
MSXML 4.0 Exploit In The Wild

Well, that didn’t take long. The XMLHTTP 4.0 ActiveX vulnerability that we reported on this past weekend now has an exploit to go with it.

From SANS:

“The exploit does not seem to be in wide use just yet, but that can, of course (and we expect it to), change very quickly.

For the exploit to work it *needs* Microsoft XML Core Services to be installed. Microsoft XML Core Services are not installed by default on Windows XP, but there seems to be a lot of packages using it, Visual Studio appears to be one common one. You can check in the Add or Remove Programs applet if you have it installed.

The exploit works in both IE6 and IE7, which makes sense since it’s exploiting a vulnerability in an ActiveX object, not in the browser itself.

When executed the exploit creates an MSXML 4.0 ActiveX object (88d969c5-f192-11d4-a65f-0040963251e5). It then uses multiple setRequestHeader() method calls to execute shellcode which is included with the exploit.

Once executed the shellcode (of course) first downloads the first stage downloader. At the moment it’s a file called tester.dat:

16ac9982d177a47a20c4717183493e95 tester.dat

This downloader then downloads subsequent files (yet to be analysed).

It looks like some AV vendors are beginning to detect the exploit. At this moment it is being detected by McAfee as Exploit-XMLCoreSrvcs and Symantec as Bloodhound.Exploit.96. Microsoft also detects it as Exploit:HTML/Xmlreq.A.

The best protection is to prevent the XMLHTTP 4.0 ActiveX Control from running in Internet Explorer, as stated in Microsoft’s advisory: http://www.microsoft.com/technet/security/advisory/927892.mspx.”
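The usual way to stop IE from instantiating a specific control is the "kill bit": a `Compatibility Flags` value of 0x400 under the ActiveX Compatibility key for that CLSID. The script below is an added example (not from the SANS diary or from Microsoft's advisory) that sets and verifies the kill bit for the CLSID quoted above; it assumes an elevated PowerShell prompt, and the Wow6432Node path only exists on 64-bit Windows.

```powershell
# Added example: set the IE kill bit for the MSXML 4.0 XMLHTTP control
# (CLSID from the SANS diary) so Internet Explorer refuses to create it.
# Compatibility Flags bit 0x400 is the documented kill bit.
$Clsid   = '{88D969C5-F192-11D4-A65F-0040963251E5}'
$KillBit = 0x400
$Bases   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # Only present on 64-bit Windows (32-bit IE on a 64-bit host):
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($base in $Bases) {
    # Skip the Wow6432Node branch on 32-bit systems where it does not exist
    if (-not (Test-Path $base)) { continue }

    $key = Join-Path $base $Clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Keep any flags already present and OR in the kill bit
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = [int]$existing -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord

    # Verify the bit actually landed before trusting the change
    $check = (Get-ItemProperty -Path $key).'Compatibility Flags'
    if (([int]$check -band $KillBit) -eq $KillBit) {
        Write-Output "Kill bit set for $Clsid under $base"
    } else {
        Write-Warning "Kill bit NOT set for $Clsid under $base"
    }
}
```

The change applies to IE instances started after the key is written; it blocks the control in the browser only, so applications that use MSXML 4.0 directly keep working.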
