
Attack: Microsoft Windows LSASS Memory Corruption DOS

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to exploit a remote code execution vulnerability by passing special arguments into a method of the Alipay Password Input ActiveX control.

Additional Information

Alipay ActiveX Control is a web browser add-on application designed to work with the Alipay online payment service. Alipay is a division of Alibaba.com.

The vulnerability affects the password input control with a CLSID of {66F50F46-70A0-4A05-BD5E-FBCC0F9641EC} from the 'pta.dll' library. The issue occurs when input is passed to the 'idx' parameter of the library's 'remove()' function. The user-supplied input is used as a function pointer after being multiplied by (2**4) and added to 16. An attacker can leverage this issue to execute code at an address equal to [[(idx << 4)+8]+8].

To exploit this issue, attackers must entice victims into opening malicious HTML content that instantiates the affected control.

Exploiting this issue allows remote attackers to execute arbitrary machine code in the context of applications using the affected ActiveX control and possibly to compromise affected computers.
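Because exploitation requires HTML that instantiates the control, stored pages (proxy captures, mail attachments, web roots) can be checked for that instantiation. The following is an added example, not Symantec's signature logic: it flags `<object>` elements bound to the CLSID above and reports which named instances have `remove()` called on them in inline script. The function and class names and both sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CLSID of the affected password input control, as given in the text above.
AFFECTED_CLSID = "66F50F46-70A0-4A05-BD5E-FBCC0F9641EC"
_CLSID_RE = re.compile(r"^\s*clsid:\s*\{?" + re.escape(AFFECTED_CLSID) + r"\}?\s*$", re.I)

class _ControlFinder(HTMLParser):
    """Collects <object> elements bound to the affected CLSID, plus inline script text."""
    def __init__(self):
        super().__init__()
        self.object_ids = []      # id/name of each matching <object>, None if unnamed
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object" and _CLSID_RE.match(a.get("classid", "")):
            self.object_ids.append(a.get("id") or a.get("name") or None)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def scan_html(html):
    """Report whether the control is instantiated and on which instances remove() is called."""
    finder = _ControlFinder()
    finder.feed(html)
    finder.close()
    script = "\n".join(finder.scripts)
    calls = [oid for oid in finder.object_ids
             if oid and re.search(r"\b" + re.escape(oid) + r"\s*\.\s*remove\s*\(", script)]
    return {"instantiated": bool(finder.object_ids), "remove_called_on": calls}

# Constructed sample pages (not captured traffic).
SAMPLE_FLAGGED = """<html><body>
<OBJECT id="pwd" classid="CLSID:{66f50f46-70a0-4a05-bd5e-fbcc0f9641ec}"></OBJECT>
<script>var idx = 1; pwd.remove(idx);</script></body></html>"""
SAMPLE_CLEAN = """<html><body><ul id="pwd"></ul>
<script>document.getElementById('pwd').remove();</script></body></html>"""
```

This only inspects static markup and inline script; controls created dynamically or referenced from external script files are not seen, so a clean result is not proof of absence.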

Affected

  • Alipay Alipay