Technical Analysis of CVE-2012-1889 Exploit HTML_EXPLOYT.AE Part 1

Last month, Microsoft released a fix tool in order to address a vulnerability in Microsoft XML Core Services. The said vulnerability, according to the Microsoft Security Advisory, could allow remote code execution if a user views a specifically crafted webpage using Internet Explorer. It has been given the identifier CVE-2012-1889.

Since the vulnerability exists in Microsoft XML Core Services by way of IE, which is installed on most of PCs in the world, we assume that this attack code would give users the extremely big impact once it is exploited by malicious users. Another factor that would contribute to is impact is the fact that its attack code was made public.

In line with this, we’d like to share the results of our analysis of a malware which exploits CVE-2012-1889. Trend Micro products detect this particular malware as HTML_EXPLOYT.AE.

HTML_EXPLOYT.AE Overview

HTML_EXPLOYT.AE may arrive in a system through a variety of means, such as email or a malicious website. It attempts to exploit CVE-2012-1889 via Internet Explorer.

It should be noted that this specific exploit does not have a function to bypass DEP (Data Execution Prevention). If HTML_EXPLOYT.AE runs on an Internet Explorer with DEP enabled, it causes IE to crash.

However, considering that the attack code for this exploit has been released in the wild, it is possible that we will see a sample that can bypass DEP and ASLR.

HTML_EXPLOYT.AE has three main features, which we will discuss in a 3-part blog series. For part 1, we will discuss the usage of Microsoft XML Core Services.

HTML_EXPLOYT.AE Feature 1: Usage of Microsoft XML Core Services

HTML_EXPLOYT.AE uses object element by using Classid to exploit Microsoft XML Core Services.

Specifically, HTML_EXPLOYT.AE exploits CVE-2012-1889 by referring to uninitialized object.

In order to confirm the root cause of CVE-2012-1889 vulnerability, it is better to check how this code has been used in normally. So here we have the code to exploit CVE-2012-1889, with the heap spray codes deleted:

Now let’s check the vulnerable code above when executed normally:

The upper [eax] points to an object by a virtual function of “msxml3!Document::`vftable”” and[ ecx+18h] point to the “msxml3!Document::weakRelease” function. Its vftable is the following:

From this we can see that the exploit HTML_EXPLOYT.AE takes advantage of the Microsoft XML Core Service (mxml3.dll) vulnerability. Internet Explorer Microsoft XML Core Service (mxml3.dll) uses this module in order to process HTML/XML codes making this program and other applications that uses this module, vulnerable to this attack.

Based on this, we can conclude that it is possible for attackers to use other vectors in order to exploit the Microsoft XML Core Service vulnerability.

Trend Micro protects users from this threat via Smart Protection Network™, which detects and deletes HTML_EXPLOYT.AE. Furthermore, Deep Security prevents attacks exploiting CVE-201-1889 via IDF rule 1005061- Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889).

In the second installation of our 3-part series about this exploit, we will share our findings regarding the second feature of HTML_EXPLOYT.AE: Heap Spray.

Post from: TrendLabs | Malware Blog – by Trend Micro

Technical Analysis of CVE-2012-1889 Exploit HTML_EXPLOYT.AE Part 1