In February, Microsoft awarded $100,000 to Yu Yang (@Tombkeeper) for reporting a new mitigation bypass technique as part of Microsoft’s Bounty Program. Yu later presented his research at CanSecWest in March. In his slides he mentioned that a “god mode” in Internet Explorer could be switched on with a one-byte overwrite, but he had to heavily redact the details because of an agreement between himself and Microsoft.
After the slides were released, researchers set about working out the missing parts, and before long Yuki Chen (@guhe120), a Chinese researcher, posted his answer. Although the code was taken down soon after posting, a copy survived and was incorporated into Metasploit. Another researcher then posted a VBScript version that used more advanced techniques. Yu Yang followed by pasting his own shellcode, which used similar methods to run arbitrary code, confirming that the method Yuki Chen found is exactly the one that won Yu the $100,000 award.
The core of the new exploitation technique is to alter a flag that controls the security setting of an ActiveX object. Once an attacker can modify that flag, any script can run, including one that downloads and executes a PE file, without any notification or alert. Rapid7 discussed the details in depth on its blog last month. The most interesting aspect of the method is that it needs no shellcode and no hijacked control flow, only a single data write, so it bypasses every existing mitigation, including DEP, ASLR and EMET, and it also defeats academic defenses such as Control Flow Integrity (CFI). That raises another question: if mitigations do not help, what other ways do we have to defend against attacks like this?
The first line of defense is the IPS. Although an attacker can obfuscate the HTML in many ways, we are still able to extract features from the exploit to build signatures. To cover this case we created signatures 36442, 36468 and 36469 for the security flag overwrite. We are not aware of any in-the-wild attacks using this technique, but in our testing these signatures have proven effective against the code that is publicly available on the Internet.
Taking a closer look at the three exploits from our blog post last month, we see that the different exploit techniques all rest on a single precondition: arbitrary memory access. Only once attackers can read and write any address can they use either the Flash or the ActiveX method to get code execution. Going one step further, all three vulnerabilities are use-after-free bugs, and in each one the code that corrupts a user-controlled address can be distilled down to one of the following operations:
    xor [xyz], 0x20000
    inc [xyz]
    inc [xyz]
Here xyz is an address under the attacker’s control that holds the length field of a Flash vector object or of an Int32Array. A single xor or increment is enough to give the object a length larger than its real allocation, and because the engine’s bounds checks trust that field, every index past the true end becomes an out-of-bounds read or write into neighbouring memory. With that primitive in hand the attacker can carry out further operations, such as modifying the security flag of the ActiveX object.
A better way to prevent such attacks is to detect, during execution, whether an arbitrary address is being accessed. In WildFire we added modules for web browser scripts and for third-party plugins such as Flash. One of these modules leverages the fact that the length of a vector object is always consistent with its memory allocation, which means the memory in use can be deduced from the sum of the lengths of all allocated vectors.
If the calculated value does not match the real value, some of the vector objects have most likely been modified. Using this method we provide length checking for Flash vector objects: the module validates access behavior at runtime, and if a length looks suspicious, the detection module stops the malicious operation.
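The model below is an added example, not code from the original post or from WildFire, that ties together the two ideas above: a length field corrupted by the xor and inc primitives turns the object’s own bounds check into an out-of-bounds read/write into the neighbouring object, and summing the lengths recorded in every header against what the allocator actually handed out exposes the corruption. The vector layout (a one-word length header followed by the elements), the arena that stands in for a sprayed heap, and every function name are assumptions made for the example; the real Flash object layout is not shown on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for a Flash vector object: one header word holding the
 * element count, followed directly by the elements. Not the real layout. */
typedef struct { uint32_t length; } vec_t;

/* One contiguous region where vectors are laid out back to back, as on a
 * sprayed heap. g_arena_used is the allocator's own record of words handed out. */
#define ARENA_WORDS 1024
#define MAX_VECS    16
static uint32_t g_arena[ARENA_WORDS];
static size_t   g_arena_used;
static vec_t   *g_vecs[MAX_VECS];
static size_t   g_nvecs;

static void arena_reset(void) {
    memset(g_arena, 0, sizeof g_arena);
    g_arena_used = 0;
    g_nvecs = 0;
}

static uint32_t *vec_elems(vec_t *v) { return (uint32_t *)(v + 1); }

static vec_t *vec_alloc(uint32_t len) {
    size_t words = 1 + (size_t)len;                   /* header + elements */
    if (g_arena_used + words > ARENA_WORDS || g_nvecs == MAX_VECS) return NULL;
    vec_t *v = (vec_t *)&g_arena[g_arena_used];
    v->length = len;
    g_arena_used += words;
    g_vecs[g_nvecs++] = v;
    return v;
}

/* The bounds checks trust v->length: once that word is corrupted, any index
 * below the bogus length reaches past the object's real storage. */
static int vec_get(vec_t *v, uint32_t idx, uint32_t *out) {
    if (idx >= v->length) return 0;                   /* RangeError in a real engine */
    *out = vec_elems(v)[idx];
    return 1;
}
static int vec_set(vec_t *v, uint32_t idx, uint32_t val) {
    if (idx >= v->length) return 0;
    vec_elems(v)[idx] = val;
    return 1;
}

/* The primitives distilled from the three exploits, hitting the length word. */
static void corrupt_xor(vec_t *v) { v->length ^= 0x20000; }
static void corrupt_inc(vec_t *v) { v->length += 1; }

/* Detection: the words implied by every header must add up to what the
 * allocator handed out. Returns 1 when consistent, 0 when some length lies. */
static int vec_lengths_consistent(void) {
    size_t expected = 0;
    for (size_t i = 0; i < g_nvecs; i++)
        expected += 1 + (size_t)g_vecs[i]->length;
    return expected == g_arena_used;
}

/* Intact vector: index 8 of an 8-element vector is rejected, checker is quiet. */
int scenario_intact(void) {
    arena_reset();
    vec_t *target = vec_alloc(8);
    vec_alloc(4);
    uint32_t x;
    return vec_get(target, 8, &x) == 0 && vec_lengths_consistent() == 1;
}

/* xor the length with 0x20000 (8 -> 0x20008) and read the neighbour's element
 * through the oversized vector. target's elements begin one word after its
 * header, so the neighbour's header is index 8 and its element 1 is index 10. */
uint32_t scenario_xor_read(void) {
    arena_reset();
    vec_t *target = vec_alloc(8);
    vec_t *victim = vec_alloc(4);
    vec_elems(victim)[1] = 0x41414141u;               /* constructed marker */
    corrupt_xor(target);
    uint32_t x = 0;
    return vec_get(target, 10, &x) ? x : 0;
}

/* Two increments (8 -> 10) make index 8 valid, which is the neighbour's length
 * word; writing 0xFFFFFFFF there is the usual second stage of these exploits. */
uint32_t scenario_inc_write(void) {
    arena_reset();
    vec_t *target = vec_alloc(8);
    vec_t *victim = vec_alloc(4);
    corrupt_inc(target);
    corrupt_inc(target);
    vec_set(target, 8, 0xFFFFFFFFu);
    return victim->length;
}

/* The length-sum check catches both primitives. Returns 1 if it does. */
int scenario_detected(void) {
    arena_reset();
    vec_t *target = vec_alloc(8);
    vec_alloc(4);
    corrupt_inc(target);
    int caught_inc = !vec_lengths_consistent();
    arena_reset();
    target = vec_alloc(8);
    vec_alloc(4);
    corrupt_xor(target);
    return caught_inc && !vec_lengths_consistent();
}

int main(void) {
    printf("intact ok: %d\n", scenario_intact());
    printf("read through corrupted vector: 0x%08x\n", scenario_xor_read());
    printf("neighbour length after write: 0x%08x\n", scenario_inc_write());
    printf("checker caught both: %d\n", scenario_detected());
    return 0;
}
```

In this model the consistency check is invoked explicitly; the runtime module described above would run it at the point of access, so the write in scenario_inc_write would be refused before the neighbour’s length reaches 0xFFFFFFFF. The check is sound because a legitimate vector never changes its length without a matching (re)allocation, so any drift between the two sums can only come from a corrupted header.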
Through our enterprise security platform, including IPS and WildFire, we continue to innovate and to prevent advanced exploitation techniques. Leave a comment below and let us know what you think.