Friday, October 29, 2010

Dumb Fuzzing - Flash Player Zero-day Vulnerability (CVE-2010-3654)

Via Fortinet Blog -

As indicated in our FortiGuard Advisory FGA-2010-53, an attack exploiting a critical zero-day vulnerability in Adobe Flash Player was found very recently roaming in the wild. Although the attack vector in the wild is a PDF file, it is a Flash Player vulnerability indeed (Adobe Reader embeds a Flash Player).

After analyzing the PDF sample, we do confirm that the core ActionScript in the embeded flash file, which triggers the exploit, is almost exactly the same as that of an example on flashamdmath.com, as Bugix Security guessed.

Almost? Indeed: the only difference lies in a single byte (at 0×494A, for those who’d like to make a signature based on that ;)), changed from 0×16 in the example to 0×07 in the exploit code:

[...]

Based on this, it is not extremely challenging to guess how the attacker discovered this 0day vulnerability: Simply by running a “dummy” fuzzer on basic flash files, as many bug hunters are doing. We had already noticed the same thing likely happened for CVE-2010-1297 and CVE-2010-2884.


--------------------------------------------------------------------------------------------------------------

The evidence presented by Bugix Security [and by Fortinet above], point to the attackers using the dumb fuzzing method on the legitimate flash file from flashandmath.com.

For those not familiar with dumb fuzzing, an attacker (or researcher) basically takes a legitimate valid file and then modifies it randomly (sometimes a single byte at a time) until a crash is produced, then those crashes are examined deeper for a exploitable vulnerability.

No comments:

Post a Comment