• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Exploits   »   CVE-2016-3298: Microsoft Puts the Lid on Another IE Zero-day Used in AdGholas Campaign

CVE-2016-3298: Microsoft Puts the Lid on Another IE Zero-day Used in AdGholas Campaign

  • Posted on:October 31, 2016 at 9:00 am
  • Posted in:Exploits, Vulnerabilities
  • Author:
    Henry Li (Threats Analyst )
0

Microsoft’s Patch Tuesday for October fixed another previous zero-day vulnerability in Internet Explorer (IE) via MS16-118 and MS16-126: CVE-2016-3298. Before the lid was put on it, the security flaw was employed alongside CVE-2016-3351 by operators of the AdGholas malvertising campaign, analysis and disclosure of which were made with our collaboration with Proofpoint’s @kafeine last July 2016. The campaign was notable for the economies of scale and scope it achieved in its heyday until its operations were stymied. As shared by @kafeine, it was even integrated in Neutrino exploit kit’s malvertising chain as a malicious JavaScript.

Like CVE-2013-7331, CVE-2015-2413, and CVE-2016-3351, CVE-2016-3298 is an information disclosure vulnerability. Attackers utilized these to check for the presence of local files/directories, or obtain confidential system data that can be leveraged in further attacks. They are all related to file handling protocol, which are best mitigated with file protocol-related code auditing.

Exploiting CVE-2016-3298 enables attackers to check for specific antivirus (AV) software installed in the system in order to avoid AV detection and threat research/analysis. This sounds innocuous, but determining if the system is unsecure eases—and even automates—the undertaking of sneaking malware into it.

CVE ActiveX Object Protocol Affected Browser
CVE-2013-7331 Yes xmldom res IE
CVE-2015-2413 No null res IE
CVE-2016-3351 No null mineType IE/Edge
CVE-2016-3298 Yes xmldom mhtml IE

Figure 1. Information disclosure vulnerabilities in Microsoft’s IE and Edge browsers

AdGholas’s malvertising campaigns heavily relied on stealth. This is reflected by how it exploited non-critical flaws that unfortunately tend to be undetected and/or unpatched for quite some time. How was this vulnerability leveraged in their operations?

 

CVE-2016-3298: A Technical Rundown

Drawing on sample codes derived from an AdGholas campaign, we simplified them to a Proof of Concept (PoC) code:

    function directory_exist(e) {
        var r;
        try {
            r = new ActiveXObject("Microsoft.XMLDOM");
            r.async = 0;
            file_path = "mhtml:file:/progra~1/malwar~1"
r_s = '<!DOCTYPE _ SYSTEM "' + file_path + '">';
            r.loadXML(r_s )
        } catch (s) {
            alert( s.toString( ))
        }
        return r && r.parseError.errorCode
    }

The PoC code uses the Microsoft.XMLDOM ActiveX Object to check for a specific directory in the system. Microsoft.XMLDOM has a function defined as: loadXML( string ).

The parameter string can be in the format,<!DOCTYPE rootElement SYSTEM “URIreference”>. The URIreference, which points to a file containing the declarations, can be a string like: mhtml:file:filepath. With this URI (Uniform Resource Identifier)/scheme, IE’s inetcomm.dll module will call the MimeOleParseMhtmUrlW function to parse the URI.

If an attacker gave a special/custom URI, like mhtml:file:/progra~1/malwar~1, MimeOleParseMhtmUrlW will get the error file URI file:/progra~1/malwar~1 (if URIreference is the same as the special URI). The loadXML call stack will be:

Figure 2. loadXML call stack resulting from an attacker’s special URI

Figure 3. Code fragment of the CInetFile::INetAsyncOpen function

CVE-2016-3298’s key point function is urlmon!CINetFile::InetAsyncOpen. CInetFile::INetAsyncOpen calls GetFileAttributeW to get the filepath attribute. If the filepath is not present in the system, the return error code is 0x800c005. If it exists—and is a directory—return error code will be 0x800c0015. CInetFile::InetAsyncOpen error code will be assigned to parseError.errorCode. Via the error code, attackers can check if the directory exists in the system or not.

 

CVE-2016-3298 in Exploit Kit
When integrated to exploit kit, it plays the role of a sleuth to evade detection and analysis:

  • It scans for presence of AV software
  • It checks if firewall is installed in the system
  • It determines if the browser is running in sandbox
  • It inspects the system for packet capture software
  • It runs the exploit if it confirms none are present in the system

Figure 4. Sample code segment in exploit kit that checks for security tools in the system

 

Patching CVE-2016-3298

Microsoft’s cumulative update, rolled out on October 11, covered Internet Explorer 9 to 11 on Windows clients and servers, and was accompanied with a patch for Vista, Server 2008 (SP2 and R2 SP1) and Windows 7 (SP1). The patches addressed the vulnerability by changing how the Microsoft Internet Messaging API (inetcomm.dll) handles objects in memory—inetcomm.dll’s patched version is 6.1.7601.23548; if unpatched, it’s 6.1.7601.17514.

Figure 5. Difference in MimeOleParseMhtmUrlW function for the unpatched (left) and patched version (right) using patch analysis tool PatchDiff2

The patched MimeOleParseMhtmUrlW function will check if mhtml is followed by a fileurl. If it is, it will call the URLCanonicalizeWfunction to canonicalize the fileurl. Using file:/progra~1/malwar~1 as example: after getting the canonicalized fileurl, file:///progra~1/malwar~1, the CActiveUrlRequest::Start function will return with error code 0x800c000e whether the fileurl exists on the system or not. This prevents attackers from determining whether the directory is present on the system.

Figure 6. Code fragment of the CActiveUrlRequest::Start function

 

Trend Micro Solutions

A vulnerable system can be exposed to a plethora of threats. Keeping it up-to-date with the latest patches plays a critical role in mitigating the risks for end-users and especially businesses. Trend Micro’s Vulnerability Protection and OfficeScan’s Intrusion Defense Firewall plug-in shield endpoints from identified and unknown vulnerability exploits before patches are deployed.

Trend Micro™ Deep Security™ protects networks through this Deep Packet Inspection (DPI) rule:

  • 1007985-Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2016-3298)

TippingPoint customers are protected from attacks exploiting this vulnerability with this MainlineDV filter:

  • 25148: HTTP: Microsoft Internet Explorer Internet Messaging API Information Disclosure Vulnerability

 

With additional analysis by Brooks Li.

Hat tip to @kafeine for sharing the sample from which we made the PoC code.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: AdGholasCVEInternet ExplorermalvertisingVulnerabilities

Featured Stories

  • systemd Vulnerability Leads to Denial of Service on Linux
  • qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware
  • Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
  • A Closer Look at North Korea’s Internet
  • From Cybercrime to Cyberpropaganda

Security Predictions for 2019

  • Our security predictions for 2019 are based on our experts’ analysis of the progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape. We have categorized them according to the main areas that are likely to be affected, given the sprawling nature of the technological and sociopolitical changes under consideration.
    Read our security predictions for 2019.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • (Almost) Hollow and Innocent: Monero Miner Remains Undetected via Process Hollowing
  • Waterbear is Back, Uses API Hooking to Evade Security Product Detection
  • December Patch Tuesday: Vulnerabilities in Windows components, RDP, and PowerPoint Get Fixes
  • Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
  • Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack

Popular Posts

  • Mac Backdoor Linked to Lazarus Targets Korean Users
  • More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
  • New Magecart Attack Delivered Through Compromised Advertising Supply Chain
  • September Patch Tuesday Bears More Remote Desktop Vulnerability Fixes and Two Zero-Days
  • Microsoft November 2019 Patch Tuesday Reveals 74 Patches Before Major Windows Update

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.