Here's a mitigation for the CVE-2010-0249 IE createEventObject srcElement zero-day. Quite simply, it just disables the createEventObject method by mangling its name in memory. If anyone knows an important web application that uses createEventObject, *please* respond to the mailing list. Use this code at your own risk. It could contain mistakes, cause problems with other software, and fail to protect your computer. I've done some very basic testing on the following configurations: * Windows 2000 SP4, IE6 SP1 * Windows XP (x86) SP3, IE 6 SP3 * Windows XP (x86) SP3, IE 7 * Windows XP x64 SP1, IE 6 SP1 (32-bit and 64-bit) * Windows XP x64 SP1, IE 7 (32-bit and 64-bit) * Windows XP x64 SP2, IE 7 (32-bit and 64-bit) * Windows XP x64 SP2, IE 8 (32-bit and 64-bit) * Windows Vista (x86) SP2, IE 7 * Windows Vista (x86) SP2, IE 8 So far, I haven't been able to bypass the mitigation. I've tried 'for (var n in document)' to discover the mangled method name (doesn't enumerate it), I've tried 'document.x' in case the invalid surrogate characters are ignored (doesn't work), and I've tried 'eval("document.x\ud...")' and 'eval(unescape("document.x%ud..."))' (IE gives an "Invalid character" error). So do your worst. To test the mitigation, you can use this pared-down proof-of-concept: [body onload="for(var i=0; i!=10000; i++) ev.srcElement"] [img src=. onerror="ev=createEventObject(event); outerHTML++"] (Of course, replace [ and ] with < and > above. The 'for' loop is just a kludge to make it more likely to crash.) If you're interested in researching the vulnerability (using this PoC), breakpoint MSHTML!CImgElement::CImgElement, then run until MSHTML!CTreeNode::CTreeNode is hit -- this tree node is freed during MSHTML!CImgHelper::Fire_onerror, but is later accessed during MSHTML!CEventObj::get_srcElement. -- Derek
/* Here's a mitigation for the CVE-2010-0249 IE createEventObject srcElement zero-day. Quite simply, it just disables the createEventObject method by mangling its name in memory. If anyone knows an important web application that uses createEventObject, *please* respond to the mailing list. Use this code at your own risk. It could contain mistakes, cause problems with other software, and fail to protect your computer. I've done some very basic testing on the following configurations: * Windows 2000 SP4, IE6 SP1 * Windows XP (x86) SP3, IE 6 SP3 * Windows XP (x86) SP3, IE 7 * Windows XP x64 SP1, IE 6 SP1 (32-bit and 64-bit) * Windows XP x64 SP1, IE 7 (32-bit and 64-bit) * Windows XP x64 SP2, IE 7 (32-bit and 64-bit) * Windows XP x64 SP2, IE 8 (32-bit and 64-bit) * Windows Vista (x86) SP2, IE 7 * Windows Vista (x86) SP2, IE 8 So far, I haven't been able to bypass the mitigation. I've tried 'for (var n in document)' to discover the mangled method name (doesn't enumerate it), I've tried 'document.x' in case the invalid surrogate characters are ignored (doesn't work), and I've tried 'eval("document.x\ud...")' and 'eval(unescape("document.x%ud..."))' (IE gives an "Invalid character" error). So do your worst. To test the mitigation, you can use this pared-down proof-of-concept: [body onload="for(var i=0; i!=10000; i++) ev.srcElement"] [img src=. onerror="ev=createEventObject(event); outerHTML++"] (Of course, replace [ and ] with < and > above. The 'for' loop is just a kludge to make it more likely to crash.) If you're interested in researching the vulnerability (using this PoC), breakpoint MSHTML!CImgElement::CImgElement, then run until MSHTML!CTreeNode::CTreeNode is hit -- this tree node is freed during MSHTML!CImgHelper::Fire_onerror, but is later accessed during MSHTML!CEventObj::get_srcElement. -- Derek */ //////////////////////////////////////////////////////////////// // ieceo1.cpp //============================================================== // Another dirty mitigation for another IE zero-day -- this // time, the createEventObject srcElement dangling pointer // vulnerability (CVE-2010-0249, BID 37815). // // This mitigation works by registering as a Browser Helper // Object, then modifying MSHTML.DLL in memory to break // createEventObject. As long as it's installed, you can't use // document.createEventObject in any process that loads the BHO. // // To build: // // 1. Start Visual Studio 2008 (2005 should also work) // 2. File -> New -> Project // 3. Choose Visual C++: Win32: Win32 Project // 4. Enter "ieceo1" for the name // 5. In the Win32 Application Wizard, choose an // "Application type" of "DLL", and under "Additional // options", check "Empty project" // 6. In the Solution Explorer, right-click on "Source Files", // Add -> New Item // 7. Choose "C++ File (.cpp)" and enter "ieceo1.cpp" for the // name // 8. Paste all of this source code into the new .cpp file // 9. In the Solution Explorer, right-click again on "Source // Files", Add -> New Item // 10. Choose "Module-Definition File (.def)" and enter // "ieceo1.def" for the name // 11. Paste everything in the block comment below (between the // rows of ****'s) into the new .def file // 12. Build -> Configuration Manager; for "Active solution // configuration", choose "Release" // 13. For maximum portability, Project -> Properties, // Configuration Properties: C/C++: Code Generation: set // "Runtime Library" to "Multi-threaded (/MT)"; this will // keep ieceo1.dll from requiring MSVCR*.DLL // 14. (While you're in there, Project -> Properties, // Configuration Properties: Linker: Input, and make sure // that "Module Definition File" contains "ieceo1.def") // 15. Build -> Build Solution // // To use, copy "ieceo1.dll" to the Windows\System32 directory // and run "regsvr32 ieceo1.dll" as an administrator. On 64- // bit Windows, copy the 32-bit DLL to Windows\SysWOW64, copy // the 64-bit DLL to Windows\System32 with a different name // (like "ieceo1_x64.dll"), and use "regsvr32" for each of // them, so that both 32-bit and 64-bit IE will be protected. // // To uninstall, run "regsvr32 /u ieceo1.dll". (Of course, on // 64-bit Windows, you'll need to unregister each DLL you // previously registered.) // // The DLL self-registers as a Browser Helper Object, but it // doesn't actually do anything BHO-like -- it just modifies // MSHTML.DLL in memory during DllGetClassObject, then "fails." // Being a BHO is a convenient way to get loaded into Internet // Explorer. (Note that it may also load into Explorer.) If // for whatever reason it can't modify the system's MSHTML.DLL, // it will display a message box informing the user of the // failure. // // NO WARRANTIES. Use at your own risk. Redistribution of this // source code in its original, unmodified form is permitted. // // Copyright (C) Derek Soeder - 01/16/2010 //////////////////////////////////////////////////////////////// /**** Paste the following into a new .def file: ************* LIBRARY "ieceo1.dll" EXPORTS DllCanUnloadNow PRIVATE DllGetClassObject PRIVATE DllRegisterServer PRIVATE DllUnregisterServer PRIVATE ***************************************************************/ #define IECEO1_CLSID_W L"{802af904-a984-4481-8376-c103ade582e6}" #define WIN32_LEAN_AND_MEAN #define _CRT_NON_CONFORMING_SWPRINTFS #define _CRT_SECURE_NO_WARNINGS #include <windows.h> #include <olectl.h> #include <stdlib.h> #include <stdio.h> //////////////////////////////////////////////////////////////// // MSHTML.DLL "createEventObject" mangling //////////////////////////////////////////////////////////////// #define KNOTTY_STRING L"createEventObject" LPWSTR find_string( HMODULE hmMSHTML ) { MEMORY_BASIC_INFORMATION mbi; LPVOID lpvbase; LPVOID lpv; LPWSTR lpwch; size_t cwchremain; lpvbase = (LPVOID)((UINT_PTR)hmMSHTML & ~(UINT_PTR)0xFFFFU); for ( lpv = lpvbase; VirtualQuery( lpv, &mbi, sizeof(mbi) ) == sizeof(mbi); lpv = (LPBYTE)mbi.BaseAddress + mbi.RegionSize ) { if ( mbi.BaseAddress == NULL || (LPVOID)((UINT_PTR)(mbi.AllocationBase) & ~(UINT_PTR)0xFFFFU) != lpvbase || mbi.RegionSize < 0x1000 || mbi.Type != MEM_IMAGE ) { break; } if (mbi.State != MEM_COMMIT) continue; cwchremain = ( mbi.RegionSize - sizeof(KNOTTY_STRING) ) / sizeof(lpwch[0]); for ( lpwch = (LPWSTR)(mbi.BaseAddress); cwchremain != 0; lpwch++, cwchremain-- ) { if ( memcmp( lpwch, KNOTTY_STRING, sizeof(KNOTTY_STRING) ) == 0 ) { return lpwch; } } } //for(VirtualQuery) return NULL; } //find_string BOOL apply_mitigation( LPWSTR wszString ) { DWORD dwprot; size_t i, cwch; if ( !VirtualProtect( wszString, sizeof(KNOTTY_STRING), PAGE_EXECUTE_READWRITE, &dwprot ) ) { return FALSE; } srand( (unsigned int)GetTickCount() + (unsigned int)wszString + (unsigned int)&wszString + (unsigned int)KNOTTY_STRING + (unsigned int)GetCurrentProcessId() ); cwch = ( sizeof(KNOTTY_STRING) / sizeof(KNOTTY_STRING[0]) ) - 1; if (cwch != 0) wszString[0] = L'x'; // random invalid unmatched UTF-16 surrogate pair characters for (i = 1; i < cwch; i++) wszString[i] = (WCHAR)(0xDC00U | (rand() & 0x03FF)); VirtualProtect( wszString, sizeof(KNOTTY_STRING), dwprot, &dwprot ); FlushInstructionCache( GetCurrentProcess(), wszString, sizeof(KNOTTY_STRING) ); return TRUE; } //apply_mitigation //////////////////////////////////////////////////////////////// // Browser Helper Object DLL //////////////////////////////////////////////////////////////// HINSTANCE g_hinstMyself; BOOL g_fInitialized; CRITICAL_SECTION g_csInit; HMODULE g_hmMSHTML; STDAPI DllUnregisterServer() { HKEY hkey, hkey2, hkey3; if ( RegOpenKeyW( HKEY_LOCAL_MACHINE, L"SOFTWARE\\" L"Classes\\CLSID", &hkey ) == ERROR_SUCCESS ) { if ( RegOpenKeyW( hkey, IECEO1_CLSID_W, &hkey2 ) == ERROR_SUCCESS ) { if ( RegOpenKeyW( hkey2, L"InprocServer32", &hkey3 ) == ERROR_SUCCESS ) { RegDeleteValueW( hkey3, NULL ); RegCloseKey( hkey3 ); RegDeleteKeyW( hkey2, L"InprocServer32" ); } RegCloseKey( hkey2 ); RegDeleteKeyW( hkey, IECEO1_CLSID_W ); } RegCloseKey( hkey ); } if ( RegOpenKeyW( HKEY_LOCAL_MACHINE, L"SOFTWARE\\" L"Microsoft\\Windows\\CurrentVersion\\Explorer", &hkey ) == ERROR_SUCCESS ) { if ( RegOpenKeyW( hkey, L"Browser Helper Objects", &hkey2 ) == ERROR_SUCCESS ) { RegDeleteKeyW( hkey2, IECEO1_CLSID_W ); RegCloseKey( hkey2 ); RegDeleteKeyW( hkey, L"Browser Helper Objects" ); } RegCloseKey( hkey ); } return S_OK; } //DllUnregisterServer STDAPI DllRegisterServer() { HKEY hkey, hkey2; WCHAR wszmod[1024]; LSTATUS lret; if ( RegCreateKeyW( HKEY_LOCAL_MACHINE, L"SOFTWARE\\Classes\\CLSID\\" IECEO1_CLSID_W L"\\InprocServer32", &hkey ) != ERROR_SUCCESS ) { _fail: DllUnregisterServer(); return SELFREG_E_CLASS; } GetModuleFileNameW( g_hinstMyself, wszmod, (sizeof(wszmod) / sizeof(wszmod[0])) ); lret = RegSetValueW( hkey, NULL, REG_SZ, wszmod, (DWORD)( (wcslen( wszmod ) + 1) * sizeof(wszmod[0]) ) ); RegCloseKey( hkey ); if (lret != ERROR_SUCCESS) goto _fail; if ( RegCreateKeyW( HKEY_LOCAL_MACHINE, L"SOFTWARE\\" L"Microsoft\\Windows\\CurrentVersion\\Explorer\\" L"Browser Helper Objects", &hkey ) != ERROR_SUCCESS ) { goto _fail; } lret = RegCreateKeyW( hkey, IECEO1_CLSID_W, &hkey2 ); RegCloseKey( hkey ); if (lret != ERROR_SUCCESS ) goto _fail; RegCloseKey( hkey2 ); return S_OK; } //DllRegisterServer STDAPI DllCanUnloadNow() { return S_OK; } //DllCanUnloadNow STDAPI DllGetClassObject( REFCLSID rclsid, REFIID riid, LPVOID * ppv ) { LPWSTR lpwch; WCHAR wszbuf[256]; EnterCriticalSection( &g_csInit ); __try { if (!g_fInitialized) { // MSHTML should already be loaded; this extra // reference will keep it from ever unloading g_hmMSHTML = LoadLibraryW( L"mshtml.dll" ); lpwch = find_string( g_hmMSHTML ); if (lpwch != NULL) { swprintf( wszbuf, L"IECEO1: Found \"%s\" at %p in MSHTML_%p\r\n", KNOTTY_STRING, lpwch, g_hmMSHTML ); OutputDebugStringW( wszbuf ); apply_mitigation( lpwch ); } else { swprintf( wszbuf, L"IECEO1: FAILED to find \"%s\" in MSHTML_%p\r\n", KNOTTY_STRING, g_hmMSHTML ); OutputDebugStringW( wszbuf ); MessageBoxW( NULL, L"The Internet Explorer createEventObject srcElement zero-day " L"mitigation, also known as IECEO1, is not protecting your system " L"because it is incompatible with this version of Internet Explorer." L"\n\nTo remove IECEO1, run \"regsvr32 /u ieceo1.dll\" as an " L"administrator.", L"IECEO1", MB_ICONWARNING|MB_OK ); } g_fInitialized = TRUE; } } __finally { LeaveCriticalSection( &g_csInit ); } return CLASS_E_CLASSNOTAVAILABLE; } //DllGetClassObject BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved ) { if (fdwReason == DLL_PROCESS_ATTACH) { g_hinstMyself = hinstDLL; g_fInitialized = FALSE; InitializeCriticalSection( &g_csInit ); } return TRUE; } //DllMain