An Introduction to Internet Explorer DLL Vulnerability and Damage Analysis - PowerPoint PPT Presentation

About This Presentation
Title:

An Introduction to Internet Explorer DLL Vulnerability and Damage Analysis

Description:

1. Introduction and Background. 2. Problem Description. 3. What We Did. 4. Damage Analysis. 5. Solution – PowerPoint PPT presentation

Slides: 22
Provided by: fsu67
Learn more at: http://www.cs.fsu.edu

Transcript and Presenter's Notes

Title: An Introduction to Internet Explorer DLL Vulnerability and Damage Analysis


1
An Introduction to Internet Explorer DLL
Vulnerability and Damage Analysis
  • Bo Sun, Dawei Su sun, dsu_at_cs.fsu.edu

2
  • 1. Introduction and Background
  • 2. Problem Description
  • 3. What We Did
  • 4. Damage Analysis
  • 5. Solution

3
I. Introduction and Background
  • Windows is popular on personal laptops and desktops
  • Antivirus and firewall software runs on top of
    Windows
  • Flaws and vulnerabilities in Windows itself depend
    on Microsoft to eradicate

4
II. Problem Description
Internet Explorer 404 Not Found Page
5
II. Problem Description (cont'd)
The analysis of 404 Not Found Page
  • The file is located in a DLL file called
    ieframe.dll, under the name navcancl.htm. In
    IE6, the DLL file is called shdoclc.dll, and one
    of the HTML names is dnserror.htm.
  • This navcancl.htm can be extracted from the DLL
    file using software such as Resource Hacker.
  • Any code can be inserted.
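
From the defender's side, an extracted copy of the page can be compared with a known-good copy to see what active content was added. The sketch below is an added example, not code from the slides; the function names and the two HTML samples are constructed for illustration and are not the real contents of navcancl.htm.

```python
import hashlib
from html.parser import HTMLParser

class ActiveContent(HTMLParser):
    """Collect everything in an HTML resource that can run or load code."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.items, self._buf, self._in_script = set(), [], False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):            # inline handlers such as onload
                self.items.add(("handler", tag, name, value))
            elif name in ("src", "href", "action") and value:
                self.items.add(("ref", tag, name, value))
        if tag == "script":
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = " ".join("".join(self._buf).split())   # normalise whitespace
            if body:
                digest = hashlib.sha256(body.encode()).hexdigest()[:16]
                self.items.add(("script", digest, body[:40]))
            self._in_script = False

def inventory(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.items

def added_active_content(baseline_html, current_html):
    """Active content in the current resource that the known-good copy lacks."""
    return sorted(inventory(current_html) - inventory(baseline_html))

# Constructed stand-ins for an extracted error page; not the real navcancl.htm.
BASELINE = ('<html><head><script src="strings.js"></script></head>'
            '<body onload="initPage()"><h1>Navigation canceled</h1>'
            '<a href="javascript:location.reload()">Refresh</a></body></html>')
TAMPERED = BASELINE.replace(
    '<body onload="initPage()">',
    '<body onload="initPage()"><script>alert("Hello World!")</script>')

if __name__ == "__main__":
    for item in added_active_content(BASELINE, TAMPERED):
        print("NEW ACTIVE CONTENT:", item)
```

The comparison is only as good as the baseline, which should come from a trusted installation source rather than from the machine being checked.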

6
III. What we did
Hacking Internet Explorer 6
  • The HTML part can be easily found in the
    shdoclc.dll file. We can add a customized function
    after onload, or simply add something like the
    following.
  • <script>
  • alert("Hello World!");
  • </script>

7
III. What we did (cont'd)
Hacking Internet Explorer 6 (cont'd)
8
Hacking Internet Explorer 7
III. What we did (cont'd)
  • In IE7, there is nearly no such DLL file
    containing these HTML code parts: Microsoft
    created another file, ieframe.dll.mui, to store
    these HTML pages, whereas ieframe.dll stores the
    JavaScript file that is used to dynamically
    generate the error messages.

9
Simple Attack: Resource Consumption
III. What we did (cont'd)
  • The code is inserted directly below the <body>
    tag.
  • <script>
  • while (1)
  • window.open(); /* we can also use alert()
    here */
  • </script>

10
Simple Attack: CPU and Stack Attack
III. What we did (cont'd)
  • An example showing a CPU and stack attack by
    calculating the Fibonacci numbers
  • <script>
  • function fibonacci(n) {
  • if (n > 1)
  • return fibonacci(n-1) + fibonacci(n-2);
  • if (n < 0)
  • return 0;
  • return 1;
  • }
  • for (i = 0; i < 100000; i++)
  • document.write("Fibonacci number " + i + " is "
    + fibonacci(i) + "<br>");
  • </script>

11
Simple Attack: Social Engineering Attack
III. What we did (cont'd)
  • Modify the HTML code in ieframe.dll.mui
  • We can add some if-goto statements, or ask the
    DLL file to modify the hosts file.
  • Once the user types suntrust.com, the browser
    searches for the spoofed file, which is then
    displayed on the screen.
  • We can also add some hidden code and wait. When
    the user encounters an error, e.g. he/she enters
    a URL like sutrust.com, the script captures it
    and displays the fake page.

12
III. What we did (cont'd)
Simple Attack: Social Engineering Attack (cont'd)
13
III. What we did (cont'd)
Simple Attack: Social Engineering Attack (cont'd)
  • On the attacker's server
  • Write code on the server to receive bank account
    information

14
IV. Damage Analysis
Serious Damage Examples
  • Some attackers can gain control of the user
    account remotely by altering certain HTML parts
    of the DLL file. The hacked computer can then be
    used as a node to start a DDoS attack.

15
Antivirus and Firewall Software
IV. Damage Analysis (cont'd)
  • We tested the infected DLL file using Symantec
    Antivirus / Firewall and Kaspersky Internet
    Security. The security levels in both products
    were set to Highest.
  • Even though the software can give the user a
    report when the DLL file tries to access the
    Internet, most users will let it pass, since
    users, like the software, tend to trust the
    operating system.

16
IV. Damage Analysis (cont'd)
Antivirus and Firewall Software (cont'd)

| | Symantec | Kaspersky |
|---|---|---|
| Local Modifications (Modify System Files) | No Response | No Response |
| Local Activities (Open Windows, Read Hard Drives) | No Response | No Response |
| Access Internet (Sending Account Info, Email) | Report as IE's activity | Report as ieframe.dll's activity |
| Typical Worm Code Segment | Report as IE's activity | Report as ieframe.dll's activity |

17
V. Solution
Windows File Protection (WFP)
  • Applied in Windows XP to prevent programs from
    replacing critical Windows system files, which
    include ieframe.dll
  • WFP uses file signatures and catalog files that
    are generated by code signing to verify protected
    system files
  • Windows XP checks the signatures about every 6 to
    7 seconds

18
V. Solution (cont'd)
Windows File Protection (WFP) (cont'd)
  • Replacement of protected system files is
    supported only through the following mechanisms:
  • Windows Service Pack installation using
    Update.exe
  • Hotfixes installed using Hotfix.exe or Update.exe
  • Operating system upgrades using Winnt32.exe
  • Windows Update
  • Otherwise, the system will prompt the user to use
    the installation disk to recover the damaged files

19
V. Solution (cont'd)
Windows File Protection (WFP) (cont'd)
  • Two major defects:
  • The prompt can be overridden by users.
  • There are now tools that can completely disable
    the prompt dialogue, and therefore disable the
    whole protection system.

20
Write access protection
V. Solution (cont'd)
  • A better way to prevent this malicious
    modification is to implement a file system like
    UNIX.
  • Users, including root, do not have write access
    to some system files.

22
Thank you! Any questions?