Through the Cyber Advanced Warning System, NSS Labs is already observing reliable exploits for CVE-2014-6332 in the wild. Microsoft released security updates on November 11, 2014 to patch this vulnerability. According to the National Vulnerability Database, the flaw is in OLE in “Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1” and “allows remote attackers to execute arbitrary code via a crafted web site, aka ‘Windows OLE Automation Array Remote Code Execution Vulnerability.’” The vulnerable code has shipped in every version of Windows from Windows 95 onward, and the vulnerability has a CVSS base score of 9.3.
The bug is in OLE Automation (OleAut32.dll): the size value is mishandled when a SafeArray is redimensioned. VBScript's ReDim Preserve statement reaches that code path, and Internet Explorer's support for inline VBScript gives threat actors a readily accessible attack vector. The public exploit does not need to defeat DEP or ASLR at all: rather than executing shellcode, it uses the corrupted array to tamper with the VBScript engine's own state and then launches the payload through the script engine, so those mitigations never come into play. NSS Labs has so far observed this exploit working reliably on Internet Explorer 7, 8, and 9.
Timeline of Events
During this phase an SWF object is created on the fly and embedded in the page as the Shockwave Flash ActiveX control (clsid:D27CDB6E-AE6D-11cf-96B8-444553540000); it is used for repeated clickjacking.
If the visitor is on a PC, CVE-2014-6332 is exploited using the proof of concept published by @yuange at http://hi.baidu.com/yuange1975/item/c846a94d76fe00a861d7b900; the exploit runs and a malware package is dropped. The in-the-wild code is a copy of the original PoC with minor modifications added for obfuscation.
Dropper name: v3k.exe
MD5 hash: 74CE6CB9F8B983297F936936BCABC698
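The two artifacts above, the Flash CLSID used to embed the SWF and the dropper hash, are the indicators a responder can act on immediately. The script below is an added example written for this page, not NSS Labs code: it scans a saved landing page for an inline VBScript block that redimensions an array (ReDim Preserve, the VBScript statement that exercises the vulnerable OLE Automation path) together with the Flash ActiveX object, and checks a captured file against the published MD5. The two sample HTML documents are constructed stand-ins, not the real exploit page, and the function names are my own.

```python
import hashlib
import re

# Indicators taken from the write-up above.
FLASH_CLSID = "D27CDB6E-AE6D-11cf-96B8-444553540000"
DROPPER_MD5 = "74ce6cb9f8b983297f936936bcabc698"  # v3k.exe

# Inline VBScript block; IE honours both the language= and the type= forms.
VBSCRIPT_BLOCK = re.compile(
    r'<script[^>]*(?:language\s*=\s*["\']?vbscript|type\s*=\s*["\']?text/vbscript)[^>]*>(.*?)</script>',
    re.IGNORECASE | re.DOTALL,
)
# ReDim Preserve resizes a VBScript array in place, which is the operation
# the vulnerable OLE Automation code mishandles.
REDIM_PRESERVE = re.compile(r"\bredim\s+preserve\b", re.IGNORECASE)


def scan_html(html: str) -> dict:
    """Report which CVE-2014-6332 landing-page indicators appear in an HTML document."""
    vb_blocks = VBSCRIPT_BLOCK.findall(html)
    findings = {
        "flash_object_by_clsid": FLASH_CLSID.lower() in html.lower(),
        "vbscript_block": bool(vb_blocks),
        "vbscript_redim_preserve": any(REDIM_PRESERVE.search(b) for b in vb_blocks),
    }
    # ReDim Preserve is legitimate VBScript on its own, so the verdict is graded:
    # "high" when the array resize sits next to the Flash object described above,
    # "medium" when only the VBScript array resize is present, else "none".
    if findings["vbscript_redim_preserve"] and findings["flash_object_by_clsid"]:
        findings["verdict"] = "high"
    elif findings["vbscript_redim_preserve"]:
        findings["verdict"] = "medium"
    else:
        findings["verdict"] = "none"
    return findings


def matches_dropper(data: bytes) -> bool:
    """True if the bytes hash to the MD5 published for the v3k.exe dropper."""
    return hashlib.md5(data).hexdigest() == DROPPER_MD5


# Constructed sample page (not the real exploit): it embeds the Flash control by CLSID
# and carries an inline VBScript block that resizes an array, the shape of the landing
# page described in the write-up.
SAMPLE_LANDING_PAGE = """<html><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1" height="1"></object>
<script language="VBScript">
Dim a()
ReDim Preserve a(10)
</script>
</body></html>"""

# Constructed benign page with no VBScript at all.
SAMPLE_BENIGN_PAGE = """<html><body>
<script type="text/javascript">var a = [];</script>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("landing", SAMPLE_LANDING_PAGE), ("benign", SAMPLE_BENIGN_PAGE)):
        print(name, scan_html(page))
    print("dropper match for empty file:", matches_dropper(b""))
```

Run it against a page saved from the wire (read the file into `scan_html`) and against any binary dropped on an affected host (read the bytes into `matches_dropper`). The verdict is deliberately conservative: a VBScript array resize alone only earns "medium", because the indicator is the combination of that statement, an execution context IE honours, and the Flash object used for the clickjacking phase.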
NSS Labs recommends
More to follow, including analysis and an IDA database for the reversed dropper and its embedded contents.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.