Last June 13, Microsoft released its security update for Cumulative Security Update for Internet Explorer (2699988) (CVE-2012-1875), which is exploited by a malware detected by Trend Micro as JS_DLOADER.SMGA. The attack code for this vulnerability has also been made public. There are few cases where that attack code is released simultaneously with Microsoft’s security update. In general, malware exploiting such vulnerabilities don’t show up quickly. Since the affected software is Internet Explorer, this attack has significant impact among millions of IE8 users.
By exploiting CVE-2012-1875, JS_DLOADER.SMGA poses a bigger threat to users as it also downloads the backdoor BKDR_AGENT.BCSG, disguised as a .JPG file. This backdoor is capable of communicating with a command-and-control (C&C) server via port 80. In effect, this communication compromises an infected system’s security, making it exposed to further infection.
How JS_DLOADER.SMGA Exploits CVE-2012-1875
I’m sharing my analysis of JS_DLOADER.SMGA to inform users of the key issue in CVE-2012-1875, as well as introducing our solution.
Based on my analysis, the noteworthy routines of JS_DLOADER.SMGA include:
- Heap spray. Once JS_DLOADER.SMGA exploits CVE-2012-1875, it executes Heap Spray method to run specific shellcode.
- Return-Oriented Programming (ROP). Though JS_DLOADER.SMGA successfully exploits CVE-2012-1875, its code cannot jump to the specified Heap Spray due to Data Execution Prevention (DEP) found on affected applications such as IE8, IE9. To bypass DEP, this exploit uses return-oriented programming (ROP) method to check system environment like OS and languages. It uses a specific script in order to determine the loaded modules in memory at different addresses, which are dependent on OS and language information. Then, based on the confirmed system information, it generates specific ROP code.
Technical Analysis of JS_DLOADER.SMGA
To show how the vulnerability works, I attempted to delete the Heap Spray module and execute it.
Below is the result of this attempt:
Based on the screenshot above, we can now confirm the vulnerability is on [eax+70h], since it points to ‘????????’, which is an unknown address.
So where does [eax+70h] point to? The value comes from the following code.
This means that the pointer to the vtable is in the object and is retrieved from the object.
It then checks the eax([ecx]) by using IDA Pro. Its ecx points to an object by the virtual function “mshtml!CBodyElement::`vftable'”, shown below:
Let’s check [eax+70h] points to which vtale.
The address could be calculated by adding [70h*4] from “mshtml!CBodyElement::`vftable’ “.
It point to the edx result, which shows “mshtml!CElement::SecurityContext”.
In our test, however, it points to the wrong address (the deleted object) due to JS_DLOADER.SMGA’s successful exploit of CVE-2012-1875 vulnerability, which resulted to the error.
Let’s execute JS_DLOADER.SMGA to confirm its payload. To confirm the usage of CVE-2012-1875 vulnerability, we modified some codes of JS_DLOADER.SMGA.
The succeeding screenshots below show the specific code in JS_DLOADER.SMGA that exploits the said vulnerability:
Because of JS_DLOADER.SMGA’s successful exploit of CVE-2012-1875 vulnerability, Ecx now points to the deleted object, which points to the heap-sprayed area (0x0c0c0c0c).Thus, [eax+70h] points to the heap area (0xc0c0c7c), which is for ROP module instead of calling mshtml!CElement::SecurityContext. The 0x0c0c0c7c ROP module, which has been started on 0x0c0c0c0c, is executed at CElement::Doc and jumps to iertutil!SettingStore::s_rgKeyTree+0x5a0.
Now, let’s look at the heap area that has been allocated by JS_DLOADER.SMGA.
By using Windbg we could confirm the heap sprayed areas .97.98% of these allocations have 80,000 size and 1c2 allocation.
Let’s check the heap spray module in JS_DLOADER.SMGA. As it loops 0x1c2 times, it will then create 1c2 heap allocation.
When we’ve checked the area, which has been heap spread, it point to the padding module (deadbee1 etc) followed by 0x90(NOP) and most other places.
JS_DLOADER.SMGA refers to deleted objects by using specially-crafted script so that it can successfully exploit CVE-2012-1875. Then, the inserted code Padding+ROP+Shellcode+Padding is executed in the heap sprayed area.
Bypassing Data Execution Prevention (DEP) IE8 and IE9
DEP is crafted to prevent any code to be executed in the non-executable section. JS_DLOADER.SMGA does not have permission to execute, rather it has the permission to read and write in the heap spray area by exploiting CVE-2012-1875.
To know how JS_DLOADER.SMGA successfully controls ROP code, let’s check the right of Heap sprayed area. The heap sprayed area has only RW( Read/Write). It means it is impossible to jump to the Heap Sprayed area directly.
The technique to bypass DEP is already in public. In this case, JS_DLOADER.SMGA controls its related codes by VirutualAlloc and change the attribution in the heap-sprayed area by putting “0x40”, which allows to execute, read, and write into the parameter “flprotect”.
Let’s check heap sprayed area which will jump after bypassing DEP. The heap area has a RWX (Read/Write/Execution) right by calling VirtualAlloc.
Trend Micro Protection
Trend Micro protects users from this threat via the Smart Protection Network™, which detects and deletes JS_DLOADER.SMGA. Trend Micro Deep Security users should apply rule 1005051 – Internet Explorer Same ID Property Remote Code Execution Vulnerability to prevent threats exploiting CVE-2012-1875. As reiterated in the previous entries, CVE-2012-1875 is already patched via the MS12-037 bulletin. Users are advised to regularly update their systems with the latest security patches distributed by security vendors.
Update as of June 24 11:06 PM PST time
Trend Micro Titanium users need not worry as they are protected from exploits targeting CVE-2012-1875 via Browser Exploit Solution (BES), without the need for any update.