A Look Inside a CVE-2013-3918 Exploit

2014-08-15 09:18

Editor’s Note: Berman Enconado is a senior software security engineer in the Security Labs. He’s been in the industry for more than 10 years and has given talks to local universities on several occasions as part of the company’s security awareness drives.

On November 8, our friends at FireEye discovered an exploit targeting a zero-day vulnerability (CVE-2013-3918) in an ActiveX control shipped with Microsoft’s Internet Explorer (IE). It was found hosted on a compromised US-based website. Internet users who visited it with IE8 on Windows XP or IE9 on Windows 7 would fall victim to a drive-by-download attack. Thankfully, Microsoft issued a patch for this flaw last week (security bulletin MS13-090). If you haven’t installed it yet, now is the time to do it.

Users of our VIPRE products are already protected from the said exploit. We detect it as Exploit.HTML.CVE-2013-3918.a.

We were able to retrieve a piece of the exploit malware and thought we would give our regular Labs blog readers a comprehensive, blow-by-blow retelling of its behavior, which follows below. Here is the malformed HTML page I used to test the exploit.

Figure 1. The outcome

As you can see, there is nothing special about it: just a white page with the text “Hello man” on it. What users don’t know is that infiltration and code execution happen in the background. They see nothing until it is already too late.

So, let’s begin.

What Happens When the Exploit is Run

The exploit uses a technique known as return-oriented programming (ROP) to get around the non-executable memory protection (DEP) that Windows applies to the stack and heap. Rather than executing code from those areas directly, ROP chains together short pieces of already-executable code from loaded modules, each ending in a return instruction, driven by a list of addresses the attacker controls. To make the processor consume that list, the exploit first pivots the stack: it swaps the stack pointer onto heap memory it controls, so a heap buffer now serves as the stack. The chain then alters the memory protection of that region so the shellcode stored there can execute, as the figures below show.

Figure 2. ROP in action

Figure 3. Memory protection changes of the stack

Once that is done, it passes execution to its shellcode, which decrypts its next stage and computes which APIs it needs in order to inject itself into another process that it will spawn later on. These APIs are:

  • CreateProcessA
  • CreateRemoteThread
  • CreateThread
  • LoadLibraryA
  • OpenProcess
  • VirtualAllocEx
  • WinExec
  • WriteProcessMemory

The exploit uses these APIs to create a “rundll32” process from within IE, to write another section of its shellcode into that new process (VirtualAllocEx and WriteProcessMemory) and to start it running there (via CreateRemoteThread). To thwart detection by security tools, it hides behind multiple layers of encryption and executes multiple jump instructions in memory. The code injected into “rundll32” sets up a connection to a remote location.

Figure 4. A section of the decrypting code

Figure 5. Decryption in rundll32

An interesting feature of this exploit’s payload is the way it calls the APIs it needs. It first sets up a jump table whose entries all lead to a single function that performs the actual JMP; the entries differ only in the values they PUSH beforehand. It is highly likely the exploit does this so that researchers cannot easily identify the calls it uses, nor quickly analyze and debug the contents of its body. The technique is uncommon, but hardly unheard of.

Figures 6-7. The jump (JMP) table for calling APIs
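The API resolution described earlier (the shellcode “computing” which APIs it needs) and the single-stub jump table just discussed, as an added example in C that is not code from the article or from the sample: it models an import-less payload that refers to APIs by a name hash (assumed here to be the ROR-13 scheme many public shellcode payloads use; the sample’s own hash is not given in the write-up), fronts every call with one dispatch stub, and, on the defender’s side, recognizes the injection primitives from the hashes alone. The export table and the ordinal numbering are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the export name table of kernel32.dll: the eight
 * APIs the article lists plus a few decoys for the lookup to skip over.
 * (Not the sample's data; the real table has well over a thousand names.) */
static const char *const kExports[] = {
    "CloseHandle", "CreateProcessA", "CreateRemoteThread", "CreateThread",
    "GetTickCount", "LoadLibraryA", "LoadLibraryW", "OpenProcess",
    "Sleep", "VirtualAllocEx", "VirtualProtect", "WinExec",
    "WriteProcessMemory",
};
#define NEXPORTS (sizeof kExports / sizeof kExports[0])

/* ROR-13 name hash, the scheme many public shellcode payloads use to refer to
 * an API without carrying its name. Assumption: the sample in the article may
 * use a different rotation or an extra mixing step; the idea is the same. */
uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h >> 13) | (h << 19);  /* rotate right by 13 bits */
        h += *p;
    }
    return h;
}

/* Walk the export names and return the index whose hash matches, or -1.
 * Shellcode does the same walk over the PE export directory at run time,
 * which is what "computing which APIs it needs" amounts to. */
int resolve_by_hash(uint32_t want)
{
    for (size_t i = 0; i < NEXPORTS; i++)
        if (ror13_hash(kExports[i]) == want)
            return (int)i;
    return -1;
}

/* The jump table. Every call site in the payload does PUSH <ordinal>; JMP
 * api_dispatch, so a disassembler sees one shared stub rather than a distinct
 * call per API. The ordinal numbering here is constructed, not the sample's. */
enum { API_LOADLIBRARYA, API_OPENPROCESS, API_VIRTUALALLOCEX,
       API_WRITEPROCESSMEMORY, API_CREATEREMOTETHREAD, API_COUNT };

static uint32_t jump_table[API_COUNT];

void build_jump_table(void)
{
    jump_table[API_LOADLIBRARYA]       = ror13_hash("LoadLibraryA");
    jump_table[API_OPENPROCESS]        = ror13_hash("OpenProcess");
    jump_table[API_VIRTUALALLOCEX]     = ror13_hash("VirtualAllocEx");
    jump_table[API_WRITEPROCESSMEMORY] = ror13_hash("WriteProcessMemory");
    jump_table[API_CREATEREMOTETHREAD] = ror13_hash("CreateRemoteThread");
}

/* The single dispatch stub: takes the pushed ordinal, resolves its hash and
 * returns the export that would be jumped to (NULL if out of range or unknown). */
const char *api_dispatch(int ordinal)
{
    if (ordinal < 0 || ordinal >= API_COUNT)
        return NULL;
    int idx = resolve_by_hash(jump_table[ordinal]);
    return idx < 0 ? NULL : kExports[idx];
}

/* Defender's side: given the hash constants recovered from a decoded payload,
 * count how many of the four classic remote-injection primitives are present.
 * The names never appear in the payload, but their hashes do, and all four
 * together are a strong sign of an injector however the calls are laid out. */
int injection_primitive_count(const uint32_t *hashes, size_t n)
{
    static const char *const kInjection[] = {
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    };
    int hits = 0;
    for (size_t k = 0; k < 4; k++) {
        uint32_t h = ror13_hash(kInjection[k]);
        for (size_t i = 0; i < n; i++) {
            if (hashes[i] == h) { hits++; break; }
        }
    }
    return hits;
}

int main(void)
{
    build_jump_table();
    for (int o = 0; o < API_COUNT; o++)
        printf("ordinal %d -> 0x%08x -> %s\n", o, (unsigned)jump_table[o], api_dispatch(o));
    printf("injection primitives present: %d of 4\n",
           injection_primitive_count(jump_table, API_COUNT));
    return 0;
}
```

When analyzing a real payload, the practical move is the reverse of resolve_by_hash: hash every export of the DLLs the shellcode walks, then look the recovered constants up in that table. The dispatch-stub layout only hides the call sites; once the hashes are known, the API set (and with it the injection pattern) is visible without running anything.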

While the characteristics above are incidental, the main purpose of this payload is to connect to a remote server that can be used, or is already being used, for targeted attacks. It connects to the specific IP address 111(dot)68(dot)9(dot)93 and listens on that connection for whatever comes back.

Figures 8-9. Connects to a remote server
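The process and network behavior described above (IE spawning “rundll32”, and that rundll32 reaching out to 111(dot)68(dot)9(dot)93) turned into detection logic, added here as an example and not part of the article or the Labs’ tooling. It runs three rules over constructed endpoint-telemetry lines whose pipe-separated layout is made up for this example. The third rule generalizes past the single IP: any outbound connection from a rundll32 that IE spawned is flagged, so the same chain with a changed C2 address still trips it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define C2_IP "111.68.9.93"   /* the server the payload contacts, per the article */

/* Constructed telemetry, layout: timestamp|event|image|pid|parent image|dst.
 * pid 2840 is the infected chain; pid 3100 is a benign rundll32.exe started
 * by Explorer, as a control. Non-C2 addresses are from 203.0.113.0/24. */
static const char *const kLogLines[] = {
    "2013-11-08 10:20:59|ProcessCreate|C:\\Program Files\\Internet Explorer\\iexplore.exe|1604|C:\\Windows\\explorer.exe|",
    "2013-11-08 10:21:03|ProcessCreate|C:\\Windows\\System32\\rundll32.exe|2840|C:\\Program Files\\Internet Explorer\\iexplore.exe|",
    "2013-11-08 10:21:04|NetworkConnect|C:\\Windows\\System32\\rundll32.exe|2840||111.68.9.93:80",
    "2013-11-08 10:21:05|NetworkConnect|C:\\Windows\\System32\\svchost.exe|900||203.0.113.10:443",
    "2013-11-08 10:22:10|ProcessCreate|C:\\Windows\\System32\\rundll32.exe|3100|C:\\Windows\\explorer.exe|",
    "2013-11-08 10:22:11|NetworkConnect|C:\\Windows\\System32\\rundll32.exe|3100||203.0.113.10:443",
    "2013-11-08 10:25:40|NetworkConnect|C:\\Windows\\System32\\rundll32.exe|2840||203.0.113.77:443",
};
#define NLINES (sizeof kLogLines / sizeof kLogLines[0])

/* Copy the n-th '|'-separated field (0-based) into out; 0 if the line has
 * fewer fields. Empty fields are valid (strtok would silently merge them). */
static int get_field(const char *line, int n, char *out, size_t outlen)
{
    const char *p = line;
    for (int i = 0; i < n; i++) {
        if (!(p = strchr(p, '|'))) return 0;
        p++;
    }
    const char *end = strchr(p, '|');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len >= outlen) len = outlen - 1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Last component of a Windows path. */
static const char *win_basename(const char *path)
{
    const char *s = strrchr(path, '\\');
    return s ? s + 1 : path;
}

/* Case-insensitive equality: image names vary in case across tools. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* True if dst is the C2 address, optionally followed by ":port". The boundary
 * check stops an address such as 111.68.9.930 from matching. */
int is_c2(const char *dst)
{
    size_t n = strlen(C2_IP);
    return strncmp(dst, C2_IP, n) == 0 && (dst[n] == ':' || dst[n] == '\0');
}

/* Runs the rules over lines, stores the index of each line that fires in hits
 * (at most max_hits) and returns how many fired. Malformed lines are skipped. */
size_t analyze(const char *const *lines, size_t n, size_t *hits, size_t max_hits)
{
    int ie_rundll[64];      /* pids of rundll32.exe instances that IE spawned */
    size_t n_ie = 0, n_hits = 0;

    for (size_t i = 0; i < n; i++) {
        char ev[32], image[260], pidstr[16], parent[260], dst[64];
        if (!get_field(lines[i], 1, ev, sizeof ev) || !get_field(lines[i], 2, image, sizeof image) ||
            !get_field(lines[i], 3, pidstr, sizeof pidstr) || !get_field(lines[i], 4, parent, sizeof parent) ||
            !get_field(lines[i], 5, dst, sizeof dst))
            continue;
        int pid = atoi(pidstr), fired = 0;

        if (strcmp(ev, "ProcessCreate") == 0 && ieq(win_basename(image), "rundll32.exe")
            && ieq(win_basename(parent), "iexplore.exe")) {
            /* Rule 1: the injection target the article describes, created by IE. */
            if (n_ie < 64) ie_rundll[n_ie++] = pid;
            printf("[rule 1] line %zu: iexplore.exe spawned rundll32.exe (pid %d)\n", i, pid);
            fired = 1;
        } else if (strcmp(ev, "NetworkConnect") == 0) {
            int from_ie_child = 0;
            for (size_t k = 0; k < n_ie; k++)
                if (ie_rundll[k] == pid) from_ie_child = 1;
            if (is_c2(dst)) {
                /* Rule 2: the known indicator, whatever process uses it. */
                printf("[rule 2] line %zu: %s (pid %d) -> known C2 %s\n", i, win_basename(image), pid, dst);
                fired = 1;
            } else if (from_ie_child) {
                /* Rule 3: behavioral; catches the same chain with a new C2 address. */
                printf("[rule 3] line %zu: IE-spawned rundll32 (pid %d) -> %s\n", i, pid, dst);
                fired = 1;
            }
        }
        if (fired && n_hits < max_hits) hits[n_hits++] = i;
    }
    return n_hits;
}

int main(void)
{
    size_t hits[16];
    printf("%zu of %zu lines flagged\n", analyze(kLogLines, NLINES, hits, 16), (size_t)NLINES);
    return 0;
}
```

Rule 3 is the one worth keeping after the indicator goes stale: rundll32.exe has legitimate uses, but IE launching it and the child then talking to the network is not one of them, which is why the benign Explorer-launched instance (pid 3100) in the sample stays silent.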

How to Protect Your Systems from Exploits

As we already know, most of the software we use today was not designed with security in mind. It is bound to have latent flaws and holes that bad guys who know where to look can exploit for their criminal purposes. It is therefore very important to keep all your software, regardless of the OS you are running, updated to the latest versions. It is equally important to run good AV software that can protect you from in-the-wild exploits. Detection of the landing page is a useful backstop, but it is no substitute for the patch: as shown above, this exploit never needs to drop a file to get its payload running, and it goes to some lengths to look unlike itself in memory.

Berman Enconado

The post A Look Inside a CVE-2013-3918 Exploit appeared first on ThreatTrack Security Labs Blog.

