IE Security Series: script pioneer

Source: Internet
Author: User
Tags vc runtime cve


Review: the previous two articles covered IE's history, the new features of each version, the basic HTML rendering logic, and the challenge that web Trojans (drive-by download pages) pose to IE security.
Starting with this chapter we again use web Trojans as the entry point for a deeper look at IE vulnerability analysis and attack-versus-defense. The "script pioneer" series spans four chapters: the first two introduce the encryption (obfuscation) methods commonly found in web Trojans and how to undo them; the last two cover shellcode analysis.
III.1 HTML and web Trojan attacks (2): permission issues
A web Trojan cannot exist without scripts. The previous chapter introduced the most basic obfuscation, or more precisely encoding, since escape() really is an encoding function rather than encryption.
This chapter opens with a real web Trojan example.

The code above is a Trojan page captured in the wild. Servers hosting such pages can go offline at any time, so the page has been archived. Because the page was crawled as-is, antivirus software may flag it; if that is a concern, handle the sample in a virtual machine.
This web Trojan exploits the VBScript integer overflow vulnerability CVE-2014-6332. This well-known vulnerability has been analysed many times online; refer to those write-ups if you are unfamiliar with it. This chapter covers only the script level; the binary side will be analysed in later chapters, depending on how much space the selected part of the vulnerability needs.
This section briefly describes the scripts and attack points involved.
At the top of the page there is a META tag. VBScript is not supported in Internet Explorer 11's Edge document mode, so the Trojan code first forces IE to emulate IE8; the rendering mode switches to IE8, which still executes VBScript:
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8">
Next, the page contains two SCRIPT blocks:

Some readers may wonder about the order in which the code runs. In IE the script execution order is:
(1) SCRIPT blocks run in document order: whichever block comes first in the source runs first;
(2) within each block, function declarations are parsed first but not executed; after parsing, execution starts from the first line of top-level code in that block;
(3) if a block has no error-handling statement, the code after the faulting statement in that block does not run, but the other blocks are unaffected;
(4) in JavaScript the error-handling construct is try {} catch (...) {}; in VBScript it is On Error Resume Next;


So the first block defines a function. The function calls CreateObject to create three objects: WScript.Shell, Microsoft.XMLHTTP and ADODB.Stream.

The CLSIDs of these three objects are:
WScript.Shell: 72c24dd5-d70a-438b-8a42-98108b88afb8
Microsoft.XMLHTTP: ED8C108E-4349-11D2-91A4-00C04F7969E8 (ProgID: Microsoft.XMLHTTP.1.0)
ADODB.Stream: 00000566-0000-0010-8000-00AA006D2EA4
Look up the CLSIDs of WScript.Shell and ADODB.Stream in the registry and you will find the same values:


Note that both Safe For Scripting and Safe For Initializing are false for these ActiveX objects, so they cannot be loaded in the Internet zone. If they are used in a local zone, Internet Explorer prompts:

The Internet zone defaults to the Medium-high security level. At that level such scripts are not executed, and an exception is raised instead.

When the exploit succeeds it turns off the security check. As a result every object marked unsafe can be created and run, and the attacker no longer needs to worry about defence mechanisms such as ASLR to compromise the machine.


The web Trojan finally calls this function, which downloads an EXE and runs it. That EXE is the Trojan program.
The last statements of the web Trojan, however, create an IFRAME pointing at the Trojan EXE, hxxp://116.426195.114/server.exe, and then call window.open() on the same URL to open a new window.

These two statements make IE (and other browsers alike) show a download prompt:

This is the last line of defence, the user: as long as the user does not click to run it, nothing happens, and the URL will soon be in the blocklists of virtually every Chinese antivirus vendor, so it certainly will not fool many people.

Note that the site also references a 1.js; that file returns 404 and its content is unknown, but judging from the obvious "js Trojan" comment above, the author has probably merged the JS content into this page.
In summary, the page's goal is to get users to download server.exe. From the antivirus reports alone, this EXE is a remote-control program. For a Trojan of this moderate size the easier debugging environment is Sandboxie + OllyDbg, or VMware plus debugging tools; the latter may use a lot of memory, while the former is lightweight and easy to set up. Be careful, though, not to let a sample escape the sandbox and affect the real system. This part is not covered in this series and is not described further.

While searching today's list of Trojan-infected websites I also came across the following example (Appendix 2), a site infected with Ramnit, a file-infecting virus similar to the Panda virus, which appends a script to every HTML file. The script needs local permissions, so it prompts before execution; but if the user clicks "Allow", the virus is regenerated (perhaps combined with CVE-2014-6332 above it would do even better):

Figure: Ramnit infection example
Almost all files infected by this virus can be repaired by antivirus software.
III.2 HTML and web Trojan attacks (3): de-obfuscation
The above was a simple example. Now let us look at some obfuscated ones.
The examples in this section are not very hard: observe carefully and they unlock easily. Harder examples follow in the next chapter.
1. JS compression (packer) output

Look at this example (Appendix 3). The script is exploit code for CVE-2004-0204, taken from an old web Trojan record. At first glance the code looks complicated and ugly, but recall from the previous chapter that eval ends up executing whatever its first argument evaluates to, and here the first argument is a function call. So simply replacing eval with alert and running it yields the content:

The red box marks the address of the Trojan file to be downloaded.
If that is still not clear, let us read the code briefly:

It can be seen that the structure is actually:
eval(
    function (p, a, c, k, e, d) { ... }(p, a, c, k, e, d)
)
That is, the return value of the anonymous six-parameter function is passed to eval for execution, so the return value is code that has been decrypted at least once.
If you still do not see it, this makes it obvious:
var a = function () { return 1 }();
alert(a.toString());

Initially (2007) only a few JS libraries used this; later, because of its compression effect, jspack was adopted by many websites. To generate such code, search Baidu for "eval compression".
2. Reading simple code

On this page (Appendix 4) there is a strange-looking piece of encoded code,

Reading it, the code is really two parts:
define the function xViewState();
call xViewState().
Reading xViewState, the first half decrypts data, and the only interaction with the page or other scripts is document.write. Replace document.write with alert to see the content about to be written to the page.
Note that content written into the DOM via document.write is rendered and executed immediately.


It turns out to be writing a piece of style information that moves .nemonn to top: -9999px, i.e. outside the visible area of the page. Why? You have probably guessed: hidden links (black-hat SEO links).
There is another hidden spot on this page; reading this code makes its intent clearer:


Figure: code of the hidden link not shown on the home page
This technique is a target of Google's ranking penalties; script-based encryption can be seen as a "confrontation" with Google.
3. Tool processing
Since JavaScript makes it easy to hijack an object (replace one of its methods), the tool I provide also has a simple replacement function:


4. Exploit kit example
This is a simple example of the notorious Nuclear Exploit Kit's landing page.

Figure: Nuclear EK landing page (Appendix 5). The page structure is:
<SCRIPT>...</SCRIPT>
<ELEMENTS>data elements</ELEMENTS>
<SCRIPT>...</SCRIPT>
The content of the ELEMENTS part cannot be executed, so analysis should focus on the SCRIPT parts.

First, de-obfuscate the first part. Comments make up half the length of the code, so delete them in bulk first.

Then format the JS code,

then tidy it up (Appendix 6); it is then easy to see what the code does.
The third SCRIPT block of the page (Appendix 6, line 78) is:
<script>aiTsnQh(EOHCnD("iaTyv"));</script>
So EOHCnD is called first. The function is defined as:

Reading it:
line 29: obtain the document object;
line 30: call document["getElementById"](divId).innerHTML["replace"](/[ ]/g, '') to strip spaces;
lines 32-33: substr obfuscation;
lines 37-50: starting from the first byte, take two characters at a time with substr and convert them to a number; if it is less than 10 keep it, if greater than 10 subtract 2; then append the result to the MvBLCx variable;
line 52: return the decoded characters.
So it is very simple: EOHCnD is the decryption function, and we can run the page and output its return value.
Change the third SCRIPT block to console.log:

The decrypted content (Appendix 7). The script passes parameters to the exploit program (the SWF, Appendix 8) for execution. SWF content:
That is all the de-obfuscation content in this chapter. You can practise against the malicious scripts in the attachments. Next, an overview of some ActiveX knowledge in IE.
III.3 How IE handles ActiveX when rendering pages, and its security restrictions
When IE renders web pages, ActiveX objects have always been a favourite of vulnerability hunters. An ActiveX control is a reusable component built on COM (Microsoft's Component Object Model); it probably got its name because it can be "active" in many contexts.
An ActiveX control can be instantiated with an OBJECT tag, with CreateObject in a script, or with new ActiveXObject.

Figure: exploit code for the CVE-2010-0886 overflow under XP, passing an over-long docbase parameter to the object
An ActiveX object is a binary. If that binary contains dangerous operations it can certainly do bad things to the user's machine; since ActiveX controls can do almost everything ordinary programs can, a malicious ActiveX control is devastating, especially when IE loads whichever control a web page asks for. Security and convenience are in conflict here.
Worse, on XP ActiveX runs with the same privileges as IE, and most people log on as administrators, so ActiveX gets administrator privileges too. This was improved by the Protected Mode introduced with Vista.
This section briefly introduces the ActiveX security label Safe For Scripting. A control marked Safe For Scripting should not be exploitable by an untrusted script (put simply, a script provided by someone else, which the developer could not foresee), for example to leak private data, execute files, or simply interfere with the normal operation of other software.
The other label concerns parameter input. When the initialisation data is untrusted (for example, a control's background colour set to RGB(999, -1, "abc")), the control must not crash or otherwise stop working (Safe For Initializing): who knows what a user will send you.

To let an ActiveX control participate in IE script interaction, you must ensure the control can be safely driven from any script host, and register it as "Safe For Scripting".
There are two ways to do this: write a key value in the registry, or implement the IObjectSafety interface (ATL provides IObjectSafetyImpl for convenience).

Figure: an example of a control implementing IObjectSafety
IObjectSafety has two methods, GetInterfaceSafetyOptions and SetInterfaceSafetyOptions. GetInterfaceSafetyOptions returns the control's safety capabilities (Safe For Init? Safe For Scripting?); SetInterfaceSafetyOptions is called by the host to tell the control which safety properties it must provide.

Figure: IObjectSafety definition; see objsafe.h in the VC runtime library for the exact code.

Figure: implementation of GetInterfaceSafetyOptions; see atlctl.h in the VC runtime library.
For details on this part, refer to "Essential COM".
Let us briefly discuss how IE implements ActiveX. As mentioned earlier, most elements inherit from CElement, and this one is no exception: the class for OBJECT is CObjectElement, which inherits from CElement.
When an OBJECT tag is parsed, IE will:
1. try to read its parameters and find the CLSID and other parameter information;
2. read the CODEBASE value and parse it into the property bag; the value can be:
2.1 an absolute URL (http://drops.2cto.com/xx.cab#version=xxx);
2.2 a relative URL (xx.cab#version=xxx);
2.3 no URL at all (#version=xxx);
3. read and parse the other parameters and save them to the property bag;
4. load the OBJECT.
When loading the OBJECT, IE will:
1. check the cache, which holds IDispatch pointers; on a cache hit no further query is needed;
2. make sure the ActiveX control can be safely loaded (SafeForScripting) and accessed; if this step fails, IE returns E_ACCESSDENIED.
IsSafeToScript is a COleSite method which:
1. checks whether the user has disabled ActiveX safety checks (whether URLACTION_ACTIVEX_OVERRIDE_SCRIPT_SAFETY is set for the zone);

Figure: MSDN, https://msdn.microsoft.com/en-us/library/ms537178.aspx
2. if the current content is a Java applet, checks whether the user allows applets to load; if not, returns a denial directly;
3. checks the control's IObjectSafety and whether it is marked Safe For Scripting;
4. if the mark is missing and the user chose "prompt", shows a prompt saying that the ActiveX control about to be loaded is unsafe;
5. if safe, loads the control.
The above is the general procedure IE follows when loading ActiveX controls. Next, a brief overview of the security improvements IE has made for ActiveX:
1. ActiveX Opt-In was introduced in IE7. It disables most ActiveX controls by default; when a website requests an ActiveX control, IE shows an information bar:

Figure: Information bar, via Google Image

Figure: Security warning, via Google Image
The control is loaded only after the user confirms.
The following controls are not part of that "most":
A. controls that were already in use before the upgrade to IE7;
B. controls on the whitelist IE7 ships with, which are verified and mostly common ActiveX controls;
C. controls the user downloads and installs through the browser;

Figure: whitelist location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved
2. IE8 (with Vista) introduced per-user (non-admin) ActiveX, which lets users install ActiveX controls without administrator rights. Microsoft says this is meant to let users make better use of UAC: a malicious control installed with ordinary user rights affects only the current user rather than the whole system, because the control runs with that user's privileges.
IE8 can also enable ActiveX per website. Since then kill bits have been distributed through Windows Update, so Microsoft can clean up after an ActiveX control turns out to be a problem.
With Vista, IE also introduced Protected Mode, in which IE runs at low integrity level, so even if an ActiveX control is compromised it cannot write to sensitive locations.
3. IE9 added ActiveX Filtering, which lets you disable controls on all websites without being prompted.
4. In IE10, loading an ActiveX control goes through several checks, including group policy and permission checks; the control runs with the same permissions as the browser, and once the feature is enabled only controls that provide 32/64-bit files and are AppContainer-compatible can be loaded.
5. IE11 (with Windows 8) automatically scans ActiveX controls and blocks malicious ones from running.
At the same time Microsoft also pushed out-of-date ActiveX blocking, presumably following Chrome and Firefox, which block outdated plug-ins.
6. Spartan (IE12) does not support ActiveX or BHOs.
Instead an "extension system" is used for installation, and "old style" pages (intranet sites that require the legacy engine) are rendered with IE11.
Clearly Microsoft has a lot of resentment towards this whole stack. Whether Spartan can complete this series of security advances and the compatibility transition remains to be seen: we will have to watch how Microsoft makes its "extension system" safer, or whether it becomes another mess.
