October 31, 2014

Zero day vulnerability in Microsoft XML Core Services turned into Metasploit module

(LiveHacking.Com) – Details on how to exploit a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 have been posted to the Internet and subsequently converted into a Metasploit module. Last week Microsoft issued a security advisory about a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 that can allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

The vulnerability, which also affects Office 2003 and Office 2007, exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user. Microsoft does not yet have a patch for this problem, but there is a FixIt workaround that basically disables the vulnerable component in IE. The vulnerability was discovered by Google, which said it saw the flaw being exploited in the wild in targeted attacks.

Windows XP systems can be exploited reliably without any third-party component; Windows 7 and Windows Vista PCs, however, need to be running an old Java virtual machine that shipped with a non-ASLR build of msvcr71.dll. Systems without Java, or with a different version of msvcr71.dll, can’t be exploited, but IE will still crash.
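The exploit's reliance on a non-ASLR msvcr71.dll is worth turning into a defensive check: any DLL linked without /DYNAMICBASE (or /NXCOMPAT) weakens ASLR (or DEP) for every process that loads it, which is exactly what a ROP chain needs. The Python below is an added example, not code from the article or from Metasploit; it reads the DllCharacteristics field of a PE optional header to flag such modules, and build_sample_pe is a constructed minimal header used only so the script runs offline (the flag values and offsets come from the public PE format, the directory walk is an assumed usage).

```python
import os
import struct
# IMAGE_DLLCHARACTERISTICS bits in the PE optional header (winnt.h values).
DYNAMIC_BASE = 0x0040  # linked with /DYNAMICBASE: image opts in to ASLR
NX_COMPAT = 0x0100     # linked with /NXCOMPAT: image opts in to DEP

def pe_mitigations(data: bytes) -> dict:
    """Return the ASLR/DEP opt-in flags of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                        # skip signature and 20-byte COFF header
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported or truncated optional header")
    # DllCharacteristics is at offset 70 for both PE32 (0x10B) and PE32+ (0x20B).
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {"aslr": bool(dll_chars & DYNAMIC_BASE), "dep": bool(dll_chars & NX_COMPAT)}

def find_unprotected_dlls(root: str) -> list:
    """Walk a directory tree and list DLLs that lack the ASLR or DEP opt-in bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    info = pe_mitigations(fh.read())
            except (OSError, ValueError, struct.error):
                continue                               # unreadable or not a PE file
            if not (info["aslr"] and info["dep"]):
                hits.append((path, info["aslr"], info["dep"]))
    return hits

def build_sample_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 DLL header (no sections), used only for offline testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)  # i386, DLL, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Running find_unprotected_dlls over a Java installation directory would surface a legacy msvcr71.dll as a (path, False, False) entry; such modules are what the FixIt-style mitigation cannot protect against and should be updated or removed.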

McAfee says it found out about the vulnerability nearly three weeks ago. “The exploit works across all major Windows platforms, including Windows Vista and Windows 7. It leverages return-oriented programming (ROP) exploitation technology to bypass data execution prevention (DEP) and address space layout randomization (ASLR) protections, and hook-hopping evasion techniques to evade host-based IPS detections,” wrote Yichong Lin. “On Windows XP, the vulnerability can be reliably exploited without any third-party component. We found the exploit tried to download and execute a binary from a remote server. The server was hosted by Yahoo and was taken down the same day we reported this to Microsoft.”

There is also a demonstration of how to exploit the vulnerability using Metasploit on YouTube: MS12-037 Internet Explorer Same ID CVE-2012-1875 Vulnerability Metasploit Demo
