The vulnerability has being used during 1 month before disclosure. The campaign started with spam emails enticing users to open its attachment, typically a Microsoft Word document (or a zip file of a Microsoft Word document), which contained inside the malicious Flash exploit.
Microsoft - Exploit:SWF/CVE-2011-0611.C, NOD32 - JS/Exploit.Pdfka.OXL.Gen, Symantec - Trojan.Pidief, Ikarus - Exploit.JS.ShellCode.
Vulnerability details
Advisory: SB2011041101 - Remote code execution in Adobe Flash Player
Vulnerable component: Adobe Flash Player
CVE-ID: CVE-2011-0611
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-119 - Memory corruption
Description:
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error in authplay.dll component. A remote attacker can create a specially Flash (.swf) file embedded in a Microsoft Word (.doc) file, trick the victim into opening it, trigger memory corruption, and execute arbitrary code on the system with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Public Exploits:
- Adobe Reader X 10.0.0 < 10.0.1 - Atom Type Confusion Exploit [Exploit-DB]
- Adobe Flash Player 10.2.153.1 - SWF Memory Corruption (Metasploit) [Exploit-DB]
External links:
https://www.fireeye.com/blog/threat-research/2013/02/operation-beebus.html
https://secunia.com/?action=fetch&filename=Secunia_Whitepaper_CVE-2011-0611.pdf
https://support.symantec.com/en_US/article.TECH157906.html
http://www.adobe.com/support/security/advisories/apsa11-02.html
http://www.adobe.com/support/security/bulletins/apsb11-07.html
http://www.adobe.com/support/security/bulletins/apsb11-08.html
https://blogs.technet.microsoft.com/mmpc/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player...
http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html
https://blog.qualys.com/securitylabs/2011/04/15/placeholder
http://www.kahusecurity.com/2011/flash-0day-found-in-drive-by/
http://www.securitytube.net/video/1747
http://poc-hack.blogspot.com/2011/04/adobe-flash-player-cve-2011-0611-swf.html
http://securityaffairs.co/wordpress/27224/cyber-crime/kaspersky-report-energetic-bear.html