Microsoft Security Bulletin Coverage (March 11, 2014)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of March 2014. A list of the reported issues, along with Dell SonicWALL coverage information, follows:

MS14-012 Cumulative Security Update for Internet Explorer (2925418)

  • CVE-2014-0297 Internet Explorer Memory Corruption Vulnerability
    IPS: 3462 Windows IE Memory Corruption Vulnerability (MS14-012) 6
  • CVE-2014-0298 Internet Explorer Memory Corruption Vulnerability
    IPS: 5764 Windows IE Memory Corruption Vulnerability (MS14-010) 6
  • CVE-2014-0299 Internet Explorer Memory Corruption Vulnerability
    IPS: 3469 Windows IE Memory Corruption Vulnerability (MS14-012) 8
  • CVE-2014-0302 Internet Explorer Memory Corruption Vulnerability
    IPS: 3479 Windows IE Memory Corruption Vulnerability (MS14-012) 11
  • CVE-2014-0303 Internet Explorer Memory Corruption Vulnerability
    IPS: 3480 Windows IE Memory Corruption Vulnerability (MS14-012) 12
  • CVE-2014-0304 Internet Explorer Memory Corruption Vulnerability
    IPS: 3472 Windows IE Memory Corruption Vulnerability (MS14-012) 10
  • CVE-2014-0305 Internet Explorer Memory Corruption Vulnerability
    IPS: 3461 Windows IE Memory Corruption Vulnerability (MS14-012) 4
  • CVE-2014-0306 Internet Explorer Memory Corruption Vulnerability
    IPS: 3464 Windows IE Memory Corruption Vulnerability (MS14-012) 5
  • CVE-2014-0307 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0308 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0309 Internet Explorer Memory Corruption Vulnerability
    IPS: 3466 Windows IE Memory Corruption Vulnerability (MS14-012) 7
  • CVE-2014-0311 Internet Explorer Memory Corruption Vulnerability
    IPS: 3471 Windows IE Memory Corruption Vulnerability (MS14-012) 9
  • CVE-2014-0312 Internet Explorer Memory Corruption Vulnerability
    IPS: 3468 Windows IE Memory Corruption Vulnerability (MS14-012) 14
  • CVE-2014-0313 Internet Explorer Memory Corruption Vulnerability
    IPS: 3467 Windows IE Memory Corruption Vulnerability (MS14-012) 13
  • CVE-2014-0314 Internet Explorer Memory Corruption Vulnerability
    IPS: 3448 Windows IE Memory Corruption Vulnerability (MS14-012) 3
  • CVE-2014-0321 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0322 Internet Explorer Memory Corruption Vulnerability
    SPY: 4825 Malformed-File html.MP.2
  • CVE-2014-0324 Internet Explorer Memory Corruption Vulnerability
    IPS: 3444 Windows IE Memory Corruption Vulnerability (MS14-012) 1

MS14-013 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2929961)

  • CVE-2014-0301 DirectShow Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS14-014 Vulnerability in Silverlight Could Allow Security Feature Bypass (2932677)

  • CVE-2014-0319 Silverlight DEP/ASLR Bypass Vulnerability
    There are no known exploits in the wild.

MS14-015 Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2930275)

  • CVE-2014-0300 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0323 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS14-016 Vulnerability in Security Account Manager Remote (SAMR) Protocol Could Allow Security Feature Bypass (2934418)

  • CVE-2014-0317 SAMR Security Feature Bypass Vulnerability
    There are no known exploits in the wild.

Internet Explorer Zero Day (CVE-2014-0322) Exploit Analysis (Feb 21, 2014)

Last week, we reported our preliminary analysis of the Internet Explorer zero-day exploit targeting CVE-2014-0322.
This article continues that analysis.
We also have a detailed writeup on the malware analysis of the dropped binaries.

Attack Flow

In the SWF decompilation below, another file, Erido.jpg, is downloaded; it contains the bytes used to drop malware once the vulnerability has been exploited successfully.

Here is the crash point, which shows mshtml.dll:

The following sequence of functions is called in the context of IE, which shows that the exploit succeeded.

Sqlrenew.txt dropped in Temp Folder

Stream.exe dropped in Temp Folder

Control is executing from the 0x1a1bXXXX address range, and multiple WriteFile calls perform the respective file write operations.

We can see below that the module sqlrenew.txt is loaded. When the user exits IE, stream.exe is spawned as a process.
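The post-exploitation behaviour described above (a browser writing files into Temp, mapping a .txt as a module, then starting an executable from Temp) is observable in endpoint telemetry independently of the exploit itself. The following detection logic is an added example, not code from the original post or from Dell SonicWALL; the Sysmon-style event records, user name and paths are constructed, and it assumes the spawned stream.exe has the browser as its parent process.

```python
import ntpath

# Constructed sample telemetry (Sysmon-style, not taken from the original post),
# modelled on the behaviour described above: iexplore.exe writes two files into
# %TEMP%, loads one of them (a .txt) as a module, then spawns the other on exit.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
TMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "file_create", "image": IE, "target": TMP + r"\sqlrenew.txt"},
    {"type": "file_create", "image": IE, "target": TMP + r"\stream.exe"},
    {"type": "image_load", "image": IE, "loaded": r"C:\Windows\System32\mshtml.dll"},
    {"type": "image_load", "image": IE, "loaded": TMP + r"\sqlrenew.txt"},
    {"type": "process_create", "parent_image": IE, "image": TMP + r"\stream.exe"},
    # benign control event: explorer.exe starting notepad from System32
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]

BROWSERS = {"iexplore.exe"}
MODULE_EXTS = {".dll", ".exe", ".ocx", ".drv", ".sys"}  # extensions a loaded image normally has

def in_temp(path):
    """True if the path sits under a Temp directory (case-insensitive)."""
    return "\\temp\\" in path.lower()

def name(path):
    return ntpath.basename(path).lower()

def detect(events):
    """Return (rule, file, written_by_browser) tuples for suspicious events."""
    written = set()   # Temp files the browser itself wrote earlier in the stream
    alerts = []
    for e in events:
        if e["type"] == "file_create" and name(e["image"]) in BROWSERS and in_temp(e["target"]):
            written.add(name(e["target"]))
        elif e["type"] == "image_load" and name(e["image"]) in BROWSERS:
            ext = ntpath.splitext(e["loaded"])[1].lower()
            # a browser mapping a .txt (or any non-module extension) from Temp is abnormal
            if in_temp(e["loaded"]) and ext not in MODULE_EXTS:
                alerts.append(("browser_loads_nonstandard_module", name(e["loaded"]),
                               name(e["loaded"]) in written))
        elif e["type"] == "process_create" and name(e["parent_image"]) in BROWSERS:
            if in_temp(e["image"]):
                alerts.append(("browser_spawns_temp_executable", name(e["image"]),
                               name(e["image"]) in written))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The third field of each alert records whether the browser itself wrote the file earlier, which is the correlation that separates this drop-and-run pattern from an ordinary installer launched from Temp.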

Our detection coverage follows.

  • IPS: 6315 HTTP Client Shellcode Exploit 11a
  • IPS: 7454 HTTP Client Shellcode Exploit 35a
  • GAV: CVE-2014-0322#swf (Exploit)
  • GAV: CVE-2014-0322#html (Exploit)

Latest Internet Explorer Zero Day (CVE-2014-0322) Exploited In The Wild (Feb 14, 2014)

The Dell SonicWALL Threats Research Team has spotted the latest zero day, which exploits the vulnerability CVE-2014-0322.
This exploit targets Internet Explorer 10 and contains specially crafted JavaScript that triggers a use-after-free condition.
The exploit was being served from a compromised website, which has since taken down the malicious HTML.

The following shows the structure of the exploit.

Here an ActiveXObject is instantiated.

Below is the code that triggers the memory corruption.

Here the function puIHa3 checks for the presence of a DLL, followed by a reference to the SWF file.
The exploit also specifically checks that the browser is IE 10.

The SWF file uses ExternalInterface to invoke puIHa3 in the JavaScript above.

The SWF is also responsible for allocating the further bytes needed to carry out successful exploitation.

We have implemented the following signatures to detect the attack.

  • IPS: 6315 HTTP Client Shellcode Exploit 11a
  • IPS: 7454 HTTP Client Shellcode Exploit 35a
  • GAV: CVE-2014-0322#swf (Exploit)
  • GAV: CVE-2014-0322#html (Exploit)