Internet Explorer Memory Corruption Vulnerability CVE-2017-0202

A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user, a.k.a. “Internet Explorer Memory Corruption Vulnerability.”

When the PoC is run in Internet Explorer, it crashes IE. As seen in the image, the crash happens at MSHTML!CStyleSheetArray::BuildListOfProbableRules when the script tries to set an attribute to an invalid value. This attribute had already been set in the StyleSheet.

An attacker could host a malicious website to exploit this vulnerability (CVE-2017-0202) and lure the victim into visiting the website. The vulnerability could corrupt memory in such a way that the attacker could execute arbitrary code on the victim’s machine.

The call stack shows that the crash happens after “ApplyStyleSheets”, suggesting a type confusion about the style sheet element, as seen in the code.

The disassembly looks like this:

The SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect its customers.

  • IPS 12709: Internet Explorer Memory Corruption Vulnerability (APR 17) 1

Microsoft Security Bulletin Coverage for April 2017

SonicWall has analyzed and addressed Microsoft’s and Adobe’s security advisories for the month of April 2017. A list of the issues reported, along with SonicWall coverage information, follows:

Microsoft Coverage

  • CVE-2017-0058 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0093 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0106 Microsoft Outlook Remote Code Execution Vulnerability
    SPY:4460 Malformed-File rtf.MP.18
  • CVE-2017-0155 Windows Graphics Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0156 Windows Graphics Component Elevation of Privilege Vulnerability
    SPY:1450 Malformed-File exe.MP.30
  • CVE-2017-0158 Scripting Engine Memory Corruption Vulnerability
    IPS:12715 Scripting Engine Memory Corruption Vulnerability (APR 17) 2
  • CVE-2017-0159 ADFS Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0160 .NET Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0162 Hyper-V Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0163 Hyper-V Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0164 Active Directory Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0165 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0166 LDAP Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0167 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0168 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0169 Hyper-V Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0178 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0179 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0180 Hyper-V Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0181 Hyper-V Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0182 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0183 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0184 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0185 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0186 Hyper-V Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0188 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0189 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0191 Windows Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0192 ATMFD.dll Information Disclosure Vulnerability
    SPY:1433 Malformed-File pfb.MP.2
  • CVE-2017-0194 Microsoft Office Memory Corruption Vulnerability
    IPS:12716 Microsoft Office Memory Corruption Vulnerability (APR 17)
  • CVE-2017-0195 Microsoft Office XSS Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0197 Office DLL Loading Vulnerability
    IPS:12718 ceutil.dll Insecure Library Loading
  • CVE-2017-0199 Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API
    SPY:1446 Malformed-File rtf.MP.17
  • CVE-2017-0200 Microsoft Edge Memory Corruption Vulnerability
    IPS:12717 Microsoft Edge Memory Corruption Vulnerability (APR 17) 2
  • CVE-2017-0201 Scripting Engine Memory Corruption Vulnerability
    IPS:12708 Scripting Engine Memory Corruption Vulnerability (APR 17) 1
  • CVE-2017-0202 Internet Explorer Memory Corruption Vulnerability
    IPS:12709 Internet Explorer Memory Corruption Vulnerability (APR 17) 1
  • CVE-2017-0203 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0204 Microsoft Office Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0205 Microsoft Edge Memory Corruption Vulnerability
    IPS:12710 Microsoft Edge Memory Corruption Vulnerability (APR 17) 1
  • CVE-2017-0207 Microsoft Office Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0208 Scripting Engine Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0210 Internet Explorer Elevation of Privilege Vulnerability
    IPS:12712 Internet Explorer Elevation of Privilege (APR 17) 1
  • CVE-2017-0211 Windows OLE Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2013-6629 libjpeg Information Disclosure Vulnerability
    There are no known exploits in the wild.

Adobe Coverage

APSB17-10 Security updates for Adobe Flash Player:

  • CVE-2017-3058 Adobe Flash Player Use After Free Vulnerability
    Spy:1417 Malformed-File swf.MP.549
  • CVE-2017-3059 Adobe Flash Player Use After Free Vulnerability
    Spy:1418 Malformed-File swf.MP.550
  • CVE-2017-3060 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1419 Malformed-File swf.MP.551
  • CVE-2017-3061 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1420 Malformed-File swf.MP.552
  • CVE-2017-3062 Adobe Flash Player Use After Free Vulnerability
    Spy:1421 Malformed-File swf.MP.553
  • CVE-2017-3063 Adobe Flash Player Use After Free Vulnerability
    Spy:1422 Malformed-File swf.MP.554
  • CVE-2017-3064 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1423 Malformed-File swf.MP.555

APSB17-11 Security Updates for Adobe Acrobat and Reader:

  • CVE-2017-3013 Adobe Acrobat Reader Insecure Library Loading Vulnerability
    Spy:1406 Malformed-File pdf.MP.219
  • CVE-2017-3014 Adobe Acrobat Reader Use After Free Vulnerability
    Spy:1407 Malformed-File pdf.MP.220
  • CVE-2017-3017 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1408 Malformed-File pdf.MP.221
  • CVE-2017-3019 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1409 Malformed-File pdf.MP.222
  • CVE-2017-3020 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1410 Malformed-File pdf.MP.223
  • CVE-2017-3021 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1411 Malformed-File pdf.MP.224
  • CVE-2017-3022 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1412 Malformed-File pdf.MP.225
  • CVE-2017-3023 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1413 Malformed-File pdf.MP.226
  • CVE-2017-3024 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1414 Malformed-File pdf.MP.227
  • CVE-2017-3025 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1415 Malformed-File pdf.MP.228
  • CVE-2017-3026 Adobe Acrobat Reader Use After Free Vulnerability
    Spy:1416 Malformed-File pdf.MP.229
  • CVE-2017-3029 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1405 Malformed-File pdf.MP.218
  • CVE-2017-3032 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1424 Malformed-File pdf.MP.235
  • CVE-2017-3033 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1432 Malformed-File pdf.MP.232
  • CVE-2017-3042 Adobe Acrobat Reader Heap Overflow Vulnerability
    Spy:1425 Malformed-File tif.MP.5
    Spy:1426 Malformed-File tif.MP.6
    Spy:1428 Malformed-File tif.MP.7
  • CVE-2017-3044 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1430 Malformed-File pdf.MP.230
  • CVE-2017-3045 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1431 Malformed-File pdf.MP.231
  • CVE-2017-3046 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1434 Malformed-File pdf.MP.233
  • CVE-2017-3047 Adobe Acrobat Reader Use After Free Vulnerability
    Spy:1435 Malformed-File pdf.MP.234
  • CVE-2017-3048 Adobe Acrobat Reader Heap Overflow Vulnerability
    Spy:1436 Malformed-File tif.MP.8
  • CVE-2017-3049 Adobe Acrobat Reader Heap Overflow Vulnerability
    Spy:1437 Malformed-File tif.MP.9
  • CVE-2017-3050 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1438 Malformed-File gif.MP.1
  • CVE-2017-3051 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:1441 Malformed-File jpg.MP.5
  • CVE-2017-3052 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1443 Malformed-File emf.MP.13
    Spy:1445 Malformed-File emf.MP.14
  • CVE-2017-3053 Adobe Acrobat Reader Memory Address Leak Vulnerability
    Spy:1447 Malformed-File jpg.MP.6
  • CVE-2017-3055 Adobe Acrobat Reader Heap Overflow Vulnerability
    Spy:1448 Malformed-File pdf.MP.237
  • CVE-2017-3056 Adobe Acrobat Reader Memory Corruption Vulnerability
    Spy:4237 Malformed-File pdf.MP.238
  • CVE-2017-3057 Adobe Acrobat Reader Use After Free Vulnerability
    Spy:1449 Malformed-File pdf.MP.236