As discussed in our previous blog entries, we’ve found an exploit (Trend Micro detection HTML_EXPLOYT.AE) that targets a vulnerability found in Microsoft XML Core Services (CVE-2012-1889). Based on our analysis, HTML_EXPLOYT.AE contains three key features: its usage of Microsoft XML Core Services, heap spray, and No ROP (Return-Oriented-Programming) function. Our two initial blog entries already gave in-depth details on how HTML_EXPLOYT.AE uses Microsoft XML Core Services and how it executes heap spray method. This time, we focus on the No ROP function of HTML_EXPLOYT.AE, which leads to the downloading of a backdoor (detected as BKDR_POISON.HUQA).
HTML_EXPLOYT.AE Feature 3: No ROP(Return-Oriented-Programming) function
Let’s check how HTML_EXPLOYT.AE executes malicious code in the heap- sprayed area after successfully exploiting CVE-2012-1889.
The Data Execution Prevention (DEP) in Internet Explorer version 8, 9, 10 DEP is enabled, which prevents HTML_EXPLOYT.AE from jumping heap sprayed area. Let us now check the protection conditions of heap sprayed areas with Windbg extensions.
On IE 9 and 10 where DEP is enabled by default, HTML_EXPLOYT.AE fails to jump to the heap sprayed area. This is because there is no PAGE_EXECUTE flag, which executes access to the committed region of pages. DEP detects the attack scenario and mitigates the threat by terminating the application.
Because Microsoft XML Core Services is installed on most PCs, this exploit poses a significant threat among users. Furthermore, its attack code was made public, which may empower potential attackers to use the code for their future schemes.
Trend Micro users are protected from this threat via Smart Protection NetworkT, which detects the malware HTML_EXPLOYT.AE and BKDR_POISON.HUQA via file reputation services. It also blocks access to the related C&C servers via web reputation services. More importantly, Trend Micro Deep Security and Officescan with IDF enabled prevent attacks exploiting CVE-201-1889 via the rule 1005061- Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889).
For added protection, users must update their systems with the latest security patch made available by software vendors such as Microsoft. To know more about the related vulnerability, users may refer Microsoft’s security bulletin. Users should also observe best computing practices, such as avoiding visiting unknown websites and opening email messages from dubious sources.
Leave a reply