CVE-2013-0634
Published 2013-02-08
Priority P180 critical · 9.3 CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 77.60% (99.5th percentile)
Adobe Flash Player before 10.3.183.51 and 11.x before 11.5.502.149 on Windows and Mac OS X, before 10.3.183.51 and 11.x before 11.2.202.262 on Linux, before 11.1.111.32 on Android 2.x and 3.x, and before 11.1.115.37 on Android 4.x allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted SWF content, as exploited in the wild in February 2013.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | flash_player | >= 10.3 < 10.3.183.51 | 10.3.183.51 |
| adobe | flash_player | >= 11.1 < 11.1.111.32 | 11.1.111.32 |
| adobe | flash_player | >= 11.1 < 11.1.115.37 | 11.1.115.37 |
| adobe | flash_player | >= 11.2 < 11.2.202.262 | 11.2.202.262 |
| adobe | flash_player | >= 11.5 < 11.5.502.149 | 11.5.502.149 |
Detection & IOCs
- Detect exploit kit landing page requests matching the URI pattern /load_module.php?user= with values n1, 1, 2, or 11
- Alert on HTTP requests for /modules/nu.swf, /modules/1.swf, or /modules/2.swf — these paths deliver the CVE-2013-0634 exploit payload (hash 4788CCA43F06752BD6D52978CBF8058FA4A3AEB76BC5242EE83DA4223EC2DE13)
- CVE-2013-0634 was delivered via malicious Flash content hosted on websites targeting Firefox/Safari on Mac, and also via malicious SWF embedded in Microsoft Word documents sent as email attachments targeting Windows users
- The Metasploit module targets the Flash ActiveX control (CLSID D27CDB6E-AE6D-11cf-96B8-444553540000) via Internet Explorer and uses a predictable SharedUserData address to leak ntdll and bypass ASLR; monitor for IE spawning child processes after loading SWF content
- The CVE-2013-0634 exploit SWF hash is shared between the Bleeding Life and Nuclear exploit kits; presence of this hash in either kit context should be treated as high-confidence indicator
- Apply Snort/Sourcefire SIDs 31229–31232 to detect Bleeding Life exploit kit activity including CVE-2013-0634 delivery
- The exploit hash (4788CCA43F06752BD6D52978CBF8058FA4A3AEB76BC5242EE83DA4223EC2DE13) is shared between the Bleeding Life and Nuclear exploit kits, so a hit does not uniquely identify one kit over the other
- The Metasploit module specifically targets the ActiveX (Internet Explorer) version of Flash Player on Windows; the in-the-wild exploit also targeted Firefox/Safari on Mac via hosted web content, so detection scope must cover both vectors
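The URI indicators in this list, applied to web proxy logs, as an added example that is not taken from Talos or any other source cited on this page. The log layout, host names, client addresses, label strings, suffix matching of paths and the regex for the older explicit `e=` form quoted in the Talos excerpt are assumptions; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators quoted in the list above.
LANDING_USER_VALUES = {"n1", "1", "2", "11"}
SWF_PATHS = ("/modules/nu.swf", "/modules/1.swf", "/modules/2.swf")
# Older explicit form, e.g. e=Adobe-2010-2884 (regex shape is an assumption).
LEGACY_E = re.compile(r"[A-Za-z]+-\d{4}-\d{4}")

def classify(url):
    """Return an indicator label for a request URL, or None."""
    parts = urlsplit(url)
    path = parts.path.lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    if path.endswith("/load_module.php"):
        if any(v in LANDING_USER_VALUES for v in query.get("user", [])):
            return "landing"
        if any(LEGACY_E.fullmatch(v) for v in query.get("e", [])):
            return "legacy-module"
    if path.endswith(SWF_PATHS):  # suffix match tolerates a kit subdirectory
        return "exploit-swf"
    return None

def scan(lines):
    """Return (client, label, url) for lines shaped 'ts client method url status'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 5 and (label := classify(fields[3])):
            hits.append((fields[1], label, fields[3]))
    return hits

def correlated_clients(hits):
    """Clients that requested both a landing page and an exploit SWF."""
    seen = {}
    for client, label, _url in hits:
        seen.setdefault(client, set()).add(label)
    return sorted(c for c, s in seen.items() if {"landing", "exploit-swf"} <= s)

# Constructed sample log: hosts, addresses and layout are made up.
SAMPLE_LOG = [
    "2014-06-01T10:00:01Z 192.0.2.10 GET http://kit.example.test/load_module.php?user=n1 200",
    "2014-06-01T10:00:02Z 192.0.2.10 GET http://kit.example.test/modules/nu.swf 200",
    "2014-06-01T10:00:05Z 192.0.2.11 GET http://shop.example.test/load_module.php?user=alice 200",
    "2014-06-01T10:00:07Z 192.0.2.12 GET http://cdn.example.test/modules/12.swf 200",
    "2014-06-01T10:00:09Z 192.0.2.13 GET http://old.example.test/load_module.php?e=Adobe-2010-2884 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
    print("landing + SWF from same client:", correlated_clients(scan(SAMPLE_LOG)))
```

A client that appears in `correlated_clients` fetched both the landing page and the SWF, which is a stronger signal than either request alone.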
CVSS provenance
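| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.3 | CRITICAL | |
| vendor_redhat | | 9.3 | CRITICAL | |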
GHSA
GHSA-82c2-48r6-3hq5: Adobe Flash Player before 10
ghsa_unreviewed·2022-05-14
CVE-2013-0634 [HIGH] CWE-119 GHSA-82c2-48r6-3hq5: Adobe Flash Player before 10
VulnCheck
Adobe Flash Player Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck·2013·CVSS 9.3
CVE-2013-0634 [CRITICAL] Adobe Flash Player Improper Restriction of Operations within the Bounds of a Memory Buffer
Affected: Adobe Flash Player
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2013-0634; https://pap
Red Hat
flash-plugin: multiple code execution flaws (APSB13-04)
vendor_redhat·2013-02-07·CVSS 9.3
CVE-2013-0634 [CRITICAL] flash-plugin: multiple code execution flaws (APSB13-04)
No detection rules found.
Exploit-DB
Adobe Flash Player - Regular Expression Heap Overflow (Metasploit)
exploitdb·2014-04-21
CVE-2013-0634 Adobe Flash Player - Regular Expression Heap Overflow (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "Adobe Flash Player Regular Expression Heap Overflow",
'Description' => %q{
This module exploits a vulnerability found in the ActiveX component of Adobe
Flash Player before 11.5.502.149. By supplying a specially crafted swf file
with special regex value, it is possible to trigger an memory corruption, which
results in remote code execution under the context of the user, as exploited in
the wild in February 2013. This module has been tested successfully with Adobe
Flash Player 11.5 before 11.5.502.149 on Windows XP SP3 and Windows 7 SP1 before
MS1
Metasploit
Adobe Flash Player Regular Expression Heap Overflow
metasploit
This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player before 11.5.502.149. By supplying a specially crafted swf file with special regex value, it is possible to trigger a memory corruption, which results in remote code execution under the context of the user, as exploited in the wild in February 2013. This module has been tested successfully with Adobe Flash Player 11.5 before 11.5.502.149 on Windows XP SP3 and Windows 7 SP1 before MS13-063, since it takes advantage of a predictable SharedUserData in order to leak ntdll and bypass ASLR.
Talos
The never ending Exploit Kit shift - Bleeding Life
blogs_talos·2014-06-12·CVSS 9.8
[CRITICAL] The never ending Exploit Kit shift - Bleeding Life
Recently we've been able to observe several shifts in exploit kit techniques, so I thought it would be good to share the IOC information for the exploit kits so that administrators and network defenders can take a look at their devices and logs to remediate on their networks.
## Bleeding Life
Bleeding life, traditionally, was not one of the more subtle exploit kits.
In the past, the exploit kit would attempt to get the exploits through fairly obvious URI methods. For example:
"/load_module.php?e=Adobe-2010-2884"
"/load_module.php?e=Java-2010-3552"
"/modules/helpers/Java-2010-0842.jar"
The URI would be explicit about which vulnerability the kit was going to download and run on the client. However, as of the beginning of May, subtlety increased slightly, as we've seen a shift in th
Krebs
Critical Flash Player Update Fixes 2 Zero-Days
blogs_krebs·2013-02-07·CVSS 9.3
CVE-2013-0634 [CRITICAL] Critical Flash Player Update Fixes 2 Zero-Days
Adobe today pushed out an emergency update that fixes at least two zero-day vulnerabilities in its ubiquitous Flash Player software — flaws that attackers are already exploiting to break into systems. Interestingly, Adobe warns that one of the exploits in use is designed to drop malware on both Windows and Mac OS X systems.
Adobe said in an advisory that one of the vulnerabilities — CVE-2013-0634 – is being exploited in the wild in attacks delivered via malicious Flash content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment.
Adobe also warned that a separate flaw — CVE-2013-0633 — is being exploited in the wild in targeted
Recorded Future
Tracking Moving Targets: Exploit Kits and CVEs
blogs_recorded_future
# Tracking Moving Targets: Exploit Kits and CVEs
One year ago a notorious programmer Paunch, who coded the Blackhole exploit kit, was arrested and charged for the distribution and sale of his wares. Blackhole was an epic Russian exploit kit, rented and used by thousands for their successful campaigns against a range of targets.
Since Paunch’s arrest, the exploit kit threat landscape has changed significantly as malicious actors have sought out new tool kits. Recorded Future undertook the task of analyzing over 600,000 unique web sources to identify the most prevalent exploit kits, what CVEs they commonly leverage, and what the most vulnerable products are.
To get started, let’s craft a simple query looking for mentions of any exploit kit over the last six months.
Bugzilla
pcre: heap buffer overflow with a crafted regular expression
bugzilla·2015-08-06
[MEDIUM] pcre: heap buffer overflow with a crafted regular expression
The following issue was reported in PCRE (https://bugs.exim.org/show_bug.cgi?id=1667):
"""
Latest version of PCRE is prone to a Heap Overflow vulnerability which could be caused by the following regular expression.
/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/
To reproduce the problem, we could use pcretest provided by the PCRE library or applications which are wrapped with PCRE, such as PHP.
For pcretest, simply type the regular expression after the re>
For PHP, latest version of PHP 5.6.11 (wrapped with PCRE 8.37) could be triggered by following code snippet:
First, pcre_compile2 invokes compile_regex() to calculate the size of memory that is used to save the regular expression.
re then points to the new allocated memory w
Bugzilla
pcre: heap buffer overflow in pcre_compile2() / compile_regex()
bugzilla·2015-06-01
[LOW] pcre: heap buffer overflow in pcre_compile2() / compile_regex()
The following issue was reported in the PCRE library:
"""
Latest version of PCRE is prone to a Heap Overflow vulnerability which could be caused by the following regular expression.
/^(?P=B)((?P=B)(?J:(?Pc)(?Pa(?P=B)))>WGXCREDITS)/
To reproduce the problem, we could use pcretest provided by the PCRE library or applications which are wrapped with PCRE, such as PHP.
For pcretest, simply type the regular expression after the re>
For PHP, latest version of PHP 5.6.9 (wrapped with PCRE 8.37) could be triggered by following code snippet:
c)(?Pa(?P=B)))>WGXCREDITS)/","ADLAB",$arr);
?>
First, pcre_compile2 invokes compile_regex() to calculate the size of memory that is used to save the regular expression.
re then points to the new allocated memor
HackerOne
Adobe Flash Player Out-of-Bound Access Vulnerability
hackerone·2015-03-25·CVSS 9.3
[CRITICAL] Adobe Flash Player Out-of-Bound Access Vulnerability
I. Summary
Adobe Flash Player is prone to a vulnerability which leads to Out-of-Bound memory access via a carefully crafted regular expression. An attacker can exploit this issue to defeat ASLR protection or even execute arbitrary code in the context of affected application (Internet Explorer, EXCEL...).
II. Description
Adobe Flash is a multimedia and software platform used for authoring of vector graphics, animation, games and rich Internet applications (RIAs) that can be viewed, played and executed in Adobe Flash Player.
When constructing a RegExpObject, most part of memory was applied from the heap. While heap overflow may also happen as it is with CVE-2013-0634, CVE-2014-0559, the matching result is stored on the stack. A fixe
Bugzilla
CVE-2013-0633 CVE-2013-0634 flash-plugin: multiple code execution flaws (APSB13-04)
bugzilla·2013-02-08·CVSS 9.3
CVE-2013-0633 [CRITICAL] CVE-2013-0633 CVE-2013-0634 flash-plugin: multiple code execution flaws (APSB13-04)
Adobe security bulletin APSB13-04 describes two security flaws that could cause Adobe Flash Player to crash and potentially allow an attacker to take control of the affected system:
This update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2013-0633).
This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2013-0634).
External References:
http://www.adobe.com/support/security/bulletins/apsb13-04.html
Discussion:
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Via RHSA-2013:0243 https://rhn.redhat.com/errata/RHSA-2013-0243.html
- http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00007.html
- http://rhn.redhat.com/errata/RHSA-2013-0243.html
- http://www.adobe.com/support/security/bulletins/apsb13-04.html