Analysis of The Recent Zero-Day Vulnerability in IE9/IE10

Any vulnerability in Internet Explorer is a large issue, but last week’s zero-day vulnerability (designated as CVE-2014-0322) is particularly interesting. It used what we call a “hybrid exploit”, where the malicious exploit code is split across multiple components that use differing technology: in this case, the exploit code was split between JavaScript and Adobe Flash. The use of “hybrid exploits” provides attackers with a way to evade existing mitigation technology like ASLR and DEP.

Let’s go over how this exploit was delivered to users. The victim website was compromised, and two malicious files were uploaded to it:

Erido.jpg (detected as HTML_EXPLOIT.PB, MD5 hash: 00ae7a1514809749a57d4d05d8c969b5)
Tope.swf (detected as SWF_EXPLOIT.PB, MD5 hash: 732b6a98b0a7b2ee795f2193a041520d)

The overall flow can be found in the following diagram, which will be explained in the text.

Figure 1. Overall control flow

A page on the website (img.html) was modified with additional JavaScript and an iframe to load the malicious Flash file, as follows:

<embed src=Tope.swf width=10 height=10></embed>

When called, the Flash file carries out a heap spray. Control is then passed back to the JavaScript, via a function call in the Flash file. The actual malicious code that triggers CVE-2014-0322 is actually found here, and not in the Flash file. (To prevent further attacks that may exploit this vulnerability, we will not provide further details about the exploit.) Control is then passed back to the Flash file, where the code responsible for arbitrary memory reads and writes is located.

From here on, the goal of the code is simple: it searches for return-oriented programming (ROP) gadgets in the memory (specifically, it uses ROP gadgets in ntdll.dll), constructs the ROP chain, and overwrite the virtual table of a Flash object in order to hijack the execution flow of the Flash virtual machine.

Two ROP gadgets were used in this attack:

77a646a8 94 xchg eax,esp // Pivot the stack pointer
ntdll!ZwProtectVirtualMemory (1a1b3000, 1000, PAGE_EXECUTE_READWRITE)

The first ROP gadget pivots the stack pointer to let it point to controlled data; the second gadget calls ZwProtectVirtualMemory to change this shellcode’s protection to PAGE_EXECUTE_READWRITE, to bypass DEP protection.

If this shellcode needs to call APIs, it will first check whether the API is hooked inlineby checking the starting byte code of the API. If that is the case, then it will skip the first 5 bytes of the API, to escape from the hook. This technique is used to bypass the detection of security products that are watching for this behavior.

Figure 2. Malicious shellcode

The above shellcode does the following:

Decode two PE files using the data in the file Erido.jpg
Drops the two PE files to:
- %Temp%\sqlrenew.txt
- %Temp%\stream.exe
Load the contents of sqlrenew.txt into memory
Return to the caller to prevent a Flash or IE crash

The contents of sqlrenew.txt merely executes the other dropped file, stream.exe – with one difference. However, this will only happen when IE has been terminated and the module itself is being unloaded.

Figure 3. Malicious shellcode

Conclusions

Any zero-day vulnerability in a widely used program like Internet Explorer is significant, but this one appears to be doubly so. To avoid known exploit mitigation techniques like ASLR and DEP, this attack uses multiple web objects interacting with each other to carry out the exploit instead of a single easily detected file.

It is likely that we will see more of this technique in the future as cybercriminals try to make their exploits more effective on all platforms. Both developers and security vendors will need to respond to this emerging threat in order to keep users safe.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Analysis of The Recent Zero-Day Vulnerability in IE9/IE10