Posts

Internet Explorer Vulnerability(MS12-043) Exploited in the Wild (August 30, 2013)

/in /by

Dell Sonicwall Threats Research team has found multiple instances of malicious websites exploiting this old Internet Explorer Vulnerability. This vulnerability is already patched and has been assigned CVE-2012-1889. Metasploit also has a module msxml_get_definition_code_exec and we can see some similarities in the exploit code as outlined below.

There is obfuscation, heap allocation and shellcode setup.

Vulnerable “MSXML3” control is included followed by its function call “definition” that triggers the condition.

Debugging shows heap spray and download of the url containing malicious executable.

A separate variant uses IP address for executable download

We detect multiple variants of this attack by following IPS signatures

  • 7967 Microsoft XML Core Services Uninitialized Object Access 1
  • 8007 Microsoft XML Core Services Uninitialized Object Access 6
  • 7610 HTTP Client Shellcode Exploit 68b
  • 7370 HTTP Client Shellcode Exploit 68a
  • 5416 HTTP Client Shellcode Exploit 15a
  • 4604 HTTP Client Shellcode Exploit 1a
  • 4605 HTTP Client Shellcode Exploit 2

Well-known Zero-day Vulnerabilities 2012 Summary (Aug 9, 2012)

/in /by

A zero-day attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, operation system etc. Multiple zero-day vulnerabilities can be found each year. The following are the well-known zero-day vulnerabilities for the first half year of 2012. Dell SonicWALL coverage for these vulnerabilities and references are also listed:

With the deployed signatures, Dell SonicWALL has prevented the customers from being attacked. The following are the statistics within last 20 days:

2012 Zero-day hits

To better protect our customers, Dell SonicWALL has partnered with Microsoft on the MAPP program, and here is the MAPP landing page: https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=380.

In the above page, you can find all the Microsoft released vulnerabilities and our coverage for the past two years. Dell SonicWALL has been successfully cooperated with Microsoft for the vulnerabilities detecting and preventing, for example, the latest 0day vulnerability CVE-2012-1889, we have deployed the signatures at the same day when Microsoft released the public advisory: MAPP Partners with Updated Protections

In addition to the signatures of detecting 0day vulnerabilities, we have more than 200 shellcode detection IPS signatures, which proactively detects and blocks many attacks in the wild. The following are some examples of the IPS signatures:

  • 4569 HTTP Server Shellcode Exploit 8
  • 4573 Server Application Shellcode Exploit 10
  • 4574 HTTP Server Shellcode Exploit 10
  • 4584 Server Application Shellcode Exploit 17
  • 4598 Server Application Shellcode Exploit 3
  • 4601 HTTP Server Shellcode Exploit 11

Microsoft Security Bulletin Coverage (July 10, 2012)

/in /by

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of July, 2012. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS12-043 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479)

  • CVE-2012-1889 MSXML Uninitialized Memory Corruption Vulnerability
    IPS: 7967 – Microsoft XML Core Services Uninitialized Object Access 1

MS12-044 Cumulative Security Update for Internet Explorer (2719177)

  • CVE-2012-1522 Cached Object Remote Code Execution Vulnerability
    IPS: 8124 – HTTP Client Shellcode Exploit 70a
  • CVE-2012-1524 Attribute Remove Remote Code Execution Vulnerability
    IPS: 8120 – Suspicious Javascript Attribute Remove Code

MS12-045 Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (2698365)

  • CVE-2012-1891 ADO Cachesize Heap Overflow RCE Vulnerability
    IPS: 8119 – Microsoft ADO Cachesize Heap Overflow Exploit

MS12-046 Vulnerabilities in Visual Basic for Applications Could Allow Remote Code Execution (27907960)

  • CVE-2012-1854 Visual Basic for Applications Insecure Library Loading Vulnerability
    IPS: 1023 – Binary Planting Attempt 1
    IPS: 5726 – Binary Planting Attempt 2
    IPS: 6847 – Binary Planting Attempt 3

MS12-047 Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2718523)

  • CVE-2012-1890 Keyboard Layout Vulnerability
    This is a local vulnerability. There is no feasible method of detection at gateway level.
  • CVE-2012-1893 Win32k Incorrect Type Handling Vulnerability
    This is a local vulnerability. There is no feasible method of detection at gateway level.

MS12-048 Vulnerability in Windows Shell Could Allow Remote Code Execution (2691442)

  • CVE-2012-0175 Command Injection Vulnerability
    IPS: 8118 – Suspicious Filename Transfer Through SMB

MS12-049 Vulnerability in TLS Could Allow Information Disclosure (2655992)

  • CVE-2012-1870 TLS Protocol Vulnerability
    There is no feasible method of detection at gateway level.

MS12-050 Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502)

  • CVE-2012-1858 HTML Sanitization Vulnerability
    IPS: 7960 – Cross-Site Scripting (XSS) Attempt 32
  • CVE-2012-1859 XSS scriptresx.ashx Vulnerability
    IPS: 1849 – Cross-Site Scripting (XSS) Attempt 20
  • CVE-2012-1860 Sharepoint Search Scope Vulnerability
    There is no feasible method of detection at gateway level.
  • CVE-2012-1861 SharePoint Script in Username Vulnerability
    There is no feasible method of detection at gateway level.
  • CVE-2012-1863 Sharepoint Reflected List Parameter Vulnerability
    IPS: 1849 – Cross-Site Scripting (XSS) Attempt 20

MS12-051 Vulnerability in Microsoft Office for Mac Could Allow Elevation of Privilege (2721015)

  • CVE-2012-1894 Office for Mac Improper Folder Permissions Vulnerability
    There is no feasible method of detection at gateway level.

Microsoft XML Core Services Uninitialized Object Access (June 22, 2012)

/in /by

Microsoft XML Core Services (MSXML) is a set of services that allow building Windows-native XML-based applications. All MSXML products are exposed as Component Object Model (COM) objects. Each version of MSXML exposes its own set of CLSIDs and ProgIDs.

A memory corruption vulnerability exists in Microsoft XML Core Services. Specifically, the vulnerable MSXML objects fail to handle parameter exceptions when certain method is invocated. A remote attacker can exploit this vulnerability by enticing a user to open a specially crafted web page. Successful exploitation could result in arbitrary code execution in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions.

The vulnerability has been assigned as CVE-2012-1889.

SonicWALL has released multiple IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 7967 Microsoft XML Core Services Uninitialized Object Access 1
  • 7968 Microsoft XML Core Services Uninitialized Object Access 2
  • 7969 Microsoft XML Core Services Uninitialized Object Access 3
  • 7970 Microsoft XML Core Services Uninitialized Object Access 4
  • 7971 Microsoft XML Core Services Uninitialized Object Access 5
  • 8007 Microsoft XML Core Services Uninitialized Object Access 6
  • 8008 Microsoft XML Core Services Uninitialized Object Access 7
  • 8009 Microsoft XML Core Services Uninitialized Object Access 8
  • 8010 Microsoft XML Core Services Uninitialized Object Access 9
  • 8011 Microsoft XML Core Services Uninitialized Object Access 10
  • 8012 Microsoft XML Core Services Uninitialized Object Access 11
  • 8013 Microsoft XML Core Services Uninitialized Object Access 12

Microsoft Security Bulletin Coverage (Jun 12, 2012)

/in /by

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of June, 2012. A list of issues reported, along with SonicWALL coverage information follows:

MS12-036 Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939)

  • CVE-2012-0173 Remote Desktop Protocol Vulnerability
    There is no feasible method of detection at gateway level.

MS12-037 Cumulative Security Update for Internet Explorer (2699988)

  • CVE-2012-1523 Center Element Remote Code Execution Vulnerability
    IPS: 7959 – Microsoft IE Center Element Exploit
  • CVE-2012-1858 HTML Sanitization Vulnerability
    IPS: 7960 – Cross-Site Scripting (XSS) Attempt 32
  • CVE-2012-1872 EUC-JP Character Encoding Vulnerability
    There is no feasible method of detection.
  • CVE-2012-1873 Null Byte Information Disclosure Vulnerability
    IPS: 7961 – Microsoft IE Null Byte Information Disclosure Exploit
  • CVE-2012-1874 Developer Toolbar Remote Code Execution Vulnerability
    IPS: 7962 – Microsoft IE Developer Toolbar Memory Corruption
  • CVE-2012-1875 Same ID Property Remote Code Execution Vulnerability
    IPS: 7963 – Microsoft IE Same ID Property Exploit
  • CVE-2012-1876 Col Element Remote Code Execution Vulnerability
    IPS: 7454 – HTTP Client Shellcode Exploit 35a
  • CVE-2012-1877 Title Element Change Remote Code Execution Vulnerability
    GAV: 20231 – Malformed-File html.MP.5
  • CVE-2012-1878 OnBeforeDeactivate Event Remote Code Execution Vulnerability
    GAV: 20228 – Malformed-File html.MP.4
  • CVE-2012-1879 insertAdjacentText Remote Code Execution Vulnerability
    IPS: 4665 – HTTP Client Shellcode Exploit 13a
  • CVE-2012-1880 insertRow Remote Code Execution Vulnerability
    GAV: 20227 – Malformed-File html.MP.3
  • CVE-2012-1881 OnRowsInserted Event Remote Code Execution Vulnerability
    GAV: 20225 – Malformed-File html.MP.2
  • CVE-2012-1882 Scrolling Events Information Disclosure Vulnerability
    There is no feasible method of detection.

MS12-038 Vulnerability in .NET Framework Could Allow Remote Code Execution (2706726)

  • CVE-2012-1855 .NET Framework Memory Access Vulnerability
    IPS: 7964 – Malformed ZIP File 12

MS12-039 Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)

  • CVE-2011-3402 TrueType Font Parsing Vulnerability
    GAV: 19421 – Malformed.ttf.MP.1
  • CVE-2012-0159 TrueType Font Parsing Vulnerability
    GAV: 18601 – Malformed-File ttf.MP.2
  • CVE-2012-1849 Lync Insecure Library Loading Vulnerability
    IPS: 1023 – Binary Planting Attempt 1
    IPS: 5726 – Binary Planting Attempt 2
    IPS: 6847 – Binary Planting Attempt 3
  • CVE-2012-1858 HTML Sanitization Vulnerability
    IPS: 7960 – Cross-Site Scripting (XSS) Attempt 32

MS12-040 Vulnerability in Microsoft Dynamics AX Enterprise Portal Could Allow Elevation of Privilege (2709100)

  • CVE-2012-1857 Dynamics AX Enterprise Portal XSS Vulnerability
    IPS: 1369 – Cross-Site Scripting (XSS) Attempt 1

MS12-041 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162)

  • CVE-2012-1864 String Atom Class Name Handling Vulnerability
    This is a local elevation of privilege vulnerability.
  • CVE-2012-1865 String Atom Class Name Handling Vulnerability
    This is a local elevation of privilege vulnerability.
  • CVE-2012-1866 Clipboard Format Atom Name Handling Vulnerability
    This is a local elevation of privilege vulnerability.
  • CVE-2012-1867 Font Resource Refcount Integer Overflow Vulnerability
    This is a local elevation of privilege vulnerability.
  • CVE-2012-1868 Win32k.sys Race Condition Vulnerability
    This is a local elevation of privilege vulnerability.

MS12-042 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)

  • CVE-2012-0217 User Mode Scheduler Memory Corruption Vulnerability
    This
    is a local elevation of privilege vulnerability.
  • CVE-2012-1515 BIOS ROM Corruption Vulnerability
    This is a local elevation of privilege vulnerability.

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2719615)

  • CVE-2012-1889 MSXML Uninitialized Memory Corruption Vulnerability
    IPS: 7967 – ACTIVEX Suspicious ActiveX Method 7
    IPS: 7968 – ACTIVEX Suspicious ActiveX Method 8
    IPS: 7969 – ACTIVEX Suspicious ActiveX Method 9
    IPS: 7970 – ACTIVEX Suspicious ActiveX Method 10
    IPS: 7971 – ACTIVEX Suspicious ActiveX Method 11