Exploitalert - Database of Exploits

Microsoft Internet Explorer 11 MSHTML.DLL Remote Binary Planting Vulnerability

CVE	Category	Price	Severity
CVE-2016-0160	CWE-426	$50,000	High

Author	Risk	Exploitation Type	Date
John Doe	High	Remote	2016-04-17

CPE
cpe:cpe:/a:microsoft:internet_explorer:11.0

CVSS	EPSS	EPSSP
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Local	AV	The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Attack Requirements	Present	AT	The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack. These include: A race condition must be won to successfully exploit the vulnerability. The successfulness of the attack is conditioned on execution conditions that are not under full control of the attacker. The attack may need to be launched multiple times against a single target before being successful. Network injection. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim (e.g. vulnerabilities requiring an on-path attacker).
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2016040113

Microsoft Internet Explorer 11 MSHTML.DLL Remote Binary Planting VulnerabilityAbstract -------- Microsoft Internet Explorer 11 MSHTML.DLL Remote Binary Planting Vulnerability Affected Version: MSHTML.DLL 11.0.9600.18231 and probably below on Windows 7 SP1 Vendor Homepage: http://www.microsoft.com Severity: high Status: fixed CVE-ID: CVE-2016-0160 Description ----------- Microsoft Internet Explorer 11 ships with MSHTML.DLL referencing various DLLs which are not present on a Windows 7 SP1 installation, Windows 10 is not affected, other Windows versions have not been tested. According to [1] "MSHTML.DLL is at the heart of Internet Explorer and takes care of its HTML and Cascading Style Sheets (CSS) parsing and rendering functionality." Every application using MSHTML.DLL directly or another DLL which incorporates MSHTML.DLL (like SHELL32.dll) is prone to binary planting[2] (including services running as SYSTEM). So this issue is not restricted to Microsoft applications. In addition certain applications like Microsoft Word/Excel/Powerpoint/Project/powershell/... as well as a certain number of third party software are prone to remote binary planting due to using MSHTML.DLL in some ways. Technical Details ----------------- MSHTML.DLL on Windows 7 SP1 has missing dependencies for the following DLLs: API-MS-WIN-APPMODEL-RUNTIME-L1-1-0.DLL API-MS-WIN-CORE-WINRT-ERROR-L1-1-0.DLL API-MS-WIN-CORE-WINRT-L1-1-0.DLL API-MS-WIN-CORE-WINRT-ROBUFFER-L1-1-0.DLL API-MS-WIN-CORE-WINRT-STRING-L1-1-0.DLL API-MS-WIN-SHCORE-SCALING-L1-1-1.DLL DCOMP.DLL IESHIMS.DLL Since all mentioned DLLs are available on a Windows 10 installation my assumption is that this might be due to developing for Windows 10 and backporting to Windows 7. Whenever an application is using MSHTML.DLL either directly or via indirect dependencies from SHELL32.DLL for instance it tries to find API-MS-WIN-APPMODEL-RUNTIME-L1-1-0.DLL using the DLL search order (see [3]). If a user and/or a remote attacker is able to control one directory in the system's DLL search path he can escalate privileges from user to SYSTEM in case of a vulnerable service running as SYSTEM. If a user is tricked to open e.g. a word document from a Windows or even WebDAV share holding additionally a malicious DLL named API-MS-WIN-APPMODEL-RUNTIME-L1-1-0.DLL it is loaded and executed in the user's context. Proof-of-Concept Remote Binary Planting --------------------------------------- 1. Add a Word document to a share (e.g. hello.docx) accessible from a vulnerableWindows installation. 2. Add a "malicious" DLL to the same directory and name it api-ms-win-appmodel-runtime-l1-1-0.dll 3. Mount the remote Windows share on a Windows 7 PC 4. Double-Click hello.docx (with Microsoft Word or Word Viewer) The "malicious" DLL is loaded and executed in addition to Word Solution -------- Microsoft published the following security advisory MS16-037 [4] Additional Note: The issue is completely fixed only if also MS16-041 is installed [5]! Advisory Timeline ----------------- 30. Dec 2015 - Informed Microsoft Security Response Center 31. Dec 2015 - MSRC confirmed receipt 13. Feb 2016 - Requested status update 17. Feb 2016 - MSRC confirmed issue 12. Apr 2016 - MS16-037 published 15. Apr 2016 - Public Disclosure Author ------ Sandro Poppi <spoppi.sec () gmail com> References ---------- [1] https://msdn.microsoft.com/en-us/library/aa741312%28v=vs.85%29.aspx [2] http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx [3] https://msdn.microsoft.com/en-us/library/windows/desktop/ff919712%28v=vs.85%29.aspx [4] https://technet.microsoft.com/en-us/library/security/ms16-037 [5] https://technet.microsoft.com/en-us/library/security/ms16-041

Impressum