Thursday, August 2, 2012

CVE-2012-1889 Security Update Analysis - Analysis video and presentation from High-Tech Bridge by Brian Mariani and Frédéric Bourla


Sorry for being away for such a long time - I was out of town for almost 2 weeks and came back just a couple of days ago. However, the blog is not dead and I am planning to post more stuff soon. There is Madi/Mahdi epidemic in progress, the exploit pack table needs urgent updates, and I have a quite a few samples accumulated that I need to post before they get old and boring. For now, if you are looking for anything specific, you can ask and I will check if I have them in the pending category.

Today, please enjoy the second part of CVE-2012-1889 analysis (CVE-2012-1889 Security Update Analysis - in video and PDF format ) sent to us by Brian Mariani and Frédéric Bourla from High-Tech Bridge www.htbridge.com ( High-Tech Bridge CVE Acreditation)

Analysis Video


Download the analysis PDF here
Download the video file here (ASF) - High definition




1
The 12th of June 2012 Microsoft published a security advisory with a temporary fix related to the msxml core services vulnerability which is heavily exploited in the wild.
* On June 18th 2012 Metasploit released a working exploit.
* On June 19th 2012 a 100% reliable exploit for Internet Explorer 6/7/8/9 on Windows XP/Vista, and Windows 7 SP1 was published by metasploit.
* On July 9th 2012 Microsoft finally released a security update in order to patch this vulnerability.


2
Some important details
* This document is the continuation of the previous publication: “Microsoft XML core services uninitialized memory vulnerability”.
* In this new presentation we will analyze the security update released on July 9th 2012 which fixes several DLL libraries, specially the msxml3.dll one.
* The lab environment is an English Windows XP SP3 workstation.
* For simplicity, ASLR and DEP security options are deactivated.

3
 Security update













4
Files' size comparison

We identify all files implied in the security update process with monitoring tools, such as Process Monitor. Actually, the file which interests us is the msxml3.dll library.
*To successfully compare unpatched and patched files, we first make a copy of the unpatched library to an analysis directory.
*We apply the security update and we copy again the patched DLL file into the previous directory, with a new destination file name.
*After downloading and applying the security update and comparing the size of this particular file, we can notice a tiny difference of 66 bytes.


5.
Binary Diffing

*Binary Diffing is a technique for performing automated binary differential analysis.
*This becomes very useful for reverse engineering patches as well as program updates.
*Some of the available binary diffing tools are:
–Bindiff
–PatchDiff
–Darumgrim
–Turbodiff
*Here, we used Turbodiff.s.



6.
Turbodiff


*Turbodiff was programmed by Nicolás Economou.

*It was presented at the Argentinian security conference Ekoparty in 2009.
*It is a heuristic based IDA Plugin aimed for binary diffing.
*This tools was developed in C++.
*It provides an Architecture Independent Diffing.









7
Turbodiff results (1)
*After analyzing the two binary files, turbodiff creates an ana file from the IDA idb file.
*The aforementioned ana file will be used later in order to detect the suspicious and changed functions.









8.
Turbodiff results (2)

After examining the differences between the two files:
–25 functions are marked as suspicious.
–72 functions are marked as changed.











9

Turbodiff results (3)
*Let’s check the changes in the DOMNode::get_definition(IXMLDOMNode) function which is the most important procedure involved in this vulnerability.
*As we can see the instruction mov [edi], ebx was added into the get_definition function.
*In order to understand this minor change let’s analyzed the whole process.





10
Flow analysis (1)













13
Flow Analysis (13)














14
Conclusions
*As we have seen the main change in the XML security update for Windows XP-SP3 is the mov [edi],ebx instruction.
*This instruction sanitizes the value that will be retrieved later by the _dispatchImpl::InvokeHelper function.
*If one modifies the two bytes instruction (891F) with NOP's instructions (9090) the whole security updated could be deactivate.
*Apply the security update (KB2719985) as soon as you can since this vulnerability is heavily exploited in the wild nowadays.




References
http://www.microsoft.com/fr-fr/download/details.aspx?id=30290
http://support.microsoft.com/kb/2719985
http://www.openrce.org/forums/posts/82
http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=Heuristicas_aplicadas_a_la_comparacion_%28_diffeo_%29_de_binarios&file=Economou_2009-binary_diffing.pdf


Acknowledgments
Thanks to Nicolas Economou from coresecurity for allowing us to publish the document using its utility Turbodiff :]

http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=turbodiff




2 comments: