Recently, the U.S. Department of Labor website was compromised and had been serving malicious code, capable of detecting and disabling some antivirus products such as Avira, F-Secure, Kaspersky, AVG, Sophos, etc. It would also attack Internet Explorer 8 users with an 0-day exploit. The Metasploit vulnerability research community was particularly interested in the exploit part, therefore that's what we'd like to talk about in this blog. Understanding how the evolving browser security landscape operates is key to formulating defense strategies, after all.
First off, according to Microsoft's advisory, only Internet Explorer 8 is vulnerable to this exploit, and we verified that with a fully patched Windows 7 with IE8. If you are looking for an excuse to upgrade to something more recent, the following image demonstrates IE8's weakness:
Some people say this is a CVE-2012-4792 (a patched vulnerability), we beg to differ. CVE-2012-4792 is a cbutton use-after-free, but the DoL exploit doesn't use this object at all (Exodus has an excellent writeup about that vulnerability). Instead, a mshtml!CGenericElement::`vtable' is created while appending a datalist element:
And freed during garbage collection:
Even though the CGenericElement vftable is freed, the reference is stil kept:
And of course, this invalid reference ends up with a crash when used by mshtml!CElement::Doc():
As of now, we are not aware of any patch from Microsoft specifically for IE8, but we will be updating this blog as soon as we hear something. If you're a current IE8 user, then please consider the following workarounds:
- For newer Windows, upgrade to Internet Explorer 9 or 10.
- For Windows XP users, please use other browsers such as Google Chrome or Mozilla Firefox.
- If for some reason you must use Internet Explorer 8, please use EMET. Or, you can also try setting IE's security zone to High, and customize your Active Scripting settings.
Note that while Microsoft's advisory also suggests setting IE8's Internet security zones to 'High' for ActiveX controls, this, by itself, will not mitigate -- the exploitation technique used here does not leverage ActiveX controls at all. So, while that is generally good advice, it will not help in this case.
If you'd like to try out this Metasploit module to better validate your defenses, please feel free to download Metasploit here. If you already have Metasploit Framework, you may just use the msfupdate utility to receive this module. For Metasploit Pro users, you will see this module in the upcoming update.
Special thanks to: EMH
|May 3rd - Microsoft advisory 2847140, no patch yet.|
|May 5th - Metasploit releases ie_cgenericelement_uaf exploit|
|May 8th - Microsoft releases "fix-it"|
|May 14th - Microsoft releases MS13-038 patch|