Sizing up CVE-2010-1885 Exploit Artifacts

Monday, December 13, 2010 Posted by Corey Harrell 0 comments
There are numerous resources available to assist you during a system examination. A few of them include search engines, blogs, books, forums, and listservs. These resources have helped me gain a better understanding of the data I’m seeing when processing cases. I thought one of the benefits of documenting the exploit artifacts left on a system would be to have a resource that could be referenced during examinations of compromised systems. I felt this would have been helpful during the examination of the system I discussed in the post Anatomy of a Drive-by II. I was unfamiliar with some of the artifacts from the attack against the system, and this made it difficult to determine which vulnerability was exploited and led to the malware being downloaded.

The one area of the attack vector I wasn't as confident about was the exploit used. The examination showed it could have involved Java, Adobe Reader, or the Windows Help Center vulnerability. This was one of the reasons why I started documenting the various attack vector artifacts by focusing on exploits instead of the delivery mechanisms. To identify the potential exploit artifacts I’m using the exploits in Metasploit, running them against various test systems in order to see what artifacts are created. The first vulnerability I researched using Metasploit was the CVE-2010-1885 (Windows Help Center vulnerability) exploit, and the potential artifacts I found are documented here. However, this testing made me question whether it’s feasible to use the artifacts left by Metasploit as a reference to compare against the exploits being used in the wild. I wondered if there was enough similarity between the various implementations of an exploit (the various exploit packs available) to make identifying the artifacts meaningful. One way to find out is to compare the artifacts left by Metasploit against the artifacts left by an exploit pack being used in the wild. I'm going to be comparing the CVE-2010-1885 exploit artifacts against the system on which I suspected an exploit pack exploited this vulnerability. This will not only help determine the feasibility of using Metasploit to document exploit artifacts, but the comparison can also show how useful a reference about attack vector artifacts could be.

Metasploit Potential Artifacts Summary
The potential artifacts of the CVE 2010-1885 exploit included the exploit itself and the changes the exploit caused in the operating system environment. As a reminder, the following is the summary of the five artifact areas and the artifacts located in those areas:

        * Artifact with references to the ASX and iframe variables
            - htm file located in a temporary folder

        * Artifacts associated with the files specified in the ASX and iframe variables being accessed
            - ASX file located in a temporary folder (parname = )
            - htm file containing the iframe pointing to the hcp string
            - Image file located in a temporary folder
            - References to the above artifacts being accessed [Internet Explorer history contained entries of the files being accessed].

        * Folder of interest associated with the exploit
            - Activity involving the helpctr folder

        * Artifacts associated with the hcp protocol
            - Internet Explorer’s index.dat file recorded the activity of the hcp protocol
            - Files located in the Temporary Internet Files folder. Files located in this folder are the same files which were located in the helpctr folder

        * Artifacts associated with the Windows programs executed during the exploit
           - The programs verclsid.exe, helpctr.exe, and helpsvc.exe were executed

Review of the Anatomy of a Drive-by Examination
The comparison will be made using the timeline and image of the system I referenced in the Anatomy of a Drive-by posts. The system will be examined to identify any of the potential artifacts from the Windows Help Center vulnerability being exploited. The bullets below show the attack artifacts I located when I examined this system (I copied the bullets from the drive-by post):

* 09/12/10 06:38:25PM show[1].htm file was created on the system. This file had references to a few of the artifacts (jar file and the Windows Help Center vulnerability). Also, this file was associated with the xhaito[dot]com domain.

* 09/12/10 06:38:35PM The hcp[1].htm file was created on the system. The content of this file is associated with the Windows Help Center vulnerability.

* 09/12/10 06:38:35PM 0.8503427712213907.exe (Hiloti MD5 a06e417b9743e65bbb9ace16d6d3a65f) was created.

To be safe I'm starting the review one minute before 06:38:25PM and ending five minutes after it. I think this timeframe is sufficient to identify whether any CVE-2010-1885 exploit artifacts are present. The picture below shows the first portion of the system activity involving the Windows Help Center vulnerability.

The xhaito domain was hosting an exploit pack used to compromise the system. There was a hidden iframe in the rain[1].htm that pointed to the xhaito domain (Line 847906) and the PrivacIE entry showed the system visited the malicious domain (Line 847904). The first artifact of the CVE-2010-1885 exploit was the htm file named show[1].htm in the Temporary Internet Files folder (line 847907). Jsunpack was used to examine the htm file when the malicious domain was still active. As a result, not only could you see a reference to an ASX file but the ASX file was actually downloaded as shown below.

I examined the show[1].htm file again to see if there was still a reference to an ASX file when the malicious domain was no longer active. The ASX file wasn’t downloaded but there was still a reference indicating an ASX file was involved.

The show[1].htm file also had a reference to the htm file containing the hcp string. The entire string was captured by Jsunpack when the malicious domain was still active, as shown below.

Once the domain was no longer active, only the reference to the htm file containing the hcp string remained. This reference can still be used to explain where the htm file came from.

The picture below shows the next portion of the system activity involving the Windows Help Center vulnerability.

The htm file (hcp[1].htm) referenced in the show[1].htm file was created on the system in the Temporary Internet Files folder (line 847947). The file’s content was obfuscated as shown below.

I used Jsunpack to examine the file in order to deobfuscate the file’s content. This revealed the hcp string as shown below.

The picture below shows the last portion of the system activity involving the Windows Help Center vulnerability.

The first artifact in the picture occurred on Line 847985 which was a modification to the registry key HKU\Software\Microsoft\MediaPlayer\Health. This same registry key was modified when Metasploit was run against the test systems running Internet Explorer 8. I didn’t find a lot of information about this key but I came across a forum where a person stated Windows Media Player may use this key to determine if the player shut down properly. I ran a few tests using Procmon and found that Windows Media Player creates a subkey in this location with a name similar to {4AC12489-C148-4C7F-9FA0-3C5D8A590E0D} when the player is started. This subkey is deleted when the player shuts down properly but remains if not properly shut down. I consistently saw this behavior in my testing on XP and this registry modification may indicate that Windows Media Player was running. The last artifact was the pchealth\helpctr folder being accessed. This activity occurred on Lines 847993 and 847994.

Potential Artifacts Comparison
The examination was able to locate various artifacts associated with the CVE-2010-1885 exploit. It may not be clear how many of the Metasploit artifacts were actually located on the system. To help this comparison, the five Metasploit artifact areas and the artifacts located in those areas are listed below, with notes between asterisks indicating whether each artifact was present on the system:

* Artifact with references to the ASX and iframe variables
     - htm file located in a temporary folder *** Artifact not present ***

* Artifacts associated with the files specified in the ASX and iframe variables being accessed
     - ASX file located in a temporary folder (parname = ) *** show[1].htm file with references to an ASX file ***
     - htm file containing the iframe pointing to the hcp string *** show[1].htm file with references to the iframe containing the hcp exploit ***
     - Image file located in a temporary folder *** Artifact not present ***
     - References to the above artifacts being accessed [Internet Explorer history contained entries of the files being accessed] *** Artifact not present ***

* Folder of interest associated with the exploit
     - Activity involving the helpctr folder *** helpctr folder was accessed ***

* Artifacts associated with the hcp protocol
     - Internet Explorer’s index.dat file recorded the activity of the hcp protocol *** Artifact not present ***
     - Files located in the Temporary Internet Files folder. Files located in this folder are the same files which were located in the helpctr folder *** Artifact not present ***

* Artifacts associated with the Windows programs executed during the exploit
     - The programs verclsid.exe, helpctr.exe, and helpsvc.exe were executed *** The only artifact present in the timeline of interest was the registry key HKU\Software\Microsoft\MediaPlayer\Health indicating the player was running. Verclsid.exe executed 30 minutes after my timeline of interest ***
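
As an added example, not code from the original post, the review procedure above (window the timeline one minute before and five minutes after the pivot, then check each of the five artifact areas) scripted in Python. The timeline rows are constructed to imitate the line numbers and timestamps quoted in this post; the user name, SID, cache folder name and the 07:08:40PM prefetch line are assumptions, not data from the real image. Hits that fall outside the window are reported separately, which is how the verclsid.exe prefetch entry 30 minutes later shows up without being mistaken for part of the exploit.

```python
"""Window a timeline around a pivot time and map rows to the five CVE-2010-1885
artifact areas. Added example; the rows below are constructed, not the real image."""
import re
from datetime import datetime, timedelta

# Constructed rows: (timeline line, timestamp, source, description). Line numbers
# and times imitate the post; the user, SID and Content.IE5 folder are made up.
TIF = r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\K1O2P3Q4"
TIMELINE = [
    (847904, "09/12/10 06:38:24PM", "PrivacIE", "Visited: user@http://xhaito[dot]com/"),
    (847907, "09/12/10 06:38:25PM", "FS", TIF + r"\show[1].htm created"),
    (847947, "09/12/10 06:38:35PM", "FS", TIF + r"\hcp[1].htm created"),
    (847985, "09/12/10 06:38:36PM", "REG",
     r"HKU\S-1-5-21-1111-2222-3333-1004\Software\Microsoft\MediaPlayer\Health modified"),
    (847993, "09/12/10 06:38:37PM", "FS", r"C:\WINDOWS\pchealth\helpctr\System\sysinfo accessed"),
    (848300, "09/12/10 07:08:40PM", "PF", r"C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf executed"),
]

# One pattern per artifact area, matched against the description column.
AREA_PATTERNS = {
    "web_cache_files": re.compile(r"Temporary Internet Files.*\.(?:html?|asx|gif|jpe?g|png)\b", re.I),
    "helpctr_folder": re.compile(r"\\pchealth\\helpctr\\", re.I),
    "hcp_in_history": re.compile(r"\bhcp://", re.I),
    "wmp_health_key": re.compile(r"\\Software\\Microsoft\\MediaPlayer\\Health", re.I),
    "exploit_prefetch": re.compile(
        r"\\Prefetch\\(?:VERCLSID|HELPCTR|HELPSVC|WMPLAYER)\.EXE-[0-9A-F]{8}\.pf", re.I),
}


def parse_ts(s):
    """Timestamps in the format the post quotes, e.g. 09/12/10 06:38:25PM."""
    return datetime.strptime(s, "%m/%d/%y %I:%M:%S%p")


def in_window(rows, pivot, before=timedelta(minutes=1), after=timedelta(minutes=5)):
    """Rows whose timestamp lies within [pivot - before, pivot + after]."""
    lo, hi = pivot - before, pivot + after
    return [r for r in rows if lo <= parse_ts(r[1]) <= hi]


def classify(rows):
    """Map each artifact area to the timeline line numbers that match it."""
    hits = {area: [] for area in AREA_PATTERNS}
    for line, _ts, _src, desc in rows:
        for area, pat in AREA_PATTERNS.items():
            if pat.search(desc):
                hits[area].append(line)
    return hits


def triage(rows, pivot_str):
    """Per area: present inside the window, matching lines, and later hits outside it."""
    pivot = parse_ts(pivot_str)
    inside = classify(in_window(rows, pivot))
    overall = classify(rows)
    return {area: {"present": bool(inside[area]),
                   "lines": inside[area],
                   "outside_window": [l for l in overall[area] if l not in inside[area]]}
            for area in AREA_PATTERNS}


if __name__ == "__main__":
    for area, r in triage(TIMELINE, "09/12/10 06:38:25PM").items():
        print(f"{area:17} present={str(r['present']):5} lines={r['lines']} later={r['outside_window']}")
```

The patterns are deliberately path- and name-based so they work on any timeline tool's output; the web cache pattern cannot tell the landing page from the hcp page (that distinction comes from file content, not the timeline), so those two files land in one bucket and get examined by hand.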

Conclusion
As I was going back over the examination of this system I kept thinking how useful this information would have been when I first examined the system. I was still able to identify that the CVE-2010-1885 exploit was involved in the attack, but I didn’t locate all of the artifacts of this attack, such as the helpctr folder activity. Having a resource with this information would have allowed me to see the pattern of this attack in the data. I think this pattern could be helpful even when certain artifacts are not present on the system.

Not all of the documented CVE-2010-1885 exploit artifacts were present on the system. However, I don’t think the identical set of artifacts would appear across the various exploit packs targeting this vulnerability. For example, a member of the Win4n6 Yahoo group said they located web browser entries in unallocated space showing activity of the hcp protocol. One of the entries even contained the hcp exploit string. This artifact wasn’t present on the system I examined, but it was present on the test system Metasploit was run against. Even with this slight variation, I think the artifacts that are present could be used to determine if this vulnerability was targeted in an attack.

I know this is only one comparison but there appears to be enough similarity between the various implementations of an exploit to make identifying the various artifacts meaningful. Metasploit is one tool that could be used to help identify and document these artifacts.


Thoughts? Comments?

CVE 2010-1885 (Windows Help Center URL Validation Vulnerability) Exploit Artifacts

Monday, December 6, 2010 Posted by Corey Harrell 0 comments
Artifact Name

CVE 2010-1885 (Windows Help Center URL Validation Vulnerability) Exploit Artifacts

Attack Vector Category

Exploit

Description

A vulnerability in helpctr.exe (the Help and Support Center) affects Microsoft Windows XP and Windows Server 2003. Exploitation allows remote attackers to bypass the trusted documents whitelist (the /fromhcp whitelist) and execute arbitrary commands using a crafted hcp:// URL.

Attack Description

The following is the sequence of the attack as described in the Seclists Full Disclosure reference.

1. Using “an html page, email, document, or other application force a user to fetch an .asx file containing an HtmlView element”. The author mentioned this could be accomplished using the variable: var asx =http://something/something.asx. The author also mentioned Windows Media Player could be used in the attack.

2. “From the HtmlView element, invoke the hcp protocol handler that would normally require confirmation”. The author mentioned the hcp protocol can be invoked from within an iframe in an ASX HtmlView element.

3. “From the HCP Protocol handler, bypass the /fromhcp whitelist by using the string miscalculation”. The author mentioned that to defeat the whitelist, use the following string:

4. “Once the whitelist has been defeated, invoke a help document with a known” cross-site scripting vulnerability. The author mentioned one help document available in a default installation is system/sysinfo/sysinfomain.htm.

5. “Use the defer property of a script tag to execute script in a privileged zone”.

6. “Invoke an arbitrary command using the wscript.shell object”.

Exploits Tested

Metasploit v3.5 ms10_042_helpctr_xss_cmd_exec

Target System Information

* Windows XP SP3 Virtual Machine with Internet Explorer v8 with administrative user account

* Windows XP SP3 Virtual Machine with Internet Explorer v8 with non-administrative user account

* Windows XP SP3 Virtual Machine with Internet Explorer v7 with administrative user account

* Windows XP SP3 Virtual Machine with Internet Explorer v7 with non-administrative user account

Different Artifacts based on Administrator Rights

No

Different Artifacts based on Tested Software Versions

Yes, different artifacts between Internet Explorer 7 and 8

Potential Artifacts

The potential artifacts include the CVE 2010-1885 exploit and the changes the exploit causes in the operating system environment. The artifacts can be grouped under the following five areas:
      * Artifact with references to the ASX and iframe variables
      * Artifacts associated with the files specified in the ASX and iframe variables being accessed
      * Folder of interest associated with the exploit
      * Artifacts associated with the hcp protocol
      * Artifacts associated with the Windows programs executed during the exploit

Note: this documentation attempts to identify the overall artifacts associated with the vulnerability being exploited, as opposed to the specific artifacts unique to Metasploit. As a result, the actual artifact storage locations and filenames are inside brackets in order to distinguish what may be unique to the testing environment.

      * Artifact with references to the ASX and iframe variables located in a temporary folder
           - htm file located in a temporary folder [Temporary Internet Files folder]. Image below highlights the variables.

      * Artifacts associated with the files specified in the ASX and iframe variables being accessed (the artifacts varied based on the version of Internet Explorer)
           - ASX file located in a temporary folder [Temporary Internet Files folder]. This file invokes the hcp protocol handler through an iframe. In the image below, the iframe is located in the file named [c.html]. The ASX file line containing "REF href" mentions an image file [gif image] which is accessed by the Windows Media Player. This ASX file wasn’t present with Internet Explorer 7.

           - htm file containing the iframe pointing to the hcp string located in a temporary folder [Temporary Internet Files folder]. In the image below, notice the iframe is referencing the sysinfo/sysinfomain.htm document, which contains a cross-site scripting vulnerability. The iframe is detected by VirusTotal as a CVE-2010-1885 exploit.

           - image file [gif image] located in a temporary folder [Temporary Internet Files folder] and files associated with Windows Media Player executing [Windows Media Player prefetch file and registry entries]. These artifacts weren’t present with Internet Explorer v7.

           - references to the above artifacts being accessed [Internet Explorer history contained entries of the files being accessed]. In the image below, the ASX filename is lk.asx, iframe is in the file named c.html, the image filename is t.gif, and 192.168.11.200 was the computer running the Metasploit exploit.

     * Folder of interest associated with the exploit
           - There was a lot of activity involving the helpctr folder [C:\WINDOWS\pchealth\helpctr]. The image below shows a portion of this activity involving files being accessed as well as a cache file being created.

     * Artifacts associated with the hcp protocol
           - Internet Explorer’s index.dat file recorded the activity of the hcp protocol. In the image below, notice the iframe located in the 7:18:05PM entry.

          - Files located in the Temporary Internet Files folder. Files located in this folder are the same files which were located in the helpctr folder [C:\WINDOWS\pchealth\helpctr]. This was determined through a comparison of the files’ hashes and the arrows in the image below highlight two of those files.

     * Artifacts associated with the Windows programs executed during the exploit
           - The following programs were executed: verclsid.exe, helpctr.exe, and helpsvc.exe. The Prefetch folder had files indicating the execution of these programs [C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf], [C:\WINDOWS\Prefetch\HELPCTR.EXE-3862B6F5.pf], and [C:\WINDOWS\Prefetch\HELPSVC.EXE-2878DDA2.pf].
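
The following is an added example, not code from the original post or from Metasploit: a scanner that applies the six-step attack description and the Potential Artifacts list above to recovered browser-cache files. The sample files (show[1].htm, lk.asx, c.html, hcp[1].htm, t.gif), the 192.168.11.200 host and the file bodies are constructed to match the filenames quoted on this page and are not real samples; the step 3 whitelist-bypass string is deliberately absent, so the samples are not a working exploit. Each file is percent-decoded a few times before matching, which covers the common unescape("%3C...") wrapper but not heavier obfuscation such as the hcp[1].htm case above, where Jsunpack was needed.

```python
"""Scan recovered browser-cache files for markers of the CVE-2010-1885 chain.
Added example; sample files are constructed and the step 3 bypass string is
deliberately absent, so none of them is a working exploit."""
import re
from urllib.parse import unquote

# One marker per step of the attack description. Step 3 (the whitelist bypass)
# has no marker: this page does not reproduce the string, so none is guessed.
STAGE_MARKERS = {
    "landing_refs":  re.compile(r"\bvar\s+asx\s*=|\.asx\b", re.I),            # step 1, page fetching the ASX
    "asx_htmlview":  re.compile(r"<ASX\b.*?HTMLView", re.I | re.S),            # step 1, ASX with HtmlView
    "hcp_iframe":    re.compile(r"<iframe[^>]+src\s*=\s*[\"']?hcp:", re.I),    # step 2, hcp handler via iframe
    "sysinfomain":   re.compile(r"sysinfo/sysinfomain\.htm", re.I),            # step 4, XSS-able help document
    "defer_script":  re.compile(r"<script[^>]*\bdefer\b", re.I),               # step 5, deferred script
    "wscript_shell": re.compile(r"wscript\.shell", re.I),                      # step 6, command execution
}


def decode_layers(content, rounds=3):
    """Raw content plus successive percent-decodings (stops when nothing changes)."""
    layers, cur = [content], content
    for _ in range(rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        layers.append(nxt)
        cur = nxt
    return layers


def scan_file(content):
    """Sorted list of stage names evidenced by one file, at any decoding layer."""
    found = set()
    for layer in decode_layers(content):
        for stage, pat in STAGE_MARKERS.items():
            if pat.search(layer):
                found.add(stage)
    return sorted(found)


def scan_cache(files):
    """files: {filename: content} -> {filename: [stages]}."""
    return {name: scan_file(body) for name, body in files.items()}


def stages_seen(results):
    """Union of stages across all files: how much of the chain the cache evidences."""
    return sorted(set().union(*results.values()))


# Constructed samples modelled on the filenames quoted in the post (not real captures).
SAMPLES = {
    "show[1].htm": 'var asx = "http://192.168.11.200/lk.asx";\nvar iframe_src = "http://192.168.11.200/c.html";\n',
    "lk.asx": ('<ASX VERSION="3.0"><ENTRY>\n'
               '<REF HREF="http://192.168.11.200/t.gif" />\n'
               '<PARAM NAME="HTMLView" VALUE="http://192.168.11.200/c.html" />\n'
               '</ENTRY></ASX>\n'),
    "c.html": ('<iframe src="hcp://system/sysinfo/sysinfomain.htm" width="0" height="0"></iframe>\n'
               '<script defer>var sh = new ActiveXObject("WScript.Shell");</script>\n'),
    "hcp[1].htm": ('document.write(unescape("%3Ciframe%20src%3D%22hcp%3A%2F%2Fsystem'
                   '%2Fsysinfo%2Fsysinfomain.htm%22%3E%3C%2Fiframe%3E"));\n'),
    "t.gif": "GIF89a\x01\x00\x01\x00",
}

if __name__ == "__main__":
    res = scan_cache(SAMPLES)
    for name, stages in res.items():
        print(f"{name:12} {stages}")
    print("chain stages evidenced:", stages_seen(res))
```

Run it against the contents of Temporary Internet Files (and carved htm/asx fragments from unallocated space) rather than filenames, since the cache filenames vary per exploit pack while the hcp:// iframe, the sysinfomain.htm reference and the HtmlView element are what the vulnerability requires.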

Timeline View of Potential Artifacts

The images below show the above artifacts in a timeline created from the Windows XP SP3 / Internet Explorer 8 test system with the administrative user account. However, this timeline doesn't include the Internet Explorer history entries.

References

        Vulnerability Information
            Mitre’s CVE-2010-1885 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885
            NIST Vulnerability Database CVE-2010-1885 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885

        Full Disclosure Information
           Seclists Full Disclosure http://seclists.org/fulldisclosure/2010/Jun/205
           Neohapsis Archives http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0197.html
           Microsoft Security and Research Blog http://blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerability-full-disclosure-posting.aspx

        Other Information
           Microsoft Security Bulletin MS10-042 http://www.microsoft.com/technet/security/bulletin/MS10-042.mspx