Never-Ending Zero-Day Story

Yesterday, it was reported that an Internet Explorer zero-day threat was actively being exploited in the wild. We did a quick analysis and have some interesting findings.

The exploit contains four parts:

  • Exploit.html. First-stage exploit web page (initializes variables and loads the .swf file).
  • Moh2010.swf. SWF encrypted with DoSWF; it contains the shellcode and the heap-spray code. After the heap spray is done, it loads Protect.html to trigger the vulnerability.
  • Protect.html. Detects the browser/Flash version and triggers the vulnerability.
  • 111.exe. The Trojan.

Unlike common exploits that keep everything in HTML/JavaScript, this threat hides all the important elements, such as the shellcode and the heap-spray code, in the encrypted SWF file. The exploitation part is very simple. It targets only Windows XP SP3 and IE8, so there is no need to bypass ASLR; it uses only a ROP payload to bypass Windows Data Execution Prevention. The ROP gadget is hardcoded from the msvcrt.dll module.

0:008> u 0x77c15ed5
msvcrt!_pi_by_2_to_61+0x12db:
77c15ed5 94              xchg    eax,esp
77c15ed6 c3              ret

The ROP payload calls kernel32!VirtualAlloc to make the memory holding the shellcode RWX (readable, writable, and executable).

0c10104c 00000000 0c18fa00 00005500 00001000 kernel32!VirtualAllocEx
0:008> !address eax
0c120000 : 0c18f000 - 00006000
Type     00020000 MEM_PRIVATE
Protect  00000040 PAGE_EXECUTE_READWRITE
State    00001000 MEM_COMMIT
Usage    RegionUsageIsVAD
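The debugger output above is worth reading as a triage rule: the payload asks VirtualAlloc for a committed range and gets back private memory with PAGE_EXECUTE_READWRITE protection, a combination benign code rarely needs. The script below is an added example, not code from the original post: it decodes the raw Type/Protect/State constants from a `!address` block (the sample text is a constructed copy of the block above), flags a private, committed, write-and-execute region, and cross-checks that the region returned by `!address` contains the range requested in the `kb` frame (lpAddress 0x0c18fa00, dwSize 0x5500). The constant names are the standard Win32 values; `SAMPLE_ADDRESS` and the function names are assumptions made for the example.

```python
import re

# Added example, not from the original post: decode the raw constants in a
# WinDbg !address block and apply the triage rule a defender cares about here,
# a private, committed region whose protection allows both write and execute.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
PAGE_PROT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITE_AND_EXEC = (0x40, 0x80)  # the only page protections that are W+X at once

# Constructed sample: the !address block from the post, as text.
SAMPLE_ADDRESS = """\
0c120000 : 0c18f000 - 00006000
Type     00020000 MEM_PRIVATE
Protect  00000040 PAGE_EXECUTE_READWRITE
State    00001000 MEM_COMMIT
Usage    RegionUsageIsVAD
"""


def parse_address_output(text):
    """Pull the numeric fields out of a WinDbg !address block."""
    region = {}
    m = re.search(r"^([0-9a-f]{8})\s*:\s*([0-9a-f]{8})\s*[-\u2013]\s*([0-9a-f]{8})",
                  text, re.M)
    if m:
        region["alloc_base"], region["base"], region["size"] = (int(x, 16) for x in m.groups())
    for key in ("Type", "Protect", "State"):
        m = re.search(rf"^{key}\s+([0-9a-f]{{8}})", text, re.M)
        if m:
            region[key.lower()] = int(m.group(1), 16)
    return region


def describe(region):
    """Symbolic names for type, protection and state.
    Only the low byte of Protect is the access right; PAGE_GUARD/NOCACHE bits sit above it."""
    prot = region["protect"] & 0xFF
    return (MEM_TYPE.get(region["type"], hex(region["type"])),
            PAGE_PROT.get(prot, hex(prot)),
            MEM_STATE.get(region["state"], hex(region["state"])))


def is_rwx_private(region):
    """Triage rule: committed private memory that is both writable and executable."""
    return (region["type"] == 0x20000
            and region["state"] == 0x1000
            and (region["protect"] & 0xFF) in WRITE_AND_EXEC)


def covers_request(region, lp_address, dw_size):
    """Cross-check: does the region !address reports contain the
    [lpAddress, lpAddress + dwSize) range that VirtualAlloc was asked for?"""
    start, end = region["base"], region["base"] + region["size"]
    return start <= lp_address and lp_address + dw_size <= end


if __name__ == "__main__":
    r = parse_address_output(SAMPLE_ADDRESS)
    print(describe(r), "suspicious" if is_rwx_private(r) else "ok")
    # args taken from the kb frame: lpAddress=0c18fa00, dwSize=00005500
    print("covers requested range:", covers_request(r, 0x0C18FA00, 0x5500))
```

The same rule, applied over every region of a live process rather than one pasted block, is the usual first pass when hunting for injected or sprayed code: image-backed (MEM_IMAGE) sections are expected to be executable, private memory almost never is.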

The actual shellcode is XOR-encoded with 0xE2, and it also uses a hook-hopping technique when calling APIs such as urlmon!URLDownloadToCacheFileW, kernel32!CreateFileW, and kernel32!WinExec. Hook hopping is commonly used to bypass common security protections such as AV and HIPS. After successful exploitation, the shellcode downloads a Trojan from a remote server.
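A single-byte XOR layer like this one is trivial to strip once the key is known, and the key can be recovered by brute force when the analyst knows something that must appear in the plaintext. The script below is an added example, not code from the original post or the sample: it tries all 256 keys against an encoded blob, scores each candidate by how many of the API names listed above it reveals, decodes with the best key, and lists the printable strings. The blob is constructed for the demo by encoding an invented plaintext with 0xE2; real shellcode frequently resolves APIs by hash rather than by name, in which case the marker list would be swapped for other known plaintext (a PE header, a URL prefix, a known stub).

```python
# Added example, not from the original post: single-byte XOR key recovery and
# decoding for a shellcode blob, using known API names as plaintext markers.
API_NAMES = [b"URLDownloadToCacheFileW", b"CreateFileW", b"WinExec"]


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def recover_xor_key(blob, markers=API_NAMES):
    """Return (key, marker_hits) for the key whose decoding exposes the most markers,
    or None if no key exposes any of them."""
    best = None
    for key in range(256):
        decoded = xor_bytes(blob, key)
        hits = sum(1 for m in markers if m in decoded)
        if hits and (best is None or hits > best[1]):
            best = (key, hits)
    return best


def extract_strings(data, min_len=6):
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode())
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode())
    return found


# Constructed plaintext: a few opcode-like bytes around the strings the post names.
PLAIN = (b"\x55\x8b\xec\x83\xec\x10"
         + b"urlmon.dll\x00URLDownloadToCacheFileW\x00"
         + b"\x31\xc0\x50"
         + b"CreateFileW\x00WinExec\x00"
         + b"\xc9\xc3")
ENCODED = xor_bytes(PLAIN, 0xE2)   # the "captured" blob the analyst starts from


def analyze(blob):
    """Recover the key, decode, and return (key, strings) or (None, [])."""
    result = recover_xor_key(blob)
    if result is None:
        return None, []
    key, _ = result
    return key, extract_strings(xor_bytes(blob, key))


if __name__ == "__main__":
    key, strings = analyze(ENCODED)
    print(f"key = {key:#04x}")       # key = 0xe2
    for s in strings:
        print("  ", s)
```

Scoring on markers rather than on overall printable ratio matters for shellcode: the decoded code bytes are mostly non-printable anyway, so a printability heuristic has little signal, whereas a 20-byte API name appearing intact under exactly one key is decisive.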

Coverage/Mitigation

McAfee NSP will release the UDS “UDS-HTTP: Microsoft Internet Explorer Use-After-Free exCommand Heap Stray Code Execution” to cover the threat.

McAfee HIPS 8.0 P2 can block the zero-day exploit with the following Generic Buffer Overflow Protection signatures:

  • 6013 – Suspicious Function Invocation – CALL Not Found
  • 6048 – Suspicious Function Invocation – Different Stack
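The two signature names describe exactly what a ROP chain looks like at the moment it lands in a sensitive API: after the `xchg eax,esp` gadget shown earlier, ESP points into sprayed heap rather than the thread's stack ("Different Stack"), and because the chain reaches VirtualAlloc through a `ret` instead of a `call`, the bytes immediately before the return address on the stack do not decode to a CALL instruction ("CALL Not Found"). The code below is an added example, not McAfee's implementation or anything from the post: a toy, 32-bit x86 version of both checks as a host-based product would evaluate them on API entry. The stack range, the legitimate-caller bytes, and the second gadget following the `94 c3` pivot are constructed for the demo; the CALL encodings covered are a common subset, not the complete set.

```python
# Added example, not from the original post: toy versions of the two checks the
# HIPS signatures are named after, evaluated at the entry of a sensitive API
# such as VirtualAlloc.  x86 32-bit only.

# Constructed thread stack range (what the TEB StackLimit/StackBase would hold).
STACK_LIMIT = 0x0012C000
STACK_BASE = 0x00130000


def different_stack(esp, stack_limit=STACK_LIMIT, stack_base=STACK_BASE):
    """Signature 6048: ESP lies outside the thread's own stack, as after `xchg eax,esp`."""
    return not (stack_limit <= esp < stack_base)


def preceded_by_call(code, ret_addr, code_base):
    """Signature 6013: do the bytes just before the return address decode as a CALL?
    A genuine call leaves one there; a `ret` into the API from a ROP chain does not.
    `code` holds the bytes of the region containing ret_addr, loaded at code_base."""
    off = ret_addr - code_base
    if not 0 <= off <= len(code):
        return False
    candidates = [
        (5, lambda b: b[0] == 0xE8),                                   # call rel32
        (2, lambda b: b[0] == 0xFF and 0xD0 <= b[1] <= 0xD7),          # call reg
        (3, lambda b: b[0] == 0xFF and 0x50 <= b[1] <= 0x57
                      and b[1] != 0x54),                               # call [reg+disp8]
        (6, lambda b: b[0] == 0xFF and (b[1] == 0x15
                      or 0x90 <= b[1] <= 0x97 and b[1] != 0x94)),      # call [disp32] / [reg+disp32]
    ]
    return any(off >= n and match(code[off - n:off]) for n, match in candidates)


def api_entry_findings(esp, code, ret_addr, code_base):
    """Names of the signatures that would fire for this API entry (empty when clean)."""
    findings = []
    if different_stack(esp):
        findings.append("Different Stack")
    if not preceded_by_call(code, ret_addr, code_base):
        findings.append("CALL Not Found")
    return findings


# Constructed scenario 1: an ordinary caller.  `call rel32` at 0x401002, so the
# return address pushed on the stack is 0x401007 and ESP is on the real stack.
LEGIT_CODE = b"\x90\x90\xE8\x10\x00\x00\x00\x8B\xC0"
LEGIT_BASE = 0x00401000

# Constructed scenario 2: the pivot gadget from the post (94 c3 at 0x77c15ed5)
# followed by an invented `pop ebp; ret` gadget.  The chain `ret`s into the API
# with the next gadget's address as the "return address" and ESP in the spray.
ROP_CODE = b"\x94\xC3\x5D\xC3"
ROP_BASE = 0x77C15ED5

if __name__ == "__main__":
    print(api_entry_findings(0x0012FF00, LEGIT_CODE, 0x00401007, LEGIT_BASE))  # []
    print(api_entry_findings(0x0C18F800, ROP_CODE, 0x77C15ED7, ROP_BASE))
    # ['Different Stack', 'CALL Not Found']
```

Both checks are cheap and catch this particular chain, which is why the signatures cover it without any knowledge of the IE bug; the usual caveat is that the "CALL Not Found" heuristic only inspects the return address, so a chain that arranges a real `call` into the API would satisfy it, and the stack check must read the limits from the TEB rather than trust any value the payload controls.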

AV detection is available in the current Beta DATs as “Exploit-IEexecCommand”.

Thanks to my colleagues Xiaobo Chen and Hirosh Joseph for the analysis.