MSXML 4.0 exploit in the wild

Published: 2006-11-09
Last Updated: 2006-11-09 14:20:45 UTC
by Bojan Zdrnja (Version: 2)
0 comment(s)
We've received a report of the MSXML 0-day exploit being used in the wild. This is the exploit Johannes wrote a couple of days ago (http://isc.sans.org/diary.php?storyid=1825).

The exploit does not seem to be in wide use just yet, but that can, of course (and we expect it to), change very quickly.

For the exploit to work it *needs* Microsoft XML Core Services to be installed. Microsoft XML Core Services are not installed by default on Windows XP, but there seems to be a lot of packages using it, Visual Studio appears to be one common one. You can check in the Add or Remove Programs applet if you have it installed.

The exploit works in both IE6 and IE7, which makes sense since it's exploiting a vulnerability in an ActiveX object, not in the browser itself.

When executed the exploit creates an MSXML 4.0 ActiveX object (88d969c5-f192-11d4-a65f-0040963251e5). It then uses multiple setRequestHeader() method calls to execute shellcode which is included with the exploit.

Once executed the shellcode (of course) first downloads the first stage downloader. At the moment it's a file called tester.dat:

16ac9982d177a47a20c4717183493e95  tester.dat

This downloader then downloads subsequent files (yet to be analysed).

It looks like some AV vendors are beggining to detect the exploit. At this moment it is being detected by McAfee as Exploit-XMLCoreSrvcs and Symantec as Bloodhound.Exploit.96. Microsoft also detects it as Exploit:HTML/Xmlreq.A.

The best protection, is to prevent the XMLHTTP 4.0 ActiveX Control from running in Internet Explorer, as stated in Microsoft's advisory: http://www.microsoft.com/technet/security/advisory/927892.mspx.

Update:  Snort Rule: 8727 and 8728


Keywords:
0 comment(s)

Comments


Diary Archives