MS 10-046, by R. Patterson & O. Oigagbe
Computer Science Security Track
Ogbeide Derrick Oigiagbe
Mathematics and Computer Science Security Track
In this paper, we describe the effects of being exploited by the MS10_46 vulnerability (Windows Shell Could Allow Remote Code Execution).
Measurement, Documentation, Experimentation, and Security
MS10_046, Windows Shell Could Allow Remote Code Execution, Security, Exploit, Analysis, Microsoft
This paper details the aftermath of executing of the MS10_046 vulnerability. We wish to explain in great detail the effects that this vulnerability has on a system.
To fully understand the effects of the MS10_046 vulnerability we must first understand the exploit as well as the payloads used.
1.1 Introduction to MS10_046
“[MS10_046] could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.” The vulnerability is successful due to Microsoft Windows not properly parsing the shortcuts created. When it is parsed, an icon gets displayed and then the malicious code is executed.
The attack machine with the aide of Metasploit, creates and host a malicious website which in turn builds a directory that holds the modified icon and a DLL.When the victim machine accesses the malicious website, a pop up message appears, asking the for permission to run web content. If this permission gets granted, then the malicious directory which contains both the icon and DLL will appear and this indicates the execution of the remote code.
1.2 Introduction to Meterpreter
“Meterpreter, short for The Meta-Interpreter is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer…” 
This particular payload is often detectable by various intrusion detection systems because of its use in the Metasploit framework. This allows our research group to analyze the effects the payload has after exploitation.
2. EXECUTING MS10_046
To execute MS10_046 we use Backtrack 5 R3 [Attack Machine]. This exploit would be carried out in the command line.\
First we start Metasploit:
Now we set the exploit we wish to use:
Next we shall look at the configuration options:
set SRVHOST 192.168.1.121
set LHOST 192.168.1.121
Now for ease of use we set the URIPATH to / so we only need to enter the IP address to exploit.
set URIPATH /
Finally we use the exploit:
The Metasploit local server would begin and it would resemble what is shown below.
Now that the malicious website is created we log onto the victim machine. Access the malicious URL “http://x.x.x.x/ (x.x.x.x – > LHOST)”.
A pop up message then appears, click on “Allow”.
After allowing the message the malicious directory then appears:
3. Lab Setup
We have set up a number of machines to test the CVE 2012-4681 Java 7 Applet Remote Code Execution vulnerability. The machines include:
•1 Windows 7 enterprise host machine for all virtual machines.
•1 XUbuntu Security Onion virtual machine used as a sensor and for analysis.
•1 Windows 7 virtual machine used as a victim.
•1 CentOS physical laptop used for analysis.
•1 Backtrack physical laptop used for exploiting the victim machine.
To help us analyze changes in the registry key we use Regshot to monitor changes during the exploit. A number of registry keys and registry values were added (Reference the end of this article for all of the keys added). However, not all the registry keys added are connected to the MS10_046 exploit. There are two particular keys that struck our attention.
– HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXDAV000\DeviceDesc: “@%systemroot%\system32\webclnt.dll,-104”
– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXDAV000\DeviceDesc: “@%systemroot%\system32\webclnt.dll,-104”
These keys are specifically flagged because of the “webclnt.dll”. Webclnt.dll is also known as WebDAV Services DLL. According to process-info.org, “The webclnt.dll file includes the processes which run the range of extensions to the Hypertext Transfer protocol (HTTP). It means the WebDAV will be able to realize file sharing. Thanks to WebDAV users are able to load, edit, remove, create subdirectories and manage files on the Web server from the client desktop through HTTP. This happens because WebDAV tool enables cooperating with files on remote web servers.”.
The “webclnt.dll” creates a remote connection between the attack machine and the victim machine. This is also shown through our Wireshark section in the form of PROFIND. It is also possible that this DLL provides a catalyst for which the malicious random DLL is loaded into the rundll32.exe. This is possible because the webclnt.dll makes the folder on the attacking machine available to which the rundll32.exe can then load the malicious DLL and execute it.
During this research we ran Wireshark before the exploit was executed and also terminated it once the exploit was complete. This helped us avoid any excess data that may be involved. We notice a few significant events through Wireshark including a PROPFIND transmission, Multi-status response, GET .lnk and GET .dll.
First we shall look at the PROPFIND transmission. “The WebDAVPROPFIND Method retrieves properties for a resource identified by the request Uniform Resource Identifier (URI).” This WebDav method enables the victim computer to view the malicious directory created remotely by the attack machine. This can be seen in the below screen shot:
After the victim machine sends out the PROPFIND request it starts getting the malicious .lnk and .dll files as shown below:
We run snort to detect any malicious traffic across the network. We initiate Snort before executing the exploit. We narrow down our results by looking at the time stamps around each exploit and what alerts are immediately added. It should be noted that the operating system in which our IDS and IDS analysis tools exist uses snort rules from Emerging Threats. To aid us in viewing our results we use Snorby.
We obtain 6 individual alerts through Snorby after the exploit is carried out. The results are as follows:
•Alert SID: 2012086 Number of Alerts: 1 Alert Name: ET SHELLCODE Possible Call with No Offset TCP Shellcode
Code: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:”ET SHELLCODE Possible Call with No Offset TCP Shellcode”; flow:established; content:”|E8 00 00 00 00 58|”; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:1;)
•Alert SID: 2011270 Number of Alerts: 2 Alert Name: ET CURRENT_EVENTS Possible Microsoft Windows .lnk File Processing WebDAV Arbitrary Code Execution Attempt
Code: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:”ET CURRENT_EVENTS Possible Microsoft Windows .lnk File Processing WebDAV Arbitrary Code Execution Attempt”; flow:established,to_client; file_data; content:”T”; nocase; content:””; nocase; distance:0; content:””; nocase; distance:0; content:””; nocase; distance:0; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20918; reference:url,www.kb.cert.org/vuls/id/940193; reference:url,www.microsoft.com/technet/security/advisory/2286198.mspx; reference:cve,2010-2568; reference:url,doc.emergingthreats.net/2011270; classtype:attempted-user; sid:2011270; rev:3;)
•Alert SID: 2012088 Number of Alerts: 1 Alert Name: ET SHELLCODE Possible Call with No Offset TCP Shellcode
Code: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:”ET SHELLCODE Possible Call with No Offset TCP Shellcode”; flow:established; content:”|E8 00 00 00 00 8F|”; fast_pattern:only; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012088; rev:1;)
•Alert SID: 2101390 Number of Alerts: 1 Alert Name: GPL SHELLCODE x86 inc ebx NOOP
Code: alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:”GPL SHELLCODE x86 inc ebx NOOP”; content:”CCCCCCCCCCCCCCCCCCCCCCCC”; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)
•Alert SID: 2015588 Number of Alerts: 1 Alert Name: ET POLICY Suspicious Windows Executable WriteProcessMemory
Code: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:”ET POLICY Suspicious Windows Executable WriteProcessMemory”; flow:established,to_client; file_data; content:”MZ”; within:2; byte_jump:4,58,relative,little; content:”PE|00 00|”; distance:-64; within:4; content:”WriteProcessMemory”; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:1;)
•Alert SID: 2000419 Number of Alerts: 1 Alert Name: ET POLICY PE EXE or DLL Windows file download
Code: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:”ET POLICY PE EXE or DLL Windows file download”; flow:established,to_client; file_data; content:”MZ”; within:2; byte_jump:4,58,relative,little; content:”PE|00 00|”; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:17;)
A rundll32.exe process is created whenever the exploit is created. “The rundll32.exe application is simply used to launch functionality stored in shared .dll files.” We know that rundll32.exe specializes in loading arbitrary DLLs and running them. We also see that the rundll32.exe contains webclnt.dll. The “webclnt.dll” is what is used to grant the targeted machine access to the directories on the attacking machine.
8. WINDOWS LOGS
First we clear all windows logs so we know what is specific to this exploit and payload. After this we execute the MS10_046 vulnerability.
After the exploit we look at the windows logs and find a system error with the message of :
“The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID :
It should be noted that Metasploit scripts are written using Ruby which in turn can interact with COM (component object model) . This however is not enough to prove a direct correlation between Meterpreter and this specific error notification so we search the registry for that CLSID and find it maps to a Window’s shell and an interactive user:
From this we can infer that the victimized computer has been accessed. This also indicates that a malicious code has been executed and possibly a shell session has been granted.
Thanks to Dr. Michael O’leary, our advisor for this research project, for his guidance.
The Geek. (July 8, 2008). What is rundll32.exe And Why Is It Running?. In How to Geek. Retrieved October 22, 2012, from http://www.howtogeek.com/howto/windows-vista/what-is-rundll32exe-and-why-is-it-running/
Microsoft. (August 02, 2010). Microsoft Security Bulletin MS10-046 – Critical. In Microsoft. Retrieved October 26, 2012, from http://technet.microsoft.com/en-us/security/bulletin/MS10-046.
Ivanisevic, B. (n.d). Ruby on Windows Guides. In Ruby on Windows Guides. Retrieved October 31. 2012, from http://rubyonwindowsguides.github.com/book/ch04-01.html.
Process Info. (n.d). Process-Info.org. In Webclnt.dll. Retrieved October 31. 2012, from http://process-info.org/webclnt-dll.