The hits keep on coming from the Hacking Team. After three separate Adobe Flash zero-days, another vulnerability that could take over user systems has been found. Our latest discovery is in Internet Explorer, and has been acknowledged by Microsoft and patched as part of the regular Patch Tuesday cycle as MS15-065. It has been designated as CVE-2015-2425. While we did find proof-of-concept (POC) code, there are still no known attacks exploiting this vulnerability.
This zero-day is a use-after-free (UAF) vulnerability involving a just-in-time (JIT) function in jscript9.dll, specifically in the MutationObserver object. It occurs when MutationObserver tries to keep track of an element that has already been destroyed. Only Internet Explorer 11 is affected, as older versions of the browser do not support this feature.
The POC code we found confirms that an exploit can crash Internet Explorer 11 every time it is loaded. The crash point is at JMP EAX, where the value of EAX is an invalid heap address whose memory property is MEM_RESERVE, and this heap address was a JIT function address before it was freed. Internet Explorer 11 crashes as seen below; the EIP value is the same as EAX.
Figure 1. Internet Explorer crash
The function in jscript9.dll where the crash occurs is shown in the following figure:
Figure 2. Function where jscript9.dll crashes
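The crash signature described above (an indirect jump whose register target equals EIP, landing in memory whose state is MEM_RESERVE) can be checked mechanically when triaging crash reports. The following is an added example, not code from the original post; the crash-record layout, the sample addresses and the function names `parse_crash` and `triage` are assumptions made for illustration.

```python
import re

# Constructed crash records in a simplified, debugger-like layout. Addresses,
# field names and layout are illustrative assumptions, not real tool output.
SAMPLE_UAF = """\
eax=0a3c0000 ebx=04d1f2a0 ecx=0a3c0000 edx=00000001
eip=0a3c0000 esp=04d1f1c8 ebp=04d1f1f0
last_branch: jmp eax
region base=0a3c0000 size=00010000 state=MEM_RESERVE
"""
SAMPLE_OTHER = """\
eax=00000000 ebx=04d1f2a0 ecx=0a3c0000 edx=00000001
eip=6f1a2b3c esp=04d1f1c8 ebp=04d1f1f0
last_branch: call ecx
region base=6f1a0000 size=00040000 state=MEM_COMMIT
"""

def parse_crash(text):
    """Extract registers, the last branch instruction and the region holding EIP."""
    regs = {r: int(v, 16) for r, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)}
    branch = re.search(r"^last_branch:\s*(jmp|call)\s+(e[a-z]{2})\s*$", text, re.M)
    region = re.search(r"^region base=([0-9a-f]+) size=([0-9a-f]+) state=(\w+)", text, re.M)
    return regs, branch, region

def triage(text):
    """Return (verdict, findings) for one crash record."""
    regs, branch, region = parse_crash(text)
    findings = []
    eip = regs.get("eip")
    # Signature 1: execution faulted exactly at the target of an indirect branch.
    if branch and eip is not None and regs.get(branch.group(2)) == eip:
        findings.append(f"{branch.group(1)} {branch.group(2)} target equals EIP")
    # Signature 2: EIP lies in address space that is reserved but not committed.
    if region and eip is not None:
        base, size = int(region.group(1), 16), int(region.group(2), 16)
        if base <= eip < base + size and region.group(3) == "MEM_RESERVE":
            findings.append("EIP inside MEM_RESERVE region")
    # Both signatures together match the pattern in the text; anything else
    # is left for an analyst rather than guessed at.
    verdict = "stale-code-pointer" if len(findings) == 2 else "manual-review"
    return verdict, findings

if __name__ == "__main__":
    for name, rec in (("uaf-like", SAMPLE_UAF), ("other", SAMPLE_OTHER)):
        print(name, *triage(rec))
```
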
Is it exploitable?
Microsoft has confirmed that this particular vulnerability is exploitable.
An ideal attack would use a heap spray to occupy the freed memory before it is used. However, because the freed memory is JIT memory and the freed memory is reserved by the heap for JIT generation, a normal heap spray is not possible. But a JIT spray can occupy this kind of memory, so JIT spray may be used to spray shellcode into the freed memory location. If the JMP EAX instruction jumps into the sprayed shellcode, this shellcode will be run within the context of the IE tab process.
Simply put, if an attacker successfully exploits the vulnerability, he can basically run any code on the system. How far the attacker gets, though, depends on the OS version. On Windows 7, the IE11 tab process has the same privilege as the IE11 frame process, so the shellcode will run with the same privileges as the logged-in user. On Windows 8.1 and later, the privilege of the IE11 tab process is low by default, and a successful attack would require a separate privilege escalation vulnerability.
The Hacking Team data has been available to the public for just over a week, which means it is readily available to attackers. We suggest that users running a vulnerable version of Internet Explorer 11 update to a patched version immediately; a patch has been made available as part of this month’s Patch Tuesday cycle.
While only POC code exists, the vulnerability is still exploitable. We are monitoring for possible threats or attacks that target this vulnerability. We will update this post if any attacks are found in the wild.
Timeline of posts related to the Hacking Team
| Date | Event |
|---|---|
| July 5 | The Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public. |
| | Three exploits, two for Flash Player and one for the Windows kernel, were initially found in the information dump. One of these (CVE-2015-5119) was a Flash zero-day. |
| | The Windows kernel vulnerability (CVE-2015-2387) existed in the OpenType font manager module (ATMFD.dll) and can be exploited to bypass the sandbox mitigation mechanism. |
| July 11 | Two new Flash zero-day vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were found in the Hacking Team dump. |
| July 13 | Further analysis of the Hacking Team dump revealed that the company used a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed in their targets’ systems. |
| July 14 | A new zero-day vulnerability (CVE-2015-2425) was found in Internet Explorer. |
| July 16 | On the mobile front, a fake news app designed to bypass Google Play was discovered. |
| July 20 | A new zero-day vulnerability (CVE-2015-2426) was found in Windows, which Microsoft fixed in an out-of-band patch. |
| July 21 | Analysis of the RCSAndroid spying tool revealed that Hacking Team can listen to calls and root devices to get in. |
| July 28 | A recent campaign compromised Taiwan and Hong Kong sites to deliver Flash exploits related to Hacking Team. |