• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Exploits   »   Technical Analysis of CVE-2012-1889 Exploit HTML_EXPLOYT.AE Part 3

Technical Analysis of CVE-2012-1889 Exploit HTML_EXPLOYT.AE Part 3

  • Posted on:July 4, 2012 at 6:26 am
  • Posted in:Exploits, Malware, Vulnerabilities
  • Author:
    Kim Chanwoo (Security Specialist)
0

As discussed in our previous blog entries, we found an exploit (Trend Micro detection HTML_EXPLOYT.AE) that targets a vulnerability found in Microsoft XML Core Services (CVE-2012-1889). Based on our analysis, HTML_EXPLOYT.AE contains three key features: its usage of Microsoft XML Core Services, heap spray, and No ROP (Return-Oriented-Programming) function. Our two initial blog entries already gave in-depth details on how HTML_EXPLOYT.AE uses Microsoft XML Core Services and how it executes heap spray method. This time, we focus on the No ROP function of HTML_EXPLOYT.AE, which leads to the downloading of a backdoor (detected as BKDR_POISON.HUQA).

HTML_EXPLOYT.AE Feature 3: No ROP(Return-Oriented-Programming) function

Let’s check how HTML_EXPLOYT.AE executes malicious code in the heap- sprayed area after successfully exploiting CVE-2012-1889.

When we checked the exploit code, we did not find any ROP (Return-Oriented-Programming) function. This means HTML_EXPLOYT.AE jumps directly to the malicious code in the heap-sprayed memory area.

The Data Execution Prevention (DEP) in Internet Explorer version 8, 9, 10 DEP is enabled, which prevents HTML_EXPLOYT.AE from jumping heap sprayed area. Let us now check the protection conditions of heap sprayed areas with Windbg extensions.

On IE 9 and 10 where DEP is enabled by default, HTML_EXPLOYT.AE fails to jump to the heap sprayed area. This is because there is no PAGE_EXECUTE flag, which executes access to the committed region of pages. DEP detects the attack scenario and mitigates the threat by terminating the application.

However, IE8 is a different story since its DEP status can be enabled or disabled. On a DEP disabled scenario, HTML_EXPLOYT.AE can proceed with its malicious task without problem. On the other hand, if DEP is enabled, the attack is prevented. It should be noted that in earlier versions of Internet Explorer (version 7, 6 etc.), DEP settings are disabled by default.

After exploiting CVE-2012-1889, HTML_EXPLOYT.AE then downloads the backdoor BKDR_POISON.HUQA and executes it in the infected system.

Once executed, BKDR_POISON.HUQA connects to specific malicious remote user via command-and-control (C&C) servers using TCP port 80. In effect, the malicious user can perform any malicious routines onto the infected system, which includes stealing system-related information.

Because Microsoft XML Core Services is installed on most PCs, this exploit poses a significant threat among users. Furthermore, its attack code was made public, which may empower potential attackers to use the code for their future schemes.

Trend Micro users are protected from this threat via Smart Protection Network™, which detects the malware HTML_EXPLOYT.AE and BKDR_POISON.HUQA via file reputation services. It also blocks access to the related C&C servers via web reputation services. More importantly, Trend Micro Deep Security and Officescan with IDF enabled prevent attacks exploiting CVE-201-1889 via the rule 1005061- Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889).

For added protection, users must update their systems with the latest security patch made available by software vendors such as Microsoft. To know more about the related vulnerability, users may refer Microsoft’s security bulletin. Microsoft also released a fix tool as a workaround solution for this vulnerability. Users must observe best computing practices, such as avoiding visiting unknown websites and opening email messages from dubious sources.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.