Operation Clandestine Fox: Zero-Day Affecting IE 6 Through 11 Used in Targeted Attacks

FireEye researchers have been analyzing the attacks

By Eduard Kovacs on April 28th, 2014 08:28 GMT

FireEye researchers have revealed the existence of an Internet Explorer zero-day vulnerability that’s being exploited by cybercriminals in targeted attacks. Microsoft has confirmed the security hole and the company has provided recommendations on how to mitigate attacks until a permanent fix is made available.

According to FireEye, the zero-day impacts Internet Explorer versions 6 through 11. However, the cyberattacks they’ve observed target only IE 9 through IE 11.

The attacks are part of a campaign dubbed “Operation Clandestine Fox.” The advanced persistent threat (APT) group that’s behind the attacks has been seen before. Experts highlight the fact that the group has had access to a number of Internet Explorer, Firefox and Flash zero-day exploits in the past.

“They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure,” FireEye experts noted.

As far as the exploit is concerned, it leverages a new use-after-free vulnerability and it relies on a previously known Flash exploitation technique in order to grant the attacker arbitrary memory access.

By using this exploit, the attacker can bypass both address space layout randomization (ASLR) and data execution prevention (DEP) protections.

The exploitation consists of four phases: preparing the heap, arbitrary memory access, runtime ROP generation, and ROP and shellcode.

In the first phase, the victim is lured to an exploit page that’s set up to load a Flash SWF file that’s designed to manipulate the heap layout via a technique called “heap feng shui.”

“It allocates Flash vector objects to spray memory and cover address 0×18184000. Next, it allocates a vector object that contains a flash.Media.Sound() object, which it later corrupts to pivot control to its ROP chain,” experts explained.

Then, in the second phase, “The SWF file calls back to Javascript in IE to trigger the IE bug and overwrite the length field of a Flash vector object in the heapspray. The SWF file loops through the heapspray to find the corrupted vector object, and uses it to again modify the length of another vector object.”

The corrupted vector object is leveraged to ultimately bypass ASLR and DEP protections.

“With full memory control, the exploit will search for ZwProtectVirtualMemory, and a stack pivot (opcode 0×94 0xc3) from NTDLL. It also searches for SetThreadContext in kernel32, which is used to clear the debug registers.” FireEye noted regarding the third phase of the attack.

“With the addresses of the aforementioned APIs and gadget, the SWF file constructs a ROP chain, and prepends it to its RC4 decrypted shellcode. It then replaces the vftable of a sound object with a fake one that points to the newly created ROP payload. When the sound object attempts to call into its vftable, it instead pivots control to the attacker’s ROP chain.”

In the final phase, the shellcode calls URLDownloadToCacheFileA to download the next stage of the payload, which is disguised as an image.

There are some security features that mitigate potential attacks, including the Enhanced Protected Mode (EPM) introduced with Internet Explorer 10, and Enhanced Mitigation Experience Toolkit (EMET). Furthermore, the attack doesn’t work if the Adobe Flash plugin is disabled.

Once Microsoft completes its analysis of the exploit, it will decide on whether it will release an out-of-band update, or if it will fix the issue with the next monthly security updates.
Internet Explorer zero-day vulnerability used in targeted attacks
   Internet Explorer zero-day vulnerability used in targeted attacks