Adobe Flash ID3 Decode Integer Overflow
Description
Heap-based buffer overflow in Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allows attackers to execute arbitrary code via an MP3 file with COMM tags that are mishandled during memory allocation, a different vulnerability than CVE-2015-8438.
Technical Analysis
Details
This is a vulnerability in Adobe Flash. It is due to an incomplete patch of CVE-2015-5560. The decode_buffer_size is calculated this way in Flash:
decode_buffer_size = (encode_data_size - 1) * 6 + 2
In asm:
.text:10024F13 loc_10024F13: ; CODE XREF: sub_10024C79+278j
.text:10024F13 mov eax, ebx
.text:10024F15 imul eax, 6
.text:10024F18 add eax, 2
.text:10024F1B cmp [esi+28h], eax
.text:10024F1E mov [ebp+var_20], eax
.text:10024F21 jge short loc_10024F4D
During decoding, the buffer can be reallocated:
int current_buffer_size;
int decoded_buffer_size;
if (current_buffer_size < decoded_buffer_size) {
    // reallocate the decode buffer
}
If the encode_data_size is larger than 0x2aaaaaab, it will cause an integer overflow in the calculation of (encode_data_size - 1) * 6 + 2.
Patch for CVE-2015-5560
Version 18.0.0.232:
.text:10024E3E mov eax, [ebp+var_14]
.text:10024E41 imul eax, 6
.text:10024E44 inc eax
.text:10024E45 inc eax
.text:10024E46 cmp eax, [ebp+var_14]
.text:10024E49 jbe loc_10024FB8
The patch requires (encode_data_size * 6 + 2) > encode_data_size; since the branch is jbe, this is an unsigned comparison.
Analysis of CVE-2015-8446
If the patch is bypassed, we have CVE-2015-8446.
If encode_data_size is 0x15555580:
(0x15555580 - 1) * 6 + 2 = 0x800000FC
This value passes the patch's unsigned check but is less than 0 when read as a signed 32-bit integer, which is how the jge at loc_10024F1B compares it against the current buffer size. The decode buffer is therefore not reallocated, and that can cause an overflow.
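The arithmetic above, reproduced as an added C example (not code from the assessment or from Adobe): the wrapping 32-bit size formula, the unsigned check from 18.0.0.232, the signed reallocation comparison, and an assumed hardened variant that computes the size in 64 bits and rejects the 0x15555580 case. Function names are chosen for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Size formula from the disassembly: 32-bit arithmetic, so it wraps. */
uint32_t decode_buffer_size(uint32_t encode_data_size) {
    return (encode_data_size - 1u) * 6u + 2u;
}

/* The 18.0.0.232 check (cmp eax,[var_14]; jbe) is an unsigned compare:
   it only rejects inputs whose n*6+2 wrapped to a value <= n. */
bool patched_check_passes(uint32_t encode_data_size) {
    return encode_data_size * 6u + 2u > encode_data_size;
}

/* The reallocation decision (cmp [esi+28h],eax; jge) is a signed compare,
   so a wrapped size that reads as negative never triggers a reallocation. */
bool reallocation_skipped(int32_t current_buffer_size, uint32_t decoded) {
    return current_buffer_size >= (int32_t)decoded;
}

/* Hardened variant (assumed, not Adobe's fix): compute in 64 bits and
   reject anything that does not fit a positive int32. Returns -1 on reject. */
int64_t safe_decode_buffer_size(uint32_t encode_data_size) {
    if (encode_data_size == 0) return -1;
    uint64_t v = ((uint64_t)encode_data_size - 1u) * 6u + 2u;
    return v > (uint64_t)INT32_MAX ? -1 : (int64_t)v;
}

int main(void) {
    uint32_t n = 0x15555580u;            /* value from the assessment */
    uint32_t sz = decode_buffer_size(n);
    printf("decode_buffer_size(0x%x) = 0x%x\n", (unsigned)n, (unsigned)sz);
    printf("18.0.0.232 check passes: %d\n", patched_check_passes(n));
    printf("realloc skipped (current 0x100): %d\n",
           reallocation_skipped(0x100, sz));
    printf("safe size: %lld\n", (long long)safe_decode_buffer_size(n));
    return 0;
}
```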
ByteArray Length Protection
Adobe introduced the ByteArray Length Protection in December, which would make exploitation difficult against newer versions of Adobe Flash.
It is likely the exploit in the wild exploited an older version of Adobe Flash (this needs to be confirmed).