Digging deeper into the IE vulnerability CVE-2014-1776 with Cyphort

Web browser vulnerabilities remain a fertile ground for hackers to harvest and mount attacks. The latest vulnerabilities found in Internet Explorer and the urgent response from Microsoft highlight the fact that, despite end-of-life announcements for old and less secure products, millions of users remain exposed to threats.

Web browser attacks and how the vulnerabilities are exploited
How CVE-2014-1776 impacts you
Finding and dissecting active attacks
How to mitigate impacts of browser vulnerability based attacks


  1. Digging Deeper into the IE Vulnerability. Malware's Most Wanted Series, May 2014.
  2. Your Speakers Today: Marion Marschalek, Malware Analyst and Researcher; Anthony James, VP of Marketing and Products.
  3. Agenda
     o Introduction to Cyphort Labs
     o Anatomy of web browser attacks
     o Finding and dissecting active attacks
     o CVE-2014-1776 details and impact
     o How to mitigate risk
     o Q & A
     (Cyphort Labs T-shirt)
  4. About Cyphort Labs: We work with the security ecosystem.
     o Contribute to and learn from malware KB
     o We enhance malware detection accuracy (false positives/negatives)
     o Deep-dive research: global malware research team
     o 24x7 monitoring for malware events
  5. VULNERABILITY, EXPLOIT, PAYLOAD
  6. Anatomy of a Drive-by (diagram with Attacker, Victim, Legitimate Web Server, Exploit Hosting Server and Malware Distribution Server): the attacker injects malicious JavaScript into the legitimate web server; the victim is redirected to the exploit hosting server, which serves the exploit; the victim downloads the malicious executable from the malware distribution server and executes exploit and payload.
  7. Exploitation: Hostile Takeover. Mission Statement: Control EIP. EIP = Instruction Pointer. Control of EIP = Control of Execution.
  8. Back to the Roots ... (stack frame diagram: Parameters, Return Address, Saved EBP, Local Variables). buffer[32] is overflowed with 32 bytes of filler ("buuuufff feeeeero ooverfff loooooow") followed by \xef\x65\x41\x01. "Smashing the Stack for Fun and Profit", Aleph One, 1996. On return the program will execute at 0x014165ef where the shellcode is waiting.
  9. Vulnerabilities Exploited Today (chart). Source: Microsoft Security Intelligence Report Vol. 16 (http://www.microsoft.com/security/sir/)
  10. The Zero-day Phenomenon (chart). Source: "Before We Knew It", Symantec Research (http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf)
  11. The Zero-day Phenomenon (timeline of attacks over time): vulnerability introduced; vulnerability disclosed; exploit released in the wild; vendor patch released; patch widely deployed. Label: Zero-Day Attacks.
  12. Poll #1: Most expensive exploit. Which Zero-day exploit do you think is most expensive on the black market?
     o Adobe Reader
     o Internet Explorer
     o Flash
     o Firefox
  13. The Legitimate Vulnerability Market
     o Price depends on vulnerability impact and exploitability
     o Need for trusted third party
     Source: Forbes (http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/)
  14. Web Browser as Window to the Endpoint
  15. Internet Explorer Exposed: CVE-2014-1776
     o Revealed end of April 2014
     o Official patch from Microsoft May 1st
     o Affecting IE versions 6 to 11
     o Use-After-Free vulnerability
  16. Internet Explorer Exposed: CVE-2014-1776 (exploit flow diagram). Components: .html, vshow.swf, cmmon.js. Steps: Heap Preparation; Decryption of ExploitString; Timer Registration for proc(); Eval(ExploitString); Prepare ROP Chain; Corrupt Memory; Invoke Patched toString(); send ExploitString via ExternalInterface.
  17. Internet Explorer Exposed: CVE-2014-1776
     o Heap Spraying
     o Use After Free
     o ROP Chain
     o Shellcode
     (Same exploit flow diagram as slide 16: .html, vshow.swf, cmmon.js; Heap Preparation; Decryption of ExploitString; Timer Registration for proc(); Eval(ExploitString); Prepare ROP Chain; Corrupt Memory; Invoke Patched toString(); send ExploitString via ExternalInterface.)
  18. Internet Explorer Exposed: CVE-2014-1776 (memory layout diagram: Stack, Code, Heap). Exploit, Heap Preparation: memory filled with repeated NOP+SC (NOP sled plus shellcode) blocks; ROP; Jump to Heap.
     o Heap Spraying
     o Use After Free
     o ROP Chain
     o Shellcode
  19. Internet Explorer Exposed: CVE-2014-1776 (object layout diagram). Class Object: pointer to vtable, member variables. vtable: Function1(), Function2(), Function3().
     o Heap Spraying
     o Use After Free
     o ROP Chain
     o Shellcode
  20. Internet Explorer Exposed: CVE-2014-1776. Exploit steps: Overwrite Object Length; Corrupt Sound Object; Call Stack Pivot + ROP; Call ZwProtectVirtualMemory.
     o Heap Spraying
     o Use After Free
     o ROP Chain
     o Shellcode
  21. Internet Explorer Exposed: CVE-2014-1776. Dynamic resolution of API addresses. Final exploit action +
     o Heap Spraying
     o Use After Free
     o ROP Chain
     o Shellcode
  22. 3 Key Mitigations: Keep Your Systems Up-to-Date
  23. 3 Key Mitigations: Activate EMET 4.1
  24. 3 Key Mitigations: Break the Kill Chain by Applying Holistic Security
  25. Q and A
     o Information sharing and advanced threats resources
     o Blogs on latest threats and findings
     o Tools for identifying malware
