CVE-2016-3210
Published 2016-06-16
Priority: P276, high, 8.8 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ITW (VulnCheck KEV): exploited in the wild
EPSS: 21.86% (97.3th percentile)
The Microsoft (1) JScript and (2) VBScript engines, as used in Internet Explorer 11, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability."
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_version_1511_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_7_for_32-bit_systems_service_pack_1 | — | — |
| msrc | internet_explorer_11_on_windows_7_for_x64-based_systems_service_pack_1 | — | — |
| msrc | internet_explorer_11_on_windows_8.1_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_8.1_for_x64-based_systems | — | — |
| msrc | internet_explorer_11_on_windows_rt_8.1 | — | — |
| msrc | internet_explorer_11_on_windows_server_2008_r2_for_x64-based_systems_service_pac | — | — |
| msrc | internet_explorer_11_on_windows_server_2012_r2 | — | — |
Detection & IOCs (extracted from sources)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,to_client; file.data; content:"|77 72 69 74 65 4e 28 72 6f 70 61 64 64 72 20 2b 20 69 20 2a 20 34 2c 20 72 6f 70 5b 69 5d 2c 20 34 29 3b|"; classtype:attempted-admin; sid:2023569; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, cve CVE_2016_3210, deployment Perimeter, confidence High, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2024_03_14;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,to_client; file.data; content:"|43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65|"; nocase; content:"|73 70 72 61 79 48 65 61 70|"; nocase; content:"|73 65 74 41 64 64 72 65 73 73|"; nocase; content:"|30 78 63 36 62 65 63|"; nocase; content:"|30 78 46 46 46 46 30 30 30 30|"; nocase; classtype:attempted-admin; sid:2023568; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, cve CVE_2016_3210, deployment Perimeter, confidence High, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2024_03_14;)
- The exploit is associated with the Sundown Exploit Kit (tag: Exploit_Kit_Sundown); inspect HTTP responses from external hosts to client endpoints for the characteristic byte patterns.
- The exploit payload contains the string 'writeN(ropaddr + i * 4, rop[i], 4);' (decoded from |77 72 69 74 65 4e 28 72 6f 70 61 64 64 72 20 2b 20 69 20 2a 20 34 2c 20 72 6f 70 5b 69 5d 2c 20 34 29 3b|), indicating ROP chain construction targeting the scripting engine heap.
- The exploit payload (sid:2023568) contains multiple co-occurring strings decoded as 'CollectGarbage', 'sprayHeap', 'setAddress', '0xc6bec', and '0xFFFF0000', indicating heap spray and memory manipulation primitives in the exploit script.
- Detection should focus on HTTP responses (flow:established,to_client) carrying exploit content, consistent with a drive-by download delivery model.
- Microsoft rates exploitation as 'More Likely' for both latest and older software releases; prioritize detection on Internet Explorer 11 endpoints running JScript/VBScript.
- The Snort rules (sid:2023568, sid:2023569) use the 'file.data' sticky buffer, which requires a Snort/Suricata version that supports this buffer for HTTP response body inspection; ensure your sensor supports this keyword.
- The workaround of restricting access to vbscript.dll and jscript.dll will break websites that rely on VBScript or JScript, and must be carefully evaluated before deployment.
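To check how the two signatures combine their patterns, the following added example (not part of the original page or of the rule authors' tooling) decodes the `|hex|` content strings from the rule options shown above and evaluates them as the rules do: one case-sensitive match for sid:2023569, five co-occurring `nocase` matches for sid:2023568. The function names are hypothetical, and only `content` and `nocase` are modelled, not `flow` or HTTP parsing.

```python
import re

# Option excerpts copied from the two rules on this page (header/metadata omitted).
RULES = {
    2023569: 'file.data; content:"|77 72 69 74 65 4e 28 72 6f 70 61 64 64 72 20 2b '
             '20 69 20 2a 20 34 2c 20 72 6f 70 5b 69 5d 2c 20 34 29 3b|";',
    2023568: 'file.data; content:"|43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65|"; nocase; '
             'content:"|73 70 72 61 79 48 65 61 70|"; nocase; '
             'content:"|73 65 74 41 64 64 72 65 73 73|"; nocase; '
             'content:"|30 78 63 36 62 65 63|"; nocase; '
             'content:"|30 78 46 46 46 46 30 30 30 30|"; nocase;',
}
CONTENT_RE = re.compile(r'content:"([^"]*)";(\s*nocase;)?')

def decode_content(spec: str) -> bytes:
    """Decode a content string: literal text mixed with |hex byte| runs."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        # Odd-numbered segments sit between pipes and hold hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_contents(options: str):
    """Return [(pattern_bytes, nocase)] for each content match in a rule."""
    return [(decode_content(m.group(1)), bool(m.group(2)))
            for m in CONTENT_RE.finditer(options)]

def rule_matches(options: str, body: bytes) -> bool:
    """All content matches must be present; with no relative modifiers, order is free."""
    for pattern, nocase in parse_contents(options):
        hay, needle = (body.lower(), pattern.lower()) if nocase else (body, pattern)
        if needle not in hay:
            return False
    return True

def matching_sids(body: bytes):
    """SIDs of the rules above whose content logic fires on a response body."""
    return sorted(sid for sid, opts in RULES.items() if rule_matches(opts, body))

if __name__ == "__main__":
    # Constructed bodies: just the decoded marker strings, not a working page.
    markers = [p for p, _ in parse_contents(RULES[2023568])]
    print(markers)
    print(matching_sids(b"<html>" + b"\n".join(markers).upper() + b"</html>"))
    print(matching_sids(b" ".join(markers[:4])))  # one marker missing: no alert
```

A body with only four of the five markers does not fire sid:2023568, and a case-altered copy of the `writeN` string does not fire sid:2023569, because that rule carries no `nocase`.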
CVSS provenance
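| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| vendor_msrc | — | 8.8 | CRITICAL | — |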
GHSA
ghsa_unreviewed·2022-05-14
CVE-2016-3210 [HIGH] CWE-119 GHSA-7j7w-r8q7-jxh2: The Microsoft (1) JScript and (2) VBScript engines, as used in Internet Explorer 11, allow remote attackers to execute arbitrary code or cause a denia
VulnCheck
Microsoft Internet Explorer Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck·2016·CVSS 8.8
CVE-2016-3210 [HIGH] Microsoft Internet Explorer Improper Restriction of Operations within the Bounds of a Memory Buffer
Affected: Microsoft Internet Explorer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dl.acm.org/doi/pdf/10.1145/3465481.3465758
Microsoft
Scripting Engine Memory Corruption Vulnerability
vendor_msrc·2016-06-14·CVSS 8.8
CVE-2016-3210 [HIGH] Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website d
Suricata
ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30
suricata·2016-11-30·CVSS 8.8
CVE-2016-3210 [HIGH] ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,to_client; file.data; content:"|77 72 69 74 65 4e 28 72 6f 70 61 64 64 72 20 2b 20 69 20 2a 20 34 2c 20 72 6f 70 5b 69 5d 2c 20 34 29 3b|"; classtype:attempted-admin; sid:2023569; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, cve CVE_2016_3210, deployment Perimeter, confidence High, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2024_03_14;)
Suricata
ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30
suricata·2016-11-30·CVSS 8.8
CVE-2016-3210 [HIGH] ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,to_client; file.data; content:"|43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65|"; nocase; content:"|73 70 72 61 79 48 65 61 70|"; nocase; content:"|73 65 74 41 64 64 72 65 73 73|"; nocase; content:"|30 78 63 36 62 65 63|"; nocase; content:"|30 78 46 46 46 46 30 30 30 30|"; nocase; classtype:attempted-admin; sid:2023568; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, cve CVE_2016_3210, deployment Perimeter, confidence High, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2024_0
No public exploits indexed.
- http://www.securityfocus.com/bid/91106
- http://www.securitytracker.com/id/1036096
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-063