Exploit:Win32/CVE-2012-4969

Exploit:Win32/CVE-2012-4969 is a family of malicious HTML and Adobe Flash files that exploit a vulnerability in Internet Explorer, CVE-2012-4969, in order to download and install files of an attacker’s choice onto your computer.

Internet Explorer 6, 7, 8, 9 without MS12-063 security update are vulnerable to this malware family.

Make sure that you install all available updates from the vendor in order to avoid this exploit. You can read more about this vulnerability and download software updates from these link:

MS12-063

Note: This detection may be triggered when you visit a website that contains the malicious code. Even if you are not using a vulnerable version of the Internet Explorer, this detection may be reported when you visit a website that contains the malicious code. This does not mean that you have been compromised, rather that an attempt to compromise your computer has been made.

Threat in context

In the wild we mostly observed exploits targeting Internet Explorer 7 and 8. Depending on the exploitation method, sometimes Adobe Flash Player files in SWF format are involved in the attack. But the vulnerability itself doesn’t involve any vulnerability in the Adobe Flash Player itself. Rather, the SWF file is used to perform a heap-spraying attack to achieve reliable exploitation of use-after-free type vulnerability.

The first malware abusing this vulnerability was discovered as a 0-day in the wild. After the full details of the vulnerability were disclosed through the malware community, the adaptation of this vulnerability was quite fast and we saw an increase of detections for this family within the first few days.

What is an exploit?

Exploits are written to take advantage of weaknesses (or "vulnerabilities") in legitimate software. A project called "Common Vulnerability Enumeration" (or "CVE"), used by many vendors and organizations, gives each vulnerability a unique number, in this case "CVE-2012-4969". The portion "2012" refers to the year the vulnerability was discovered, and "4969" is a unique ID for this specific vulnerability. The official source that gives out CVE identifiers lists this at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4969.

Payload

Downloads and installs arbitrary files

If you visit a website containing the malicious code while using a vulnerable version of Internet Explorer, Exploit:Win32/CVE-2012-4969 is loaded. It then attempts to download and execute files from a remote host/URL. The files that are downloaded and executed could be any of the attacker's choice and could include additional malware.

Additional technical details

The vulnerability used for this malware family is CVE-2012-4969. The vulnerability is inside Internet Explorer handling execCommand method from the document object. It works when the handler of this method allows a portion of the process memory to be freed without being properly checked. This makes a use-after-free condition when the freed memory is later used within the code.

The following description is based on the first malware that abused this vulnerability as a 0-day. The vulnerability has since been patched and the security update is available here. The majority of this description is also generally applicable to most of the malware variants in this family.

The main malicious HTML file creates some document-related objects on the memory using the createElement method from the document object. The memory area created here will be later freed by triggering the vulnerability.

Figure 1 The code to create elements that will be freed later

The sample used a SWF file to perform a heap-spray attack to abuse the use-after-free condition caused by the vulnerability, and to load a core exploit HTML file as seen in Figure 2. But, we also observed plain JavaScript being used to perform the same functionality in other samples.

Figure 2 HTML code to load SWF file

Usually, the malicious SWF file is obfuscated and is loaded using the flash.display.loadBytes API from the obfuscated SWF file. If you decode the obfuscated SWF file, you will observe similar code to that in Figure 3. The code is performing a heap-spray attack to lay out memory space that can be used as a trampoline to the shellcode execution.

Figure 3 ActionScript code for Heap spraying attack

Figure 4 shows the ActionScript code that loads the main exploit module using the flash.external.ExternalInterface API. The code itself is not malicious, rather just loads the next layer of the HTML file. 

Figure 4 ActionScript code to load exploit HTML

The main exploit code loaded by the SWF file has similar HTML code to the following figure. The HTML tag specifying event handlers "onload" and "onselect" events is used.

Figure 5 Part of the malware

The exploitation of the vulnerability will happen inside this "onload" and "onselect" handlers. The "onload" event handler will be triggered when the document is loaded.

The "onload" event handler will trigger an "onselect" event to be triggered using the document.execCommand method with a "selectAll" argument.

The "onselect" event handler contains the main exploit code inside it. The code there will free the memory allocated for the document object by reloading new content in it. After that, it will try to run code that will be using freed memory. The memory sanity-check is not correctly performed here and will lead to use-after-free condition. This condition is combined with the heap-spray attack mentioned above, and will make the code execution happen.

Related information / Related references

The articles referenced below outline some of the technical details of the weakness this vulnerability exploits:

• What you need to know about CVE-2012-4969
• Microsoft Security Advisory (2757760)
• Microsoft Security Bulletin MS12-063 - Critical Cumulative Security Update for Internet Explorer (2744842)

Analysis by Jeong Wook (Matt) Oh