Unicorn Just Got Real


Through the Cyber Advanced Warning System, NSS Labs is already observing reliable exploits for CVE-2014-6332 in the wild. Microsoft released security updates on November 11, 2014 to patch this vulnerability. According to the National Vulnerability Database, “This vulnerability exists in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, and allows remote attackers to execute arbitrary code via a crafted web site, aka ‘Windows OLE Automation Array Remote Code Execution Vulnerability.’” This vulnerability impacts every version of Windows from Windows 95 onward and has a CVSS rating of 9.3.

This bug is caused by improper handling of array resizing in the VBScript engine; because Internet Explorer ships with VBScript support, the browser provides a readily accessible attack vector for threat actors. The exploit bypasses Microsoft's exploit mitigations, including DEP and ASLR. NSS Labs has so far observed this exploit working reliably on Internet Explorer 7, 8, and 9.

Timeline of Events

  • Nov 11, 2014 – Microsoft releases the patch for CVE-2014-6332.
  • Nov 11, 2014 – A Chinese researcher identified by the Twitter handle @yuange releases the proof of concept (PoC) exploit.
  • Nov 12, 2014 – Metasploit module is created for CVE-2014-6332.
  • Nov 17, 2014 – NSS Labs observes the first attacks exploiting CVE-2014-6332 in the wild via the Cyber Advanced Warning System.

Analysis

Upon visiting the URL hxxp://www.xx.co.kr, a JavaScript fingerprints the visiting host to determine whether it is a PC. If not, it checks the host against a predefined list of mobile platform strings (“Android,” “iPhone,” “Windows Phone,” “iPod,” “BlackBerry,” “MeeGo,” “SymbianOS”) to detect an Android device. If one is detected, the user is redirected to http://xx.xx.xx.xx:8080/new.apk, which serves an APK to install.

During this phase an SWF object is created on the fly and embedded in the page using COM interfacing (clsid:D27CDB6E-AE6D-11cf-96B8-444553540000) and used for repetitive clickjacking.

If a PC is detected, exploitation of CVE-2014-6332 will take place as submitted on http://hi.baidu.com/yuange1975/item/c846a94d76fe00a861d7b900 by @yuange; the exploit runs and a malware package is dropped. This is a copy of the original PoC with minor modifications to allow for some obfuscation.

Dropper name: v3k.exe

MD5 hash: 74CE6CB9F8B983297F936936BCABC698

SHA-1 hash: B76B514707CD560F973DD66124D2C1101D75078A
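As an added example (not code from the NSS Labs write-up or from the referenced PoC), the following Python script turns the Analysis section and the indicators above into a triage aid: it flags a captured landing page that carries the traits described (a VBScript block, the mobile platform fingerprinting list, a redirect to an APK on port 8080, and the Flash object embedded by its COM CLSID) and compares a dropped file's MD5/SHA-1 against the v3k.exe hashes. The sample pages, the four-token threshold, and the helper names are constructed for illustration; the hashes, CLSID, and platform strings are the ones quoted in this post.

```python
import hashlib
import re
from typing import Optional

# Indicators quoted from the write-up above (dropper hashes, Flash CLSID,
# mobile platform strings used by the landing page's fingerprinting script).
DROPPER_MD5 = "74ce6cb9f8b983297f936936bcabc698"
DROPPER_SHA1 = "b76b514707cd560f973dd66124d2c1101d75078a"
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"
MOBILE_TOKENS = ["Android", "iPhone", "Windows Phone", "iPod",
                 "BlackBerry", "MeeGo", "SymbianOS"]

# Threshold is an assumption for this example: a page naming four or more of
# the seven platform strings is treated as carrying the fingerprinting list.
MOBILE_TOKEN_THRESHOLD = 4


def hash_bytes(data: bytes) -> dict:
    """Return MD5 and SHA-1 hex digests of a file's contents."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def matches_dropper_ioc(data: bytes) -> bool:
    """True if the bytes hash to the v3k.exe dropper listed above."""
    digests = hash_bytes(data)
    return digests["md5"] == DROPPER_MD5 or digests["sha1"] == DROPPER_SHA1


def scan_landing_page(html: str) -> dict:
    """Flag the landing-page traits described in the Analysis section.

    Each key is one heuristic; 'score' counts how many fired. This is a
    triage aid for captured pages, not a signature for the VBScript bug itself.
    """
    lower = html.lower()
    hits = {
        # <script language="VBScript"> block: the engine the exploit targets.
        "vbscript_block": bool(re.search(
            r'<script[^>]*language\s*=\s*["\']?vbscript', lower)),
        # Predefined list of mobile platform names used for fingerprinting.
        "mobile_fingerprint_list": sum(
            tok.lower() in lower for tok in MOBILE_TOKENS) >= MOBILE_TOKEN_THRESHOLD,
        # Redirect of non-PC visitors to an APK served on port 8080.
        "apk_redirect": bool(re.search(
            r'https?://[^"\'\s<>]+:8080/[^"\'\s<>]*\.apk', lower)),
        # Flash object embedded via its COM CLSID (used for clickjacking).
        "flash_clsid_object": FLASH_CLSID in lower,
    }
    hits["score"] = sum(1 for fired in hits.values() if fired)
    return hits


def triage(html: str, dropped_file: Optional[bytes] = None) -> dict:
    """Combine page heuristics with a dropper hash check for one capture."""
    result = scan_landing_page(html)
    result["dropper_ioc_match"] = (
        matches_dropper_ioc(dropped_file) if dropped_file is not None else False)
    return result


# Constructed sample landing page (not the real one) exhibiting all four traits;
# the VBScript block is a harmless stub.
SAMPLE_MALICIOUS_PAGE = """
<html><body>
<script>
var mobile = ["Android","iPhone","Windows Phone","iPod","BlackBerry","MeeGo","SymbianOS"];
if (!isPC()) { window.location = "http://xx.xx.xx.xx:8080/new.apk"; }
</script>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="1" height="1"></object>
<script language="VBScript">
Sub placeholder()
End Sub
</script>
</body></html>
"""

# Constructed benign page for comparison.
SAMPLE_BENIGN_PAGE = "<html><body><p>Nothing to see here.</p></body></html>"

if __name__ == "__main__":
    for name, page in [("suspicious", SAMPLE_MALICIOUS_PAGE),
                       ("benign", SAMPLE_BENIGN_PAGE)]:
        print(name, triage(page, dropped_file=b"constructed, not the real dropper"))
```

Feed `triage()` the HTML of a captured page plus the bytes of any file it dropped; a score of 3 or 4 on the page heuristics, or a hash match, marks the capture for closer analysis. The heuristics are deliberately loose (a legitimate page can embed Flash or sniff mobile user agents), so they rank captures rather than block traffic.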

NSS Labs recommends

  • Apply the MS14-064 security updates as soon as possible.

More to follow with analysis and IDA DB for the reversed dropper and its embedded contents.

Part 2 of this blog series can be found here.

Follow us on Twitter (@jayendra363, @halsten & @9ee1) to keep informed as new research is released.

References:

http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-comb...

Follow us on Twitter (@NSSLabs) to keep informed as new research is released.
