Exploiting ActionScript3 interpreter

Wednesday 3 October 11:30 - 12:00, Red room

Boris Larin (Kaspersky Lab)
Anton Ivanov (Kaspersky Lab)



At the end of 2017 we discovered an Adobe Flash Player zero-day vulnerability (CVE-2017-11292) which was used in the BlackOasis APT. This case demonstrates that Adobe Flash Player is still a good target for threat actors.

CVE-2017-11292 is a particularly interesting type-confusion vulnerability, and there are no public reports describing it.

In this presentation we will present and release our own 'ActionScript3' processor module and debug plug-in for IDA Pro. These tools complement each other, and have already shown good results in debugging in-the-wild exploits.

We analysed the ActionScript Virtual Machine (AVM) and found a way to improve analysis using the rich capabilities of IDA Pro and its APIs.

In our presentation we will cover the following:

  • What exploitation techniques are used by threat actors now in Flash exploits
  • A detailed description of CVE-2017-11292
  • How to find new vulnerabilities in Adobe Flash Player
  • Our self-made IDA Pro plug-ins for analysis and debugging of Flash exploits.

 


Boris Larin

Boris Larin is a malware analyst at Kaspersky Lab, focused on exploits and network attack detection. His main fields of interest are reverse engineering, code deobfuscation and vulnerability research. He is also the author of educational materials for Kaspersky Academy and runs a malware reverse engineering course at Harbour.Space University in Barcelona. In his free time he likes to investigate and examine the security of embedded devices.

@oct0xor

 


Anton Ivanov

Anton graduated from Russia's Higher School of Economics in 2013, with a degree in information technology. Anton also has a Master's degree from the Russian Presidential Academy of National Economy and Public Administration. Anton joined Kaspersky Lab in 2011 as a malware analyst. Now he leads the behavioural detection team. Anton has several patents relating to malware detection.

@antonivanovm

