
Windows OLE CVE-2014-6332 exploit spotted in the wild (Dec 17, 2014)

A remote code execution vulnerability exists when Internet Explorer improperly accesses OLE objects in memory. This allows remote attackers to execute arbitrary code via a crafted web site.

CVE-2014-6332, also known as the Windows OLE Automation Array Remote Code Execution Vulnerability, is being exploited in the wild. The vulnerability is due to insufficient error handling when using ReDim Preserve in VBScript.

The exploit code performs type confusion. If an error occurs during array redimensioning, the old array size is not preserved. This allows the attacker to read and write memory outside the limits of the original array.
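The resize error-handling flaw described above, reduced to a toy model in C beside its hardened form (an added example, not code from OLEAUT32 or from the original post). The `toy_array` type, `toy_realloc`, and the 1024-element limit are hypothetical and exist only to force the error path; the model assumes the stale size comes from updating the count before the allocation result is known.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy array descriptor (hypothetical; not the real OLEAUT32 layout). */
typedef struct {
    int   *data;       /* backing buffer */
    size_t count;      /* element count that bounds checks trust */
    size_t allocated;  /* elements the buffer really holds (tracked for the demo) */
} toy_array;

#define TOY_MAX_ELEMS 1024  /* constructed limit that forces the error path */

static int *toy_realloc(int *p, size_t n) {
    if (n == 0 || n > TOY_MAX_ELEMS) return NULL;   /* simulated failure */
    return realloc(p, n * sizeof(int));
}

/* Flawed: the new count is written first and not rolled back on error. */
int resize_flawed(toy_array *a, size_t n) {
    a->count = n;
    int *p = toy_realloc(a->data, n);
    if (!p) return -1;            /* count now disagrees with the buffer */
    a->data = p; a->allocated = n;
    return 0;
}

/* Hardened: descriptor fields change only after the allocation succeeds. */
int resize_safe(toy_array *a, size_t n) {
    int *p = toy_realloc(a->data, n);
    if (!p) return -1;            /* old count and buffer stay valid */
    a->data = p; a->allocated = n; a->count = n;
    return 0;
}

/* The check an element accessor would make: it trusts count. */
int index_accepted(const toy_array *a, size_t i) { return i < a->count; }

/* Invariant an assertion can test: count never exceeds the buffer. */
int consistent(const toy_array *a) { return a->count <= a->allocated; }

int main(void) {
    toy_array a = {0}, b = {0};
    resize_flawed(&a, 4); resize_flawed(&a, 1000000);
    resize_safe(&b, 4);   resize_safe(&b, 1000000);
    printf("flawed: consistent=%d index 100 accepted=%d\n", consistent(&a), index_accepted(&a, 100));
    printf("safe:   consistent=%d index 100 accepted=%d\n", consistent(&b), index_accepted(&b, 100));
    free(a.data); free(b.data);
    return 0;
}
```

The code only evaluates the bounds check and never dereferences the out-of-range index; the point is that after a failed resize the flawed descriptor accepts indexes its four-element buffer cannot back.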

The call stack shows that the vulnerable DLL is OLEAUT32.DLL.

Microsoft had already released a patch for the vulnerability. The Dell SonicWALL Threat Research Team has researched this vulnerability and released the following IPS signature to protect its customers.

  • IPS 5978 : Windows OLE Automation Array Remote Code Execution

Microsoft Security Bulletin Coverage (November 12, 2014)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of November 2014. A list of the issues reported, along with Dell SonicWALL coverage information, is as follows:

MS14-064 Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443)

  • CVE-2014-6332 Windows OLE Automation Array Remote Code Execution Vulnerability
    SPY: 2230 “Malformed-File html.MP.53”
  • CVE-2014-6352 Windows OLE Remote Code Execution Vulnerability
    SPY: 1578 “Malformed-File xml.TL.37”

MS14-065 Cumulative Security Update for Internet Explorer (3003057)

  • CVE-2014-4143 Internet Explorer Memory Corruption Vulnerability
    SPY: 2228 “Malformed-File html.MP.50”
  • CVE-2014-6323 Internet Explorer Clipboard Information Disclosure Vulnerability
    SPY: 2229 “Malformed-File html.MP.51”
  • CVE-2014-6337 Internet Explorer Memory Corruption Vulnerability
    IPS: 5931 “Microsoft Internet Explorer Use After Free”
  • CVE-2014-6339 Internet Explorer ASLR Bypass Vulnerability
    IPS: 5943 “Internet Explorer Out of Bound access(MS14-065)”
  • CVE-2014-6340 Internet Explorer Cross-domain Information Disclosure Vulnerability
    IPS: 5955 “Internet Explorer Information Disclosure (MS14-065)”
  • CVE-2014-6341 Internet Explorer Memory Corruption Vulnerability
    IPS: 5957 “Microsoft Internet Explorer Use After Free(MS14-065) 1”
  • CVE-2014-6342 Internet Explorer Memory Corruption Vulnerability
    IPS: 5959 “Internet Explorer Out of Bound access(MS14-065) 2”
  • CVE-2014-6343 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-6344 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-6345 Internet Explorer Cross-domain Information Disclosure Vulnerability
    IPS: 5962 “Internet Explorer Cross-domain Information Disclosure (MS14-065) 2”
  • CVE-2014-6346 Internet Explorer Cross-domain Information Disclosure Vulnerability
    IPS: 5958 “Internet Explorer Cross-domain Information Disclosure (MS14-065) 1”
  • CVE-2014-6347 Internet Explorer Memory Corruption Vulnerability
    IPS: 5915 “Internet Explorer Memory Corruption Vulnerability (MS14-065) 1”
  • CVE-2014-6348 Internet Explorer Memory Corruption Vulnerability
    IPS: 5918 “Internet Explorer Memory Corruption Vulnerability (MS14-065) 2”
  • CVE-2014-6349 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-6350 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-6351 Internet Explorer Memory Corruption Vulnerability
    IPS: 5924 “Internet Explorer Memory Corruption Vulnerability (MS14-065) 3”
  • CVE-2014-6353 Internet Explorer Memory Corruption Vulnerability
    IPS: 5934 “Internet Explorer Memory Corruption Vulnerability (MS14-065) 4”

MS14-066 Vulnerability in Schannel Could Allow Remote Code Execution (2992611)

  • CVE-2014-6321
    IPS: 5963 “Microsoft Schannel Remote Code Execution (MS14-066)”

MS14-067 Vulnerability in XML Core Services Could Allow Remote Code Execution (2993958)

  • CVE-2014-4118 MSXML Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS14-069 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3009710)

  • CVE-2014-6333 Microsoft Office Double Delete Remote Code Execution Vulnerability
    IPS: 5954 “Microsoft Office Remote Code Execution (MS14-069) 1”
  • CVE-2014-6334 Microsoft Office Bad Index Remote Code Execution Vulnerability
    IPS: 5956 “Microsoft Office Remote Code Execution (MS14-069) 2”
  • CVE-2014-6335 Microsoft Office Invalid Pointer Remote Code Execution Vulnerability
    IPS: 1578 “Microsoft Word Invalid Pointer Remote Code Execution (MS14-069)”

MS14-070 Vulnerability in TCP/IP Could Allow Elevation of Privilege (2989935)

  • CVE-2014-4076 TCP/IP Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS14-071 Vulnerability in Windows Audio Service Could Allow Elevation of Privilege (3005607)

  • CVE-2014-6322 Windows Audio Service Vulnerability
    There are no known exploits in the wild.

MS14-072 Vulnerability in .NET Framework Could Allow Elevation of Privilege (3005210)

  • CVE-2014-4149 TypeFilterLevel Vulnerability
    There are no known exploits in the wild.

MS14-073 Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431)

  • CVE-2014-4116 SharePoint Elevation of Privilege Vulnerability
    IPS: 6753 “Cross-Site Scripting (XSS) Attack 8”

MS14-074 Vulnerability in Remote Desktop Protocol Could Allow Security Feature Bypass (3003743)

  • CVE-2014-6318 Remote Desktop Protocol (RDP) Failure to Audit Vulnerability
    There are no known exploits in the wild.

MS14-076 Vulnerability in Internet Information Services (IIS) Could Allow Security Feature Bypass (2982998)

  • CVE-2014-4078 IIS Security Feature Bypass Vulnerability
    There are no known exploits in the wild.

MS14-077 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3003381)

  • CVE-2014-6331 Active Directory Federation Services Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS14-078 Vulnerability in IME (Japanese) Could Allow Elevation of Privilege (2992719)

  • CVE-2014-4077 Microsoft IME (Japanese) Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS14-079 Vulnerability in Kernel Mode Driver Could Allow Denial of Service (3002885)

  • CVE-2014-6317 Denial of Service in Windows Kernel Mode Driver Vulnerability
    There are no known exploits in the wild.