
Sunday, October 16, 2011

Reversing the Aurora Vulnerability CVE-2010-0249:

Well, this is a year-old vulnerability, but I thought of documenting it as it was quite famous

and was all over the television news. Here are some links:

http://indiatoday.intoday.in/story/Chinese+hackers+target+PMO/1/79215.html

http://www.wired.com/threatlevel/2010/01/operation-aurora/.

Enough of the stories.

Let's move on to the technical analysis.

I picked up a PoC from the internet and tested it on my XP SP2 machine.

I opened IE under WinDbg and loaded the PoC HTML in IE. IE crashed at the following location:

image

Looking at the disassembly of the location:

image

We see that the crash happens in CElement::GetDocPtr:

image

It looks like the ecx register holds an invalid address (the register dump further down shows ecx=aaaaaaaa), so dereferencing it causes the access violation.

Looking at the stack trace

image

Looking at the function mshtml!CEventObj::GenericGetElement

image

It looks like the ecx value is loaded from the address pointed to by esi, i.e. ecx = [esi].

Restart WinDbg and set a breakpoint:

bp mshtml!CEventObj::GenericGetElement+0x97

then press g. When Internet Explorer comes up, open the HTML page.


We break at that point and view the contents of the address pointed to by esi:

0:000> dds poi(esi) l1
036f7b30  7d4c1850 mshtml!CImgElement::`vftable'
0:000> dds ecx l1
036f7b30  7d4c1850 mshtml!CImgElement::`vftable'

We see that ecx points to a CImgElement object: the first dword at that address is the CImgElement vtable pointer.


Looking at the vtable:

0:000> dds 7d4c1850 l10
7d4c1850  7d6de377 mshtml!CImgElement::PrivateQueryInterface
7d4c1854  7d4f43c9 mshtml!CElement::PrivateAddRef
7d4c1858  7d4f4cdd mshtml!CElement::PrivateRelease
7d4c185c  7d519a0e mshtml!C1DElement::`vector deleting destructor'
7d4c1860  7d56c685 mshtml!CImgElement::Init
7d4c1864  7d56c5e0 mshtml!CImgElement::Passivate
7d4c1868  7d63ba1f mshtml!CBase::GetEnabled
7d4c186c  7d63ba1f mshtml!CBase::GetEnabled
7d4c1870  7d63b1f2 mshtml!CBase::GetPages
7d4c1874  7d63b644 mshtml!CBase::InterfaceSupportsErrorInfo
7d4c1878  7d6df0f8 mshtml!CImgElement::QueryStatus
7d4c187c  7d6dff5f mshtml!CImgElement::Exec
7d4c1880  7d4fad5c mshtml!CRect::CRect
7d4c1884  7d4f4e9d mshtml!CElement::SecurityContext
7d4c1888  7d4f7c1c mshtml!CBase::SecurityContextAllowsAccess
7d4c188c  7d5e71d8 mshtml!CElement::DesignMode

We can use the following WinDbg command to automate this and print which object [esi] points to each time the function is hit:

bp mshtml!CEventObj::GenericGetElement+0x93 ".printf \"esi = [%08x] \",esi;dds poi(esi) l1;gc"

I press g in WinDbg and see the following:

esi = [036f7f20] 036f7b30  7d4c1850 mshtml!CImgElement::`vftable'
esi = [036f7f20] 036f7b30  7d4c1850 mshtml!CImgElement::`vftable'
ModLoad: 75c50000 75cbe000   C:\WINDOWS\system32\jscript.dll
esi = [036f6b60] aaaaaaaa  ????????
(8b8.768): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=036f7bc0 ebx=aaaaaaaa ecx=aaaaaaaa edx=03703cd0 esi=036f6b60 edi=ffffffff
eip=7d4f2531 esp=0013e154 ebp=0013e174 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mshtml!CElement::GetDocPtr:
7d4f2531 8b01            mov     eax,dword ptr [ecx]  ds:0023:aaaaaaaa=????????

We see that [esi] points to a live CImgElement on every hit except the last one, where [esi] holds aaaaaaaa instead of an object pointer; that value is loaded into ecx, and GetDocPtr faults on mov eax,[ecx].

Restart WinDbg and clear all the old breakpoints using bc *.

Let us find out which functions write to this object. I set another breakpoint:

bp mshtml!CEventObj::GenericGetElement+0x97

and run. WinDbg breaks at the following location:

Breakpoint 0 hit
eax=0013e4c8 ebx=036f7b30 ecx=036f7b30 edx=0013dfc0 esi=036f7f20 edi=ffffffff
eip=7d6d5250 esp=0013df7c ebp=0013df98 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CEventObj::GenericGetElement+0x97:
7d6d5250 e8dcd2e1ff      call    mshtml!CElement::GetDocPtr (7d4f2531)

Let's set a hardware write breakpoint on the address held in ecx and see which functions write to it.

After the breakpoint is hit I clear all the breakpoints and set a breakpoint on write at ecx=036f7b30 (a 4-byte hardware breakpoint, so every write to the object's first dword, the vtable pointer, is reported):

0:000> bc *
0:000> ba w4 036f7b30 ".printf \"eip=[%08x] \n\n \",eip;u eip l1;gc"
0:000> g
eip=[7d519a43]    mshtml!CElement::~CElement+0x10:
7d519a43 7406            je      mshtml!CElement::~CElement+0x18 (7d519a4b)
ModLoad: 75c50000 75cbe000   C:\WINDOWS\system32\jscript.dll
eip=[7d4f2c22]    mshtml!CStr::Set+0x3e:
7d4f2c22 83c004          add     eax,4
(464.960): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=036f8a50 ebx=aaaaaaaa ecx=aaaaaaaa edx=03703df0 esi=036f7fc0 edi=ffffffff
eip=7d4f2531 esp=0013e154 ebp=0013e174 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mshtml!CElement::GetDocPtr:
7d4f2531 8b01            mov     eax,dword ptr [ecx]  ds:0023:aaaaaaaa=????????

It looks like the functions which write to that address before the crash are:

mshtml!CElement::~CElement
mshtml!CStr::Set

Note that a hardware write breakpoint fires after the writing instruction has executed, so the eip printed above (and the u eip l1 output) is the instruction following the actual write in each function, not the write itself.

A write from the CElement destructor followed by a write from the unrelated CStr::Set at the same address looks like the signature of a use-after-free: the CImgElement is destroyed, its memory is reused for string data, and the stale pointer is later dereferenced in GetDocPtr.
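To make the sequence exposed by the write breakpoint concrete, here is an added C example (not code from the original post and not mshtml's real object layout). A tiny first-fit allocator stands in for the IE heap so that chunk reuse is deterministic, an img_element whose first dword is a vtable pointer stands in for CImgElement, and an event_obj holding a raw pointer stands in for the slot that GenericGetElement loads into ecx. The names img_element, event_obj, img_release, cstr_set and get_doc_ptr, the base-class vtable constant and the 16-byte string length are assumptions for illustration; the vtable value 7d4c1850 and the 0xaa fill are taken from the trace above. The second function models one way the bug does not occur, the element being reference counted through the PrivateAddRef/PrivateRelease pattern visible in the vtable dump; it is a model of that idea, not Microsoft's actual fix.

```c
/* Added example: model of the use-after-free seen in the WinDbg session.
 * Hypothetical names and layout; only the vtable value and 0xaa fill come
 * from the trace. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 64
#define NCHUNKS 4

/* Tiny first-fit allocator standing in for the IE heap: a freed chunk is
 * handed out again on the next request, which is what lets a string buffer
 * land on top of a dead CImgElement. uint32_t storage keeps 4-byte alignment. */
static uint32_t arena[NCHUNKS][CHUNK_SIZE / sizeof(uint32_t)];
static int chunk_in_use[NCHUNKS];

static void *arena_alloc(void) {
    for (int i = 0; i < NCHUNKS; i++)
        if (!chunk_in_use[i]) { chunk_in_use[i] = 1; return arena[i]; }
    return NULL;
}
static void arena_free(void *p) {
    for (int i = 0; i < NCHUNKS; i++)
        if ((void *)arena[i] == p) chunk_in_use[i] = 0;
}

/* Model of a CImgElement: the first dword is the vtable pointer, the word that
 * `dds ecx l1` printed above. 32-bit fields keep the layout IE-like on any host. */
#define IMG_VTABLE   0x7d4c1850u   /* mshtml!CImgElement::`vftable' from the trace */
#define CELEM_VTABLE 0x7d4c0000u   /* hypothetical CElement base-class vtable */

typedef struct { uint32_t vtable; int32_t refcount; } img_element;

/* Model of the CEventObj slot GenericGetElement loads into ecx ([esi]). */
typedef struct { img_element *element; } event_obj;

static img_element *img_create(void) {
    img_element *e = arena_alloc();
    if (e) { e->vtable = IMG_VTABLE; e->refcount = 1; }  /* document's own ref */
    return e;
}

/* ~CElement stand-in. A C++ destructor rewrites the vptr to the base-class
 * vtable before the memory is released; that is assumed here to be the write
 * reported inside CElement::~CElement, the trace does not prove it. */
static void img_release(img_element *e) {
    if (--e->refcount == 0) {
        e->vtable = CELEM_VTABLE;
        arena_free(e);
    }
}

/* CStr::Set stand-in: grabs a buffer and fills it with 0xaa so the reuse is
 * visible; in the crash dump the value that replaced the pointer was aaaaaaaa. */
static void *cstr_set(size_t len) {
    void *s = arena_alloc();
    if (len > CHUNK_SIZE) len = CHUNK_SIZE;
    if (s) memset(s, 0xaa, len);
    return s;
}

/* GetDocPtr stand-in: `mov eax,[ecx]`, returned so a caller can inspect it. */
static uint32_t get_doc_ptr(const event_obj *ev) {
    return ev->element ? ev->element->vtable : 0;
}

/* Vulnerable flow: the event object keeps a raw pointer to the element and
 * never takes a reference, so the document's release frees it. */
uint32_t run_vulnerable(void) {
    memset(chunk_in_use, 0, sizeof chunk_in_use);
    img_element *img = img_create();
    event_obj ev = { img };          /* raw pointer, no AddRef */
    img_release(img);                /* document drops it: ~CElement, chunk freed */
    cstr_set(16);                    /* string reuses the chunk: 0xaa everywhere */
    return get_doc_ptr(&ev);         /* reads 0xaaaaaaaa through the stale pointer */
}

/* Hardened flow: the event object holds its own reference (the
 * PrivateAddRef/PrivateRelease pattern), so the element outlives the event. */
uint32_t run_fixed(void) {
    memset(chunk_in_use, 0, sizeof chunk_in_use);
    img_element *img = img_create();
    event_obj ev = { img };
    img->refcount++;                 /* event object AddRefs the element */
    img_release(img);                /* document drops it: 2 -> 1, still alive */
    cstr_set(16);                    /* string lands in a different chunk */
    uint32_t v = get_doc_ptr(&ev);   /* still the real vtable pointer */
    img_release(ev.element);         /* event releases: now actually freed */
    ev.element = NULL;
    return v;
}

int main(void) {
    printf("vulnerable GetDocPtr read: %08" PRIx32 "\n", run_vulnerable());
    printf("fixed GetDocPtr read:      %08" PRIx32 "\n", run_fixed());
    return 0;
}
```

Compile with any C11 compiler (cc -std=c11 -Wall uaf_model.c) and run: the first line prints aaaaaaaa, the same value the debugger showed in ecx, and the second prints the intact vtable value 7d4c1850. The model simplifies one thing: in the trace the aaaaaaaa value is what [esi] itself holds when the last hit happens, whereas here it is read through the stale element pointer; the order of events (destructor, reuse by string data, dereference of a pointer nobody cleared) is the part the example is meant to show.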

 


To be continued. . .
