Inside the guts of a fiendish Internet Explorer 0-day attack

Bite down, matey, surgeon Pott's got his chopper out

The Essential Guide to IT Transformation

Sysadmin blog The latest use-after-free vulnerability in Microsoft's Internet Explorer is being actively exploited in the wild.

While this comes as a surprise to nobody, we all get to live in fear for a while until the software giant manages to get a patch out the door. In the interests of attempting to overcome a particularly nasty bout of insomnia, I decided to find out how exactly how the exploit worked.

The rough overview, according to those who have studied the attack technique, is that there is some broken code in the MSHTML core component of Internet Explorer: specifically, in the way it allocates and releases memory after malicious JavaScript commands the web browser to select the contents of a web page, just as if the user had hit "select all" from a menu.

Some memory is grabbed to create an object associated with this "select all" operation and the command is duly executed. This action immediately triggers another part of the JavaScript set to run when any part of the page is selected. So far, so good.

The selection event handler script then writes a character to the web page. This, for reasons best known to Microsoft, causes the browser to delete the original command object and free its memory.

However, the "select all" command has not finished executing - remember, it was interrupted. The selection event handler is still running, and rewrites 100 HTML image tags with extra data. This is a textbook attempt to force the browser to reuse the memory that was previously holding the "select all" command object and fill it instead with the data in the updated tags. With a lot of luck and testing on the hackers' part, it's possible to carefully overwrite the memory that held the command object with new data. The event handler then exits.

The browser returns to handling the "select all" command, and it tries to use what it thought was its object - instead the object's memory had been freed and now contains data set by the hackers. The object holds the location of an internal browser function that needs to be called, and this value can be changed to point to malicious code - thus hijacking the flow of execution and putting hackers on the road to compromising the machine. It is a classic use-after-free bug.

The malicious code runs with the same privileges as the Internet Explorer process, and can be placed in memory prior to the attack. Once the processor is executing the hackers' code, it can be instructed to download and run a second executable, such as a rootkit, worm or whatever.

The exploit in the wild has some extra steps and layers of packaging to obfuscate the code and line up the attack on Windows XP machines. However, the relevant Metasploit module to demonstrate the attack uses two HTML files, one nested inside an iframe of the other. The parent HTML file creates an array using JavaScript, and sets the first element of that array to be an image on the page. It then sets the "src" property to a random single character. (The original proof of concept used "L", so I will too.)

The parent HTML is here.

Inside the child HTML script is where the magic happens. There are two functions; one "selects all" and the other prints a single character "L" and changes the "src" value of the image object inside the parent HTML's array to the special string that mimics the command object in memory. This is the meat of the exploit. Note that the Metasploit example doesn't have to do this 100 times.

To trigger the whole process, a couple of simple additions to the body tag are used: on loading the malicious page, the child HTML calls the function that selects all the text; this triggers the function assigned to the "on select" handler, the function that writes the changes.

The child HTML is here.

The Metasploit example includes extra JavaScript to place machine code that will attempt to compromise the machine; execution is diverted from the "select all" command to these instructions.

Frightening stuff. This is a really basic view of how to create and then divert execution to a malicious block of memory. Consider that JavaScript is generally always enabled and capable of all sorts of dynamic interaction; once you have the memory block in hand, you can do all sorts of fun things here - dropping in Zeroaccess would be just for starters. Some more clues on who is behind the exploit can be found here.

Throwing a fuzzer at IE and looking at memory dumps, or calling functions in a way that Microsoft never intended, until you identify specific code that allow you to do things like this is intensive work. No matter how well-written your application is, there are always going to be bugs like this that someone can take advantage of.

What should give systems administrators the heebie jeebies on this one is just how easy it is to use, and to extend past the basic exploit to do really creative things. ®

The Essential Guide to IT Transformation

More from The Register

next story
Sysadmin Day 2014: Quick, there's still time to get the beers in
He walked over the broken glass, killed the thugs... and er... reconnected the cables*
VMware builds product executables on 50 Mac Minis
And goes to the Genius Bar for support
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Microsoft says 'weird things' can happen during Windows Server 2003 migrations
Fix coming for bug that makes Kerberos croak when you run two domain controllers
Cisco says network virtualisation won't pay off everywhere
Another sign of strain in the Borg/VMware relationship?
Forrester says Australia, not China, is next boom market for cloud
It's cloudy but fine down under, analyst says
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.