CVE-2012-0754
Published: 2012-02-16
Priority: P188 · Severity: high · CVSS 3.1 base score: 8.1
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2022-06-22)
Exploited in the wild
EPSS: 92.03% (99.8th percentile)
Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | flash_player | < 10.3.183.15 | 10.3.183.15 |
| adobe | flash_player | < 11.1.111.6 | 11.1.111.6 |
| adobe | flash_player | < 11.1.115.6 | 11.1.115.6 |
| adobe | flash_player | >= 11.0 < 11.1.102.62 | 11.1.102.62 |
Detection & IOCs (extracted from sources)
- url: /bbs/info.asp
- bytes: \x00\x00\x00\x18 ftypmp42 \x00\x00\x00\x00 mp42isom \x00\x00\x00\x0D cprt \x00\xFF\xFF\xFF \x00\x00\x00\x00 \x0c\x0c\x0c\x0c (x2586)
- snort: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yayih.A Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/bbs/info.asp"; fast_pattern; http.header_names; to_lowercase; content:!"\x0d\x0auser-agent\x0d\x0a"; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; classtype:command-and-control; sid:2014336; rev:5; metadata:created_at 2012_03_09, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_20;)
- Exploit delivers a malicious MP4 file with a corrupt 'cprt' atom containing the heap-spray pattern 0x0c0c0c0c repeated 2586 times; detect MP4 files with oversized or malformed 'cprt' boxes.
- Post-exploitation C2 beacon (Yayih.A malware) sends an HTTP POST to /bbs/info.asp and notably omits the User-Agent header; alert on POST requests to /bbs/info.asp lacking a User-Agent header.
- Exploit module uses 'migrate -f' as InitialAutoRunScript for post-exploitation process migration; monitor for Flash-spawned processes migrating into other processes.
- Exploit serves the malicious SWF with Content-Type 'application/x-shockwave-flash' and the MP4 payload with Content-Type 'video/mp4' from the same server; correlate HTTP responses serving both types from the same host.
- Crash occurs at Flash10x+0x48b65 with EAX=0x0c0c0c0c (heap-spray value); memory forensics or crash dumps showing this pattern indicate exploitation.
- Affected versions are Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows/Mac/Linux/Solaris; before 11.1.111.6 on Android 2.x/3.x; before 11.1.115.6 on Android 4.x. The Metasploit module specifically targets Flash Player 11.1.102.55 and 10.3.183.10.
- The exploit module targets specific browser/OS combinations (IE 6/7/8 on XP SP3, IE 7 on Vista) with different ROP chains (msvcrt or JRE-based); detection rules should account for all target variants.
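As an added example, not code from this page or from any of the sources it aggregates, the following Python walks the top-level ISO BMFF box structure of an MP4 byte string and applies the two heuristics from the list above: a box whose declared size does not fit the file (the malformed 'cprt' case), and a long run of the 0x0c0c0c0c heap-spray value inside or after the boxes. The malicious sample is constructed inline from the byte IOC above; the 64-repeat threshold, the function names and the benign sample are assumptions made for this example.

```python
"""Detection helper: flag MP4 files with malformed 'cprt' boxes or heap-spray padding.

Added example, not code from any source on this page. Implements the two
heuristics from the IOC list: a box whose declared size does not fit the
file, and a long run of the 0x0c0c0c0c heap-spray value.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

SPRAY_PATTERN = b"\x0c\x0c\x0c\x0c"  # heap-spray value from the IOC list
SPRAY_MIN_REPEATS = 64                # assumed threshold; a real copyright notice never needs this


@dataclass
class Finding:
    offset: int
    reason: str


def walk_boxes(data: bytes) -> Tuple[List[Finding], int]:
    """Walk top-level ISO BMFF boxes (4-byte big-endian size + 4-byte type).

    Returns the structural findings and the offset at which the walk stopped;
    everything past that offset is not covered by a well-formed box header.
    """
    findings: List[Finding] = []
    pos, end = 0, len(data)
    while pos < end:
        if end - pos < 8:
            findings.append(Finding(pos, "trailing bytes shorter than a box header"))
            break
        size = struct.unpack(">I", data[pos:pos + 4])[0]
        btype = data[pos + 4:pos + 8]
        header = 8
        if size == 1:                         # 64-bit 'largesize' follows the type
            if end - pos < 16:
                findings.append(Finding(pos, "largesize header truncated"))
                break
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:                       # box extends to end of file
            size = end - pos
        if not all(0x20 <= b < 0x7F for b in btype):
            findings.append(Finding(pos, f"non-printable box type {btype!r}"))
            break
        name = btype.decode("ascii")
        if size < header or pos + size > end:
            findings.append(Finding(pos, f"box '{name}' declares size {size} that does not fit the file"))
            break
        body = data[pos + header:pos + size]
        if name == "cprt":                    # spray padding carried inside the box itself
            repeats = body.count(SPRAY_PATTERN)
            if repeats >= SPRAY_MIN_REPEATS:
                findings.append(Finding(pos, f"'cprt' box carries {repeats} repeats of 0x0c0c0c0c"))
        pos += size
    return findings, pos


def scan_mp4(data: bytes) -> dict:
    """Return the findings plus a verdict for one MP4 byte string."""
    findings, stop = walk_boxes(data)
    tail_repeats = data[stop:].count(SPRAY_PATTERN)   # spray bytes after the last good box
    if tail_repeats >= SPRAY_MIN_REPEATS:
        findings.append(Finding(stop, f"{tail_repeats} repeats of 0x0c0c0c0c outside any well-formed box"))
    return {"findings": findings, "suspicious": bool(findings)}


# Constructed sample reproducing the byte IOC above: a valid 'ftyp' box, a
# 13-byte 'cprt' box, then 0x0c0c0c0c repeated 2586 times.
MALICIOUS_SAMPLE = (
    b"\x00\x00\x00\x18" b"ftyp" b"mp42" b"\x00\x00\x00\x00" b"mp42" b"isom"
    + b"\x00\x00\x00\x0d" b"cprt" b"\x00\xff\xff\xff" b"\x00\x00\x00\x00"
    + SPRAY_PATTERN * 2586
)

# Constructed benign sample (assumed): the same 'ftyp' box plus a well-formed
# 'cprt' FullBox (version/flags, packed ISO-639 language code, short notice).
BENIGN_SAMPLE = (
    b"\x00\x00\x00\x18" b"ftyp" b"mp42" b"\x00\x00\x00\x00" b"mp42" b"isom"
    + b"\x00\x00\x00\x11" b"cprt" b"\x00\x00\x00\x00" b"\x15\xc7" b"ok\x00"
)

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = scan_mp4(sample)
        print(label, "suspicious" if result["suspicious"] else "clean")
        for f in result["findings"]:
            print(f"  offset {f.offset}: {f.reason}")
```

On the constructed malicious sample the walk stops at offset 37, where the spray bytes are read as a box header with a non-printable type, and 2586 repeats are counted in the tail; the well-formed notice yields no findings. `bytes.count` counts non-overlapping matches, so the threshold is expressed in 4-byte repeats.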
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 8.1 | HIGH | |
| cisa | | 8.1 | HIGH | |
| vendor_redhat | | 8.1 | HIGH | |
CISA
Adobe Flash Player Memory Corruption Vulnerability
cisa · 2022-06-08 · CVSS 8.1
CVE-2012-0754 [HIGH] CWE-787 Adobe Flash Player Memory Corruption Vulnerability
Affected: Adobe Flash Player
Adobe Flash Player contains a memory corruption vulnerability that allows remote attackers to execute code or cause denial-of-service (DoS).
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2012-0754
Remediation Due Date: 2022-06-22
Red Hat
flash-plugin: multiple code execution flaws (APSB12-03)
vendor_redhat · 2012-02-15 · CVSS 8.1
CVE-2012-0754 [HIGH] flash-plugin: multiple code execution flaws (APSB12-03)
Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
GHSA
GHSA-p5xj-3764-5mhh: Adobe Flash Player before 10
ghsa_unreviewed · 2022-05-14
CVE-2012-0754 [HIGH] CWE-119 GHSA-p5xj-3764-5mhh: Adobe Flash Player before 10
Adobe Flash Player before 10.3.183.15 and 11.x before 11.1.102.62 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.6 on Android 2.x and 3.x; and before 11.1.115.6 on Android 4.x allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
VulnCheck
Adobe Flash Player Memory Corruption Vulnerability
vulncheck · 2012 · CVSS 8.1
CVE-2012-0754 [HIGH] CWE-787 Adobe Flash Player Memory Corruption Vulnerability
Adobe Flash Player contains a memory corruption vulnerability that allows remote attackers to execute code or cause denial-of-service (DoS).
Affected: Adobe Flash Player
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Exploitation References: https://contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-06-22
Suricata
ET MALWARE Yayih.A Checkin
suricata · 2012-03-09
CVE-2012-0754 ET MALWARE Yayih.A Checkin
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yayih.A Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/bbs/info.asp"; fast_pattern; http.header_names; to_lowercase; content:!"|0d 0a|user-agent|0d 0a|"; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; classtype:command-and-control; sid:2014336; rev:5; metadata:created_at 2012_03_09, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_20;)
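As an added example that is not from Emerging Threats or from any source on this page, the following Python restates the rule's match conditions as a predicate that can be run offline over captured requests or proxy logs: method POST (case-insensitive), request URI containing /bbs/info.asp, and no User-Agent header name at all, which is what the negated http.header_names match expresses. The function names and the sample requests are constructed for this example.

```python
"""Added example: the Yayih.A check-in rule's match logic as a plain Python
predicate. Not code from Emerging Threats or the sources on this page; the
function names and the sample requests below are constructed for illustration.
"""
from typing import List, Optional

C2_URI = "/bbs/info.asp"   # URI from the rule on this page


def parse_request(raw: bytes) -> Optional[dict]:
    """Split a raw HTTP/1.x request into method, URI and lowercased header names.

    Returns None for anything that is not a well-formed request head, so a
    malformed line never produces a false match.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    names: List[str] = []
    for line in lines[1:]:
        name, sep, _ = line.partition(b":")
        if not sep:
            return None             # header line without a colon
        # to_lowercase in the rule: compare header names case-insensitively
        names.append(name.strip().decode("latin-1").lower())
    return {
        "method": parts[0].decode("latin-1"),
        "uri": parts[1].decode("latin-1"),
        "header_names": names,
    }


def matches_yayih_checkin(raw: bytes) -> bool:
    """Mirror the rule: POST (nocase), URI contains /bbs/info.asp, and the
    header-name list contains no 'user-agent' (the negated content match)."""
    req = parse_request(raw)
    if req is None:
        return False
    return (req["method"].upper() == "POST"
            and C2_URI in req["uri"]
            and "user-agent" not in req["header_names"])


def triage(requests: List[bytes]) -> List[int]:
    """Indexes of the requests that match, for feeding a hunt or a unit test."""
    return [i for i, r in enumerate(requests) if matches_yayih_checkin(r)]


# Constructed sample traffic (not captured data); the host name is a placeholder.
BEACON = (b"POST /bbs/info.asp HTTP/1.1\r\n"
          b"Host: c2.example.invalid\r\n"
          b"Content-Length: 5\r\n\r\nhello")
BROWSER_POST = (b"POST /bbs/info.asp HTTP/1.1\r\n"
                b"Host: c2.example.invalid\r\n"
                b"User-Agent: Mozilla/5.0\r\n"
                b"Content-Length: 5\r\n\r\nhello")
OTHER_GET = b"GET /bbs/info.asp HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"

if __name__ == "__main__":
    print(triage([BEACON, BROWSER_POST, OTHER_GET]))   # only the beacon matches
```

The missing User-Agent is the distinguishing condition: a browser-originated POST to the same path carries one and is not flagged, which is why the rule negates the header-name match rather than matching a specific agent string.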
Exploit-DB
Adobe Flash Player - '.mp4 cprt' Remote Overflow (Metasploit)
exploitdb · 2012-03-08
CVE-2012-0754 Adobe Flash Player - '.mp4 cprt' Remote Overflow (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "Adobe Flash Player MP4 'cprt' Overflow",
      'Description' => %q{
          This module exploits a vulnerability found in Adobe Flash Player.
        By supplying a corrupt .mp4 file loaded by Flash, it is possible to gain arbitrary
        remote code execution under the context of the user.
          This vulnerability has been exploited in the wild as part of the
        "Iran's Oil and Nuclear Situation.doc" e-mail attack.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Alexander Gavrun', # Vulnera
```
Adobe Flash Player MP4 'cprt' Overflow
metasploit
Adobe Flash Player MP4 'cprt' Overflow
Adobe Flash Player MP4 'cprt' Overflow
This module exploits a vulnerability found in Adobe Flash Player. By supplying a corrupt .mp4 file loaded by Flash, it is possible to gain arbitrary remote code execution under the context of the user. This vulnerability has been exploited in the wild as part of the "Iran's Oil and Nuclear Situation.doc" e-mail attack. According to the advisory, 10.3.183.15 and 11.x before 11.1.102.62 are affected.
Securelist
Investigation Report for the September 2014 Equation malware detection incident in the US
blogs_securelist · 2017-11-16
Investigation Report for the September 2014 Equation malware detection incident in the US
Authors
- Kaspersky
## Background
In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:
1. Was our software used outside of its intended functionality to pull classified information from a person’s c
Bugzilla
CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 flash-plugin: multiple code execution flaws (APSB12-03)
bugzilla · 2012-02-16 · CVSS 9.3
CVE-2012-0752 [CRITICAL] CVE-2012-0752 CVE-2012-0753 CVE-2012-0754 CVE-2012-0755 CVE-2012-0756 flash-plugin: multiple code execution flaws (APSB12-03)
Adobe security bulletin APSB12-03 describes multiple security flaws that can lead to arbitrary code execution when a malicious SWF file is opened in Adobe Flash Player.
- This update resolves a type confusion memory corruption vulnerability that could lead to code execution (CVE-2012-0752).
- This update resolves an MP4 parsing memory corruption vulnerability that could lead to code execution (CVE-2012-0753).
- This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2012-0754).
- This update resolves a security bypass vulnerability that could lead to code execution (CVE-2012-0755).
- This update resolves a security bypass vulnerabil
References
- http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00014.html
- http://rhn.redhat.com/errata/RHSA-2012-0144.html
- http://secunia.com/advisories/48265
- http://secunia.com/advisories/48819
- http://security.gentoo.org/glsa/glsa-201204-07.xml
- http://www.adobe.com/support/security/bulletins/apsb12-03.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15030
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15973
- https://github.com/cisagov/vulnrichment/issues/196
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-0754
Timeline
- 2012-02-16: Published
- 2022-06-08: Added to CISA KEV
- Exploited in the wild