dslreports logo
 
    All Forums Hot Topics Gallery
spc
uniqs
13

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to trparky

Premium Member

to trparky

Re: IE Zero-Day

I'm not big on code, trparky See Profile When I was an IE MVP, I could have asked the IE Team at MS. I no longer have that option accessible to me.

What we have in this thread is the latest information.

I suspect we will know more in the forthcoming days if MS will issue an out-of-band patch or perhaps a FixIt.

trparky
Premium Member
join:2000-05-24
Cleveland, OH
·AT&T U-Verse

1 recommendation

trparky

Premium Member

Oh shit, I think I know how this exploit may work.

There's an attack technique which is used to overwrite the Structured Exception Handler which would, in any other case, catch the Null Reference Exception and handle it cleanly so that the program would not appear to crash.

But in the case of this exploit, it would overwrite the Structured Exception Handler using either a Stack-based Buffer Overflow or Heap Spray attack. Then, something would be used to trigger (a call to a null Object, in this case) the Exception Handler and since it's been overwritten with arbitrary code, the program would then be vulnerable to attack.

All of which EMET helps guard a program against.
trparky

trparky

Premium Member

There's something called Structured Exception Handling Overwrite Protection or SEHOP. It does this by preventing attackers from being able to use the SEH overwrite technique by verifying that the thread’s exception handler list is intact before allowing any of the registered exception handlers to be called or executed. This mitigation technique is made possible by a side-effect of overwriting the SEH. The side-effect is that the pointer in the program’s memory stack is corrupted in the process of overwriting the SEH, thus the integrity of the exception handling chain is broken.

An Exception Handler is anything that may include the use of TRY, CATCH, and FINALLY.

I did a presentation on various exploit techniques for my end of class project for my CompTIA Security+ prep class. I covered the use of EMET extensively so I had to actually do some research into how many of these attacks work on a basic level.
trparky

trparky

Premium Member

Many of Microsoft's newer programs have these exploit protections baked into the compiled code of the program. But, this only happens with programs that have been compiled with recent versions of the Microsoft Visual C++ Compiler.

My guess is that Internet Explorer 9 and 10, which aren't vulnerable, have been compiled with Visual C++ 2010 or newer and the older versions are still being compiled with pre-2010 C++ compiler thus not having the protections baked into the compiled code.

StuartMW
Premium Member
join:2000-08-06

StuartMW to trparky

Premium Member

to trparky
said by trparky:

But in the case of this exploit, it would overwrite the Structured Exception Handler using either a Stack-based Buffer Overflow or Heap Spray attack.

...

All of which EMET helps guard a program against.

That is my understanding as well.

Lagz
Premium Member
join:2000-09-03
The Rock

2 edits

Lagz to trparky

Premium Member

to trparky
said by trparky:

Oh shit, I think I know how this exploit may work.

There's an attack technique which is used to overwrite the Structured Exception Handler which would, in any other case, catch the Null Reference Exception and handle it cleanly so that the program would not appear to crash.

But in the case of this exploit, it would overwrite the Structured Exception Handler using either a Stack-based Buffer Overflow or Heap Spray attack. Then, something would be used to trigger (a call to a null Object, in this case) the Exception Handler and since it's been overwritten with arbitrary code, the program would then be vulnerable to attack.

All of which EMET helps guard a program against.

I wonder if flash or IE uses standard exception handlers or do they write their own? My instructor in C# told us to write our own exception handling when possible rather than throw standard exceptions, this might be why. When I was first introduced to exceptions I was like, HELL YEA I don't have to write as much code now. We had been writing our own exception handling up to that point. I wonder if they are just throwing standard exceptions if that's a result from laziness or management hurriedly wanting code pushed out the door?