Zero-day XML Core Services vulnerability included in Blackhole exploit kit

A couple of weeks ago (12 June 2012) we published an advisory for a vulnerability in Microsoft XML Core Services, also known as CVE-2012-1889.

The vulnerability is a true zero-day, being exploited in the wild, with no patch yet available from Microsoft.

The main concern in such situations is the speed with which we see exploit kits updating to target new vulnerabilities.

This is hardly surprising: web drive-by download attacks are responsible for the majority of user infections nowadays, and it is exploit kits that are used to construct these attacks.

As soon as we see exploit kits targeting new vulnerabilities we can expect to see a lot more users getting infected – especially if the vulnerabilities are zero-days.

Unfortunately, as noted in the ISC Diary, only a few days after the initial advisory was posted, a Metasploit module was created and published.

Expectations were duly set for rapid uptake by the popular exploit kits.

Sure enough, within a week, exploit code for CVE-2012-1889 very similar to the Metasploit module was seen within the landing page of a Blackhole exploit kit site.

(Thanks and hat-tip to the eagle-eyed researcher who first spotted this – ChrisW, who works at a UK University.)

The code is bundled alongside the various other exploits that Blackhole currently targets. The landing page itself is obfuscated in the usual manner we expect for Blackhole, using the latest anti-emulation tricks in an attempt to thwart detection. (Sophos products detect and block this as Mal/ExpJS-N.)

When the code is deobfuscated, the usual functions used to target the vulnerabilities we associate with Blackhole are evident. However, within this particular page was a new function (spl7) that targeted CVE-2012-1889. The function used well-described heap-spray techniques to place the shellcode in memory, and then triggered the vulnerability so that execution passed to that shellcode.

The shellcode is pretty straightforward: it attempts to download the payload (a DLL) from a remote server and writes it to the temp folder.

So, let’s quickly review the timeline of these events:

  • 30 May 2012: Vulnerability reported to Microsoft
  • 12 June 2012: Microsoft publishes advisory
  • 12 June 2012: Sophos publishes advisory
  • 14 June 2012: Sophos publishes Exp/20121889-A
  • 16 June 2012: Metasploit module published
  • 18 June 2012: Sophos raises threat level to critical
  • 21 June 2012: Updated Blackhole exploit kit spotted
  • 27 June 2012: Sophos lowers threat level to high

Curiously enough, at the time of writing, I have not seen other Blackhole sites targeting the vulnerability.

To be honest, after seeing that first site, I was expecting a significant proportion, if not all, of the Blackhole sites to be using it within a few days.

We can only speculate as to why this new exploit isn’t widespread. Is the exploit code unreliable? Is it being reserved for specific, new (expensive!) variants of the kit?

For now, it is a case of watch this space…