
Comele – New IE zero-day exploit (Jan 15, 2010)

The SonicWALL UTM Research team found reports of a new zero-day vulnerability (CVE-2010-0249) in Internet Explorer's DOM handling that leads to arbitrary code execution. The flaw is a use-after-free: certain DOM operations let script reach a pointer to an object after that object has been deleted, and dereferencing the stale pointer can be turned into remote code execution.

This vulnerability was reportedly part of the targeted attack campaign against Google, Adobe and other major companies that Google disclosed. Microsoft has acknowledged the issue in a security advisory and is currently investigating it.

The SonicWALL UTM Research team obtained a zero-day exploit for this vulnerability: a specially crafted web page containing heavily encoded malicious JavaScript. The exploit works on any version of Internet Explorer with JavaScript enabled and Data Execution Prevention (DEP) disabled. A decoded version of the malicious page is shown below:

[Screenshot: decoded version of the malicious page]

If the exploit succeeds, it attempts to download and execute a malicious executable over HTTP from the following URL:

  • http://demo1.ftp(REMOVED)/ad.jpg [ Detected as GAV: Roarur.DR (Trojan) ]

The downloaded executable is a Trojan dropper that performs the following actions on the victim machine:

  • Drops another Trojan as (Windows System)\Rasmon.dll [ Detected as GAV: Roarur.DLL (Trojan) ]
  • Injects the dropped Rasmon.dll into the address space of svchost.exe and starts a new service ‘UpsMYi’
  • Performs registry modifications:
    • HKLM\SYSTEM\ControlSet001\Services\RaS7BL8\Parameters\ServiceDll = "%System%\rasmon.dll"
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RaS7BL8\ImagePath = "%System%\svchost.exe -k netsvcs"

Together these two values register the dropped DLL as an svchost-hosted service in the netsvcs group, which is what causes it to be loaded into svchost.exe at boot.
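The persistence above is the standard svchost service-DLL pattern, so the practical triage check is to enumerate every service whose ImagePath runs svchost.exe and look at the DLL each one loads. The script below is an added example (not code from the post or from SonicWALL): it parses a constructed, simplified .reg-style export of the Services key, one benign entry plus the RaS7BL8 entry described in the post, and flags svchost-hosted services whose ServiceDll is not on a hypothetical known-good list. Paths, the allowlist and the sample data are all assumptions.

```python
"""Triage check for svchost-hosted services (added example, not from the post).

Parses a simplified .reg-style export of HKLM\SYSTEM\ControlSet001\Services and
reports every service that runs inside svchost.exe together with the DLL it
loads, flagging DLLs that are not on a caller-supplied allowlist.
"""
import re

# Constructed sample: one benign svchost service, one non-svchost service, and
# the dropper's RaS7BL8 entry as described in the post. REG_EXPAND_SZ values
# are written as plain strings here for readability (a real export uses hex(2)).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k NetworkService"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RaS7BL8]
"ImagePath"="%System%\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RaS7BL8\Parameters]
"ServiceDll"="%System%\\rasmon.dll"
"""

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)


def parse_reg(text):
    """Return {key_path: {value_name: value}} for .reg-style text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes inside string values as "\\"
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def svchost_services(keys):
    """Return (service_name, svchost_group, service_dll) for svchost-hosted services."""
    found = []
    for path, values in keys.items():
        if not path.startswith(SERVICES_PREFIX):
            continue
        name = path[len(SERVICES_PREFIX):]
        if "\\" in name:
            continue  # a subkey such as ...\Parameters; read via its parent below
        m = SVCHOST_RE.search(values.get("ImagePath", ""))
        if not m:
            continue
        params = keys.get(path + "\\Parameters", {})
        found.append((name, m.group(1), params.get("ServiceDll")))
    return found


def suspicious_services(keys, allowlist):
    """Flag svchost-hosted services whose ServiceDll is missing or not allowlisted."""
    allowed = {dll.lower() for dll in allowlist}
    flagged = []
    for name, group, dll in svchost_services(keys):
        basename = dll.rsplit("\\", 1)[-1].lower() if dll else None
        if basename is None or basename not in allowed:
            flagged.append((name, group, dll))
    return flagged


# Hypothetical allowlist; on a real host this would be the baseline of known DLLs.
KNOWN_GOOD = {"dnsrslvr.dll"}

if __name__ == "__main__":
    for name, group, dll in suspicious_services(parse_reg(SAMPLE_REG), KNOWN_GOOD):
        print(f"[!] service {name} (svchost -k {group}) loads {dll}")
```

On a live machine the input would come from `reg export HKLM\SYSTEM\ControlSet001\Services services.reg`; note that a real export stores ImagePath and ServiceDll as REG_EXPAND_SZ in `hex(2):` form, which this simplified parser does not decode, so either convert those values first or read the registry directly.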

There is currently no patch available from Microsoft. Until one ships, mitigation consists of setting Internet Explorer's Internet zone security level to High, which disables Active Scripting, and keeping DEP enabled; the exploit in circulation requires JavaScript to be enabled and DEP to be disabled. Microsoft may release an out-of-band patch for this threat outside of the normal monthly patch cycle.

SonicWALL Gateway AntiVirus provides protection against this threat via GAV: Comele (Exploit) signature.

MS IE Aurora Memory Corruption (Jan 15, 2010)

A zero-day memory corruption vulnerability, codenamed Aurora, in the Internet Explorer browser has been disclosed. Most versions of the product are affected. The vulnerability is triggered by accessing a freed or deleted DOM object through scripting; internally this is a dangling pointer dereference, and by controlling what occupies the freed memory an attacker can divert the browser's flow of execution. Exploitation resulting in code execution has proven consistent and stable across all vulnerable versions, with the exception of versions 7 and 8 when DEP is enabled.

The vulnerability is reported to have been exploited in targeted attacks. Exploitation requires the attacker to entice the target user into following a link to a site hosting the malicious code, and the target browser must have scripting enabled to be vulnerable.

Due to the nature of the bug and the virtually limitless ways of hiding or otherwise obfuscating code that exploits it, it is not feasible to develop a single IPS signature that covers all attack cases. However, SonicWALL already has numerous IPS signatures that detect and block popular shellcode used in HTML attacks, and these may block attacks targeting this flaw. SonicWALL has released an additional IPS signature addressing the publicly released exploit and its variations:

  • 4711 – Javascript ASCII Table Lookup Attempt

The vendor has released a security advisory addressing this issue. MITRE has assigned the vulnerability the identifier CVE-2010-0249. A working public exploit has also been released by the Metasploit project.