Internet Security Systems - AlertCon(TM)

A VB Runtime Bug and Critical Section Lock Exploitation

Posted by Robert Freeman on June 09, 2009 at 6:21 PM EDT.

A significant number of applications are written in Visual Basic (VB) because it is an easy language to write in. Even if you have never looked closely at the applications you have installed over the years, the chances are that some of them are VB applications. They are ubiquitous, and with them come the VB runtime libraries that provide functionality to the applications they are bundled with. In short, you are likely to have these libraries on your system.

Since late last year, several VB runtime ActiveX controls have been patched and/or received killbits (which prevent Internet Explorer from loading them). Today, the MSCOMM32.OCX library from the VB6 runtime received a killbit for a bug I disclosed last year. Interestingly, the bug is a heap overflow in a class object, and the overflow reaches a critical section lock, allowing the lock to be overwritten. Critical section locks are common synchronization objects, and they also happen to be added at compile time to most class objects built with Visual C++. This makes for an interesting exploitation vector: there is little public research on critical section lock exploitation, and corrupting a lock is not useful on its own unless the corrupted fields can influence something crafty elsewhere.

Nicholas Falliere produced the earliest public research I could find on the subject, back in 2005. His paper notes various constraints that are troublesome in the context of a web browser. Given that Data Execution Prevention (DEP) under Vista (and Server 2003, etc.) can be a real pain, this seemed like an interesting project to undertake, the goal being reliable exploitation of the ActiveX control bug on both XP and Vista by leveraging the critical section lock pointer. The result is that I have come up with a few crafty approaches that work even under IE8 (and maybe some other browsers); hopefully you will read about them in a future whitepaper. For anyone looking to research this exploitation vector, the Black Hat '08 talk by Alex Sotirov and my colleague Mark Dowd is a good starting point.
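The layout problem underneath all of this, as an added example that is not code from the original post or from the MSCOMM32 control itself: a small C model of a class object that embeds a 32-bit CRITICAL_SECTION directly after a fixed-size buffer. The lock structure mirrors the public RTL_CRITICAL_SECTION field order and sizes from winnt.h, so the offsets are realistic, but the object layout around it (a vptr, a 16-byte buffer, then the lock) is an assumption made for illustration, and nothing here calls the Windows API, so it builds and runs on any platform. It maps each byte of an over-long copy to the lock field it lands on, runs an unchecked copy beside a length-checked one, and shows that four extra bytes are enough to replace DebugInfo. That field and LockSemaphore are the ones ntdll dereferences on the contended EnterCriticalSection/LeaveCriticalSection paths, which is what makes them worth controlling.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post or from MSCOMM32.OCX.
 * crit_sec32 mirrors the public 32-bit RTL_CRITICAL_SECTION field order and
 * sizes from winnt.h (24 bytes); it is a portable stand-in and nothing here
 * calls the Windows API. */
typedef struct {
    uint32_t DebugInfo;     /* PRTL_CRITICAL_SECTION_DEBUG, dereferenced on contention */
    int32_t  LockCount;     /* -1 while unowned */
    int32_t  RecursionCount;
    uint32_t OwningThread;  /* HANDLE (owning thread id) */
    uint32_t LockSemaphore; /* HANDLE, created lazily when a waiter shows up */
    uint32_t SpinCount;     /* ULONG_PTR */
} crit_sec32;
_Static_assert(sizeof(crit_sec32) == 24, "32-bit CRITICAL_SECTION is 24 bytes");

/* Assumed object layout for illustration (not the real control's): a vptr,
 * a fixed copy target, then the embedded lock. Heap or stack placement of
 * the object does not change the offsets. */
typedef struct {
    uint32_t   vptr;
    char       buf[16];
    crit_sec32 lock;
} obj32;

static const char *const LOCK_FIELDS[] = {
    "DebugInfo", "LockCount", "RecursionCount",
    "OwningThread", "LockSemaphore", "SpinCount"
};

/* Name the part of the object that byte `off` of a copy into buf lands on. */
const char *field_hit(size_t off)
{
    size_t pos = offsetof(obj32, buf) + off;
    if (pos < offsetof(obj32, lock))
        return "buf";
    pos -= offsetof(obj32, lock);
    if (pos >= sizeof(crit_sec32))
        return "past object";
    return LOCK_FIELDS[pos / sizeof(uint32_t)];
}

static void obj_init(obj32 *o)
{
    memset(o, 0, sizeof *o);
    o->lock.LockCount = -1;   /* unowned, as InitializeCriticalSection leaves it */
}

/* Vulnerable: trusts the caller's length. The copy goes through the raw object
 * bytes, so the overrun into `lock` is exactly what an overflow of the
 * adjacent field does. */
void obj_set_unchecked(obj32 *o, const void *src, size_t n)
{
    memcpy((unsigned char *)o + offsetof(obj32, buf), src, n);
}

/* Hardened: rejects anything that would run past buf. 0 on success, -1 if refused. */
int obj_set_checked(obj32 *o, const void *src, size_t n)
{
    if (n > sizeof o->buf)
        return -1;
    memcpy(o->buf, src, n);
    return 0;
}

/* Copy n bytes of `fill` (a constructed payload) into a fresh object and hand
 * back the lock state. n is capped so the simulation itself never runs off
 * the end of the object. Returns the copy's result code. */
int simulate_overflow(size_t n, uint8_t fill, int hardened, crit_sec32 *out)
{
    obj32 o;
    uint8_t src[64];
    int rc = 0;
    if (n > sizeof(obj32) - offsetof(obj32, buf))
        n = sizeof(obj32) - offsetof(obj32, buf);
    memset(src, fill, sizeof src);
    obj_init(&o);
    if (hardened)
        rc = obj_set_checked(&o, src, n);
    else
        obj_set_unchecked(&o, src, n);
    *out = o.lock;
    return rc;
}

uint32_t debuginfo_after(size_t n, uint8_t fill, int hardened)
{
    crit_sec32 cs;
    simulate_overflow(n, fill, hardened, &cs);
    return cs.DebugInfo;
}

int32_t lockcount_after(size_t n, uint8_t fill, int hardened)
{
    crit_sec32 cs;
    simulate_overflow(n, fill, hardened, &cs);
    return cs.LockCount;
}

/* Result code of the hardened copy for a given length. */
int copy_refused(size_t n)
{
    crit_sec32 cs;
    return simulate_overflow(n, 0x41, 1, &cs);
}

int main(void)
{
    size_t off;
    for (off = 0; off <= sizeof(obj32); off += 4)
        printf("copy byte %2zu -> %s\n", off, field_hit(off));
    printf("DebugInfo after a 20-byte copy: unchecked=0x%08x checked=0x%08x\n",
           (unsigned)debuginfo_after(20, 0x41, 0), (unsigned)debuginfo_after(20, 0x41, 1));
    return 0;
}
```

Run it and the offset map shows the first byte past buf landing on DebugInfo, then LockCount, and so on through SpinCount; the checked copy leaves the lock untouched for any length. On a real target the distance from the overflowed field to the embedded lock is whatever the compiler laid out for that class, so the first step in practice is recovering that offset from the control's binary rather than assuming the 16 bytes used here.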

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.