Zero Day Exploit - Internet Explorer 6.0 VML Buffer Overflow

According to W3C, VML is an application of Extensible Markup Language (XML) which defines a format for the encoding of vector information together with additional markup to describe how that information may be displayed and edited.

The Vector Markup Language (VML) supports the markup of vector graphic information in the same way that HTML supports the markup of textual information. Within VML the content is composed of paths described using connected lines and curves. The markup gives semantic and presentation information for the paths.

A previously undocumented flaw in Microsoft's Internet Explorer Web browser is reportedly being exploited by online criminals to install an entire kitchen sink of malicious software on any computer that visits any of a handful of sites currently exploiting the vulnerability.

..snip..

This new exploit, combined with two other publicly available exploits for a separate, unpatched IE flaw, should give pause to anyone using the Microsoft browser. My advice: If you or someone you care about is in the habit of cruising the Web with IE, now would be a very good time to get acquainted with another browser that doesn't use IE's rendering engine, such as Firefox or Opera.

Source :: Newly Detected IE Exploit Spells Massive Spyware Trouble (Washington Post)

Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML) Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. Microsoft is aware that this vulnerability is being actively exploited.

From Microsoft Security Advisory (925568) - Vector Markup Language Could Allow Remote Code Execution

The exploit code for VML vulnerability has been released on Milworm

Currently just a DoS. EAX is controllable and currently it crashes when trying to move EBX into the location pointed to by EAX -- Shirkdog

<html xmlns:v="urn:schemas-microsoft-com:vml">

<head>
<object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
</object>
<style>
v\:* { behavior: url(#VMLRender); }
</style>
</head>

<body>

<v:rect style='width:120pt;height:80pt' fillcolor="red">
<v:fill method="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAABCD01" angle="-45"
focus="100%" focusposition=".5,.5" focussize="0,0"
type="gradientRadial" />
</v:rect>

</body>
</html>

CVE-2006-4868 - Stack-based buffer overflow in Microsoft Internet Explorer 6.0 on Windows XP SP2 and possibly other versions allows remote attackers to execute arbitrary code via a long fill parameter within a rect tag in a Vector Markup Language (VML) file.

MCafee Exploit - VMLFill - McAfee Avert Labs has confirmed that VirusScan's generic Buffer Overflow Protection protects against this exploit by default. Here is the link to their latest engine and DAT file.

Trend Micro - EXPL_EXECOD.A - As of this writing, there exists a proof-of-concept (POC) malware under this detection. It runs on Windows 98, ME, NT, 2000, XP, and Server 2003.

Symantec - Trojan.Vimalov - Trojan.Vimalov is a Trojan horse that downloads and executes a file from the Internet by exploiting the Microsoft Internet Explorer Vector Markup Language Buffer Overflow Vulnerability.

Bugtraq 20096 - Microsoft Internet Explorer Vector Markup Language Buffer Overflow Vulnerability

Spyware Kits like Web Attacker available for £10 or $17 - WebAttacker was updated to include exploiting a new Vector Markup Language Buffer Overflow vulnerability.

There was a post earlier on secguru that Botnet Blackhat's Earn about $430 a day. I think that this VML exploit writer is definitely going for maximum installs ( aka maximum bucks ). He seems to be installing every damn `pay per install` software and pwn'ing the victim.

From : Sunbelt blog

Just for fun, Sunbelt researcher Adam Thomas (who discovered the VML exploit yesterday) has cataloged what is installed with one installation he observed. Epic quantities of junk:

Virtumonde
Trojan-PSW.Win32.Sinowal.aq
BookedSpace Browser Plug-in
AvenueMedia.InternetOptimizer
Claria.GAIN.CommonElements
.. snip ...

A total of 48 softwares :p

IE7 is not vulnerable

The unpatched vulnerability in Microsoft's Internet Explorer that created a stir Tuesday may be exploited by 10,000 or more malicious Web sites if all their owners update to the newest version of the WebAttacker exploit kit, a security researcher said Wednesday.

WebAttacker is a modular hacker toolkit that uses a simple Web interface to let attackers choose from numerous exploits -- the VML exploit only the most recent -- to "serve" any visitor of a malicious site. The kit even identifies the operating system, say Windows XP SP2; browser used; and presence of anti-virus software, then chooses the best exploit to run, Symantec said in an entry on its security team's blog Wednesday.

"There are close to 10,000 sites either hosting WebAttacker or pointing to sites that do," Hubbard estimated. Although only about 20 sites are currently serving up the exploit, if more WebAttacker users decide to download the newest version, Hubbard expects that the numbers of malicious sites will quickly climb.

Source : TechWeb.Com

There's an unsupported third party patch for the VML vulnerability available at ZERT (isotf.org).

We haven't tested it, so we can't recommend it. But it's good to know something is available if this VML thingy really gets out of hand (which it hasn't yet).

Source : F-secure Lab News

A new spam email purporting to be from the Commonwealth Bank of Australia directs unsuspecting users to sites that use the recently discovered unpatched Internet Explorer VML processing vulnerability to attempt to install malware. At the moment this appears to be wide-spread with well over 1000 emails reported in a single organisation.

Source : AusCert

Now that we are seeing VML exploits proliferate the Internet, we thought it would be fun to grab a video capture of what happens when a workstation visits an infected site. We did a similar video when the WMF zero-day was released and our workstation was instantly flooded with Spyware applications and pop-ups galore. It was an impressive sight and obvious that you had just visited an infected site.

Source :: Websense - VML Candid Camera

Hackers have hijacked a large number of sites at web hosting firm HostGator and are seeking to plant trojans on computers of unwitting visitors to customer sites. HostGator customers report that attackers are redirecting their sites to outside web pages that use the unpatched VML exploit in Internet Explorer to install trojans on computers of users. Site owners said iframe code inserted into their web pages was redirecting users to the malware-laden pages.

-- Source :: NetCraft - Hacked HostGator Sites Distribute IE Exploit

We are seeing samples of the VML exploit that are coded to include browser / OS detection, and are able to trigger working exploits for Win 2000, 2003 and XP. Some reports indicate that client-side anti-virus is not sufficient to protect, some AV apparently only catches the VML exploit code once Internet Explorer writes the temp file to disk, which can be too late. The exploits versions seen so far usually pull and run an EXE file, but adding patterns for new EXE payloads is an arms race the AV vendors can't win.

Source : Sans - Hackers Diary

We are starting to see mass mailing lures for websites that are hosting VML exploit code. Most of the sites are using updated Web-Attacker code. A recent example that came to us from Message Labs appears to lure users to the site by claiming they have received a Yahoo! Greeting Card. The site downloads and installs an Internet Explorer Browser Helper Object that directs all HTTP posts from forms to a third party, and then collects information on end-users.

Source : WebSense Zero-Day Update - Email Lures to VML Exploits

MS06-055 - Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)

For those fortunate enough to still be responsible for 98 boxes, I have confirmed the vgx.dll for patched 2000 boxes will also patch 98 boxes. XP's version will not work for 98.

98/2k vgx.dll details:

Vulnerable:
v 6.0.2800.1411
size: 2,283,008 bytes
Modified: 3-10-04 7:09pm

Not Vulnerable (from a patched 2k box):
v 6.0.2800.1580
size: 2,286,080 bytes
Modified: 9-18-06 2:23pm

To patch a 98 box, simply copy the vgx.dll from a patched 2k box and replace the existing vgx.dll on the 98 computer. Do not use one from XP.

ZERT offers a test in the middle of this page:
http://isotf.org/zert/download.htm

Royce