Code to mitigate IE event zero-day (CVE-2010-0249)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Here's a mitigation for the CVE-2010-0249 IE createEventObject
srcElement zero-day.  Quite simply, it just disables the
createEventObject method by mangling its name in memory.  If anyone
knows an important web application that uses createEventObject,
*please* respond to the mailing list.

Use this code at your own risk.  It could contain mistakes, cause
problems with other software, and fail to protect your computer.

I've done some very basic testing on the following configurations:

 * Windows 2000 SP4, IE6 SP1
 * Windows XP (x86) SP3, IE 6 SP3
 * Windows XP (x86) SP3, IE 7
 * Windows XP x64 SP1, IE 6 SP1 (32-bit and 64-bit)
 * Windows XP x64 SP1, IE 7 (32-bit and 64-bit)
 * Windows XP x64 SP2, IE 7 (32-bit and 64-bit)
 * Windows XP x64 SP2, IE 8 (32-bit and 64-bit)
 * Windows Vista (x86) SP2, IE 7
 * Windows Vista (x86) SP2, IE 8

So far, I haven't been able to bypass the mitigation.  I've tried 'for
(var n in document)' to discover the mangled method name (doesn't
enumerate it), I've tried 'document.x' in case the invalid surrogate
characters are ignored (doesn't work), and I've tried
'eval("document.x\ud...")' and 'eval(unescape("document.x%ud..."))'
(IE gives an "Invalid character" error).  So do your worst.

To test the mitigation, you can use this pared-down proof-of-concept:

  [body onload="for(var i=0; i!=10000; i++) ev.srcElement"]
  [img src=. onerror="ev=createEventObject(event); outerHTML++"]

(Of course, replace [ and ] with < and > above.  The 'for' loop is
just a kludge to make it more likely to crash.)

If you're interested in researching the vulnerability (using this
PoC), breakpoint MSHTML!CImgElement::CImgElement, then run until
MSHTML!CTreeNode::CTreeNode is hit -- this tree node is freed during
MSHTML!CImgHelper::Fire_onerror, but is later accessed during
MSHTML!CEventObj::get_srcElement.

-- Derek
/*

Here's a mitigation for the CVE-2010-0249 IE createEventObject
srcElement zero-day.  Quite simply, it just disables the
createEventObject method by mangling its name in memory.  If anyone
knows an important web application that uses createEventObject,
*please* respond to the mailing list.

Use this code at your own risk.  It could contain mistakes, cause
problems with other software, and fail to protect your computer.

I've done some very basic testing on the following configurations:

 * Windows 2000 SP4, IE6 SP1
 * Windows XP (x86) SP3, IE 6 SP3
 * Windows XP (x86) SP3, IE 7
 * Windows XP x64 SP1, IE 6 SP1 (32-bit and 64-bit)
 * Windows XP x64 SP1, IE 7 (32-bit and 64-bit)
 * Windows XP x64 SP2, IE 7 (32-bit and 64-bit)
 * Windows XP x64 SP2, IE 8 (32-bit and 64-bit)
 * Windows Vista (x86) SP2, IE 7
 * Windows Vista (x86) SP2, IE 8

So far, I haven't been able to bypass the mitigation.  I've tried
'for (var n in document)' to discover the mangled method name
(doesn't enumerate it), I've tried 'document.x' in case the invalid
surrogate characters are ignored (doesn't work), and I've tried
'eval("document.x\ud...")' and 'eval(unescape("document.x%ud..."))'
(IE gives an "Invalid character" error).  So do your worst.

To test the mitigation, you can use this pared-down proof-of-concept:

  [body onload="for(var i=0; i!=10000; i++) ev.srcElement"]
  [img src=. onerror="ev=createEventObject(event); outerHTML++"]

(Of course, replace [ and ] with < and > above.  The 'for' loop is
just a kludge to make it more likely to crash.)

If you're interested in researching the vulnerability (using this
PoC), breakpoint MSHTML!CImgElement::CImgElement, then run until
MSHTML!CTreeNode::CTreeNode is hit -- this tree node is freed during
MSHTML!CImgHelper::Fire_onerror, but is later accessed during
MSHTML!CEventObj::get_srcElement.

-- Derek

*/

////////////////////////////////////////////////////////////////
// ieceo1.cpp
//==============================================================
// Another dirty mitigation for another IE zero-day -- this
// time, the createEventObject srcElement dangling pointer
// vulnerability (CVE-2010-0249, BID 37815).
//
// This mitigation works by registering as a Browser Helper
// Object, then modifying MSHTML.DLL in memory to break
// createEventObject.  As long as it's installed, you can't use
// document.createEventObject in any process that loads the BHO.
//
// To build:
//
//  1. Start Visual Studio 2008 (2005 should also work)
//  2. File -> New -> Project
//  3. Choose Visual C++: Win32: Win32 Project
//  4. Enter "ieceo1" for the name
//  5. In the Win32 Application Wizard, choose an
//     "Application type" of "DLL", and under "Additional
//     options", check "Empty project"
//  6. In the Solution Explorer, right-click on "Source Files",
//     Add -> New Item
//  7. Choose "C++ File (.cpp)" and enter "ieceo1.cpp" for the
//     name
//  8. Paste all of this source code into the new .cpp file
//  9. In the Solution Explorer, right-click again on "Source
//     Files", Add -> New Item
// 10. Choose "Module-Definition File (.def)" and enter
//     "ieceo1.def" for the name
// 11. Paste everything in the block comment below (between the
//     rows of ****'s) into the new .def file
// 12. Build -> Configuration Manager; for "Active solution
//     configuration", choose "Release"
// 13. For maximum portability, Project -> Properties,
//     Configuration Properties: C/C++: Code Generation: set
//     "Runtime Library" to "Multi-threaded (/MT)"; this will
//     keep ieceo1.dll from requiring MSVCR*.DLL
// 14. (While you're in there, Project -> Properties,
//      Configuration Properties: Linker: Input, and make sure
//      that "Module Definition File" contains "ieceo1.def")
// 15. Build -> Build Solution
//
// To use, copy "ieceo1.dll" to the Windows\System32 directory
// and run "regsvr32 ieceo1.dll" as an administrator.  On 64-
// bit Windows, copy the 32-bit DLL to Windows\SysWOW64, copy
// the 64-bit DLL to Windows\System32 with a different name
// (like "ieceo1_x64.dll"), and use "regsvr32" for each of
// them, so that both 32-bit and 64-bit IE will be protected.
//
// To uninstall, run "regsvr32 /u ieceo1.dll".  (Of course, on
// 64-bit Windows, you'll need to unregister each DLL you
// previously registered.)
//
// The DLL self-registers as a Browser Helper Object, but it
// doesn't actually do anything BHO-like -- it just modifies
// MSHTML.DLL in memory during DllGetClassObject, then "fails."
// Being a BHO is a convenient way to get loaded into Internet
// Explorer.  (Note that it may also load into Explorer.)  If
// for whatever reason it can't modify the system's MSHTML.DLL,
// it will display a message box informing the user of the
// failure.
//
// NO WARRANTIES.  Use at your own risk.  Redistribution of this
// source code in its original, unmodified form is permitted.
//
// Copyright (C) Derek Soeder - 01/16/2010
////////////////////////////////////////////////////////////////

/****  Paste the following into a new .def file:  *************

LIBRARY "ieceo1.dll"

EXPORTS
        DllCanUnloadNow PRIVATE
        DllGetClassObject PRIVATE
        DllRegisterServer PRIVATE
        DllUnregisterServer PRIVATE

***************************************************************/

#define IECEO1_CLSID_W L"{802af904-a984-4481-8376-c103ade582e6}"

#define WIN32_LEAN_AND_MEAN
#define _CRT_NON_CONFORMING_SWPRINTFS
#define _CRT_SECURE_NO_WARNINGS

#include <windows.h>
#include <olectl.h>
#include <stdlib.h>
#include <stdio.h>

////////////////////////////////////////////////////////////////
// MSHTML.DLL "createEventObject" mangling
////////////////////////////////////////////////////////////////

#define KNOTTY_STRING L"createEventObject"

LPWSTR find_string(
        HMODULE                 hmMSHTML )
{
        MEMORY_BASIC_INFORMATION mbi;
        LPVOID                  lpvbase;
        LPVOID                  lpv;
        LPWSTR                  lpwch;
        size_t                  cwchremain;

        lpvbase = (LPVOID)((UINT_PTR)hmMSHTML & ~(UINT_PTR)0xFFFFU);

        for ( lpv = lpvbase;
              VirtualQuery( lpv, &mbi, sizeof(mbi) ) == sizeof(mbi);
              lpv = (LPBYTE)mbi.BaseAddress + mbi.RegionSize )
        {
                if ( mbi.BaseAddress == NULL ||
                     (LPVOID)((UINT_PTR)(mbi.AllocationBase)
                        & ~(UINT_PTR)0xFFFFU) != lpvbase ||
                     mbi.RegionSize < 0x1000 ||
                     mbi.Type != MEM_IMAGE )
                {
                        break;
                }

                if (mbi.State != MEM_COMMIT) continue;

                cwchremain = ( mbi.RegionSize -
                        sizeof(KNOTTY_STRING) ) / sizeof(lpwch[0]);
                        
                for ( lpwch = (LPWSTR)(mbi.BaseAddress);
                      cwchremain != 0; lpwch++, cwchremain-- )
                {
                        if ( memcmp( lpwch, KNOTTY_STRING,
                                     sizeof(KNOTTY_STRING) ) == 0 )
                        {
                                return lpwch;
                        }
                }
        } //for(VirtualQuery)

        return NULL;
} //find_string

BOOL apply_mitigation(
        LPWSTR                  wszString )
{
        DWORD                   dwprot;
        size_t                  i, cwch;

        if ( !VirtualProtect( wszString, sizeof(KNOTTY_STRING),
                              PAGE_EXECUTE_READWRITE, &dwprot ) )
        {
                return FALSE;
        }

        srand( (unsigned int)GetTickCount() +
               (unsigned int)wszString +
               (unsigned int)&wszString +
               (unsigned int)KNOTTY_STRING +
               (unsigned int)GetCurrentProcessId() );

        cwch = ( sizeof(KNOTTY_STRING) /
                 sizeof(KNOTTY_STRING[0]) ) - 1;

        if (cwch != 0)
                wszString[0] = L'x';

        // random invalid unmatched UTF-16 surrogate pair characters
        for (i = 1; i < cwch; i++)
                wszString[i] = (WCHAR)(0xDC00U | (rand() & 0x03FF));

        VirtualProtect( wszString, sizeof(KNOTTY_STRING),
                dwprot, &dwprot );

        FlushInstructionCache( GetCurrentProcess(),
                wszString, sizeof(KNOTTY_STRING) );

        return TRUE;
} //apply_mitigation

////////////////////////////////////////////////////////////////
// Browser Helper Object DLL
////////////////////////////////////////////////////////////////

HINSTANCE               g_hinstMyself;
BOOL                    g_fInitialized;
CRITICAL_SECTION        g_csInit;

HMODULE                 g_hmMSHTML;

STDAPI DllUnregisterServer()
{
        HKEY                    hkey, hkey2, hkey3;

        if ( RegOpenKeyW( HKEY_LOCAL_MACHINE, L"SOFTWARE\\"
                L"Classes\\CLSID", &hkey ) == ERROR_SUCCESS )
        {
                if ( RegOpenKeyW( hkey, IECEO1_CLSID_W,
                        &hkey2 ) == ERROR_SUCCESS )
                {
                        if ( RegOpenKeyW( hkey2, L"InprocServer32",
                                &hkey3 ) == ERROR_SUCCESS )
                        {
                                RegDeleteValueW( hkey3, NULL );
                                RegCloseKey( hkey3 );
                                RegDeleteKeyW( hkey2,
                                        L"InprocServer32" );
                        }

                        RegCloseKey( hkey2 );
                        RegDeleteKeyW( hkey, IECEO1_CLSID_W );
                }

                RegCloseKey( hkey );
        }

        if ( RegOpenKeyW( HKEY_LOCAL_MACHINE, L"SOFTWARE\\"
                L"Microsoft\\Windows\\CurrentVersion\\Explorer",
                &hkey ) == ERROR_SUCCESS )
        {
                if ( RegOpenKeyW( hkey, L"Browser Helper Objects",
                        &hkey2 ) == ERROR_SUCCESS )
                {
                        RegDeleteKeyW( hkey2, IECEO1_CLSID_W );
                        RegCloseKey( hkey2 );
                        RegDeleteKeyW( hkey,
                                L"Browser Helper Objects" );
                }

                RegCloseKey( hkey );
        }

        return S_OK;
} //DllUnregisterServer

STDAPI DllRegisterServer()
{
        HKEY                    hkey, hkey2;
        WCHAR                   wszmod[1024];
        LSTATUS                 lret;

        if ( RegCreateKeyW( HKEY_LOCAL_MACHINE,
                L"SOFTWARE\\Classes\\CLSID\\" IECEO1_CLSID_W
                L"\\InprocServer32", &hkey ) != ERROR_SUCCESS )
        {
_fail:
                DllUnregisterServer();
                return SELFREG_E_CLASS;
        }

        GetModuleFileNameW( g_hinstMyself, wszmod,
                (sizeof(wszmod) / sizeof(wszmod[0])) );

        lret = RegSetValueW( hkey, NULL, REG_SZ, wszmod,
                (DWORD)( (wcslen( wszmod ) + 1) *
                         sizeof(wszmod[0]) ) );

        RegCloseKey( hkey );

        if (lret != ERROR_SUCCESS) goto _fail;

        if ( RegCreateKeyW( HKEY_LOCAL_MACHINE, L"SOFTWARE\\"
                L"Microsoft\\Windows\\CurrentVersion\\Explorer\\"
                L"Browser Helper Objects", &hkey ) != ERROR_SUCCESS )
        {
                goto _fail;
        }

        lret = RegCreateKeyW( hkey, IECEO1_CLSID_W, &hkey2 );

        RegCloseKey( hkey );

        if (lret != ERROR_SUCCESS ) goto _fail;

        RegCloseKey( hkey2 );

        return S_OK;
} //DllRegisterServer

STDAPI DllCanUnloadNow()
{
        return S_OK;
} //DllCanUnloadNow

STDAPI DllGetClassObject(
        REFCLSID                rclsid,
        REFIID                  riid,
        LPVOID                  * ppv )
{
        LPWSTR                  lpwch;
        WCHAR                   wszbuf[256];

        EnterCriticalSection( &g_csInit );

    __try
    {
        if (!g_fInitialized)
        {
                // MSHTML should already be loaded; this extra
                // reference will keep it from ever unloading
                g_hmMSHTML = LoadLibraryW( L"mshtml.dll" );

                lpwch = find_string( g_hmMSHTML );

                if (lpwch != NULL)
                {
                        swprintf( wszbuf,
L"IECEO1: Found \"%s\" at %p in MSHTML_%p\r\n",
                                KNOTTY_STRING, lpwch, g_hmMSHTML );
                        OutputDebugStringW( wszbuf );

                        apply_mitigation( lpwch );
                }
                else
                {
                        swprintf( wszbuf,
L"IECEO1: FAILED to find \"%s\" in MSHTML_%p\r\n",
                                KNOTTY_STRING, g_hmMSHTML );
                        OutputDebugStringW( wszbuf );

                        MessageBoxW( NULL,
L"The Internet Explorer createEventObject srcElement zero-day "
L"mitigation, also known as IECEO1, is not protecting your system "
L"because it is incompatible with this version of Internet Explorer."
L"\n\nTo remove IECEO1, run \"regsvr32 /u ieceo1.dll\" as an "
L"administrator.",
                                L"IECEO1", MB_ICONWARNING|MB_OK );
                }

                g_fInitialized = TRUE;
        }
    }
    __finally
    {
        LeaveCriticalSection( &g_csInit );
    }

        return CLASS_E_CLASSNOTAVAILABLE;
} //DllGetClassObject

BOOL WINAPI DllMain(
        HINSTANCE               hinstDLL,
        DWORD                   fdwReason,
        LPVOID                  lpvReserved )
{
        if (fdwReason == DLL_PROCESS_ATTACH)
        {
                g_hinstMyself  = hinstDLL;
                g_fInitialized = FALSE;
                InitializeCriticalSection( &g_csInit );
        }

        return TRUE;
} //DllMain

[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux