Microsoft InformationCardSigninHelper Class ActiveX control exploit spotted in the Wild
The Dell SonicWALL Threats Research team has found an in-the-wild exploit utilizing the InformationCardSigninHelper Class ActiveX control vulnerability (CVE-2013-3918).
The attack uses a specially crafted HTML page and specifically targets Internet Explorer.
We were able to successfully exploit a Windows XP system running IE 8.
The details of the attack follow.
The code above gets translated into the following ROP chain in memory.
The ROP chain leads to a call to VirtualProtect.
We can see that the bytes are further XORed with 0x9f.
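When a sample stage is single-byte XOR encoded, as the 0x9f encoding seen here, an analyst usually wants to confirm the key and recover the plaintext without guessing. The following Python helper is an added analysis aid, not code from the SonicWALL post or from the exploit: it tries all 256 keys and scores each candidate by printable-ASCII density plus a bonus for known markers (the `MARKERS` list, `rundll32` among them, is an assumption chosen for this example). The encoded bytes are constructed in the block from a made-up plaintext; they are not bytes from the real sample.

```python
"""Recover a single-byte XOR key from an encoded payload fragment.

Added example for analysts; not code from the post or the sample.
"""
from __future__ import annotations

# Strings an analyst would expect in a decoded second stage (assumption
# for this example; extend with whatever fits the case at hand).
MARKERS = (b"rundll32", b"VirtualProtect", b"kernel32")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> int:
    """Higher is more plausible: printable bytes plus a large marker bonus."""
    printable = sum(1 for b in candidate if 32 <= b < 127 or b in (9, 10, 13))
    # A marker hit outweighs any printable-density score for this length.
    marker_bonus = 1000 * sum(1 for m in MARKERS if m in candidate)
    return printable + marker_bonus


def recover_key(encoded: bytes) -> tuple[int, bytes]:
    """Try all 256 single-byte keys and return (best_key, decoded_bytes)."""
    best_key, best_score, best_plain = 0, -1, b""
    for key in range(256):
        plain = xor_bytes(encoded, key)
        s = score(plain)
        if s > best_score:
            best_key, best_score, best_plain = key, s, plain
    return best_key, best_plain


# Constructed sample: a made-up plaintext encoded with the key the post
# reports (0x9f). Nothing here is taken from the real exploit.
SAMPLE_PLAINTEXT = b"rundll32.exe stage2-placeholder.dll,Start"
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAINTEXT, 0x9F)


if __name__ == "__main__":
    key, plain = recover_key(SAMPLE_ENCODED)
    print(f"recovered key: 0x{key:02x}")
    print(f"decoded bytes: {plain!r}")
```

On real data, feed `recover_key` the raw encoded buffer carved from the page or from memory; if no marker is present the printable-density score still ranks the key, but check the top few candidates by hand rather than trusting a single winner.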
The following shows how the rundll32 process is created.
On successful execution, the process tries to make TCP connections to IP address 111.X.X.93 on port 443.
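The two post-exploitation observations above, a rundll32 process being created and then connecting out on TCP 443, are the kind of host-and-network pair a detection engineer would correlate. The Python below is an added example, not code from the post or from any SonicWALL product: it reads constructed log lines in a simple `timestamp|kind|image|detail` format (an assumed format for this example), and flags a rundll32 start that is followed within a window by an outbound 443 connection from rundll32 to a watch-listed address. The post redacts the real address as 111.X.X.93, so the watch-list entry here is an obvious placeholder.

```python
"""Correlate a rundll32 start with a later outbound TCP/443 beacon.

Added example; log format, timestamps and addresses are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Placeholder standing in for the redacted 111.X.X.93 from the post.
WATCHLIST = {"111.0.0.93"}
WINDOW = timedelta(minutes=5)  # assumed correlation window


@dataclass
class Event:
    ts: datetime
    kind: str    # "proc" for a process start, "net" for a connection
    image: str   # full path of the process
    detail: str  # proc: free text; net: "dst_ip:dst_port"


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts|kind|image|detail' log line."""
    ts, kind, image, detail = line.strip().split("|", 3)
    return Event(datetime.fromisoformat(ts), kind, image, detail)


def is_rundll32(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] == "rundll32.exe"


def find_beacons(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (start_ts, connect_ts, dst_ip) for each rundll32 start that is
    followed within WINDOW by a rundll32 connection to WATCHLIST on port 443."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    starts = [e for e in events if e.kind == "proc" and is_rundll32(e.image)]
    hits: list[tuple[str, str, str]] = []
    for n in (e for e in events if e.kind == "net"):
        dst_ip, dst_port = n.detail.rsplit(":", 1)
        if dst_ip not in WATCHLIST or dst_port != "443" or not is_rundll32(n.image):
            continue
        for s in starts:
            if timedelta(0) <= n.ts - s.ts <= WINDOW:
                hits.append((s.ts.isoformat(), n.ts.isoformat(), dst_ip))
                break
    return hits


# Constructed sample log: one true pairing, one connection from a different
# process, and one rundll32 connection that predates the process start.
SAMPLE_LOG = [
    "2013-11-12T09:30:00|net|C:\\Windows\\System32\\rundll32.exe|111.0.0.93:443",
    "2013-11-12T10:00:00|proc|C:\\Windows\\System32\\rundll32.exe|cmdline=<redacted>",
    "2013-11-12T10:00:03|net|C:\\Windows\\System32\\rundll32.exe|111.0.0.93:443",
    "2013-11-12T10:00:05|net|C:\\Windows\\System32\\svchost.exe|111.0.0.93:443",
]


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print("rundll32 beacon:", hit)
```

The window and the strict ordering (connection after process start) are what keep the rule from firing on the earlier, unrelated rundll32 connection in the sample; tune `WINDOW` to the dwell time seen in your own telemetry.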
We have a couple of signatures that cover the attack:
- IPS 7600 InformationCardSigninHelper ActiveX Instantiation (MS13-090)
- SPY 4736 CVE-2013-3918