A proof of concept (for Flash 14.0.0.145) of a heap-based buffer overflow patched on September 9th, affecting Flash 13.0.0.<244, 14.0.0.<=179 15.0.0.<152 was published on September 30th on Packet Storm . Code targeting that CVE is now in Nuclear Pack.
Nuclear Pack :
Spotted on the 2014-10-19 but i thought illustrating it with a top500 worldwide website (owner will explain that it has been abused again...strange timing no ?) would better set things in perspective.
<edit>
For people thinking i "forgot" to credit Threat Glass for the referer...take a look at the vote timestamp on the payload ;)
</edit>
Beeg .com leading to Nuclear Pack and Cryptowall Successul CVE-2014-0556 pass in Nuclear Pack 2014-10-20 |
GET http://axxesopri .ml/305d439amjgij.html
200 OK (text/html) d0806f81d4aaada74228ac352b463c05
Here another fresh Nuclear Pack landing after first deobfuscation pass :
http://pastebin.com/8U1rPbF7
CVE-2014-0556 related piece of Code in Nuclear Pack |
GET http://axxesopri .ml/e109e3265b7emjgij/1413764940
200 OK (application/octet-stream) 23efdf5481fcd364559b0949a25c747d CVE-2014-0556 - Confirmation by @TimoHirvonen
GET http://axxesopri .ml/e109e326mjgij/1413764940/7
200 OK (application/octet-stream) d0806f81d4aaada74228ac352b463c05 - Cryptowall
--------------------------------
[Public Mail Reply]
How can I manage the updates for free and in a reliable way ?
You can consider using opensource tools like wpkg to spread the update. Ocs Inventory NG to ensure that the update campaign has been totally successful (and track the glitches).
In a multi-site environment a well thought DFS installation may help pushing the wpkg/update package on all remote sites. Then new flash/java/reader updates can be handled in few minutes (comments welcome)
Files: A pointless : Nothing yet.
Read more:
Exploiting CVE-2014-0556 in Flash - 2014-09-23 - Chris Evans - Project Zero
Adobe Flash 14.0.0.145 copyPixelsToByteArray() Heap Overflow - 2014-09-30 - Packet Storm