What have we learned so far from Hacking Team pwnage? Flash and Windows zero-day holes

Confidential source code stolen from Hacking Team, and subsequently leaked online, has revealed fresh software vulnerabilities exploited by the spyware maker to infect victims’ computers.

The security holes can be used to inject malicious code into PCs that installs surveillance tools to monitor the user’s every move and remotely control their machines over the internet.

Hacking Team, which is based in Italy, appears to count the governments of Saudi Arabia, Oman, Sudan, Egypt, Lebanon, Russia, the US, and others, plus various private organizations, as its customers, past and present.

Adobe Flash

From what we’ve seen so far, inside the leaked source code lies an Adobe Flash exploit for which no patch exists: it can be used against Internet Explorer, Firefox, Chrome and Safari, and affects Flash Player 9 to the latest version, 18.0.0.194.

A proof-of-concept exploit uses the flaw to open calc.exe on Windows, proving a malicious Flash file downloaded from the internet can execute arbitrary code on a victim’s computer. Hacking Team describes it as “the most beautiful Flash bug for the last four years” in its internal documentation.

Adobe told us in a statement today that it is working on a patch, which it hopes to release by the end of the week. The vulnerability is present in its plugin software for Windows, OS X and Linux:

A critical vulnerability (CVE-2015-5119) has been identified in Adobe Flash Player 18.0.0.194 and earlier versions for Windows, Macintosh and Linux. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit targeting this vulnerability has been published publicly. Adobe expects to make updates available on July 8.

According to Trend Micro, the Flash vulnerability is a classic use-after-free() programming cockup that allows the attacker to read and write arbitrary bytes in memory. With that primitive, the malicious Flash file can build a chain of instructions that tells the Windows kernel to mark a chunk of injected code as executable – the code is then called and can do whatever it likes.

A technical breakdown of the vulnerability can be found here, written by a Chinese infosec researcher.

The bad news is that with the source code leaked, details of the Flash bug are now in the wild for crims to exploit against netizens.

“Without a doubt cyber criminals have already got their hands on it and will integrate it in their exploit kits soon,” warns Jérôme Segura of MalwareBytes.

Hacking Team uses another Flash vulnerability, CVE-2015-0349, but Adobe has patched that: this is why it’s always a good idea to update your software as soon as you can so you’re not caught out by old-day exploits.

Windows kernel

Meanwhile, another zero-day has apparently been found in the Hacking Team source code: this one is a vulnerability in atmfd.dll, the Adobe font driver that runs at the kernel level of the Windows operating system. This library is bundled with Windows so that it can render fonts on screen. The vulnerability is, we’re told, not the same as the MS15-021 flaw that Microsoft patched in March.

The hole affects 32-bit and 64-bit Windows XP to Windows 8.1, according to a detailed analysis published in China. This vulnerability can be used to elevate an attacker’s privileges to administrator level, allowing more damage or surveillance to be carried out. It can be chained with the aforementioned Flash zero-day to first execute code as a user and then gain more powers to fully hijack the system.

We’re told the vulnerability is exploited by loading a malicious OTF font file, and then calling a poorly coded software interface in atmfd.dll to read and write to kernel memory. This allows high-level security tokens to be copied to the running process, elevating its privileges – this also sidesteps protection mechanisms in Windows (such as SMEP) that try to prevent malicious code execution. Google Chrome’s sandbox feature defeats this attack, we’re told.

Again, with this exploit in the wild now, crooks can wield it against normal netizens to seize control of their PCs. Analysis of the Hacking Team leak is still ongoing.

Microsoft was not available for immediate comment. ®


Article source: TheReg http://go.theregister.com/feed/www.theregister.co.uk/2015/07/07/hacking_team_zero_days_flash_windows_kernel/