Work?
Exploit Details
The exploit follows the steps below:
1. Check whether the target is vulnerable.
2. Create a vector of length 0x400 filled with vectors of length 0xA6.
3. Create a ShaderJob and set its width to 0.
4. Start the ShaderJob.
5. Set the ShaderJob width to 0x25E.
6. Wait 0x12C before continuing.
7. Loop through the vector from step 2 and find one whose length is neither 0xA6 nor 0xA6*2. This is the corrupted vector, which is then used for out-of-bounds memory access.
8. The post-corruption exploitation technique is the same as in last month's CVE-2015-0359 exploit, culminating in a control-flow transfer to attacker-controlled code via bytearray.toString, which circumvents CFG.
Adobe is expected to release an update for Adobe Flash Player soon; users are advised to apply it as soon as possible.