1. #1
    Capt.Jack's Avatar
    Capt.Jack is offline Moderator
    Join Date
    Sep 2010
    Posts
    296

    Default New Internet Explorer vulnerability affecting all versions of IE

    Today we released Security Advisory 2488013 to notify customers of a new publicly-disclosed vulnerability in Internet Explorer (IE). This vulnerability affects all versions of IE. Exploiting this vulnerability could lead to unauthorized remote code execution inside the iexplore.exe process.

    Proof-of-concept exploit bypasses ASLR and DEP

    The Metasploit project recently published an exploit for this vulnerability using a known technique to evade ASLR (Address Space Layout Randomization) and bypass DEP (Data Execution Prevention).

    In a few words, Internet Explorer loads mscorie.dll, a library that was not compiled with /DYNAMICBASE (thus not supporting ASLR and being located always at the same base) when processing some html tags. Attackers use these predictable mappings to evade ASLR and bypass DEP by using ROP (return oriented programming) gadgets from these DLLs in order to allocate executable memory, copying their shellcode and jumping into it. Note that without that predictable mapping, the only public ways to evade ASLR and DEP is through:

    Use of this (in case the current vulnerability allows) or another vulnerability as an information leak.
    Using techniques such as JIT-spraying or similar ones. Please note IE only JITs IE9ís javascript and there are security mitigations in place. But third party plugins could JIT in an insecure manner.
    We have recently blogged on the effectiveness of ASLR and DEP here.

    Recommendation: Use Enhanced Mitigation Experience Toolkit (EMET) to dynamically rebase all loaded DLLs

    In order to minimize the risk of exploitation, users could install EMET and proceed to protect the iexplore.exe process as shown in the BlueHat video.

    Exploits that attempt to bypass ASLR and DEP would use several ROP gadgets for several purposes. To understand why EMET is an effective workaround for these exploits, letís focus on the stack pivot gadgets which set the stack pointer to the attacker controlled data (heap spray in our case):

    0:000> u 63f0575b L4
    mscorie!_chkstk+0x1b:
    63f0575b 94 xchg eax,esp
    63f0575c 8b00 mov eax,dword ptr [eax]
    63f0575e 890424 mov dword ptr [esp],eax
    63f05761 c3 ret
    0:000>
    When EMET is in place, this type of exploit will most likely fail. This is because of at least three mitigations:

    Mandatory ASLR: This mitigation will force the mscorie.dll to be located on random addresses each time.
    Heap Spray pre-allocation: Some of these exploits use some common used heap pages for placing ROP data such as 0x0c0c0c0c.
    EAT Filtering: Running shellcode can potentially be blocked by this mitigation.
    Although the later two mitigations in the list above are not bullet proof and can be evaded, Mandatory ASLR is a solid one for closing the mscorie.dll exploitation vector. When the exploit attempts to jump into the ROP gadget that it believes to be at a predictable memory address, it will hit an access violation and crash the process:

    0:000> u 63f0575b L4
    63f0575b ?? ???
    ^ Memory access error in 'u 63f0575b l4'
    0:000>
    And the exploit will fail.

    Thanks to Richard van Eeden, Bruce Dang, and Jonathan Ness from the MSRC Engineering team for the help investigating this issue.

    --

    Fermin J. Serna, Security Software Engineer

    *Posting is provided "AS IS" with no warranties, and confers no rights.*

    Source: New Internet Explorer vulnerability affecting all versions of IE - Security Research & Defense - Site Home - TechNet Blogs

  2. #2
    HappyAndyK's Avatar
    HappyAndyK is offline Site Administrator
    Join Date
    Jun 2008
    Posts
    7,312

  3. #3
    kunu's Avatar
    kunu is offline Windows Enthusiast
    Join Date
    Oct 2010
    Posts
    97

    Default

    very useful share Capt

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Log in

Log in

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22