Bypassing Windows ASLR using “Run without permission” Add-ons

This is just a short post highlighting a couple of products that if installed could be used to bypass ASLR in Internet Explorer.

  • DivX Player 10.0.2
  • Yahoo Messenger 11.5.0.228
  • AOL Instant Messenger 7.5.14.8

These products contain a number of libraries that does not get ASLRed when loaded in memory due to not being compiled with the dynamicbase flag. These libraries can easily be loaded in Internet Explorer as they get registered on the system to run without permissions therefore no prompts are given. Below are the lists of libraries that can be loaded via ProgID or ClassID.

Dll     - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll
ProgID  - OVSHelper.OVSHelperCOM.1
ClassID - C6E31427-FD7E-4C53-B568-124B191E5DC4
Version - 1.1.0.12
-
Dll     - C:\Program Files\DivX\DivX Web Player\npdivx32.dll
ProgID  - npdivx.DivXBrowserPlugin.1
ClassID - 67DABFBF-D0AB-41FA-9C46-CC0F21721616
Version - 3.0.1.5
-
Dll     - C:\Program Files\DivX\DivX Web Player\npdivx32.dll
ProgID  - nprovi.RoviStreamPlayer.1
ClassID - 7F64C4F7-2D43-42fe-B7E7-CE5873E7D8B6
Version - 3.0.1.5
-
Dll     - C:\Program Files\Yahoo!\Messenger\YPagerChecker.dll
ProgID  - YPagerChecker.MessengerChecker.1
ClassID - DA4F543C-C8A9-4E88-9A79-548CBB46F18F
Version - 1.1.0.3
-
Dll     - C:\Program Files\AIM\isAim.dll
ProgID  - isaim.aimlocator.1
ClassID - BAEB32D0-732D-11D2-8BF4-0060B0A4A9EA
Version - 2.0.0.0

To view which libraries that can be loaded without permission go to “Manage Add-ons” which can be accessed from Internet Explorer – Tools – Manage Add-ons and choose “Run without permission” in the show dropdown list.

The below script you can use to test if any of these libraries get loaded or just click here to run it now. Libraries taking base address 0x10000000 will get rebased if one is already loaded. Note that for the Yahoo Messenger object check does not work so will fail but the library will still get loaded if installed. Also depending where you download AOL Instant Messenger the latest version is 8.0.6.1 which does not contain isAim.dll library.

<HTML>
<SCRIPT language="JavaScript"> 
//
if (DivX1() == "DivX")
{
   document.write("DivX VOD Helper Plug-in npovshelper.dll loaded<br>");
}
if (DivX2() == "DivX")
{
   document.write("DivX Web Player (DivXBrowserPlugin) npdivx32.dll loaded<br>");
}
if (DivX3() == "DivX")
{
   document.write("DivX Web Player (RoviStreamPlayer) npdivx32.dll loaded<br>");
}
if (Aol() == "AIM")
{
   document.write("AOL Messenger isAim.dll loaded<br>");
}
if (Yahoo() == "YahooM")
{
   document.write("Yahoo Messenger YPagerChecker.dll loaded<br>");
}
//
function DivX1() 
{
   var divxver = "";
   var divx = 0;
   var err = 0;
   try {
         divx = new ActiveXObject("OVSHelper.OVSHelperCOM.1") 
   } catch (err) {
      document.write("DivX VOD Helper Plug-in npovshelper.dll failed<br>");
   }
   if ((typeof divx) == "object") {
      divxver = "DivX";
   }
   return divxver;
}
function DivX2() 
{
   var divxver = "";
   var divx = 0;
   var err = 0;
   try {
         divx = new ActiveXObject("npdivx.DivXBrowserPlugin.1")
   } catch (err) {
      document.write("DivX Web Player (DivXBrowserPlugin) npdivx32.dll failed<br>");
   }
   if ((typeof divx) == "object") {
      divxver = "DivX";
   }
   return divxver;
}
function DivX3() 
{
   var divxver = "";
   var divx = 0;
   var err = 0;
   try {
         divx = new ActiveXObject("nprovi.RoviStreamPlayer.1")
   } catch (err) {
      document.write("DivX Web Player (RoviStreamPlayer) npdivx32.dll failed<br>");
   }
   if ((typeof divx) == "object") {
      divxver = "DivX";
   }
   return divxver;
}
function Aol() 
{
   var aolver = "";
   var aol = 0;
   var err = 0;
   try {
         aol = new ActiveXObject("isaim.aimlocator.1")
   } catch (err) {
      document.write("AOL Messenger isAim.dll failed<br>");
   }
   if ((typeof aol) == "object") {
      aolver = "AIM";
   }
   return aolver;
}
function Yahoo() 
{
   var yahoover = "";
   var yahoo = 0;
   var err = 0;
   try {
         yahoo = new ActiveXObject("YPagerChecker.MessengerChecker.1")  
   } catch (err) {
      document.write("Yahoo Messenger YPagerChecker.dll failed<br>");
   }
   if ((typeof yahoo) == "object") {
      yahoover = "YahooM";
   }
   return yahoover;
}
</SCRIPT>
</HTML>

Checking with Process Explorer you’ll see something like this

There are a number of mitigations available so bypassing ASLR using modules not set with the dynamicbase bit should be old news by now.

  • Install Microsoft EMET which supports multiple mitigation technologies, one being Mandatory Address Space Layout Randomization (ASLR) forcing module addresses to be randomized for a target process
  • Upgrade to Internet Explorer 10 or 11 where additional patches will be installed enabling it to use ForceASLR on Windows 7
  • Upgrade to Windows 8 which supports ForceASLR where Internet Explorer tells the OS to randomize all modules loaded by the browser
  • Disable the libraries from “Manage Add-ons”

Running Internet Explorer 10/11 or EMET all addresses will get randomized as you can see below

Leave a Reply

Your email address will not be published. Required fields are marked *