SlideShare a Scribd company logo
1 of 37
Download to read offline
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
CVE 2012-1889 Microsoft XML core services
uninitialized memory vulnerability
1th July 2012
Brian MARIANI & Frédéric BOURLA
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Timeline
 Before the 30th of May 2012 attackers were exploiting a new
Microsoft Internet Explorer 0day.
 The 30th of May 2012 Google warned Microsoft about this
vulnerability existing in the core of Internet Explorer XML
services.
 The 12th of June 2012 Microsoft published a security advisory with
a temporary fix.
 On June 18th 2012 the Metasploit Project released an exploit
module.
 On June 19th 2012 a Metasploit update was released, which
proposed a 100% reliable exploit for Internet Explorer 6/7/8/9 on
Windows XP, Vista, and all the way to Windows 7 SP1.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
The flaw
 The vulnerability exists in the MSXML3, MSXML4 and MSXML6
Microsoft dynamic-linked libraries.
 To trigger the flaw one must try to access an XML node (object
in memory) that has not been appropriately initialized.
 This leads to memory corruption in such a way that an
attacker could execute arbitrary code in the context of the
current user.
 This category of flaw can frequently be abused by arranging
the heap and stack memory areas with memory addresses
previously known by the attacker before the weak code triggers
the bug.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
What is XML?
According to Wikipedia:
 The Extensible Markup Language (XML) defines a set of rules
for encoding documents in a format that is both human-readable
and machine-readable.
 The design goals of XML emphasize simplicity, generality, and
usability over the Internet.
 It is a textual data format with strong support via Unicode for
many programming languages.
 It is also widely used for the representation of arbitrary data
structures, typically in web services.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Details about the crash
 The crash is produced in the msxml3.dll module.
 The function name where Internet Explorer generates the access
violation is _dispatchImpl::InvokeHelper.
 The instruction which produces the crash is a call to a pointer
generated by the content of the ECX register plus the 0x18h
value.
 In the present document we analyze the whole process from the
heap and stack spray, until the bug is triggered and the code
execution is reached.
 Our lab environment is an English Windows XP SP3 operating
system with IE 6.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Crash proof of concept
 A working proof of concept could be coded in these two ways:
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
The crash in Windbg
 Here is the crash within WinDBG debugger:
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Loading the vulnerable module
 In order to analyze this flaw we first create a simple HTML file.
 The main purpose is to load the vulnerable module first.
 Once the module is just loaded in memory, a breakpoint is set at
the very beginning of the function
_dispatchImpl::InvokeHelper.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Loading the vulnerable module
 The msxml3.dll module is now loaded at the 0x7498000
memory address.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Some important points
 Until the HTML page is rendered the _dispatchImpl::InvokeHelper
function will be called four times, however the instruction which permits
arbitrary code execution will be hit at the fourth entry.
 Before the _dispatchImpl::InvokeHelper function is reached the heap will
be already prepared in order to contain the or al,0x0C sled which gently
leads to the execution of shellcode.
 The or al,0x0C instruction does not affects any critical data. The goal is to
"slide" the flow of code to its ultimate destination.
 Since the shellcode is sitting in multiple chunks in the heap right after the or
al,0x0C sled the probability of successful arbitrary code execution is very
high. (see slide 13)
 The stack will be sprayed with fake pointers 0c0c0c08 in order to
successfully reach the or al,0x0c sled. (see slide 17)
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (1)
 After the _dispatchImpl::InvokeHelper function is first reached, this is
the status of the call stack.
 At this point the heap is already arranged with the or al,0x0C pattern.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (2)
 It is possible to observe the copy procedure of the dword values 0c0c0c0c
into the heap area.
 The copy routine is executed from the msvcrt!memcpy function which was
called by the jscript.dll module.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (3)
 After finishing the aforementioned copy procedure, the heap is
properly arranged:
Beginning of Shellcode
Or al,0x0c Sled
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (4)
 This is the call stack when the function
_dispatchImpl::InvokeHelper is hit the second time:
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (5)
 Here is the call stack after the vulnerable function is thirdly
reached:
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (6)
 Finally, we can observe the call stack after the
_dispatchImpl::InvokeHelper function has been accessed for the fourth
time.
 At this point the fake pointers were written into the stack, as shown in the
next slide.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (7)
 The fake pointers copy procedure is being executed by the memcpy
routine called from the jscript module.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (8)
 Here is the status of the stack after finishing the aforementioned
routine.
Fake pointers
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (9)
 As said before, from this point the vulnerable code will finally lead to
arbitrary code execution.
 The function prolog is executed as usual.
 At the 0x749BD6C3 address 0x10C bytes are reserved for the local
variables, thus we can observe the previously injected fake pointers.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (10)
 At the address 0x749BD6C9 other arguments are pushed in
order to call the SetErrorInfo function from the Oleaut32.dll
module.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (11)
 After returning from the SetErrorInfo function the routine
FindIndex is also called:
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (12)
 When the code returns from the FindIndex function the EAX
value is set to zero.
 Thus, the conditional jump at the address 0x749BD6FC is not
performed.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (13)
 The flow of code continues until it reaches the instruction “lea eax,
[ebp-0x1c]” which loads the EAX register with one of the fake
pointers.
 This starts to be interesting. However we have not hit the bug yet. :]
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (14)
 Later, the code flow calls the Oleaut32!VariantInit function.
 We will not go deeper into this function as this is not interesting
for this analysis.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (15)
 After returning from the Oleaut32!VariantInit function the code pushes the EBX register
which was previously set to zero.
 Later, the code loads EAX with a pointer of injected dword values.
 However the low word was partially corrupted during the execution. Nevertheless this will
not affect the arbitrary code execution.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (16)
 The code continues running until it reaches a call to the pointer of
[esi+0x20] which resolves to the DOMNode::_invokeDOMNode
function.
 We are not going deeper into all the subsequent calls from this point,
however the next slide shows the call stack until reaching the last
function into the process of creating the XML node. During this phase
the “get_definition” function is finally accessed.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (17)
 The Node::get_definition function is accessed.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (18)
 When the code returns from the DOMNode::_invokeDOMNode
function the value of the EAX register is set to 1.
 So the JL jump at the address 0x749BD74B is not executed.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (19)
 After the non-taken jump the code takes a dword from
[ebp+0x14] and moves it into the EAX register.
 EAX now holds the 0x0c0c0c08 value.
!
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (20)
 But wait… The value is directly moved into the EAX register… And what was
indeed the previously moved value?
 Decompiling the msxml3.dll module with IDA shows us that the value matches
with a local variable that was not properly initialized.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (21)
 Later, because of the comparison between EAX and EBX at
0x749BD754 the JZ jump instruction at 0x749BD758 is not taken.
 The code continues… And lastly, the content of the EAX pointer is
transferred into the ECX register.
!
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (22)
 Since from the address 0x749BD75F the following instructions will not
modify the ECX register, the call instruction at the address
0x749BD772 will successfully reach the or al,0x0c sled.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (23)
 The or al,0x0c sled is successfully executed until it finds the
shellcode.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Analysis of the vulnerability (24)
 Shellcode execution is achieved:
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
Some temporary mitigations
 Microsoft created a new workaround in the form of a fix-it.
 The “Fix it” package makes a minor change at runtime to either
msxml3.dll, msxml4.dll or msxml6.dll modules every time
Internet Explorer is loaded.
 This modification causes Internet Explorer to properly initialize the
previously uninitialized variable which is the main problem of this
vulnerability.
 Deploy the Enhanced Mitigation Experience Toolkit.
 Configure Internet Explorer to prompt before running Active
Scripting or disable Active Scripting in the Internet and Local
Intranet security zones.
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
REFERENCES
 http://technet.microsoft.com/en-
us/security/advisory/2719615
 http://support.microsoft.com/kb/2719615
 http://googleonlinesecurity.blogspot.co.uk/2012/06/micros
oft-xml-vulnerability-under.html
 https://community.rapid7.com/community/metasploit/blog/
2012/06/18/metasploit-exploits-critical-microsoft-
vulnerabilities
 http://blogs.technet.com/b/srd/archive/2012/06/13/msxml-
fix-it-before-fixing-it.aspx
 http://en.wikipedia.org/wiki/XML
 http://research.swtch.com/sparse
 http://www.corelan.be
ORIGINAL SWISS ETHICAL HACKING
Your texte here ….
©2012 High-Tech Bridge SA – www.htbridge.com
THANK-YOU FOR READING
Your questions are always welcome!
brian.mariani@htbridge.ch
frederic.bourla@htbridge.ch

More Related Content

Viewers also liked

January12scholarship bulletin
January12scholarship bulletinJanuary12scholarship bulletin
January12scholarship bulletin
abesadam
 
Digipack Deconstruction 2: AC/DC - High Voltage
Digipack Deconstruction 2: AC/DC - High VoltageDigipack Deconstruction 2: AC/DC - High Voltage
Digipack Deconstruction 2: AC/DC - High Voltage
TomSmellsGood
 
A team - bsc update - march 2012
A team - bsc update - march 2012A team - bsc update - march 2012
A team - bsc update - march 2012
bscisteam
 
Cisco mortensen
Cisco mortensenCisco mortensen
Cisco mortensen
CIRB_CIBG
 

Viewers also liked (20)

Котел твердотопливный длительного горения protherm бобёр 50dlo
Котел твердотопливный длительного горения protherm бобёр 50dloКотел твердотопливный длительного горения protherm бобёр 50dlo
Котел твердотопливный длительного горения protherm бобёр 50dlo
 
JN3050 lecture two 2012
JN3050 lecture two 2012JN3050 lecture two 2012
JN3050 lecture two 2012
 
January12scholarship bulletin
January12scholarship bulletinJanuary12scholarship bulletin
January12scholarship bulletin
 
Digipack Deconstruction 2: AC/DC - High Voltage
Digipack Deconstruction 2: AC/DC - High VoltageDigipack Deconstruction 2: AC/DC - High Voltage
Digipack Deconstruction 2: AC/DC - High Voltage
 
δημητρα ευγενια
δημητρα ευγενιαδημητρα ευγενια
δημητρα ευγενια
 
A team - bsc update - march 2012
A team - bsc update - march 2012A team - bsc update - march 2012
A team - bsc update - march 2012
 
Servicos outubro 2014
Servicos outubro 2014Servicos outubro 2014
Servicos outubro 2014
 
Газовый настенный котел Baxi Eco Four 24 F
Газовый настенный котел Baxi Eco Four 24 FГазовый настенный котел Baxi Eco Four 24 F
Газовый настенный котел Baxi Eco Four 24 F
 
Using the library and referencing in a digital age
Using the library and referencing in a digital ageUsing the library and referencing in a digital age
Using the library and referencing in a digital age
 
Твердотопливный напольный котел Buderus Logano S111-2 12
Твердотопливный напольный котел Buderus Logano S111-2 12 Твердотопливный напольный котел Buderus Logano S111-2 12
Твердотопливный напольный котел Buderus Logano S111-2 12
 
Frogappt1
Frogappt1Frogappt1
Frogappt1
 
ICAEW/Grant Thornton UK Business Confidence Monitor Q3 2013
ICAEW/Grant Thornton UK Business Confidence Monitor Q3 2013ICAEW/Grant Thornton UK Business Confidence Monitor Q3 2013
ICAEW/Grant Thornton UK Business Confidence Monitor Q3 2013
 
Dave Marvit - Normalizing Data
Dave Marvit - Normalizing DataDave Marvit - Normalizing Data
Dave Marvit - Normalizing Data
 
The Expat's Way Principles
The Expat's Way PrinciplesThe Expat's Way Principles
The Expat's Way Principles
 
How Random Points distributes on a plane? (To see the variety of the shape)
How Random Points distributes on a plane?  (To see the variety of the shape)How Random Points distributes on a plane?  (To see the variety of the shape)
How Random Points distributes on a plane? (To see the variety of the shape)
 
A cross-layer approach to energy management in manufacturing
A cross-layer approach to energy management in manufacturingA cross-layer approach to energy management in manufacturing
A cross-layer approach to energy management in manufacturing
 
Газовый напольный котел Protherm Медведь
Газовый напольный котел Protherm МедведьГазовый напольный котел Protherm Медведь
Газовый напольный котел Protherm Медведь
 
Visi logic getting-started
Visi logic   getting-startedVisi logic   getting-started
Visi logic getting-started
 
Faculty web page
Faculty web pageFaculty web page
Faculty web page
 
Cisco mortensen
Cisco mortensenCisco mortensen
Cisco mortensen
 

Similar to CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability

The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
Mario Heiderich
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
Stephan Chenette
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
qqlan
 

Similar to CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability (20)

Spying Internet Explorer 8.0
Spying Internet Explorer 8.0Spying Internet Explorer 8.0
Spying Internet Explorer 8.0
 
Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
Novell GroupWise Multiple Untrusted Pointer Dereferences ExploitationNovell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
 
The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010The Future of Web Attacks - CONFidence 2010
The Future of Web Attacks - CONFidence 2010
 
Inline Hooking in Windows
Inline Hooking in WindowsInline Hooking in Windows
Inline Hooking in Windows
 
Userland Hooking in Windows
Userland Hooking in WindowsUserland Hooking in Windows
Userland Hooking in Windows
 
Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007Automated JavaScript Deobfuscation - PacSec 2007
Automated JavaScript Deobfuscation - PacSec 2007
 
Exploit ie using scriptable active x controls version English
Exploit ie using scriptable active x controls version EnglishExploit ie using scriptable active x controls version English
Exploit ie using scriptable active x controls version English
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
 
How to write clean & testable code without losing your mind
How to write clean & testable code without losing your mindHow to write clean & testable code without losing your mind
How to write clean & testable code without losing your mind
 
Discussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source ComponentsDiscussing Errors in Unity3D's Open-Source Components
Discussing Errors in Unity3D's Open-Source Components
 
Browser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmBrowser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholm
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
 
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
 
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - M...
 
A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!A client-side vulnerability under the microscope!
A client-side vulnerability under the microscope!
 
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS --  NO HAT 2019 (BERGAMO / ITALY)ADVANCED MALWARE THREATS --  NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
 
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ Builder
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ BuilderA Check of the Open-Source Project WinSCP Developed in Embarcadero C++ Builder
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ Builder
 
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 

More from High-Tech Bridge SA (HTBridge)

More from High-Tech Bridge SA (HTBridge) (11)

Welcome in the World Wild Web
Welcome in the World Wild WebWelcome in the World Wild Web
Welcome in the World Wild Web
 
Fuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkFuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley Framework
 
Manipulating Memory for Fun & Profit
Manipulating Memory for Fun & ProfitManipulating Memory for Fun & Profit
Manipulating Memory for Fun & Profit
 
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
 
Cybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackCybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attack
 
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatFrontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent Threat
 
Defeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsDefeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in Windows
 
Structured Exception Handler Exploitation
Structured Exception Handler ExploitationStructured Exception Handler Exploitation
Structured Exception Handler Exploitation
 
Fake malware and virus scanners
Fake malware and virus scannersFake malware and virus scanners
Fake malware and virus scanners
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacks
 
Client-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksClient-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacks
 

Recently uploaded

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Recently uploaded (20)

[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability

  • 1. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability 1th July 2012 Brian MARIANI & Frédéric BOURLA
  • 2. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Timeline  Before the 30th of May 2012 attackers were exploiting a new Microsoft Internet Explorer 0day.  The 30th of May 2012 Google warned Microsoft about this vulnerability existing in the core of Internet Explorer XML services.  The 12th of June 2012 Microsoft published a security advisory with a temporary fix.  On June 18th 2012 the Metasploit Project released an exploit module.  On June 19th 2012 a Metasploit update was released, which proposed a 100% reliable exploit for Internet Explorer 6/7/8/9 on Windows XP, Vista, and all the way to Windows 7 SP1.
  • 3. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com The flaw  The vulnerability exists in the MSXML3, MSXML4 and MSXML6 Microsoft dynamic-linked libraries.  To trigger the flaw one must try to access an XML node (object in memory) that has not been appropriately initialized.  This leads to memory corruption in such a way that an attacker could execute arbitrary code in the context of the current user.  This category of flaw can frequently be abused by arranging the heap and stack memory areas with memory addresses previously known by the attacker before the weak code triggers the bug.
  • 4. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com What is XML? According to Wikipedia:  The Extensible Markup Language (XML) defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.  The design goals of XML emphasize simplicity, generality, and usability over the Internet.  It is a textual data format with strong support via Unicode for many programming languages.  It is also widely used for the representation of arbitrary data structures, typically in web services.
  • 5. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Details about the crash  The crash is produced in the msxml3.dll module.  The function name where Internet Explorer generates the access violation is _dispatchImpl::InvokeHelper.  The instruction which produces the crash is a call to a pointer generated by the content of the ECX register plus the 0x18h value.  In the present document we analyze the whole process from the heap and stack spray, until the bug is triggered and the code execution is reached.  Our lab environment is an English Windows XP SP3 operating system with IE 6.
  • 6. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Crash proof of concept  A working proof of concept could be coded in these two ways:
  • 7. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com The crash in Windbg  Here is the crash within WinDBG debugger:
  • 8. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Loading the vulnerable module  In order to analyze this flaw we first create a simple HTML file.  The main purpose is to load the vulnerable module first.  Once the module is just loaded in memory, a breakpoint is set at the very beginning of the function _dispatchImpl::InvokeHelper.
  • 9. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Loading the vulnerable module  The msxml3.dll module is now loaded at the 0x7498000 memory address.
  • 10. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Some important points  Until the HTML page is rendered the _dispatchImpl::InvokeHelper function will be called four times, however the instruction which permits arbitrary code execution will be hit at the fourth entry.  Before the _dispatchImpl::InvokeHelper function is reached the heap will be already prepared in order to contain the or al,0x0C sled which gently leads to the execution of shellcode.  The or al,0x0C instruction does not affects any critical data. The goal is to "slide" the flow of code to its ultimate destination.  Since the shellcode is sitting in multiple chunks in the heap right after the or al,0x0C sled the probability of successful arbitrary code execution is very high. (see slide 13)  The stack will be sprayed with fake pointers 0c0c0c08 in order to successfully reach the or al,0x0c sled. (see slide 17)
  • 11. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (1)  After the _dispatchImpl::InvokeHelper function is first reached, this is the status of the call stack.  At this point the heap is already arranged with the or al,0x0C pattern.
  • 12. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (2)  It is possible to observe the copy procedure of the dword values 0c0c0c0c into the heap area.  The copy routine is executed from the msvcrt!memcpy function which was called by the jscript.dll module.
  • 13. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (3)  After finishing the aforementioned copy procedure, the heap is properly arranged: Beginning of Shellcode Or al,0x0c Sled
  • 14. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (4)  This is the call stack when the function _dispatchImpl::InvokeHelper is hit the second time:
  • 15. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (5)  Here is the call stack after the vulnerable function is thirdly reached:
  • 16. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (6)  Finally, we can observe the call stack after the _dispatchImpl::InvokeHelper function has been accessed for the fourth time.  At this point the fake pointers were written into the stack, as shown in the next slide.
  • 17. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (7)  The fake pointers copy procedure is being executed by the memcpy routine called from the jscript module.
  • 18. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (8)  Here is the status of the stack after finishing the aforementioned routine. Fake pointers
  • 19. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (9)  As said before, from this point the vulnerable code will finally lead to arbitrary code execution.  The function prolog is executed as usual.  At the 0x749BD6C3 address 0x10C bytes are reserved for the local variables, thus we can observe the previously injected fake pointers.
  • 20. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (10)  At the address 0x749BD6C9 other arguments are pushed in order to call the SetErrorInfo function from the Oleaut32.dll module.
  • 21. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (11)  After returning from the SetErrorInfo function the routine FindIndex is also called:
  • 22. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (12)  When the code returns from the FindIndex function the EAX value is set to zero.  Thus, the conditional jump at the address 0x749BD6FC is not performed.
  • 23. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (13)  The flow of code continues until it reaches the instruction “lea eax, [ebp-0x1c]” which loads the EAX register with one of the fake pointers.  This starts to be interesting. However we have not hit the bug yet. :]
  • 24. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (14)  Later, the code flow calls the Oleaut32!VariantInit function.  We will not go deeper into this function as this is not interesting for this analysis.
  • 25. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (15)  After returning from the Oleaut32!VariantInit function the code pushes the EBX register which was previously set to zero.  Later, the code loads EAX with a pointer of injected dword values.  However the low word was partially corrupted during the execution. Nevertheless this will not affect the arbitrary code execution.
  • 26. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (16)  The code continues running until it reaches a call to the pointer of [esi+0x20] which resolves to the DOMNode::_invokeDOMNode function.  We are not going deeper into all the subsequent calls from this point, however the next slide shows the call stack until reaching the last function into the process of creating the XML node. During this phase the “get_definition” function is finally accessed.
  • 27. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (17)  The Node::get_definition function is accessed.
  • 28. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (18)  When the code returns from the DOMNode::_invokeDOMNode function the value of the EAX register is set to 1.  So the JL jump at the address 0x749BD74B is not executed.
  • 29. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (19)  After the non-taken jump the code takes a dword from [ebp+0x14] and moves it into the EAX register.  EAX now holds the 0x0c0c0c08 value. !
  • 30. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (20)  But wait… The value is directly moved into the EAX register… And what was indeed the previously moved value?  Decompiling the msxml3.dll module with IDA shows us that the value matches with a local variable that was not properly initialized.
  • 31. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (21)  Later, because of the comparison between EAX and EBX at 0x749BD754 the JZ jump instruction at 0x749BD758 is not taken.  The code continues… And lastly, the content of the EAX pointer is transferred into the ECX register. !
  • 32. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (22)  Since from the address 0x749BD75F the following instructions will not modify the ECX register, the call instruction at the address 0x749BD772 will successfully reach the or al,0x0c sled.
  • 33. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (23)  The or al,0x0c sled is successfully executed until it finds the shellcode.
  • 34. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Analysis of the vulnerability (24)  Shellcode execution is achieved:
  • 35. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com Some temporary mitigations  Microsoft created a new workaround in the form of a fix-it.  The “Fix it” package makes a minor change at runtime to either msxml3.dll, msxml4.dll or msxml6.dll modules every time Internet Explorer is loaded.  This modification causes Internet Explorer to properly initialize the previously uninitialized variable which is the main problem of this vulnerability.  Deploy the Enhanced Mitigation Experience Toolkit.  Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local Intranet security zones.
  • 36. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com REFERENCES  http://technet.microsoft.com/en- us/security/advisory/2719615  http://support.microsoft.com/kb/2719615  http://googleonlinesecurity.blogspot.co.uk/2012/06/micros oft-xml-vulnerability-under.html  https://community.rapid7.com/community/metasploit/blog/ 2012/06/18/metasploit-exploits-critical-microsoft- vulnerabilities  http://blogs.technet.com/b/srd/archive/2012/06/13/msxml- fix-it-before-fixing-it.aspx  http://en.wikipedia.org/wiki/XML  http://research.swtch.com/sparse  http://www.corelan.be
  • 37. ORIGINAL SWISS ETHICAL HACKING Your texte here …. ©2012 High-Tech Bridge SA – www.htbridge.com THANK-YOU FOR READING Your questions are always welcome! brian.mariani@htbridge.ch frederic.bourla@htbridge.ch