Bing Liu, Fortinet
download slides (PDF)
In today's online world, Adobe Flash's ubiquity is hardly deniable. The reasons for this success are diverse and open to speculation, but one consequence is certain: Flash is becoming a major infection vector in the eyes of cybercriminals.
While Flash zero-day vulnerabilities are revealed at a steady pace, other exploits, for example browser-related ones, are also starting to leverage Flash. Indeed, the following two abilities of the Flash Player are valuable to attackers:
To address these two major issues, we developed an ActionScript emulator. It is able to detect Heapspray/JIT-Spray and to unpack embedded Flash/HTML/JavaScript content.
Based on the emulator, we also developed a simple scanner. It is rule-based and can flag known exploits in a flash, as well as zero-days (in some cases), thanks to the Heapspray/JIT-Spray detector.
In this paper, we discuss the techniques implemented in our emulator and scanner by dissecting two Flash samples. Limitations and countermeasures are also discussed.