Posts

Magnitude Exploit Kit using HTM5 canvas element to hide Iframe (Nov 17, 2014)

The Dell SonicWALL Threats Research team analyzed a drive by attack involving the Magnitude exploit kit which leads to the download of additional malware on the target system upon successful exploit run. The malware in this case is Trojan Downloader.

Magnitude Exploit kit is an old kit present in the wild from more than a year. But recently we have observed an update in the way it redirects the victims from compromised websites to its landing page. In this update, this kit redirects the users using iframe, which is generated from a specially crafted image file, in order to evade detection from AV.

This kit uses HTML5 canvas element to read the image file byte by byte and extracts the iframe, as shown below

Fig-1 : Javascript code to extract data from image file

Below is the screenshot of crafted image file and its decode data.

Image 1 Image 2
Fig-2 : Encoded image file Fig-3 : Decoded Iframes from image file

On successful decryption, kit redirects users to its landing page. Landing Page contains HTML code to run Java applet, Flash and an iframe, which are exploits. Unlike other kits, this kits landing page doesn’t check for the browser plugins or software installed on the system.

Fig-4 : Magnitude Exploit kit’s landing page

Currently we observed that it is serving CVE-2013-2465 (Java vulnerability) & CVE-2013-2551 (IE10 vulnerability). On successful exploitation, these exploits download further malicious binaries.

Having up to date software will help in mitigating this Exploit Kit.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • Upatre.AA_14 (Trojan)
  • Injector.BLVV (Trojan)
  • Simda.B_61 (Trojan)

Microsoft Windows IE Vulnerability (CVE-2013-2551) attacks spotted in the wild (January 23, 2014)

Dell Sonicwall Threats Research team has found Internet Explorer vulnerability (CVE-2013-2551) still being exploited in the wild.
This use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code
via a crafted web site that triggers access to a deleted object.

This vulnerability has already been patched.

Following is an in-depth analysis of the attack.

Below is the crash code:

Due to this vulnerability attacker is able to control data in memory. In this case its from address 0x0c0c0c0c

The crash point:

Malicious javascript used to create a ROP Chain as follows:

We can see how the ROP Chain translates into memory

The stack trace:

We can see how the memory 0x0c0c0c0c is being written into.

Dell SonicWALL protects against this threat with the following signatures:

  • IPS: 9897 Windows IE VML shape object Memory Corruption 1 (MS13-037)
  • IPS: 9915 Windows IE VML shape object Memory Corruption 2 (MS13-037)
  • Microsoft Security Bulletin Coverage (May 14, 2013)

    Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of May, 2013. A list of issues reported, along with Dell SonicWALL coverage information follows:

    MS13-037 Cumulative Security Update for Internet Explorer (2829530)

    • CVE-2013-2551 Internet Explorer Use After Free Vulnerability
      IPS: 9897 “Windows IE VML shape object Memory Corruption”
    • CVE-2013-1313 Internet Explorer Use After Free Vulnerability
      IPS: 9601 “Windows OLE Automation Remote Code Execution 2 (MS13-020)”
      IPS: 9635 “Windows OLE Automation Remote Code Execution 3 (MS13-020)”
      IPS: 9636 “Windows OLE Automation Remote Code Execution 4 (MS13-020)”
    • CVE-2013-1312 Internet Explorer Use After Free Vulnerability
      IPS: 9899 “Windows IE DOM Object Use-After-Free 5”
    • CVE-2013-1311 Internet Explorer Use After Free Vulnerability
      IPS: 9896 “Windows IE DOM Object Use-After-Free 4”
    • CVE-2013-1310 Internet Explorer Use After Free Vulnerability
      IPS: 9895 “Windows IE DOM Object Use-After-Free 3”
    • CVE-2013-1309 Internet Explorer Use After Free Vulnerability
      IPS: 9894 “Windows IE CDispNode Use-After-Free”
    • CVE-2013-1308 Internet Explorer Use After Free Vulnerability
      IPS: 9609 “DOM Object Use-After-Free Attack 3”
    • CVE-2013-1307 Internet Explorer Use After Free Vulnerability
      IPS: 7454 “HTTP Client Shellcode Exploit 35a”
    • CVE-2013-1306 Internet Explorer Use After Free Vulnerability
      IPS: 9900 “Windows IE DOM Object Use-After-Free 6”
    • CVE-2013-1297 JSON Array Information Disclosure Vulnerability
      IPS: 9891 “Windows IE JSON Information Disclosure”
    • CVE-2013-0811 Internet Explorer Use After Free Vulnerability
      Not feasible to detect the vulnerability.

    MS13-038 Security Update for Internet Explorer (2847204)

    • CVE-2013-1347 Security Update for Internet Explorer
      IPS: 9470 “DOM Object Use-After-Free Attack 2”
      IPS: 9871 “Obfuscated HTML Code 3a”
      IPS: 9872 “Windows IE DOM Object Use-After-Free 1”
      IPS: 9873 “Windows IE DOM Object Use-After-Free 2”

    MS13-039 Vulnerability in HTTP.sys Could Allow Denial of Service (2829254)

    • CVE-2013-1305 HTTP.sys Denial of Service Vulnerability
      IPS: 9893 “Suspicious HTTP Accept-Encoding Header 1”

    MS13-040 Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)

    • CVE-2013-1337 Authentication Bypass Vulnerability
      Cannot distinguish between normal and attack traffic.
    • CVE-2013-1336 XML Digital Signature Spoofing Vulnerability
      Cannot distinguish between normal and attack traffic.

    MS13-041 Vulnerability in Lync Could Allow Remote Code Execution (2834695)

    • CVE-2013-1302 Lync RCE Vulnerability
      There are no known exploits in the wild.

    MS13-42 Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2830397)

    • CVE-2013-1329 Publisher Buffer Underflow Vulnerability
      There are no known exploits in the wild.
    • CVE-2013-1328 Publisher Pointer Handling Vulnerability
      There are no known exploits in the wild.
    • CVE-2013-1327 Publisher Signed Integer Vulnerability
      There are no known exploits in the wild.
    • CVE-2013-1323 Publisher Incorrect NULL Value Handling Vulnerability
      There are no known exploits in the wild.
    • CVE-2013-1322 Publisher Invalid Range Check Vulnerability
      There are no known exploits in the wild.
    • CVE-2013-1321 Publisher Return Value Validation Vulnerability
      There are no known exploits in the wild.
    • CVE-2013-1320 Publisher Buffer Overflow Vulnerability
      There are no known exploits in the wild.
    • CVE-2013-1319 Publisher Return Value Handling Vulnerability
      There are no known exploits in the wild.
    • CVE-2013-1318 Publisher Corrupt Interface Pointer Vulnerability
      There are no known exploits in the wild.
    • CVE-2013-1317 Publisher Integer Overflow Vulnerability
      There are no known exploits in the wild.
    • CVE-2013-1316 Publisher Negative Value Allocation Vulnerability
      There are no known exploits in the wild.

    MS13-043 Vulnerability in Microsoft Word Could Allow Remote Code Execution (2830399)

    • CVE-2013-1335 Word Shape Corruption Vulnerability
      There are no known exploits in the wild.

    MS13-044 Vulnerability in Microsoft Visio Could Allow Information Disclosure (2834692)

    • CVE-2013-1301 XML External Entities Resolution Vulnerability
      IPS: 9892 “Microsoft Visio Information Disclosure”

    MS13-045 Vulnerability in Windows Essentials Could Allow Information Disclosure (2813707)

    • CVE-2013-0096 Windows Essentials Improper URI Handling Vulnerability
      There are no known exploits in the wild.

    MS13-046 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2840221)

    • CVE-2013-1334 Win32k Window Handle Vulnerability
      It’s elevation of privilege, not feasible to detect.
    • CVE-2013-1333 Win32k Buffer Overflow Vulnerability
      It’s elevation of privilege, not feasible to detect.
    • CVE-2013-1332 DirectX Graphics Kernel Subsystem Double Fetch Vulnerability
      It’s elevation of privilege, not feasible to detect.