Saturday, June 23, 2007

MS07-033 Exploit in the Wild

Via Symantec DeepSight -

Recently, a DeepSight honeypot was compromised by a rogue website that served a variety of malicious scripts to users. From the dozens of websites that we investigate every day, what makes this case special is the fact that this is the first detected instance of in-the-wild exploitation of Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability (BID 24426). This exploit appears to be a derivation of the publicly available exploit released at milw0rm.com. The vulnerability lies in the way two COM objects in the Speech API 4, namely Windows DirectSpeechSynthesis Module (XVoice.dll, EEE78591-FE22-11D0-8BEF-0060081841DE) and DirectSpeechRecognition Module (XListen.dll, 4E3D9D1F-0C63-11D1-8BFB-0060081841DE), handle certain user input. The malicious attacker can instantiate these COM objects via Internet Explorer, and pass overly long arguments to certain routines. In this case, the exploit passes a maliciously crafted argument (ModeName) to the DirectSS.FindEngine function. The overflowed buffer is then populated with attacker-supplied shellcode, overwriting the Structured Exception Handler, thus resulting in the execution of arbitrary code. This exploit is being detected as Bloodhound.Exploit.150 by Norton AntiVirus.
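The write-up gives the two things a defender can key on: the CLSIDs of the two SAPI 4 controls and a FindEngine call whose ModeName argument is far longer than any legitimate engine name. The script below is an added example, not code from Symantec or from this blog: it statically scans saved page source for those markers (a vulnerable CLSID, a FindEngine call, and either an oversized string literal or the self-concatenation loop exploits use to build one), and separately evaluates the ActiveX "Compatibility Flags" kill bit (0x400, under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) that MS07-033 sets to stop Internet Explorer from instantiating these controls. The sample pages are constructed for the test; the number and meaning of FindEngine's parameters are not stated on the page, so the single-argument call is an assumption, and the samples contain no shellcode.

```python
"""Static scan of saved web pages for the SAPI 4 COM object pattern described
in the DeepSight write-up, plus a kill-bit check. Added example; not Symantec's
or Microsoft's code."""
import re

# CLSIDs named in the write-up (XVoice.dll and XListen.dll).
VULNERABLE_CLSIDS = {
    "EEE78591-FE22-11D0-8BEF-0060081841DE": "DirectSpeechSynthesis Module (XVoice.dll)",
    "4E3D9D1F-0C63-11D1-8BFB-0060081841DE": "DirectSpeechRecognition Module (XListen.dll)",
}

# Bit Microsoft sets in the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# to stop IE from instantiating a control (the ActiveX kill bit).
KILL_BIT = 0x400

# <object classid="clsid:..."> or any script text that names a CLSID.
CLSID_RE = re.compile(r"clsid:\s*\{?([0-9A-Fa-f-]{36})\}?", re.I)
# Any call to FindEngine; the write-up says the overlong ModeName goes here.
FINDENGINE_RE = re.compile(r"\.FindEngine\s*\(", re.I)
# Double- or single-quoted string literals, used to measure literal lengths.
STRING_RE = re.compile(r'"([^"\\]*(?:\\.[^"\\]*)*)"|\'([^\'\\]*(?:\\.[^\'\\]*)*)\'')
# Self-concatenation (s += s, s = s + s): the loop idiom for building a huge string.
DOUBLING_RE = re.compile(r"(\w+)\s*(?:\+=\s*\1|=\s*\1\s*\+\s*\1)\b")


def scan_page(html, long_literal=256):
    """Collect findings from one page's HTML/script source."""
    findings = {"clsids": [], "findengine_calls": 0,
                "long_literals": [], "doubling_loops": []}
    for m in CLSID_RE.finditer(html):
        clsid = m.group(1).upper()
        if clsid in VULNERABLE_CLSIDS:
            findings["clsids"].append((clsid, VULNERABLE_CLSIDS[clsid]))
    findings["findengine_calls"] = len(FINDENGINE_RE.findall(html))
    for m in STRING_RE.finditer(html):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        if len(literal) >= long_literal:
            findings["long_literals"].append(len(literal))
    findings["doubling_loops"] = [m.group(1) for m in DOUBLING_RE.finditer(html)]
    return findings


def is_suspicious(findings):
    """Vulnerable CLSID + FindEngine call + an oversized or loop-built string
    is the combination the write-up describes; any one alone is not enough."""
    return (bool(findings["clsids"])
            and findings["findengine_calls"] > 0
            and bool(findings["long_literals"] or findings["doubling_loops"]))


def still_instantiable(compat_flags):
    """Given {CLSID: Compatibility Flags DWORD} as read from the registry
    (missing key means no flags), return vulnerable CLSIDs lacking the kill bit."""
    return [clsid for clsid in VULNERABLE_CLSIDS
            if not (compat_flags.get(clsid, 0) & KILL_BIT)]


# Constructed sample: instantiates XVoice.dll and feeds FindEngine a string
# grown by doubling. No shellcode; the one-argument call is an assumption.
SAMPLE_PAGE = """<html><body>
<object classid="clsid:EEE78591-FE22-11D0-8BEF-0060081841DE" id="target"></object>
<script>
var s = "A";
while (s.length < 0x4000) { s += s; }
target.FindEngine(s);
</script></body></html>"""

# Constructed benign-looking page: same control family, short literal argument.
BENIGN_PAGE = """<html><body>
<object classid="clsid:4E3D9D1F-0C63-11D1-8BFB-0060081841DE" id="rec"></object>
<script>rec.FindEngine("en-US");</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        f = scan_page(page)
        print(name, "suspicious" if is_suspicious(f) else "clean", f)
    # Only XVoice.dll has its kill bit set here, so XListen.dll is reported.
    print(still_instantiable({"EEE78591-FE22-11D0-8BEF-0060081841DE": KILL_BIT}))
```

A host that has applied MS07-033 should report an empty list from still_instantiable once the two Compatibility Flags values are read from the registry; if either CLSID is still instantiable, the honeypot-style page above would reach FindEngine. The string-literal and doubling-loop heuristics are deliberately simple and will miss obfuscated builders, which is why the CLSID match is the anchor condition rather than the string checks alone.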
