{"id":13261,"date":"2015-07-12T12:06:05","date_gmt":"2015-07-12T04:06:05","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=13261"},"modified":"2015-07-13T17:49:32","modified_gmt":"2015-07-13T09:49:32","slug":"%e5%8f%88%e4%be%86%e4%ba%86-hacking-team-%e8%b3%87%e6%96%99%e5%a4%96%e6%b4%a9%e6%b7%bb%e6%96%b0%e7%9a%84-adobe-flash-%e9%9b%b6%e6%99%82%e5%b7%ae%e6%bc%8f%e6%b4%9e-cve-2015-5123","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=13261","title":{"rendered":"\u53c8\u4f86\u4e86!! Hacking Team \u8cc7\u6599\u5916\u6d29\u6dfb\u65b0\u7684 Adobe Flash \u96f6\u6642\u5dee\u6f0f\u6d1e (CVE-2015-5123)"},"content":{"rendered":"

\u4ee5\u5354\u52a9\u57f7\u884c\u76e3\u63a7\u4efb\u52d9,\u51fa\u552e\u9593\u8adc\u7a0b\u5f0f\u7d66\u5404\u570b\u653f\u5e9c\u8207\u57f7\u6cd5\u55ae\u4f4d\u800c\u5099\u53d7\u722d\u8b70\u7684Hacking Team\u516c\u53f8,\u8fd1\u65e5\u906d\u5230\u653b\u64ca<\/a>\uff0c\u7e3d\u91cf\u8fd1400GB\u7684\u516c\u53f8\u5167\u90e8\u6587\u4ef6,\u6a94\u6848\u7a0b\u5f0f\u7b49\u8cc7\u6599\u88ab\u516c\u958b\u3002\u5728\u6b64\u6b21\u6d29\u9732\u7684\u6587\u4ef6\u4e2d\uff0c\u5305\u542b\u4e86Hacking Team\u7684\u5ba2\u6236\u8cc7\u6599\u3001\u8ca1\u52d9\u6587\u4ef6\u3001\u5408\u7d04\u3001\u5167\u90e8E-mail\u90f5\u4ef6,\u6839\u64da\u5831\u5c0e<\/a>\u7dad\u57fa\u89e3\u5bc6\uff08WikiLeaks\uff09\u516c\u5e03<\/a>\u4e86Hacking Team\u5167\u90e8\u8d85\u904e100\u842c\u7b46\u96fb\u5b50\u90f5\u4ef6\uff0c\u4e26\u63d0\u4f9b\u4e86\u641c\u5c0b\u6a5f\u5236\u3002\u5176\u4e2d\u5305\u542b\u4e86601\u7b46\u8207\u53f0\u7063\u76f8\u95dc\u8cc7\u6599\u3002<\/p><\/blockquote>\n

\u5728\u9023\u7e8c\u5169\u500b Adobe Flash Player \u96f6\u6642\u5dee\u6f0f\u6d1e\u56e0 Hacking Team \u8cc7\u6599\u5916\u6d29<\/a>\u4e8b\u4ef6\u800c\u66dd\u5149\u4e4b\u5f8c\uff0c\u8da8\u52e2\u79d1\u6280<\/a>\u53c8\u767c\u73fe\u4e86\u53e6\u4e00\u500b Adobe Flash Player \u96f6\u6642\u5dee\u6f0f\u6d1e (CVE-2015-5123)\u3002Adobe \u5728\u63a5\u7372\u6211\u5011\u901a\u5831\u4e4b\u5f8c\u5df2\u767c\u5e03\u4e86\u4e00\u9805\u5b89\u5168\u516c\u544a<\/a>\u3002\u6b64\u6f0f\u6d1e\u7684\u5206\u985e\u70ba\u91cd\u5927\u6f0f\u6d1e\uff0c\u56e0\u70ba\u99ed\u5ba2\u4e00\u65e6\u653b\u64ca\u6210\u529f\uff0c\u5c31\u53ef\u80fd\u53d6\u5f97\u7cfb\u7d71\u7684\u638c\u63a7\u6b0a\u3002\u6b64\u6f0f\u6d1e\u7684\u5f71\u97ff\u5c64\u9762\u6db5\u84cb Windows\u3001Mac \u548c Linux \u5e73\u53f0\u4e0a\u7684\u6240\u6709 Adobe Flash \u7248\u672c\u3002<\/p>\n

\"Attack<\/a><\/p>\n

\u554f\u984c\u6839\u6e90\u5206\u6790<\/em><\/strong><\/p>\n

\u6839\u64da\u8da8\u52e2\u79d1\u6280<\/a>\u7684\u5206\u6790\uff0c\u6b64\u6f0f\u6d1e\u4e00\u6a23\u662fvalueOf \u6280\u5de7<\/em>\u6240\u5c0e\u81f4\u7684\u554f\u984c\u3002\u4e0d\u904e\u6709\u5225\u65bc\u524d\u5169\u500b Flash \u96f6\u6642\u5dee\u6f0f\u6d1e\u7684\u662f\uff0c\u5b83\u5229\u7528\u7684\u662f BitmapData<\/em> \u7269\u4ef6\uff0c\u800c\u975e TextLine<\/em> \u548c ByteArray<\/em>\u3002<\/p>\n

\u4ee5\u4e0b\u662f\u89f8\u767c\u8a72\u6f0f\u6d1e\u7684\u6b65\u9a5f\uff1a<\/p>\n

    \n
  1. \u5efa\u7acb\u4e00\u500b\u65b0\u7684 BitmapData<\/em> \u7269\u4ef6\uff0c\u6e96\u5099\u597d\u5169\u500b Array<\/em> \u7269\u4ef6\uff0c\u7522\u751f\u5169\u500b\u65b0\u7684 MyClass<\/em> \u7269\u4ef6\uff0c\u7136\u5f8c\u5c07 MyClass<\/em> \u7269\u4ef6\u5206\u5225\u6307\u6d3e\u81f3\u524d\u9762\u5169\u500b Array<\/em> \u7269\u4ef6\u3002<\/li>\n
  2. \u8986\u5beb MyClass <\/em>\u7269\u4ef6\u7684 valueOf<\/em> \u51fd\u5f0f\uff0c\u7136\u5f8c\u547c\u53eb paletteMap<\/em> \u4e26\u50b3\u5165\u524d\u8ff0\u5169\u500b Array<\/em> \u7576\u6210\u53c3\u6578\u3002BitmapData.paletteMap<\/em> \u5c07\u89f8\u767c valueOf<\/em> \u51fd\u5f0f\u3002<\/li>\n
  3. \u5728 valueOf \u51fd\u5f0f\u4e2d\u547c\u53eb dispose()<\/em> \u4f86\u91cb\u653e BitmapData<\/em> \u7269\u4ef6\u7684\u8a18\u61b6\u9ad4\uff0c\u5c0e\u81f4 Flash Player \u7576\u6389\u3002<\/li>\n<\/ol>\n

    \u76ee\u524d\u8da8\u52e2\u79d1\u6280<\/a>\u6b63\u5bc6\u5207\u76e3\u63a7\u662f\u5426\u6709\u4efb\u4f55\u99ed\u5ba2\u653b\u64ca\u904b\u7528\u5230\u9019\u9805\u6982\u5ff5\u9a57\u8b49 (POC) \u6f0f\u6d1e\u3002\u4e00\u6709\u6700\u65b0\u6d88\u606f\u6216\u65b0\u7684\u767c\u73fe\uff0c\u6211\u5011\u6703\u7acb\u5373\u66f4\u65b0\u9019\u7bc7\u6587\u7ae0\u3002\u7531\u65bc Hacking Team \u8cc7\u6599\u5916\u6d29<\/a>\u4e8b\u4ef6\u5df2\u7d93\u5ee3\u70ba\u516c\u958b\uff0c\u56e0\u6b64\u4f7f\u7528\u8005\u5df2\u6709\u906d\u5230\u653b\u64ca\u7684\u5371\u96aa\u3002\u6240\u4ee5\uff0c\u5efa\u8b70\u4f7f\u7528\u8005\u66ab\u6642\u5148\u505c\u7528 Adobe Flash Player\uff0c\u76f4\u5230 Adobe \u91cb\u51fa\u4fee\u88dc\u7a0b\u5f0f\u70ba\u6b62\u3002<\/p>\n

    \u8da8\u52e2\u79d1\u6280\u7684\u8da8\u52e2\u79d1\u6280Deep Discovery<\/a>\u5df2\u80fd\u5229\u7528\u6c99\u76d2\u6a21\u64ec\u5206\u6790\u4e26\u642d\u914d\u7a0b\u5e8f\u78bc (Script) \u5206\u6790\u5f15\u64ce\u4f86\u4e3b\u52d5\u9632\u7bc4\u9019\u9805\u5a01\u8105\uff0c\u56e0\u6b64\u4f7f\u7528\u8005\u5927\u53ef\u5b89\u5fc3\u3002\u5b83\u80fd\u900f\u904e\u884c\u70ba\u4f86\u5075\u6e2c\u9019\u9805\u5a01\u8105\uff0c\u4e0d\u9700\u4efb\u4f55\u66f4\u65b0\u3002\u8da8\u52e2\u79d1\u6280Deep Security<\/a>\u00a0\u53ef\u5229\u7528\u4e0b\u5217\u6df1\u5c64\u5c01\u5305\u6aa2\u67e5 (DPI) \u898f\u5247\u4f86\u9632\u7bc4\u4f7f\u7528\u8005\u96fb\u8166\u906d\u5230\u6b64\u6f0f\u6d1e\u5a01\u8105\uff1a<\/p>\n