*The vulnerability discussed in this article has been reported to the vendor and patched. This article is intended only for technical research and discussion; using it for illegal purposes is strictly prohibited, and anyone who does so bears all consequences themselves.
1. Overview
The vulnerability sample targets Internet Explorer users in Korea and Japan. The test environment is Windows XP with Internet Explorer 8.
2. Vulnerability details
1) Code analysis
CVE-2013-3897 is triggered through an onpropertychange event fired from JavaScript. When the event fires, the script creates several elements and later changes the position of one of them. At that point IE's CDisplayPointer object calls a virtual function through a CMarkupPointer that has already been freed by CDisplayPointer::Release. Because the freed CMarkupPointer's virtual-table pointer now points into memory forged by the attacker, the call lands in a ROP chain that bypasses DEP on Windows XP. The JavaScript flow is analyzed below (as follows)
Let's walk through the attack flow in the JavaScript. When the script runs, a textarea element is created first and attached, via applyElement, as a child node of a newly created address element (as follows)
Next, the textarea's onselect handler changes the textarea's value property, and a call to swapNode changes the value property again, which fires the subsequent onpropertychange event (as follows)
Note that the child node of id_2 (the address element) is the textarea. swapNode removes the textarea from the page layout and re-inserts a new element, which changes the value and so fires the subsequent onpropertychange event (as follows)
The next step changes the layout position of the textarea element (the sample uses document.execCommand("Unselect") to clear the selection); after that, executing the SelectAll command on any other element, or any similar operation, causes the display pointer to move the textarea's position (as follows)
(Code excerpt from the sample, shown as a screenshot in the original; its comment reads: // forge the data string STR to be injected)
The select call in JavaScript goes to CDisplayPointer::ScrollIntoView, which sets the new display position through the display pointer; however, the CMarkupPointer it references has already been freed by CDisplayPointer::Release and now points to a memory area forged by the attacker. Finally, during QIClassID, when the code attempts to call the CMarkupPointer::QueryInterface interface (offset 0 in CMarkupPointer's virtual table), the attacker obtains system privileges
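As an added example (not code from the original article), here is a small indicator-scoring check a defender could run over scripts captured from a suspect page, flagging the co-occurrence of the trigger primitives described above (onpropertychange, applyElement, swapNode, execCommand("Unselect"), a title-attribute spray); the regexes, weights, threshold and sample inputs are assumptions of this example.

```python
import re

# Indicators of the CVE-2013-3897 trigger chain described above, applied to
# script text pulled from a captured page. Regexes and weights are assumptions
# made for this example; they are not from the original article.
INDICATORS = [
    ("onpropertychange handler",          r"onpropertychange",                        2),
    ("applyElement()",                    r"\.applyElement\s*\(",                     2),
    ("swapNode()",                        r"\.swapNode\s*\(",                         2),
    ("execCommand('Unselect')",           r"execCommand\s*\(\s*['\"]Unselect['\"]",   3),
    ("select()/SelectAll after Unselect", r"\.select\s*\(\s*\)|['\"]SelectAll['\"]",  1),
    ("title attribute sprayed in a loop", r"for\s*\([^)]*\)[^}]*\.title\s*=",         2),
    ("unescape of %u-encoded data",       r"unescape\s*\(\s*['\"]%u",                 2),
]
THRESHOLD = 8  # assumption: several chain steps must co-occur, not just one


def score_script(js: str):
    """Return (total weight, matched indicator names) for one script body."""
    hits = [(name, w) for name, rx, w in INDICATORS
            if re.search(rx, js, re.IGNORECASE | re.DOTALL)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def is_suspicious(js: str) -> bool:
    return score_script(js)[0] >= THRESHOLD


# Constructed test inputs (not the real sample): a skeleton that mirrors the
# trigger sequence in the article, and an ordinary legacy-IE script.
TRIGGER_LIKE = """
var ta = document.createElement("textarea");
ta.applyElement(document.getElementById("id_2"), "inside");
ta.onpropertychange = function () { /* later steps of the chain */ };
ta.onselect = function () { ta.swapNode(document.createElement("div")); };
document.execCommand("Unselect");
for (var i = 0; i < n; i++) { arr[i].title = unescape("%uXXXX%uXXXX"); }
other.select();
"""
BENIGN_LEGACY = """
var box = document.getElementById("note");
box.onpropertychange = function () { save(box.value); };
box.title = "Last saved " + new Date();
document.execCommand("SelectAll");
"""

if __name__ == "__main__":
    for label, js in (("trigger-like", TRIGGER_LIKE), ("benign", BENIGN_LEGACY)):
        total, names = score_script(js)
        print(f"{label}: score={total} suspicious={is_suspicious(js)} hits={names}")
```

A single indicator (for example onpropertychange alone) stays well under the threshold, so ordinary legacy IE pages are not flagged; only the combined chain scores.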
2) Assembly analysis
First, look at the crash point: the crash occurs when the virtual function is called through the freed CMarkupPointer (as follows)
Now let's debug the sample. The vulnerable code is in the mshtml module. When the module loads, set the conditional breakpoint bp Ordinal103+0x3a93e ".if poi(eax)=77bd18d3 {} .else {gc}". Because the ROP chain uses fixed addresses in the MSVCRT module, eax points to the call pointer. When the breakpoint hits, the freed memory region is already under the attacker's control; in the JavaScript it was filled by modifying the title attribute of the array elements, as follows
Now look at the virtual-table pointer forged by the attacker. The addresses in the table should be fixed addresses in the MSVCRT module; here the host is Windows 7, so no module name is shown and the address is invalid (as follows)
Stepping once more with p, the first ROP address fails to execute, producing a memory access violation (as follows)
Use the !heap -p -a ebx command to inspect the heap block allocated at the forged virtual-table pointer. On 64-bit Windows 7 the block size is 0x48, that is, the injection is done in units of 0x48 bytes (as follows)
The ROP chain and shellcode that follow are not analyzed further, because they are essentially the same as in other viruses, Trojans and exploit samples.
3. Lessons learned
We need real patience and perseverance, and should pay attention to searching for material and reading English articles and technical documents. Moreover, when we run into problems during analysis we should try to solve them rather than avoid them, and face them positively in order to win in the end. Finally, I wish you good luck (the pictures have nothing to do with this article)!
A PDF version of this article can be downloaded from the PC Security Learning Research Station.