Thursday, August 2, 2012

CVE-2012-1889 Security Update Analysis - Analysis video and presentation from High-Tech Bridge by Brian Mariani and Frédéric Bourla

Sorry for being away for such a long time - I was out of town for almost 2 weeks and came back just a couple of days ago. However, the blog is not dead and I am planning to post more stuff soon. There is a Madi/Mahdi epidemic in progress, the exploit pack table needs urgent updates, and I have quite a few samples accumulated that I need to post before they get old and boring. For now, if you are looking for anything specific, you can ask and I will check if I have them in the pending category.

Today, please enjoy the second part of the CVE-2012-1889 analysis (CVE-2012-1889 Security Update Analysis, in video and PDF format) sent to us by Brian Mariani and Frédéric Bourla from High-Tech Bridge (High-Tech Bridge CVE Accreditation).

Analysis Video

Download the analysis PDF here
Download the video file here (ASF) - High definition

On June 12th 2012 Microsoft published a security advisory with a temporary fix for the MSXML Core Services vulnerability, which is heavily exploited in the wild.
* On June 18th 2012 Metasploit released a working exploit.
* On June 19th 2012 a 100% reliable exploit for Internet Explorer 6/7/8/9 on Windows XP/Vista and Windows 7 SP1 was published by Metasploit.
* On July 9th 2012 Microsoft finally released a security update to patch this vulnerability.

Some important details
* This document is the continuation of the previous publication: "Microsoft XML core services uninitialized memory vulnerability".
* In this new presentation we analyze the security update released on July 9th 2012, which fixes several DLL libraries, especially msxml3.dll.
* The lab environment is an English Windows XP SP3 workstation.
* For simplicity, the ASLR and DEP security options are deactivated.

Security update

Files' size comparison

We identify all files involved in the security update process with monitoring tools such as Process Monitor. The file that interests us is the msxml3.dll library.
* To compare the unpatched and patched files, we first copy the unpatched library to an analysis directory.
* We apply the security update and copy the patched DLL into the same directory under a new file name.
* After applying the security update and comparing the sizes of the two copies, we notice a tiny difference of 66 bytes.
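A size delta only tells you that something changed; locating where the extra bytes sit is the first step before opening the two copies in a disassembler. The script below is an added example (not part of the High-Tech Bridge analysis) that compares two copies of a file by size, hash and aligned byte ranges. It runs on two small constructed byte strings standing in for the unpatched and patched msxml3.dll: the patched stand-in has the two-byte mov [edi], ebx (89 1F) inserted and 64 bytes of padding appended, so the delta comes out as 66 bytes like the real one. The opcode bytes, the padding and the function names are invented for the demonstration.

```python
"""Compare an unpatched and a patched copy of a library (added example).

Reports the size delta, a hash of each copy, and the exact byte ranges
that differ, so a 66-byte delta can be located rather than just noticed.
"""
import difflib
import hashlib

# Constructed stand-ins for the two DLL copies. UNPATCHED is an invented
# x86 code sequence; PATCHED is the same sequence with the two-byte
# instruction 89 1F (mov [edi], ebx, the change named in the analysis)
# inserted after the prologue and 64 bytes of padding appended, so the
# total size difference is 66 bytes.
UNPATCHED = bytes.fromhex("8bff558bec8b7d0833db85ff7405") + bytes(range(32))
PATCHED = (bytes.fromhex("8bff558bec8b7d0833db85ff7405")
           + bytes.fromhex("891f")
           + bytes(range(32))
           + b"\x00" * 64)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def byte_diff(old: bytes, new: bytes) -> list:
    """Return (tag, old_offset, new_offset, old_bytes, new_bytes) for every
    region that differs.  SequenceMatcher aligns the two byte sequences
    around insertions and deletions; a plain offset-by-offset comparison
    would report every byte after the first inserted one as changed."""
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    regions = []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag != "equal":
            regions.append((tag, i1, j1, old[i1:i2], new[j1:j2]))
    return regions


def compare(old: bytes, new: bytes) -> dict:
    """Summarize size, hash and differing regions of two file images."""
    return {
        "old_size": len(old),
        "new_size": len(new),
        "delta": len(new) - len(old),
        "same_hash": sha256(old) == sha256(new),
        "diffs": byte_diff(old, new),
    }


if __name__ == "__main__":
    result = compare(UNPATCHED, PATCHED)
    print(f"size {result['old_size']} -> {result['new_size']} "
          f"(delta {result['delta']:+d} bytes)")
    for tag, i, j, old_bytes, new_bytes in result["diffs"]:
        print(f"  {tag:7} old@{i:#06x} new@{j:#06x} "
              f"{old_bytes.hex() or '-'} -> {new_bytes.hex() or '-'}")
```

On real files, read both copies with `open(path, "rb").read()` and pass them to `compare`; for a multi-megabyte DLL the aligned diff is slow, so restrict it to the sections that matter (.text) once the size and hash confirm the files differ.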

Binary Diffing

* Binary diffing is a technique for performing automated binary differential analysis.
* It is very useful for reverse engineering patches as well as program updates.
* Some of the available binary diffing tools are:
* Here, we used Turbodiff.

* Turbodiff was programmed by Nicolás Economou.
* It was presented at the Argentinian security conference Ekoparty in 2009.
* It is a heuristic-based IDA plugin for binary diffing.
* The tool was developed in C++.
* It provides architecture-independent diffing.

Turbodiff results (1)
* After analyzing the two binary files, Turbodiff creates an ana file from the IDA idb file.
* The aforementioned ana file is used later to detect the suspicious and changed functions.

Turbodiff results (2)

After examining the differences between the two files:
* 25 functions are marked as suspicious.
* 72 functions are marked as changed.


Turbodiff results (3)
* Let's check the changes in the DOMNode::get_definition(IXMLDOMNode) function, which is the most important procedure involved in this vulnerability.
* As we can see, the instruction mov [edi], ebx was added to the get_definition function.
* To understand this minor change, let's analyze the whole process.
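The "suspicious" versus "changed" split above is what makes a patch diff tractable: out of hundreds of functions, only a handful need a human. The following added example (my own code, not Turbodiff's) models that triage with a deliberately simplified heuristic that is an assumption for illustration, not Turbodiff's actual algorithm: each function is a list of basic blocks, block signatures hash mnemonics and register operands with absolute addresses masked out (addresses shift between builds and would otherwise flag every function), same block count with identical signatures is "identical", same block count with some differing signatures is "suspicious", and a different block count is "changed". The sample functions, blocks and addresses are constructed; only the added mov [edi], ebx in get_definition reflects the change the analysis names.

```python
"""Function-level patch triage (added example, not Turbodiff's code).

Simplified heuristic, assumed for illustration:
  - a function is a list of basic blocks, each a list of instruction strings;
  - a block signature hashes the instructions with 0x... addresses masked;
  - same block count, all signatures equal   -> identical
  - same block count, some signatures differ -> suspicious
  - different block count                    -> changed
"""
import hashlib
import re

ADDR = re.compile(r"\b0x[0-9a-fA-F]+\b")


def block_signature(block: list) -> str:
    """Hash a basic block after replacing absolute addresses with a token,
    so relocation of jump/call targets between builds is not a change."""
    normalized = [ADDR.sub("ADDR", insn) for insn in block]
    return hashlib.sha256("\n".join(normalized).encode()).hexdigest()[:16]


def classify(old_fn: list, new_fn: list) -> tuple:
    """Return (verdict, detail) for one function present in both builds."""
    if len(old_fn) != len(new_fn):
        return "changed", f"{len(old_fn)} -> {len(new_fn)} basic blocks"
    differing = [i for i, (a, b) in enumerate(zip(old_fn, new_fn))
                 if block_signature(a) != block_signature(b)]
    if not differing:
        return "identical", ""
    return "suspicious", f"block(s) {differing} differ"


def diff_binaries(old: dict, new: dict) -> dict:
    """Classify every function of two builds, keyed by function name."""
    report = {}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report[name] = ("added", "")
        elif name not in new:
            report[name] = ("removed", "")
        else:
            report[name] = classify(old[name], new[name])
    return report


def summarize(report: dict) -> dict:
    """Count functions per verdict (the '25 suspicious / 72 changed' view)."""
    counts = {}
    for verdict, _ in report.values():
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample builds.  Only the extra 'mov [edi], ebx' in the second
# block of get_definition mirrors the real update; everything else (blocks,
# the other functions, all addresses) is invented for the demonstration.
OLD = {
    "DOMNode::get_definition": [
        ["push ebp", "mov ebp, esp", "mov edi, [ebp+8]", "xor ebx, ebx",
         "test edi, edi", "jz 0x401030"],
        ["call 0x402000", "jmp 0x401030"],
        ["pop ebp", "ret"],
    ],
    "Node::release": [["dec dword ptr [ecx+4]", "jz 0x403010"],
                      ["call 0x404000"], ["ret"]],
    "Node::addRef": [["inc dword ptr [ecx+4]", "ret"]],
}
NEW = {
    "DOMNode::get_definition": [
        ["push ebp", "mov ebp, esp", "mov edi, [ebp+8]", "xor ebx, ebx",
         "test edi, edi", "jz 0x401032"],                 # only address moved
        ["mov [edi], ebx", "call 0x402010", "jmp 0x401032"],  # added store
        ["pop ebp", "ret"],
    ],
    "Node::release": [["dec dword ptr [ecx+4]", "jz 0x403018"],
                      ["test eax, eax", "jz 0x403020"],   # new basic block
                      ["call 0x404008"], ["ret"]],
    "Node::addRef": [["inc dword ptr [ecx+4]", "ret"]],
}

if __name__ == "__main__":
    report = diff_binaries(OLD, NEW)
    for name, (verdict, detail) in report.items():
        print(f"{verdict:10} {name} {detail}")
    print(summarize(report))
```

Feeding a real binary into this requires a disassembler to produce the block lists (in IDA that is what the plugin reads from the idb). The design point worth keeping even with a real tool is the address masking: without it, a two-byte insertion shifts every later jump target and the whole module lights up as changed.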

Flow analysis (1)

Flow analysis (13)

* As we have seen, the main change in the XML security update for Windows XP SP3 is the mov [edi], ebx instruction.
* This instruction sanitizes the value that will be retrieved later by the _dispatchImpl::InvokeHelper function.
* If one replaces the two-byte instruction (89 1F) with two NOP instructions (90 90), the whole security update could be deactivated.
* Apply the security update (KB2719985) as soon as you can, since this vulnerability is heavily exploited in the wild nowadays.


Thanks to Nicolás Economou from Core Security for allowing us to publish the document using his utility Turbodiff :]