CVE-2016-1019: A New Flash Exploit Included in Magnitude Exploit Kit

On April 2, security researcher @Kafeine at Proofpoint discovered a
change to the Magnitude Exploit Kit. Thanks to their collaboration, we
analyzed the sample and discovered that Magnitude EK was exploiting a
previously unknown vulnerability in Adobe Flash Player
(CVE-2016-1019). The in-the-wild exploit achieves remote code
execution on recent versions of Flash Player, but fails on the latest
version (21.0.0.197).

Version 21.0.0.197 still contains the vulnerable code, but the exploit
fails against it because Adobe introduced new exploit mitigations in
version 21.0.0.182 of Flash Player. This was a great move by Adobe,
and it shows how valuable investment in exploit mitigations can be:
before the exploit kit authors could devise a way around the new
mitigations, Adobe patched the underlying vulnerability.

Exploit Delivery Chain

Magnitude EK recently updated its delivery chain. It added a profile
gate, just like Angler EK, which collects the screen’s dimensions and
color depth (Figure 1).

Figure 1. JS of Profile Gate

The server responds with another profiling page, which tries to
avoid sending exploits to users browsing from virtual machines or
from machines with certain security products or analysis tools (such
as the Fiddler debugging proxy) installed (Figure 2). See the appendix
for the full list of checks performed.

Figure 2. JS of redirecting to main exploit page
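The checks in the appendix all rely on the same Internet Explorer behaviour: a res:// URI loads a named resource (an icon or bitmap) out of a local PE file, so a script or image element pointed at one of these URIs fires its load handler when the file exists and its error handler when it does not. The profiling page turns that into an inventory of VM tools, security products and analysis tools before deciding whether to serve the exploit. The following JavaScript is an added example, not code from Magnitude EK or from the original post: it takes the defender's side, pulls the res:// probes out of a captured script, decodes what each one fingerprints, and flags the script as a profiling gate. The captured script and the "profiling gate" threshold are constructed for the example; the six res:// URIs in it are taken from the appendix.

```javascript
// Added example (not code from Magnitude EK or the original post). Parses the
// res:// probes a profiling page embeds, classifies what each one fingerprints,
// and flags a captured script as an exploit-kit profiling gate. The captured
// script below is constructed for this example; its six res:// URIs are taken
// from the appendix of the post.
const CAPTURED_SCRIPT = String.raw`
var chk = [
  "res://\Program%20Files%20(x86)\Fiddler2\Fiddler.exe/#3/#32512",
  "res://\Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567",
  "res://\Program%20Files%20(x86)\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204",
  "res://\Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/200",
  "res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567",
  "res://\Program%20Files\Trend Micro\Titanium\TmConfig.dll/#2/#30994"
];
`;

// Windows resource-type numbers that appear as the "#N" type segment.
const RESOURCE_TYPES = { "#1": "RT_CURSOR", "#2": "RT_BITMAP", "#3": "RT_ICON" };

// Which product family a probed path fingerprints (grouping assumed here).
const CLASSES = [
  [/VMware|VirtualBox|Parallels/i, "virtual-machine"],
  [/Fiddler/i, "analysis-tool"],
  [/Malwarebytes|Trend Micro|Kaspersky/i, "antivirus"],
];

// res://<module path>/<type>/<name>. The module path uses backslashes, so the
// last two forward-slash segments are the resource type and resource id.
const RES_URI = /^res:\/\/(.+)\/([^/]+)\/([^/]+)$/;

function parseResProbe(uri) {
  const m = RES_URI.exec(uri);
  if (!m) return null;
  const parts = decodeURIComponent(m[1]).split("\\").filter(Boolean);
  const path = parts.join("\\");
  const cls = CLASSES.find(([re]) => re.test(path));
  return {
    uri,
    path,
    wow64: /\(x86\)/.test(parts[0]),   // Program Files (x86): 32-bit product on 64-bit Windows
    file: parts[parts.length - 1],
    resourceType: RESOURCE_TYPES[m[2]] || m[2],
    resourceId: m[3],
    category: cls ? cls[1] : "unknown",
  };
}

// Pull every res:// URI out of captured page or script text. Paths contain
// spaces, so the match runs to the closing quote rather than to whitespace.
function extractResUris(text) {
  return text.match(/res:\/\/[^"']+/g) || [];
}

// Summarise a captured script: how many probes, what they look for, and
// whether the mix (VM detection plus security-product checks) matches a
// profiling gate. The threshold is an assumption for this example.
function analyzeCapturedScript(text) {
  const probes = extractResUris(text).map(parseResProbe).filter(Boolean);
  const byClass = {};
  for (const p of probes) byClass[p.category] = (byClass[p.category] || 0) + 1;
  const profilingGate =
    probes.length >= 3 &&
    (byClass["virtual-machine"] || 0) > 0 &&
    (byClass["antivirus"] || 0) > 0;
  return { total: probes.length, byClass, profilingGate, probes };
}

const report = analyzeCapturedScript(CAPTURED_SCRIPT);
console.log(JSON.stringify({ total: report.total, byClass: report.byClass, profilingGate: report.profilingGate }));
for (const p of report.probes) {
  console.log(`${p.category.padEnd(16)} ${p.file} (${p.resourceType} ${p.resourceId})`);
}
```

The same extractor can be run over landing pages captured by a proxy or sandbox; a page that enumerates several VM tools and security products through res:// before redirecting is worth treating as a gate regardless of which exploit it eventually serves.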

In our tests, Magnitude EK delivered the Internet Explorer JSON double
free exploit (CVE-2015-2419) and a small Flash loader that loads the
new Flash exploit (Figure 3).

Figure 3. JS of loading exploits

The Flash Exploit

A memory corruption vulnerability exists in an undocumented ASnative
API. The exploit uses it to make the Flash memory allocator hand out
buffers under the attacker's control. The attacker can then obtain a
ByteArray whose length is 0xFFFFFFFF, so that every index passes the
bounds check and the exploit can read and write arbitrary memory
through it, as seen in Figure 4. The exploit's code layout and some of
its functionality resemble the leaked HackingTeam exploits; like them,
it downloads malware from another server and executes it.

Figure 4. ActionScript of Flash exploits
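Why a length of 0xFFFFFFFF is enough for arbitrary read/write, and why a length-validation mitigation stops that particular primitive, is easiest to see in a few lines of C. The model below is an added example and is not Flash Player code or the exploit's ActionScript: a toy ByteArray is a buffer pointer plus the length that the bounds check consults, and corrupting only that length turns an honest bounds-checked read into a relative read over everything after the buffer. The hardened variant keeps a second copy of the length XORed with a per-process cookie and refuses to use a length that no longer matches it; that illustrates the length-validation class of mitigation in general and is an assumption for the example, not a description of what Adobe changed in 21.0.0.182. The 64-byte arena, the 16-byte buffer and the value at offset 40 are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy ByteArray-like object: a buffer pointer plus the length used for bounds
 * checks. (Hypothetical model for this example, not Flash Player's layout.) */
typedef struct {
    uint8_t *data;
    uint32_t length;
} toy_bytearray;

/* Bounds-checked read. Every index below `length` is accepted, so once an
 * attacker writes 0xFFFFFFFF into `length` every 32-bit index passes and the
 * read reaches anything addressable relative to `data`. */
bool ba_read(const toy_bytearray *ba, uint32_t index, uint8_t *out)
{
    if (index >= ba->length)
        return false;
    *out = ba->data[index];
    return true;
}

/* Hardened variant: the length is stored twice, the second copy XORed with a
 * per-process secret, and the pair is checked before every use. A corruption
 * that overwrites only the plain length no longer yields a usable primitive.
 * Illustrates the length-validation class of mitigation; assumed for this
 * example, not a description of Adobe's 21.0.0.182 change. */
typedef struct {
    uint8_t *data;
    uint32_t length;
    uint32_t length_check;   /* length ^ LENGTH_COOKIE, written only by hba_init */
} hard_bytearray;

/* A real runtime would draw this from a CSPRNG at startup; fixed here for the demo. */
static const uint32_t LENGTH_COOKIE = 0x5A3C9F17u;

void hba_init(hard_bytearray *ba, uint8_t *data, uint32_t length)
{
    ba->data = data;
    ba->length = length;
    ba->length_check = length ^ LENGTH_COOKIE;
}

bool hba_read(const hard_bytearray *ba, uint32_t index, uint8_t *out)
{
    if ((ba->length ^ LENGTH_COOKIE) != ba->length_check)
        return false;                       /* length field was tampered with */
    if (index >= ba->length)
        return false;
    *out = ba->data[index];
    return true;
}

/* Constructed scenario shared by both demos: a 64-byte arena holding a 16-byte
 * ByteArray buffer at offset 0 and an unrelated value at offset 40 that the
 * ByteArray must never be able to reach. */
enum { ARENA_SIZE = 64, BUF_LEN = 16, SECRET_OFF = 40, SECRET_VAL = 0x42 };

/* Returns the byte read at index 40 after the length field is corrupted,
 * -1 if the read was refused, -2 if the uncorrupted object leaked it. */
int demo_vulnerable(void)
{
    uint8_t arena[ARENA_SIZE];
    memset(arena, 0, sizeof arena);
    arena[SECRET_OFF] = SECRET_VAL;

    toy_bytearray ba = { arena, BUF_LEN };
    uint8_t v = 0;
    if (ba_read(&ba, SECRET_OFF, &v))
        return -2;                          /* honest length: index 40 is out of bounds */

    ba.length = 0xFFFFFFFFu;                /* simulated memory-corruption write */
    return ba_read(&ba, SECRET_OFF, &v) ? v : -1;   /* now succeeds: relative read */
}

int demo_hardened(void)
{
    uint8_t arena[ARENA_SIZE];
    memset(arena, 0, sizeof arena);
    arena[SECRET_OFF] = SECRET_VAL;

    hard_bytearray ba;
    hba_init(&ba, arena, BUF_LEN);
    uint8_t v = 0;
    ba.length = 0xFFFFFFFFu;                /* same corruption; cookie copy untouched */
    return hba_read(&ba, SECRET_OFF, &v) ? v : -1;  /* refused before the bounds check */
}

int main(void)
{
    printf("vulnerable model: read at %d after length corruption -> %d\n", SECRET_OFF, demo_vulnerable());
    printf("hardened model:   read at %d after length corruption -> %d\n", SECRET_OFF, demo_hardened());
    return 0;
}
```

The check only defeats corruptions that touch the plain length; an attacker who can also write the cookie copy, or who can learn the cookie, is back to the original primitive, which is why such checks are paired with keeping the cookie out of attacker-readable memory and with separating attacker-controlled allocations from object metadata.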

Conclusion

This is not the first time that new exploit mitigation research has
rendered an in-the-wild zero-day exploit ineffective. Exploit
mitigations are an invaluable tool for the industry, and their ongoing
development within some of the most widely targeted applications, such
as Internet Explorer/Edge and Flash Player, changes the game.

Despite regular security updates, attackers continue to target Flash
Player, primarily because of its ubiquity and cross-platform reach. If
Flash Player is required in your environment, ensure that you update
to the latest version, and consider the use of mitigation tools such
as EMET from Microsoft.

Adobe has issued a security bulletin for this vulnerability.

Acknowledgements

A huge thank you to @Kafeine, without whom this discovery would not
be possible. His diligence continues to keep this industry at pace
with exploit kit authors around the world.

Appendix

res://\Program%20Files%20(x86)\Fiddler2\Fiddler.exe/#3/#32512
res://\Program%20Files\Fiddler2\Fiddler.exe/#3/#32512
res://\Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567
res://\Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#26567
res://\Program%20Files%20(x86)\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996
res://\Program%20Files\VMware\VMware Tools\TPAutoConnSvc.exe/#2/#30996
res://\Program%20Files%20(x86)\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110
res://\Program%20Files\Oracle\VirtualBox Guest Additions\uninst.exe/#2/#110
res://\Program%20Files%20(x86)\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204
res://\Program%20Files\Parallels\Parallels Tools\Applications\setup_nativelook.exe/#2/#204
res://\Program%20Files%20(x86)\Malwarebytes Anti-Malware\mbamext.dll/#2/202
res://\Program%20Files\Malwarebytes Anti-Malware\mbamext.dll/#2/202
res://\Program%20Files%20(x86)\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE
res://\Program%20Files\Malwarebytes Anti-Malware\unins000.exe/#2/DISKIMAGE
res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/200
res://\Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/200
res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\mbae.exe/#2/201
res://\Program%20Files\Malwarebytes Anti-Exploit\mbae.exe/#2/201
res://\Program%20Files%20(x86)\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE
res://\Program%20Files\Malwarebytes Anti-Exploit\unins000.exe/#2/DISKIMAGE
res://\Program%20Files%20(x86)\Trend Micro\Titanium\TmConfig.dll/#2/#30994
res://\Program%20Files\Trend Micro\Titanium\TmConfig.dll/#2/#30994
res://\Program%20Files%20(x86)\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994
res://\Program%20Files\Trend Micro\Titanium\TmSystemChecking.dll/#2/#30994
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 7.0\shellex.dll/#2/#102
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2009\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2010\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2011\avzkrnl.dll/#2/BBALL
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2012\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 2013\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Internet Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 14.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.1\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 15.0.2\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky Total Security 16.0.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky PURE 2.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky PURE 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky CRYSTAL 3.0\x86\mfc42.dll/#2/#26567
res://\Program%20Files%20(x86)\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567
res://\Program%20Files\Kaspersky Lab\Kaspersky PURE\mfc42.dll/#2/#26567

This is a Security Bloggers Network syndicated blog post authored by Nick Harbour. Read the original post at: Threat Research Blog