Exploiting ActionScript3 interpreter

Presented at VB2018, Oct. 3, 2018, 11:30 a.m. (30 minutes).

At the end of 2017 we discovered an *Adobe Flash Player* zero-day vulnerability (CVE-2017-11292) which was used in the BlackOasis APT. This case demonstrates that *Adobe Flash Player* is still a good target for threat actors. CVE-2017-11292 is a particularly interesting type-confusion vulnerability, and there are no public reports describing it. In this presentation we will present and release our own 'ActionScript3' processor module and debug plug-in for *IDA Pro*. These tools work together to complement each other, and have already shown good results in in-the-wild exploit debugging. We analysed the ActionScript Virtual Machine (AVM) and found a way to increase analysis with the rich possibilities of *IDA Pro* and APIs. In our presentation we will cover the following:

  • What exploitation techniques are used by threat actors now in Flash exploits
  • A detailed description of CVE-2017-11292
  • How to find new vulnerabilities in *Adobe Flash Player*
  • Our self-made *IDA Pro* plug-ins for analysis and debugging of Flash exploits

Presenters:

  • Anton Ivanov - Kaspersky Lab
    Anton graduated from Russia's Higher School of Economics in 2013, with a degree in information technology. Anton also has a Master's degree from the Russian Presidential Academy of National Economy and Public Administration. Anton joined Kaspersky Lab in 2011 as a malware analyst. Now he leads the behavioural detection team. Anton has several patents relating to malware detection. @antonivanovm
  • Boris Larin - Kaspersky Lab
    Boris Larin is a malware analyst at Kaspersky Lab, focused on exploits and network attack detection. His main fields of interest are reverse engineering, code deobfuscation and vulnerability research. He is also the author of educational materials for Kaspersky Academy and runs a malware reverse engineering course at Harbour.Space University in Barcelona. In his free time he likes to investigate and examine the security of embedded devices. @oct0xor
