A pair of “use-after-free” aka “uninitialized memory corruption” vulnerabilities (CVE-2010-0806 and CVE-2010-3962) in Internet Explorer were reported in November 2010 and remain among the favored client-side attack vectors currently seen in the wild. Recently during my research, I have noticed a gradual increase in attacks targeting these vulnerabilities. Often these two vulnerabilities are combined into a single exploit, as both the vulnerabilities target Internet Explorer 6 and 7. Combining exploit code will of course increase the probability of a successful attack.
Lets analyze one sample that I came across recently.
Source code
hxxp://www.dxcdfghg.com/2.html
hxxp://www.dxcdfghg.com/2.js
De-obfuscated Code Analysis
De-obfuscation of the above code, shows how the exploitation of the two vulnerabilities is carried out. Lets go through each one of them sequentially.
Both exploits work in following way
-
Initiate a heap spray
-
Exploit causes a use-after-free error
-
Assembly code running at the time of the “use-after-free error” causes the CPU to execute shellcode thanks to the heap spray.
Version check – This is required to initialize the address of the shellcode. The full address is computed when heap spray is carried out.
Shellcode - Common for both the vulnerabilities.
The heap spray is carried out by different functions for the different vulnerabilities.
Exploiting CVE-2010-0806
Exploiting CVE-2010-3962
Other samples that target these vulnerabilities, which I observed during my research varies in terms of the way the Javascript code is obfuscated. However, the overall process remains the same. This again tells us why it’s important to update your browser with latest security patches.
Further research on the domain “dxcdfghg.com” reveals that the IP address bound to this domain has hosted various other malicous domains carrying out alternate attacks.
Hosting multiple malicious domains on one IP address is common practice for attackers.
Pradeep