CVE-2015-3113
published 2015-06-23


Priority: P196 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-04
Exploited in the wild
EPSS: 99.94% (100.0th percentile)
Heap-based buffer overflow in Adobe Flash Player before 13.0.0.296 and 14.x through 18.x before 18.0.0.194 on Windows and OS X and before 11.2.202.468 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in June 2015.

Affected

19 ranges

Vendor     Product                                  Version range                   Fixed in
adobe      flash_player                             < 13.0.0.296                    13.0.0.296
adobe      flash_player                             < 11.2.202.468                  11.2.202.468
adobe      flash_player                             >= 14.0.0.125 < 18.0.0.194      18.0.0.194
hp         insight_orchestration                    < 7.5.0                         7.5.0
hp         system_management_homepage               < 7.5.0                         7.5.0
hp         systems_insight_manager                  < 7.5                           7.5
hp         version_control_agent                    < 7.5.0                         7.5.0
hp         version_control_repository_manager       < 7.5.0                         7.5.0
hp         version_control_repository_manager
hp         virtual_connect_enterprise_manager       < 7.5.0                         7.5.0
opensuse   evergreen
opensuse   opensuse
opensuse   opensuse
redhat     enterprise_linux_desktop
redhat     enterprise_linux_eus
redhat     enterprise_linux_server
redhat     enterprise_linux_workstation
suse       linux_enterprise_desktop
suse       linux_enterprise_workstation_extension

Detection & IOCs (extracted from sources)

path: %APPDATA%\vcl.tmp
path: %TEMP%\vcl.tmp
filename: vcl.tmp
cookie: HTTP Cookie field used to transmit encrypted C2 data (Pirpi.2014 and Pirpi.2015)
other: 0xC917432 (ROR7 hash of LoadLibraryA in kernel32.dll)
bytes: XOR key 0x12, subtraction key 0x11, XOR key 0x85 (payload decryption algorithm)
  • Pirpi payload (Pirpi.2015) is a PE DLL delivered via steganography embedded in an animated GIF (v.gif); shellcode decrypts and executes the payload hidden within the GIF using XOR/subtraction keys 0x12, 0x11, 0x85.
  • Pirpi C2 communication uses HTTP GET requests; exfiltrated data is transmitted in the HTTP Cookie header field in encrypted form — hunt for anomalous Cookie values in outbound GET traffic.
  • Pirpi checks for configuration file vcl.tmp in %APPDATA% or %TEMP% on startup; presence of this file is a host-based indicator of compromise.
  • Shellcode uses ROR-7 hashing on kernel32.dll export names to locate API functions; constant 0xC917432 identifies LoadLibraryA — use this constant as a memory/shellcode scan signature.
  • CVE-2015-3113 exploit was integrated into Magnitude exploit kit (as of June 27, 2015) and Angler exploit kit (June 29, 2015); network detections should cover these EK traffic patterns.
  • The exploit targets the video decoding component of Flash and uses ROP techniques; known targeted browsers/OS combinations are Internet Explorer on Windows 7 and below, and Firefox on Windows XP.
  • Pirpi uses hardcoded C2 domains encoded inside the binary as a fallback if the vcl.tmp configuration file is absent; the specific hardcoded domains for the CVE-2015-3113 campaign are not disclosed in the sources.
  • UPS/APT3 is known to serve malicious payloads only within very limited windows of time and only to victims matching their desired profile, making dynamic payload retrieval for analysis difficult.
  • The C2 URL structure differs between the Pirpi.2014 and Pirpi.2015 variants; both use HTTP GET with Cookie-based exfiltration, but the URL path format is not identical across variants.

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                      9.8     CRITICAL
vulncheck                9.8     CRITICAL
cisa                     9.8     CRITICAL
vendor_redhat            9.8     CRITICAL