
On May 8, 2016, FireEye detected an attack exploiting a previously
unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and
reported the issue to the Adobe Product Security Incident Response
Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15
just four days later.

Attackers had embedded the Flash exploit inside a Microsoft Office
document, which they then hosted on their web server, and used a
Dynamic DNS (DDNS) domain to reference the document and payload. With
this configuration, the attackers could disseminate their exploit via
URL or email attachment. Although this vulnerability resides within
Adobe Flash Player, threat actors designed this particular attack for
a target running Windows and Microsoft Office.

Attack Summary

Upon opening the document, the exploit downloads and executes a
payload from the attacker’s server. To avoid suspicion, the attacker
then shows the victim a decoy document. The full exploit chain
proceeds as follows:

  1. The victim opens the malicious Office document.
     1. The Office document renders an embedded Flash file.
        1. If the Flash Player version is older than the minimum the
           exploit checks for, the attack aborts.
        2. Otherwise, the attack runs the encoded Flash exploit.
  2. The exploit runs embedded native shellcode.
     1. The shellcode downloads and executes a second shellcode from
        the attacker's server.
  3. The second shellcode:
     1. Downloads and executes malware.
     2. Downloads and displays a decoy document.
  4. The malware connects to a second server for command and control
     (C2) and waits for further instructions.
This process is shown in Figure 1.

Figure 1 Attack flow chart

CVE-2016-4117 Exploitation Details

An out-of-bounds read vulnerability exists in the
DeleteRangeTimelineOperation module. By extending the
DeleteRangeTimelineOperation class, one can define a property whose
name conflicts with the name of an inner interface. In this exploit,
the author chose "placement" as the property name, as shown in Figure 2.
Referencing the interface causes the ActionScript Virtual Machine to
call the internal function getBinding to obtain a bind id. Because the
"placement" property conflicts with the "placement" interface name,
the attacker can manipulate the bind id and ultimately induce type
confusion: the VM operates on the object as if it had a different
type and layout than it actually does.

Figure 2 Placement interface vs. class definition

Memory layout

Before triggering the vulnerability, the exploit defines a class
that extends ByteArray. The definition is modified to contain easily
distinguishable property values that aid in locating instances in
memory. The exploit then allocates a set of these objects to control
the heap layout (Figure 3).

Figure 3 Prepare heap memory layout

These objects look as follows when in memory:

The exploit then uses the type-confused DeleteRangeTimelineOperation
object to read out of bounds, scanning forward until it finds one of
the extended ByteArray objects by matching the pre-defined property
values (shown in Figure 4), and manipulates that object's data buffer
pointer to point at an attacker-controlled area.

Figure 4 Finding target ByteArray

With the ability to read and write individual fields of the extended
ByteArray object, the attacker can corrupt one of the objects by
extending its length to 0xffffffff and setting its data buffer pointer
to address 0. Because ByteArray's own bounds check trusts these fields,
subsequent reads and writes through the corrupted ByteArray can reach
all of user-space memory (Figure 5).

Figure 5 RW primitive and execute shellcode
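The heap-grooming and ByteArray-corruption steps described above, as an added C simulation that is not part of FireEye's write-up or of the exploit itself. Process memory is a flat array and every "pointer" is an offset into it; the object layout, the addresses, the marker values and the size of the simulated address space are assumptions, and the type-confused object's unchecked read/write at an arbitrary index stands in for the real type confusion. What it shows is the mechanism: the ByteArray accessors perform a correct bounds check, but once the length and buffer fields they trust are corrupted, the same accessors become an arbitrary read/write primitive.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated 32-bit address space: all "pointers" are offsets into g_mem (assumption). */
#define MEM_SIZE       0x10000u
#define CONFUSED_ADDR  0x1000u   /* stand-in for the type-confused DeleteRangeTimelineOperation */
#define SPRAY_ADDR     0x1100u   /* where the sprayed ByteArray objects land */
#define DATA_ADDR      0x2000u   /* backing buffers of the sprayed objects */
#define SECRET_ADDR    0x8000u   /* some unrelated location "elsewhere in user space" */
#define MARKER_A       0x41414141u  /* easily distinguishable values stored in each object */
#define MARKER_B       0x42424242u
#define NUM_SPRAY      16

static uint8_t g_mem[MEM_SIZE];

/* Assumed layout of the extended ByteArray object (not Flash's real layout). */
typedef struct {
    uint32_t marker_a;
    uint32_t marker_b;
    uint32_t length;   /* bound checked by every read/write through the object */
    uint32_t buffer;   /* address of the backing data buffer */
} sim_bytearray;

static uint32_t mem_read32(uint32_t a) { uint32_t v; memcpy(&v, &g_mem[a], 4); return v; }
static void mem_write32(uint32_t a, uint32_t v) { memcpy(&g_mem[a], &v, 4); }

/* The vulnerability: the confused object lets the exploit read and write at an
 * arbitrary index past its own end, with no bounds check at all. */
static uint32_t confused_read32(uint32_t index) { return mem_read32(CONFUSED_ADDR + index); }
static void confused_write32(uint32_t index, uint32_t v) { mem_write32(CONFUSED_ADDR + index, v); }

/* Step 1: spray marked ByteArray objects so that some land after the confused object. */
static void spray_bytearrays(void) {
    for (uint32_t i = 0; i < NUM_SPRAY; i++) {
        sim_bytearray ba = { MARKER_A, MARKER_B, 64u, DATA_ADDR + i * 64u };
        memcpy(&g_mem[SPRAY_ADDR + i * (uint32_t)sizeof ba], &ba, sizeof ba);
    }
}

/* Step 2: read forward from the confused object until the marker pair appears.
 * Returns the index of the found object relative to the confused object, 0 if none. */
static uint32_t find_sprayed_object(uint32_t max_index) {
    for (uint32_t i = 0; i + 8 <= max_index; i += 4)
        if (confused_read32(i) == MARKER_A && confused_read32(i + 4) == MARKER_B)
            return i;
    return 0;
}

/* Step 3: corrupt the found object's length and buffer fields. */
static void corrupt_bytearray(uint32_t index) {
    confused_write32(index + 8, 0xffffffffu);  /* length -> 0xffffffff */
    confused_write32(index + 12, 0u);          /* buffer -> address 0   */
}

/* Ordinary ByteArray accessors: bounds-checked against the object's own length.
 * Return 0 on a failed check or on touching unmapped simulated memory. */
static int ba_read32(uint32_t ba_addr, uint32_t pos, uint32_t *out) {
    sim_bytearray ba; memcpy(&ba, &g_mem[ba_addr], sizeof ba);
    if ((uint64_t)pos + 4 > ba.length) return 0;             /* ByteArray's check */
    uint64_t addr = (uint64_t)ba.buffer + pos;
    if (addr + 4 > MEM_SIZE) return 0;                        /* simulated page fault */
    *out = mem_read32((uint32_t)addr);
    return 1;
}
static int ba_write32(uint32_t ba_addr, uint32_t pos, uint32_t val) {
    sim_bytearray ba; memcpy(&ba, &g_mem[ba_addr], sizeof ba);
    if ((uint64_t)pos + 4 > ba.length) return 0;
    uint64_t addr = (uint64_t)ba.buffer + pos;
    if (addr + 4 > MEM_SIZE) return 0;
    mem_write32((uint32_t)addr, val);
    return 1;
}

/* End-to-end: returns 1 on success, leaking the dword at SECRET_ADDR into *leaked
 * and reading back a dword written next to it into *written. */
int run_exploit_sim(uint32_t *leaked, uint32_t *written) {
    memset(g_mem, 0, sizeof g_mem);
    mem_write32(SECRET_ADDR, 0xdeadbeefu);   /* constructed stand-in for a module pointer */
    spray_bytearrays();
    uint32_t idx = find_sprayed_object(0x1000u);
    if (idx == 0) return 0;
    uint32_t ba_addr = CONFUSED_ADDR + idx;
    uint32_t tmp;
    if (ba_read32(ba_addr, SECRET_ADDR, &tmp)) return 0;  /* must fail before corruption */
    corrupt_bytearray(idx);
    if (!ba_read32(ba_addr, SECRET_ADDR, leaked)) return 0;
    if (!ba_write32(ba_addr, SECRET_ADDR + 4, 0x0badf00du)) return 0;
    return ba_read32(ba_addr, SECRET_ADDR + 4, written);
}

int main(void) {
    uint32_t leaked = 0, written = 0;
    int ok = run_exploit_sim(&leaked, &written);
    printf("ok=%d leaked=0x%08x written=0x%08x\n", ok, leaked, written);
    return ok ? 0 : 1;
}
```

In a real 32-bit Flash process the corrupted object's buffer of 0 and length of 0xffffffff cover the whole address space; here MEM_SIZE plays that role, and the simulated page fault stands in for the crash an exploit would get from touching an unmapped page. Note that nothing in ba_read32 or ba_write32 is wrong: the primitive comes entirely from lying to a correct bounds check.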

Code execution

Once the exploit can read and write arbitrarily in memory, it
executes embedded shellcode. The shellcode downloads a second stage of
shellcode from the attacker’s server, which then downloads and
executes the malware payload and displays the decoy document.


CVE-2016-4117 was recently exploited in targeted attacks. Just four
days after notification, Adobe released a security update for Flash
Player that patched the underlying vulnerability. Users who require
Flash Player in their environment should apply this patch promptly to
protect their systems from exploitation. Additionally, Flash Player
users should consider employing additional mitigations, such as EMET
from Microsoft, to make their systems more difficult and costly to exploit.

At L Technology Group, we know technology alone will not protect us from the risks associated with cyberspace. Hackers, nation states such as Russia and China, and "Bob" in HR opening that email are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology but also intelligent personnel who eat and breathe cybersecurity, combined with proven processes and techniques to form an advanced next-generation security solution. Since 2008, L Technology Group has developed the people, processes and technology to combat the ever-changing threat landscape that businesses face day to day.

Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group.