Using the Browser Cache to Bypass Security
This is a follow up to the Limited Firefox Zero-Day Attack in the Wild blog posted by my colleague Joji Hamada.
The exploit of the Mozilla Firefox 3.5/3.6 Remote Heap Buffer Overflow Vulnerability (BID 44425) uses a series of heap sprayed ROP gadgets (return-oriented programming) using code in xul.dll to bypass Data Execution Prevention (DEP). These ROP gadgets were only used to relocate and execute the shellcode in read, write, and executable memory no longer subject to DEP. It is noteworthy that the xul.dll module has ASLR enabled in supported operating systems like Windows Vista and Windows 7, which prevents this threat from running in those platforms.
To drop the malware onto an unsuspecting victim’s computer, this exploit employs a little trick: The malicious executable to be dropped onto the victim’s computer was hosted on the same domain using the name “scvhost.txt” and was included in the .html as shown below.
This makes a browser using the standard settings automatically download the referenced file into the browser cache.
After successful exploitation of the Firefox vulnerability, the shellcode that gets to run then launches the command processor (cmd.exe), which searches in browser cache of Firefox profiles directory looking for a file with a particular size of 48,640 bytes.
Once found, it copies the file to %Temp%\scvhost.exe and executes it.
The malware authors are likely using this technique in order to bypass certain security technologies that hook and monitor APIs such as “URLDownloadToFileA”.
Another possible benefit is it makes it easier to re-host this exploit on different domains as they wouldn’t need to modify the shellcode with a new domain.
However, while using the cache may bypass security techniques that use behavioral monitoring, doing so actually makes it easier to detect and prevent the threat using standard scanning techniques.
Interestingly, the authors are likely reusing old shellcode that has been modified with their new technique as the shellcode also locates the addresses of many APIs that aren’t actually used.
The Mozilla team released a fix for the vulnerability earlier today. Readers of this blog should make sure they upgrade to the latest version of the Firefox browser.
As always keep your antivirus definitions and software up-to-date and surf safe.