CVE-2015-2419 Archives

Dell Sonicwall Threat Research team has observed Rig Exploit kit, using exploits for Adobe Flash and IE vulnerabilities in its arsenal.

Redirection Chain:

Malicious javascript code is injected into compromised website to redirect victim to Kit’s Landing page.

Fig-1 : Compromised webpage with injected Javascript

This exploit kit uses Iframe redirection technique as shown below:

Fig-2 :Injected script has an iframe pointing to Kit’s landing page.

Exploit Kit’s landing page contains three HTML script elements as shown below:

Fig-3 : Kit’s Landing Page

First script element defines two custom variables. The next two scripts are used to decrypt data and add new HTML script elements.

The purpose of the data decrypted by the second script element is to play a malicious flash file, which exploits Adobe Flash vulnerability [CVE-2015-8416], as shown below:

Fig-4 : Decrypted data of second script

Similarly, the data decrypted by the third script tag, exploits vulnerability present in IE [CVE-2015-2419] as shown below:

Fig-5 : Decrypted data of third script

Fig-6 : packet capture with URI pattern

Sonicwall Gateway AntiVirus provides protection against this threat via the following signatures:

GAV: RigHtm.EKA (Exploit)

GAV: RigSWF.EKA (Exploit)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of July, 2015. A list of issues reported, along with Dell SonicWALL coverage information are as follows:

MS15-058 Vulnerabilities in SQL Server Could Allow Remote Code Execution

CVE-2015-1761 SQL Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2015-1762 SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2015-1763 SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.

MS15-065 Security Update for Internet Explorer

CVE-2015-1729 Internet Explorer Information Disclosure Vulnerability
IPS: 5962 “Internet Explorer Cross-domain Information Disclosure (MS14-065) 2”
CVE-2015-1733 Internet Explorer Memory Corruption Vulnerability
IPS: 11026 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 10”
CVE-2015-1738 Internet Explorer Memory Corruption Vulnerability
IPS: 11027 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 11”
CVE-2015-1767 Internet Explorer Memory Corruption Vulnerability
IPS: 11028 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 12”
CVE-2015-2372 VBScript Memory Corruption Vulnerability
IPS: 11029 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 13”
CVE-2015-2383 Internet Explorer Memory Corruption Vulnerability
IPS: 11030 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 14”
CVE-2015-2384 Internet Explorer Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2015-2385 Internet Explorer Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2015-2388 Internet Explorer Memory Corruption Vulnerability
IPS: 11031 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 15”
CVE-2015-2389 Internet Explorer Memory Corruption Vulnerability
IPS: 11032 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 16”
CVE-2015-2390 Internet Explorer Memory Corruption Vulnerability
IPS: 11033 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 17”
CVE-2015-2391 Internet Explorer Memory Corruption Vulnerability
IPS: 11034 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 18”
CVE-2015-2397 Internet Explorer Memory Corruption Vulnerability
IPS: 7638 “DOM Object Use-After-Free Attack 2”
CVE-2015-2398 Internet Explorer XSS Filter Bypass Vulnerability
There are no known exploits in the wild.
CVE-2015-2401 Internet Explorer Memory Corruption Vulnerability
IPS: 11036 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 20”
CVE-2015-2402 Internet Explorer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2015-2403 Internet Explorer Memory Corruption Vulnerability
IPS: 2175 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 1”
CVE-2015-2404 Internet Explorer Memory Corruption Vulnerability
IPS: 2190 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 2”
CVE-2015-2406 Internet Explorer Memory Corruption Vulnerability
IPS: 2191 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 3”
CVE-2015-2408 Internet Explorer Memory Corruption Vulnerability
IPS: 2192 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 4”
CVE-2015-2410 Internet Explorer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2015-2411 Internet Explorer Memory Corruption Vulnerability
IPS: 2198 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 5”
CVE-2015-2412 Internet Explorer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2015-2413 Internet Explorer Information Disclosure Vulnerability
IPS: 2207 “Internet Explorer Information Disclosure Vulnerability (MS15-065) 1”
CVE-2015-2414 Internet Explorer Information Disclosure Vulnerability
IPS: 2208 “Internet Explorer Information Disclosure Vulnerability (MS15-065) 2”
CVE-2015-2419 Jscript9 Memory Corruption Vulnerability
IPS: 2209 “Internet Explorer JScript9 Memory Corruption Vulnerability (MS15-065)”
CVE-2015-2421 Internet Explorer ASLR Bypass
IPS: 2210 “Internet Explorer ASLR Bypass Vulnerability (MS15-065)”
CVE-2015-2422 Internet Explorer Memory Corruption Vulnerability
IPS: 2233 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 6”
CVE-2015-2425 Internet Explorer Memory Corruption Vulnerability
IPS: 2234 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 7”
CVE-2015-2372 VBScript Memory Corruption Vulnerability
IPS: 11029 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 13”
CVE-2015-2398 Internet Explorer XSS Filter Bypass Vulnerability
There are no known exploits in the wild.
CVE-2015-2402 Internet Explorer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2015-2419 Jscript9 Memory Corruption Vulnerability
IPS: 2209 “Internet Explorer JScript9 Memory Corruption Vulnerability (MS15-065)”
CVE-2015-2421 Internet Explorer ASLR Bypass
IPS: 2210 “Internet Explorer ASLR Bypass Vulnerability (MS15-065)”

MS15-066 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution

CVE-2015-2372 VBScript Memory Corruption Vulnerability
There are no known exploits in the wild.

MS15-067 Vulnerability in RDP Could Allow Remote Code Execution

CVE-2015-2373 Remote Desktop Protocol (RDP) Remote Code Execution Vulnerability
There are no known exploits in the wild.

MS15-068 Vulnerabilities in Windows Hyper-V Could Allow Remote Code Execution

CVE-2015-2361 Hyper-V Buffer Overflow Vulnerability
There are no known exploits in the wild.
CVE-2015-2362 Hyper-V System Data Structure Vulnerability
There are no known exploits in the wild.

MS15-069 Vulnerabilities in Windows Could Allow Remote Code Execution

CVE-2015-2368 Windows DLL Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2015-2369 DLL Planting Remote Code Execution Vulnerability
There are no known exploits in the wild.

MS15-070 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

CVE-2015-2376 Microsoft Office Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2015-2377 Microsoft Office Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2015-2378 Microsoft Excel DLL Remote Code Execution Vulnerability
IPS:5726 “Binary Planting Attack 2”
CVE-2015-2379 Microsoft Office Memory Corruption Vulnerability
SPY:3107 “Malformed-File doc.MP.24”
CVE-2015-2380 Microsoft Office Memory Corruption Vulnerability
SPY:3106 “Malformed-File doc.MP.23”
CVE-2015-2415 Microsoft Office Memory Corruption Vulnerability
GAV:37640 “Olemal.A”
CVE-2015-2424 Microsoft Office Memory Corruption Vulnerability
There are no known exploits in the wild.

MS15-071 Vulnerability in Netlogon Could Allow Elevation of Privilege

CVE-2015-2374 Elevation of Privilege Vulnerability in Netlogon
There are no known exploits in the wild.

MS15-072 Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege

CVE-2015-2364 Graphics Component EOP Vulnerability
SPY:3105 “Malformed-File swf.MP.234”

MS15-073 Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege

CVE-2015-2363 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2015-2365 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2015-2366 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2015-2367 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2015-2381 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2015-2382 Win32k Information Disclosure Vulnerability
There are no known exploits in the wild.

MS15-074 Vulnerability in Windows Installer Service Could Allow Elevation of Privilege

CVE-2015-2371 Windows Installer EoP Vulnerability
There are no known exploits in the wild.

MS15-075 Vulnerabilities in OLE Could Allow Elevation of Privilege

CVE-2015-2416 OLE Elevation of Privilege Vulnerability
SPY:3105 “Malformed-File swf.MP.234”
CVE-2015-2417 OLE Elevation of Privilege Vulnerability
SPY:3105 “Malformed-File swf.MP.234”

MS15-076 Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege

CVE-2015-2370 Windows RPC Elevation of Privilege Vulnerability
There are no known exploits in the wild.

MS15-076 Vulnerability in ATM Font Driver Could Allow Elevation of Privilege

CVE-2015-2387 ATMFD.DLL Memory Corruption Vulnerability
GAV:20469 “Dropper.A_767”

Posts

RIG Exploit Kit (March 9th, 2016)

Microsoft Security Bulletin Coverage (July 14, 2015)

About SonicWall

Products

Solutions

Customers

Support