Software Vulnerability Exploitation Blog

Friday, June 20, 2008

Exploiting Office: MS08-011 – Attacking using Malformed .WPS

Microsoft Office exploitation is still a relevant topic today. Microsoft Office and Internet Explorer are targets because they are the applications used every day and they interact with external entities more than other applications do. However, exploiting Microsoft Office is not trivial: you must know a lot about the Office document formats (Word, Excel, PowerPoint, etc.). I tried to learn these file formats from the internet and found that it is neither easy nor quick. I think learning a file format from an existing exploit may be the easier way, so I picked the MS08-011 Microsoft Works file (.WPS) vulnerability as the case study.

According to the Microsoft Security Bulletin, MS08-011 occurs when Microsoft Office or Microsoft Works Suite tries to convert a crafted .WPS file to another format. The vulnerability in this case is a stack-based buffer overflow, which is easier to exploit. I set up Microsoft Windows XP SP2 and Microsoft Office 2003 SP3 as the test base. To exploit this vulnerability, you have to install the Import Converter. If you have not installed it yet, Microsoft Word will install it when you try to open a .WPS file:

[screenshot]

I use Chujwamwdupe's exploit, which was tested on Windows XP SP2 de and Office 2003 SP3. This is the result:

[screenshot]

Microsoft Word crashes; however, the calculator is launched, which means the exploit succeeds without any modification. The exploit uses the return address 0x7c941eed, which points to a "jmp esp" instruction in XP SP2 de. When I look up this address on my machine, it points to the same instruction, which is why I don't have to change any part of the exploit.

I start debugging the vulnerability by changing the return address to 0x41414141 and re-running the exploit. However, it seems that all of the information on the stack is destroyed by the exploit, so I can't trace back to see what happened. Hmm... maybe I have to find more details in the exploit code instead. In the code, the author says that when you change the length of the TEXT section to a value greater than 0x10, the overflow will occur. I start by locating the magic characters of the .WPS file, "CHNKWKS", and then locate the "TEXT" characters. After the "TEXT" field, I see only one character that is not null:

[screenshot]

I think maybe this is the key to triggering the overflow. I change this value to 0x01 and re-run the exploit:

[screenshot]

This time it crashes in a different position from before, 0x61092ae7 (wkcvqd01!DllGetClassObject + 0x158fd). I assume the overflow may be related to this function, so I start disassembling the code section, and luckily the code is easy to understand:

[screenshot]

In short, this code copies data from the address pointed to by esi to the address pointed to by edi. esi gets its address from eax, and edi gets its address from ecx. Each loop iteration copies 12 bytes and checks the loop condition value stored at the address pointed to by ebx + 0Ah. I set the value 0x01 back to 0x2f, then set a breakpoint in the debugger at 0x61092ae7. When I run the exploit, the breakpoint-hit message appears on screen and I step through in the debugger until I see something interesting:

[screenshot]

At this step, the loop condition is loaded from the address pointed to by ebx + 0xa into esi, and its value is 0x2f!!! Yezzz, this is the value I suspected is an important key in the exploit. It is the number of loop iterations: on each iteration the program copies 12 bytes from source to destination, 12 * 0x2f = 564 bytes in total. If you calculate length of shellcode + number of bytes after 0x2f + length of the return address, you get 362 + 20 + 4 = 386 bytes, which is small enough for the value 0x2f to copy everything we need.
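As an added triage example (not code from the post or from the exploit it discusses), the heuristic below looks for the "CHNKWKS" magic and the "TEXT" chunk in a blob and derives how many bytes the converter's 12-byte-per-iteration loop would copy from the count byte; the exact offset of that byte after the tag is an assumption (the post only shows a single non-null byte there), so it is treated as the first non-zero byte within a small window.

```python
MAGIC = b"CHNKWKS"            # .WPS magic the post locates first
TEXT_TAG = b"TEXT"            # chunk whose count byte drives the copy loop
BYTES_PER_ITERATION = 12      # the disassembled loop copies 12 bytes per pass
SAFE_COUNT_LIMIT = 0x10       # exploit author's threshold quoted in the post
WINDOW = 16                   # assumption: count is the first non-null byte this close to the tag

def find_text_count(data):
    """Return (offset, count) for the byte the post identifies after "TEXT",
    or None. The layout is a heuristic: the post shows a single non-null byte
    after the tag, so we take the first non-zero byte within WINDOW bytes."""
    if MAGIC not in data:
        return None
    pos = data.find(TEXT_TAG)
    if pos < 0:
        return None
    start = pos + len(TEXT_TAG)
    for off in range(start, min(start + WINDOW, len(data))):
        if data[off] != 0:
            return off, data[off]
    return None

def assess(data):
    """Triage a blob: how many bytes the converter's loop would copy and
    whether that exceeds the threshold the post describes."""
    found = find_text_count(data)
    if found is None:
        return {"suspicious": False, "reason": "no CHNKWKS/TEXT chunk"}
    off, count = found
    return {
        "suspicious": count > SAFE_COUNT_LIMIT,
        "count": count,
        "bytes_copied": count * BYTES_PER_ITERATION,
        "offset": off,
    }

def constructed_sample(count):
    """Constructed placeholder blob, not a real .WPS file: just the two markers
    and a count byte, padded with nulls, so the heuristic can be exercised."""
    return (b"\x00" * 8 + MAGIC + b"\x00" * 16 + TEXT_TAG
            + b"\x00" * 3 + bytes([count]) + b"\x00" * 64)
```

Run assess() over real .WPS samples to confirm the window assumption before relying on it; a count of 0x2f yields the 564 bytes computed in the post.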

I continue in the debugger until it exits the loop; the stack looks like this:

[screenshot]

Our return address is stored at 0x001242e8 and the start of the shellcode is at 0x001242ec. After this step we see two "pop" instructions and one "ret" instruction, then the flow of execution transfers to 0x61091b25, wkcvqd01!DllGetClassObject + 0x1493b:

[screenshot]

I continue stepping until I reach a "ret" instruction again:

[screenshot]

Now it's easy to understand what happens next ;) Microsoft Word returns to the address on the stack, which points to the "jmp esp" instruction. After that, the program lands on the stack where our shellcode is stored:

[screenshot]

End ^=^

Monday, June 16, 2008

Blended Threat: Attacking Windows Users using Safari’s and IE’s Vulnerabilities

One year / One entry ^_^. Normally, many information security people use more than one web browser because this can make surfing the web more secure. You can choose which web browser to use for a specific site, so you can avoid using a vulnerable browser to visit a suspicious web site. But do you think using multiple browsers could get your machine infected with malware instead of making it more secure, lol? Yes, I'm talking about the vulnerabilities of two web browsers, Safari and Internet Explorer. Each vulnerability is considered moderate/low severity; however, when these vulnerabilities are used together the severity becomes critical. The vulnerabilities I describe in this entry are Safari "Carpet Bomb" and Internet Explorer "DLL Load Hijack".

Safari Carpet Bomb, discovered by Nitesh Dhanjani, is a vulnerability of Apple's web browser on OS X and Microsoft Windows. When a user browses a specially crafted website with Safari, Safari will download a file onto the user's machine without any user interaction (the default location is the Desktop). The trick that forces Safari to download the file onto the user's machine is an iframe:

...
<iframe src="somefile" width=xxx height=xxx></iframe>
...

I install Safari 3.3.1 (525.17), the latest version of Safari, and browse to my crafted website. The result is below:

[screenshot]

Safari downloads 3 files onto the Desktop: A, B and C. Many people, including Apple, consider this behavior to be of little or no harm, since a file downloaded onto the user's machine cannot be executed by Safari itself. Yes, their attitude was right until Aviv Raff pointed out something important.

Aviv Raff, a brilliant security researcher, discovered something that escalates Safari's vulnerability to critical severity. He released a screenshot to prove that command execution can occur when Safari's vulnerability is combined with Internet Explorer's behavior. If you look at what he discovered about IE in the past, you will see something very interesting. In December 2006, Aviv Raff discovered that IE7 has behavior that may be dangerous to the user: for some DLLs, IE7 searches the PATH environment variable and loads the first match into memory. In some situations, IE7 will search the Desktop. If an attacker has the ability to put DLLs on the victim's Desktop, he has won the game...

Now I think you already know how to put things together, right? :) Trick the user into downloading files onto the Desktop using Safari's vulnerability and wait for the user to launch IE. To test this, I create 3 DLL files - sqmapi.dll, imageres.dll and schannel.dll - which launch calc.exe, notepad.exe and mspaint.exe. Is it necessary to name the DLLs like this? According to Aviv's information, only these DLLs can be used to hijack IE. This is the result when I use Safari to browse the web and then open IE7:

[screenshot]

and this screenshot confirms that IE7 has launched calc, notepad and mspaint:

[screenshot]

If you would like to see which paths IE searches, and in what order, you can use Process Monitor to view it. This is the snapshot from Process Monitor:

[screenshot]

From the picture above, I can assume that IE's search path is in the following order:

  • C:\Program Files\Internet Explorer\
  • C:\WINDOWS\system32\
  • C:\WINDOWS\system\
  • C:\WINDOWS\
  • C:\Documents and Settings\username\Desktop
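As an added audit example (not code from the post), the function below walks the search order listed above for the three DLL names the post mentions and reports whether each would resolve to a system directory or to a user-writable one such as the Desktop; the filesystem snapshots, the trusted-prefix list and the NTFS-style case folding are assumptions made here so the logic runs offline.

```python
# Search order the post infers from Process Monitor (first hit wins).
IE_SEARCH_ORDER = [
    r"C:\Program Files\Internet Explorer",
    r"C:\WINDOWS\system32",
    r"C:\WINDOWS\system",
    r"C:\WINDOWS",
    r"C:\Documents and Settings\username\Desktop",
]
# DLL names the post says IE7 loads through this search.
HIJACKABLE_DLLS = ("sqmapi.dll", "imageres.dll", "schannel.dll")
# Prefixes a normal user cannot write under (assumption for this example).
TRUSTED_PREFIXES = (r"c:\program files\internet explorer", r"c:\windows")

def resolve_dll(name, search_order, exists):
    """Return the path the loader would pick first, or None. `exists` is a
    predicate: os.path.exists for a live box, or a constructed snapshot."""
    for directory in search_order:
        candidate = directory.rstrip("\\") + "\\" + name
        if exists(candidate):
            return candidate
    return None

def audit(search_order, exists, dll_names=HIJACKABLE_DLLS):
    """Classify each DLL: missing, trusted (system dir) or planted (user dir)."""
    findings = {}
    for name in dll_names:
        path = resolve_dll(name, search_order, exists)
        if path is None:
            findings[name] = ("missing", None)
        elif path.lower().startswith(TRUSTED_PREFIXES):
            findings[name] = ("trusted", path)
        else:
            findings[name] = ("planted", path)
    return findings

def snapshot(*paths):
    """Constructed, case-insensitive filesystem snapshot (NTFS-like)."""
    present = {p.lower() for p in paths}
    return lambda p: p.lower() in present

# Constructed scenario matching the post: all three DLLs carpet-bombed
# onto the Desktop with nothing shadowing them earlier in the order.
DESKTOP = r"C:\Documents and Settings\username\Desktop"
CARPET_BOMBED = snapshot(*(DESKTOP + "\\" + n for n in HIJACKABLE_DLLS))
# Constructed counter-example: a copy in system32 is found first, so the
# planted Desktop file is never loaded.
SHADOWED = snapshot(r"C:\WINDOWS\system32\schannel.dll", DESKTOP + r"\schannel.dll")
```

On a real machine pass os.path.exists as the predicate and substitute the current user's profile path in the last search entry.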

Have fun with them ^_^

P.S. This attack is also called a "Blended Threat", meaning an attack that combines two or more different software vulnerabilities.