Tuesday, December 9, 2008

Zero Day in IE 7.x, or "The Fire Bug in front of Big Hole"

The people at McAfee Avert Labs are warning about a trojan that exploits a vulnerability in Internet Explorer 7 with all patches applied.

Of course, this started being reported in China (remember this post? "Te voy a hackear y no vas a entender"?).

In the words of the Avert Labs team:

The root cause was found to be the incorrect handling of certain XML tags in Internet Explorer 7.x that references already freed memory in the mshtml.dll.

We have confirmed this vulnerability to be affecting, at least, a fully patched Windows XP SP3 and a Vista SP1 system. The exploit uses publicly known heap-spray techniques that enable control over a vtable pointer, allowing arbitrary code execution.


So the problem lies in the incorrect handling of certain XML tags by IE 7.x, in the mshtml.dll library.

What is interesting is that this vulnerability affects fully patched Windows XP SP3 and Vista SP1 systems, and it does so even after Microsoft published 4 patches for IE today.

McAfee's antivirus detects the trojan as Downloader-AZN, but according to the note other variants may exist.

I liked the image, and it reflects this situation; its title is:

The Fire Bug in front of Big Hole


Update: Sites hosting hostile code (all of them are Chinese)

baidu.bbtu01.cn - 61.160.213.194
baidu.bbtu02.cn - 61.160.213.194
baidu.bbtu03.cn - 61.160.213.194
baidu.bbtu04.cn - 61.160.213.194
baidu.bbtu05.cn - 61.160.213.194
baidu.bbtu06.cn - 61.160.213.194
baidu.bbtu07.cn - 61.160.213.194

baidu-baiduxin1.cn - 121.12.173.218
baidu-baiduxin2.cn - does not resolve - possibly hostile in the future
baidu-baiduxin3.cn - 59.34.197.63
baidu-baiduxin4.cn - 121.12.173.218
baidu-baiduxin5.cn - 61.143.211.187
baidu-baiduxin6.cn - 121.12.173.218
baidu-baiduxin7.cn - 121.12.173.218
baidu-baiduxin8.cn - 121.12.173.218
baidu-baiduxin9.cn - 59.34.197.63


baidu-baiduzi1.cn - 121.12.173.218
baidu-baiduzi2.cn - 121.12.173.218
baidu-baiduzi3.cn - 121.12.173.218
baidu-baiduzi4.cn - 121.12.173.218
baidu-baiduzi5.cn - 121.12.173.218
baidu-baiduzi6.cn - 121.12.173.218
baidu-baiduzi7.cn - 121.12.173.218
baidu-baiduzi8.cn - 121.12.173.218

baidu-du1.cn - 59.34.197.63
baidu-du2.cn - 202.108.22.180
baidu-du3.cn - 59.34.197.63
baidu-du4.cn - 59.34.197.63
baidu-du5.cn - 121.12.173.218
baidu-du6.cn - 121.12.173.218
baidu-du7.cn - 59.34.197.63
baidu-du8.cn - 121.12.173.218
baidu-du9.cn - 61.143.211.187

sllwrnm1.cn - 59.34.216.92
sllwrnm2.cn - 59.34.216.92
sllwrnm3.cn - does not resolve - possibly hostile in the future
sllwrnm4.cn - 59.34.216.92
sllwrnm5.cn - 59.34.216.92
sllwrnm6.cn - 59.34.216.92
sllwrnm7.cn - 59.34.216.92
sllwrnm8.cn - 59.34.216.92
sllwrnm9.cn - 59.34.216.92
sllwrnm10.cn - 59.34.216.92


sllwbd1.cn - 61.164.118.209
sllwbd2.cn - 61.164.118.209
sllwbd3.cn - 61.164.118.209
sllwbd4.cn - 59.34.216.92
sllwbd5.cn - 59.34.216.92
sllwbd6.cn - 59.34.216.92
sllwbd7.cn - 59.34.216.92
sllwbd8.cn - 59.34.216.92
sllwbd9.cn - 59.34.216.139
sllwbd10.cn - 59.34.216.92

zlwrnm1.cn - does not resolve - possibly hostile in the future
zlwrnm2.cn - does not resolve - possibly hostile in the future
zlwrnm3.cn - does not resolve - possibly hostile in the future
zlwrnm4.cn - does not resolve - possibly hostile in the future
zlwrnm5.cn - 59.34.216.139
zlwrnm6.cn - does not resolve - possibly hostile in the future
zlwrnm7.cn - 59.34.216.139
zlwrnm8.cn - 59.34.216.139
zlwrnm9.cn - 59.34.216.139
zlwrnm10.cn - 59.34.216.139
zlwrnm11.cn - 59.34.216.139
zlwrnm12.cn - 59.34.216.139
zlwrnm13.cn - 59.34.216.139
zlwrnm14.cn - 59.34.216.139
zlwrnm15.cn - 59.34.216.139
zlwrnm16.cn - does not resolve - possibly hostile in the future
zlwrnm17.cn - 59.34.216.139
zlwrnm18.cn - 59.34.216.139
zlwrnm19.cn - 61.164.118.209
zlwrnm20.cn - 61.164.118.209

360avva.akvvv.cn - 58.53.128.136
vip.4s3w.cn - 121.10.107.233
cc4y7.cn - 58.215.76.155
hhhh8886.cn - 121.12.104.88
qqqqttrr.cn - 121.12.104.88
rrrrrrryyy.cn - 121.12.104.88
wwwwyyyyy.cn - 121.12.104.88
fyesn.cn - 121.10.107.233

info : http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081210
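The list above is only useful if it is actually checked against traffic. The following script is an added example, not code from the post, McAfee or Shadowserver: it parses the "domain - IP" list in the exact format the update uses, then scans proxy or DNS log lines for any of those domains (including subdomains) or resolved IPs. Only a subset of the indicators is embedded to keep the example short; the full list can be pasted into IOC_TEXT unchanged. The log format (a squid-style "timestamp client method url") and the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Subset of the indicator list from the post's update, copied in its original
# "domain - ip" / "domain - does not resolve - ..." format.
IOC_TEXT = """
baidu.bbtu01.cn - 61.160.213.194
baidu-baiduxin2.cn - does not resolve - possibly hostile in the future
sllwrnm1.cn - 59.34.216.92
zlwrnm5.cn - 59.34.216.139
360avva.akvvv.cn - 58.53.128.136
vip.4s3w.cn - 121.10.107.233
"""

IOC_LINE = re.compile(r"^(?P<domain>[\w.-]+)\s+-\s+(?P<rest>.+)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
IPV4_IN_TEXT = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
URL_RE = re.compile(r"https?://\S+")


def parse_iocs(text):
    """Return (domains, ips) parsed from the 'domain - ip' list.

    Domains that 'do not resolve' are still kept as domain indicators;
    they simply contribute no IP.
    """
    domains, ips = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        m = IOC_LINE.match(line) if line else None
        if not m:
            continue
        domains.add(m.group("domain").lower())
        rest = m.group("rest").strip()
        if IPV4.match(rest):
            ips.add(rest)
    return domains, ips


def hosts_in_line(line):
    """Yield every URL host and every bare IPv4 address found in a log line."""
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname
        if host:
            yield host.lower()
    for ip in IPV4_IN_TEXT.findall(line):
        yield ip


def is_flagged(host, domains, ips):
    """True if host is a listed IP, a listed domain, or a subdomain of one."""
    if host in ips or host in domains:
        return True
    return any(host.endswith("." + d) for d in domains)


def scan_log(log_text, domains, ips):
    """Return [(line_number, matched_host)] for every log line that hits an IOC."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for host in hosts_in_line(line):
            if is_flagged(host, domains, ips):
                hits.append((n, host))
                break  # one hit per line is enough
    return hits


# Constructed sample log (not from the post): "timestamp client method url".
SAMPLE_LOG = """\
1228867200.123 10.0.0.5 GET http://baidu.bbtu01.cn/index.htm
1228867201.456 10.0.0.5 GET http://www.example.com/
1228867202.789 10.0.0.7 GET http://59.34.216.92/x.js
1228867203.001 10.0.0.9 GET http://baidu-baiduxin2.cn/
"""

if __name__ == "__main__":
    doms, addrs = parse_iocs(IOC_TEXT)
    for lineno, host in scan_log(SAMPLE_LOG, doms, addrs):
        print(f"line {lineno}: hit on {host}")
```

Matching on the IP as well as the domain matters here: the list shows many throwaway domains pointing at a handful of addresses, so a new domain on 59.34.216.92 would still be caught, and the "does not resolve" entries are kept as domain indicators so that they trigger if they come alive later, as the update itself anticipates.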

Update 11/12/08

Excellent post explaining the exploit:
Patch Tuesdays and Drive-by Sundays