Digging deeper into the IE vulnerability CVE-2014-1776 with Cyphort
Uploaded by: cyphort. Category: Technology.
Transcript of Digging deeper into the IE vulnerability CVE-2014-1776 with Cyphort
Digging Deeper into the IE Vulnerability
Malware's Most Wanted Series, May 2014
Your Speakers Today
Marion Marschalek, Malware Analyst and Researcher
Anthony James, VP of Marketing and Products
Agenda
o Introduction to Cyphort Labs
o Anatomy of web browser attacks
o Finding and dissecting active attacks
o CVE-2014-1776 details and impact
o How to mitigate risk
o Q & A
Cyphort Labs T-shirt
About Cyphort Labs
We work with the security ecosystem
o Contribute to and learn from malware KB
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
Global malware research team
o 24X7 monitoring for malware events
Anatomy of a Drive-by
VULNERABILITY -> EXPLOIT -> PAYLOAD
Figure: actors (Attacker, Victim, Legitimate Web Server, Exploit Hosting Server, Malware Distribution Server) and the steps drawn between them:
o Attacker -> Legitimate Web Server: injects malicious javascript
o Legitimate Web Server -> Victim: redirects to exploit server
o Exploit Hosting Server -> Victim: serves exploit
o Victim: executes exploit and payload
o Malware Distribution Server -> Victim: downloads malicious executable
Exploitation: Hostile Takeover
Mission Statement: Control EIP
EIP = Instruction Pointer
Control of EIP = Control of Execution
Back to the Roots ...
Figure: stack frame diagram with the labels Parameters, Saved EBP, Return Address, Parameters, Local Variables. A copy into the local buffer[32] overflows past it (drawn as a stretched "buffer overflow"), and the Return Address slot receives the bytes \xef\x65\x41\x01.
Smashing the Stack for Fun and Profit – Aleph One, 1996
On return the program will execute at 0x014165ef where the shellcode is waiting.
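The slide above describes the classic stack smash in one sentence. The following is an added example, not code from the Cyphort deck: it simulates the frame the slide draws (a 32-byte local buffer, the saved EBP, the return address) as a plain struct, so the effect of an unchecked copy can be observed deterministically without corrupting the real stack, and sets it beside the bounds-checked copy that refuses the same input. The frame layout, the placeholder EBP and return values, and the little-endian byte order are assumptions; the bytes \xef\x65\x41\x01 and the resulting 0x014165ef are the slide's own.

```c
/* Added example, not part of the Cyphort deck: a simulated stack frame that
 * shows how an unchecked copy into a 32-byte local buffer overwrites the
 * saved return address, next to the bounds-checked copy that prevents it.
 * The "frame" is an ordinary struct, so the demonstration is deterministic
 * and never corrupts the real stack of the running program. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout, lowest address first: the local buffer, then
 * the saved frame pointer, then the return address, as in the slide. */
struct sim_frame {
    char     buffer[32];
    uint32_t saved_ebp;
    uint32_t return_address;
};

#define INITIAL_EBP 0xBFFFF000u   /* constructed placeholder values */
#define INITIAL_RET 0x00401000u

/* Unchecked copy: like strcpy()/memcpy() with a caller-supplied length, the
 * write runs through buffer[] into the rest of the frame. Returns the return
 * address the frame holds afterwards (the length is clamped to the struct
 * so the simulation itself stays in bounds). */
uint32_t unchecked_copy(const unsigned char *input, size_t len) {
    struct sim_frame frame;
    memset(&frame, 0, sizeof frame);
    frame.saved_ebp = INITIAL_EBP;
    frame.return_address = INITIAL_RET;
    memcpy(&frame, input, len < sizeof frame ? len : sizeof frame);
    return frame.return_address;
}

/* Bounded copy: rejects anything that does not fit in buffer[32] with its
 * terminator, so saved EBP and the return address are never touched.
 * Returns the frame's return address; *rejected (if non-NULL) reports the
 * refusal. */
uint32_t bounded_copy(const unsigned char *input, size_t len, int *rejected) {
    struct sim_frame frame;
    memset(&frame, 0, sizeof frame);
    frame.saved_ebp = INITIAL_EBP;
    frame.return_address = INITIAL_RET;
    if (len >= sizeof frame.buffer) {
        if (rejected) *rejected = 1;
        return frame.return_address;
    }
    memcpy(frame.buffer, input, len);
    frame.buffer[len] = '\0';
    if (rejected) *rejected = 0;
    return frame.return_address;
}

/* Convenience wrapper: 1 if the bounded copy refused the input. */
int bounded_copy_rejects(const unsigned char *input, size_t len) {
    int rejected = 0;
    (void)bounded_copy(input, len, &rejected);
    return rejected;
}

/* Constructed input: 32 bytes fill the buffer, 4 more cover saved EBP, and
 * the last 4 are the slide's \xef\x65\x41\x01, which reads as 0x014165ef
 * on a little-endian machine (assumed here). */
static const unsigned char SAMPLE_INPUT[] =
    "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"   /* buffer[32] */
    "BBBB"                                        /* saved EBP */
    "\xef\x65\x41\x01";                           /* return address */
#define SAMPLE_LEN (sizeof SAMPLE_INPUT - 1)

int main(void) {
    int rejected;
    printf("unchecked copy: return address becomes 0x%08x\n",
           (unsigned)unchecked_copy(SAMPLE_INPUT, SAMPLE_LEN));
    uint32_t ret = bounded_copy(SAMPLE_INPUT, SAMPLE_LEN, &rejected);
    printf("bounded copy: rejected=%d, return address still 0x%08x\n",
           rejected, (unsigned)ret);
    return 0;
}
```

The unchecked path ends with the frame's return address equal to 0x014165ef, which is exactly the slide's "on return the program will execute at 0x014165ef"; the bounded path leaves it at the placeholder value and reports the refusal, which is the property a length check (or a compiler's stack protector) is there to preserve.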
Vulnerabilities Exploited Today
Source: Microsoft Security Intelligence Report Vol.16 (http://www.microsoft.com/security/sir/)
The Zero-day Phenomenon
Source: Before We Knew It, Symantec Research (http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf)
The Zero-day Phenomenon
Figure: attacks plotted over time (x axis: TIME, y axis: ATTACKS) with the milestones Vulnerability introduced, Vulnerability disclosed, Exploit released in the wild, Vendor patch released, Patch widely deployed; the region labelled Zero-Day Attacks.
Poll #1 – Most expensive exploit
Which Zero-day exploit do you think is most expensive on the black market?
o Adobe Reader
o Internet Explorer
o Flash
o Firefox
The Legitimate Vulnerability Market
o Price depends on vulnerability impact and exploitability
o Need for trusted third party
Source: Forbes (http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/)
Web Browser as Window to the Endpoint
Internet Explorer Exposed: CVE-2014-1776
o Revealed end of April 2014
o Official patch from Microsoft May 1st
o Affecting IE versions 6 to 11
o Use-After-Free vulnerability
Internet Explorer Exposed: CVE-2014-1776
Figure: exploit flow across the three components .html, vshow.swf and cmmon.js, with the steps:
o Heap Preparation
o Decryption of ExploitString
o Timer Registration for proc()
o Eval(ExploitString)
o Prepare ROP Chain
o Corrupt Memory
o Invoke Patched toString()
o send ExploitString via ExternalInterface
Techniques used: Heap Spraying, Use After Free, ROP Chain, Shellcode
Internet Explorer Exposed: CVE-2014-1776 – Heap Spraying
Figure: process memory (Stack, Code, Heap) during Heap Preparation. The heap is filled with many copies of NOP+SC (a NOP sled followed by shellcode); the exploit's ROP chain then jumps into the sprayed heap.
Internet Explorer Exposed: CVE-2014-1776 – Use After Free
Figure: a Class Object starts with a Pointer to vtable followed by its Member variables; the vtable holds the entries Function1(), Function2(), Function3().
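The vtable diagram above is the whole reason a use-after-free is dangerous: a virtual call reads the vtable pointer from whatever bytes sit at the object's old address. The following is an added example, not code from the Cyphort deck: it models the slide's layout (vtable pointer first, member variables after) in C, together with a hypothetical one-slot pool allocator that reuses freed memory, and shows both the stale dispatch and a generation-tagged handle check that refuses it. The class names, the pool and the handle scheme are assumptions made for the illustration.

```c
/* Added example, not part of the Cyphort deck: a miniature object model with
 * the vtable pointer in front of the member variables (the layout on the
 * slide), plus a hypothetical one-slot pool allocator that reuses freed
 * memory. It shows why calling a virtual function through a stale pointer
 * dispatches through whatever object now occupies that memory, and how a
 * generation-tagged handle detects the stale use before dispatching. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct object;
typedef int (*method_fn)(const struct object *);

/* vtable: one function pointer per virtual function */
struct vtable {
    method_fn function1;
    method_fn function2;
    method_fn function3;
};

/* class object: pointer to vtable first, member variables after it */
struct object {
    const struct vtable *vt;
    int member_a;
    int member_b;
};

/* A "sound"-like class (hypothetical) whose functions combine the members. */
static int sound_function1(const struct object *o) { return o->member_a + o->member_b; }
static int sound_function2(const struct object *o) { return o->member_a * 2; }
static int sound_function3(const struct object *o) { return o->member_b * 3; }
static const struct vtable SOUND_VTABLE = { sound_function1, sound_function2, sound_function3 };

/* An unrelated class that returns a recognisable marker value. */
static int other_function(const struct object *o) { (void)o; return -1; }
static const struct vtable OTHER_VTABLE = { other_function, other_function, other_function };

/* Hypothetical one-slot pool: a freed slot is handed out again by the next
 * allocation, the reuse that makes dangling pointers dangerous. */
static struct object pool_slot;
static int pool_in_use;
static uint32_t pool_generation;   /* bumped on every free */

struct handle {
    struct object *ptr;
    uint32_t generation;           /* pool generation at allocation time */
};

struct handle pool_alloc(const struct vtable *vt, int a, int b) {
    struct handle h = { NULL, 0 };
    if (pool_in_use) return h;     /* exhausted: null handle */
    pool_in_use = 1;
    pool_slot.vt = vt;
    pool_slot.member_a = a;
    pool_slot.member_b = b;
    h.ptr = &pool_slot;
    h.generation = pool_generation;
    return h;
}

void pool_free(struct handle h) {
    if (h.ptr == &pool_slot && h.generation == pool_generation && pool_in_use) {
        pool_in_use = 0;
        pool_generation++;         /* every older handle is now stale */
    }
}

/* Unchecked virtual call: trusts the raw pointer, as compiled C++ does. */
int call_function1_unchecked(struct handle h) {
    return h.ptr->vt->function1(h.ptr);
}

/* Checked virtual call: refuses a null or stale handle; *ok reports it. */
int call_function1_checked(struct handle h, int *ok) {
    if (h.ptr == NULL || !pool_in_use || h.generation != pool_generation) {
        *ok = 0;
        return 0;
    }
    *ok = 1;
    return h.ptr->vt->function1(h.ptr);
}

/* Scenario: allocate a sound object, free it, let another object take the
 * slot, then call through the stale handle without checking. */
int stale_use_result(void) {
    struct handle sound = pool_alloc(&SOUND_VTABLE, 2, 3);
    pool_free(sound);
    struct handle other = pool_alloc(&OTHER_VTABLE, 0, 0);
    int r = call_function1_unchecked(sound);   /* runs OTHER_VTABLE's code */
    pool_free(other);
    return r;
}

/* Same scenario through the checked call: 1 if the stale use was refused. */
int stale_use_is_detected(void) {
    struct handle sound = pool_alloc(&SOUND_VTABLE, 2, 3);
    pool_free(sound);
    struct handle other = pool_alloc(&OTHER_VTABLE, 0, 0);
    int ok = 1;
    (void)call_function1_checked(sound, &ok);
    pool_free(other);
    return ok == 0;
}

/* Control: a live object dispatches normally through SOUND_VTABLE. */
int live_use_result(void) {
    struct handle sound = pool_alloc(&SOUND_VTABLE, 2, 3);
    int ok = 0;
    int r = call_function1_checked(sound, &ok);
    pool_free(sound);
    return ok ? r : -999;
}

int main(void) {
    printf("live object, function1: %d\n", live_use_result());
    printf("stale handle, unchecked: %d\n", stale_use_result());
    printf("stale handle, checked and refused: %d\n", stale_use_is_detected());
    return 0;
}
```

The unchecked call through the freed handle runs the other class's code because the slot's first field, the vtable pointer, now belongs to the new occupant; nothing in the call site can tell. The generation check is one shape of the discipline (owning pointers cleared on free, tagged handles, or a hardened allocator that delays reuse) that turns the same mistake into a detectable error instead of a hijacked indirect call.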
Internet Explorer Exposed: CVE-2014-1776 – ROP Chain
Exploit steps:
o Overwrite Object Length
o Corrupt Sound Object
o Call Stack Pivot + ROP
o Call ZwProtectVirtualMemory
Internet Explorer Exposed: CVE-2014-1776 – Shellcode
o Dynamic resolution of API addresses
o Final exploit action
3 Key Mitigations
o Keep Your Systems Up-to-Date
o Activate EMET 4.1
o Break the Kill Chain By Applying Holistic Security
Q and A
o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware