An Introduction to Internet Explorer DLL Vulnerability and Damage Analysis Bo Sun, Dawei Su {sun, dsu}@cs.fsu.edu

An Introduction to Internet Explorer DLL Vulnerability and Damage Analysis

Bo Sun, Dawei Su {sun, dsu}@cs.fsu.edu

• 1. Introduction and Background
• 2. Problem Description
• 3. What We Did
• 4. Damage Analysis
• 5. Solution

II. Problem Description

Internet Explorer “404 Not Found” Page

II. Problem Description (cont'd)

• The page is stored as a resource inside a DLL, ieframe.dll, under the name navcancl.htm. In IE6 the DLL is shdoclc.dll, and one of the HTML resource names is dnserror.htm.

• This navcancl.htm can be extracted from the DLL using resource-editing tools such as Resource Hacker®.

• Arbitrary code can then be inserted into it.

Analysis of the 404 Not Found page

III. What we did

• The HTML part is easily found in the shdoclc.dll file. We can add a customized function after onload=, or simply add something like the following:

    <script>alert("Hello World!");</script>

Hacking Internet Explorer 6

III. What we did (cont'd)

Hacking Internet Explorer 6 (cont'd)

Hacking Internet Explorer 7

• In IE7 there is practically no such DLL containing these HTML parts, since Microsoft created a separate file, ieframe.dll.mui, to store the HTML, while ieframe.dll stores the JavaScript that dynamically generates the error messages.

III. What we did (cont'd)

Simple Attack – Resource Consumption

• The code is inserted directly below the <body> tag:

    <script>
    while(1) { window.open(""); /* 'alert()' can also be used here */ }
    </script>

III. What we did (cont'd)

Simple Attack – CPU and Stack Attack

• An example showing a CPU and stack attack by calculating the Fibonacci numbers:

    <script>
    function fibonacci(n) {
        if (n > 1) return fibonacci(n-1) + fibonacci(n-2);
        if (n <= 0) return 0;
        return 1;
    }
    for (i = 0; i < 100000; i++)
        document.write("Fibonacci number " + i + " is " + fibonacci(i) + "<br>");
    </script>

III. What we did (cont'd)

Simple Attack – Social Engineering Attack

• Modify the HTML code in ieframe.dll.mui.

• We can add
  – some if-goto statements, or
  – ask the DLL file to modify the hosts file.

• Once the user types suntrust.com, the browser looks up the spoofed file, which is then displayed on screen.

• We can also add some hidden code and wait. When the user encounters an error, e.g. he/she enters a URL like sutrust.com, the script captures it and displays the fake page.

III. What we did (cont'd)

Simple Attack – Social Engineering Attack (cont'd)

• On the attacker's server:
  – Write code on the server to receive the bank account information.

III. What we did (cont'd)

Simple Attack – Social Engineering Attack (cont'd)

IV. Damage Analysis

• Some attackers can gain remote control of the user's account by altering certain HTML parts of the DLL file. The compromised computer can then be used as a node to launch a DDoS attack.

Serious Damage Examples

Antivirus and Firewall Software

• We tested the infected DLL file with Symantec Antivirus / Firewall and Kaspersky Internet Security, with the security level in both products set to Highest.

• Even though the software reports to the user when the DLL file tries to access the Internet, most users will let it pass, since users, like the software, tend to trust the operating system.

IV. Damage Analysis (cont'd)

Antivirus and Firewall Software (cont'd)

IV. Damage Analysis (cont'd)

Activity                                            Symantec                  Kaspersky
Local Modifications (Modify System Files)           No Response               No Response
Local Activities (Open Windows, Read Hard Drives)   No Response               No Response
Access Internet (Sending Account Info, eMail)       Report as IE's Activity   Report as ieframe.dll's activity
Typical Worm Code Segment                           Report as IE's Activity   Report as ieframe.dll's activity

V. Solution

• Applied in Windows XP to prevent programs from replacing critical Windows system files, which include ieframe.dll*

• WFP uses file signatures and catalog files, generated by code signing, to verify protected system files.

• Windows XP checks the signatures about every 6 to 7 seconds.

Windows File Protection (WFP)

• Replacement of protected system files is supported only through the following mechanisms:
  – Windows Service Pack installation using Update.exe
  – Hotfixes installed using Hotfix.exe or Update.exe
  – Operating system upgrades using Winnt32.exe
  – Windows Update

• Otherwise the system prompts the user to use the installation disk to recover the damaged files.

V. Solution (cont'd)

Windows File Protection (WFP) (cont'd)

• Two major defects:
  – The prompt can be overridden by users.
  – There are now tools that completely disable the prompt dialogue, and therefore disable the whole protection system.

V. Solution (cont'd)

Windows File Protection (WFP) (cont'd)

Write access protection

• A better way to prevent this malicious modification is to implement a file system like UNIX's:
  – Users, including root, do not have write access to some system files.
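The damage-analysis table shows neither product objecting when a system DLL is modified locally, and WFP's own defence is a signature comparison against a known-good record. As an added example (not part of the original slides), this Python script performs the simplest form of that check: it records SHA-256 digests of the DLLs the slides name, then reports which ones changed or vanished. The temporary directory, the dummy file contents and the appended script tag are constructed stand-ins, not real system files.

```python
import hashlib
import os
import tempfile

# Files the slides name as carriers of IE's built-in error pages
# (navcancl.htm, dnserror.htm); paths are relative to the system directory.
PROTECTED_FILES = ["ieframe.dll", "ieframe.dll.mui", "shdoclc.dll"]


def sha256_of(path):
    """Hash a file in chunks so a large DLL need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(system_dir, names=PROTECTED_FILES):
    """Record a known-good digest for each protected file that exists."""
    paths = {n: os.path.join(system_dir, n) for n in names}
    return {n: sha256_of(p) for n, p in paths.items() if os.path.exists(p)}


def verify(system_dir, baseline):
    """Return {name: 'ok' | 'modified' | 'missing'} against the baseline."""
    report = {}
    for name, expected in baseline.items():
        path = os.path.join(system_dir, name)
        if not os.path.exists(path):
            report[name] = "missing"
        else:
            report[name] = "ok" if sha256_of(path) == expected else "modified"
    return report


def demo():
    """Constructed scenario: dummy DLLs in a temporary 'system' directory,
    then an inline <script> appended to ieframe.dll.mui as in the slides."""
    with tempfile.TemporaryDirectory() as d:
        for n in PROTECTED_FILES:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"MZ placeholder for " + n.encode())
        baseline = build_baseline(d)
        with open(os.path.join(d, "ieframe.dll.mui"), "ab") as f:
            f.write(b'<script>alert("Hello World!");</script>')  # tampering
        os.remove(os.path.join(d, "shdoclc.dll"))  # file deleted outright
        return verify(d, baseline)
```

A real deployment would store the baseline off-host and compare against vendor-signed catalogs rather than self-recorded digests, since an attacker who can rewrite the DLL can usually rewrite a local baseline too.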

V. Solution (cont'd)


Thank you! Any questions?