Using Deviare to Create a Temporary Zero Day Patch

Zero day vulnerabilities put organizations at the mercy of vendors. These vulnerabilities are like a ticking bomb: you do not know when someone will exploit them. Writing your own patch for closed source applications is, in most cases, a complex mission that can take even longer than the vendor solution. When you use legacy software which has outlived vendor support you must write your own patch or set up preventive measures. Even if you are using supported software, you can use Deviare to protect yourself from some known 0-day vulnerabilities to 0-day attacks until the vendor patch is available. Below is a code sample which uses Deviare to address CVE-2010-3971. Deviare makes hooking extremely easy, requiring only the most rudimentary programming skills. Deviare is binary instrumentation for the masses!

CVE-2010-3971 is a vulnerability in the CSharedStyleSheet::Notify function in the CSS parser in mshtml.dll. It uses memory after it is freed. We use Deviare to intercept the exploit before the attack is made effective and can achieve a denial of service or execution of arbitrary code.

The CSharedStyleSheet::Notify function manipulates an array of CStyleSheet objects. The function receives a flag as a parameter. If this flag passed is one, it calls CStyleSheet::Notify. The exploit must embed the value of the flag to call this particular function.

Our code hooks the CStyleSheet::Notify function, which is not normally called by Internet Explorer, in all iexplorer.exe processes, to detect the presence of an exploit. We use Metasploit to simulate the attack with the ms11_003_ie_css_import exploit and check our detection method. If an exploit is detected, a message box appears and IE is suspended to prevent damage.
Below is a video showing the attack and defense in action:

Code

The code is available on github.

Prerequisites

  1. Download Deviare and register it for 32-bit or 64-bit
  2. To enable the Deviare engine to use debugging symbols, the following library files are required: symsrv.dll which can be obtained in the Debugging Tools for Windows package and msdiaXX.dll which is part of the DIA SDK, available in Microsoft Visual Studio installation folder, under DIA SDK/bin directory. The Recommended Debugging Tools for Windows version is 6.12.2633 or higher. Tested DIA SDK versions are 9.0 (msdia90.dll), 10.0 (msdia100.dll) and 11.0 (msdia110.dll).
  3. You must copy those 32 and/or 64-bit DLLs to the dllx86 and dllx64 folders in the “bin” directory of the project, depending on which platforms you want to target.
  4. The project platform should match the Internet Explorer platform for the interception to succeed.
  5. Compile the solution
  6. The project will load and cache the symbols in the directory D:\PDB

Acknowledgment

Douglas from Nektra researched and developed the code.

Further Reading

  1. When A DoS Isn’t A DoS
  2. Windows XP SP3 and Office 2003 support ends April 8, 2014

If you liked this article, you might also like: