Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release

A security researcher recently published source code
for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit
(EK) quickly adopted it.

CVE-2016-0189 was originally exploited as a zero-day vulnerability
in targeted
attacks in Asia
. The vulnerability resides within scripting
engines in Microsoft’s Internet Explorer (IE) browser, and is
exploited to achieve Remote Code Execution (RCE). According to the
researcher’s repository, the open source exploit affects IE on at
least Windows 10. It is possible that attackers could use or repurpose
the attack for earlier versions of Windows.

Microsoft patched CVE-2016-0189
in May on Patch Tuesday
. Applying this patch will protect a
system from this exploit.

Attack Details

The popular Neutrino EK was quick to adopt this exploit. Neutrino
works by embedding multiple exploits into one Shockwave Flash (SWF)
file. Once run, the SWF profiles the victim’s system – shown in Figure
1 – to determine which of its embedded exploits to use.

Figure 1. Neutrino EK SWF profiles a victim

Next, it decrypts and runs the applicable exploit, as shown in
Figure 2. This is different from most other EKs, in which an earlier
HTML/JavaScript stage profiles the browser and selectively downloads
exploits from the server.

Figure 2. Decrypt and embed the selected exploit
into an iframe

In this example, Neutrino embedded exploits for five vulnerabilities
that have been patched since May or earlier: three for Adobe Flash
Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for
Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the
newest addition to Neutrino’s arsenal.


This CVE-2016-0189 vulnerability stems from a failure to put a lock
on an array before working on it. This omission can lead to an issue
when the array is changed while another function is in the middle of
working on it. Memory corruption can occur if the “valueOf “ property
of the array is set to a script function that changes the array size,
as shown in Figure 3.

Figure 3. Neutrino setting triggering conditions

After Microsoft released the patch, a security researcher compared
the original and patched programs to identify the root cause of the
vulnerability and create a fully functioning exploit. The exploit
embedded within Neutrino is identical to this researcher’s exploit,
except for the code that runs after initial control.

*** This is a Security Bloggers Network syndicated blog from Threat Research Blog authored by Threat Research Blog. Read the original post at: http://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html