Kenneth Johnson, FireEye (FIREEYE:0A49354849202DA95FE69EEC5811E6DD)
Jul 14, 2016 - 4:37 p.m.

Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release

www.fireeye.com

CVSS3: 9.8 High
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.974 High (Percentile: 99.9%)

A security researcher recently published source code for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit (EK) quickly adopted it.

CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in Microsoft’s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher’s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows.

Microsoft patched CVE-2016-0189 in May on Patch Tuesday. Applying this patch will protect a system from this exploit.

Attack Details

The popular Neutrino EK was quick to adopt this exploit. Neutrino works by embedding multiple exploits into one Shockwave Flash (SWF) file. Once run, the SWF profiles the victim’s system – shown in Figure 1 – to determine which of its embedded exploits to use.

Figure 1. Neutrino EK SWF profiles a victim

Next, it decrypts and runs the applicable exploit, as shown in Figure 2. This is different from most other EKs, in which an earlier HTML/JavaScript stage profiles the browser and selectively downloads exploits from the server.

Figure 2. Decrypt and embed the selected exploit into an iframe

In this example, Neutrino embedded exploits for five vulnerabilities that have been patched since May or earlier: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino’s arsenal.

CVE-2016-0189

The CVE-2016-0189 vulnerability stems from a failure to put a lock on an array before working on it. This omission can lead to an issue when the array is changed while another function is in the middle of working on it. Memory corruption can occur if the “valueOf” property of the array is set to a script function that changes the array size, as shown in Figure 3.

Figure 3. Neutrino setting triggering conditions

After Microsoft released the patch, a security researcher compared the original and patched programs to identify the root cause of the vulnerability and create a fully functioning exploit. The exploit embedded within Neutrino is identical to this researcher’s exploit, except for the code that runs after initial control.
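
The missing-lock root cause described above can be modelled safely in plain JavaScript. This is an added example, not code from the original article, the researcher's repository or the exploit kit; it is a toy model in which `ToyArray`, `accessUnlocked`, `accessLocked` and `resizingIndex` are hypothetical names, and it assumes the resize callback is reached through an index object's `valueOf()`. It shows a bounds check going stale across the callback, and a lock held for the whole operation refusing the resize.

```javascript
// Toy model, constructed for illustration: an array with a lock counter.
class ToyArray {
  constructor(n) { this.cells = new Array(n).fill(0); this.locks = 0; }
  get length() { return this.cells.length; }
  lock() { this.locks++; }
  unlock() { this.locks--; }
  resize(n) {
    if (this.locks > 0) throw new Error("array is locked");
    this.cells.length = n;
  }
}

// Before: the bound is captured, then the index is converted to a number.
// Conversion runs script-supplied valueOf(), which may resize the array.
function accessUnlocked(arr, index) {
  const bound = arr.length;                 // captured before the callback
  const i = Number(index);                  // invokes index.valueOf()
  if (i < 0 || i >= bound) return { ok: false, reason: "out of range" };
  return { ok: true, stale: i >= arr.length }; // stale: passed on the old size
}

// After: the array stays locked for the whole operation, so a resize attempted
// from inside valueOf() is refused and the captured bound remains valid.
function accessLocked(arr, index) {
  arr.lock();
  try {
    const bound = arr.length;
    const i = Number(index);
    if (i < 0 || i >= bound) return { ok: false, reason: "out of range" };
    return { ok: true, stale: i >= arr.length };
  } catch (e) {
    return { ok: false, reason: e.message };
  } finally {
    arr.unlock();
  }
}

// Constructed input: an index object whose valueOf() changes the array size.
function resizingIndex(arr, value, newSize) {
  return { valueOf() { arr.resize(newSize); return value; } };
}

function demo() {
  const a = new ToyArray(8), b = new ToyArray(8);
  const before = accessUnlocked(a, resizingIndex(a, 6, 2));
  const after = accessLocked(b, resizingIndex(b, 6, 2));
  return { before, after, sizeAfterLocked: b.length };
}
```

In a memory-safe language the stale check only yields a flag; in a native scripting engine the same ordering lets an access land outside the resized buffer, which is why the lock has to be taken before any script callback can run.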
