Inside the guts of a fiendish Internet Explorer 0-day attack

Bite down, matey, surgeon Pott's got his chopper out

Application security programs and practises

Sysadmin blog The latest use-after-free vulnerability in Microsoft's Internet Explorer is being actively exploited in the wild.

While this comes as a surprise to nobody, we all get to live in fear for a while until the software giant manages to get a patch out the door. In the interests of attempting to overcome a particularly nasty bout of insomnia, I decided to find out how exactly how the exploit worked.

The rough overview, according to those who have studied the attack technique, is that there is some broken code in the MSHTML core component of Internet Explorer: specifically, in the way it allocates and releases memory after malicious JavaScript commands the web browser to select the contents of a web page, just as if the user had hit "select all" from a menu.

Some memory is grabbed to create an object associated with this "select all" operation and the command is duly executed. This action immediately triggers another part of the JavaScript set to run when any part of the page is selected. So far, so good.

The selection event handler script then writes a character to the web page. This, for reasons best known to Microsoft, causes the browser to delete the original command object and free its memory.

However, the "select all" command has not finished executing - remember, it was interrupted. The selection event handler is still running, and rewrites 100 HTML image tags with extra data. This is a textbook attempt to force the browser to reuse the memory that was previously holding the "select all" command object and fill it instead with the data in the updated tags. With a lot of luck and testing on the hackers' part, it's possible to carefully overwrite the memory that held the command object with new data. The event handler then exits.

The browser returns to handling the "select all" command, and it tries to use what it thought was its object - instead the object's memory had been freed and now contains data set by the hackers. The object holds the location of an internal browser function that needs to be called, and this value can be changed to point to malicious code - thus hijacking the flow of execution and putting hackers on the road to compromising the machine. It is a classic use-after-free bug.

The malicious code runs with the same privileges as the Internet Explorer process, and can be placed in memory prior to the attack. Once the processor is executing the hackers' code, it can be instructed to download and run a second executable, such as a rootkit, worm or whatever.

The exploit in the wild has some extra steps and layers of packaging to obfuscate the code and line up the attack on Windows XP machines. However, the relevant Metasploit module to demonstrate the attack uses two HTML files, one nested inside an iframe of the other. The parent HTML file creates an array using JavaScript, and sets the first element of that array to be an image on the page. It then sets the "src" property to a random single character. (The original proof of concept used "L", so I will too.)

The parent HTML is here.

Inside the child HTML script is where the magic happens. There are two functions; one "selects all" and the other prints a single character "L" and changes the "src" value of the image object inside the parent HTML's array to the special string that mimics the command object in memory. This is the meat of the exploit. Note that the Metasploit example doesn't have to do this 100 times.

To trigger the whole process, a couple of simple additions to the body tag are used: on loading the malicious page, the child HTML calls the function that selects all the text; this triggers the function assigned to the "on select" handler, the function that writes the changes.

The child HTML is here.

The Metasploit example includes extra JavaScript to place machine code that will attempt to compromise the machine; execution is diverted from the "select all" command to these instructions.

Frightening stuff. This is a really basic view of how to create and then divert execution to a malicious block of memory. Consider that JavaScript is generally always enabled and capable of all sorts of dynamic interaction; once you have the memory block in hand, you can do all sorts of fun things here - dropping in Zeroaccess would be just for starters. Some more clues on who is behind the exploit can be found here.

Throwing a fuzzer at IE and looking at memory dumps, or calling functions in a way that Microsoft never intended, until you identify specific code that allow you to do things like this is intensive work. No matter how well-written your application is, there are always going to be bugs like this that someone can take advantage of.

What should give systems administrators the heebie jeebies on this one is just how easy it is to use, and to extend past the basic exploit to do really creative things. ®

Eight steps to building an HP BladeSystem

More from The Register

next story
Sysadmin Day 2014: Quick, there's still time to get the beers in
He walked over the broken glass, killed the thugs... and er... reconnected the cables*
Apple fanbois SCREAM as update BRICKS their Macbook Airs
Ragegasm spills over as firmware upgrade kills machines
SHOCK and AWS: The fall of Amazon's deflationary cloud
Just as Jeff Bezos did to books and CDs, Amazon's rivals are now doing to it
Amazon Reveals One Weird Trick: A Loss On Almost $20bn In Sales
Investors really hate it: Share price plunge as growth SLOWS in key AWS division
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
prev story


Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.