Feeds

Inside the guts of a fiendish Internet Explorer 0-day attack

Bite down, matey, surgeon Pott's got his chopper out

High performance access to file storage

Sysadmin blog The latest use-after-free vulnerability in Microsoft's Internet Explorer is being actively exploited in the wild.

While this comes as a surprise to nobody, we all get to live in fear for a while until the software giant manages to get a patch out the door. In the interests of attempting to overcome a particularly nasty bout of insomnia, I decided to find out how exactly how the exploit worked.

The rough overview, according to those who have studied the attack technique, is that there is some broken code in the MSHTML core component of Internet Explorer: specifically, in the way it allocates and releases memory after malicious JavaScript commands the web browser to select the contents of a web page, just as if the user had hit "select all" from a menu.

Some memory is grabbed to create an object associated with this "select all" operation and the command is duly executed. This action immediately triggers another part of the JavaScript set to run when any part of the page is selected. So far, so good.

The selection event handler script then writes a character to the web page. This, for reasons best known to Microsoft, causes the browser to delete the original command object and free its memory.

However, the "select all" command has not finished executing - remember, it was interrupted. The selection event handler is still running, and rewrites 100 HTML image tags with extra data. This is a textbook attempt to force the browser to reuse the memory that was previously holding the "select all" command object and fill it instead with the data in the updated tags. With a lot of luck and testing on the hackers' part, it's possible to carefully overwrite the memory that held the command object with new data. The event handler then exits.

The browser returns to handling the "select all" command, and it tries to use what it thought was its object - instead the object's memory had been freed and now contains data set by the hackers. The object holds the location of an internal browser function that needs to be called, and this value can be changed to point to malicious code - thus hijacking the flow of execution and putting hackers on the road to compromising the machine. It is a classic use-after-free bug.

The malicious code runs with the same privileges as the Internet Explorer process, and can be placed in memory prior to the attack. Once the processor is executing the hackers' code, it can be instructed to download and run a second executable, such as a rootkit, worm or whatever.

The exploit in the wild has some extra steps and layers of packaging to obfuscate the code and line up the attack on Windows XP machines. However, the relevant Metasploit module to demonstrate the attack uses two HTML files, one nested inside an iframe of the other. The parent HTML file creates an array using JavaScript, and sets the first element of that array to be an image on the page. It then sets the "src" property to a random single character. (The original proof of concept used "L", so I will too.)

The parent HTML is here.

Inside the child HTML script is where the magic happens. There are two functions; one "selects all" and the other prints a single character "L" and changes the "src" value of the image object inside the parent HTML's array to the special string that mimics the command object in memory. This is the meat of the exploit. Note that the Metasploit example doesn't have to do this 100 times.

To trigger the whole process, a couple of simple additions to the body tag are used: on loading the malicious page, the child HTML calls the function that selects all the text; this triggers the function assigned to the "on select" handler, the function that writes the changes.

The child HTML is here.

The Metasploit example includes extra JavaScript to place machine code that will attempt to compromise the machine; execution is diverted from the "select all" command to these instructions.

Frightening stuff. This is a really basic view of how to create and then divert execution to a malicious block of memory. Consider that JavaScript is generally always enabled and capable of all sorts of dynamic interaction; once you have the memory block in hand, you can do all sorts of fun things here - dropping in Zeroaccess would be just for starters. Some more clues on who is behind the exploit can be found here.

Throwing a fuzzer at IE and looking at memory dumps, or calling functions in a way that Microsoft never intended, until you identify specific code that allow you to do things like this is intensive work. No matter how well-written your application is, there are always going to be bugs like this that someone can take advantage of.

What should give systems administrators the heebie jeebies on this one is just how easy it is to use, and to extend past the basic exploit to do really creative things. ®

High performance access to file storage

More from The Register

next story
Seagate brings out 6TB HDD, did not need NO STEENKIN' SHINGLES
Or helium filling either, according to reports
European Court of Justice rips up Data Retention Directive
Rules 'interfering' measure to be 'invalid'
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Cisco reps flog Whiptail's Invicta arrays against EMC and Pure
Storage reseller report reveals who's selling what
Just what could be inside Dropbox's new 'Home For Life'?
Biz apps, messaging, photos, email, more storage – sorry, did you think there would be cake?
IT bods: How long does it take YOU to train up on new tech?
I'll leave my arrays to do the hard work, if you don't mind
Amazon reveals its Google-killing 'R3' server instances
A mega-memory instance that never forgets
USA opposes 'Schengen cloud' Eurocentric routing plan
All routes should transit America, apparently
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.