Rare Silverlight Zero-Day Uncovered in Hacking Team Saga


A rare Silverlight zero-day vulnerability has been uncovered, which would allow an attacker to gain full access to a compromised computer.

The research discovery, made by Kaspersky Lab, began with the compromise and data dump of Hacking Team, the infamous Italian spyware company—and has resulted in the zero-day being patched in Microsoft’s Security Bulletin yesterday.

For those who are not familiar with the subject, Hacking Team was founded in 2003 and specialized in selling spyware and surveillance tools to governments and law enforcement agencies. On July 5, 2015, a large amount of data from the company was leaked to the Internet, with a hacker known as “Phineas Fisher” claiming responsibility for the breach. Previously, “Phineas Fisher” had carried out a similar attack against Gamma International, another company in the spyware/surveillance business.

In the midst of this came a story about how a Russian hacker, Vitaliy Toropov, made $45,000 selling a 0-day Flash exploit to Hacking Team. The article also mentioned that Toropov offered the company a Microsoft Silverlight exploit written more than two years ago, which is still effective.

“If that was true, it would be a heavyweight bug, with huge potential to successfully attack a lot of major targets,” explained Kaspersky, in a detailed analysis. “For instance, when you install Silverlight, it not only registers itself in Internet Explorer, but also in Mozilla Firefox, so the attack vector could be quite large.”

To catch this possibly unknown Silverlight exploit, Kaspersky started investigating the other exploits written by Toropov, who has a comprehensive profile on OSVDB and PacketStorm. One of the archives turned up a readme file describing a Silverlight bug, together with the source code for a proof-of-concept (PoC) exploit. Kaspersky built detections for it and then waited to see whether an APT group would use it.

“Since Vitaliy Toropov was offering it to Hacking Team, we also assumed that he sold it to other buyers, and what good is a zero-day if you don’t use it?” the researchers explained. “Unfortunately, for several months, nothing happened.”

In late November, one of the firm’s generic detections for Toropov’s 2013 Silverlight exploit was triggered, and separately, a sample was uploaded to a multiscanner service from the Lao People’s Democratic Republic (Laos). The file was compiled on July 21, 2015, about two weeks after the Hacking Team breach, leaving open the question of whether this was the 2013 Silverlight zero-day Vitaliy Toropov had tried to sell to Hacking Team, or a new one.

There is evidence that this is one of his exploits, such as the presence of custom error strings. For copyright reasons, however, Kaspersky could not check whether the leaked Hacking Team archive contains this exploit as well.

“Comparing the analysis of this file with the previous work of Vitaliy Toropov makes us think that the author of the recently discovered exploit, and the author of POCs published on OSVDB in the name of Toropov, is the same person,” said Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab, via email. “At the same time we do not completely exclude the possibility that we found yet another zero-day exploit in Silverlight. Overall, this research helped to make cyberspace a little safer by discovering a new zero-day and responsibly disclosing it. We encourage all users of Microsoft products to update their systems as soon as possible to patch this vulnerability.”

Kaspersky disclosed the bug to Microsoft, which confirmed the zero-day (CVE-2016-0034) and issued a patch on January 12.

Photo © A. Penkov/Shutterstock.com
