DeepSight HoneyNet Detects Obfuscated Attacks for MS07-033 and Xunlei WebThunder 

Jun 21, 2007 03:00 AM

Recently, a DeepSight honeypot was compromised by a rogue Web site that served a variety of malicious scripts to visitors. Of the dozens of Web sites we investigate every day, what makes this case special is that it is the first detected instance of in-the-wild exploitation of the Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability (BID 24426). The exploit appears to be a derivative of the publicly available exploit released at milw0rm.com.

The vulnerability lies in the way two COM objects in Speech API 4, the DirectSpeechSynthesis Module (XVoice.dll, CLSID EEE78591-FE22-11D0-8BEF-0060081841DE) and the DirectSpeechRecognition Module (XListen.dll, CLSID 4E3D9D1F-0C63-11D1-8BFB-0060081841DE), handle certain user input. An attacker can instantiate these COM objects from a Web page in Internet Explorer and pass overly long arguments to certain of their methods. In this case, the exploit passes a maliciously crafted ModeName argument to the DirectSS.FindEngine method. The overflowed buffer is populated with attacker-supplied shellcode that overwrites the Structured Exception Handler, resulting in the execution of arbitrary code. Norton AntiVirus detects this exploit as Bloodhound.Exploit.150.

 

Upon further investigation, we found that the same Web site was also serving an exploit for an unpatched vulnerability in Xunlei (Thunderbolt in English), a very popular Chinese peer-to-peer file-sharing application. Xunlei has an estimated user base of around 80 million, which makes it a very lucrative target. The vulnerability lies in Xunlei WebThunder, a Web-based alternative to the desktop application that is driven from browsers such as Microsoft Internet Explorer. The COM control 'ThunderServer.webThunder.1' (CLSID 03507A1A-E0C5-4404-AA26-205385C0892D) fails to properly validate user-supplied input; the attackers abused a particular sequence of methods exposed by this control in order to download arbitrary files onto the user's system. Norton AntiVirus detects this exploit as Downloader. Both client-side exploits deliver the same malicious payload, which is detected as W32.Looked.BK.

 

Another interesting aspect of this attack is the clever JavaScript obfuscation used to hide it. What appears at first glance to be a garbled Web page turns out to be an exploit wrapped in up to six levels of obfuscation, primarily to evade security products that parse scripts on the fly. The exploit is obfuscated as follows:

1. In the original exploit, all variable names are randomized and string values are replaced with their hexadecimal escape equivalents.
2. The result is then encoded by a wrapper function that performs mathematical substitution operations on the code.
3. The wrapper function is further encoded using the JavaScript escape() function.
4. All new-line characters in the resulting code are then escaped.
5. Finally, it is packed with a routine that performs another set of substitution operations on the code.
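The five layers above, carried through as an added example that is not code from the original post or from the samples it describes: an inert stand-in script is wrapped in the same sequence of transforms (hex-escaped strings and renamed variables, an arithmetic substitution wrapper, escape(), escaped newlines, a substitution packer), then the layers are peeled by running each one with eval() and document.write() bound to a capture hook, and only then is the innermost script scanned for the CLSIDs and ProgID named in the two exploit paragraphs above. The concrete transforms, keys and variable names are assumptions chosen for the demonstration; the real sample's routines are not reproduced. It runs under Node.js (escape()/unescape() are legacy globals that Node still provides).

```javascript
// Added example (not from the original post): build a script wrapped in the
// five obfuscation layers the post lists, peel them with a hooked eval(), and
// only then look for the indicators the post names.

// Indicators taken from the post: CLSIDs of the two Speech API 4 controls and
// the CLSID/ProgID of the Xunlei WebThunder control.
const INDICATORS = [
  "EEE78591-FE22-11D0-8BEF-0060081841DE", // XVoice.dll   DirectSpeechSynthesis
  "4E3D9D1F-0C63-11D1-8BFB-0060081841DE", // XListen.dll  DirectSpeechRecognition
  "03507A1A-E0C5-4404-AA26-205385C0892D", // ThunderServer.webThunder.1 CLSID
  "ThunderServer.webThunder.1",
];

// Inert stand-in for the final-stage script (constructed; it only assigns strings).
const INNER = 'var progId = "ThunderServer.webThunder.1";\n' +
              'var clsid = "EEE78591-FE22-11D0-8BEF-0060081841DE";\n';

// Layer 1: rename variables and rewrite string literals as \xNN escapes.
function layerHexStrings(src, renames) {
  let out = src;
  for (const [from, to] of Object.entries(renames)) {
    out = out.replace(new RegExp("\\b" + from + "\\b", "g"), to);
  }
  return out.replace(/"([^"]*)"/g, (_, s) =>
    '"' + [...s].map((c) => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("") + '"');
}

// Layer 2: arithmetic substitution wrapper (char code + key), undone at run time.
function layerArithmetic(src, key) {
  const nums = [...src].map((c) => c.charCodeAt(0) + key).join(",");
  return "var a=[" + nums + "];var s='';for(var i=0;i<a.length;i++)" +
         "s+=String.fromCharCode(a[i]-" + key + ");eval(s);";
}

// Layer 3: escape() the wrapper and split it over several lines.
function layerEscape(src) {
  const chunks = escape(src).match(/.{1,60}/g);
  return "var e='" + chunks.join("'+\n'") + "';\neval(unescape(e));";
}

// Layer 4: turn the multi-line code into one string literal with escaped newlines.
function layerNewlines(src) {
  return "eval(" + JSON.stringify(src) + ");";
}

// Layer 5: printable-ASCII rotation packer carrying its own unpacking loop.
function rot(s, k) {
  return [...s].map((c) => {
    const n = c.charCodeAt(0);
    return n >= 32 && n <= 126 ? String.fromCharCode((n - 32 + k) % 95 + 32) : c;
  }).join("");
}
function layerSubstitution(src, k) {
  return "var p=" + JSON.stringify(rot(src, k)) + ";var o='';" +
         "for(var i=0;i<p.length;i++){var c=p.charCodeAt(i);" +
         "o+=String.fromCharCode(c>=32&&c<=126?(c-32+" + (95 - k) + ")%95+32:c);}eval(o);";
}

function buildSample() {
  const s1 = layerHexStrings(INNER, { progId: "_0x4f2a", clsid: "_0x9c1e" });
  return layerSubstitution(layerNewlines(layerEscape(layerArithmetic(s1, 11))), 47);
}

// Peel: run each layer with eval()/document.write() bound to a capture hook, so
// whatever the layer hands to eval is recorded instead of executed. The innermost
// script (the one that calls no eval) is executed once to discover that, so run
// real samples only inside a disposable VM.
function peel(blob, maxDepth = 16) {
  const layers = [blob];
  let current = blob;
  for (let depth = 0; depth < maxDepth; depth++) {
    let next = null;
    const hook = (s) => { next = String(s); };
    new Function("eval", "document", current)(hook, { write: hook, writeln: hook });
    if (next === null) break;
    layers.push(next);
    current = next;
  }
  return layers;
}

// Undo layer 1's string encoding so plain-text signatures can match.
function decodeHexStrings(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function scanIndicators(text) {
  return INDICATORS.filter((i) => text.includes(i));
}

function analyze(blob) {
  const layers = peel(blob);
  const innermost = layers[layers.length - 1];
  return {
    depth: layers.length - 1,                                   // eval hops peeled
    rawHits: scanIndicators(blob),                              // what a scanner sees on the page
    innermostHits: scanIndicators(innermost),                   // still hidden by \xNN escapes
    decodedHits: scanIndicators(decodeHexStrings(innermost)),   // visible only after decoding
  };
}

console.log(JSON.stringify(analyze(buildSample()), null, 2));
```

A signature for the ProgID or a CLSID fires on none of the layers as served, and not even on the innermost script until its \xNN escapes are decoded, which is why an inline parser that stops at the first layer sees only noise. The hook approach generalizes to any packer that ends in eval(), document.write() or similar, regardless of what arithmetic each layer uses.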

Client-side attacks have become the most prominent vector in the ever-evolving threat landscape. With their increased reach, ease, and effectiveness, such attacks have become the bread and butter of online criminals. Almost every other day we hear of another legitimate Web site being compromised to enable such attacks, with innocent users bearing the brunt of them. We anticipate that both the frequency and the complexity of such attacks will increase in the near future. To avoid falling victim to such an attack, users should patch their systems regularly, keep their antivirus definitions up to date, and browse only trusted Web sites.