Special thanks to @kafeine
In July 2016, we worked with @kafeine of Proofpoint to help bring down the AdGholas malvertising campaign. This campaign started operating in 2015 and affected a million users per day at its peak before it was shut down earlier this year. It used the Angler and Neutrino exploit kits to attack victims, and it used steganography to hide malicious code within an image.
In the course of working on this campaign, we found and analyzed an information disclosure vulnerability in both Internet Explorer and Microsoft Edge. We worked with Microsoft to address this flaw, designated CVE-2016-3351. Previously considered a zero-day vulnerability, this issue was fixed in MS16-104 for Internet Explorer and MS16-105 for Edge, which were released as patches earlier this week.
Attackers used this vulnerability to keep their code out of the hands of researchers. It allowed them to check the system's description of a file type with a given extension. This may not sound serious, but it can be used to determine whether tools used by researchers, such as Fiddler, Python, or Wireshark, are installed on a system. It is similar to an earlier flaw, CVE-2013-7331.
If the target system is found to have any of these security tools, the attack stops then and there: no further malicious code or payloads are downloaded. The attackers did not want researchers to see the inner workings of their malvertising (malicious advertising) campaign. This kind of filtering is commonly used by attackers to conceal information from researchers; checking whether the system being "infected" is a virtual machine is another common tactic.
The AdGholas actors used this vulnerability to avoid detection, and it worked. The combination of this flaw and the campaign's use of steganography made it a difficult target for researchers and hindered the discovery of the flaw itself.
Description of the Vulnerability
The vulnerability exists in how Internet Explorer and Edge handle the mimeType property of <a> tags. This particular property is supported only by Internet Explorer and Edge, so other browsers (like Chrome and Firefox) are immune. In a typical attack scenario, the attacker sets a.href to a URL ending in .saz and reads the value of a.mimeType. On a machine with Fiddler installed, this is "Fiddler Session Archive"; otherwise it is something less specific, such as "SAZ File". This tells the attacker whether the affected system has Fiddler installed.
The following pseudocode shows how get_MimeType works:
Figure 1. pseudocode of get_MimeType
This function takes the file extension from the hyperlink's URL and passes it as a parameter to GetFileTypeInfo, which queries the registry for the information it needs.
This is the call stack of get_mimeType for the <a> tag:
Figure 2. Call stack of get_mimeType
The function MSHTML!CAnchorElement::get_mimeType calls MSHTML!GetFileTypeInfo to get the file type information; this in turn queries the registry (as seen in Figure 3).
For example, for the file extension ".saz" it queries the registry key HKCR\.saz\(Default). If Fiddler is installed, the value is "Fiddler.ArchiveZip". The code then queries the key HKCR\Fiddler.ArchiveZip\(Default), whose value is "Fiddler Session Archive".
Figure 3. Querying the registry
Figure 4. get_mimeType and the result
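To make the two-step registry resolution described above concrete, here is an added Python model of the lookup (example code written for this post, not Microsoft's implementation). It resolves the href's extension to a ProgID via HKCR\<ext>\(Default), then the ProgID to its description via HKCR\<ProgID>\(Default), and falls back to the generic "<EXT> File" string otherwise. The registry contents are constructed in-memory dictionaries; only the .saz / Fiddler.ArchiveZip entries come from the article, the rest are assumptions.

```python
from urllib.parse import urlsplit
import posixpath

# Constructed miniature of HKEY_CLASSES_ROOT: key name -> (Default) value.
# The .saz and Fiddler.ArchiveZip entries are the ones the article describes;
# the .txt entries are assumed for illustration.
HKCR_WITH_FIDDLER = {
    ".saz": "Fiddler.ArchiveZip",
    "Fiddler.ArchiveZip": "Fiddler Session Archive",
    ".txt": "txtfile",
    "txtfile": "Text Document",
}
# Same machine without Fiddler: no .saz association at all.
HKCR_WITHOUT_FIDDLER = {
    ".txt": "txtfile",
    "txtfile": "Text Document",
}


def extension_of(href: str) -> str:
    """Extension of the URL path (with dot, lower-cased), ignoring query/fragment."""
    path = urlsplit(href).path
    return posixpath.splitext(path)[1].lower()


def get_file_type_info(hkcr: dict, ext: str) -> str:
    """Model of GetFileTypeInfo: HKCR\\<ext> -> ProgID -> HKCR\\<ProgID> -> description.

    Either missing step yields the generic "<EXT> File" description, which is
    the 'less specific' value a machine without the handler returns.
    """
    if not ext:
        return ""
    generic = f"{ext[1:].upper()} File"
    progid = hkcr.get(ext)
    if not progid:
        return generic
    return hkcr.get(progid) or generic


def get_mime_type(hkcr: dict, href: str) -> str:
    """Model of CAnchorElement::get_mimeType for an <a> whose href is `href`."""
    return get_file_type_info(hkcr, extension_of(href))


if __name__ == "__main__":
    probe = "http://example.invalid/trace.saz"  # constructed URL
    print("with Fiddler   :", get_mime_type(HKCR_WITH_FIDDLER, probe))
    print("without Fiddler:", get_mime_type(HKCR_WITHOUT_FIDDLER, probe))
```

The differing return values for the same href are exactly the bit of information the vulnerability disclosed to a web page.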
The following SHA1 hash is related to this exploit:
Trend Micro Solutions
- 1007924—Microsoft Internet Explorer And Edge Information Disclosure Vulnerability (CVE-2016-3351)
TippingPoint customers are protected from attacks exploiting this vulnerability with the following MainlineDV filter:
- 40712: HTTP: Microsoft Internet Explorer and Edge mimeType Information Disclosure Vulnerability