Digging Deeper into the IE Vulnerability CVE-2014-1776 with Cyphort
DESCRIPTION
Web browser vulnerabilities remain fertile ground for hackers to harvest and mount attacks. The latest vulnerabilities found in Internet Explorer, and the urgent response from Microsoft, highlight the fact that despite end-of-life announcements for old and less secure products, millions of users remain exposed to threats. Topics covered:
o Web browser attacks and how the vulnerabilities are exploited
o How CVE-2014-1776 impacts you
o Finding and dissecting active attacks
o How to mitigate the impact of attacks based on browser vulnerabilities
TRANSCRIPT
Digging Deeper into the IE Vulnerability
Malware’s Most Wanted Series May 2014
Your Speakers Today
Marion Marschalek, Malware Analyst and Researcher
Anthony James, VP of Marketing and Products
Agenda
o Introduction to Cyphort Labs
o Anatomy of web browser attacks
o Finding and dissecting active attacks
o CVE-2014-1776 details and impact
o How to mitigate risk
o Q & A
Cyphort Labs T-shirt
About Cyphort Labs
o We work with the security ecosystem: contribute to and learn from the malware KB
o We enhance malware detection accuracy: false positives/negatives
o Deep-dive research
o Global malware research team: 24x7 monitoring for malware events
Anatomy of a Drive-by
[Figure: three stages, VULNERABILITY, EXPLOIT and PAYLOAD, played out between the Attacker, the Victim, a Legitimate Web Server, an Exploit Hosting Server and a Malware Distribution Server]
1. The attacker injects malicious JavaScript into the legitimate web server
2. The legitimate web server redirects the victim to the exploit server
3. The exploit hosting server serves the exploit
4. The victim executes the exploit, which downloads the malicious executable from the malware distribution server
5. The victim executes the payload
Exploitation: Hostile Takeover
Mission Statement: Control EIP
EIP = Instruction Pointer
Control of EIP = Control of Execution
Back to the Roots ...
[Figure: stack frame of a function with a 32-byte local buffer, low to high address: Local Variables (buffer[32]), Saved EBP, Return Address, Parameters. After the overflow, buffer[32] holds the filler "buuuufff feeeeero ooverfff loooooow", the saved EBP is clobbered, and the return address is overwritten with \xef\x65\x41\x01]
Smashing the Stack for Fun and Profit – Aleph One, 1996
On return the program will execute at 0x014165ef, where the shellcode is waiting.
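The following is an added example, not code from the Cyphort deck, that expresses the "Back to the Roots" diagram in bytes. A C struct stands in for the x86 cdecl frame of a function with a 32-byte local buffer, so the overflow can be shown deterministically rather than by relying on undefined behaviour; the target address 0x014165ef and the filler text are the deck's own values, while the "legitimate" return address 0x08048abc is a made-up placeholder.

```c
/* Added example, not from the Cyphort deck: the "Back to the Roots" stack
 * diagram expressed in bytes.  A struct stands in for the x86 cdecl frame of
 * a function with a 32-byte local buffer, so the overflow is shown
 * deterministically instead of relying on undefined behaviour.  The target
 * address 0x014165ef and the filler text are the deck's own values; the
 * original return address 0x08048abc is a made-up placeholder. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout from low to high address, as on the slide. */
struct frame {
    char     buffer[32];   /* local variable that gets overflowed */
    uint32_t saved_ebp;    /* caller's frame pointer */
    uint32_t ret_addr;     /* address "ret" will jump to */
};

/* x86 is little-endian, so 0x014165ef must be written as ef 65 41 01. */
static void put_le32(uint8_t *dst, uint32_t v) {
    dst[0] = (uint8_t)v;
    dst[1] = (uint8_t)(v >> 8);
    dst[2] = (uint8_t)(v >> 16);
    dst[3] = (uint8_t)(v >> 24);
}

/* Aleph One style payload: 32 bytes of filler that fill buffer[], 4 bytes
 * that land on the saved EBP, then the new return address.  Returns the
 * payload length, or 0 if the output buffer is too small. */
size_t build_payload(uint8_t *out, size_t cap, uint32_t target) {
    static const char filler[] = "buuuufff" "feeeeero" "ooverfff" "loooooow";
    const size_t len = sizeof(struct frame);   /* 32 + 4 + 4 = 40 bytes */
    if (cap < len) return 0;
    memcpy(out, filler, 32);
    memset(out + 32, 'B', 4);                   /* saved EBP: value irrelevant */
    put_le32(out + 36, target);                 /* overwrites the return address */
    return len;
}

/* The vulnerable copy: the payload is written into the frame without regard
 * for sizeof buffer, so bytes 32..39 spill over EBP and the return address.
 * The copy is clamped to the frame only so this demo itself stays defined. */
uint32_t smashed_return_address(const uint8_t *payload, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.ret_addr = 0x08048abcu;                   /* legitimate return site (placeholder) */
    memcpy(&f, payload, len < sizeof f ? len : sizeof f);
    return f.ret_addr;
}

/* Byte i of the deck's payload, for inspecting the little-endian encoding. */
uint8_t payload_byte(size_t i) {
    uint8_t payload[64];
    size_t n = build_payload(payload, sizeof payload, 0x014165efu);
    return i < n ? payload[i] : 0;
}

/* End-to-end: build the deck's payload and see where "ret" would go. */
uint32_t demo_smash(void) {
    uint8_t payload[64];
    size_t n = build_payload(payload, sizeof payload, 0x014165efu);
    return smashed_return_address(payload, n);
}

int main(void) {
    printf("payload bytes 36..39: %02x %02x %02x %02x\n",
           payload_byte(36), payload_byte(37), payload_byte(38), payload_byte(39));
    printf("return address after overflow: 0x%08" PRIx32 "\n", demo_smash());
    return 0;
}
```

The four bytes at the end of the payload are the whole trick: they sit exactly sizeof(buffer) + sizeof(saved EBP) bytes into the copy, which is where the return address lives, and they are reversed because the CPU reads the address little-endian.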
Vulnerabilities Exploited Today
Source: Microsoft Security Intelligence Report Vol. 16 (http://www.microsoft.com/security/sir/)
The Zero-day Phenomenon
Source: Before We Knew It, Symantec Research (http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf)
[Figure: attacks over time; x-axis: time, y-axis: attacks. Milestones in order: Vulnerability introduced, Vulnerability disclosed, Exploit released in the wild, Vendor patch released, Patch widely deployed]
Zero-Day Attacks: exploitation in the window before the vulnerability is publicly disclosed and patched.
Poll #1 – Most expensive exploit
Which zero-day exploit do you think is most expensive on the black market?
o Adobe Reader
o Internet Explorer
o Flash
o Firefox
The Legitimate Vulnerability Market
o Price depends on vulnerability impact and exploitability
o Need for a trusted third party
Source: Forbes (http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/)
Web Browser as Window to the Endpoint
Internet Explorer Exposed: CVE-2014-1776
o Revealed end of April 2014
o Official patch from Microsoft May 1st
o Affecting IE versions 6 to 11
o Use-After-Free vulnerability
[Figure: exploit flow across the three components .html, vshow.swf and cmmon.js]
Heap Preparation → Decryption of ExploitString → Timer Registration for proc() → send ExploitString via ExternalInterface → Eval(ExploitString) → Prepare ROP Chain → Corrupt Memory → Invoke Patched toString()
Internet Explorer Exposed: CVE-2014-1776
Techniques used by the exploit:
o Heap Spraying
o Use After Free
o ROP Chain
o Shellcode
Internet Explorer Exposed: CVE-2014-1776 – Heap Spraying
[Figure: process memory (Stack, Code, Heap). After heap preparation the heap is filled with repeated NOP+SC blocks (a NOP sled followed by shellcode), and the ROP chain ends with a jump into the heap]
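As an added example that is not part of the deck, the following simulates why a spray of NOP+SC blocks makes an imprecise jump into the heap reliable. A malloc'd byte array stands in for the sprayed heap, 0x90 is the x86 NOP opcode, and the "shellcode" is a constructed marker rather than real shellcode; the block count and block size are illustrative assumptions.

```c
/* Added example, not from the Cyphort deck: why a spray of NOP+SC blocks
 * makes an imprecise jump into the heap reliable.  A malloc'd byte array
 * stands in for the sprayed heap, 0x90 is the x86 NOP opcode, and the
 * "shellcode" is a constructed marker, not real shellcode.  Block count and
 * block size are illustrative assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum { BLOCK_SIZE = 0x1000, NBLOCKS = 64 };
static const uint8_t SHELLCODE[] = { 0xCC, 0xCC, 0xCC, 0xCC, 0xC3 }; /* constructed stand-in */
enum { SLED_SIZE = BLOCK_SIZE - (int)sizeof SHELLCODE };
#define HEAP_SIZE ((size_t)BLOCK_SIZE * NBLOCKS)

/* Heap preparation: NBLOCKS copies of [NOP sled][shellcode]. */
uint8_t *spray_heap(void) {
    uint8_t *heap = malloc(HEAP_SIZE);
    if (!heap) return NULL;
    for (int i = 0; i < NBLOCKS; i++) {
        uint8_t *block = heap + (size_t)i * BLOCK_SIZE;
        memset(block, 0x90, SLED_SIZE);
        memcpy(block + SLED_SIZE, SHELLCODE, sizeof SHELLCODE);
    }
    return heap;
}

/* What the CPU does when the ROP chain's final jump lands at `offset`:
 * each NOP is executed and skipped until the first non-NOP byte.  Returns 1
 * if that byte starts an intact shellcode copy, 0 if execution would start
 * mid-shellcode (or run off the end) and crash. */
int landing_reaches_shellcode(const uint8_t *heap, size_t offset) {
    while (offset < HEAP_SIZE && heap[offset] == 0x90)
        offset++;
    return offset + sizeof SHELLCODE <= HEAP_SIZE &&
           memcmp(heap + offset, SHELLCODE, sizeof SHELLCODE) == 0;
}

/* Spray, probe one landing offset, free. */
int demo_landing(size_t offset) {
    uint8_t *heap = spray_heap();
    if (!heap) return -1;
    int ok = landing_reaches_shellcode(heap, offset);
    free(heap);
    return ok;
}

/* Fraction of landing offsets within one block (all blocks are identical)
 * that execute the shellcode cleanly.  With a 4 KiB block and a 5-byte
 * shellcode only 4 offsets fail: the ones inside the shellcode after its
 * first byte.  A bigger sled per block means fewer bad landings. */
double demo_hit_rate(void) {
    uint8_t *heap = spray_heap();
    if (!heap) return 0.0;
    size_t hits = 0;
    for (size_t off = 0; off < BLOCK_SIZE; off++)
        hits += (size_t)landing_reaches_shellcode(heap, off);
    free(heap);
    return (double)hits / (double)BLOCK_SIZE;
}
```

The exploit does not need the exact address of any one block: any address that falls on a sled (here 4092 of every 4096 bytes) slides into the shellcode, which is why the ROP chain can end with a jump to a fixed heap address chosen before the spray.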
Internet Explorer Exposed: CVE-2014-1776 – Use After Free
[Figure: class object layout: pointer to vtable, then member variables; the vtable holds Function1(), Function2(), Function3()]
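The following is an added example, not code from the deck, of how a use-after-free turns into control of the vtable pointer in the layout above. C structs stand in for the C++ object (vtable pointer first, then member variables), and a tiny fixed-size allocator with a LIFO free list replaces the browser heap so that reuse of the freed slot is deterministic and the demo stays well-defined; the function names, slot sizes and the 0x41414141 marker are assumptions of the example.

```c
/* Added example, not from the Cyphort deck: how a use-after-free turns into
 * control of a vtable pointer.  C structs stand in for the C++ object layout
 * on the slide (vtable pointer first, then member variables); a tiny
 * fixed-size allocator with a LIFO free list replaces the browser heap so the
 * reuse of the freed slot is deterministic and the demo stays well-defined.
 * Function names, slot sizes and the 0x41414141 marker are made up. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { SLOT_SIZE = 32, NSLOTS = 4 };

typedef int (*method_t)(void);
typedef struct { method_t function1, function2, function3; } vtable_t;

/* Object layout from the slide. */
typedef struct {
    const vtable_t *vtable;
    uint32_t        member[4];   /* member variables */
} object_t;
typedef char object_fits_slot[(sizeof(object_t) <= SLOT_SIZE) ? 1 : -1];

/* Minimal heap: fixed slots, LIFO free list, no sanitising on free.  The
 * union keeps the slots pointer-aligned. */
static union { uint8_t bytes[NSLOTS * SLOT_SIZE]; void *align; } heap_mem;
static int free_list[NSLOTS];
static int free_top;

void heap_init(void) {
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_list[free_top++] = i;
}
void *heap_alloc(void) {
    return free_top > 0 ? heap_mem.bytes + free_list[--free_top] * SLOT_SIZE : NULL;
}
void heap_free(void *p) {
    /* The slot goes back on the free list untouched, so the next allocation
     * of this size gets the same memory; that is what the exploit relies on. */
    free_list[free_top++] = (int)(((uint8_t *)p - heap_mem.bytes) / SLOT_SIZE);
}

static int real_function1(void) { return 1; }
static int real_function2(void) { return 2; }
static int real_function3(void) { return 3; }
static const vtable_t real_vtable = { real_function1, real_function2, real_function3 };

/* Attacker-chosen code; in the real exploit this is the stack pivot gadget. */
static int attacker_function(void) { return 0x41414141; }
static const vtable_t fake_vtable = { attacker_function, attacker_function, attacker_function };

/* The bug: the object is freed while a second reference survives, and that
 * reference is used after an attacker-sized allocation took the slot. */
int use_after_free_demo(void) {
    heap_init();
    object_t *obj = heap_alloc();
    obj->vtable = &real_vtable;
    object_t *dangling = obj;              /* e.g. a cached pointer elsewhere in the DOM */
    heap_free(obj);                        /* free */

    /* Attacker allocates the same size: the slot is reused and its first
     * pointer-sized bytes, the vtable pointer, are now attacker data. */
    uint8_t *attacker_buf = heap_alloc();
    const vtable_t *p = &fake_vtable;
    memcpy(attacker_buf, &p, sizeof p);

    return dangling->vtable->function1();  /* use: virtual call through attacker's vtable */
}

/* Same sequence with the stale reference invalidated at free time; the
 * later use is a checkable NULL instead of a hijacked dispatch. */
int fixed_demo(void) {
    heap_init();
    object_t *obj = heap_alloc();
    obj->vtable = &real_vtable;
    object_t *reference = obj;
    heap_free(obj);
    reference = NULL;                      /* drop the reference together with the object */

    uint8_t *attacker_buf = heap_alloc();
    const vtable_t *p = &fake_vtable;
    memcpy(attacker_buf, &p, sizeof p);

    return reference ? reference->vtable->function1() : -1;
}

/* Control case: a live object dispatches to its real method. */
int live_object_demo(void) {
    heap_init();
    object_t *obj = heap_alloc();
    obj->vtable = &real_vtable;
    return obj->vtable->function2();
}
```

The first pointer-sized field of the object is the one the attacker cares about: whatever the replacement allocation writes there becomes the vtable for the next virtual call on the stale reference, which is how the exploit gets from a dangling pointer to controlling EIP.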
Internet Explorer Exposed: CVE-2014-1776 – ROP Chain
Exploit steps:
1. Overwrite Object Length
2. Corrupt Sound Object
3. Call Stack Pivot + ROP
4. Call ZwProtectVirtualMemory
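As an added example that is not from the deck, the following shows how step 1, "Overwrite Object Length", turns a bounds-checked array object into an arbitrary read/write primitive, and how that primitive is then used for step 2, locating and corrupting the Sound object's vtable pointer. The vector_t layout (a length word followed by elements) is modelled on the length-prefixed arrays browser runtimes use and is an assumption of the example; the "process memory" is a constructed arena so every out-of-bounds access still lands in memory the program owns, and all addresses are made up.

```c
/* Added example, not from the Cyphort deck: how "Overwrite Object Length"
 * turns a bounds-checked array object into an arbitrary read/write primitive,
 * which is then used to find and corrupt the Sound object's vtable pointer.
 * The vector_t layout (length word followed by elements) is modelled on the
 * length-prefixed arrays browser runtimes use and is an assumption; the
 * "process memory" is a constructed arena so every out-of-bounds access in
 * the demo still lands in memory this program owns.  Addresses are made up. */
#include <stdint.h>
#include <string.h>

typedef struct { uint32_t length; uint32_t data[]; } vector_t;

enum { ARENA_WORDS = 1024, VEC_LEN = 16, SOUND_AT = 200 };
#define SOUND_VTABLE_REAL 0x10001000u   /* constructed: legitimate vtable address */
#define SOUND_VTABLE_FAKE 0x0C0C0C0Cu   /* constructed: points into the heap spray */

static uint32_t arena[ARENA_WORDS];      /* stand-in for process memory */

/* Lay out memory: the vector at the start of the arena, the Sound object
 * (first field = vtable pointer) some distance after it. */
vector_t *setup_memory(void) {
    memset(arena, 0, sizeof arena);
    vector_t *v = (vector_t *)arena;
    v->length = VEC_LEN;
    arena[SOUND_AT] = SOUND_VTABLE_REAL;
    return v;
}

/* Bounds-checked element access as the runtime implements it: the check
 * trusts the length field stored inside the object itself. */
int vec_get(const vector_t *v, uint32_t index, uint32_t *out) {
    if (index >= v->length) return 0;
    *out = v->data[index];
    return 1;
}
int vec_set(vector_t *v, uint32_t index, uint32_t value) {
    if (index >= v->length) return 0;
    v->data[index] = value;
    return 1;
}

/* Slide step 1: the memory corruption bug is spent once, on the length word.
 * Here it is a plain store; in the exploit it is the use-after-free write. */
void overwrite_length(vector_t *v) { v->length = 0xFFFFFFFFu; }

/* Slide step 2: every index now passes the check, so the vector can read
 * the memory after itself.  Scan for the Sound object's vtable value.  The
 * loop is arena-bounded only so the demo stays inside its own memory. */
long find_sound_object(vector_t *v) {
    for (uint32_t i = 0; i + 1 < ARENA_WORDS; i++) {   /* data[i] aliases arena[i + 1] */
        uint32_t word;
        if (vec_get(v, i, &word) && word == SOUND_VTABLE_REAL) return (long)i;
    }
    return -1;
}

/* Before corruption the bounds check holds: index 199 is refused. */
int bounds_check_holds(void) {
    vector_t *v = setup_memory();
    uint32_t word;
    return vec_get(v, SOUND_AT - 1, &word) == 0;
}

/* Index at which the corrupted vector sees the Sound object. */
long demo_find_index(void) {
    vector_t *v = setup_memory();
    overwrite_length(v);
    return find_sound_object(v);
}

/* Full sequence: corrupt the length, locate the Sound object through the
 * out-of-bounds read, overwrite its vtable pointer through the out-of-bounds
 * write.  Returns the Sound object's vtable word afterwards; the next virtual
 * call on the object dispatches through the fake vtable (the stack pivot). */
uint32_t demo_primitive(void) {
    vector_t *v = setup_memory();
    overwrite_length(v);
    long idx = find_sound_object(v);
    if (idx < 0) return 0;
    vec_set(v, (uint32_t)idx, SOUND_VTABLE_FAKE);
    return arena[SOUND_AT];
}
```

One corrupted word is enough: the bounds check is only as good as the length it trusts, and once that is 0xFFFFFFFF the same vec_get/vec_set API the runtime exposes to script becomes a read/write primitive over everything that follows the vector in memory.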
Internet Explorer Exposed: CVE-2014-1776 – Shellcode
o Dynamic resolution of API addresses
o Final exploit action
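The following is an added example, not code from the deck, of "dynamic resolution of API addresses" the way position-independent Win32 shellcode does it. Real shellcode walks the PEB loader list and each module's export table to find function names; that walk is Windows-specific, so a constructed export table stands in for it here. The hash is the ROR-13 scheme many Win32 shellcodes use, and the addresses in the table are made-up values.

```c
/* Added example, not from the Cyphort deck: "dynamic resolution of API
 * addresses" as position-independent Win32 shellcode does it.  Real shellcode
 * walks the PEB loader list and each module's export table; that walk is
 * Windows-specific, so a constructed export table stands in for it here.
 * The hash is the ROR-13 scheme used by many Win32 shellcodes; the table's
 * addresses are made-up values. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static uint32_t ror32(uint32_t v, unsigned n) { return (v >> n) | (v << (32 - n)); }

/* ROR-13 hash: rotate the running value right by 13, add the next byte.
 * Shellcode carries only these 4-byte hashes, never the API name strings. */
uint32_t ror13_hash(const char *name) {
    uint32_t h = 0;
    for (; *name; name++) h = ror32(h, 13) + (uint8_t)*name;
    return h;
}

typedef struct { const char *name; uintptr_t address; } export_t;

/* Constructed stand-in for a module's export table; addresses are not real. */
static const export_t fake_exports[] = {
    { "CloseHandle",            0x20001000u },
    { "GetProcAddress",         0x20002000u },
    { "LoadLibraryA",           0x20003000u },
    { "VirtualProtect",         0x20004000u },
    { "ZwProtectVirtualMemory", 0x20005000u },
};
#define N_EXPORTS (sizeof fake_exports / sizeof fake_exports[0])

/* Walk the export names, hash each one, return the address whose hash
 * matches.  0 means "not exported here"; real shellcode then moves on to
 * the next module in the loader list. */
uintptr_t resolve_by_hash(const export_t *table, size_t n, uint32_t hash) {
    for (size_t i = 0; i < n; i++)
        if (ror13_hash(table[i].name) == hash) return table[i].address;
    return 0;
}

/* The hash a shellcode author would embed for LoadLibraryA. */
uint32_t loadlibrary_hash(void) { return ror13_hash("LoadLibraryA"); }

/* Resolve LoadLibraryA from the embedded constant alone. */
uintptr_t resolve_loadlibrary(void) {
    return resolve_by_hash(fake_exports, N_EXPORTS, 0xEC0E4E8Eu);
}

int main(void) {
    for (size_t i = 0; i < N_EXPORTS; i++)
        printf("%-24s hash 0x%08x\n", fake_exports[i].name,
               (unsigned)ror13_hash(fake_exports[i].name));
    printf("LoadLibraryA resolves to 0x%lx\n", (unsigned long)resolve_loadlibrary());
    return 0;
}
```

Two things follow for defenders: the hash constants are stable across shellcode families that share the scheme, so they make good static signatures, and the lookup loop itself (name walk plus rotate-and-add) is a recognisable pattern when a sandbox traces the shellcode after the ROP chain has made the heap executable.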
3 Key Mitigations
1. Keep Your Systems Up-to-Date
2. Activate EMET 4.1
3. Break the Kill Chain by Applying Holistic Security
Q and A
o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware