Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: MSXML 4.0 exploit in the wild - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
MSXML 4.0 exploit in the wild
We've received a report of the MSXML 0-day exploit being used in the wild. This is the exploit Johannes wrote a couple of days ago (http://isc.sans.org/diary.php?storyid=1825).

The exploit does not seem to be in wide use just yet, but that can, of course (and we expect it to), change very quickly.

For the exploit to work it *needs* Microsoft XML Core Services to be installed. Microsoft XML Core Services are not installed by default on Windows XP, but there seems to be a lot of packages using it, Visual Studio appears to be one common one. You can check in the Add or Remove Programs applet if you have it installed.

The exploit works in both IE6 and IE7, which makes sense since it's exploiting a vulnerability in an ActiveX object, not in the browser itself.

When executed the exploit creates an MSXML 4.0 ActiveX object (88d969c5-f192-11d4-a65f-0040963251e5). It then uses multiple setRequestHeader() method calls to execute shellcode which is included with the exploit.

Once executed the shellcode (of course) first downloads the first stage downloader. At the moment it's a file called tester.dat:

16ac9982d177a47a20c4717183493e95  tester.dat

This downloader then downloads subsequent files (yet to be analysed).

It looks like some AV vendors are beggining to detect the exploit. At this moment it is being detected by McAfee as Exploit-XMLCoreSrvcs and Symantec as Bloodhound.Exploit.96. Microsoft also detects it as Exploit:HTML/Xmlreq.A.

The best protection, is to prevent the XMLHTTP 4.0 ActiveX Control from running in Internet Explorer, as stated in Microsoft's advisory: http://www.microsoft.com/technet/security/advisory/927892.mspx.


I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Riyadh April 2019

Bojan

376 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!