Monday, March 4, 2024

Root Cause of Powerful Internet Explorer (IE) Zero-day Vulnerability that Allow Attackers to Perform Remote Hacking

New Internet Explorer Zero-day remote code execution vulnerability has been discovered that allows an attacker could execute arbitrary code and take the complete control of the infected system.

Once the attacker successfully exploits this zero-day vulnerability then they could take control of an affected system and if the victims logged in with administrative user rights then the attacker can view, change, or delete data also they create a new account with full rights.

Same vulnerability used by APT Cyber groups exploited Windows Computers during it was unpatched by Microsoft.

This Zero-day vulnerability affected all the Windows OS versions, Windows Server 2008, Windows Server 2012.

An exploit that discovered from Virus total to trigger this Zero-day Vulnerability ( CVE-2018-8174)it has been analyzed using sandbox system and it successfully exploits fully patched version of Microsoft Word.

This vulnerability specifically existing in the VBScript engine and the way it handles objects in memory.

Cyber Criminals abuse the method called URL moniker to load an IE exploit in Word to perform a further attack and this is the first public exploit using this Technique.

This is one of the powerful technique to create a various exploit in future by cyber criminals and researchers believes that this technique will be heavily abused by attackers in the future.

How Does this Zero-day Vulnerability Works

An initially malicious sample that discovered from Virustotal has been analyzed through sandbox and discovered that it bypasses the fully patched version of MS word has been exploited.

An exploit is distributed through malicious Microsoft Word document and once it opens by the victims then it downloads the exploit as the second stage of HTML page containing VBScript code.

Initial Payload deliverable obfuscated  Rich Text Format (RTF) document contains an exploit for Internet Explorer (IE) along with  nibble drop“ obfuscation technique with only one Object.

Deobfuscation of-the object data reveals an OLE object that contains a URL Moniker CLSID which helps to resemble an older vulnerability (CVE-2017-0199) by this Exploit.

Here Word will try to execute the file with the default file handler based on its attributes which allows an attacker to directly call ShellExecute and launch a payload.

After the further investigation, Kaspersky researchers conclude that the vulnerability is actually in VBScript, not in Microsoft Word and also said, This is the first time we’ve seen a URL Moniker used to load an IE exploit.
 This technique allows one to load and render a web page using the IE engine, even if default browser on a victim’s machine is set to something different.

HTML page contains obfuscated both function names and integer values where the VB Script has been downloaded.

                                                            Obfuscated IE exploit

Later Exploit has been deobfuscated and researchers had a look on first function called (‘TriggerVuln’) in the deobfuscated version.

Following Proof-of-concept code will helps to trigger this vulnerability in IE browser.

                                                   CVE-2018-8174 Proof Of Concept

Finally, Researchers conclude the Root cause of this vulnerability is Inside the VBScriptClass:: Release function, the reference count is checked only once, at the beginning of the function.

   A root cause of CVE-2018-8174 – ‘refCount’ being checked only once, before TerminateClass function

This exploit immediately shared the relevant information with Microsoft and they confirmed and fixed CVE-2018-8174.

Website

Latest articles

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...

CWE Version 4.14 Released: What’s New!

The Common Weakness Enumeration (CWE) project, a cornerstone in the cybersecurity landscape, has unveiled...

RisePro Stealer Attacks Windows Users Steals Sensitive Data

A new wave of cyber threats has emerged as the RisePro information stealer targets...

Golden Corral Restaurant Chain Hacked: 180,000+ Users’ Data Stolen

The Golden Corral Corporation, a popular American restaurant chain, has suffered a significant data...

CISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

Threat actors target and abuse VPN flaws because VPNs are often used to secure...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles