Microsoft Security Bulletin Coverage (Jan 12, 2016)

Dell SonicWALL has analyzed and addressed Microsoft's security advisories released on January 12, 2016. The list of reported issues, along with Dell SonicWALL coverage information, is as follows:

MS16-001 Cumulative Security Update for Internet Explorer

  • CVE-2016-0002 Scripting Engine Memory Corruption Vulnerability
    IPS: 11383 “Scripting Engine Memory Corruption Vulnerability (MS16-001) 1”
  • CVE-2016-0005 Internet Explorer Elevation of Privilege Vulnerability
    IPS: 11384 “Internet Explorer Elevation of Privilege Vulnerability (MS16-001) 2”

MS16-002 Cumulative Security Update for Microsoft Edge

  • CVE-2016-0003 Microsoft Edge Memory Corruption Vulnerability
    IPS: 11385 “Microsoft Edge Memory Corruption Vulnerability (MS16-002) 3”
  • CVE-2016-0024 Scripting Engine Memory Corruption Vulnerability
    IPS: 11386 “Scripting Engine Memory Corruption Vulnerability (MS16-002) 4”

MS16-003 Cumulative Security Update for Jscript and VBScript to Address Remote Code Execution

  • CVE-2016-0002 Scripting Engine Memory Corruption Vulnerability
    IPS: 11383 “Scripting Engine Memory Corruption Vulnerability (MS16-001) 1”

MS16-004 Security Updates for Microsoft Office to Address Remote Code Execution

  • CVE-2015-6117 Microsoft SharePoint Security Feature Bypass
    There are no known exploits in the wild.
  • CVE-2016-0010 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0012 ASLR bypass vulnerability
    IPS: 11387 “ASLR bypass vulnerability (MS16-004) 5”
  • CVE-2016-0035 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS16-005 Security Update for Windows Kernel-Mode Drivers to Address Remote Code Execution

  • CVE-2016-0008 Windows GDI32.dll ASLR Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0009 Win32k Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS16-006 Security Update for Silverlight to Address Remote Code Execution

  • CVE-2016-0034 Silverlight Runtime Remote Code Execution Vulnerability
    IPS: 11388 “Silverlight Runtime Remote Code Execution Vulnerability (MS16-006) 5”

MS16-007 Security Update for Microsoft Windows to Address Remote Code Execution

  • CVE-2016-0014 DLL Loading Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-0015 DirectShow Heap Corruption Remote Code Execution Vulnerability
    IPS: 11389 “DirectShow Heap Corruption Remote Code Execution Vulnerability (MS16-007) 6”
  • CVE-2016-0016 DLL Loading Remote Code Execution Vulnerability
    IPS: 11390 “DLL Loading Remote Code Execution Vulnerability (MS16-007) 7”
  • CVE-2016-0018 DLL Loading Remote Code Execution Vulnerability
    IPS: 11391 “DLL Loading Remote Code Execution Vulnerability (MS16-007) 8”
  • CVE-2016-0019 Windows Remote Desktop Protocol Security Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0020 MAPI DLL Loading Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS16-008 Security Update for Windows Kernel to Address Elevation of Privilege

  • CVE-2016-0006 Windows Mount Point Elevation of Privilege Vulnerability
    IPS: 11392 “Windows Mount Point Elevation of Privilege Vulnerability (MS16-008) 9”
  • CVE-2016-0007 Windows Mount Point Elevation of Privilege Vulnerability
    IPS: 11393 “Windows Mount Point Elevation of Privilege Vulnerability (MS16-008) 10”

MS16-010 Security Update in Microsoft Exchange Server to Address Spoofing

  • CVE-2016-0029 Exchange Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0030 Exchange Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0031 Exchange Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-0032 Exchange Spoofing Vulnerability
    There are no known exploits in the wild.

Microsoft Silverlight Remote Code Execution Vulnerability – CVE-2016-0034 (Mar 18, 2016)

Microsoft Silverlight is a development platform for creating interactive user experiences for web and mobile applications. Silverlight is a free browser plug-in, built on the .NET framework and available for multiple browsers. Microsoft Silverlight 5 before 5.1.41212.0 mishandles negative offsets during decoding, which allows remote attackers to execute arbitrary code or cause a denial of service (object-header corruption) via a crafted web site, aka “Silverlight Runtime Remote Code Execution Vulnerability.”

The vulnerability is triggered when the System.Text.Decoder class tries to allocate a buffer using the value returned by the GetChars() function. Because GetChars() is a virtual method, an attacker can override it in a derived class to return a negative value, and the runtime uses that value without rejecting it. This leads to memory corruption.

To exploit this vulnerability an attacker could host a specially crafted Silverlight application on a website and entice the user to visit it. Successful exploitation could lead to remote code execution in the context of the logged-in user.

The overridden GetChars function in the derived class looks like this

IE crashes when the System.Text.Decoder class tries to allocate a buffer with a negative size.
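The pattern described above, as an added example that is not Silverlight's own runtime code or the exploit from the post: a Decoder subclass whose overridden GetChars() returns a negative count, next to a reader that trusts that count (the vulnerable shape) and one that bounds-checks it (the fix). The class and method names (EvilDecoder, ReadStringUnchecked, ReadStringChecked) and the sample input are assumptions made for the illustration; plain .NET's string constructor rejects the negative length with an exception, whereas the post reports that the Silverlight runtime's equivalent path does not and corrupts memory.

```csharp
// Added illustration of the CVE-2016-0034 pattern; not Silverlight's internal code.
using System;
using System.Text;

// Hypothetical attacker-controlled Decoder, modelled on the technique the post describes:
// the virtual GetChars() is overridden to report a negative number of decoded characters.
sealed class EvilDecoder : Decoder
{
    public override int GetCharCount(byte[] bytes, int index, int count) => 0;

    public override int GetChars(byte[] bytes, int byteIndex, int byteCount,
                                 char[] chars, int charIndex)
    {
        // Writes nothing, but claims a large negative count.
        return -0x10000;
    }
}

static class DecoderDemo
{
    // Vulnerable shape: the count returned by an overridable GetChars() is trusted
    // when positioning/sizing the output. A negative count yields a negative length.
    public static string ReadStringUnchecked(Decoder decoder, byte[] data)
    {
        char[] chars = new char[data.Length];
        int charPos = 0;
        int n = decoder.GetChars(data, 0, data.Length, chars, charPos);
        charPos += n;                         // goes negative with EvilDecoder
        // Managed .NET throws ArgumentOutOfRangeException here; the post reports that
        // Silverlight's runtime path did not validate the value and corrupted memory.
        return new string(chars, 0, charPos);
    }

    // Hardened shape: treat the return value of a virtual callback as untrusted input
    // and reject anything outside [0, chars.Length] before using it.
    public static string ReadStringChecked(Decoder decoder, byte[] data)
    {
        char[] chars = new char[data.Length];
        int n = decoder.GetChars(data, 0, data.Length, chars, 0);
        if (n < 0 || n > chars.Length)
            throw new InvalidOperationException($"decoder returned out-of-range count {n}");
        return new string(chars, 0, n);
    }

    static void Main()
    {
        byte[] sample = Encoding.UTF8.GetBytes("hello");   // constructed sample input

        // Benign decoder: both readers return "hello".
        Console.WriteLine(ReadStringChecked(Encoding.UTF8.GetDecoder(), sample));

        // Malicious decoder against the unchecked reader: negative length reaches the sink.
        try { ReadStringUnchecked(new EvilDecoder(), sample); }
        catch (ArgumentOutOfRangeException e) { Console.WriteLine("unchecked: " + e.Message); }

        // Malicious decoder against the checked reader: rejected before any use.
        try { ReadStringChecked(new EvilDecoder(), sample); }
        catch (InvalidOperationException e) { Console.WriteLine("checked: " + e.Message); }
    }
}
```

The security-relevant point is the trust boundary: Decoder is an abstract class that application code (here, the attacker's Silverlight app) can subclass, so the runtime must treat every value GetChars() returns as attacker-controlled and range-check it before using it as a count or offset.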

The exploit code is an obfuscated .NET assembly. The decompiled and deobfuscated DLL code looks like this

Decompiled

Deobfuscated

The exploit code tries to decode a long byte array.

Attaching a debugger, we see that the malicious DLL sprays memory with malicious code. We can also see some code that could tamper with the registry.

The graphical view of exploit code looks like this.

The Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect its customers:

  • IPS 11388: Microsoft Silverlight Remote Code Execution (MS16-006)