Blog Zscaler

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

S'abonner
Security Research

Obfuscated Exploits Continue To Target CVE-2010-0806 And CVE-2010-3962

image
THREATLABZ
juillet 14, 2011 - 2 Min de lecture

 

A pair of “use-after-free” aka “uninitialized memory corruption” vulnerabilities (CVE-2010-0806 and CVE-2010-3962) in Internet Explorer were reported in November 2010 and remain among the favored client-side attack vectors currently seen in the wild. Recently during my research, I have noticed a gradual increase in attacks targeting these vulnerabilities. Often these two vulnerabilities are combined into a single exploit, as both the vulnerabilities target Internet Explorer 6 and 7. Combining exploit code will of course increase the probability of a successful attack.

 

Lets analyze one sample that I came across recently.

Source code

hxxp://www.dxcdfghg.com/2.html

Image

Image

hxxp://www.dxcdfghg.com/2.js

Image

De-obfuscated Code Analysis

De-obfuscation of the above code, shows how the exploitation of the two vulnerabilities is carried out. Lets go through each one of them sequentially.

Both exploits work in following way

  • Initiate a heap spray

  • Exploit causes a use-after-free error

  • Assembly code running at the time of the “use-after-free error” causes the CPU to execute shellcode thanks to the heap spray.

Version check – This is required to initialize the address of the shellcode. The full address is computed when heap spray is carried out.

Image

Shellcode - Common for both the vulnerabilities.

Image

The heap spray is carried out by different functions for the different vulnerabilities.

Exploiting CVE-2010-0806

Image

Exploiting CVE-2010-3962

Image

Other samples that target these vulnerabilities, which I observed during my research varies in terms of the way the Javascript code is obfuscated. However, the overall process remains the same. This again tells us why it’s important to update your browser with latest security patches.

Further research on the domain “dxcdfghg.com” reveals that the IP address bound to this domain has hosted various other malicous domains carrying out alternate attacks.

Image

Hosting multiple malicious domains on one IP address is common practice for attackers.

Pradeep

form submtited
Merci d'avoir lu l'article

Cet article a-t-il été utile ?

Recevez les dernières mises à jour du blog de Zscaler dans votre boîte de réception

En envoyant le formulaire, vous acceptez notre politique de confidentialité.