- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
Adobe Flash 0-day exploit
03/26/2020 
6 People found this article helpful
100,507 Views
Description
Adobe Flash 0-day exploit
Resolution
Adobe Flash 0-day exploit (July 22, 2009)
SonicWall UTM Research team found reports of new 0-day vulnerability in Adobe Flash player v9 and v10 being exploited in the wild via malicious drive-by sites.
SonicWall UTM Research team found reports of new 0-day vulnerability in Adobe Flash player v9 and v10 being exploited in the wild via malicious drive-by sites.
The exploit is being actively served in the wild via following URL that is found to be injected into pages of infected websites:
- sorla.us/(REMOVED)x/mail.asp
The above page will only load with a valid referrer field containing the URL of one of the infected pages. The active server page contains script to identify user's browser environment and based on that loads one of the following pages:
- If browser is not Internet Explorer, iframe URL- sorla.us/(REMOVED)x/ff.html
- If browser is Internet explorer and has flash ActiveX installed, iframe URL- sorla.us/(REMOVED)x/ie.html
- if browser is Internet Explorer and script cannot create a valid flash ActiveX object, iframe URL- sorla.us/(REMOVED)x/mpg.html
The code snippet can be seen below:
In the first two cases, ff.html and ie.html contains JavaScript to download and run malicious Shockwave flash file that exploits 0-day vulnerability in Adobe Flash player:
- sorla.us/(REMOVED)x/xp.swf [Detected as GAV: Pidief_2 (Exploit)]
It also downloads XORed Backdoor Trojan executable file from following URL:
- sorla.us/(REMOVED)x/xor.gif [Detected as GAV: Agent.ROX (Trojan)]
Screenshot of 0-day exploit in action causing the flash player object and browser to crash can be seen below:
In the third case, mpg.html page contains JavaScript that further checks for the presence of specific host AntiVirus software from Kaspersky and McAfee. If the AntiVirus software is not present then it tries to exploit Microsoft DirectShow Msvidctl vulnerability.
The code snippet for AntiVirus presence detection can be seen below:
SonicWall Gateway AntiVirus provides protection against this threat via GAV: Pidief (Exploit), GAV: Pidief_2 (Exploit), GAV: Pidief_3 (Exploit) and GAV: Agent.ROX (Trojan) signatures.
Click here to read the complete security alert from SonicWall Security Centre.
Click here to read the complete security alert from SonicWall Security Centre.
Related Articles
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO