Subscribe to the RSS feed in case you are interested in updates
Ivanlef0u released a POC for the exploit used in targeted attacks :
More information :
Mitigations :
- Disable display of icons (regedit changes proposed by the MS Bulletin)
- Use of Kernel mode protection drivers (Ariad, Sophos, etc.pp)
Callstack:
kd> g
Breakpoint 1 hit
eax=00000001 ebx=00f5ee7c ecx=0000c666 edx=00200003 esi=00000001 edi=7c80a6e4
eip=7ca78712 esp=00f5e9c4 ebp=00f5ec18 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
SHELL32!_LoadCPLModule+0x10d:
001b:7ca78712 ff15a0159d7c call dword ptr [SHELL32!_imp__LoadLibraryW (7c9d15a0)] ds:0023:7c9d15a0={kernel32!LoadLibraryW (7c80aeeb)}
kd> dd esp
00f5e9c4 00f5ee7c 000a27bc 00f5ee78 00000000
00f5e9d4 00000020 00000008 00f5ee7c 00000000
00f5e9e4 00000000 0000007b 00000000 00000000
00f5e9f4 00200073 002000e0 0000064c 0000028c
00f5ea04 1530000a 00000000 003a0043 0064005c
00f5ea14 006c006c 0064002e 006c006c 006d002e
00f5ea24 006e0061 00660069 00730065 00000074
00f5ea34 00090608 7c92005d 00000000 00000007
kd> db 00f5ee7c
00f5ee7c 43 00 3a 00 5c 00 64 00-6c 00 6c 00 2e 00 64 00 C.:.\.d.l.l...d.
00f5ee8c 6c 00 6c 00 00 00 92 7c-c8 f2 f5 00 00 17 72 02 l.l....|......r.
00f5ee9c 4b d2 00 00 d8 f2 f5 00-8b d2 a1 7c 00 00 00 00 K..........|....
00f5eeac ac 80 9d 7c 30 d8 0d 00-34 d8 0d 00 b8 d7 0d 00 ...|0...4.......
00f5eebc 9a d2 a1 7c 30 d8 0d 00-c8 f2 f5 00 50 40 15 00 ...|0.......P@..
00f5eecc 50 40 15 00 00 00 00 00-b8 00 92 7c 40 b7 0c 00 P@.........|@...
00f5eedc a8 ef f5 00 41 00 92 7c-18 07 09 00 5d 00 92 7c ....A..|....]..|
00f5eeec c8 f2 f5 00 00 ef f5 00-00 00 00 00 b8 00 92 7c ...............|
kd> kv
ChildEBP RetAddr Args to Child
00f5ec18 7ca81a74 00f5ee7c 000a27bc 00f5f2c4 SHELL32!_LoadCPLModule+0x10d (FPO: [1,145,4])
00f5ee50 7ca82543 00f5ee74 000a27bc 000a27c0 SHELL32!CPL_LoadAndFindApplet+0x4a (FPO: [4,136,4])
00f5f294 7cb56065 000a25b4 000a27bc 000a27c0 SHELL32!CPL_FindCPLInfo+0x46 (FPO: [4,264,4])
00f5f2b8 7ca13714 00000082 00000000 00000104 SHELL32!CCtrlExtIconBase::_GetIconLocationW+0x7b (FPO: [5,0,0])
00f5f2d4 7ca1d306 000a25ac 00000082 00f5f570 SHELL32!CExtractIconBase::GetIconLocation+0x1f (FPO: [6,0,0])
00f5f410 7ca133b6 000dd7e0 00000082 00f5f570 SHELL32!CShellLink::GetIconLocation+0x69 (FPO: [6,68,4])
00f5f77c 7ca03c88 000dd7e0 00000000 0015aa00 SHELL32!_GetILIndexGivenPXIcon+0x9c (FPO: [5,208,4])
00f5f7a4 7ca06693 00131c60 000dd7e0 0015aa00 SHELL32!SHGetIconFromPIDL+0x90 (FPO: [5,0,4])
00f5fe20 7ca12db0 00131c64 0015aa00 00000000 SHELL32!CFSFolder::GetIconOf+0x24e (FPO: [4,405,4])
00f5fe40 7ca15e3c 00131c60 00131c64 0015aa00 SHELL32!SHGetIconFromPIDL+0x20 (FPO: [5,0,0])
00f5fe68 7ca03275 000f8090 0014d5b0 0014a910 SHELL32!CGetIconTask::RunInitRT+0x47 (FPO: [1,2,4])
00f5fe84 75f11b9a 000f8090 75f11b18 75f10000 SHELL32!CRunnableTask::Run+0x54 (FPO: [1,1,4])
00f5fee0 77f49598 00155658 000cb748 77f4957b BROWSEUI!CShellTaskScheduler_ThreadProc+0x111 (FPO: [1,17,0])
00f5fef8 7c937ac2 000cb748 7c98e440 0014cfe0 SHLWAPI!ExecuteWorkItem+0x1d (FPO: [1,0,4])
00f5ff40 7c937b03 77f4957b 000cb748 00000000 ntdll!RtlpWorkerCallout+0x70 (FPO: [Non-Fpo])
00f5ff60 7c937bc5 00000000 000cb748 0014cfe0 ntdll!RtlpExecuteWorkerRequest+0x1a (FPO: [3,0,0])
00f5ff74 7c937b9c 7c937ae9 00000000 000cb748 ntdll!RtlpApcCallout+0x11 (FPO: [4,0,0])
00f5ffb4 7c80b729 00000000 00edfce4 00edfce8 ntdll!RtlpWorkerThread+0x87 (FPO: [1,7,0])
00f5ffec 00000000 7c920250 00000000 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
Breakpoint 1 hit
eax=00000001 ebx=00f5ee7c ecx=0000c666 edx=00200003 esi=00000001 edi=7c80a6e4
eip=7ca78712 esp=00f5e9c4 ebp=00f5ec18 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
SHELL32!_LoadCPLModule+0x10d:
001b:7ca78712 ff15a0159d7c call dword ptr [SHELL32!_imp__LoadLibraryW (7c9d15a0)] ds:0023:7c9d15a0={kernel32!LoadLibraryW (7c80aeeb)}
kd> dd esp
00f5e9c4 00f5ee7c 000a27bc 00f5ee78 00000000
00f5e9d4 00000020 00000008 00f5ee7c 00000000
00f5e9e4 00000000 0000007b 00000000 00000000
00f5e9f4 00200073 002000e0 0000064c 0000028c
00f5ea04 1530000a 00000000 003a0043 0064005c
00f5ea14 006c006c 0064002e 006c006c 006d002e
00f5ea24 006e0061 00660069 00730065 00000074
00f5ea34 00090608 7c92005d 00000000 00000007
kd> db 00f5ee7c
00f5ee7c 43 00 3a 00 5c 00 64 00-6c 00 6c 00 2e 00 64 00 C.:.\.d.l.l...d.
00f5ee8c 6c 00 6c 00 00 00 92 7c-c8 f2 f5 00 00 17 72 02 l.l....|......r.
00f5ee9c 4b d2 00 00 d8 f2 f5 00-8b d2 a1 7c 00 00 00 00 K..........|....
00f5eeac ac 80 9d 7c 30 d8 0d 00-34 d8 0d 00 b8 d7 0d 00 ...|0...4.......
00f5eebc 9a d2 a1 7c 30 d8 0d 00-c8 f2 f5 00 50 40 15 00 ...|0.......P@..
00f5eecc 50 40 15 00 00 00 00 00-b8 00 92 7c 40 b7 0c 00 P@.........|@...
00f5eedc a8 ef f5 00 41 00 92 7c-18 07 09 00 5d 00 92 7c ....A..|....]..|
00f5eeec c8 f2 f5 00 00 ef f5 00-00 00 00 00 b8 00 92 7c ...............|
kd> kv
ChildEBP RetAddr Args to Child
00f5ec18 7ca81a74 00f5ee7c 000a27bc 00f5f2c4 SHELL32!_LoadCPLModule+0x10d (FPO: [1,145,4])
00f5ee50 7ca82543 00f5ee74 000a27bc 000a27c0 SHELL32!CPL_LoadAndFindApplet+0x4a (FPO: [4,136,4])
00f5f294 7cb56065 000a25b4 000a27bc 000a27c0 SHELL32!CPL_FindCPLInfo+0x46 (FPO: [4,264,4])
00f5f2b8 7ca13714 00000082 00000000 00000104 SHELL32!CCtrlExtIconBase::_GetIconLocationW+0x7b (FPO: [5,0,0])
00f5f2d4 7ca1d306 000a25ac 00000082 00f5f570 SHELL32!CExtractIconBase::GetIconLocation+0x1f (FPO: [6,0,0])
00f5f410 7ca133b6 000dd7e0 00000082 00f5f570 SHELL32!CShellLink::GetIconLocation+0x69 (FPO: [6,68,4])
00f5f77c 7ca03c88 000dd7e0 00000000 0015aa00 SHELL32!_GetILIndexGivenPXIcon+0x9c (FPO: [5,208,4])
00f5f7a4 7ca06693 00131c60 000dd7e0 0015aa00 SHELL32!SHGetIconFromPIDL+0x90 (FPO: [5,0,4])
00f5fe20 7ca12db0 00131c64 0015aa00 00000000 SHELL32!CFSFolder::GetIconOf+0x24e (FPO: [4,405,4])
00f5fe40 7ca15e3c 00131c60 00131c64 0015aa00 SHELL32!SHGetIconFromPIDL+0x20 (FPO: [5,0,0])
00f5fe68 7ca03275 000f8090 0014d5b0 0014a910 SHELL32!CGetIconTask::RunInitRT+0x47 (FPO: [1,2,4])
00f5fe84 75f11b9a 000f8090 75f11b18 75f10000 SHELL32!CRunnableTask::Run+0x54 (FPO: [1,1,4])
00f5fee0 77f49598 00155658 000cb748 77f4957b BROWSEUI!CShellTaskScheduler_ThreadProc+0x111 (FPO: [1,17,0])
00f5fef8 7c937ac2 000cb748 7c98e440 0014cfe0 SHLWAPI!ExecuteWorkItem+0x1d (FPO: [1,0,4])
00f5ff40 7c937b03 77f4957b 000cb748 00000000 ntdll!RtlpWorkerCallout+0x70 (FPO: [Non-Fpo])
00f5ff60 7c937bc5 00000000 000cb748 0014cfe0 ntdll!RtlpExecuteWorkerRequest+0x1a (FPO: [3,0,0])
00f5ff74 7c937b9c 7c937ae9 00000000 000cb748 ntdll!RtlpApcCallout+0x11 (FPO: [4,0,0])
00f5ffb4 7c80b729 00000000 00edfce4 00edfce8 ntdll!RtlpWorkerThread+0x87 (FPO: [1,7,0])
00f5ffec 00000000 7c920250 00000000 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
.png)
