The vulnerability used ROP-chain technique and was exploited in Campaign Operation DeputyDog.
The vulnerability was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well.
Vulnerability details
Advisory: SB2013091701 - Remote code execution in Microsoft Internet Explorer
Vulnerable component: Microsoft Internet Explorer
CVE-ID: CVE-2013-3893
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-416 - Use After Free
Description:
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in SetMouseCapture implementation. A remote attacker can create specially crafted JavaScript, place it on a Web page, trick the victim into visiting it using Internet Explorer, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Known APT campaigns:
Operation DeputyDog
The campaign began on August 19, 2013 and targeted Japanese organizations. According to FireEye researchers, who detected the campaign, the attack payload was connected to the host in Hong Kong and the malware тАУ to the host in South Korea.
Public Exploits:
- Micorosft Internet Explorer - SetMouseCapture Use-After-Free (Metasploit) [Exploit-DB]
- Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free [Exploit-DB]
External links:
https://technet.microsoft.com/en-us/library/security/2887505
https://technet.microsoft.com/en-us/library/security/ms13-080
https://blogs.technet.microsoft.com/srd/2013/09/17/cve-2013-3893-fix-it-workaround-available/
https://blogs.technet.microsoft.com/srd/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limi...
https://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/
https://nakedsecurity.sophos.com/2013/10/25/anatomy-of-an-exploit-inside-the-cve-2013-3893-internet-...
https://www.f-secure.com/en/web/labs_global/cve-2013-3893
https://community.rapid7.com/community/metasploit/blog/2013/09/30/metasploit-releases-cve-2013-3893-...
https://www.symantec.com/security_response/vulnerability.jsp?bid=62453
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=70073
http://eromang.zataz.com/2015/12/22/cve-2013-3893-microsoft-internet-explorer-setmousecapture-uaf/
https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-part-2-zero-day-exploit-ana...
https://sgros-students.blogspot.com/2014/01/exploiting-and-analysing-cve-2013-3893.html
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/product-coverage-and-mitigation...
https://securityintelligence.com/trusteers-exploit-prevention-stops-attacks-targeting-new-ie-zero-da...
https://media.paloaltonetworks.com/lp/endpoint-security/blog/cve-2013-3893-analysis-of-the-new-ie-0-...
http://tipstrickshack.blogspot.com/2013/10/exploit-for-all-ie-versioncve-2013-3893.html