Title: An Introduction to Internet Explorer DLL Vulnerability and Damage Analysis
An Introduction to Internet Explorer DLL Vulnerability and Damage Analysis
Bo Sun, Dawei Su (sun, dsu_at_cs.fsu.edu)
- 1. Introduction and Background
- 2. Problem Description
- 3. What We Did
- 4. Damage Analysis
- 5. Solution
I. Introduction and Background
- Windows is popular on personal laptops and desktops.
- Antivirus and firewall software is implemented on top of Windows.
- Eradicating flaws and vulnerabilities in Windows itself depends on Microsoft.
II. Problem Description
Internet Explorer 404 Not Found Page
II. Problem Description (cont'd)
Analysis of the 404 Not Found Page
- The page is stored as an HTML resource named navcancl.htm inside the DLL file ieframe.dll. In IE6 the DLL is called shdoclc.dll, and one of the HTML resource names is dnserror.htm.
- navcancl.htm can be extracted from the DLL file with resource-editing software such as Resource Hacker.
- Any code can be inserted into it.
III. What We Did
Hacking Internet Explorer 6
- The HTML part can easily be found in the shdoclc.dll file. We can add a customized function after onload, or simply add something like the following:
  <script>
    alert('Hello World!');
  </script>
III. What We Did (cont'd)
Hacking Internet Explorer 6 (cont'd)
III. What We Did (cont'd)
Hacking Internet Explorer 7
- In IE7 there is nearly no such DLL file containing these HTML parts, because Microsoft moved the HTML into a separate file, ieframe.dll.mui, while ieframe.dll now holds the JavaScript that dynamically generates the error messages.
III. What We Did (cont'd)
Simple Attack: Resource Consumption
- The code is inserted directly below the <body> tag:
  <script>
    // never terminates: opens windows until the browser runs out of resources
    while (1) {
      window.open(); /* we can also use alert() here */
    }
  </script>
III. What We Did (cont'd)
Simple Attack: CPU and Stack Attack
- An example of a CPU and stack attack by calculating Fibonacci numbers:
  <script>
    // naive recursion: exponential running time and a deep call stack
    function fibonacci(n) {
      if (n > 1)
        return fibonacci(n - 1) + fibonacci(n - 2);
      if (n < 0)
        return 0;
      return 1;
    }
    for (i = 0; i < 100000; i++)
      document.write("Fibonacci number " + i + " is " + fibonacci(i) + "<br>");
  </script>
III. What We Did (cont'd)
Simple Attack: Social Engineering Attack
- Modify the HTML code in ieframe.dll.mui.
- We can add some if/goto statements, or have the DLL file modify the hosts file. Once the user types suntrust.com, the browser looks up the spoofed file, which is then displayed on the screen.
- We can also add some hidden code and wait. When the user encounters an error, e.g. he/she enters a URL like sutrust.com, the script captures it and displays the fake page.
III. What We Did (cont'd)
Simple Attack: Social Engineering Attack (cont'd)
- On the attacker's server
  - Write code on the server to receive the bank account information.
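The hosts-file redirection described on this slide is something a defender can detect directly. The following is an added example, not code from the slides or from the authors: a Node.js script that parses a hosts file in the Windows/UNIX format and reports every non-local host name that has been pinned to an address, separating sinkhole entries (loopback or unspecified addresses) from redirects to another machine. It goes beyond the single suntrust.com case by handling comments, tabs, IPv6 and several names per line. The sample hosts file, the 203.0.113.7 address (a documentation range) and the LOCAL_NAMES list are constructed assumptions.

```javascript
// Added example (not part of the slides): detector for hosts-file tampering.
// Parses a hosts file and reports every non-local name mapped to an address,
// distinguishing sinkholes (loopback / unspecified) from redirects to some
// other machine. Node.js, no third-party modules.
'use strict';

// Names a stock hosts file legitimately maps; everything else is reported.
// Constructed list, extend it for your own environment.
const LOCAL_NAMES = new Set([
  'localhost', 'localhost.localdomain', 'broadcasthost',
  'ip6-localhost', 'ip6-loopback', 'ip6-allnodes', 'ip6-allrouters',
]);

// Loopback and unspecified addresses block a name instead of sending the
// user to another host (the pattern ad-blocking hosts files use).
function isSinkhole(ip) {
  return ip.startsWith('127.') || ip === '::1' || ip === '0.0.0.0' || ip === '::';
}

// Parse into [{ lineNo, ip, names }], dropping comments and blank lines.
function parseHosts(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.replace(/#.*$/, '').trim();   // strip trailing comment
    if (!line) return;
    const [ip, ...names] = line.split(/\s+/);      // spaces or tabs
    if (names.length === 0) return;                // address with no names maps nothing
    entries.push({ lineNo: idx + 1, ip, names: names.map((n) => n.toLowerCase()) });
  });
  return entries;
}

// Return the entries a defender should look at:
//   kind 'redirect' - a real host name resolves to some other machine
//   kind 'sinkhole' - a real host name resolves to loopback / unspecified
function findSuspiciousEntries(text) {
  const findings = [];
  for (const e of parseHosts(text)) {
    const names = e.names.filter((n) => !LOCAL_NAMES.has(n));
    if (names.length === 0) continue;
    findings.push({
      lineNo: e.lineNo,
      ip: e.ip,
      names,
      kind: isSinkhole(e.ip) ? 'sinkhole' : 'redirect',
    });
  }
  return findings;
}

// Constructed sample hosts file. 203.0.113.0/24 is a documentation range;
// the suntrust.com line models the redirect the slides describe.
const SAMPLE_HOSTS = [
  '# constructed sample hosts file',
  '127.0.0.1       localhost',
  '::1             localhost ip6-localhost',
  '0.0.0.0\tads.example.net            # constructed ad sinkhole',
  '203.0.113.7     suntrust.com www.suntrust.com   # constructed redirect',
  '192.0.2.1',
  '',
].join('\n');

function demo() {
  return findSuspiciousEntries(SAMPLE_HOSTS);
}

for (const f of demo()) {
  console.log(`line ${f.lineNo}: ${f.kind} ${f.names.join(', ')} -> ${f.ip}`);
}
```

On the constructed sample the script reports the ad sinkhole on line 4 and the suntrust.com redirect on line 5, and ignores the localhost entries and the malformed address-only line. In practice the same function would be run over the real hosts file on a schedule, and a redirect finding for a financial or mail domain is the one worth alerting on.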
IV. Damage Analysis
Serious Damage Examples
- Some attackers can gain remote control of the user account by altering certain HTML parts of the DLL file. The compromised computer can then be used as a node in a DDoS attack.
IV. Damage Analysis (cont'd)
Antivirus and Firewall Software
- We tested the infected DLL file with Symantec Antivirus / Firewall and Kaspersky Internet Security, with the security level in both set to Highest.
- Even though the software gives the user a report when the DLL file tries to access the Internet, most users will let it pass, since users, like the software, tend to trust the operating system.
IV. Damage Analysis (cont'd)
Antivirus and Firewall Software (cont'd)

| Activity                                          | Symantec                   | Kaspersky                           |
|---------------------------------------------------|----------------------------|-------------------------------------|
| Local modifications (modify system files)         | No response                | No response                         |
| Local activities (open windows, read hard drives) | No response                | No response                         |
| Access Internet (sending account info, e-mail)    | Reported as IE's activity  | Reported as ieframe.dll's activity  |
| Typical worm code segment                         | Reported as IE's activity  | Reported as ieframe.dll's activity  |
V. Solution
Windows File Protection (WFP)
- Applied in Windows XP to prevent programs from replacing critical Windows system files, which include ieframe.dll.
- WFP uses file signatures and catalog files generated by code signing to verify protected system files.
- Windows XP checks the signatures about every 6 to 7 seconds.
V. Solution (cont'd)
Windows File Protection (WFP) (cont'd)
- Replacement of protected system files is supported only through the following mechanisms:
  - Windows Service Pack installation using Update.exe
  - Hotfixes installed using Hotfix.exe or Update.exe
  - Operating system upgrades using Winnt32.exe
  - Windows Update
- Otherwise the system prompts the user to use the installation disk to recover the damaged files.
V. Solution (cont'd)
Windows File Protection (WFP) (cont'd)
- Two major defects:
  - The prompt can be overridden by users.
  - Tools now exist that completely disable the prompt dialogue, and therefore the whole protection system.
V. Solution (cont'd)
Write access protection
- A better way to prevent this malicious modification is to implement a file system like UNIX's, in which users, including root, do not have write access to some system files.