Cyberattacks targeting South Korean Banks and Media (Mar 22, 2013)

The Dell SonicWALL Threats Research team observed reports of new cyber attacks targeting banks and broadcasting companies in South Korea. The malware involved in these attacks brought down multiple websites and interrupted bank transactions by overwriting the Master Boot Record (MBR) and all logical drives on the infected systems, rendering them unusable.

Infection Cycle:

  • Upon execution, the malware involved in these attacks drops the following files on the infected system:
    • %TEMP%\alg.exe – UPX-packed PuTTY Plink (a command-line interface to the PuTTY back ends)
    • %TEMP%\conime.exe – UPX-packed PuTTY PSCP (command-line secure file copy client)
    • %TEMP%\AgentBase.exe [ Windows Wiper – Detected as GAV: KillDisk.NAS (Trojan)]
    • %TEMP%\~pr1.tmp [ Unix Wiper – Detected as GAV: Linux.KillMBR (Trojan)]

  • The file ~pr1.tmp is a malicious shell script intended to wipe data from HP-UX, AIX, SunOS and Linux systems, including any shares mounted on them.
  • The malware looks for stored SSH session credentials for mRemote and SecureCRT applications at specific locations in order to identify more potential target systems on the network.
  • It uses the dropped UPX packed PSCP executable – conime.exe to transfer the Unix Wiper bash script onto the identified Unix systems and then remotely executes it using the dropped UPX packed Plink executable – alg.exe.
  • It then executes the dropped Windows Wiper executable AgentBase.exe. The Windows Wiper checks for running security processes belonging to two Korean AV vendors, AhnLab and HAURI, and attempts to terminate them.
  • It then creates a thread that overwrites the first 0x1E0 bytes of the MBR with one of the following strings, repeated to fill the region:

    • PR!NCPES
    • PRINCPES
    • HASTATI.
  • The malware writes the same string to every logical and removable drive it finds on the infected system. It then forces a restart via the command shutdown -r -t 0, leaving the machine unbootable and completely unavailable to the user.
  • SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

    • GAV: KillDisk.NAS (Trojan)
    • GAV: (Cloud Id: 13031960) EncPk.CR (Trojan)
    • GAV: (Cloud Id: 13060749) KillMBR.Y (Trojan)
    • GAV: KillMBR.Y (Trojan)
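
The MBR overwrite described above can be checked for directly on a disk image. The following is an added example, not code from the SonicAlert: it takes one 512-byte sector, tests whether the first 0x1E0 bytes are a repetition of one of the three marker strings, and lists which partition-table entries fall inside the overwritten range. The sample sectors are constructed in the file and the partition layout in them is an arbitrary assumption, not data from a victim disk.

```python
# Added example (not part of the SonicAlert): forensic check for the MBR overwrite
# described in the alert. Input is a raw 512-byte sector; the sample sectors at the
# bottom are constructed here, not taken from an infected machine.
from typing import Dict, List, Optional

SECTOR_SIZE = 512
WIPED_LEN = 0x1E0             # bytes overwritten by the wiper thread, per the alert
PART_TABLE = 0x1BE            # classic MBR partition table: 4 entries x 16 bytes
BOOT_SIG_OFFSET = 0x1FE       # 0x55 0xAA boot signature
WIPER_MARKERS = (b"PR!NCPES", b"PRINCPES", b"HASTATI.")


def wiper_marker(sector: bytes) -> Optional[str]:
    """Return the marker string if the overwritten region is a repetition of it, else None."""
    head = sector[:WIPED_LEN]
    for marker in WIPER_MARKERS:
        reps, rem = divmod(WIPED_LEN, len(marker))   # 0x1E0 / 8 = 60 exactly, rem 0
        if head == marker * reps + marker[:rem]:
            return marker.decode("ascii")
    return None


def clobbered_partition_entries(wiped_len: int = WIPED_LEN) -> List[int]:
    """Indices of partition-table entries whose bytes start inside the overwritten range."""
    return [i for i in range(4) if PART_TABLE + 16 * i < wiped_len]


def classify_mbr(sector: bytes) -> Dict[str, object]:
    """Summarise one sector: wiped or not, which marker, and what survived the overwrite."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    marker = wiper_marker(sector)
    return {
        "wiped": marker is not None,
        "marker": marker,
        "boot_signature_ok": sector[BOOT_SIG_OFFSET:] == b"\x55\xaa",
        "clobbered_partition_entries": clobbered_partition_entries() if marker else [],
    }


def build_healthy_mbr() -> bytes:
    """Constructed sector: placeholder boot code, one active partition, valid signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (PART_TABLE - 7)
    # bootable flag, CHS start, type 0x83, CHS end, LBA start 2048, 204800 sectors (assumed layout)
    entry0 = (bytes([0x80, 0x20, 0x21, 0x00, 0x83, 0xFE, 0xFF, 0xFF])
              + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
    table = entry0 + bytes(16 * 3)
    return boot_code + table + b"\x55\xaa"


def build_wiped_mbr(marker: bytes = b"HASTATI.") -> bytes:
    """The healthy sector after the wiper thread has run over its first 0x1E0 bytes."""
    healthy = build_healthy_mbr()
    return marker * (WIPED_LEN // len(marker)) + healthy[WIPED_LEN:]


if __name__ == "__main__":
    for label, sector in (("healthy", build_healthy_mbr()), ("wiped", build_wiped_mbr())):
        print(label, classify_mbr(sector))
```

Two details worth noting when triaging a disk: the 0x55AA boot signature at offset 0x1FE survives because the overwrite stops at 0x1E0, so a check for the signature alone will not reveal the damage, and the fourth partition entry (offset 0x1EE) is also left intact, which is why only entries 0 to 2 are reported as clobbered.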

Chinese botnet leaks sensitive system info and awaits instructions (Mar 29, 2013)

The Dell SonicWALL Threats Research team has discovered a new botnet originating from China. Apart from leaking sensitive system information and a potential click-fraud capability, the purpose of the botnet is not known at this time. It does, however, contain the ability to receive instructions from a remote C&C server and to download and run additional malicious executable files.

Infection Cycle:

Below is a sample of the DNS queries that the Trojan performed during analysis:

  • kjuwqnbv.com
  • sd.newaot.com
  • kfdsalete.com
  • towtags.com
  • tl.extreme-dm.com
  • el.extreme-dm.com
  • script.opentracker.net
  • atl.opentracker.net
  • www.statcounter.com
  • www.google.com
  • www.fondauto.com
  • jsfeedget.com
  • funnygusta.com

The Trojan creates the following files on the filesystem:

  • %USERPROFILE%\kuswowugwize.exe [Detected as GAV: Pushdo.PVO (Trojan)]
  • %WINDOWS%\msisvc.exe [Detected as GAV: Wagiclas.AA (Trojan)]

The Trojan creates the following keys in the Windows registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kuswowugwize "%USERPROFILE%\kuswowugwize.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\msisvc.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\msisvc.exe GUID "530baa6df9246225b5ebcd3165946288"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion AppManagement hex:56,1f,42,65,88,38,e7,0b,a1,38,5b,0b,2e,51,74,24,
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion kuswowugwizezap hex:5c,98,2f,52,e8,7f,a2,39,5c,f2,89,ac,43,66,fc,20,
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMIADAPTER\000 Service "WMIAdapter"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMIADAPTER\000 ClassGUID "{8ECC055D-047F-11D1-A537-0000F8753ED1}"

The Trojan hides its imports from static analysis by storing the names of the Windows API functions it needs in encrypted form and decrypting them at runtime. We located the decryption routine, which revealed the calls in use.

The Trojan uses five WinInet API functions (wininet.dll) for querying HTTP URLs and downloading additional malicious files.

It uses the decrypted WinInet APIs to download a file named saq.jpg, sending the User-Agent string "NC2E" in the request. Despite the JPEG extension the file is not an image: it is an encrypted executable [Detected as GAV: Wagiclas.AA_2 (Trojan)] that the Trojan decrypts, moves to %WINDOWS%\msisvc.exe and executes before terminating.
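
A download like the one above, an encrypted executable served under an image name, is easy to spot once the content is inspected rather than trusted by extension. The following is an added example, not code from the SonicAlert: it combines a magic-number test (JPEG or PE header) with a Shannon-entropy measurement, and separately flags proxy log lines that carry the Trojan's User-Agent. The payload bytes and the log lines are constructed here; the log format is an assumption.

```python
# Added example (not part of the SonicAlert): content-versus-extension check for the
# fake-JPEG download described above. Samples below are constructed, not captured.
import math
from collections import Counter
from typing import Dict

JPEG_MAGIC = b"\xff\xd8\xff"
PE_MAGIC = b"MZ"
IMAGE_EXTS = {"jpg", "jpeg"}
DOWNLOAD_UA = "NC2E"          # User-Agent the Trojan sends when fetching saq.jpg


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 means every byte value occurs equally often (random or encrypted)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_download(filename: str, data: bytes, threshold: float = 7.5) -> Dict[str, object]:
    """Decide whether a file's bytes match what its extension claims."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(JPEG_MAGIC):
        kind = "jpeg"
    elif data.startswith(PE_MAGIC):
        kind = "pe"
    else:
        kind = "unknown"
    entropy = shannon_entropy(data)
    verdict = "ok"
    if ext in IMAGE_EXTS and kind != "jpeg":
        verdict = "mismatch"                  # image extension, non-image content
        if kind == "unknown" and entropy >= threshold:
            verdict = "likely-encrypted"      # no recognisable header and near-random bytes
    return {"ext": ext, "kind": kind, "entropy": round(entropy, 2), "verdict": verdict}


def suspicious_request(log_line: str) -> bool:
    """Flag a proxy log line with the Trojan's User-Agent requesting a .jpg URL.
    Assumed log format: '<client> <method> <url> "<user-agent>"'."""
    try:
        _client, _method, url, ua = log_line.split(" ", 3)
    except ValueError:
        return False
    return ua.strip('"') == DOWNLOAD_UA and url.lower().endswith(".jpg")


# Constructed samples: a minimal JFIF header, a plain PE stub, and a byte sequence that
# stands in for an encrypted PE (no header, entropy exactly 8.0).
REAL_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00\x01" + bytes(512)
PLAIN_PE = PE_MAGIC + b"\x90\x00" + bytes(508)
FAKE_JPEG = bytes(range(256)) * 8
PROXY_LOG = [
    '10.0.0.7 GET http://example.invalid/saq.jpg "NC2E"',
    '10.0.0.9 GET http://example.invalid/logo.jpg "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(classify_download("saq.jpg", FAKE_JPEG))
    print([suspicious_request(line) for line in PROXY_LOG])
```

The entropy threshold is a tuning knob: real JPEG data after the header is compressed and also scores high, which is why the check only fires once the header is absent.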

The Trojan uses a server running a copy of Mentalis Proxy Server to validate certificates.

The Trojan communicates with a remote C&C server to report the infection and obtain further instructions; in this case it was instructed to wait. It sends sensitive information such as the network interface card's MAC address, the Windows OS version and the external IP address of the compromised machine. The Trojan's build version number is sent as the User-Agent.

The Trojan was observed receiving the following response from a remote server. The response instructs the bot to download a file (qqka0328.jpg) from the specified URL, verify it against the hash supplied in the response, and simulate visits to the specified web page.

The msisvc.exe executable carries a valid code-signing certificate from a trusted certificate authority located in China (WoSign), issued to a company named Taihu county mianyang information and technology Inc.

A quick lookup of the e-mail address associated with the digital signature, 532476028@qq.com, turned up job postings by the same e-mail user for the same company.

Dell SonicWALL UTM appliance provides protection against this threat with the following signatures:

  • GAV: DarkMoon.B_2 (Trojan)
  • GAV: Wagiclas.AA (Trojan)
  • GAV: Wagiclas.AA_2 (Trojan)
  • GAV: Pushdo.PVO (Trojan)
  • IPS: 9782 Darkmoon C&C activity 1
  • IPS: 9783 Darkmoon C&C activity 2

Spammers celebrate Easter in advance (March 29, 2013)

Festivals bring an opportunity for families to come together and celebrate, and these celebrations often involve shopping for near and dear ones. Spammers take advantage of this and tailor their campaigns to mislead and infect unsuspecting users.

Easter is celebrated at the beginning of spring; this year it falls on 31st March. As the day approaches we are seeing the expected rise in Easter-related spam. The following graph summarizes the Easter-related spam we observed over the last 10 days.


The graph shows a sharp rise in Easter-related spam over the last few days. We expect this trend to continue until 31st March, after which the numbers should decline slowly.

The subject lines seen most often over the last few days include:

  • Subject: $19.99 Flowers for Easter + FREE Vase
  • Subject: FREE Easter Egg Hunt Saturday March 30th
  • Subject: What better way to celebrate Easter than with flowers – Shop now
  • Subject: Get Easter Baskets and Other gifts for your child. Personalized too!
  • Subject: Easter Order deadline
  • Subject: Letter From The Easter Bunny
  • Subject: Easter Special- Huge Savings on all Makes and Models
  • Subject: Easter Blowout Sale on all Vehicles
  • Subject: Easter Sunday Shocker: Take 10lbs off your body
  • Subject: 50% off stunning Easter blooms!
  • Subject: Save 50% off the best bouquets for Easter

The following are screenshots for some of the spam:

Most of these messages try to entice the user into paying money and/or handing over personal information for a service or product that is very unlikely to be delivered. We urge our readers to be careful with such campaigns during Easter.

Dell SonicWALL Gateway AntiVirus monitors and provides constant protection against malicious threats. Wishing our readers a happy Easter!

Microsoft Remote Administration BO (March 29th, 2013)

The Microsoft Computer Browser service is used to share information about workgroups, domains, and the hosts within them, and is essential for Windows hosts that wish to browse shared resources. The Browser protocol defines five primary roles for participating hosts: client, service provider, local master, domain master, and backup server. It relies on two protocols to transport data: the Microsoft Remote Administration Protocol (RAP) and the Remote Mailslot Protocol (RMP). RAP is used by a client to request and receive enumerations of services and servers from a master or backup browser server. RMP is used for sending requests and replies between service providers, master, and backup servers. Communication can be targeted or by broadcast.

RAP commands are sent over the Server Message Block (SMB) protocol. Before any RAP command can be issued to a server, the client must establish an SMB connection with it. Lists of servers are obtained using the NetServerEnum2 class of commands, which consists of NetServerEnum2Request and NetServerEnum2Response.

A NetServerEnum2Request is used by clients to retrieve lists of servers or machine groups. The server answers with a NetServerEnum2Response, whose structure is shown below:

 Offset   Size        Name                    Description
 -------- ----------- ----------------------- -----------------------------------------------------
 0x0000   2           errorcode               status of the request
 0x0002   2           converter               value subtracted from string pointers to turn them into offsets into RAPData
 0x0004   2           entriesreturned         number of structures in the Data section 'x'
 0x0006   2           entriesavailable        number of servers available
 0x0008   x * len     RAPData                 'x' structures of 'len' length describing available services

The RAPData section contains NetServerInfo structures. The format of these structures depends on other parameters in the NetServerEnum2Request. The structure of elements contained in RAPData is shown below:

 Offset   Size        Name                    Description
 -------- ----------- ----------------------- -----------------------------------------------------
 0x0000   16          servername              NetBIOS server name
 0x0010   1           majorversion            major version
 0x0011   1           minorversion            minor version
 0x0012   4           servertype              type of services provided
 0x0016   2           servercommentlow        low word of the pointer: absolute offset from the start of RAPData to a string
 0x0018   2           servercommenthigh       high word of the same pointer

The protocol specification allows multiple entries in one NetServerEnum2Response message. Each entry carries a servername and a server comment pointer (servercommentlow and servercommenthigh); the pointer value, adjusted by the converter field, gives the offset from the start of RAPData to a null-terminated ASCII string held in the response block. A heap buffer overflow exists in the Microsoft Windows Browser service when handling NetServerEnum2Response messages from a master browser. When two entries with the same servername are encountered in one response, the vulnerable code copies the referenced string into a fixed-size heap buffer, expanding it to wide characters without verifying the resulting length. A carefully crafted message will overflow the buffer during this copy, corrupting the heap and potentially allowing code injection and execution. Remote attackers can exploit this vulnerability by impersonating a master browser and returning a crafted response to a query for a resource. Successful exploitation could result in arbitrary code execution in the context of the logged-in user.
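
The following is an added example, not code from the SonicAlert or from Windows: a defensive parser for the NetServerEnum2Response layout tabulated above that rejects the two conditions the flaw depends on, a duplicate servername within one response and a comment string longer than a fixed buffer. The 26-byte entry layout follows the field table; the rule offset = servercommentlow - converter is the RAP convention for string pointers, and the 48-byte comment limit is an assumed stand-in for the size of the vulnerable buffer, which the advisory text does not give. The messages are constructed in the file, not captured traffic.

```python
# Added example (not part of the SonicAlert): defensive NetServerEnum2Response parser
# using the field layout from the tables above. Messages below are constructed here.
import struct
from typing import Dict, List

HEADER = struct.Struct("<HHHH")      # errorcode, converter, entriesreturned, entriesavailable
ENTRY = struct.Struct("<16sBBIHH")   # servername, major, minor, servertype, commentlow, commenthigh


class RapError(ValueError):
    """Raised for any response that does not satisfy the checks below."""


def parse_netserverenum2_response(buf: bytes, max_comment_len: int = 48) -> List[Dict]:
    """Parse a response, refusing duplicate server names and over-long comment strings.

    max_comment_len is an assumption standing in for the fixed-size heap buffer the
    vulnerable code copies into; the advisory does not state its real size.
    """
    if len(buf) < HEADER.size:
        raise RapError("short header")
    _errorcode, converter, returned, _available = HEADER.unpack_from(buf, 0)
    rapdata = buf[HEADER.size:]
    if returned * ENTRY.size > len(rapdata):
        raise RapError(f"entriesreturned={returned} exceeds RAPData length {len(rapdata)}")
    seen = set()
    entries = []
    for i in range(returned):
        name_raw, major, minor, stype, clow, _chigh = ENTRY.unpack_from(rapdata, i * ENTRY.size)
        name = name_raw.split(b"\x00", 1)[0]
        if name in seen:
            # Two entries with the same servername is the trigger condition for CVE-2012-1852.
            raise RapError(f"duplicate servername {name!r} in entry {i}")
        seen.add(name)
        off = (clow - converter) & 0xFFFF          # RAP pointer convention (assumption, see lead-in)
        if off >= len(rapdata):
            raise RapError(f"comment offset 0x{off:x} outside RAPData for {name!r}")
        end = rapdata.find(b"\x00", off)
        if end < 0:
            raise RapError(f"unterminated comment string for {name!r}")
        comment = rapdata[off:end]
        if len(comment) > max_comment_len:
            raise RapError(f"comment of {len(comment)} bytes exceeds limit for {name!r}")
        entries.append({"name": name, "version": (major, minor), "type": stype, "comment": comment})
    return entries


def check(buf: bytes) -> str:
    """Return 'ok' or the reason the message was rejected."""
    try:
        parse_netserverenum2_response(buf)
        return "ok"
    except RapError as exc:
        return str(exc)


def build_response(servers, converter: int = 0x1234) -> bytes:
    """Construct a response for testing: entry table first, then the comment strings."""
    table = bytearray()
    strings = bytearray()
    base = len(servers) * ENTRY.size
    for name, comment in servers:
        off = base + len(strings)
        strings += comment.encode("ascii") + b"\x00"
        table += ENTRY.pack(name.encode("ascii").ljust(16, b"\x00"), 5, 1, 0x0003,
                            (off + converter) & 0xFFFF, 0)
    return HEADER.pack(0, converter, len(servers), len(servers)) + bytes(table + strings)


# Constructed messages (not captured traffic); the server names are arbitrary.
BENIGN = build_response([("FILESRV01", "Finance file server"), ("PRINTSRV", "Floor 2 printers")])
DUPLICATE = build_response([("FILESRV01", "x"), ("FILESRV01", "y")])
OVERSIZED = build_response([("FILESRV01", "A" * 300)])

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("duplicate", DUPLICATE), ("oversized", OVERSIZED)):
        print(label, check(msg))
```

A real client has to tolerate a malicious master browser, so the checks run before anything is copied; the parse stops at the first offending entry rather than trying to recover.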

Dell SonicWALL has existing signatures that detect suspicious CIFS traffic. One of them has been shown to proactively detect and block an acquired exploit targeting this flaw:

  • 8483 – Suspicious CIFS Traffic 14

This vulnerability has been assigned CVE-2012-1852 by MITRE.
The vendor has released an advisory addressing this issue.

Oracle MySQL Server Geometry Query DoS (Mar 22, 2013)

MySQL is the world's most widely used open source relational database management system (RDBMS). It runs as a server providing multi-user access to a number of databases and is queried using the Structured Query Language (SQL). It is a popular choice of database for web applications and a central component of the widely used LAMP open source web application stack (and other 'AMP' stacks). For commercial use, several paid editions offering additional functionality are available. As with other database implementations, MySQL has a number of built-in SQL functions and supported operators designed to assist the user with querying and updating the database.

MySQL supports spatial extensions to enable the generation, storage, and analysis of geographic features. MySQL implements a subset of SQL with the Geometry Types environment proposed by the Open Geospatial Consortium (OGC). This term refers to an SQL environment that has been extended with a set of geometry types. A geometry-valued SQL column is implemented as a column that has a geometry type.

Geometry is the root class of the hierarchy. It has a number of properties common to all geometry values created from any of its subclasses, which include Point, Curve, LineString, Surface and Polygon. Geometry objects can be held in MySQL's internal geometry format or represented in Well-Known Text (WKT) or Well-Known Binary (WKB) form.

MySQL implements many other functions that operate on geometry objects, one of which is Envelope(). A vulnerability exists in the MySQL Envelope() function when handling serialized Geometry objects: the function fails to validate user-supplied data before processing it. A remote, authenticated attacker can exploit this vulnerability by issuing an Envelope() query over a malicious Geometry object on a vulnerable server. Successful exploitation results in a denial-of-service condition.

The Dell SonicWALL Threats Research team has researched this vulnerability and released the following IPS signatures addressing the issue:

  • 9763 Oracle MySQL Server Geometry Query DoS 1
  • 9764 Oracle MySQL Server Geometry Query DoS 2

This vulnerability has been assigned CVE-2013-1861.

Delphi based bot with DDoS capabilities (March 15, 2013)

The Dell SonicWALL Threats Research team came across a Delphi-based bot with DDoS capabilities and support for executing multiple commands received from its Command & Control (C&C) server. The author appears to refer to this malware as AyaBot.

Infection Cycle

Upon execution the malware drops the following file on the system:

  • %USERPROFILE%\Local Settings\Temp\regdrv.exe (copy of itself)

The malware adds the following key to the registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Registry Driver" "%USERPROFILE%\Local Settings\Temp\regdrv.exe"

It also changes the following Internet Explorer zone-map settings in the registry, which the author presumably intends as a way around proxy and firewall restrictions:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap ProxyBypass="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap IntranetName="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zonemap UNCAsIntranet="1"

The following additions to the registry under HKEY_CURRENT_USER\Software\RegData\Data indicate the name AyaBot used by the creator.

During our analysis we observed AyaBot trying to access removable drives. AyaBot communicates with its server through Base64-encoded HTTP requests and responses; we observed three phases of communication during analysis.

We observed a number of commands in the code; a few of them are listed below:

  • update
  • runexe
  • config
  • opensite
  • openurl
  • icmp
  • pcdata

The AyaBot sample we received contains the following hardcoded URLs:

  • etobylovjanvare.ru/0942c3aad278ce5ea571a61712b4506a.php
  • pervogoaprela.ru/0942c3aad278ce5ea571a61712b4506a.php
  • bylojarkonadvore.ru/0942c3aad278ce5ea571a61712b4506a.php
  • nogiledeneli.ru/0942c3aad278ce5ea571a61712b4506a.php
  • areyouaredo.com/0942c3aad278ce5ea571a61712b4506a.php

During our analysis we observed AyaBot successfully communicating with the following URL:

  • reklamamarketing.ru/content/blocks/classes/s.php

areyouaredo.com is one of the sites the bot tries to contact. The site advertises DDoS attack services for a nominal fee, as shown by its price chart.

The similarity between the site's name (AreYouAredo.com) and the bot's name suggests that this bot may be part of the site's DDoS network: once a machine is infected it may take part in targeted DDoS attacks sold as part of the site's services.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Delf.OEJ_2 (Trojan)

Microsoft Security Bulletin Coverage (Mar 12, 2013)

Dell SonicWALL has analysed and addressed Microsoft’s security advisories for the month of March, 2013. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS13-021 Cumulative Security Update for Internet Explorer (2809289)

  • CVE-2013-0087 Internet Explorer OnResize Use After Free Vulnerability
    IPS:9708 DOM Object Use-After-Free Attack 4
  • CVE-2013-0088 Internet Explorer saveHistory Use After Free Vulnerability
    IPS:9709 Windows IE saveHistory Use-After-Free
  • CVE-2013-0089 Internet Explorer CMarkupBehaviorContext Use After Free Vulnerability
    IPS:9711 DOM Object Use-After-Free Attack 5
  • CVE-2013-0090 Internet Explorer CCaret Use After Free Vulnerability
    IPS:9712 DOM Object Use-After-Free Attack 6
  • CVE-2013-0091 Internet Explorer CElement Use After Free Vulnerability
    IPS:9715 Windows IE CElement Use-After-Free
  • CVE-2013-0092 Internet Explorer GetMarkupPtr Use After Free Vulnerability
    IPS:9716 Windows IE GetMarkupPtr Use-After-Free
  • CVE-2013-0093 Internet Explorer onBeforeCopy Use After Free Vulnerability
    IPS:9717 Windows IE onBeforeCopy Use-After-Free
  • CVE-2013-0094 Internet Explorer removeChild Use After Free Vulnerability
    IPS:9718 Windows IE removeChild Use-After-Free
  • CVE-2013-1288 Internet Explorer CTreeNode Use After Free Vulnerability
    IPS:9612 Windows IE SLayoutRun Use-After-Free (MS13-009)

MS13-022 Vulnerability in Silverlight Could Allow Remote Code Execution (2814124)

  • CVE-2013-0074 Client Silverlight Double Dereference Vulnerability
    There are no known exploits in the wild.

MS13-023 Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution

  • CVE-2013-0079 Visio Viewer Tree Object Type Confusion Vulnerability
    IPS:9726 Malformed Visio Document 10

MS13-024 Vulnerabilities in SharePoint Could Allow Elevation of Privilege

  • CVE-2013-0080 Callback Function Vulnerability
    IPS:9722 Microsoft SharePoint XSS (MS13-024)
  • CVE-2013-0083 SharePoint XSS Vulnerability
    IPS:9723 Microsoft SharePoint XSS (MS13-024) 2
  • CVE-2013-0084 SharePoint Directory Traversal Vulnerability
    IPS:1067 HTTP Server Directory Traversal Attack 7
  • CVE-2013-0085 Buffer Overflow Vulnerability
    There are no known exploits in the wild.

MS13-025 Vulnerability in Microsoft OneNote Could Allow Information Disclosure

  • CVE-2013-0086 Buffer Size Validation Vulnerability
    GAV:Malformed.one.MP.1

MS13-026 Vulnerability in Office Outlook for Mac Could Allow Information Disclosure

  • CVE-2013-0095 Unintended Content Loading Vulnerability
    There are no known exploits in the wild.

MS13-027 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege

  • CVE-2013-1285 Windows USB Descriptor Vulnerability
    Local vulnerability
  • CVE-2013-1286 Windows USB Descriptor Vulnerability
    Local vulnerability
  • CVE-2013-1287 Windows USB Descriptor Vulnerability
    Local vulnerability

Revisiting Vobfus Worm (Mar 8, 2013)

The Dell SonicWALL Threats Research team came across a sample that appears to be a new variant of the Vobfus family. Vobfus is a family of Visual Basic based worms that spread through removable devices and network shares and are also known for downloading and executing binaries from other malware families. The creators of this malware family have added many new features since we last published a SonicAlert on this family.

Infection Cycle:

  • Upon execution, the worm performs DNS queries to locate the remote server from which it downloads the latest version of itself.

  • The latest Vobfus variant is downloaded in encrypted form. This is a new feature of recent Vobfus samples; the downloads of earlier variants were not encrypted.

    Upon successful download, it decrypts and executes the downloaded file.

  • It also attempts to download executables from other malware families, which in our case belonged to the Zeus and FakeAV families. These executables are downloaded unencrypted.
  • The downloaded files are dropped at the following locations on the filesystem:
    • %USERPROFILE%\muoeyus.exe [Detected as GAV: Vobfus.SB (Worm) ]
    • %USERPROFILE%\vuvuv.exe [Detected as GAV: Vobfus.SB (Worm) ]
    • %USERPROFILE%\3s8.exe [Detected as GAV: Vobfus.SB (Worm) ]
    • %TEMP%\2724921.exe [Detected as GAV: Zbot.FZB (Trojan) ]
  • The worm adds the following registry key to enable startup after reboot:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "muoeyus" "%USERPROFILE%\muoeyus.exe /k"
  • As seen in previous variants, it drops multiple copies of itself onto any external drives or network shares attached to the infected system, using the following filenames:
    • Passwords.exe
    • Porn.exe
    • Secret.exe
    • Sexy.exe
    • x.mpeg [0 byte File]
    • Autorun.inf
    • Muoeyus.exe

    The following image shows the dropped files.

    The worm also attaches itself to any ZIP or RAR files it finds on the system, removable drives and network shares.

  • It also hides every folder on the external drive and drops, next to each one, an executable with the same name and a folder icon, misleading the user into double-clicking the malicious executable. This technique is normally attributed to the family of Autorun worms; Vobfus has recently adopted it as well.
  • The newer Vobfus variants also contain a series of anti-debugging, anti-virtualization and anti-sandbox checks, seen for the first time in this family.
    • It uses the GetModuleHandle API call to check for the presence of debuggers, sandboxes, and Avast Antivirus.
    • It then checks for the presence of virtualization software such as VMware, VirtualBox, and QEMU by querying the system registry.
  • The worm disables Windows Automatic Updates on the infected system. It also patches the first byte of the TerminateProcess and TerminateThread APIs with C3 (a RET instruction), intended to stop the running instance of the malware from being terminated.
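
The folder-decoy technique described above leaves a recognisable pattern on the removable drive: a hidden directory and an .exe with the same base name side by side, plus the lure filenames and Autorun.inf listed earlier. The following is an added example, not code from the SonicAlert: the core function works on a plain directory listing so it runs anywhere, and the scan_drive() wrapper builds that listing from a real path, where the hidden attribute is only available on Windows. The USB listing at the bottom is constructed for illustration.

```python
# Added example (not part of the SonicAlert): triage logic for the hidden-folder /
# same-name-executable decoy pattern and the lure filenames listed in the alert.
import os
import stat
from typing import Iterable, List, Tuple

# (name, is_directory, is_hidden) triples describing one directory's contents
Entry = Tuple[str, bool, bool]

LURE_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe"}


def find_decoys(entries: Iterable[Entry]) -> List[str]:
    """Return one finding per suspicious item in a directory listing."""
    items = list(entries)
    # hidden folders, keyed by lower-cased name so Photos.exe matches photos
    hidden_dirs = {name.lower(): name for name, is_dir, hidden in items if is_dir and hidden}
    findings = []
    for name, is_dir, _hidden in items:
        if is_dir:
            continue
        lower = name.lower()
        stem, ext = os.path.splitext(lower)
        if ext == ".exe" and stem in hidden_dirs:
            findings.append(f"decoy executable {name} shadows hidden folder {hidden_dirs[stem]}")
        elif lower in LURE_NAMES:
            findings.append(f"known lure filename {name}")
        elif lower == "autorun.inf":
            findings.append("autorun.inf present on removable media")
    return findings


def scan_drive(root: str) -> List[str]:
    """Build the listing from a real directory. st_file_attributes only exists on Windows;
    elsewhere nothing is treated as hidden and only the name-based checks can fire."""
    entries: List[Entry] = []
    with os.scandir(root) as it:
        for e in it:
            attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
            entries.append((e.name, e.is_dir(follow_symlinks=False), hidden))
    return find_decoys(entries)


# Constructed listing of an infected USB stick (not a real capture)
SAMPLE_USB: List[Entry] = [
    ("Photos", True, True),
    ("Photos.exe", False, False),
    ("Taxes 2012", True, True),
    ("Taxes 2012.exe", False, False),
    ("Backups", True, False),        # visible folder with no matching .exe: benign
    ("Sexy.exe", False, False),
    ("x.mpeg", False, False),
    ("Autorun.inf", False, True),
    ("report.docx", False, False),
]

if __name__ == "__main__":
    for finding in find_decoys(SAMPLE_USB):
        print(finding)
```

When run against a real drive the decoy match is the finding to act on first; the lure names and Autorun.inf are weaker signals on their own, since legitimate media sometimes carries an Autorun.inf.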

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Vobfus.SB (Worm)
  • GAV: Suspicious#vobfus (Worm)
  • GAV: Suspicious#vobfus_2 (Worm)
  • GAV: Zbot.FZB (Trojan)

Apache HTTP Server XSS Vulnerability (March 8, 2013)

The Apache HTTP Server, commonly referred to as Apache, is web server software that played a key role in the initial growth of the World Wide Web. In 2009 it became the first web server to pass the 100 million website milestone. It is available for a wide variety of operating systems, including Unix, FreeBSD, Linux, Solaris, Novell NetWare, OS X, Microsoft Windows, OS/2, TPF, and eComStation, and is released as open-source software under the Apache License.

Apache supports a variety of features, many implemented as compiled modules that extend the core functionality, ranging from server-side programming language support to authentication schemes. Common language interfaces support Perl, Python, Tcl, and PHP. Popular authentication modules include mod_access, mod_auth, mod_digest, and mod_auth_digest, the successor to mod_digest. Another official module is mod_proxy_balancer. Like all other modules, it can be compiled as a separate shared library with a ".so" extension. Its purpose is to let the Apache HTTP server act as a load-balancing proxy.

mod_proxy_balancer, combined with mod_status, provides a web interface called balancer-manager that allows balancer members to be updated dynamically. Through balancer-manager an administrator can change the load factor of a particular member or put it in offline mode.

A URL has the following generic format:

 scheme://host[:port]/[path][filename][?query][#fragment]

A cross-site scripting vulnerability exists in the way the mod_proxy_balancer module of the Apache HTTP server handles the URL string for the balancer-manager web interface. The flaw is due to insufficient sanitization of the URL before it is reflected into the generated page. A remote attacker can exploit this vulnerability by enticing a user to view a specially crafted web page or follow a crafted link. Successful exploitation results in the attacker's script running in the victim's browser within the security context of the website.
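
The following is an added example, not Apache's code: a minimal rendering of a balancer-manager style page that first reflects the request URL into HTML unescaped, as the flaw class above describes, and then the same page with every reflected value escaped for its HTML context. The path, the b= parameter and the page layout are illustrative assumptions and not mod_proxy_balancer's own.

```python
# Added example (not mod_proxy_balancer's code): reflected-XSS defect beside its fix.
# The URL layout and parameter name are assumptions made for illustration.
import html
from urllib.parse import parse_qs, urlsplit


def _balancer_param(request_uri: str):
    """Split the request URI and pull out the balancer name from the query string."""
    parts = urlsplit(request_uri)
    name = parse_qs(parts.query).get("b", [""])[0]
    return parts, name


def render_vulnerable(request_uri: str) -> str:
    """Reflects the balancer name and the request URL into HTML without escaping."""
    parts, name = _balancer_param(request_uri)
    return (
        "<h1>Balancer Manager</h1>\n"
        f"<p>Balancer: {name}</p>\n"
        f'<form method="post" action="{parts.path}?{parts.query}"></form>'
    )


def render_hardened(request_uri: str) -> str:
    """Same page, with text content and attribute values escaped for their context."""
    parts, name = _balancer_param(request_uri)
    safe_name = html.escape(name, quote=True)
    safe_action = html.escape(f"{parts.path}?{parts.query}", quote=True)
    return (
        "<h1>Balancer Manager</h1>\n"
        f"<p>Balancer: {safe_name}</p>\n"
        f'<form method="post" action="{safe_action}"></form>'
    )


# Constructed attacker link; a real one would be percent-encoded, which parse_qs undoes.
CRAFTED = "/balancer-manager?b=<script>alert(document.cookie)</script>"
NORMAL = "/balancer-manager?b=mycluster"

if __name__ == "__main__":
    print(render_vulnerable(CRAFTED))
    print(render_hardened(CRAFTED))
```

Escaping is applied at output time and per context: quote=True matters for the form action because a value landing inside a quoted attribute can otherwise break out of it with a single " character even when angle brackets are neutralised.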

The vendor, Apache, released an advisory addressing this vulnerability on 2/25/2013. The Dell SonicWALL UTM team has researched this vulnerability and covered it with a generic XSS detection signature:

  • 6753 Cross-Site Scripting (XSS) Attack 8

This vulnerability has been assigned CVE-2012-4558.

SAP NetWeaver Vulnerabilities (Mar 1, 2013)

SAP NetWeaver is a software/application platform that enables composition, provisioning, and management of SAP and non-SAP applications across a heterogeneous software environment. SAP NetWeaver deploys several services to handle incoming requests. One of them, the Message Server, handles communication between SAP systems and RFC clients.

Two vulnerabilities have been reported in the SAP NetWeaver Message Server (msg_server.exe). Both are due to insufficient validation of incoming messages. A remote attacker could exploit them by sending crafted requests to msg_server.exe; successful exploitation allows the attacker to execute arbitrary code in the context of the Message Server.

The vulnerabilities have been assigned CVE-2013-1592 and CVE-2013-1593.

Dell SonicWALL has released two IPS signatures to detect and block specific exploitation attempts targeting these vulnerabilities. The signatures are listed below:

  • 9667 SAP NetWeaver msg_server Memory Corruption
  • 9683 SAP NetWeaver msg_server Buffer Overflow