Posts

Microsoft Windows IE Vulnerability(CVE-2013-1347) attacks spotted in the Wild (Oct 17, 2013)

Dell Sonicwall Threats Research team has found the old Internet Explorer vulnerability(CVE-2013-1347) still getting actively exploited.
This is the same vulnerability exploited in the Department of Labor Attacks earlier this year.
This is a use-after-free condition which occurs when an Object gets deleted but its reference is re-used causing memory corruption thereby allowing arbitrary code execution.

Following is an in-depth analysis of the attack.

Malicious Javascript is shown below employing ROP techniques.

image

Debugging shows successful exploitation of the vulnerability

image

This page includes payload which downloads a binary which is saved as C:rund11.exe

image

image

Another binary is downloaded as shown.

image

This binary upon execution sends requests to following domains.

image

Following signatures are already proactively detecting the attack.

  • IPS:9470 DOM Object Use-After-Free Attack 2
  • IPS:9872 Windows IE DOM Object Use-After-Free (MS13-038) 1
  • IPS:9873 Windows IE DOM Object Use-After-Free (MS13-038) 2

Microsoft Security Bulletin Coverage (May 14, 2013)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of May, 2013. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS13-037 Cumulative Security Update for Internet Explorer (2829530)

  • CVE-2013-2551 Internet Explorer Use After Free Vulnerability
    IPS: 9897 “Windows IE VML shape object Memory Corruption”
  • CVE-2013-1313 Internet Explorer Use After Free Vulnerability
    IPS: 9601 “Windows OLE Automation Remote Code Execution 2 (MS13-020)”
    IPS: 9635 “Windows OLE Automation Remote Code Execution 3 (MS13-020)”
    IPS: 9636 “Windows OLE Automation Remote Code Execution 4 (MS13-020)”
  • CVE-2013-1312 Internet Explorer Use After Free Vulnerability
    IPS: 9899 “Windows IE DOM Object Use-After-Free 5”
  • CVE-2013-1311 Internet Explorer Use After Free Vulnerability
    IPS: 9896 “Windows IE DOM Object Use-After-Free 4”
  • CVE-2013-1310 Internet Explorer Use After Free Vulnerability
    IPS: 9895 “Windows IE DOM Object Use-After-Free 3”
  • CVE-2013-1309 Internet Explorer Use After Free Vulnerability
    IPS: 9894 “Windows IE CDispNode Use-After-Free”
  • CVE-2013-1308 Internet Explorer Use After Free Vulnerability
    IPS: 9609 “DOM Object Use-After-Free Attack 3”
  • CVE-2013-1307 Internet Explorer Use After Free Vulnerability
    IPS: 7454 “HTTP Client Shellcode Exploit 35a”
  • CVE-2013-1306 Internet Explorer Use After Free Vulnerability
    IPS: 9900 “Windows IE DOM Object Use-After-Free 6”
  • CVE-2013-1297 JSON Array Information Disclosure Vulnerability
    IPS: 9891 “Windows IE JSON Information Disclosure”
  • CVE-2013-0811 Internet Explorer Use After Free Vulnerability
    Not feasible to detect the vulnerability.

MS13-038 Security Update for Internet Explorer (2847204)

  • CVE-2013-1347 Security Update for Internet Explorer
    IPS: 9470 “DOM Object Use-After-Free Attack 2”
    IPS: 9871 “Obfuscated HTML Code 3a”
    IPS: 9872 “Windows IE DOM Object Use-After-Free 1”
    IPS: 9873 “Windows IE DOM Object Use-After-Free 2”

MS13-039 Vulnerability in HTTP.sys Could Allow Denial of Service (2829254)

  • CVE-2013-1305 HTTP.sys Denial of Service Vulnerability
    IPS: 9893 “Suspicious HTTP Accept-Encoding Header 1”

MS13-040 Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)

  • CVE-2013-1337 Authentication Bypass Vulnerability
    Cannot distinguish between normal and attack traffic.
  • CVE-2013-1336 XML Digital Signature Spoofing Vulnerability
    Cannot distinguish between normal and attack traffic.

MS13-041 Vulnerability in Lync Could Allow Remote Code Execution (2834695)

  • CVE-2013-1302 Lync RCE Vulnerability
    There are no known exploits in the wild.

MS13-42 Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2830397)

  • CVE-2013-1329 Publisher Buffer Underflow Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1328 Publisher Pointer Handling Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1327 Publisher Signed Integer Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1323 Publisher Incorrect NULL Value Handling Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1322 Publisher Invalid Range Check Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1321 Publisher Return Value Validation Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1320 Publisher Buffer Overflow Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1319 Publisher Return Value Handling Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1318 Publisher Corrupt Interface Pointer Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1317 Publisher Integer Overflow Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1316 Publisher Negative Value Allocation Vulnerability
    There are no known exploits in the wild.

MS13-043 Vulnerability in Microsoft Word Could Allow Remote Code Execution (2830399)

  • CVE-2013-1335 Word Shape Corruption Vulnerability
    There are no known exploits in the wild.

MS13-044 Vulnerability in Microsoft Visio Could Allow Information Disclosure (2834692)

  • CVE-2013-1301 XML External Entities Resolution Vulnerability
    IPS: 9892 “Microsoft Visio Information Disclosure”

MS13-045 Vulnerability in Windows Essentials Could Allow Information Disclosure (2813707)

  • CVE-2013-0096 Windows Essentials Improper URI Handling Vulnerability
    There are no known exploits in the wild.

MS13-046 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2840221)

  • CVE-2013-1334 Win32k Window Handle Vulnerability
    It’s elevation of privilege, not feasible to detect.
  • CVE-2013-1333 Win32k Buffer Overflow Vulnerability
    It’s elevation of privilege, not feasible to detect.
  • CVE-2013-1332 DirectX Graphics Kernel Subsystem Double Fetch Vulnerability
    It’s elevation of privilege, not feasible to detect.

Microsoft out-of-band Security Advisory for IE 8 (May 4, 2013)

Microsoft has released an out-of-band bulletin Microsoft Security Advisory (2847140) addressing an IE 8 vulnerability on May 3, 2013. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. The vulnerability does not affect other IE versions.

This vulnerability has been referred by CVE as CVE-2013-1347.

Dell SonicWALL threat team has researched this vulnerability at the same day and created three IPS signatures to capture the attack traffic. The following are the list of the IPS signatures.

  • 9871 EXPLOIT HTTP Client Shellcode Exploit 77
  • 9872 WEB-CLIENT HTTP Client Suspicious Function Call
  • 9873 WEB-CLIENT HTTP Client Suspicious Function Call 2

For the Microsoft vulnerabilities covered by SonicWALL, please refer to SonicWALL MAPP for details.

Update(May 8, 2013): the Fix It Information has been released by Microsoft on May 8, 2013.