New IE zero day vulnerability

Discussion in 'other security issues & news' started by Fly, Nov 9, 2013.

Thread Status:
Not open for further replies.
  1. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    This appears to be new.
     
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Sounds like this would bypass quite a lot of security software.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yes another Vulnerability in a Microsoft Graphics Component !

    If you have rundll32.exe set to Block/Prompt it can't get even to the second stage, so you would be safe, as i am ;)

    rundll32.exe.png

     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    The exploit launches it from the injected shellcode. Do you think PG or other 3rd party anti-exec still going to block it under this circumstance?
     
  8. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Depends on what system calls Process Guard hooks. If it hooks CreateProcess(), and rundll32 is not trusted, then it will raise the alarm. So yes, I'd think CloneRanger's setup would work.

    OTOH, your average antivirus probably wouldn't know what hit it.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Okay that's good to know, thanks! I've been under the impression that shellcode is going to bypass HIPS and anti-exec software, and not just antivirus.
     
  10. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Don't take my word on it. :eek:

    In this case though the shellcode is injected into a spawned program (rundll32.exe). The problem is more that that's a Windows component, and might be trusted by default by security programs.
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Understood, thanks again :)
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    GJ is pretty much correct. The shellcode is used to call the API that executes the binary rundll32.exe. Rundll32.exe has its own arguments, so the attacker can then have that process execute commands on its behalf.

    If an AE doesn't have it as a trusted component or whatever the hell they're calling them now, and if it's hooking the call (it almost certainly would be) it'll stop it.

    Exploits always start with shell (well, not really, but this type does). That isn't a get-out-of-AE free key or anything, AE just kicks in once the attacker starts messing around with the APIs that AE's monitor. Attackers are, as always, free to use any of the other thousands of API calls available.

    Hope that clears it up a bit.
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Yes that helps, thanks. But one thing I just noticed:

    I thought the shellcode injected itself into the browser's memory heap, or whatever they call it?? So i figured from there it spawns Rundll32.exe?
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Eh, the word 'shellcode' kinda means a lot of things. We're not really talking about exploiting the processes memory int erms of rundll32.exe, it's just that it exploits MSIE, controls MSIE's memory/ control flow, and then the attacker controlled MSIE calls (in a completely valid manner) rundll32.exe. rundll32.exe then acts as a 'host' for the next 'stage of shellcode'.

    The attackers most likely picked that binary because it's a typically trusted component and it's not really misbehaving when it takes in a dll or some other content and runs it - that's what it exists to do.
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Complicated stuff but interesting all the same :) I guess the msvcrt.dll PE headers, mentioned in the article, are read as part of the "fingerprinting" process of the attack, so the attacker's server will send a specific exploit based on the information in the headers?
     
  16. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://www.fireeye.com/blog/technic...linked-to-deputydog-uses-diskless-method.html
     
  17. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    4,097
    Update: Microsoft to patch just-revealed Windows zero-day tomorrow
    November 11, 2013
    http://www.computerworld.com/s/arti...patch_just_revealed_Windows_zero_day_tomorrow

    -----------------
    Microsoft plans to address zero-day IE bug on Tuesday
    http://news.cnet.com/8301-1009_3-57611860-83/microsoft-plans-to-address-zero-day-ie-bug-on-tuesday/
     
  18. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    I wonder if/when support for this one will appear in Metasploit.:D
     
Loading...
Thread Status:
Not open for further replies.