CVE-2012-1889: Security Update Analysis

ORIGINAL SWISS ETHICAL HACKING

Your texte here ….

CVE 2012-1889 Security Update Analysis

19th July 2012 Brian MARIANI & Frédéric BOURLA

Timeline

The 12th of June 2012 Microsoft published a security advisory with a temporary fix related to the msxml core services vulnerability which is heavily exploited in the wild.

On June 18th 2012 Metasploit released a working exploit.

On June 19th 2012 a 100% reliable exploit for Internet Explorer 6/7/8/9 on Windows XP/Vista, and Windows 7 SP1 was published by metasploit.

On July 9th 2012 Microsoft finally released a security update in order to patch this vulnerability.

Some important details

This document is the continuation of the previous publication: “Microsoft XML core services uninitialized memory vulnerability”.

In this new presentation we will analyze the security update released on July 9th 2012 which fixes several DLL libraries, specially the msxml3.dll one.

The lab environment is an English Windows XP SP3 workstation.

For simplicity, ASLR and DEP security options are deactivated.

Security update

Files' size comparison

We identify all files implied in the security update process with monitoring tools, such as Process Monitor. Actually, the file which interests us is the msxml3.dll library.

To successfully compare unpatched and patched files, we first make a copy of the unpatched library to an analysis directory.

We apply the security update and we copy again the patched DLL file into the previous directory, with a new destination file name.

After downloading and applying the security update and comparing the size of this particular file, we can notice a tiny difference of 66 bytes.

Binary Diffing

Binary Diffing is a technique for performing automated binary differential analysis.

This becomes very useful for reverse engineering patches as well as program updates.

Some of the available binary diffing tools are:

– Bindiff

– PatchDiff

– Darumgrim

– Turbodiff

Here, we used Turbodiff.

Turbodiff

Turbodiff was programmed by Nicolás Economou.

It was presented at the Argentinian security conference Ekoparty in 2009.

It is a heuristic based IDA Plugin aimed for binary diffing.

This tools was developed in C++.

It provides an Architecture Independent Diffing.

Turbodiff results (1)

After analyzing the two binary files, turbodiff creates an ana file from the IDA idb file.

The aforementioned ana file will be used later in order to detect the suspicious and changed functions.

Later turbodiff displays its results:

After examining the differences between the two files:

– 25 functions are marked as suspicious.

– 72 functions are marked as changed.

Let’s check the changes in the DOMNode::get_definition(IXMLDOMNode) function which is the most important procedure involved in this vulnerability.

As we can see the instruction mov [edi], ebx was added into the get_definition function.

In order to understand this minor change let’s analyzed the whole process.

before after

Flow analysis (1)

749bd756 _dispatchImpl::InvokeHelper

Flow analysis (2)

749bd7de call dword ptr [esi+0x20]{msxml3!DOMNode::_invokeDOMNode

Flow analysis (3)

749d42da msxml3!DOMNode::_invokeDOMNode

Flow analysis (4)

749d6499 msxml3!DOMNode::get_definition

Flow analysis (5)

749d64d2 mov edi,[ebp+0xc] ss:0023:0013dff8=0013e138

This is the local variable value that will be retrieved later by the _dispatch::InvokeHelper function

Flow analysis (6)

Flow analysis (7)

749d6514 mov [edi],ebx ds:0023:0013e138=0c0c0c08

Flow analysis (8)

This instruction corresponds to the security update. The content of the edi will be initialized to zero

749d6514 mov [edi],ebx ds:0023:0013e138=0c0c0c08

Flow analysis (9)

_dispatchImpl::InvokeHelper 749bd7e9 mov eax,[ebp-0x14] ss:0023:0013e138=00000000

After returning to the _dispatchImpl::InvokeHelper function the previous sanitized pointer is moved into the eax register

Flow analysis (10)

749bd7ec cmp eax,ebx

Flow analysis (11)

Flow analysis (12)

749bd7f0 jz msxml3!_dispatchImpl::InvokeHelper+0xc2 (749bd818)

The conditional jump will be executed

Flow analysis (13)

749bd80a call dword ptr [ecx+0x18]

749bd7f0 jz msxml3!_dispatchImpl::InvokeHelper+0xc2 (749bd818)

The conditional jump will be executed

The call responsible to execute the payload is no more reachable due to the conditional jump

Conclusions

As we have seen the main change in the XML security update for Windows XP-SP3 is the mov [edi],ebx instruction.

This instruction sanitizes the value that will be retrieved later by the _dispatchImpl::InvokeHelper function.

If one modifies the two bytes instruction (891F) with NOP's instructions (9090) the whole security updated could be deactivate.

Apply the security update (KB2719985) as soon as you can since this vulnerability is heavily exploited in the wild nowadays.

749d6514 891F mov [edi],ebx

References

http://www.microsoft.com/fr-fr/download/details.aspx?id=30290

http://support.microsoft.com/kb/2719985

http://www.openrce.org/forums/posts/82

http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=Heuristicas_aplicadas_a_la_comparacion_%28_diffeo_%29_de_binarios&file=Economou_2009-binary_diffing.pdf

Acknowledgments

Thanks to Nicolas Economou from coresecurity for allowing us to publish the document using its utility Turbodiff :]

http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=turbodiff

Thanks for reading

Your questions are always welcome!

brian.mariani@htbridge.ch

frederic.bourla@htbridge.ch

CVE-2012-1889: Security Update Analysis

Technology

THE RANSOMWARE - Microsoft...CVE-2012-1054, CVE-2015-0204, CVE-2015-1637, CVE-2003-0818, CVE-2002-0126, CVE-1999-1058 Start out by patching those and you can drastically reduce your

[若渴計畫]CVE 2014-9322, CVE-2015-0235, CVE-2009-3547

Network and Security Manager Release Notes - Juniper …€¦ · Table9:CVEsforNSMPackages Packages AddressedCVEs NSM2012.2Release CVE-2011-3192,CVE-2011-3368,CVE-2012-0031,CVE-2011-4317,

Mapa Topográfico Almadén (Año 1889) MTN 0808 1889

Exploiting CVE-2018-8611 - NCC Group€¦ · Notable KTM-related security ﬁndings 2010 - CVE-2010-1889 - Tavis Ormandy - invalid free 2015 - MS15-038 - James Forshaw - type confusion

McAfee Foundstone FSL Update · 23242 - (K38243073) F5 BIG-IP BIG-IP ASM Data Processing Vulnerability Category: SSH Module -> NonIntrusive -> F5 Risk Level: High CVE: CVE-2017-6154

API design for cryptography - Hack.luarchive.hack.lu/2017/hacklu-crypto-api.pdf · Focused on high-speed cryptography ... CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080

Бeзопасность в MikroTik · Слоупоки и конкуренты обсуждают до сих пор. Некритичные CVE-2018-1156, CVE-2018-1157, CVE-2018-1158,

Release Notes€¦ · l CentOS 5 NSS security update (CESA-2016:2779). l Samba security updates (CVE-2017-7494). l OpenSSH vulnerability (CVE-2016-3115). l Man in the middle vulnerability

McAfee Foundstone FSL Update · CVE-2015-5296, CVE-2015-5299, CVE-2015-5330, CVE-2015-5370, CVE-2015-7560, CVE-2016-2110, CVE-2016-2111, CVE- ... exploitation could allow a remote

Préparée par - OSSIR...2015/06/09 · WanderingGlitch par ZDI (CVE-2015-1676, CVE-2015-1677, CVE-2015-1678, CVE-2015-1679, CVE-2015-1680) Microsoft - Avis Mai 2015 Failles / Bulletins

Cve. Alumno

CVE Glossary

McAfee Foundstone FSL Update€¦ · Category: Windows Host Assessment -> Patches and Hotfixes (CATEGORY REQUIRES CREDENTIALS) Risk Level: High CVE: CVE-2016-7287 Description A vulnerability

CVE FERRERO

graphische-presse/1889/pdf/1889-016library.fes.de/gewerkzs/graphische-presse/1889/pdf/1889-016.pdf · 16. 2. Pie 3. 1889. Organ fiir bie ber €itlpographen, Steinbrucfer, £icI?tÖrucferr

MCAFEE FOUNDSTONE FSL UPDATE 2019-SEP-11...Code Execution (CVE-201 Category: Windows Host Assessment -> Patches and Hotfixes (CATEGORY REQUIRES CREDENTIALS) Risk Level: High CVE: CVE-2019-1306

BRASIL IMPÉRIO (1822-1889). Império Brasileiro (1822-1889)

DNS Security Update 20152015 年 2月18日 CVE-2015-1349 High （高） 2015 年7月7日 CVE-2015-4620 Critical （重大） 2015 年 7月28日 CVE-2015-5477 Critical （重大）

schools.cvesd.orgschools.cvesd.org/district/district/CVE/CVE Bargaining... · 2017. 1. 5. · schools.cvesd.org