CVE-2015-0359
Published 2015-04-14
CVE-2015-0359: Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux…
Priority P181 · critical · 10 (CVSS 2.0) · AV:N/AC:L/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 95.18% (99.9th percentile)
Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0346.
Affected
28 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | flash_player | <= 13.0.0.264 | — |
| adobe | flash_player | <= 11.2.202.451 | — |
| adobe | flash_player | — | — |
| adobe | flash_player | — | — |
| adobe | flash_player | — | — |
| adobe | flash_player | — | — |
| adobe | flash_player | — | — |
| adobe | flash_player | — | — |
| adobe | flash_player | — | — |
| adobe | flash_player | — | — |
| adobe | flash_player | — | — |
| adobe | flash_player | — | — |
| adobe | flash_player | — | — |
| adobe | flash_player | — | — |
| adobe | flash_player | — | — |
| adobe | flash_player | — | — |
| adobe | flash_player | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| redhat | enterprise_linux_desktop_supplementary | — | — |
| redhat | enterprise_linux_desktop_supplementary | — | — |
| redhat | enterprise_linux_server_supplementary | — | — |
| redhat | enterprise_linux_server_supplementary | — | — |
| redhat | enterprise_linux_server_supplementary_eus | — | — |
| redhat | enterprise_linux_workstation_supplementary | — | — |
Detection & IOCs (extracted from sources)
- The exploit targets specific Flash Player versions: 13.0.0.277 and 17.0.0.134 use a distinct exploit trigger path (CVE-2015-X/UAF), while 13.0.0.250–13.0.0.269 and 15.0.0.189–16.0.0.305 use CVE-2015-0313. Detection should flag Flash versions 17.0.0.134 and 13.0.0.277 as actively exploited.
- The Angler EK exploit SWF uses a multi-layer packing technique via 'Loader::loadbytes()' to embed an encoded inner SWF that is decoded and loaded entirely in memory without being written to disk; look for in-memory SWF loading without disk artifacts.
- The exploit uses ActionScript workers (Flash threads) to free a ByteArray assigned to ApplicationDomain.domainMemory without notifying subscribers, triggering a UAF. Behavioral detection should monitor for ApplicationDomain.domainMemory assignment followed by worker-side ByteArray.clear() calls.
- The Metasploit module targets Windows 7 SP1 (32-bit) with IE 8 or IE11 and Flash 17.x. Browser/OS fingerprinting in HTTP requests matching this combination should be treated as high-risk for this exploit.
- The HanJuan exploit kit used false ads and shortened URLs to deliver CVE-2015-0359 exploits. Shortened URL redirects leading to SWF delivery should be flagged in proxy/web gateway logs.
- The exploit SWF uses variable substitution, NOP insertion, and JavaScript function hooks for obfuscation. Deobfuscation pipelines should look for regex/math/concat/split/replace chains constructing values assigned to variables in JS wrapping malicious SWFs.
- The sample attributed to CVE-2015-0359 in the Angler EK (MD5: 049ff69bc23f36a78d86bbf1356c2f63c) was assessed by Unit 42 to actually exploit a distinct UAF vulnerability they call 'CVE-2015-X', not a double-free as described in the official CVE-2015-0359. The official CVE describes a double-free, but the in-the-wild exploit is a UAF.
- Both CVE-2015-0359 and CVE-2015-X were fixed simultaneously in Flash Player 17.0.0.169 (April 14, 2015). Exploit activity targeting Flash 17.0.0.134 may be attributed to either CVE in threat intelligence reports.
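CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 10.0 | CRITICAL | |
| vulncheck | | 10.0 | CRITICAL | |
| vendor_redhat | | 10.0 | CRITICAL | |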
GHSA
GHSA-7vvf-ghq4-pw24: Double free vulnerability in Adobe Flash Player before 13
ghsa_unreviewed·2022-05-17·CVSS 10.0
CVE-2015-0359 [CRITICAL] GHSA-7vvf-ghq4-pw24: Double free vulnerability in Adobe Flash Player before 13
Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0346.
GHSA
GHSA-r6j8-xrxq-g7wx: Double free vulnerability in Adobe Flash Player before 13
ghsa_unreviewed·2022-05-14·CVSS 10.0
CVE-2015-0346 [CRITICAL] GHSA-r6j8-xrxq-g7wx: Double free vulnerability in Adobe Flash Player before 13
Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0359.
OSV
CVE-2015-0359: Double free vulnerability in Adobe Flash Player before 13
osv·2015-04-14·CVSS 10.0
CVE-2015-0359 [CRITICAL] CVE-2015-0359: Double free vulnerability in Adobe Flash Player before 13
Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0346.
OSV
CVE-2015-0346: Double free vulnerability in Adobe Flash Player before 13
osv·2015-04-14·CVSS 10.0
CVE-2015-0346 [CRITICAL] CVE-2015-0346: Double free vulnerability in Adobe Flash Player before 13
Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0359.
VulnCheck
Adobe Flash Player Double Free
vulncheck·2015·CVSS 10.0
CVE-2015-0359 [CRITICAL] Adobe Flash Player Double Free
Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0346.
Affected: Adobe Flash Player
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.recordedfuture.com/blog/top-vulnerabilities-2015
Red Hat
flash-plugin: multiple code execution issues fixed in APSB15-06
vendor_redhat·2015-04-14·CVSS 10.0
CVE-2015-0359 [CRITICAL] flash-plugin: multiple code execution issues fixed in APSB15-06
Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0346.
Red Hat
flash-plugin: multiple code execution issues fixed in APSB15-06
vendor_redhat·2015-04-14·CVSS 10.0
CVE-2015-0346 [CRITICAL] flash-plugin: multiple code execution issues fixed in APSB15-06
Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0359.
No detection rules found.
Exploit-DB
Adobe Flash Player - domainMemory ByteArray Use-After-Free (Metasploit)
exploitdb·2015-05-08
CVE-2015-0359 Adobe Flash Player - domainMemory ByteArray Use-After-Free (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Adobe Flash Player domainMemory ByteArray Use After Free',
'Description' => %q{
This module exploits a use-after-free vulnerability in Adobe Flash Player. The
vulnerability occurs when the ByteArray assigned to the current ApplicationDomain
is freed from an ActionScript worker, when forcing a reallocation by copying more
contents than the original capacity, but Flash forgets to update the domainMemory
pointer, leading to a use-after-free situation when the main worker references the
domainMemory again. This module has been tested successfu
Metasploit
Adobe Flash Player domainMemory ByteArray Use After Free
metasploit
This module exploits a use-after-free vulnerability in Adobe Flash Player. The vulnerability occurs when the ByteArray assigned to the current ApplicationDomain is freed from an ActionScript worker, when forcing a reallocation by copying more contents than the original capacity, but Flash forgets to update the domainMemory pointer, leading to a use-after-free situation when the main worker references the domainMemory again. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 and IE11 with Flash 17.0.0.134.
Fortinet
The Definition and Examples of Exploit Kits | Fortinet Blog
blogs_fortinet·2022-01-27
By Aamir Lakhani | January 27, 2022
In cybersecurity terminology, an exploit is a bit of code or a program that takes advantage of vulnerabilities or flaws in software or hardware. An exploit is not malware, but rather a way to deliver malware like ransomware or viruses. The goal of exploits is to install malware or to infiltrate and initiate denial-of-service (DoS) attacks for example.
The recent exponential growth of computer peripherals, software advances, and edge and cloud computing has led to a corresponding increase in vulnerabilities. Of course, cybercriminals love having more systems to attack with exploit kits.
What Is An Exploit Kit?
Exploit kits (EKs) are automated programs used by cybercriminals to ex
Unit42
Understanding Flash Exploitation and the Alleged CVE-2015-0359 Exploit
blogs_unit42·2015-06-01·CVSS 9.8
## Understanding Flash Exploitation and the Alleged CVE-2015-0359 Exploit
Palo Alto Networks
Published: June 1, 2015
What follows is a detailed analysis of the root cause of a vulnerability we call CVE-2015-X, as well as a step-by-step explanation of how to trigger it. For more on Flash vulnerabilities, we also invite you to read "The Latest UAF Vulnerabilities in Exploit Kits," published May 28 by Tao Yan.
Not too long ago we came across a sample from the Angler Exploit kit (MD5: 049ff69bc23f36a78d86bbf1356c2f63c), which allegedly exploits CVE-2015-0359. The obfuscated SWF contains an encoded SWF (MD5: d45808cfa6f3cbfb343fdea269fdc375), which is later decoded and loaded into Flash, without getting saved on disk. Here’s a somewhat beautified example of this process:
The embedded SWF is heavily obfuscated, but the code has much in common with the source code for Angler EK’s CVE-2015-0313 exploit.
The f
Unit42
The Latest Flash UAF Vulnerabilities in Exploit Kits
blogs_unit42·2015-05-28
## The Latest Flash UAF Vulnerabilities in Exploit Kits
Tao Yan
Published: May 28, 2015
### Introduction
Recently, several popular exploit kits, including Angler, Flash EK, SweetOrange, Fiesta and Neutrino [1], have included several use-after-free (UAF) vulnerabilities in Adobe Flash to exploit victims’ browsers. Previously, these exploit kits typically used out-of-bounds access (OBA) vulnerabilities in Adobe Flash, as these types of vulnerabilities can be exploited universally and stably [2], and require less effort to exploit compared to UAF vulnerabilities. In order to detect these newly added UAF vulnerabilities, we analyzed the code found in the exploit kits to determine which vulnerabilities are present and how they are exploited.
### Obfuscation in exploit kits
To determine the vulnerabilities within each exploit kit, we first had to overcome the various obfuscation
Bugzilla
flash-plugin: multiple code execution issues fixed in APSB15-06
bugzilla·2015-04-15·CVSS 10.0
CVE-2015-0347 [CRITICAL] flash-plugin: multiple code execution issues fixed in APSB15-06
Adobe Security Bulletin APSB15-06 for Adobe Flash Player describes multiple flaws that can possibly lead to code execution when Flash Player is used to play a specially crafted SWF file.
Quoting from the APSB15-06:
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, CVE-2015-3043).
These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2015-0356).
These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2015-0348).
These updates resolve use-after-free vulnerabilit
- http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00013.html
- http://rhn.redhat.com/errata/RHSA-2015-0813.html
- http://www.securityfocus.com/bid/74067
- http://www.securitytracker.com/id/1032105
- https://helpx.adobe.com/security/products/flash-player/apsb15-06.html
- https://security.gentoo.org/glsa/201504-07