Blast, 2015/04/22 10:11

In retrospect, the first two articles outlined the following content of IE: the history of IE, new features in various versions, simple HTML rendering logic and the security challenges of Internet Explorer.

From the beginning of this chapter, we will continue to take Nethorse as an opportunity to gradually tell the relevant knowledge of VULNERABILITY analysis and security countermeasures of IE. The script Pioneer series will last for 4 chapters. The first 2 chapters will introduce common encryption methods and countermeasures in nethorse. The analysis of Shellcode will be introduced in the following two chapters.

III.1 HTML and Nethorse attacks 2 — Permission issues


Scripting is essential, and the last chapter covered basic obfuscation, or more accurately coding, because escape is really all about coding.

I want to introduce this chapter from the example of the net horse that actually happened.

Look at the code above. This is a horse hanging page that happens in the real world. These mounted servers may stop at any time, so I have archived this page, please see Resources (1) (unzip password www.wooyun.org), attachment 1. Since it is directly captured by the horse page, antivirus software may report viruses. If you are concerned about security issues, it is recommended to process samples in a virtual environment.

This nethorse exploits the VBScript integer overflow vulnerability (CVE-2014-6332). This famous vulnerability has a lot of analysis online, if you don’t know, you can refer to these analysis articles. Since this chapter only introduces the content at the script level, the binary analysis will be carried out in the following chapters. Some vulnerabilities will be selected for analysis according to the length of the chapter.

Below is a brief description of the scripts and attack points involved in this section.

Internet Explorer 11 (Edge mode) does not support VBScript anymore, so the rendering mode is forced to be IE8. To support VBScript execution.

#! html <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >Copy the code

Next, two SCRIPT tags appear on the page:

Some of you might be wondering about the order in which the code should be executed. In IE, the order in which the script should be executed is:

(1) who executes first whose block (SCRIPT) comes first;

(2) In each block, the function is parsed first, but not executed. After the function is parsed, the first line of the outermost Public code is executed.

(3) If there is no fault-tolerant statement in each block, the code behind the block will not run after the wrong code is encountered. But it doesn’t affect other chunks of content;

(4) In Javascript, fault tolerant code is try{}catch(…). {}, in VBScript, the fault-tolerant code is: On Error Resume Next;

As you can see in section 1, a function is defined that calls CreateObject to create wscript.shell, Microsoft.xmlhttp, and adodb.stream.

The GUids of these three objects are:

Wscript.shell: 72C24DD5-D70A-438B-8A42-98424B88AFB8 Microsoft.XMLHTTP: ED8C108E-4349-11D2-91A4-00C04F7969E8 *(progid: Microsoft. XMLHTTP. 1.0). The ADODB library Stream: 00000566-0000-0010-8000-00 aa006d2ea4Copy the code

Wscript.shell, adodb. Stream guID, wscript. shell, adodb. Stream guID, wscript. shell, adodb. Stream guID

The Safe for Script and Safe for init for both ActiveX objects are set to False, which prevents them from being loaded in the Internet Zone. If you use them in the local zone, Internet Explorer will pop up:

The default level for the Internet domain is medium-high, where such scripts are prohibited from executing (and an exception is raised).

If successfully executed, the vulnerability will turn off the security check switch, resulting in all objects that were previously marked as unsafe being created and run successfully, even without any existing defense mechanisms (such as ASLR, etc.) to attack the user’s computer.

You can see that the net horse finally runs this function. This function simply downloads an EXE and runs it. The EXE is a Trojan horse program.

And others, the horse that final, the first is to create an iframe to Trojan exe: HXXP: / / 116.255.195.114 / server. Exe, and then use the window. The open () open a new window, the url is also the exe.

The result of both statements is for IE (and other browsers) to pop up a download prompt:

This is the last step of pit users, as long as the user does not run there is no problem, and this URL was almost all the domestic kill soft into the library, presumably will not deceive how many people.

Note that the site also has a 1.js file, the js file is 404, the contents of which we do not know. But look at the front so obvious “JS hanging horse” words, perhaps the author is the CONTENT of this JS together and into this web page may also.

Finally, we know that this page wants users to download Server.exe. Just from the kill soft report, this EXE is a remote control program. Sandboxie+OllyDbg or VMWare+ debugging tools are easy and convenient debugging environments for such moderate volume Trojan programs. The latter may take up more memory, but the former is relatively light and easy to organize. But be careful not to let some virus samples slip out of the sandbox and affect the real system. This part is beyond the scope of this series and will not be covered in detail.

In search of hang a horse site list today, I also saw the following example (attachment 2), which is similar to a panda Ramnit virus infection, he is I said before, every HTML to hang a script, the script need local access to prompt execution, but one thousand users click allow, in this way, The virus will come back to life (perhaps this code works better with CVE-2014-6332 above) :

Figure: An example of Ramnit infection

Files infected by the virus can be repaired by almost any antivirus software.

III.2 HTML and Cyberhorse attacks 3 – anti-obfuscation


Now that we’ve covered the simple example, let’s look at some examples with some confusion.

The examples in this section are not very difficult and can certainly be solved easily with careful observation. Some of the more difficult examples will be covered in the next chapter.

1. Results of JS compression;


Let’s take a look at this example, detailed in Attachment 3. This script is an exploit of cVE-2004-0204, taken from an old weblog. At first glance, it looks complicated and disgusting, but if you remember from the previous chapter, eval ends up executing a function in the first argument, which in this case is a function, So simply replace eval with alert and execute to get the content:

In the red box is the Trojan to download the file address.

But it’s not good to know why, so let’s read the code briefly:

You can see that the function is actually:

#! javascript eval( function (p,a,c,k,e,d){} (p, a , c ,k ,e ,d) )Copy the code

This essentially passes the return value of this anonymous function with six arguments to the eval execution, so the return value is code that has been decrypted at least once.

If you still don’t know, look at it this way:

#! javascript var a = function(){return 1}(); alert(a.toString());Copy the code

Initially (2007), this code was mostly used on hangers, except for a few JS libraries, but jSPack has since been adopted by many sites due to its ability to compress code. If you want to generate code like this, do a Baidu search for eval compression.

2. Simple code reading


In this page (Attachment 4), we see that there is a very strange encrypted code,

By reading the code, you can see that there are actually two pieces of code:

Define the function xViewState(); Call the function xViewState().Copy the code

By reading the function xViewState, we can see that the first half of the text is decrypting the data, and the only place that the page or script interacts with is document.write. Therefore, replace document.write with alert to know what it will write to the page.

Note that what document.write writes to the DOM is rendered immediately.

It appears that it is writing a style message, moving.nemonn to -9999px top, which means that the content will not be visible to the page. Why do you do that? You know what I mean: Black chains.

Another hidden spot in the page, reading this code may make it clearer what it is trying to do:

Figure: Black chain code not shown on the home page

This approach has been targeted by Google. Script encryption can be counted as a “counter” to Google.

3. Tool processing


Given how easy it is to hijack an object in javascript, the tools I provide also have a simple substitution:

4. Example of Exploit Kit

This is a simpler example of the Landing Page of the notorious Nuclear Exploit Kit.

Nuclear EP Landing Page (Annex 5)

#! html <SCRIPT> ... </SCRIPT> <ELEMENTS> DATA </ELEMENTS> <SCRIPT> ... </SCRIPT>Copy the code

Since the content of ELEMENTS is necessarily unexecutable, the analysis should focus on the content in the middle of the SCRIPT.

Confuse the first paragraph first. You can see that comments take up half of the code, so delete them in batches first.

Then format the JS code,

Then, with a bit of finishing (Attachment 6), you can see that it’s almost easy to see what this code does:

The third SCRIPT block of the page (Attachment 6, LN78)

#! html <script>aiTsnQh(EOHCnD("iaTyv")); </script>Copy the code

The EOHCnD function is actually called, which is defined as:

From reading,

LN29: Generate object document; LN30: Call document[" getElementById "](divId).innerhtml [" replace "](/[]/g, ") to remove the space; Ln32-33: actual confusion of substr; Ln37-50: from the first byte, substr every 2 words, converted to a number, if less than 10 unchanged, greater than 10 -2, then saved in the MvBLCx variable LN52: returns the decrypted character.Copy the code

That is, the EOHCnD is simply the decryption function, so we simply execute the page and print its return value.

The third SCRIPT block is changed to console. log:

Declassified content (Annex 7). The script passes the parameters to the exploit (SWF, Attachment 8) for execution. We’ll talk about SWF later.

This is all the decryption content in this chapter, you can compare the malicious script in the attachment for some decryption tests. Next, an overview of ActiveX in IE.

III.3 ActiveX Processing mode and Security Restrictions when Internet Explorer Renders Web Pages


ActiveX objects have long been a source of delight for bug diggers when Internet Explorer renders web pages. ActiveX controls are reusable components based on COM (Microsoft’s Component object model). Because it can be “Active” on all sorts of things, that’s probably why it got its name.

An ActiveX control can create an instance with the tag or with CreateObject or New ActiveXObject in a script.

Figure: Code exploiting the CVE-2010-0886 overflow vulnerability under XP passing an excessively long Docbase parameter to an object

An ActiveX object is a binary file, so if the binary contains some dangerous operation, it must be possible to do something bad to the user’s machine. Because ActiveX controls can do almost anything ordinary programs can do, malicious ActiveX controls can be deadly, especially in Internet Explorer, where safety and convenience are in conflict with each other when a web page is loaded with specified ActiveX controls.

One of the negative arguments about ActiveX is that it has the same permissions as Internet Explorer on XP because of “historical issues”, and most people log in as administrators, so ActiveX also has administrator permissions. This problem was remedied with the introduction of Internet Explorer protection mode in Vista.

A brief introduction to Safe For Scripting For ActiveX. Controls labeled Safe For Scripting should not be exploited by untrusted scripts (simply provided by someone else, and not foreseen by the developer) that compromise privacy, execute files, or simply interfere with the normal functionality of other software.

There is also the passing of parameters. When the incoming initialization data is untrusted (e.g., when I specify a control background color to be RGB(999, -1, “ABC “), the plugin will not collapse or therefore stop working (Safe For Initializing). Who knows what the user will pass to you.

In order For ActiveX to interact with IE Scripting, you must ensure that the plug-in is Safe to execute For any script host and register it as “Safe For Scripting.”

There are two ways to do this, either by writing keys to the registry or by inheriting the IObjectSafety interface (ATL also provides an IObjectSafetyImpl for your convenience).

Figure: An example of a control using IObjectSafety

IObjectSafety GetInterfaceSafetyOptions, SetInterfaceSafetyOptions the function, GetInterfaceSafetyOptions should return the security features of the ActiveX control (Safe For Init? Safe For Scripting?) , SetInterfaceSafetyOptions invoked by the host, what tell controls should have security features.

Figure: IObjectSafety definition, refer to the VC runtime objSafe.h code

Graph: GetInterfaceSafetyOptions implementation, in the VC runtime atlctl. H specific code

The specific content of this part can refer to “COM essence theory”.

is no exception. OBJECT corresponds to class CObjectElement, which is derived from CElement.

When parsed to OBJECT, the OBJECT will:

1. Try to read parameters and find CLSID and other parameters. 2. Read the CODEBASE value and parse it into Property Bag. This value can be: 2.1 absolute URL; 2.2 relative URL (http://drops.wooyun.org/xx.cab#version=xxx); (xx. Cab# version= XXX) (#version= XXX) 3. 4. Load the OBJECT.Copy the code

When loading an OBJECT, IE will:

1. Check the cache. This cache will cache some Pointers to IDispatch. 2. Ensure that ActiveX controls can be safely loaded and accessed; If this step fails, IE returns E_ACCESSDENIED.Copy the code

IsSafeToScript is a COleSite function that will:

1. Check whether the user has disabled ActiveX security detection (check whether URLACTION_ACTIVEX_OVERRIDE_SCRIPT_SAFETY is set);Copy the code

Graph: the MSDN, https://msdn.microsoft.com/en-us/library/ms537178.aspx

2. If the current content is a Java Applet, check whether the user allows the Applet to be loaded. 3. Check the IObjectSafety property of the control, marked Safe For Scripting. 4. When the user selects prompt, a reminder is displayed, informing the user that the ActiveX plug-in to be loaded is unsafe. 5. Load the control when it is safe.Copy the code

The security of ActiveX controls is improved by IE. The security of ActiveX controls is improved by IE.

By default, most Activex controls are disabled. When a web site requests an Activex control, Internet Explorer pops a message bar:

Image: Message bar, via Google Image

Photo: Security alert, via Google Image

The control is loaded when the user is sure.

These plug-ins do not fall into the “majority” category:

A. Upgrade to IE7 plug-ins that have been used before; B. IE7 prestores a whitelist, which is all verified, and many are common ActiveX; C. Controls that users download and install in the browser;Copy the code

Figure: Whitelist, location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved

2. Internet Explorer 8 (+Vista) introduced per-user (non-admin) ActiveX, which allows users to install ActiveX controls with non-administrator privileges. Microsoft said this was a move to give users better access to the UAC feature. Because if you install a malicious ActiveX control with normal user permissions, the overall system security is not seriously affected except for the current user, because the ActiveX control has the same permissions as the current user.

In Internet Explorer 8, ActiveX can also be enabled by website. Since then, KillBits has also been integrated into Windows Update so That Microsoft can pick up the pieces if ActiveX problems occur.

Internet Explorer in Vista also introduced protected mode, which runs at a low integrity level, meaning sensitive data cannot be written even if ActiveX is compromised.

3. In Internet Explorer 9, ActiveX Filtering was added, allowing users to disable controls on all web sites without prompting.

4. The loading of ActiveX controls in IE10 will undergo multiple tests, including group policy, permission check, etc. ActiveX controls have the same permissions as browsers. When EPM is enabled, only ActiveX controls that support EPM (and have 32/ 64-bit files and Appcontainer-compatible) will be loaded.

IE11 (+Windows 8) automatically scans ActiveX and prevents malicious ActiveX from running.

Microsoft also pushed some out-of-date ActiveX features, presumably taking a page from Chrome and Firefox, to block some outdated ActiveX features.

Spartan (IE12) does not support ActiveX and BHO.

Instead, you install it with an “extension system.” “Old style” (Intranet, requiring old version support) sites are rendered using IE11. (4)

Whether Or not Spartan can make the transition to security and compatibility depends on how Microsoft refines its “extension system” to make it more secure or just another mess.

With reference materials


(1) Download all examples in this article, unzip the password www.wooyun.org

(2) Self-written Redoce 3 decryption tool, the last version of March 2013, is no longer maintained

(3] https://www.blackhat.com/presentations/bh-usa-08/Kim/BH_US_08_Kim_Vista_and_ActiveX_control_WhitePaper.pdf

(4] http://blogs.msdn.com/b/ie/archive/2015/01/22/project-spartan-and-the-windows-10-january-preview-build.aspx