CVE-2013-1347
published 2013-05-05


Priority: P1 (86), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS: 77.89% (99.5th percentile)
Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly allocated or (2) is deleted, as exploited in the wild in May 2013.

Affected (1 range)

Vendor      Product            Version range   Fixed in
microsoft   internet_explorer

Detection & IOCs (extracted from sources)

Snort SIDs: 26569 through 26572, 26603 and 26668
  • JavaScript IDS evasion in the LightsOut kit encodes strings by interleaving digits that must be removed before the string is meaningful; e.g. removing all digits from '836f4974362o65679305r82637150N61617044a77736359m99323481e9388' yields 'forName'.
  • The DoL watering-hole attack injected a redirect from the compromised website to an attacker-controlled host rather than hosting exploit files directly; look for injected iframe or redirect code pointing to external hosts on otherwise legitimate sites.
  • The Elderwood-linked CFR compromise used specific filenames (news.html, robots.txt, today.swf, xsainfo.jpg, config.html) on the compromised server; the presence of these files on a site not otherwise linked to Elderwood is a strong indicator of compromise.
  • The first-stage dropper (ntsys391.exe) copies itself to a path containing a trailing space in the file name ('Broker services\WbemMonitor .exe'); the space before .exe is anomalous and useful for host-based detection.
  • The LightsOut exploit kit dynamically builds payloads per request (e.g. the r7 JAR may be rebuilt per request by PHP), so hashes of kit-generated files may not be stable across campaigns.
  • At the time of the Talos report, CVE-2013-1347 was not yet being exploited in monitored exploit kits (only Metasploit had a public module), so kit-based IOCs may not have been fully representative of all in-the-wild activity.
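The digit-interleaving described in the first bullet can be undone mechanically, which makes it a usable detection signal rather than just an evasion trick. The following is an added example (not code from this page or from the Talos report) that strips digits from quoted string literals in a JavaScript fragment and flags those that decode to a watched identifier; the watchlist and the sample JavaScript are constructed assumptions.

```python
import re

# The page's own example: removing every digit yields 'forName'.
PAGE_SAMPLE = "836f4974362o65679305r82637150N61617044a77736359m99323481e9388"

# Watchlist of identifiers that legitimate code rarely hides inside a
# digit-padded literal (assumption: this list is ours, not from the report).
WATCHED_IDENTIFIERS = {"forName", "eval", "unescape", "fromCharCode"}

# Quoted literal made only of letters and digits; the backreference keeps the
# opening and closing quote characters the same.
_LITERAL = re.compile(r"""(['"])([A-Za-z0-9]+)\1""")


def strip_digits(literal: str) -> str:
    """Undo the LightsOut-style encoding by deleting every digit."""
    return re.sub(r"\d", "", literal)


def find_interleaved_literals(js_source: str) -> list[tuple[str, str]]:
    """Return (literal, decoded) pairs for string literals that contain digits
    and, once the digits are removed, spell a watched identifier."""
    hits = []
    for match in _LITERAL.finditer(js_source):
        literal = match.group(2)
        if not any(ch.isdigit() for ch in literal):
            continue  # ordinary literal, nothing to decode
        decoded = strip_digits(literal)
        if decoded in WATCHED_IDENTIFIERS:
            hits.append((literal, decoded))
    return hits


# Constructed JavaScript fragment for demonstration: the first literal is the
# page's sample, the third is a made-up digit-padded encoding of 'eval'.
CONSTRUCTED_JS = """
var m = '836f4974362o65679305r82637150N61617044a77736359m99323481e9388';
var greeting = "hello";
var e = '5e2v8a1l0';
var id = 'ab12cd';
"""

if __name__ == "__main__":
    for literal, decoded in find_interleaved_literals(CONSTRUCTED_JS):
        print(f"{decoded!r} hidden in {literal!r}")
```

A literal such as 'ab12cd' also contains digits but decodes to an unwatched name, so it is not reported; extend the watchlist to suit the environment.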

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd         v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck             8.8     HIGH
cisa                  8.8     HIGH