“Gifts” From Hacking Team Continue, IE Zero-Day Added to Mix
The hits keep on coming from the Hacking Team. After three separate Adobe Flash zero-days, another vulnerability that could allow attackers to take over user systems has been found. Our latest discovery is in Internet Explorer, and has been acknowledged by Microsoft and patched as part of the regular Patch Tuesday cycle as MS15-065. It has been designated as CVE-2015-2425. While we did find proof-of-concept (POC) code, there are still no known attacks exploiting this vulnerability.
This zero-day vulnerability is a just-in-time (JIT) function use-after-free (UAF) vulnerability in jscript9.dll, specifically in the MutationObserver object. It occurs when MutationObserver tries to keep track of an element that has already been destroyed. Only Internet Explorer 11 is affected, as older versions of the browser do not support this feature.
The POC code we found confirms that an exploit can crash Internet Explorer 11 every time it is loaded. The crash point is at JMP EAX, where the value of EAX is an invalid heap address whose memory property is MEM_RESERVE, and this heap address was a JIT function address before it was freed. Internet Explorer 11 crashes as seen below; the EIP value is the same as EAX.
Figure 1. Internet Explorer crash
The function in jscript9.dll where the crash occurs is shown in the following picture:
Figure 2. Function where jscript9.dll crashes
Is it exploitable?
Microsoft has confirmed that this particular vulnerability is exploitable.
An ideal attack would use a heap spray to occupy the freed memory before it is used. However, because the freed memory is JIT memory and the freed memory is reserved by the heap for JIT generation, a normal heap spray is not possible. But a JIT spray can occupy this kind of memory, so JIT spray may be used to spray shellcode into the freed memory location. If the JMP EAX instruction jumps into the sprayed shellcode, this shellcode will be run within the context of the IE tab process.
Simply put, if an attacker successfully exploits the vulnerability, he can basically run any code on the system. The extent of the attacker’s advances, though, is dependent on the OS version. On Windows 7, the IE11 tab process has the same privilege as the IE11 frame process. The shellcode will be run with the same privileges as the logged in user. On Windows 8.1 and later, the privilege of IE11 tab process is low by default. A successful attack would require a separate privilege escalation vulnerability.
The Hacking Team data has been available to the public for just over a week, which means the POC is readily available to attackers as well. We suggest that users running a vulnerable version of Internet Explorer 11 update to a patched version immediately; a patch has been made available as part of this month's Patch Tuesday cycle.
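The following script is an added example, not part of the original post or of Microsoft's own tooling. It is a defender-side check that an Internet Explorer host is on IE11 (the only affected version) and that the MS15-065 update is installed, using the standard `Get-HotFix` cmdlet and the IE version keys in the registry. The KB number is an assumption left as a placeholder; take the real one for your OS from the MS15-065 bulletin.

```powershell
# Added example: check exposure to CVE-2015-2425 (MS15-065) on a Windows host.
# Assumption: $KbId must be replaced with the KB number listed in the MS15-065
# bulletin for this OS; it is a placeholder here, not a value from the post.
$KbId = 'KB<number-from-MS15-065-bulletin>'

# svcVersion carries the real IE10/IE11 version; the older Version value stays at 9.x.
$ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
Write-Output "Internet Explorer version: $ieVersion"

if ([version]$ieVersion -lt [version]'11.0') {
    # Older IE lacks MutationObserver, so the vulnerable code path is not present.
    Write-Output 'IE11 is not installed; CVE-2015-2425 affects only Internet Explorer 11.'
}
else {
    # Get-HotFix enumerates installed Windows updates (QFEs) by KB id.
    $fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    if ($fix) {
        Write-Output "MS15-065 update $KbId is installed (installed on $($fix.InstalledOn))."
    }
    else {
        Write-Output "MS15-065 update $KbId was NOT found; IE11 on this host is exposed to CVE-2015-2425 until patched."
    }
}
```

Run it in an elevated PowerShell session on each IE11 host, or wrap it in `Invoke-Command` for a fleet. A missing hotfix on an IE11 machine is the condition to alert on; hosts below IE11 can be deprioritized for this particular bug, although they remain unsupported for other reasons.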
While only POC code exists, the vulnerability is still exploitable. We are monitoring for possible threats or attacks that target this vulnerability. We will update this post if any attacks are found in the wild.