cbcvebase.
CVE-2013-0634
published 2013-02-08


Priority: P180, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV, Ransomware
Exploited in the wild
EPSS: 77.60% (99.5th percentile)
Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted SWF content, as exploited in the wild in February 2013.

Affected

5 ranges

Vendor  Product       Version range            Fixed in
adobe   flash_player  >= 10.3 < 10.3.183.51    10.3.183.51
adobe   flash_player  >= 11.1 < 11.1.111.32    11.1.111.32
adobe   flash_player  >= 11.1 < 11.1.115.37    11.1.115.37
adobe   flash_player  >= 11.2 < 11.2.202.262   11.2.202.262
adobe   flash_player  >= 11.5 < 11.5.502.149   11.5.502.149

Detection & IOCs

  • Detect exploit kit landing page requests matching the URI pattern /load_module.php?user= with values n1, 1, 2, or 11
  • Alert on HTTP requests for /modules/nu.swf, /modules/1.swf, or /modules/2.swf — these paths deliver the CVE-2013-0634 exploit payload (hash 4788CCA43F06752BD6D52978CBF8058FA4A3AEB76BC5242EE83DA4223EC2DE13)
  • CVE-2013-0634 was delivered via malicious Flash content hosted on websites targeting Firefox/Safari on Mac, and also via malicious SWF embedded in Microsoft Word documents sent as email attachments targeting Windows users
  • The Metasploit module targets the Flash ActiveX control (CLSID D27CDB6E-AE6D-11cf-96B8-444553540000) via Internet Explorer and uses a predictable SharedUserData address to leak ntdll and bypass ASLR; monitor for IE spawning child processes after loading SWF content
  • The CVE-2013-0634 exploit SWF hash is shared between the Bleeding Life and Nuclear exploit kits; presence of this hash in either kit context should be treated as a high-confidence indicator
  • Apply Snort/Sourcefire SIDs 31229–31232 to detect Bleeding Life exploit kit activity including CVE-2013-0634 delivery
  • The exploit hash (4788CCA43F06752BD6D52978CBF8058FA4A3AEB76BC5242EE83DA4223EC2DE13) is shared between the Bleeding Life and Nuclear exploit kits, so a hit does not uniquely identify one kit over the other
  • The Metasploit module specifically targets the ActiveX (Internet Explorer) version of Flash Player on Windows; the in-the-wild exploit also targeted Firefox/Safari on Mac via hosted web content, so detection scope must cover both vectors

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v2.0     9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck               9.3    CRITICAL
vendor_redhat           9.3    CRITICAL