Old IE Attack is now Cool

Friday, May 10, 2013 @ 05:05 PM gHale


A 15-month-old Internet Explorer exploit is now a part of the Cool Exploit Kit crimeware package.

Microsoft reported the inclusion of CVE-2012-1876 in Cool, a vulnerability in IE the software giant patched last June.

RELATED STORIES
Stealthy Server Malware Spreading
Multistage Attack Proves Fruitful
Apache Backdoor Leads to Blackhole
Firewall Hole Found, Patched

This is a remote code execution heap-based buffer overflow flaw that impacts IE 6-9. Researchers from VUPEN demonstrated a successful exploit during the 2012 Pwn2Own contest that was able to bypass ASLR and DEP data execution protections built into Windows. VUPEN’s exploit beat a fully patched version of IE 9 running on a Windows 7 machine.

“This can be achieved by leaking an address of the mshtml.dll module, building a heap spray based on this address and triggering the vulnerability again to execute the payload,” VUPEN said in a blogpost, adding its researchers combined this exploit with another Zero Day in order to bypass IE’s Protected mode.

“After triggering the vulnerability for a memory leak to disclose interesting addresses, it is possible to trigger the same vulnerability once again to achieve code execution by overflowing the same buffer in memory with arbitrary values,” VUPEN said.

Microsoft’s Justin Kim said Cool is the only kit to carry the IE exploit.

“For a while it seemed exploit kit writers were not too interested in this vulnerability,” Kim said.

The IE exploit is not the only new addition to Cool. Microsoft said Adobe Reader and Flash exploits have also joined the party (CVE-2012-0755 and CVE-2013-0634). The IE attack, however, opens the spectrum of potential victims because of a return-oriented programming technique that allows it to identify the DLL a process is running on, and match a malicious payload to the corresponding DLL.

“The exploit includes not only one but 18 different attack payloads, giving attackers the ability to leverage 18 different versions ofmshtml.dll. In the past, there was only one payload per exploit targeting one specific version of the module, usually XP system files or several other 3rd-party files that are without address space layout randomization (ASLR) protection enabled,” Kim said. “With this enhancement in exploit stability, the exploit is capable of exploiting a larger population of victims, including those using Windows Vista and Windows 7.”

The Cool Exploit Kit was first detected in October in a spate of attacks involving the Reveton ransomware. The discovery of Cool happened after French researcher Kafeine discovered an exploit for a Windows vulnerability first exploited by Duqu. The same exploit ended up in the Blackhole Exploit Kit, leading experts to conclude the same group was running both.



Leave a Reply

You must be logged in to post a comment.