CVE-2016-0189 Exploits spotted in the Wild

August 26, 2016

The Microsoft JScript and VBScript engines, as used in Internet Explorer allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted website,aka "Scripting Engine Memory Corruption Vulnerability,"

Dell SonicWALL Threat research team has observed that this CVE-2016-0189 is being exploited in the wild.

There is a proof of concept for this CVE available here.If you compare the PoC and the exploit you find that the attacker has added few new functions and variables.

By inserting alerts in the code one can see that the attacker is trying to invoke PowerShell process and transfer information back to the attacker's website (url argument of code)

Running the exploit we can see that IE crashes and the vulnerable dll is jscript.dll/vbscript.dll

This happens when attacker reduces the array size and then tries to access an array element which isn't there after the resize, resulting in a use after free condition.

Using process monitor tool one can see that IE opens a powershell process

Looking at PowerShell event properties one can see that the attacker is trying to download an executable from a malicious website.

Dell SonicWALL Threat Research Team has researched this vulnerability and released following signature to protect their customers.

  • IPS 11594: Scripting Engine Memory Corruption Vulnerability (MS16-051) 1