CVE-2012-1889: Security Update Analysis

CVE-2012-1889: Security Update Analysis by Brian MARIANI & Frédéric BOURLA from High-Tech Bridge.

Since the 30th of May 2012, attackers have been abusing the Microsoft XML Core Services vulnerability. On the 10th of July 2012 Microsoft finally published a security advisory that fixes this issue. The present document and video explain the details of this fix. As a lab test we used a Windows XP workstation with Service Pack 3; the Internet Explorer version is 6.0.

Presentation page (with video): https://www.htbridge.com/publications/cve_2012_1889_security_update_analysis.html

CVE-2012-1889: Security Update Analysis

  1. CVE-2012-1889 Security Update Analysis. 19th July 2012. Brian MARIANI & Frédéric BOURLA. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  2. Timeline
     – On June 12th 2012, Microsoft published a security advisory with a temporary fix for the MSXML Core Services vulnerability, which is heavily exploited in the wild.
     – On June 18th 2012, Metasploit released a working exploit.
     – On June 19th 2012, a 100% reliable exploit for Internet Explorer 6/7/8/9 on Windows XP/Vista and Windows 7 SP1 was published by Metasploit.
     – On July 9th 2012, Microsoft finally released a security update that patches this vulnerability.
  3. Some important details
     – This document is the continuation of the previous publication: “Microsoft XML core services uninitialized memory vulnerability”.
     – In this new presentation we analyze the security update released on July 9th 2012, which fixes several DLL libraries, especially msxml3.dll.
     – The lab environment is an English Windows XP SP3 workstation.
     – For simplicity, the ASLR and DEP security options are deactivated.
  4. Security update
  5. File size comparison
     – We identify all files involved in the security update process with monitoring tools such as Process Monitor. The file that interests us is the msxml3.dll library.
     – To compare the unpatched and patched files, we first copy the unpatched library to an analysis directory.
     – We apply the security update and copy the patched DLL into the same directory under a new file name.
     – Comparing the size of this particular file before and after the update, we notice a difference of only 66 bytes.
  6. Binary Diffing
     – Binary diffing is a technique for performing automated binary differential analysis.
     – It is very useful for reverse engineering patches as well as program updates.
     – Some of the available binary diffing tools are: BinDiff, PatchDiff, DarunGrim, Turbodiff.
     – Here, we used Turbodiff.
  7. Turbodiff
     – Turbodiff was programmed by Nicolás Economou.
     – It was presented at the Argentinian security conference Ekoparty in 2009.
     – It is a heuristic-based IDA plugin aimed at binary diffing.
     – The tool was developed in C++.
     – It provides architecture-independent diffing.
  8. Turbodiff results (1)
     – After analyzing the two binary files, Turbodiff creates an .ana file from the IDA .idb file.
     – The .ana file is used later to detect the suspicious and changed functions.
     – Turbodiff then displays its results:
  9. Turbodiff results (2)
     – After examining the differences between the two files:
       – 25 functions are marked as suspicious.
       – 72 functions are marked as changed.
  10. Turbodiff results (3)
     – Let’s check the changes in the DOMNode::get_definition(IXMLDOMNode) function, which is the most important procedure involved in this vulnerability (before / after screenshots).
     – As we can see, the instruction mov [edi], ebx was added to the get_definition function.
     – To understand this minor change, let’s analyze the whole process.
  11. Flow analysis (1–8). Execution trace from _dispatchImpl::InvokeHelper down to the patched instruction in DOMNode::get_definition:
      749bd756 _dispatchImpl::InvokeHelper
      749bd7de call dword ptr [esi+0x20] {msxml3!DOMNode::_invokeDOMNode}
      749d42da msxml3!DOMNode::_invokeDOMNode
      749d6499 msxml3!DOMNode::get_definition
      749d64d2 mov edi,[ebp+0xc] ss:0023:0013dff8=0013e138
      749d6514 mov [edi],ebx ds:0023:0013e138=0c0c0c08
     – The value loaded into edi at 749d64d2 points to the local variable that will be retrieved later by the _dispatchImpl::InvokeHelper function.
     – The instruction at 749d6514 corresponds to the security update: the memory edi points to is initialized to zero (the value of ebx).
  19. Flow analysis (9–13). After returning to the _dispatchImpl::InvokeHelper function, the previously sanitized pointer is moved into the eax register:
      _dispatchImpl::InvokeHelper
      749bd7e9 mov eax,[ebp-0x14] ss:0023:0013e138=00000000
      749bd7ec cmp eax,ebx
      749bd7f0 jz msxml3!_dispatchImpl::InvokeHelper+0xc2 (749bd818)
      749bd80a call dword ptr [ecx+0x18]
     – The conditional jump at 749bd7f0 is taken.
     – The call at 749bd80a, responsible for executing the payload, is no longer reachable because of the conditional jump.
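The check traced above, written out as an added C model (not code from the presentation or from msxml3): an unpatched and a patched get_definition writing through their out-pointer, and the InvokeHelper comparison that decides whether the indirect call is reached. The function names, the stale slot value (taken from the trace) and the "valid object" constant are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the caller's local variable at [ebp-0x14]. Before
   get_definition runs it still holds a stale value; 0x0c0c0c08 is the value
   shown in the trace, reused here as a constructed placeholder. */
#define STALE_SLOT_VALUE 0x0c0c0c08u
#define HYPOTHETICAL_OBJECT 0x1234u   /* assumed "valid object pointer" */

/* Unpatched get_definition: when no definition is produced, the out-pointer
   (edi = [ebp+0xc]) is never written, so the caller's slot keeps its stale
   contents. */
static void get_definition_unpatched(uintptr_t *out, int has_definition)
{
    if (has_definition)
        *out = HYPOTHETICAL_OBJECT;
    /* no else branch: *out is left untouched */
}

/* Patched get_definition: the added "mov [edi],ebx" (ebx == 0) stores zero
   before anything else, so the slot is always initialized. */
static void get_definition_patched(uintptr_t *out, int has_definition)
{
    *out = 0;                       /* the instruction added by the update */
    if (has_definition)
        *out = HYPOTHETICAL_OBJECT;
}

/* Models the caller, _dispatchImpl::InvokeHelper:
       mov eax,[ebp-0x14] ; cmp eax,ebx ; jz skip ; ... ; call [ecx+0x18]
   Returns 1 if the indirect call would be reached, 0 if jz skips it.
   The stale pointer is never dereferenced here; the model only reports
   which path the comparison selects. */
static int invoke_helper_reaches_call(void (*get_definition)(uintptr_t *, int),
                                      int has_definition)
{
    uintptr_t slot = STALE_SLOT_VALUE;   /* explicit stand-in for stack garbage */
    get_definition(&slot, has_definition);
    if (slot == 0)
        return 0;   /* jz taken: call dword ptr [ecx+0x18] is skipped */
    return 1;       /* call reached through whatever the slot holds */
}
```

With the unpatched callee and no definition, the comparison sees the stale value and the call is reached; with the patched callee the zeroed slot makes the jz taken.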
  24. Conclusions
     – As we have seen, the main change in the XML security update for Windows XP SP3 is the mov [edi],ebx instruction: 749d6514 891F mov [edi],ebx
     – This instruction sanitizes the value that will be retrieved later by the _dispatchImpl::InvokeHelper function.
     – If one replaces the two-byte instruction (891F) with NOP instructions (9090), the whole security update could be deactivated.
     – Apply the security update (KB2719985) as soon as you can, since this vulnerability is heavily exploited in the wild nowadays.
  25. References
     – http://www.microsoft.com/fr-fr/download/details.aspx?id=30290
     – http://support.microsoft.com/kb/2719985
     – http://www.openrce.org/forums/posts/82
     – http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=Heuristicas_aplicadas_a_la_comparacion_%28_diffeo_%29_de_binarios&file=Economou_2009-binary_diffing.pdf
  26. Acknowledgments
     – Thanks to Nicolás Economou from Core Security for allowing us to publish this document using his utility Turbodiff :]
     – http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=turbodiff
  27. Thanks for reading. Your questions are always welcome! brian.mariani@htbridge.ch, frederic.bourla@htbridge.ch