Windows IE Button Element Use-After-Free (Dec 31, 2012)

On Dec 29th, 2012, Microsoft released an out-of-band Microsoft Security Advisory (2794220) addressing an Internet Explorer vulnerability. The vulnerability affects Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8; Internet Explorer 9 and Internet Explorer 10 are not affected. The vulnerability is tracked as CVE-2012-4792.

The Dell SonicWALL UTM team researched this vulnerability as soon as it was disclosed and created two IPS signatures to detect the attack traffic. The IPS signatures are listed below.

  • 9445 Windows IE Button Element Use-After-Free 1
  • 9446 Windows IE Button Element Use-After-Free 2

For the Microsoft vulnerabilities covered by Dell SonicWALL, please refer to SonicWALL MAPP for details.

Update: we have also released another SonicAlert, IE 0 day used in watering hole attacks (Jan 2, 2013), addressing a specific exploit in the wild.

IE 0 day used in watering hole attacks (Jan 2, 2013)

The Dell SonicWALL UTM Research team received reports of a new zero-day exploit targeting Internet Explorer being employed in watering hole attacks. These attacks target a use-after-free vulnerability in Internet Explorer 8 running on Windows XP or Windows 7. Internet Explorer 6 and 7 are also vulnerable to this exploit but were not targeted in this attack. The vulnerability is documented under CVE-2012-4792, and Microsoft has released an advisory for it.

A watering hole attack involves planting exploits and a payload on compromised sites that the targeted victims are likely to visit. In this case, the site of a think tank headquartered in the US and the site of an organization selling energy generation equipment, also headquartered in the US, were compromised and the exploits were loaded onto them. The attacks targeted visitors of these sites with a Backdoor Trojan.

Infection Cycle

The exploit is delivered using an SWF and multiple JavaScript components. It is only attempted if the Flash plugin is installed, the IE version is 8, specific language packs are installed, and Java version 6 is installed. On successful exploitation, it leads to the download and execution of a Backdoor Trojan.

[Figure: infection cycle diagram]

The initial DLL payload is XOR’ed using the key ‘0x83’ and is decrypted by the SWF component. This in turn drops a Backdoor Trojan, which does the following:

  • It creates a copy of itself appended with a random overlay (different hash/footprint in each infection):
    %COMMONPROGRAMFILES%DirectDB.exe [Detected as “GAV: Shyape.B (Trojan)”]
  • It creates an instance of iexplorer.exe and injects code into it
  • It attempts to contact a remote server, which was found to be offline at the time of analysis. The initial request, intercepted with the aid of a simulated server, is shown below:
    [Image: intercepted initial request]
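The XOR-obfuscated DLL payload described above is the kind of artifact an analyst has to triage from a capture. The following is an added example (not part of the SonicAlert and not SonicWALL code) that recovers a single-byte XOR key by looking for the MZ and PE signatures of a Windows executable; the payload blob it decodes is a constructed fake PE header, not the real sample.

```python
import struct
from typing import Optional


def xor_decode(data: bytes, key: int) -> bytes:
    """Undo single-byte XOR obfuscation (the reported sample used key 0x83)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Check the two signatures every Windows DLL/EXE carries:
    'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew (0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Slicing past the end yields an empty bytes object, so a bogus e_lfanew fails safely.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys and return the one that yields a PE image, or None."""
    for key in range(256):
        if looks_like_pe(xor_decode(blob, key)):
            return key
    return None


def make_sample_blob(key: int = 0x83) -> bytes:
    """Constructed stand-in for the payload: a minimal fake DOS/PE header, XOR'ed with `key`."""
    header = bytearray(0x48)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> PE header at offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return xor_decode(bytes(header), key)


if __name__ == "__main__":
    blob = make_sample_blob()
    key = find_xor_key(blob)
    print(f"recovered key: {key:#x}")  # -> 0x83
    print(xor_decode(blob, key)[:2])   # -> b'MZ'
```

Because XOR is a bijection per byte, at most one key can place 'M' at offset 0, so the PE check is a strong discriminator rather than a heuristic.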

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Bogidow.A (Exploit)
  • GAV: Bifrose.N (Trojan)
  • GAV: Shyape.A (Trojan)
  • GAV: Shyape.B (Trojan)
  • IPS: 9445 Windows IE Button Element Use-After-Free 1
  • IPS: 9446 Windows IE Button Element Use-After-Free 2