
Internet Explorer Vulnerability CVE-2014-1776 Exploit Analysis (May 23, 2014)

The Dell SonicWALL Threat Research team has analyzed the Internet Explorer vulnerability CVE-2014-1776.
We had earlier addressed this vulnerability when Microsoft released its out-of-band Security Advisory (2963983).

The following shows an analysis of how this attack is carried out.

The attack reaches the victim's system via a webpage containing a crafted malicious HTML document that exploits a use-after-free condition to achieve memory corruption.

The HTML contains a reference to an SWF file, which does the bulk of the work.
The following decompiled ActionScript shows how a Vector object is used along with a reference to eim, an external JavaScript function.

The eim function contains the code that triggers the vulnerability.

The SWF is also tasked with checking the browser version and acting accordingly.

It also checks and sets a cookie to monitor the number of runs.

This is how the ActionScript looks up ZwProtectVirtualMemory, which the ROP chain uses to make the shellcode reliably executable.

We have implemented the following signatures to detect the attack.

  • IPS:3787 Internet Explorer Memory Corruption Vulnerability (CVE-2014-1776)
  • SPY:3367 Malformed-File swf.OT.9
  • SPY:2290 Malformed-File swf.OT.8

Microsoft Security Bulletin Coverage (May 13, 2014)

Dell SonicWALL has analyzed and addressed Microsoft's security advisories for the month of May 2014. A list of the issues reported, along with Dell SonicWALL coverage information, is as follows:

MS14-021 Security Update for Internet Explorer (2965111)

  • CVE-2014-1776 Internet Explorer Memory Corruption Vulnerability
    IPS: 3787 “Internet Explorer Memory Corruption Vulnerability (CVE-2014-1776)”
    SPY: 3371 “Malformed-File html.MP.6”
    SPY: 3372 “Malformed-File html.MP.7”
    SPY: 3367 “Malformed-File swf.OT.9”
    SPY: 2290 “Malformed-File swf.OT.8”
    GAV: 23155 “CVE-2014-1776”

MS14-029 Security Update for Internet Explorer (2962482)

  • CVE-2014-1815 Internet Explorer Memory Corruption Vulnerability
    IPS: 3869 “Windows IE Memory Corruption Vulnerability (MS14-029) 2”
  • CVE-2014-0310 Internet Explorer Memory Corruption Vulnerability
    IPS: 3867 “Windows IE Memory Corruption Vulnerability (MS14-029) 1”

MS14-022 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166)

  • CVE-2014-0251 SharePoint Page Content Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1754 SharePoint XSS Vulnerability
    IPS: 3868 “Microsoft SharePoint Server XSS 11 (MS14-022)”
    IPS: 1369 “Cross-Site Scripting (XSS) Attack 1”
    IPS: 6753 “Cross-Site Scripting (XSS) Attack 8”
  • CVE-2014-1813 Web Applications Page Content Vulnerability
    There are no known exploits in the wild.

MS14-023 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2961037)

  • CVE-2014-1756 Microsoft Office Chinese Grammar Checking Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-1808 Token Reuse Vulnerability
    There are no known exploits in the wild.

MS14-025 Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486)

  • CVE-2014-1812 Group Policy Preferences Password Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS14-026 Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732)

  • CVE-2014-1806 TypeFilterLevel Vulnerability
    There are no known exploits in the wild.

MS14-027 Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488)

  • CVE-2014-1807 Windows Shell File Association Vulnerability
    There are no known exploits in the wild.

MS14-028 Vulnerabilities in iSCSI Could Allow Denial of Service (2962485)

  • CVE-2014-0255 iSCSI Target Remote Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0256 iSCSI Target Remote Denial of Service Vulnerability
    There are no known exploits in the wild.

MS14-024 Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033)

  • CVE-2014-1809 MSCOMCTL ASLR Vulnerability
    There are no known exploits in the wild.

Microsoft out-of-band Security Advisory for IE (April 27, 2014)

Microsoft has released an out-of-band bulletin, Microsoft Security Advisory (2963983), on April 26th, 2014 that addresses a remote code execution vulnerability in Microsoft Internet Explorer. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. It may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. This vulnerability affects Internet Explorer 6, 7, 8, 9, 10, and 11, and has been assigned CVE-2014-1776.

The Dell SonicWALL threat team researched this vulnerability and created the following IPS signature to cover the attack:

  • IPS: 3787 Windows IE Remote Code Execution Vulnerability (CVE-2014-1776)

Note that to be protected, make sure the Dell SonicWALL Intrusion Prevention service is enabled and the signature set is up to date.

Dell SonicWALL also has existing signatures that detect VML file downloads, which mitigate the risk of exposure to this vulnerability:

  • APP:3617 XML — VML File (HTTP Download) 1a
  • APP:3269 XML — VML File (HTTP Download) 1b
  • APP:3629 XML — VML File (HTTP Download) 2a
  • APP:3271 XML — VML File (HTTP Download) 2b
  • APP:3630 XML — VML File (HTTP Download) 3a
  • APP:3272 XML — VML File (HTTP Download) 3b
  • APP:4058 XML — VML File (HTTP Download) 4a
  • APP:3284 XML — VML File (HTTP Download) 4b

To further limit your exposure to the vulnerability, please follow the steps below:

  • Apply the security patch from Microsoft released on May 1, 2014. Microsoft has also released the update for Windows XP, although support for Windows XP was discontinued on April 8th, 2014.
  • Do not open unknown URLs from external emails.
  • Keep your Microsoft email clients such as Outlook in the Restricted sites zone, which is the default.
  • Internet Explorer running in the restricted mode known as Enhanced Security Configuration is safe. This mode is the default on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
  • Set the Internet and Local intranet security zone settings to “High”.
  • Configure Internet Explorer to prompt before running Active Scripting, or disable Active Scripting, in the Internet and Local intranet security zones.
  • Deploy EMET (Enhanced Mitigation Experience Toolkit) 4.1.
  • Unregister VGX.DLL by running the command “%SystemRoot%\System32\regsvr32.exe” -u “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll” in a command prompt.
  • Modify the Access Control List on VGX.DLL to be more restrictive.
  • Enable Enhanced Protected Mode for Internet Explorer 11 and enable 64-bit processes for Enhanced Protected Mode.
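
The following PowerShell script is an added example, not code from the SonicWALL post or from Microsoft; it audits, and with -Apply enforces, the host-side workarounds from the list above (zone level High, Active Scripting disabled, Enhanced Protected Mode with 64-bit processes, vgx.dll unregistered and locked down) for the current user on one Windows machine. The registry paths and value names are the standard per-user Internet Explorer zone and Enhanced Protected Mode settings; the vgx.dll registration check (a scan of CLSID InprocServer32 entries) and the icacls deny rule used for the "more restrictive ACL" step are this script's own choices and are labelled as such in the comments. Patching and deploying EMET are not scriptable here and remain separate steps.

```powershell
# Added example (not from the SonicWALL post). Audits, and with -Apply enforces, the
# per-user IE workarounds listed above. Run from an elevated PowerShell prompt.
# Assumptions: registry paths/value names are the standard IE zone and EPM settings;
# the vgx.dll registration scan and the icacls deny rule are this script's own choices.
param([switch]$Apply)   # report only unless -Apply is given

$ZoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$IeMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$Vgx       = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
$Zones     = @{ 1 = 'Local intranet'; 3 = 'Internet' }   # IE zone ids
$High      = 0x12000   # CurrentLevel for the "High" template (Medium is 0x11000)
$Disable   = 3         # URLACTION setting: 0 = enable, 1 = prompt, 3 = disable
$ScriptRun = '1400'    # URLACTION_SCRIPT_RUN, i.e. Active Scripting

function Test-VgxRegistered {
    # regsvr32 /u deletes the CLSID keys vgx.dll created; if any InprocServer32
    # default value still points at the DLL, it is still registered (heuristic scan).
    $hits = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.'(default)' -like '*vgx.dll' }
    return [bool]$hits
}

function Get-IeHardeningState {
    # One row per workaround; Ok is $true when the host already matches the recommendation.
    $rows = foreach ($id in $Zones.Keys) {
        $z = Get-ItemProperty -Path "$ZoneRoot\$id"
        [pscustomobject]@{ Check  = "$($Zones[$id]) zone level is High"
                           Ok     = ($z.CurrentLevel -eq $High)
                           Actual = ('0x{0:X}' -f $z.CurrentLevel) }
        [pscustomobject]@{ Check  = "$($Zones[$id]) zone Active Scripting disabled"
                           Ok     = ($z.$ScriptRun -eq $Disable)
                           Actual = $z.$ScriptRun }
    }
    $main = Get-ItemProperty -Path $IeMain -ErrorAction SilentlyContinue
    $vgxRegistered = Test-VgxRegistered
    $rows += [pscustomobject]@{ Check  = 'Enhanced Protected Mode enabled'
                                Ok     = ($main.Isolation -eq 'PMEM')
                                Actual = $main.Isolation }
    $rows += [pscustomobject]@{ Check  = 'EPM uses 64-bit processes'
                                Ok     = ($main.Isolation64Bit -eq 1)
                                Actual = $main.Isolation64Bit }
    $rows += [pscustomobject]@{ Check  = 'vgx.dll unregistered'
                                Ok     = (-not $vgxRegistered)
                                Actual = "registered=$vgxRegistered" }
    return $rows
}

function Invoke-IeHardening {
    foreach ($id in $Zones.Keys) {
        $key = "$ZoneRoot\$id"
        Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value $High -Type DWord
        Set-ItemProperty -Path $key -Name $ScriptRun -Value $Disable -Type DWord
    }
    if (-not (Test-Path $IeMain)) { New-Item -Path $IeMain -Force | Out-Null }
    Set-ItemProperty -Path $IeMain -Name 'Isolation' -Value 'PMEM' -Type String
    Set-ItemProperty -Path $IeMain -Name 'Isolation64Bit' -Value 1 -Type DWord
    if (Test-Path $Vgx) {
        # Unregister the VML renderer, then deny Everyone (well-known SID S-1-1-0)
        # access to the file; the deny rule is this script's reading of "more restrictive ACL".
        & "$env:SystemRoot\System32\regsvr32.exe" /u /s $Vgx
        & icacls.exe $Vgx /deny '*S-1-1-0:(F)'
    }
}

if ($Apply) { Invoke-IeHardening }
Get-IeHardeningState | Format-Table -AutoSize
```

Run it once without -Apply to see which workarounds a host is missing, then with -Apply to enforce them. The zone and Enhanced Protected Mode values are written under HKCU, so they cover only the user running the script; across a fleet the same settings are better pushed through the equivalent Group Policy entries, and the change in zone level will break intranet applications that rely on Active Scripting, which is why the report step comes first.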

For the Microsoft vulnerabilities covered by SonicWALL, please refer to SonicWALL MAPP for details.

Last updated on May 2nd, 2014.