A Tale of 3 Vulnerabilities, CVE-2014-1776 Exploit Linked to Previous Attacks

Summary

  • The exploit code used in the recent CVE-2014-1776 attacks shares many similar characteristics with code that exploited CVE-2014-0322 and CVE-2013-3163.
  • The shared techniques, variable names and code structure suggest these exploits share a common author or template.
  • Palo Alto Networks customers are protected by from exploitation of CVE-2014-1776 with content release 433-2194.

Late last month reports surfaced that a new Internet Explorer vulnerability (CVE-2014-1776) was being exploited in targeted attacks. The vulnerability allows an attacker to take full control over the system after a user views a web page in their browser. According to Microsoft, it affects versions of Internet Explorer from version 6 to 11, meaning that almost all IE users are vulnerable to this bug. This vulnerability is so widespread that Microsoft has released patches to protect Windows XP, for which Microsoft has ended support since April 8, 2014.

Researchers from Palo Alto Networks have investigated this exploit in depth and concluded that this is a Use-After-Free vulnerability that occurs when Internet Explorer tries to reuse a freed CMarkup object. Attackers can manipulate memory allocations by using JavaScript to allocate an object that is freed before all references to that object are removed. Once the object is free the Flash file will overwrite a length field in the vector object and allow arbitrary memory access. After that the exploit uses a ROP chain to overwrite the virtual function table of a sound object to gain full control. The exploit utilized several advanced exploit techniques to make it almost 100% reliable. The exploit used in the wild contains two major parts, one is HTML which sets up the page to exploit, and the other is a Flash file which builds the memory layout in IE process and triggers the bug. Two parts must be combined to ensure a successful attack. The attack separated critical code into different pieces so that researchers could not reproduce the original exploit until they have both files.

The techniques used in this exploit are similar to those used in other recent attacks. Last year, exploitation of CVE-2013-3163 targeted Internet Explorer 8 and earlier this year, we found exploitation of CVE-2014-0322 in Internet Explorer 10. Similarities in each of these exploits indicate that they may have been created by the same author. All three exploits share the same exploit techniques:

  • Utilizing Flash to set up the memory layout.
  • Triggering the exploit code from Flash.
  • Using the vector object in Flash to access arbitrary memory.
  • Using a sound object vtable overwrite to gain EIP control.

All the Flash files used across the exploits have similar structures and even the same variable names. For example, they all use the Timer object to check if a Vector object is modified. The Timers are all set to repeat every one second for 4,096 seconds. The Vector object is named ‘s’ and the Sound object is named “ss” in the Flash files used in all three exploits. The following code is snippet from the disassembled ActionScript code of CVE-2014-1776.

private var found:Boolean = false;public var org:String = “vector”;

Neither of these variables is actually used in this exploit. If we go back and examine the exploit code for CVE-2013-3163, we see that the string ‘org’ was originally used as the trigger, and the variable ‘found’ was originally used as a flag indicating if the Vector object was modified. It appears that the attacker reused the code from the earlier exploit and forgot to remove the unnecessary variables.

s[_local28][(((_local41 – _local12) / 4) + 7)] = 0x18002D89;s[_local28][(((_local41 – _local12) / 4) + 8)] = 3096451096;

s[_local28][(((_local41 – _local12) / 4) + 9)] = _local9;

s[_local28][(((_local41 – _local12) / 4) + 10)] = 13078672;

s[_local28][(((_local41 – _local12) / 4) + 11)] = _local7;

s[_local28][(((_local41 – _local12) / 4) + 12)] = 3096481936;

s[_local28][(((_local41 – _local12) / 4) + 13)] = (this.m_longArrBase – 8);

s[_local28][(((_local41 – _local12) / 4) + 14)] = 13078672;

s[_local28][(((_local41 – _local12) / 4) + 15)] = this.m_rawLen;

s[_local28][(((_local41 – _local12) / 4) + 16)] = 3968066955;

s[_local28][(((_local41 – _local12) / 4) + 17)] = 753635372;

The exploit uses the code above to restore the corrupted object and save the stack frame on the heap so that the process would not crash after the exploit is successful. All three exploits use the same method and similar addresses to achieve that goal, even including the same hard coded assembly and registers.

_local6 = (m_longArrBase + 248);_local12 = m_longArrBase;

_local10 = this.m_ZwProtectAddr;

_local41 = _local6;

s[_local28][((((_local6 – _local12) / 4) – 2) – 4)] = (_local41 & 0xFFFFF000);

s[_local28][((((_local6 – _local12) / 4) – 1) – 4)] = 0x3000;

s[_local28][((_local6 – _local12) / 4)] = _local10;

s[_local28][(((_local6 – _local12) / 4) + 1)] = (_local41 + 28);

The code above shows the Flash code setting up the ROP chain to bypass DEP and includes another interesting marker. Normally programmers begin counting at 0 when referencing arrays, but in all three exploits they began at -2, which is quite unusual. Additionally, each sample uses a Sound object named ‘snd’ to gain control, and they all invoke the function toString().

The many similarities between these exploits lead us to believe they were written by the same actor or group. Or at the very least, a common template has been used to craft exploits for the three Internet Explorer vulnerabilities we analyzed. This re-use of techniques is common among exploits, even if they were not developed by the same group, and Palo Alto Networks employs a unique payload-based signature detection methodology, which is able to look at the behaviors of an exploit to prevent similar attacks in the future.

Palo Alto Networks customers with a Threat Prevention subscription were automatically protected from exploitation of these vulnerabilities:

  • CVE-2014-1776 with content release 433-2194 (#36435)
  • As well as the previous exploits detected earlier this year:
    • CVE-2013-3163 (#36016, #36021, #36024, #36025, #36028, #36265)
    • CVE-2014-0322 (#36426, #364267, #36346, #36347, #36348)
  • We are integrating Cyvera’s next-generation endpoint solution into our security platform. This integration will provide customers with the ability to stop zero-day attacks on browsers and operating systems to prevent future breaches that exploit unknown vulnerabilities, as we have seen used in CVE-2014-1776.

We suggest customers ensure they are running the latest content version on their devices and apply the patches Microsoft released on May 1, 2014.