As discussed in our previous blog entries, we found an exploit (Trend Micro detection HTML_EXPLOYT.AE) that targets a vulnerability found in Microsoft XML Core Services (CVE-2012-1889). Based on our analysis, HTML_EXPLOYT.AE contains three key features: its usage of Microsoft XML Core Services, heap spray, and No ROP (Return-Oriented-Programming) function. Our two initial blog entries already gave in-depth details on how HTML_EXPLOYT.AE uses Microsoft XML Core Services and how it executes heap spray method. This time, we focus on the No ROP function of HTML_EXPLOYT.AE, which leads to the downloading of a backdoor (detected as BKDR_POISON.HUQA).
HTML_EXPLOYT.AE Feature 3: No ROP(Return-Oriented-Programming) function
Let’s check how HTML_EXPLOYT.AE executes malicious code in the heap- sprayed area after successfully exploiting CVE-2012-1889.
When we checked the exploit code, we did not find any ROP (Return-Oriented-Programming) function. This means HTML_EXPLOYT.AE jumps directly to the malicious code in the heap-sprayed memory area.
The Data Execution Prevention (DEP) in Internet Explorer version 8, 9, 10 DEP is enabled, which prevents HTML_EXPLOYT.AE from jumping heap sprayed area. Let us now check the protection conditions of heap sprayed areas with Windbg extensions.
On IE 9 and 10 where DEP is enabled by default, HTML_EXPLOYT.AE fails to jump to the heap sprayed area. This is because there is no PAGE_EXECUTE flag, which executes access to the committed region of pages. DEP detects the attack scenario and mitigates the threat by terminating the application.
However, IE8 is a different story since its DEP status can be enabled or disabled. On a DEP disabled scenario, HTML_EXPLOYT.AE can proceed with its malicious task without problem. On the other hand, if DEP is enabled, the attack is prevented. It should be noted that in earlier versions of Internet Explorer (version 7, 6 etc.), DEP settings are disabled by default.
After exploiting CVE-2012-1889, HTML_EXPLOYT.AE then downloads the backdoor BKDR_POISON.HUQA and executes it in the infected system.
Once executed, BKDR_POISON.HUQA connects to specific malicious remote user via command-and-control (C&C) servers using TCP port 80. In effect, the malicious user can perform any malicious routines onto the infected system, which includes stealing system-related information.
Because Microsoft XML Core Services is installed on most PCs, this exploit poses a significant threat among users. Furthermore, its attack code was made public, which may empower potential attackers to use the code for their future schemes.
Trend Micro users are protected from this threat via Smart Protection Network™, which detects the malware HTML_EXPLOYT.AE and BKDR_POISON.HUQA via file reputation services. It also blocks access to the related C&C servers via web reputation services. More importantly, Trend Micro Deep Security and Officescan with IDF enabled prevent attacks exploiting CVE-201-1889 via the rule 1005061- Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889).
For added protection, users must update their systems with the latest security patch made available by software vendors such as Microsoft. To know more about the related vulnerability, users may refer Microsoft’s security bulletin. Microsoft also released a fix tool as a workaround solution for this vulnerability. Users must observe best computing practices, such as avoiding visiting unknown websites and opening email messages from dubious sources.
