A recently debuted exploit kit (EK), called "Cool EK," and detected by us with the name Exploit:JS/Coolex, has been known to include various exploits targeting Oracle JRE, Adobe Reader, Adobe Flash Player to Windows kernel-mode drivers. If you’re unlucky enough to visit a webpage that hosts Cool EK, you might encounter all these exploits in the one place, turned against you in a barrage designed to compromise your computer.

Recently there was an update to the kit’s armaments to include new exploits that are using vulnerabilities identified as CVE-2012-0755, CVE-2013-0634, and CVE-2012-1876. Each of these exploits targets a different application: Adobe Reader, Adobe Flash, and Internet Explorer respectively.

What was really interesting about this update was found in the exploit for CVE-2012-1876. This is a heap overflow vulnerability which occurs while manipulating HTML table contents, leading to possible remote code execution (RCE) to compromise visitors' unpatched computers. This vulnerability was reported by an external researcher group during last year’s Pwn2Own competition held by HP TippingPoint ZDI. It was addressed by MS12-037. For a while it seemed exploit kit writers were not too interested in this vulnerability, until the Cool EK writers included this exploit in their January update. Cool EK is currently the only kit to include this vulnerability exploit in its arsenal.

CVE-2012-1876 in Cool EK is interesting because it uses a return-oriented programming (ROP) technique that is able to leverage multiple versions of a DLL, which increases the potential pool of victims. The technique identifies the version of DLL the process is running on, then heap-sprays the attack payload that is specific to that version. The exploit includes not only one but 18 different attack payloads, giving attackers the ability to leverage 18 different versions of mshtml.dll. In the past, there was only one payload per exploit targeting one specific version of the module, usually XP system files or several other 3rd-party files that are without address space layout randomization (ASLR) protection enabled. With this enhancement in exploit stability, the exploit is capable of exploiting a larger population of victims, including those using Windows Vista and Windows 7.

So this targeting broader range of victims is possible due to the characteristic of this heap overflow vulnerability. The exploit uses this vulnerability to leak specific information to identify such DLL version information. While there were similar cases of spraying different payloads per version on Reader exploits, those exploits use script-level API calls to know such information. This exploit is leaking memory to achieve the same purpose but by different and harder means.

Image of the ROP table

Exploitation for this IE vulnerability involves leaking process memory to bypass ASLR protection. With this leaked memory information, the attacker can figure out the base address of a loaded module, defeating the purpose of ASLR protection. Then it leaks another piece of information to calculate how far this value is located from the base address, which could well imply the version of the module running. Knowing the version, the exploit then generates an ROP chain with an adjusted base address, using a gadget set from only that specific version of the module. There are three parts to the attack payload that the exploit sprays, ROP chain, egg-hunter bypass, and shellcode:

  1. The ROP chain calls into VirtualProtect to allow execution on the sprayed memory.
  2. The egg-hunter bypass looks for a specific gadget from ntdll. This is used to bypass the export address table access filtering (EAF) feature of Enhanced Mitigation Experience Toolkit (EMET).
  3. The shellcode tries to download from this URL hxxp://<13 hex letters>.<removed>challenge.com/<removed>/new.png and drops it as C:\users\Administrator\AppData\Local\Temp\wpbtK.dll or C:\users\Administrator\AppData\Local\Temp\wpbt1.dll. The DLL file is registered as a service on the system via regsvr32.

Although there is currently a low prevalence for this update in Cool EK, it is expected that it will propagate soon. It is often stealthed and not visible to web surfers, so caution is required when visiting unfamiliar websites. And more importantly – update your software. Do it regularly and do it often. See MS12-037 for more details.

Justin Kim
MMPC