CVE 2013-0074 & 3896 Silverlight Exploit Artifacts

Tuesday, May 13, 2014 Posted by Corey Harrell
Artifact Name

Exploit Artifacts for CVE 2013-0074/3896 (Silverlight) Vulnerabilities

Attack Vector Category



Two vulnerabilities present in Microsoft Silverlight 5 that in combination enable an attacker to execute arbitary code.

CVE 2013-3896 affects Microsoft Silverlight 5 before 5.1.20913.0. The vulnerability is due to not properly validating pointers during access to Silverlight elements, which allows remote attackers to obtain sensitive information via a crafted Silverlight application. The significance of this vulnerability as explained in TrendMicro's  A Look At A Silverlight Exploit article:

"The exploit uses this vulnerability to leak a pointer address in memory, and then uses this leaked address to compute the base address of, bypassing ASLR. Later, this base address is used to compute the ROP gadgets in order to bypass DEP."  

CVE 2013-0074 affects Microsoft Silverlight 5 before 5.1.20125.0. The vulnerability is due to not properly validating pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application. The TrendMicro article stated this vulnerability "is used to control the execution flow to jump to the ROP gadget."

Attack Description

The significance of these Silverlight vulnerabilities is their usage in mass attacks through exploit kits. Furthermore, Packetstorm security posted the exploit code for these vulnerabilities making them public and thus available to anyone to use them including exploit kits' authors.

This description was obtained from the very detailed Malware don't need Coffee blog post CVE-2013-0074/3896 (Silverlight) integrates Exploit Kits. To truly understand this attack I highly recommend reading this blog post.

     1. User visits a malicious website.

     2. The website serves up a malicious Silverlight application to compromise the system.

Exploits Tested

Metasploit exploit/windows/browser/ms13_022_silverlight_script_object

Target System Information

Windows 7 SP0 x86 Virtual Machine with Silverlight v 5.0.60818.0 (no Silverlight applications were executed on the system prior to test)

Different Artifacts based on Administrator Rights

Not tested

Different Artifacts based on Tested Software Versions

Not tested

Potential Artifacts

The potential artifacts include the 2013-0074/3896 exploit and the changes the exploit causes in the operating system environment. The artifacts can be grouped under the following three areas:

     * Temporary File Creation
     * Indications of the Vulnerable Application Executing
     * Internet Activity

Note: the documenting of the potential artifacts attempted to identify the overall artifacts associated with the vulnerability being exploited as opposed to the specific artifacts unique to the Metasploit. As a result, the actual artifact storage locations and filenames are inside of brackets in order to distinguish what may be unique to the testing environment.

     Temporary File Creation

- Webpage created in a temporary Internet files storage location on the system within the timeframe of interest. [C:\ Users\lab\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I87XK24W\nXKoGc[1].htm] The webpage contains the code to load the Silverlight application exploit. The code includes: the data/type variables indicating " application/x-silverlight-2" and the InitParams indicating what to load. The image below shows the webpage code (please note: the InitParams in Metasploit contains the code to execute while on other systems it may point to an actual file)

     Indications of the Vulnerable Application Executing

- Folder activity involving the Silverlight application. [C:\Users\lab\AppData\LocalLow\Microsoft\Silverlight]

- File creation inside the Silverlight application folder. [C:\ Users\lab\AppData\LocalLow\Microsoft\Silverlight\BIT65AC.tmp and C: \Users\lab\AppData\LocalLow\Microsoft\Silverlight\mssl.lck]

- Registry modification involving Silverlight in the user profile's NTUSER.DAT hive the exploit executed under. [HKU\Software\AppDataLow\Software\Microsoft\Silverlight and HKU\ Software\AppDataLow\Software\Microsoft\Silverlight\Permissions] (note: this artifact may be due to Silverlight executing for the first time)

- Entries for Silverlight programs that executed for the first time on the system inside the RecentFileCache.bcf file (Windows 7 artifact) [c:\program files\microsoft silverlight\5.0.61118.0\agcp.exe]

- References to Silverlight programs in the CONHOST.EXE's prefetch file handles [\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT SILVERLIGHT\5.0.61118.0\COREGEN.EXE]

     Internet Activity

- Web browser history of user accessing websites within the timeframe of interest. [lab user account accessed the computer running Metasploit]

- Files located in the Temporary Internet Files folder. [Users\lab\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5]

Timeline View of Potential Artifacts

The images below shows the above artifacts in a timeline of the file system from the test Windows 7 SP0 system. The timeline only includes the file system metadata. The purpose of the timeline is to help illustrate what the artifacts look like on a compromised system.

A few tidbits about items listed in the timeline that are not discussed above. First, in numerous tests when Silverlight executes it initiates activity in the C:\Windows\SoftwareDistribution\DataStore. This folder is associated with Windows updates and at times it referenced Silverlight activity.  Secondly, in numerous tests when Silverlight executes there is activity in the C:\Windows\System32\wdi folder. The files didn't specifically reference Silverlight but the activity was consistent. In both cases, I opted to not include these artifacts until it can be determined that this activity is directly associated with Silverlight being exploited.

     * MFT Timeline

     * Change Journal Timeline


Post a Comment