myhack58 | Anonymous | MYHACK58:62201454782
History: Oct 18, 2014 - 12:00 a.m.

CVE-2014-4114 sample analysis - vulnerability warning - the black bar safety net

2014-10-18 00:00:00
Anonymous
www.myhack58.com
54

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.97 High
Percentile: 99.7%

Author: Nie Meining, posted on: 2014-10-17 20:58, category: Debug

Over the past two days I did a bit of analysis on CVE-2014-4114, which has been getting a lot of attention. Uploading the sample to the analysis platform immediately raised an alarm:

! CVE-2014-4114_0.jpg

Detailed analysis results: <http://124.16.139.43:8081/CloudServer/rp_report?df=22fbbcfa5646497e57ee238a180d1b367789984a>

Oddly, the platform captured an exception but no follow-up behaviour was observed. Looking up the vulnerability description online showed that it should be a logic vulnerability, so a successful attack need not produce any exception at all. After going through a bit of the back-end analysis data, the exception turned out to come from an assignment inside a loop somewhere in OGL.DLL:

! CVE-2014-4114_1.jpg

Each time the instruction executes, the value in eax grows slowly until it eventually reaches an unmapped page, causing an access violation. The exception is swallowed by an SEH handler, though, which is why nothing is visible in the process screenshot on the analysis report linked above. A fragment of the back-end analysis data:

! CVE-2014-4114_2.jpg

This looks a lot like an array traversal (or something similar) going out of bounds on an address, which is inconsistent with the vulnerability description found online. Checking the relevant material again revealed that the vulnerability cannot be triggered successfully on Windows XP… which may be the reason the analysis system captured the exception code.

To obtain accurate behaviour analysis results, the analysis image was switched to Windows 7 and the sample was uploaded again; sure enough, the follow-up malicious behaviour was intercepted. The behaviour graph is shown below (since the analysis system is isolated from the external network, the IP address 94.185.85.122 is replaced by 192.168.4.252):

! CVE-2014-4114.jpg

Detailed analysis results: <http://124.16.139.43:8081/CloudServer/rp_report?df=b141cc7a775ab1e28e5bc66e441c37849de74341>

For this 0day, my personal impression is that the analysis platform's test results were fairly good: on the default XP image the exception was captured, and on the Win7 image the complete behaviour was intercepted. The analysis platform is still being gradually improved; everyone is welcome to try it out and offer valuable feedback! Platform demo address: <http://124.16.139.43:8081/CloudServer>
