StrikePack 12200 Released
StrikePack 12200 is now available to BreakingPoint customers. This release contains 9 new strikes covering 7 different vulnerabilities.
MS07-035: Win32 API Code Execution Vulnerability
One of the strangest bugs patched by Microsoft on June 12th was the "Vulnerability in Win 32 API Could Allow Remote Code Execution" issue addressed in MS07-035 (CVE-2007-2219). The description provided by Microsoft is somewhat vague:
"This critical security update resolves a privately reported vulnerability in a Win32 API. This vulnerability could allow remote code execution or elevation of privilege if the affected API is used locally by a specially crafted application. Therefore applications that use this component of the Win32 API could be used as a vector for this vulnerability. For example, Internet Explorer uses this Win32 API function when parsing specially crafted Web pages."
Fortunately, a friend of mine was working on the same issue, and after reviewing the differences between the patched and unpatched versions, discovered the trigger. The vulnerability occurs when an application tries to locate a resource within an EXE or DLL using a numerical ID. A logic error results in the resource ID being treated as a resource handle if the ID supplied is greater than 65535. An attacker can exploit this flaw through Internet Explorer by redirecting the victim to a res://existing.dll resource URL that contains a hash character (#) followed by a decimal integer value greater than 65535.
This logic error eventually leads to an attempt to free the resource handle. Since the attacker controls the pointer value of the handle, the end result is a call to RtlFreeHeap() with an attacker-supplied parameter. Exploiting this to execute arbitrary code is tricky, since the attacker would need to create a fake heap structure in memory and then pass the decimal value of a pointer to this structure in the URL. In the following stack trace, the value 65536 (0x10000) was supplied as the resource ID to Internet Explorer 7.
eax=0173b8a8 ebx=00000000 ecx=0019f1e8
edx=7cbf4418 esi=00010000 edi=00140000
eip=7c931c6b esp=0173b7fc ebp=0173b8b8 iopl=0 cs=001b
ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
ntdll!RtlFreeHeap+0x44:
cmp byte ptr [esi-0x1],0xff ds:0023:0000ffff=??
ChildEBP RetAddr
0173b8b8 7c9109bc ntdll!RtlFreeHeap+0x44
0173b8cc 7c910992 ntdll!RtlpFreeAtom+0x1b
0173b8dc 7c832545 ntdll!RtlFreeUnicodeString+0x17
0173b8f0 7c80bc44 kernel32!BaseDllFreeResourceId+0x2d
0173b938 7e86e4d9 kernel32!FindResourceW+0x96
0173b970 7e942228 mshtml!GetResource+0x1c
0173bc14 7e94209d mshtml!CResProtocol::DoParseAndBind+0x2fc
0173bc30 7e941f71 mshtml!CResProtocol::ParseAndBind+0x26
0173bc54 6142d78a mshtml!CResProtocol::Start+0xa4
0173bc88 61421eab urlmon!COInetProt::StartEx+0xf1

In the crash above, an exception was thrown because the address 0x10000-1 (0xffff) does not map to a valid address. If we pass an argument that contains a valid address, then we reach the following block of code:

ntdll!RtlFreeHeap+0x44
cmp byte ptr [esi-0x1],0xff ds:0023:0000ffff=??
jb ntdll!RtlFreeHeap+0xe1 (7c91047d)
mov edx,esi
call ntdll!RtlpLowFragHeapFree (7c93212e)
The first thing we notice is that the byte immediately before the address we pass is used to decide what type of free operation to perform. If this byte is not 0xff, the normal free routines are used. If this byte is 0xff, the low fragmentation heap code is called instead. This is good news for us, since it lets us hit two different code paths in search of a way to control execution. If we take the first path and point the resource ID at a block of NULL bytes, the free operation completes without an exception being raised. If we point it immediately after a byte set to 0xff, a new exception is raised from inside the low fragmentation heap code. Playing with these values should eventually lead to an exploitable condition, but so far we have not found a clean way to trigger code execution.
StrikePack 11995 included coverage for this vulnerability (ms07_035_windows_api.xml), which can be found in the /strikes/exploits/browser/ directory of the strike tree.
StrikePack 12128 Released
StrikePack 12128 is now available to BreakingPoint customers. This release contains 8 new strikes covering 6 different vulnerabilities.
MS07-033: Navigation Cancel Page Vulnerability
On June 12th, Microsoft released an update to cover the five vulnerabilities addressed in MS07-033. One of the flaws, titled "Navigation Cancel Page Spoofing Vulnerability" (CVE-2007-1499), demonstrated a common problem in how resource URLs are used in Internet Explorer. This vulnerability allowed an attacker to modify the URL used in the Refresh link of the Navigation Cancelled screen of Internet Explorer 7. To exploit this flaw, an attacker would redirect the victim to a res://ieframe.dll/navcancl.htm resource URL that contains a hash character (#) and a crafted XSS string.
The vulnerability occurs in one of the JavaScript functions included by the navcancl.htm page. You can view the source yourself by entering that res:// URL into the location bar of Internet Explorer 7, right-clicking the page, and selecting the View Source menu item. At the top of the HTML source, we see two script tags that load external JavaScript files: errorPageStrings.js and httpErrorPagesScripts.js. If we enter the URL for httpErrorPagesScripts.js into the location bar, we find a function named navCancelInit() in the JavaScript source. This function reads the parameter after the hash mark in the URL and rewrites the Refresh link to point to that location. The only restriction is that the value after the hash mark must begin with http(s)://, ftp://, or file://. The problem with this code is that an attacker can insert a double-quote and close-parenthesis into the URL and then append arbitrary JavaScript, which will be executed within the context of the resource domain. For example, the following URL will cause an alert box to pop up when the Refresh link is clicked:
res://ieframe.dll/navcancl.htm#http://BOGUS/");alert("Hello");//
After a quick review, it appears that most IPS vendors detect this attack by looking for a link to res://ieframe.dll/navcancl.htm that contains a double-quote in the parameter. What they missed is that this location can also be accessed using a link to about:cancel. For example, the following URL will exploit this vulnerability the exact same way:
about:cancel#http://BOGUS/");alert("Hello");//
The list of mappings between about URLs and resource links can be found in the HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs registry key.
StrikePack 11995 included two strikes for this vulnerability, ms07_033_navcancel_xss_about.xml and ms07_033_navcancel_xss_res.xml, which can be found in the /strikes/exploits/browser/ directory of the strike tree.
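Both resource-URL patterns discussed above (the MS07-035 numeric resource ID above 65535, and the MS07-033 navcancl.htm parameter, including its about:cancel alias) can be checked in one place once about: links are first rewritten to the res:// target they alias, which is exactly the step the IPS signatures described here skipped. The Python below is an added example and is not BreakingPoint's strike code or anything from the original post. It assumes URLs arrive as plain strings (for instance href values or request lines pulled from a proxy log); the ABOUT_ALIASES table holds only the one mapping the post names, the %22 check is an assumption (the post does not say whether the parameter is percent-decoded), and the SAMPLE_URLS list is constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# The one about: alias the post names (about:cancel -> navcancl.htm). The full
# list lives in HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs; any further
# entries are your own, taken from that key.
ABOUT_ALIASES = {
    "cancel": "res://ieframe.dll/navcancl.htm",
}

# Resource IDs above 16 bits are mistaken for resource handles (MS07-035).
MAX_RESOURCE_ID = 65535

_ABOUT_RE = re.compile(r"(?i)^about:([^#?/\\]+)(.*)$")


def canonicalize(url: str) -> str:
    """Rewrite about:<name> to the res:// target it aliases, keeping the fragment.

    Unknown about: names and every other scheme are returned unchanged.
    """
    url = url.strip()
    m = _ABOUT_RE.match(url)
    if not m:
        return url
    target = ABOUT_ALIASES.get(m.group(1).lower())
    return target + m.group(2) if target else url


def split_fragment(url: str) -> Tuple[str, Optional[str]]:
    """Return (lower-cased part before '#', fragment or None if there is no '#')."""
    base, sep, frag = url.partition("#")
    return base.lower(), (frag if sep else None)


def classify_url(url: str) -> Optional[str]:
    """Return the name of the rule a URL trips, or None for a benign link."""
    base, frag = split_fragment(canonicalize(url))
    if frag is None or not base.startswith("res://"):
        return None
    # MS07-035: a res:// lookup whose parameter is a decimal resource ID > 65535.
    if re.fullmatch(r"[0-9]+", frag) and int(frag) > MAX_RESOURCE_ID:
        return "MS07-035 resource id > 65535"
    # MS07-033: the Navigation Cancelled page with a double-quote in its
    # parameter. The %22 form is an assumption; the post does not say whether
    # navCancelInit() decodes the value before using it.
    if base.endswith("ieframe.dll/navcancl.htm") and ('"' in frag or "%22" in frag.lower()):
        return "MS07-033 navcancl.htm script injection"
    return None


def scan(urls: List[str]) -> List[Tuple[str, str]]:
    """Return (url, rule) for every URL that trips a rule."""
    hits = []
    for url in urls:
        rule = classify_url(url)
        if rule:
            hits.append((url, rule))
    return hits


# Constructed sample: the two URLs from the post, the numeric trigger against
# the placeholder DLL name the post uses, and two links that should pass.
SAMPLE_URLS = [
    'res://ieframe.dll/navcancl.htm#http://BOGUS/");alert("Hello");//',
    'about:cancel#http://BOGUS/");alert("Hello");//',
    "res://existing.dll#65536",
    "about:cancel#http://www.example.com/",
    "res://existing.dll#100",
]

if __name__ == "__main__":
    for url, rule in scan(SAMPLE_URLS):
        print(f"{rule:45s} {url}")
```

The about:cancel link is caught only because canonicalize() runs before either rule; a signature keyed on the literal string res://ieframe.dll/navcancl.htm never sees it.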
RFC3514: Setting the Evil Bit
Every once in a while, a good joke can turn into a useful feature. On April 1st, 2003, Steven Bellovin published RFC 3514, entitled "The Security Flag in the IPv4 Header". This document suggested that the "unused bit" in the IP Flags field of the IPv4 packet header should be used to convey security information. Specifically, the document stated that the "evil bit" should be set to one for all attack traffic, while benign traffic should leave it set to zero. Network devices, such as firewalls, should drop all traffic with this bit set. The assumption, of course, is that malicious users would always follow the RFC and set the evil bit for any packets used in an attack. While most folks who saw this RFC realized it was a joke, quite a few people contacted Bellovin asking for clarification. You can see an archive of the responses on Mr. Bellovin's web site.
So, how is this useful? The BreakingPoint BPS-1000 product supports multiple concurrent tests. The traffic leaving the four test ports can be a combination of re-created traffic streams, generated application traffic, high-speed TCP sessions, and exploits. If you are developing a security product, such as an IPS or IDS, trying to debug attack detection under a heavy traffic load can be problematic. If only there was an easy way to identify the "evil" traffic in the stream...
The evil bit to the rescue! The BreakingPoint BPS-1000 supports setting the evil bit for all attack traffic sent by the Security component. To enable RFC 3514 support:
- Log in to the BPS-1000 interface.
- Access the Attack Manager and create a new Attack Series.
- Add the desired exploits to the Strikes group.
- Click the Parameters button. The system will examine the selected strikes and present you with a list of all available parameters.
- Select the IP option group from the Parameters Filter drop-down box. The option list will now show IP related parameters.
- Select the RFC3514 option and change the value to true.
- Close the Parameters dialog.
- Select New Test from the Test menu.
- Add a Security component.
- Select the Targeted Attack screen.
- Choose the Attack Series you just created from the list.
tcpdump (BPF) filter to match the evil traffic:
# tcpdump -vn 'ip[6] & 128 != 0'
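To make concrete what that filter tests, the following Python is an added example (not BreakingPoint's code and not part of the original post). It builds a minimal IPv4 header, sets or clears the evil bit while recomputing the header checksum, and splits a packet list into attack and background traffic with the same predicate as 'ip[6] & 128 != 0': the evil bit is the reserved high bit of the Flags field, which is bit 7 of header byte 6. Addresses, payloads and the packet list are constructed sample values.

```python
import socket
import struct
from typing import Iterable, List, Tuple

# RFC 3514: the reserved (high) bit of the IPv4 Flags field, i.e. bit 15 of the
# 16-bit flags/fragment-offset word, which is bit 7 of header byte 6.
EVIL_FLAG = 0x8000
DF_FLAG = 0x4000

_HDR_FMT = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, payload: bytes, evil: bool = False,
                      proto: int = 6, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Build an option-less IPv4 packet (constructed values) around an opaque payload."""
    flags_frag = DF_FLAG | (EVIL_FLAG if evil else 0)
    fields = [0x45, 0, 20 + len(payload), ident, flags_frag, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack(_HDR_FMT, *fields))  # checksum over zeroed field
    return struct.pack(_HDR_FMT, *fields) + payload


def header_length(packet: bytes) -> int:
    """IHL is in 32-bit words."""
    return (packet[0] & 0x0F) * 4


def has_evil_bit(packet: bytes) -> bool:
    """Same predicate as the tcpdump expression 'ip[6] & 128 != 0'."""
    return (packet[0] >> 4) == 4 and bool(packet[6] & 0x80)


def set_evil_bit(packet: bytes, evil: bool = True) -> bytes:
    """Return a copy with the evil bit set or cleared and the header checksum fixed up."""
    ihl = header_length(packet)
    hdr = bytearray(packet[:ihl])
    if evil:
        hdr[6] |= 0x80
    else:
        hdr[6] &= 0x7F
    hdr[10:12] = b"\x00\x00"  # zero the checksum field before recomputing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def checksum_ok(packet: bytes) -> bool:
    """A header carrying the right checksum sums to zero under the same routine."""
    return ipv4_checksum(packet[:header_length(packet)]) == 0


def split_by_evil_bit(packets: Iterable[bytes]) -> Tuple[List[bytes], List[bytes]]:
    """Separate a capture into (attack, background) the way the BPF filter would."""
    packets = list(packets)
    evil = [p for p in packets if has_evil_bit(p)]
    benign = [p for p in packets if not has_evil_bit(p)]
    return evil, benign


if __name__ == "__main__":
    # Constructed mix: two background packets and one strike packet.
    background = build_ipv4_packet("10.0.0.1", "10.0.0.2", b"GET / HTTP/1.0\r\n\r\n")
    strike = build_ipv4_packet("10.0.0.1", "10.0.0.2", b"SYN", evil=True)
    attack, rest = split_by_evil_bit([background, strike, background])
    print(f"evil={len(attack)} benign={len(rest)} checksums_ok={all(map(checksum_ok, attack + rest))}")
```

A middlebox that rewrites or clears the bit without redoing the checksum would make the packet fail checksum_ok(), which is why set_evil_bit() recomputes it; note too that has_evil_bit() is a pure header check and says nothing about the payload, exactly like the tcpdump filter.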
