CVE-2014-0322: Microsoft Internet Explorer 0-day Vulnerability.

  • Post author:
  • Reading time:4 mins read

A use-after-free vulnerability is present in Microsoft Internet Explorer 10 ( CVE-2014-0322 ), which allows remote attackers to execute arbitrary code.

This vulnerability exploited in the wild as a Watering hole attack, in which the attacker injects a javascript or hidden iframe into a website, which will redirect to a malicious page. Therefore, a good vulnerability management tool can resolve these issues.

In this attack, users who visited the compromised site will encounter an iframe that redirects to the malicious page in the background. However, the below image shows the Wireshark captured traffic of the redirected URL. Vulnerability Management System can prevent these attacks.

Wireshark:

Wireshark Capture

The Redirected page embeds a Flash file, which in turn executes the malicious code.

Tope.swf

The loaded Tope.swf file will cause heap sprays with the below data repeatedly.

Heap Dump

The below image shows the heap before and after the Heap spray.

VMmap

The control then is transferred to the javascript from flash file, defined in the tope.as3(Action Script of the Flash file)

Js Control

Then the javascript will check for EMET.DLL (The Enhanced Mitigation Experience Toolkit) and Internet Explorer 10 from user agent. It will exit the process if the file is present or if it’s not Internet Explorer 10.

EMET.dll

IE Crash

Then the control is transferred back to the swf, which will download the payload as tope.jpg and extract two files to the temporary folder.

  • sqlrenew.txt
  • stream.exe (md5: c869c75ed1998294af3c676bdbd56851)

Tope.swf will load the contents of the sqlrenew.txt into memory and this helps in the execution of stream.exe

Sqlrenew.txt

That stream.exe is creating three more files,

  • stream.exe
    • MediaCenter.exe
      • regsvr32.exe
    • cmd.exe

Next, MediaCenter.exe and cmd.exe processes are getting created, as shown in the below picture.
stream.exe

And MediaCenter.exe looks like a legitimate file and is also digital sign and verified as MICRO DIGITAL INC.

Mediacenter.exe

This will finally contact a remote server, oa.ameteksen.com (198.2.209.211), and is in use to send sensitive information.

  • Thanga Prakash