A security researcher recently published source code for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit (EK) quickly adopted it.
CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in Microsoft’s Internet Explorer (IE) browser, and is exploited to achieve Remote Code Execution (RCE). According to the researcher’s repository, the open source exploit affects IE on at least Windows 10. It is possible that attackers could use or repurpose the attack for earlier versions of Windows.
Microsoft patched CVE-2016-0189 in May on Patch Tuesday. Applying this patch will protect a system from this exploit.
The popular Neutrino EK was quick to adopt this exploit. Neutrino works by embedding multiple exploits into one Shockwave Flash (SWF) file. Once run, the SWF profiles the victim’s system – shown in Figure 1 – to determine which of its embedded exploits to use.
Figure 1. Neutrino EK SWF profiles a victim
Figure 2. Decrypt and embed the selected exploit into an iframe
In this example, Neutrino embedded exploits for five vulnerabilities that have been patched since May or earlier: three for Adobe Flash Player (CVE-2016-4117, CVE-2016-1019, CVE-2015-8651) and two for Internet Explorer (CVE-2016-0189, CVE-2014-6332). CVE-2016-0189 is the newest addition to Neutrino’s arsenal.
This CVE-2016-0189 vulnerability stems from a failure to put a lock on an array before working on it. This omission can lead to an issue when the array is changed while another function is in the middle of working on it. Memory corruption can occur if the “valueOf “ property of the array is set to a script function that changes the array size, as shown in Figure 3.
Figure 3. Neutrino setting triggering conditions
After Microsoft released the patch, a security researcher compared the original and patched programs to identify the root cause of the vulnerability and create a fully functioning exploit. The exploit embedded within Neutrino is identical to this researcher’s exploit, except for the code that runs after initial control.