Digging deeper into the IE vulnerability CVE-2014-1776 with Cyphort

Web browser vulnerabilities remain a fertile ground for hackers to harvest and mount attacks. The latest vulnerabilities found in Internet Explorer, and the urgent response from Microsoft, highlight the fact that despite end-of-life announcements for old and less secure products, millions of users remain exposed to threats.

Web browser attacks and how the vulnerabilities are exploited
How CVE-2014-1776 impacts you
Finding and dissecting active attacks
How to mitigate impacts of browser vulnerability based attacks


  1. Digging Deeper into the IE Vulnerability. Malware's Most Wanted Series, May 2014.
  2. Your Speakers Today: Marion Marschalek, Malware Analyst and Researcher; Anthony James, VP of Marketing and Products.
  3. Agenda: Introduction to Cyphort Labs; Anatomy of web browser attacks; Finding and dissecting active attacks; CVE-2014-1776 details and impact; How to mitigate risk; Q & A. (Cyphort Labs T-shirt)
  4. About Cyphort Labs: We work with the security ecosystem; contribute to and learn from the malware KB; we enhance malware detection accuracy (false positives/negatives); deep-dive research; global malware research team; 24x7 monitoring for malware events.
  5. Vulnerability -> Exploit -> Payload.
  6. Anatomy of a Drive-by (diagram): the Attacker injects malicious JavaScript into a Legitimate Web Server; the Legitimate Web Server redirects the Victim to the Exploit Hosting Server, which serves the exploit; the Victim executes the exploit and payload and downloads the malicious executable from the Malware Distribution Server.
  7. Exploitation: Hostile Takeover. Mission statement: control EIP. EIP = instruction pointer; control of EIP = control of execution.
  8. Back to the Roots ... (stack frame diagram: Parameters, Return Address, Saved EBP, Local Variables). buffer[32] is filled with "buuuufff feeeeero ooverfff loooooow" followed by \xef\x65\x41\x01, which overwrites the Saved EBP and Return Address; on return the program will execute at 0x014165ef, where the shellcode is waiting. Source: Smashing the Stack for Fun and Profit, Aleph One, 1996.
  9. Vulnerabilities Exploited Today. Source: Microsoft Security Intelligence Report Vol. 16 (http://www.microsoft.com/security/sir/).
  10. The Zero-day Phenomenon. Source: Before We Knew It, Symantec Research (http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf).
  11. The Zero-day Phenomenon (timeline of attacks over time): vulnerability introduced; vulnerability disclosed; exploit released in the wild; vendor patch released; patch widely deployed. The zero-day attacks are marked on the timeline.
  12. Poll #1 - Most expensive exploit: Which zero-day exploit do you think is most expensive on the black market? Adobe Reader; Internet Explorer; Flash; Firefox.
  13. The Legitimate Vulnerability Market: price depends on vulnerability impact and exploitability; need for a trusted third party. Source: Forbes (http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/).
  14. Web Browser as Window to the Endpoint.
  15. Internet Explorer Exposed: CVE-2014-1776. Revealed end of April 2014; official patch from Microsoft May 1st; affecting IE versions 6 to 11; use-after-free vulnerability.
  16. Internet Explorer Exposed: CVE-2014-1776 (exploit flow diagram): .html -> vshow.swf -> cmmon.js. Stages: heap preparation; decryption of ExploitString; timer registration for proc(); eval(ExploitString); prepare ROP chain; corrupt memory; invoke patched toString(); ExploitString is sent via ExternalInterface.
  17. Internet Explorer Exposed: CVE-2014-1776. Steps: Heap Spraying; Use After Free; ROP Chain; Shellcode. (Same exploit flow diagram as slide 16.)
  18. Internet Explorer Exposed: CVE-2014-1776 - Heap Spraying (memory diagram: Stack, Code, Heap). The exploit performs heap preparation, filling the heap with NOP+SC (NOP sled plus shellcode) blocks; ROP then jumps into the heap. Steps: Heap Spraying; Use After Free; ROP Chain; Shellcode.
  19. Internet Explorer Exposed: CVE-2014-1776 - Use After Free (diagram: a Class Object holds a pointer to its vtable and its member variables; the vtable lists Function1(), Function2(), Function3()). Steps: Heap Spraying; Use After Free; ROP Chain; Shellcode.
  20. Internet Explorer Exposed: CVE-2014-1776 - ROP Chain: Exploit -> overwrite object length -> corrupt Sound object -> call stack pivot + ROP -> call ZwProtectVirtualMemory. Steps: Heap Spraying; Use After Free; ROP Chain; Shellcode.
  21. Internet Explorer Exposed: CVE-2014-1776 - Shellcode: dynamic resolution of API addresses; final exploit action + . Steps: Heap Spraying; Use After Free; ROP Chain; Shellcode.
  22. 3 Key Mitigations: Keep your systems up-to-date.
  23. 3 Key Mitigations: Activate EMET 4.1.
  24. 3 Key Mitigations: Break the kill chain by applying holistic security.
  25. Q and A: information sharing and advanced-threat resources; blogs on latest threats and findings; tools for identifying malware.
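As an added illustration of "break the kill chain" (slide 24) applied to the drive-by sequence on slides 6 and 16, the following Python is not from the Cyphort deck: it scans constructed web-proxy log lines for one client fetching an HTML page, then loading a .swf and a .js from a different host, then downloading an executable, all within an assumed 60-second window. The log format, hostnames, content types and window are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WINDOW = timedelta(seconds=60)  # assumed: the whole chain completes within a minute
EXE_TYPES = {"application/x-msdownload", "application/octet-stream"}
EXPLOIT_STAGES = {"application/x-shockwave-flash", "application/javascript"}

# Constructed sample log (not real traffic): "timestamp client status url content-type".
# Client 10.0.0.5 follows the chain; client 10.0.0.7 only plays a Flash file from the
# same site it visited, so it must not be flagged.
SAMPLE_LOG = """\
2014-05-02T10:00:01 10.0.0.5 200 http://news.example.com/index.html text/html
2014-05-02T10:00:02 10.0.0.5 302 http://news.example.com/ads/track.php text/html
2014-05-02T10:00:02 10.0.0.5 200 http://cdn-files.example.net/vshow.swf application/x-shockwave-flash
2014-05-02T10:00:03 10.0.0.5 200 http://cdn-files.example.net/cmmon.js application/javascript
2014-05-02T10:00:09 10.0.0.5 200 http://dl.example.org/update.exe application/x-msdownload
2014-05-02T10:05:00 10.0.0.7 200 http://news.example.com/index.html text/html
2014-05-02T10:05:01 10.0.0.7 200 http://news.example.com/player.swf application/x-shockwave-flash
"""

def parse_log(text):
    """Turn the constructed log lines into dicts with a parsed timestamp and hostname."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, status, url, ctype = line.split()
            events.append({"ts": datetime.fromisoformat(ts), "client": client,
                           "status": int(status), "url": url,
                           "host": urlsplit(url).hostname, "ctype": ctype})
    return events

def find_driveby_chains(events):
    """Return {client: (landing_host, exploit_host, payload_url)} for every client whose
    requests reproduce landing page -> exploit host (.swf + .js) -> executable download."""
    hits, by_client = {}, defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_client[e["client"]].append(e)
    for client, evs in by_client.items():
        for i, page in enumerate(evs):
            if page["ctype"] != "text/html" or client in hits:
                continue
            later = [e for e in evs[i + 1:] if e["ts"] - page["ts"] <= WINDOW]
            for host in sorted({e["host"] for e in later if e["host"] != page["host"]}):
                from_host = [e for e in later if e["host"] == host]
                if not EXPLOIT_STAGES <= {e["ctype"] for e in from_host}:
                    continue  # this host did not serve both exploit stages
                last_stage = max(e["ts"] for e in from_host)
                exe = next((e for e in later if e["ctype"] in EXE_TYPES
                            and e["ts"] >= last_stage), None)
                if exe:
                    hits[client] = (page["host"], host, exe["url"])
                    break
    return hits
```

A real deployment would key on more than content type (referer chain, file signatures), but the per-client, time-bounded sequence is the part that maps the slide's kill chain onto log data.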
