The CVE-2015-3090 exploit is a memory corruption and was discovered and reported by Chris Evans of Google Project Zero.
“The exploit for CVE-2015-3090 involves a race condition in the shader class, in which asynchronously modifying the width/height of a shader object while starting a shader job will result in a memory corruption vulnerability. Angler uses this to execute arbitrary code and infect unpatched users’ systems,” reported FireEye in their last blog post.
The popular security researcher known by the name of Kafeine confirmed that also the exploit for CVE-2015-3090 was added to Angler Kit.
“As spotted by FireEye Angler EK is now exploiting CVE-2015-3090 patched with Flash 126.96.36.199” wroteKafeine.
The way that the exploit work is:
Check if target is vulnerable.
Create a vector of length 0x400 filled with vectors of length 0xA6.
Create a ShaderJob and set its width to 0.
Start the ShaderJob.
Set the ShaderJob width to 0x25E.
Wait 0x12C before continuing.
Loop through the vector from step 2, and find one whose length is not 0xA6 or 0xA6*2. This is the corrupted vector used for out-of-bounds memory accesses.
Post-corruption exploitation techniques are the same as last month’s CVE-2015-0359 exploit, culminating in a control-flow transfer to the attacker via bytearray.toString circumventing CFG.
Kafeine during his tests was able to exploit the flaw and serve the Bedep malware on the infected machines (normally Angler exploit kit uses Bedep in Flash player vulnerabilities).
Bedep was also explained in detail in a previous Fireye post, and it’s a “highly active malvertising operation involving Bedep ad fraud activity and malicious redirection to Exploit Kits (EK) via a multitude of advertising and search-affiliated domains.”
Experts at Trustwave observed a group of cyber criminals helping spread pro-Russia propaganda by inflating video views with a malvertising campaign. The threat actors behind the malvertising campaign used the Angler exploit kit to infect victims with the Bedep trojan, recently used to hit also the adult web site xHamster. According to the experts, the victims were infected after they visited a tourism website that hosted the Angler exploit kit.
I guess that we will not need to wait a lot to have more news about Angler kit.
About the Author Elsio Pinto
Elsio Pinto (@high54security) is at the moment the Lead Mcafee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.