CVE-2012-0754
published 2012-02-16

CVE-2012-0754: Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and…

Priority: P188 high
CVSS 3.1 base score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW (exploited in the wild), EXPLOIT (public exploit available)
CISA Known Exploited Vulnerability, due 2022-06-22
EPSS: 92.03% (99.8th percentile)
Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

Affected (4 ranges)

Vendor   Product        Version range             Fixed in
adobe    flash_player   < 10.3.183.15             10.3.183.15
adobe    flash_player   < 11.1.111.6              11.1.111.6
adobe    flash_player   < 11.1.115.6              11.1.115.6
adobe    flash_player   >= 11.0, < 11.1.102.62    11.1.102.62

Detection & IOCs (extracted from sources)

path: C:\WINDOWS\system32\Macromed\Flash\Flash11e.ocx
path: C:\WINDOWS\system32\Macromed\Flash\Flash10x.ocx
path: data/exploits/CVE-2012-0754.swf
url: /bbs/info.asp
filename: Iran's Oil and Nuclear Situation.doc
url: /test.mp4
bytes (malicious MP4: 'ftyp' box, 13-byte 'cprt' box, then 0x0c0c0c0c repeated 2586 times):
\x00\x00\x00\x18 ftypmp42 \x00\x00\x00\x00 mp42isom \x00\x00\x00\x0D cprt \x00\xFF\xFF\xFF \x00\x00\x00\x00 \x0c\x0c\x0c\x0c (x2586)
IDS rule (Emerging Threats SID 2014336, Yayih.A check-in; labelled "snort" on the page, but the http.* sticky buffers and the to_lowercase transform are Suricata 5+ syntax, so load it into Suricata):
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yayih.A Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/bbs/info.asp"; fast_pattern; http.header_names; to_lowercase; content:!"\x0d\x0auser-agent\x0d\x0a"; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; classtype:command-and-control; sid:2014336; rev:5; metadata:created_at 2012_03_09, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_20;)
  • Exploit delivers a malicious MP4 file with a corrupt 'cprt' atom containing heap spray pattern 0x0c0c0c0c repeated 2586 times; detect MP4 files with oversized/malformed 'cprt' boxes.
  • Post-exploitation C2 beacon (Yayih.A malware) sends HTTP POST to /bbs/info.asp and notably omits the User-Agent header; alert on POST requests to /bbs/info.asp lacking a User-Agent header.
  • Exploit module uses 'migrate -f' as InitialAutoRunScript for post-exploitation process migration; monitor for Flash-spawned processes migrating to other processes.
  • Exploit serves the malicious SWF with Content-Type 'application/x-shockwave-flash' and the MP4 payload with Content-Type 'video/mp4' from the same server; correlate HTTP responses serving both types from the same host.
  • Crash occurs at Flash10x+0x48b65 with EAX=0x0c0c0c0c (heap spray value); memory forensics or crash dumps showing this pattern indicate exploitation.
  • Affected versions are Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows/Mac/Linux/Solaris; before 11.1.111.6 on Android 2.x/3.x; before 11.1.115.6 on Android 4.x. The Metasploit module specifically targets Flash Player 11.1.102.55 and 10.3.183.10.
  • The exploit module targets specific browser/OS combinations (IE 6/7/8 on XP SP3, IE 7 on Vista) with different ROP chains (msvcrt or JRE-based); detection rules should account for all target variants.
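The first detection bullet above (malformed 'cprt' box plus heap-spray pattern) is easy to get wrong with a plain byte-signature, because the spray word and the box layout are both attacker-controlled. The following is an added example, not code from this page, from Adobe or from the exploit module: a minimal ISO BMFF (MP4) box walker that flags a 'cprt' box too small to hold its mandatory FullBox fields, a box header that cannot be trusted (non-ASCII type, size past end of file), and a long run of one repeated 4-byte word. The sample file is constructed from the byte pattern quoted in the IOC list; the 14-byte 'cprt' minimum follows from the FullBox layout (8-byte header, 4 bytes version/flags, 2 bytes pad/language), while the 256-repeat spray threshold is an assumption chosen for illustration.

```python
"""Flag MP4 files carrying the CVE-2012-0754 'cprt' trigger and a heap spray.

Added example. Sample bytes are constructed from the byte pattern quoted on
this page, not taken from a captured file; thresholds are assumptions.
"""
import struct

PRINTABLE = set(range(0x20, 0x7F))      # legitimate box types are 4 ASCII chars
CPRT_MIN_SIZE = 14                      # FullBox header (12) + pad/language (2)
SPRAY_MIN_REPEATS = 256                 # assumed: 1 KiB of one word is not media


def parse_boxes(data):
    """Yield (offset, size, type, ok, reason) for each top-level box.

    Stops after the first untrustworthy header, since every later offset would
    be derived from attacker-controlled bytes.
    """
    off, n = 0, len(data)
    while off + 8 <= n:
        size, btype = struct.unpack(">I4s", data[off:off + 8])
        hdr = 8
        if size == 1:                               # 64-bit largesize follows
            if off + 16 > n:
                yield (off, size, btype, False, "truncated largesize")
                return
            size = struct.unpack(">Q", data[off + 8:off + 16])[0]
            hdr = 16
        elif size == 0:                             # box runs to end of file
            size = n - off
        if not all(b in PRINTABLE for b in btype):
            yield (off, size, btype, False, "non-ASCII box type")
            return
        if size < hdr:
            yield (off, size, btype, False, "size smaller than header")
            return
        if off + size > n:
            yield (off, size, btype, False, "size exceeds file")
            return
        yield (off, size, btype, True, "")
        off += size


def longest_spray_run(data):
    """Return (word, repeats) for the longest run of one repeated 4-byte word."""
    best, i = (b"", 0), 0
    while i + 4 <= len(data):
        word, j = data[i:i + 4], i + 4
        while j + 4 <= len(data) and data[j:j + 4] == word:
            j += 4
        run = (j - i) // 4
        if run > best[1]:
            best = (word, run)
        i = j
    return best


def scan_mp4(data):
    """Return a list of finding strings; an empty list means nothing suspicious."""
    findings = []
    for off, size, btype, ok, reason in parse_boxes(data):
        if not ok:
            findings.append(f"malformed box at 0x{off:x}: {reason} "
                            f"(size={size}, type={btype!r})")
            break
        if btype == b"cprt" and size < CPRT_MIN_SIZE:
            findings.append(f"cprt box at 0x{off:x} declares {size} bytes, "
                            f"below the {CPRT_MIN_SIZE}-byte FullBox minimum")
    word, repeats = longest_spray_run(data)
    if repeats >= SPRAY_MIN_REPEATS:
        findings.append(f"heap-spray pattern {word.hex()} repeated {repeats} times")
    return findings


# Constructed from the byte pattern quoted in the IOC list above.
SAMPLE_MP4 = (
    b"\x00\x00\x00\x18" + b"ftyp" + b"mp42" + b"\x00\x00\x00\x00" + b"mp42isom"
    + b"\x00\x00\x00\x0D" + b"cprt"          # declares only 13 bytes
    + b"\x00\xFF\xFF\xFF" + b"\x00\x00\x00\x00"
    + b"\x0c\x0c\x0c\x0c" * 2586             # heap spray
)

# Constructed well-formed control: proper 23-byte cprt (language 'und') + empty free box.
BENIGN_MP4 = (
    b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"
    + b"\x00\x00\x00\x17cprt\x00\x00\x00\x00\x55\xc4(c) 2012\x00"
    + b"\x00\x00\x00\x08free"
)

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_MP4), ("benign", BENIGN_MP4)):
        print(name, scan_mp4(blob) or "clean")
```

On the sample the walker reports the undersized 'cprt' box, then stops at offset 0x25 where the next "box" is the spray itself (size 12, type 0c0c0c0c), and the run scanner reports 0x0c0c0c0c repeated 2586 times; the benign control produces no findings. Pair the structural checks with the spray check: a file that only trips the spray threshold may be a different exploit or a deliberately padded decoy, and a file that only has a short 'cprt' may be a sloppy encoder, but both together match this exploit's layout.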

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      8.1     HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C   (label as shown on the page; NVD's v2 scale tops out at HIGH for 7.0-10.0)
vulncheck      v3.x      8.1     HIGH
cisa           v3.x      8.1     HIGH
vendor_redhat  v3.x      8.1     HIGH