Archive

2010年6月 的Archive

Flash zero-day(CVE-2010-1297) used in mass injections

2010年6月13日 Mars 1 則評論

In recent days, the vulnerability of flash(CVE-2010-1297) has been used for drive-by download. Therefore, many websites are injected by malicious links such as  (hxxp://2677.in/yahoo.js), and those comprised webistes are intruded by automatic mass injection tools.   

Mass Injections   

TOMTOM WebSite is injected by Malicious link

In most cases, hackers are faster than vendors, so it gives them a great opportunity to build a strong BotNet and be able to control more victims. :(    

The following flow chart shows the attacking path of Zero-Day.     

閱讀全文…

Categories: Exploits, General Discuss, Malware Research Tags:

Flash crash caused by bad P-Code modification (CVE-2010-1297)

2010年6月10日 Mars 尚無評論

After analyzing the PDF sample (which is still exploited in the wild),we extract the embedded flash file called "pad.swf",This file seems modified from the website http://lostinactionscript.googlecode.com/svn/trunk/bin/AES-PHP.swf.

If we compare these two files deeply(shown as below),

Orginal AES-PHP.swf (0×66)

Exploit pad.swf(0×40)

It is surprised that there is just 1 byte changed. It causes flash ActionScript to execute a newfunction() and disturb the internal ActionScript engine stack .

Here is a problem in the JIT-ed AS code:

閱讀全文…

Categories: Exploits Tags: