CVE-2012-1535
published 2012-08-15


Priority P182 high 7.8 CVSS 3.1
AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS: 70.38% (99.3th percentile)
Unspecified vulnerability in Adobe Flash Player before 11.3.300.271 on Windows and Mac OS X and before 11.2.202.238 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted SWF content, as exploited in the wild in August 2012 with SWF content in a Word document.

Affected

8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | flash_player | < 11.3.300.271 | 11.3.300.271 |
| adobe | flash_player | < 11.2.202.238 | 11.2.202.238 |
| opensuse | opensuse | | |
| opensuse | opensuse | | |
| redhat | enterprise_linux_desktop | | |
| redhat | enterprise_linux_server | | |
| redhat | enterprise_linux_workstation | | |
| suse | linux_enterprise_desktop | | |

Detection & IOCs (extracted from sources)

path: data/exploits/CVE-2012-1535/trigger.swf
snort: SID 23853
snort: SID 23854
snort: SID 23856
snort: SID 23857
snort: SIDs 23857 - 23862
snort: SID 18546
snort: SID 18549
  • Detect SWF content embedded inside Microsoft Word documents — the primary delivery mechanism for this exploit. Snort SIDs 18546 (HTTP) and 18549 (SMTP) cover this generically and would have caught the attack before public disclosure.
  • Hunt for unencoded, unobfuscated heap spray byte sequences inside SWF files delivered via Word documents — the in-the-wild samples contained plaintext heap spray strings with no compression or obfuscation.
  • The exploit specifically targets the ActiveX version of Flash Player for Internet Explorer on Windows; prioritise detection on IE/ActiveX Flash delivery paths.
  • The exploit abuses a kern table integer overflow in OTF font parsing inside Flash; look for SWF files referencing malformed OTF fonts with anomalously large nTables values in the kern header.
  • The Metasploit module forces URIPATH to fewer than 3 characters; short random alphanumeric URIs ending in .swf (e.g. /ab.swf) combined with a companion /pay.txt request from the same client are a strong indicator of exploitation activity.
  • Look for HTTP requests containing an x-flash-version header followed by a .txt payload request from the same session — the Metasploit module uses this pattern to fingerprint the Flash version and serve the correct ROP chain.
  • Enabling SIDs 18546/18549 (Flash-in-Word detection) may produce false positives in environments where embedding Flash in Word documents is a legitimate business practice; evaluate before deploying in blocking mode.
  • Simply compressing the malicious SWF would defeat the plaintext heap-spray byte signatures (SIDs 23856–23862); these rules are effective only against the specific unobfuscated in-the-wild samples and should be supplemented with vulnerability-level rules (SIDs 23853/23854).
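
The two HTTP hunting notes above (short `.swf` URI plus a companion `.txt` request, and the `x-flash-version` header) can be combined into one per-client correlation over proxy logs. This is an added example, not code from the sources this page draws on; the record layout, the 60-second window and the sample records are assumptions constructed for illustration.

```python
import re

# Assumed reading of "URIPATH fewer than 3 characters": 1-2 alphanumerics + .swf
SHORT_SWF = re.compile(r"^/[A-Za-z0-9]{1,2}\.swf$")  # e.g. /ab.swf
WINDOW = 60  # seconds; assumed correlation window, tune per environment

# Constructed sample proxy records (ts in epoch seconds); not real traffic.
SAMPLE = [
    {"ts": 100, "client": "10.0.0.5", "path": "/ab.swf", "headers": {}},
    {"ts": 102, "client": "10.0.0.5", "path": "/pay.txt",
     "headers": {"X-Flash-Version": "11,3,300,270"}},
    {"ts": 110, "client": "10.0.0.9", "path": "/media/player.swf", "headers": {}},
    {"ts": 115, "client": "10.0.0.9", "path": "/robots.txt", "headers": {}},
    {"ts": 200, "client": "10.0.0.7", "path": "/q7.swf", "headers": {}},
    {"ts": 900, "client": "10.0.0.7", "path": "/pay.txt", "headers": {}},
]

def correlate(records, window=WINDOW):
    """Alert when a client fetches a short-named .swf, then a .txt, within window."""
    last_swf = {}  # client -> (timestamp, path) of most recent short .swf fetch
    alerts = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        path = r["path"].split("?", 1)[0]  # ignore any query string
        if SHORT_SWF.match(path):
            last_swf[r["client"]] = (r["ts"], path)
        elif path.lower().endswith(".txt") and r["client"] in last_swf:
            swf_ts, swf_path = last_swf[r["client"]]
            if r["ts"] - swf_ts <= window:
                header_names = {k.lower() for k in r["headers"]}
                alerts.append({
                    "client": r["client"],
                    "swf": swf_path,
                    "txt": path,
                    # Both flags raise confidence; neither is required to alert.
                    "exact_pay_txt": path == "/pay.txt",
                    "flash_header": "x-flash-version" in header_names,
                })
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

Treat `exact_pay_txt` and `flash_header` as confidence boosters when triaging, since a legitimate site can also serve a short-named SWF followed by a text file.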

CVSS provenance

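| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |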