Microsoft InformationCardSigninHelper Class ActiveX control (CVE-2013-3918) exploit spotted in the Wild (November 20, 2013)

The Dell SonicWALL Threats Research team has found an in-the-wild exploit targeting the InformationCardSigninHelper Class ActiveX control vulnerability (CVE-2013-3918).
The attack uses a specially crafted HTML page and specifically targets Internet Explorer.
We were able to successfully exploit a Windows XP system running IE 8.

Following are the details of the attack.

We can see the vulnerable CLSID instantiated using an object tag. The attack uses both JavaScript and VBScript interchangeably and calls the vulnerable function while setting up ROP gadgets.

The code above is translated into the following ROP chain in memory.

The ROP chain leads to VirtualProtect.

We can see that the bytes are further XORed with 0x9f.

The following shows how the rundll32 process is created.

On successful execution, the process tries to make TCP connections to IP address 111.X.X.93 on port 443.
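As an added defender-side example (not code from the original post), the following Python correlation flags the process chain described above: Internet Explorer spawning rundll32.exe, which then opens an outbound TCP connection on port 443. The event records and their field names are constructed assumptions for illustration, not a real EDR or Sysmon schema.

```python
"""Correlate process-creation and network-connection telemetry to flag a
browser-spawned rundll32.exe that later connects outbound on port 443.
Field names are assumptions (a hypothetical EDR-style export)."""

# Constructed sample telemetry (not captured from the real incident).
# "dst" keeps the post's redacted address as a labelled placeholder.
EVENTS = [
    {"type": "process", "pid": 1204, "image": "iexplore.exe", "ppid": 800, "parent": "explorer.exe"},
    {"type": "process", "pid": 1312, "image": "rundll32.exe", "ppid": 1204, "parent": "iexplore.exe"},
    {"type": "network", "pid": 1312, "image": "rundll32.exe", "dst": "111.X.X.93", "dport": 443},
    # Benign control: rundll32 launched by the shell, not by the browser.
    {"type": "process", "pid": 1500, "image": "rundll32.exe", "ppid": 800, "parent": "explorer.exe"},
    {"type": "network", "pid": 1500, "image": "rundll32.exe", "dst": "10.0.0.5", "dport": 443},
]

BROWSERS = {"iexplore.exe"}
SUSPICIOUS_CHILDREN = {"rundll32.exe"}
WATCHED_PORTS = frozenset({443})


def find_browser_spawned_beacons(events, ports=WATCHED_PORTS):
    """Return (pid, parent, dst, dport) for every rundll32 process that was
    spawned by a browser and afterwards connected outbound on a watched port.
    Events are assumed to be in time order; a pid is tracked from its
    creation event, so pid reuse after exit should be handled by the caller."""
    suspect_pids = {}  # pid -> parent image of the suspicious child
    hits = []
    for ev in events:
        if (ev["type"] == "process"
                and ev["image"].lower() in SUSPICIOUS_CHILDREN
                and ev["parent"].lower() in BROWSERS):
            suspect_pids[ev["pid"]] = ev["parent"]
        elif (ev["type"] == "network"
                and ev["pid"] in suspect_pids
                and ev["dport"] in ports):
            hits.append((ev["pid"], suspect_pids[ev["pid"]], ev["dst"], ev["dport"]))
    return hits


if __name__ == "__main__":
    for pid, parent, dst, dport in find_browser_spawned_beacons(EVENTS):
        print(f"ALERT pid={pid}: rundll32.exe spawned by {parent} connected to {dst}:{dport}")
```

Only the browser-spawned instance is reported; the shell-spawned rundll32 making the same kind of connection is left alone, which keeps the rule from firing on routine use.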

We have a couple of signatures that cover the attack.

  • IPS 7600 InformationCardSigninHelper ActiveX Instantiation (MS13-090)
  • SPY 4736 CVE-2013-3918

Microsoft Security Bulletin Coverage (Nov 12, 2013)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of November 2013. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS13-088 Cumulative Security Update for Internet Explorer (2888505)

  • CVE-2013-3871 Internet Explorer Memory Corruption Vulnerability
    IPS: 7547 “Windows IE Use-After-Free Vulnerability (MS13-080) 1”
  • CVE-2013-3908 Internet Explorer Information Disclosure Vulnerability
    IPS: 7599 “Windows IE Information Disclosure Vulnerability (MS13-088)”
  • CVE-2013-3909 Internet Explorer Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-3910 Internet Explorer Memory Corruption Vulnerability
    IPS: 7601 “Windows IE Use-After-Free Vulnerability (MS13-088) 1”
  • CVE-2013-3911 Internet Explorer Memory Corruption Vulnerability
    IPS: 7602 “Windows IE Use-After-Free Vulnerability (MS13-088) 2”
  • CVE-2013-3912 Internet Explorer Memory Corruption Vulnerability
    IPS: 7603 “Windows IE Use-After-Free Vulnerability (MS13-088) 3”
  • CVE-2013-3914 Internet Explorer Memory Corruption Vulnerability
    IPS: 7604 “Windows IE Use-After-Free Vulnerability (MS13-088) 4”
  • CVE-2013-3915 Internet Explorer Memory Corruption Vulnerability
    IPS: 7605 “DOM Object Use-After-Free Attack 8”
  • CVE-2013-3916 Internet Explorer Memory Corruption Vulnerability
    IPS: 7605 “DOM Object Use-After-Free Attack 8”
  • CVE-2013-3917 Internet Explorer Memory Corruption Vulnerability
    IPS: 7606 “Windows IE Use-After-Free Vulnerability (MS13-088) 5”

MS13-089 Vulnerability in Windows Graphics Device Interface Could Allow Remote Code Execution (2876331)

  • CVE-2013-3940 Internet Explorer Memory Corruption Vulnerability
    SPY: 3606 “Malformed-File doc.MP.15”

MS13-090 Cumulative Security Update of ActiveX Kill Bits (2900986)

  • CVE-2013-3918 InformationCardSigninHelper Vulnerability
    IPS: 7600 “InformationCardSigninHelper ActiveX Control Memory Corruption (MS13-090)”

MS13-091 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2885093)

  • CVE-2013-0082 WPD File Format Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-1324 Word Stack Buffer Overwrite Vulnerability
    SPY: 3920 “Malformed-File doc.MP.16”
  • CVE-2013-1325 Word Heap Overwrite Vulnerability
    SPY: 4734 “Malformed-File doc.MP.17”

MS13-092 Vulnerability in Hyper-V Could Allow Elevation of Privilege (2893986)

  • CVE-2013-3898 Address Corruption Vulnerability
    There are no known exploits in the wild.

MS13-093 Vulnerability in Windows Ancillary Function Driver Could Allow Information Disclosure (2875783)

  • CVE-2013-3887 Ancillary Function Driver Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS13-094 Vulnerability in Microsoft Outlook Could Allow Information Disclosure (2894514)

  • CVE-2013-3905 S/MIME AIA Vulnerability
    There are no known exploits in the wild.

MS13-095 Vulnerability in Digital Signatures Could Allow Denial of Service (2868626)

  • CVE-2013-3869 Digital Signatures Vulnerability
    There are no known exploits in the wild.