McAfee Labs Threat Advisory
Exploit-CVE2011-2140
February 24, 2012
Summary
Exploit-CVE2011-2140 is the detection for malicious swf files that infiltrate a victim's computer by
exploiting a Flash Player vulnerability and then download further malicious payloads from a remote
server. The vulnerability can crash the application and potentially allows an attacker to take control
of the affected system.
Detailed information about the exploit, its propagation, and mitigation is given in the following sections:
• Infection and Propagation Vectors
• Characteristics and Symptoms
• Getting Help from the McAfee Foundstone Services team
Infection and Propagation Vectors
Infection occurs when a user visits a compromised website that hosts the malicious JavaScript. Links to
the compromised websites may reach the victim by email as part of a spam campaign, through compromised
outbound links on another website, or through malicious URLs injected into pages via iframes.
Mitigation
Users are requested to exercise caution when opening unsolicited emails and unknown links. Users are
advised to apply Windows and third-party application security patches and update virus definitions on a
regular basis, and to have proper firewall filtering rules in place.
Characteristics and Symptoms
Description:
The pictorial illustration below [Figure 1] gives an overview and flow of this attack.
Figure 1 : Overview and Flow
The compromised web server hosts malicious JavaScript [Figure 2] that identifies the installed Flash
Player version and redirects the user to the malicious swf file.
Figure 2: Malicious Javascript
The attacker uses open source JavaScript code [Figure 3] to determine whether Flash Player is installed
on the machine, as shown below:
Figure 3: Detecting flash player’s presence
Once a vulnerable version is identified, control is transferred to the malicious swf file, which is
invoked with the following parameters [Figure 4].
Figure 4: Parameters
The malicious swf contains a DoABC tag holding the ActionScript bytecode [Figure 5] that the exploit
uses to load a second swf file and to spray the shellcode into memory.
Figure 5: Action Script -1
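As an added illustration (not code from the advisory or from McAfee), the following Python script walks the tag list of a swf file, handles the uncompressed (FWS) and zlib-compressed (CWS) containers, locates DoABC tags, and checks their ABC blocks for the identifier strings ActionScript needs in order to load a second swf (Loader.loadBytes) or to fill ByteArrays for a spray. It also notes DefineBinaryData tags that carry another swf inline. The sample swf it builds is constructed for the example; the tag codes and record layouts follow the SWF file format specification, and the indicator strings are a heuristic assumption, not a signature taken from the sample the advisory analyses.

```python
import struct
import zlib

# Tag codes from the SWF file format specification.
TAG_END = 0
TAG_SHOW_FRAME = 1
TAG_DOABC = 82
TAG_DEFINE_BINARY_DATA = 87

# Identifier strings that land in the ABC constant pool when ActionScript loads a
# second SWF (Loader.loadBytes) or fills ByteArrays for a spray. Heuristic hints only
# (assumption for this example, not a signature from the advisory).
INDICATORS = (b"flash.display.Loader", b"loadBytes", b"ByteArray", b"writeUnsignedInt")


def _rect_size(buf, pos):
    """Byte length of the RECT record at buf[pos]: 5 bits of Nbits, then 4*Nbits bits."""
    nbits = buf[pos] >> 3
    return (5 + 4 * nbits + 7) // 8


def parse_swf(data):
    """Walk the tag list of an uncompressed (FWS) or zlib-compressed (CWS) SWF."""
    sig, version = data[:3], data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF not handled in this example")
    else:
        raise ValueError("not a SWF file")

    pos = _rect_size(body, 0) + 4  # skip RECT, frame rate (UI16) and frame count (UI16)
    report = {"compression": sig.decode(), "version": version,
              "declared_length": declared_len, "tags": [], "doabc": [], "embedded_swf": []}

    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:  # long form: a UI32 length follows the header
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        payload = body[pos:pos + length]
        if len(payload) != length:
            raise ValueError("truncated tag %d at offset %d" % (code, pos))
        pos += length
        report["tags"].append((code, length))

        if code == TAG_DOABC:
            # DoABC body: UI32 flags, null-terminated name, then the ABC block.
            flags = struct.unpack_from("<I", payload, 0)[0]
            name_end = payload.index(b"\x00", 4)
            abc = payload[name_end + 1:]
            report["doabc"].append({
                "name": payload[4:name_end].decode("utf-8", "replace"),
                "flags": flags,
                "abc_size": len(abc),
                "indicators": [i.decode() for i in INDICATORS if i in abc],
            })
        elif code == TAG_DEFINE_BINARY_DATA:
            # DefineBinaryData body: UI16 character id, UI32 reserved, then raw bytes.
            char_id = struct.unpack_from("<H", payload, 0)[0]
            if payload[6:9] in (b"FWS", b"CWS", b"ZWS"):
                report["embedded_swf"].append(char_id)
        if code == TAG_END:
            break
    return report


def build_sample_swf(compress=False):
    """Constructed test data: a minimal SWF with one DoABC tag and one embedded SWF blob."""
    fake_abc = b"\x10\x00\x2e\x00" + b"\x00".join(INDICATORS) + b"\x00"  # ABC version 46.16 + strings
    doabc = struct.pack("<I", 1) + b"frame1\x00" + fake_abc
    doabc_tag = struct.pack("<HI", (TAG_DOABC << 6) | 0x3F, len(doabc)) + doabc
    blob = struct.pack("<HI", 1, 0) + b"FWS\x0a" + b"\x00" * 4
    blob_tag = struct.pack("<H", (TAG_DEFINE_BINARY_DATA << 6) | len(blob)) + blob
    show_frame = struct.pack("<H", TAG_SHOW_FRAME << 6)
    end_tag = struct.pack("<H", TAG_END)
    rect = b"\x00"  # a RECT with Nbits = 0 fits in one byte
    body = rect + struct.pack("<HH", 24 << 8, 1) + doabc_tag + blob_tag + show_frame + end_tag
    header = bytes([10]) + struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body


if __name__ == "__main__":
    print(parse_swf(build_sample_swf(compress=True)))
```

A DoABC tag with Loader/loadBytes strings is not malicious by itself; legitimate applications load embedded swf content the same way. The value of the walk is triage: it decompresses the container, separates the ActionScript from the rest of the file, and points an analyst at the bytecode and any inline second swf so that the actual behaviour can be examined.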
The loaded swf payload plays a movie file named "e.avi" [Figure 6], which triggers the Flash Player
vulnerability. On successful exploitation the remote attacker can execute arbitrary code.
Figure 6: Action Script -2
When the main .swf file is executed, Internet Explorer crashes in the Flash Player module
"flash10u.ocx", as shown in Figure 7.
Figure 7: Crash of Internet Explorer
Further investigation of the crash shows that the flaw in Flash Player allows the attacker to overwrite
the stack [Figure 8] and control EIP, which leads to execution of the shellcode. The figure shows the
stack overwritten with the value 0x0D0D0D0D.
Figure 8: Stack Overwrite
Control [Figure 9] is transferred to the address 0x0D0D0D0D by a LEAVE followed by a RETN instruction;
that address is already occupied by the sprayed shellcode, which is now ready for execution.
Figure 9: Control & Transfer
The shellcode then decrypts [Figure 10] the download URL and covertly downloads the malicious payload
from the remote server onto the victim's machine.
Figure 10: Decryption of URL
The malicious URL is clearly visible in the shellcode, as shown in Figure 11.
Figure 11: Shellcode
The following network connections were observed:
• tongjiaaexe.3322.org
• meorm.com
• news.zztlgg.com
Mitigation
• Block access to the domains listed above.
• Use a browser plug-in to block execution of scripts and iframes.
• Keep antivirus signatures up to date.
• Keep software up to date with the latest available patches.
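To make the first mitigation checkable, here is an added Python example (not from the advisory or McAfee) that runs the three observed hostnames against proxy log lines. The log lines are constructed for the example in a simple timestamp / client / method / URL layout; the matching treats each listed name and any of its subdomains as a hit, handles CONNECT requests whose target is host:port rather than a URL, and does not match look-alike names that merely contain a listed domain.

```python
from urllib.parse import urlsplit

# Hostnames observed in the advisory's network traffic.
BLOCKED_DOMAINS = ("tongjiaaexe.3322.org", "meorm.com", "news.zztlgg.com")

# Constructed proxy log lines for the example: timestamp, client IP, method, request target.
SAMPLE_LOG = """\
1330000001.123 10.1.2.3 GET http://news.zztlgg.com/e.avi
1330000002.456 10.1.2.3 GET http://www.meorm.com/x/y.swf
1330000003.789 10.1.2.4 GET http://example.com/index.html
1330000004.012 10.1.2.5 CONNECT tongjiaaexe.3322.org:443
1330000005.345 10.1.2.6 GET http://zztlgg.com.example.net/
"""


def host_from_request(method, target):
    """Normalise the hostname from a URL, or from the host:port target of a CONNECT."""
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname or ""
    return host.lower().rstrip(".")


def matches_blocklist(host, blocklist=BLOCKED_DOMAINS):
    """Return the indicator that matches host exactly or as a parent domain, else None."""
    for domain in blocklist:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_log(text, blocklist=BLOCKED_DOMAINS):
    """Return one record per log line whose destination host matches the blocklist."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or empty line; skip rather than crash the scan
        timestamp, client, method, target = parts[:4]
        host = host_from_request(method, target)
        indicator = matches_blocklist(host, blocklist)
        if indicator:
            hits.append({"time": timestamp, "client": client, "host": host, "indicator": indicator})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The advisory lists hostnames rather than zones, so the example matches the listed names and their subdomains only; whether to block the parent zones (for example all of 3322.org) is a wider decision than this page supports. Note that the last sample line, a host that merely contains "zztlgg.com" in its name, is correctly not reported.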
Getting Help from the McAfee Foundstone Services team
This document is intended to provide a summary of current intelligence and best practices to ensure
the highest level of protection from your McAfee security solution. The McAfee Foundstone Services
team offers a full range of strategic and technical consulting services that can further help to ensure
you identify security risk and build effective solutions to remediate security vulnerabilities. You can
reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx
© 2011 McAfee, Inc. All rights reserved.