Adobe Camera Raw Plug-in BO (Dec 21, 2012)

Adobe Photoshop is an image editor capable of handling numerous image file formats and is available on multiple platforms. One of the file formats supported by Photoshop is the Tagged Image File Format (TIFF). TIFF supports a number of image data and compression formats as well as storage of multiple images in a single file. The header structure of a TIFF file is shown:

      Offset     Length (bytes)  Description
      ---------- --------------- ------------------------------------------------
      0x0000     2               byte order
      0x0002     2               0x002a (42)
      0x0004     4               offset of first Image File Directory (IFD)

Byte order is defined by two codes, where ‘II’ indicates little-endian and ‘MM’ indicates big-endian. The offset of the IFD is relative to the beginning of the file. Each IFD record is an array of entries. The record structure is shown:

      Offset     Length (bytes)  Description
      ---------- --------------- ------------------------------------------------
      0x0000     2               number of IFDs (n)
      0x0002     12 * n          IFD data
      [....]     4               offset of next IFD

The last record in the file is denoted by the offset of the next IFD being set to zero. Each IFD data record contains an array of values. The record structure is shown:

      Offset     Length (bytes)  Description
      ---------- --------------- ------------------------------------------------
      0x0000     2               tag
      0x0002     2               type
      0x0004     4               count
      0x0008     4               value or offset

The tag field identifies the entry and therefore what the value represents. The type field defines the type of the value that follows, or of the value at the given offset in the file when the value field is too small to hold it. The count field defines how many values are contained in the array. Image data in TIFF files is stored either in strips (arrays of rows) or in tiles. The stored data may be compressed using one of many available compression algorithms, one of which is the LZW algorithm.
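The three structures above can be walked with a short parser. The following is an added example, not code from the advisory or from Adobe: it reads the header, selects the byte order, and follows the IFD chain, bounds-checking every offset and refusing a chain that loops back on itself. The sample file it parses is constructed inline (three LONG entries, no pixel data) and is not a real image.

```python
import struct

ENTRY_SIZE = 12          # tag(2) + type(2) + count(4) + value/offset(4)
# Size in bytes of one element of each TIFF field type (BYTE, ASCII, SHORT, LONG, RATIONAL, ...)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


def build_sample_tiff(byte_order=b"II", next_ifd=0):
    """Constructed sample (not a real image): header plus one IFD with three LONG entries.
    next_ifd lets a test build a file whose IFD chain points back at itself."""
    end = "<" if byte_order == b"II" else ">"
    header = byte_order + struct.pack(end + "HI", 42, 8)     # magic 42, first IFD at offset 8
    entries = [(256, 4, 1, 4),   # ImageWidth  = 4
               (257, 4, 1, 2),   # ImageLength = 2
               (259, 4, 1, 5)]   # Compression = 5 (LZW)
    ifd = struct.pack(end + "H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack(end + "HHII", tag, typ, count, value)
    ifd += struct.pack(end + "I", next_ifd)                  # 0 marks the last IFD
    return header + ifd


def parse_tiff(data):
    """Walk the header and IFD chain, returning a list of IFDs (each a list of entry dicts).
    Every offset is bounds-checked and the chain is cycle-checked before it is followed."""
    if len(data) < 8:
        raise ValueError("truncated header")
    bom = data[:2]
    if bom == b"II":
        end = "<"
    elif bom == b"MM":
        end = ">"
    else:
        raise ValueError("unknown byte order mark %r" % bom)
    magic, offset = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ValueError("bad magic %d" % magic)

    ifds, seen = [], set()
    while offset != 0:
        if offset in seen:
            raise ValueError("IFD chain loops back to offset %d" % offset)
        seen.add(offset)
        if offset + 2 > len(data):
            raise ValueError("IFD offset %d beyond end of file" % offset)
        (n,) = struct.unpack(end + "H", data[offset:offset + 2])
        entries_end = offset + 2 + ENTRY_SIZE * n
        if entries_end + 4 > len(data):
            raise ValueError("IFD at %d declares %d entries, past end of file" % (offset, n))
        entries = []
        for i in range(n):
            pos = offset + 2 + ENTRY_SIZE * i
            tag, typ, count, raw = struct.unpack(end + "HHII", data[pos:pos + ENTRY_SIZE])
            size = TYPE_SIZES.get(typ, 0) * count
            inline = 0 < size <= 4      # value fits in the 4-byte field, else it is an offset
            if not inline and raw + size > len(data):
                raise ValueError("tag %d data at offset %d runs past end of file" % (tag, raw))
            # For inline values the raw field holds the value itself (a LONG reads directly;
            # shorter types are left-justified inside the field and decoded per type).
            entries.append({"tag": tag, "type": typ, "count": count,
                            "value" if inline else "offset": raw})
        ifds.append(entries)
        (offset,) = struct.unpack(end + "I", data[entries_end:entries_end + 4])
    return ifds


def is_well_formed(data):
    """True when the header and every IFD lie inside the file and the chain terminates."""
    try:
        parse_tiff(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for order in (b"II", b"MM"):
        print(order, parse_tiff(build_sample_tiff(order)))
    print("looping chain accepted:", is_well_formed(build_sample_tiff(next_ifd=8)))
```

The cycle check matters because the IFD chain is just a linked list of file offsets: nothing in the format stops the last record from pointing at an earlier one, and a reader that follows offsets blindly never reaches the zero terminator.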

A buffer overflow vulnerability exists in the LZW decompression code of the Adobe Camera Raw plugin when decoding TIFF images. During construction of the compression dictionary, codes that are not defined yet may lead to the creation of a circular reference. When such a code is subsequently encountered, dereferencing the circular reference leads to an endless loop, during which data is written to a buffer, which eventually results in a buffer overflow. An attacker has to entice the target user to open a malicious TIFF file with the vulnerable application in order to exploit this vulnerability. Successful exploitation could possibly allow code execution under the security context of the logged in user. Exploitation resulting in successful code execution is possible, however unlikely, due to the nature of the flaw.
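The defect described above is a decoder accepting a code that the encoder could not yet have emitted. The following added example (written for this page, not the plugin's or Adobe's code) pairs a reference LZW encoder with a decoder that enforces the rule at each step: a code is legal only if it is already in the dictionary or is exactly the next free code (the KwKwK case). Bit packing, clear codes and code-width growth are left out so the dictionary logic stands alone; the sample inputs are constructed.

```python
def lzw_encode(data):
    """Reference LZW encoder over byte symbols. Codes 0-255 are literals; 256 upward are
    dictionary entries in the order they were added. Codes are returned as a list of ints."""
    dictionary = {bytes([i]): i for i in range(256)}
    next_code = 256
    w = b""
    codes = []
    for b in data:
        wb = w + bytes([b])
        if wb in dictionary:
            w = wb
        else:
            codes.append(dictionary[w])
            dictionary[wb] = next_code
            next_code += 1
            w = bytes([b])
    if w:
        codes.append(dictionary[w])
    return codes


def lzw_decode(codes, max_output=1 << 20):
    """LZW decoder that refuses codes the encoder could not have produced yet.
    At each step the only legal codes are those already in the dictionary plus
    next_code itself (the KwKwK case, built from the previous entry). Anything higher
    is an undefined entry; accepting it is what lets a decoder build a dictionary entry
    that refers to itself and then copy without end."""
    dictionary = {i: bytes([i]) for i in range(256)}
    next_code = 256
    out = bytearray()
    prev = None
    for code in codes:
        if code in dictionary:
            entry = dictionary[code]
        elif prev is not None and code == next_code:
            entry = prev + prev[:1]      # KwKwK: the entry being defined by this very step
        else:
            raise ValueError("code %d is not defined yet (next free code is %d)" % (code, next_code))
        out += entry
        if len(out) > max_output:        # second line of defence: bound the output size
            raise ValueError("decoded output exceeds %d bytes" % max_output)
        if prev is not None:
            dictionary[next_code] = prev + entry[:1]
            next_code += 1
        prev = entry
    return bytes(out)


def is_valid_lzw_stream(codes):
    """True when every code in the stream is defined at the point it is used."""
    try:
        lzw_decode(codes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = b"TOBEORNOTTOBEORTOBEORNOT"          # constructed input
    codes = lzw_encode(sample)
    print(codes)
    print(lzw_decode(codes) == sample)
    print("undefined code accepted:", is_valid_lzw_stream([84, 300]))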

Dell SonicWALL has released IPS signatures to address this issue. The following signatures were released:

  • 9381 – Adobe Photoshop Camera Raw Buffer Underflow 1
  • 9382 – Adobe Photoshop Camera Raw Buffer Underflow 2

The vendor has released an advisory addressing this issue.
The vulnerability has been assigned the id CVE-2012-5679 by MITRE.

Apple iTunes m3u Playlist Buffer Overflows (Dec 14, 2012)

Apple iTunes is a digital media player application used for playback and organization of digital media content. It is also used to manage content on Apple devices such as iPod, iPhone, iPod Touch and others. iTunes is capable of creating and processing playlists of the PLS and M3U formats. There are two types of M3U playlists, the standard and extended formats. An example snippet of the standard M3U playlist follows:

      # this is a comment
      http://server.com/file2.mp3
      http://test.com/file10.mp3

The media resource may be either a music file on the local file system or a remote server specified via a URL. An extended M3U file contains different types of records. An example snippet follows:

      #EXTM3U
      #EXTINF:-1,Rock 101 : My rock station
      http://mediaserver.com:8000/rock.mp3

Multiple buffer overflows exist in Apple iTunes when parsing M3U files with overly long records. Overflows exist within three records. EXTINF records begin with the string #EXTINF. Two buffer overflows can occur when handling overly long #EXTINF records. Both occur when the affected record value is copied into a fixed size buffer without proper length validation. The first flaw results in a heap buffer overflow, while the second in a stack buffer overflow.
Filename records, which follow an EXTINF record, can also be used to exploit another vulnerability. The filename flaw is also a case of a string being copied into a fixed size heap buffer.
Additional records contained within the m3u file which fall outside of the file format specification are also processed by iTunes. These records are copied into fixed size heap buffers without proper length checks. Supplying overly long strings in these records may also result in heap buffer overflows which consequently may result in termination of the application or diversion of process flow.
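All three flaws share one root cause: a record is copied into a fixed-size buffer before its length is checked. The following added M3U parser (written for this page; it is not iTunes code and the real buffer sizes are not given in the advisory, so the 1024-byte limit is an assumption) shows the check done the other way round: every record, including comments and directives outside the format, is length-checked before it is stored or interpreted, and an EXTINF record is split into its duration and title only after that check. The playlists it parses are constructed from the snippets above.

```python
MAX_RECORD_LEN = 1024   # assumed limit for this example; the advisory does not give the real sizes

# Constructed inputs, modelled on the snippets in the advisory.
STANDARD_M3U = "# this is a comment\nhttp://server.com/file2.mp3\nhttp://test.com/file10.mp3\n"
EXTENDED_M3U = "#EXTM3U\n#EXTINF:-1,Rock 101 : My rock station\nhttp://mediaserver.com:8000/rock.mp3\n"


class M3UError(ValueError):
    pass


def parse_m3u(text, max_record_len=MAX_RECORD_LEN):
    """Parse standard or extended M3U into a list of entries, rejecting any record longer
    than max_record_len before it is stored or interpreted."""
    lines = text.splitlines()
    extended = bool(lines) and lines[0].strip() == "#EXTM3U"
    entries, pending = [], None
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        length = len(line.encode("utf-8"))
        if length > max_record_len:
            raise M3UError("line %d: record of %d bytes exceeds limit of %d"
                           % (lineno, length, max_record_len))
        if line.startswith("#EXTINF:"):
            duration, _, title = line[len("#EXTINF:"):].partition(",")
            try:
                duration = int(duration.strip())
            except ValueError:
                raise M3UError("line %d: bad EXTINF duration %r" % (lineno, duration))
            pending = {"duration": duration, "title": title.strip()}
        elif line.startswith("#"):
            # #EXTM3U, comments and directives outside the format: length-checked above,
            # otherwise ignored rather than copied anywhere.
            continue
        else:
            entry = {"location": line}          # local path or URL of the media resource
            if pending is not None:
                entry.update(pending)
                pending = None
            entries.append(entry)
    return {"extended": extended, "entries": entries}


def is_safe_playlist(text, max_record_len=MAX_RECORD_LEN):
    """True when the playlist parses with every record inside the length limit."""
    try:
        parse_m3u(text, max_record_len)
        return True
    except M3UError:
        return False


if __name__ == "__main__":
    print(parse_m3u(STANDARD_M3U))
    print(parse_m3u(EXTENDED_M3U))
    print("overlong EXTINF accepted:", is_safe_playlist("#EXTM3U\n#EXTINF:-1," + "A" * 5000 + "\nhttp://x/\n"))
```

The same limit is applied to every line regardless of record type, which is the point the third flaw makes: records the format does not define still reach the parser and still need bounding.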

An attacker can exploit this vulnerability by enticing a user to open a malicious M3U file with a vulnerable version of iTunes. Successful exploitation could result in the injection and execution of arbitrary code in the context of the currently logged in user. Unsuccessful exploitation could result in the application terminating abnormally.

Dell SonicWALL has existing signatures that address M3U file exploits as well as a host of generic signatures which are likely to pro-actively catch exploits targeting this vulnerability. The published exploit is caught by the following IPS signature:

  • 6808 – Client Application Shellcode Exploit 26

The vendor has released an advisory addressing this issue. The vulnerability has been assigned CVE-2012-0677 by MITRE.

Skynet uses Tor for botnet anonymity (December 14, 2012)

Dell SonicWALL Threats Research team received reports of a new botnet that uses the Tor anonymity service as a means to communicate with its Command and Control (C&C) servers. The Onion Router (Tor) has traditionally been used by individuals to protect privacy and confidentiality against network surveillance. Using Tor services to cloak communication between a botnet and its C&C servers is a distinctive feature of this particular malware, and one likely to be mimicked by other botnets in future. Reports indicate that the malware is spreading through Usenet. The malware has been named Skynet by its creator, as seen in the code:

screenshot

The components and behavior of Skynet are similar to those described in a popular Reddit IAmA thread by the author throwaway236236. The Skynet sample we analyzed is around 15 MB in size, which is substantially large. The file contains the following embedded modules:

  • Tor client
  • Zeus Bot
  • CGminer Bitcoin mining utility
  • OpenCL.dll that is needed for CGMiner

Infection Cycle:

When executed, the malware adds the following files to the system:

  • %USERPROFILE%\Local Settings\Temp\OpenCL.dll
  • %USERPROFILE%\Local Settings\Temp\tmp5c295ddc.bat. A batch file to delete the main executable
  • %USERPROFILE%\Admin\Application Data\tor. This folder contains a few Tor-specific files
  • A folder and exe with random names in %AppData%. This exe is a copy of the main executable

It then creates legitimate svchost processes in a suspended state and injects malicious code into them. The injected code has functionality to detect the presence of AV solutions on the system. The injected malicious code is individually detected as follows:

  • Malicious Injection 1 [GAV: Suspicious#avcheck (Trojan)]
  • Malicious Injection 2 [GAV: Suspicious#avcheck (Trojan)]
  • Malicious Injection 3 [GAV: Zbot.AAN_66 (Trojan)]

It adds the following key to the windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "%USERPROFILE%\Application Data\Random_name\Random_name.exe"

The Tor component:

Traffic in a Tor network is subject to multiple layers of encryption as it bounces between a number of nodes before reaching its destination. Tor Hidden Services are used to provide anonymity to servers; these hidden services can be accessed only through Tor-specific .onion pseudo domains. We observed the following parameters being passed to an instance of svchost.exe indicating that a Tor Hidden Service is created locally on the infected machine:
      --HiddenServiceDir "C:\Documents and Settings\Admin\Application Data\tor\hidden_service" --HiddenServicePort "55080 127.0.0.1:55080"

During our analysis we observed Skynet interact with the following .onion pseudo domains:

  • f2ylgv2jochpzm4c.onion
  • uy5t7cus7dptkchs.onion
  • 6m7m4bsdbzsflego.onion
  • h266x4kmvmpdfalv.onion
  • uzvyltfdj37rhqfy.onion
  • 7wuwk3aybq5z73m7.onion
  • jr6t4gi4k2vpry5c.onion
  • ceif2rmdoput3wjh.onion
  • 742yhnr32ntzhx3f.onion
  • xvauhzlpkirnzghg.onion
  • ua4ttfm47jt32igm.onion
  • 6ceyqong6nxy7hwp.onion
  • owbm3sjqdnndmydf.onion

We observed Skynet requesting the following resources from the links above:

  • iplist.txt
  • reverseproxy.txt

By using Tor services, Skynet achieves the following:

  • It becomes difficult to trace the real location of the C&C servers
  • Multiple layers of encryption of the communication with the C&C make it difficult to ascertain the traffic content
  • Usage of hidden services for IRC and BitCoin mining servers allows for anonymity

IRC component of Skynet:

IRC has been a popular service used by botnets for command and control. It is prone to easy detection, but with the help of Tor services Skynet has taken it to the next level. We observed a number of IRC commands issued during our analysis of Skynet:

  • Nick [USA-XP-638XXX]XXXXXXX
  • User 535XXXX
  • Join #USA
  • Join #4net2
  • Join #4net3
  • Join #4net4
  • Join #4net5
  • Join #4netallin
  • Join #4net1

The author provided a screenshot of multiple bot infected machines connected to his IRC channel:

screenshot

DDOS capabilities of Skynet:

During our analysis we observed Slowloris components in the code indicating that Skynet has DDOS capabilities. We saw the following commands in the code which further strengthen the indication of Skynet’s DDOS capabilities:

  • !syn
  • !syn.stop
  • !udp
  • !udp.stop

Skynet uses IRC coupled with Tor to issue DDOS commands to its victim machines while effectively cloaking this communication channel.

Zeus component in Skynet:

The Zeus botnet has been used to steal banking information from millions of infected machines. After its source was leaked in 2011, there were reports of new variants of Zeus. The author of Skynet claims to have a modified version of Zeus; he also provided a screenshot of his control panel on Reddit.

The Zeus component uses a local SOCKS proxy as a relay to the Tor network in order to communicate with its C&C server. We observed the following request to port 42349 when Skynet is executed:
localhost:42349/z/config.bin

screenshot

Bitcoin Mining component of Skynet:

Skynet drops a number of files on the system during its execution; OpenCL.dll is one such file. OpenCL.dll is a necessary component for running CGMiner, which is a Bitcoin miner. Skynet activates this component when the victim machine has been inactive for a period of two minutes. We observed 100% CPU utilization by the Bitcoin mining module. The process is started by passing the following parameters to an instance of svchost.exe:
      "C:\WINDOWS\system32\svchost.exe" -o http://95.211.7.6:81 -u usXXX -p XXXXXXX -w 128 -I d -k poclbm --api-listen
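Both the Tor hidden-service invocation shown under "The Tor component" and the miner invocation above share a host-side tell: a system binary (svchost.exe) started with arguments that binary never takes. The following added example (written for this page, not SonicWALL's or Skynet's code) runs that check over constructed process-creation events in the shape an EDR or Sysmon-style log would provide. Events 1 and 2 reproduce the two command lines from the analysis; the fourth event and its path are hypothetical. The "legitimate svchost" pattern assumes the XP-era form `svchost.exe -k <group>` and is an assumption of this example.

```python
import re

# Constructed process-creation events (image path plus command line).
SAMPLE_EVENTS = [
    {"image": r"C:\WINDOWS\system32\svchost.exe",
     "cmdline": r"C:\WINDOWS\system32\svchost.exe -k netsvcs"},
    {"image": r"C:\WINDOWS\system32\svchost.exe",
     "cmdline": r'"C:\WINDOWS\system32\svchost.exe" --HiddenServiceDir '
                r'"C:\Documents and Settings\Admin\Application Data\tor\hidden_service" '
                r'--HiddenServicePort "55080 127.0.0.1:55080"'},
    {"image": r"C:\WINDOWS\system32\svchost.exe",
     "cmdline": r'"C:\WINDOWS\system32\svchost.exe" -o http://95.211.7.6:81 -u usXXX -p XXXXXXX '
                r'-w 128 -I d -k poclbm --api-listen'},
    {"image": r"C:\Tools\cgminer\cgminer.exe",                       # hypothetical path
     "cmdline": r"cgminer.exe -o http://pool.example:3333 -u worker -p x"},  # placeholder pool
]

# Tor options that only make sense for a Tor process, never for a service host.
TOR_HS_FLAGS = ("--hiddenservicedir", "--hiddenserviceport")
# Miner-specific switches seen in the analysis.
MINER_FLAGS = ("-k poclbm", "--api-listen")
# Generic pool-style miner invocation: -o <url> ... -u <user> ... -p <pass>
MINER_POOL_RE = re.compile(r"-o\s+https?://\S+.*\s-u\s+\S+.*\s-p\s+\S+", re.I)
# Assumed shape of a legitimate svchost.exe command line: the image followed by "-k <group>" only.
LEGIT_SVCHOST_RE = re.compile(r'^"?[^"]*\\svchost\.exe"?\s+-k\s+\S+\s*$', re.I)


def classify_event(event):
    """Return the list of reasons an event is suspicious (empty list = nothing flagged)."""
    cmd = event["cmdline"]
    low = cmd.lower()
    reasons = []
    if any(flag in low for flag in TOR_HS_FLAGS):
        reasons.append("tor-hidden-service-args")
    if any(flag in low for flag in MINER_FLAGS) or MINER_POOL_RE.search(cmd):
        reasons.append("miner-args")
    if event["image"].lower().endswith("\\svchost.exe") and not LEGIT_SVCHOST_RE.match(cmd):
        reasons.append("svchost-unusual-cmdline")
    return reasons


def scan_events(events):
    """Map event index -> reasons for every flagged event."""
    return {i: r for i, r in ((i, classify_event(e)) for i, e in enumerate(events)) if r}


if __name__ == "__main__":
    for index, reasons in scan_events(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["cmdline"][:60], reasons)
```

The svchost rule fires on both injected instances even without knowing the Tor or miner flags, which is the robust signal here: the specific switches change between samples, the mismatch between image and arguments does not.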

screenshot

We observed the following Bitcoin Mining Proxy being contacted during our analysis:

  • 95.211.7.6:81

The author provided a screenshot of his BitCoin mining control panel in the Reddit IAmA thread:

screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Skynet.ZS (Trojan)
  • GAV: Suspicious#avcheck (Trojan)
  • GAV: Zbot.AAN_66 (Trojan)

Microsoft Security Bulletin Coverage (Dec 11, 2012)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of December, 2012. A list of issues reported, along with Dell SonicWALL coverage information follows:

MS12-077 Cumulative Security Update for Internet Explorer

  • CVE-2012-4781 InjectHTMLStream Use After Free Vulnerability
    Attack cannot be detected on the wire.
  • CVE-2012-4782 CMarkup Use After Free Vulnerability
    Attack cannot be detected on the wire.
  • CVE-2012-4787 Improper Ref Counting Use After Free Vulnerability
    IPS:9341 – Windows IE Improper Ref Counting Use After Free Exploit

MS12-078 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

  • CVE-2012-2556 OpenType Font Parsing Vulnerability
    GAV:Malformed.otf.MP.8
  • CVE-2012-4786 TrueType Font Parsing Vulnerability
    No known exploits exist in the wild.

MS12-079 Vulnerability in Microsoft Word Could Allow Remote Code Execution

  • CVE-2012-2539 Word RTF ‘listoverridecount’ Remote Code Execution Vulnerability
    IPS:9342 – MS Word RTF listoverridecount Memory Corruption Exploit

MS12-080 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution

  • CVE-2012-3214 Oracle Outside In Technology Vulnerability
    Local vulnerability.
  • CVE-2012-3217 Oracle Outside In Technology Vulnerability
    Local vulnerability.
  • CVE-2012-4791 RSS Feed May Cause Exchange DoS Vulnerability
    Attack cannot be detected on the wire.

MS12-081 Vulnerability in Windows File Handling Component Could Allow Remote Code Execution

  • CVE-2012-4774 Windows Filename Parsing Vulnerability
    IPS:9346 – MS Windows Filename Parsing Exploit

MS12-082 Vulnerability in DirectPlay Could Allow Remote Code Execution

  • CVE-2012-1537 DirectPlay Heap Overflow Vulnerability
    IPS:9347 – Suspicious Office Document 1
    IPS:9348 – Suspicious Office Document 2
    IPS:9349 – Suspicious Office Document 3
    IPS:9350 – Suspicious Office Document 4
    IPS:9351 – Suspicious Office Document 5
    IPS:9352 – Suspicious Office Document 6
    IPS:9353 – Suspicious Office Document 7

MS12-083 Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass

  • CVE-2012-2549 Revoked Certificate Bypass Vulnerability
    Attack cannot be detected on the wire.

Trojan with sophisticated features served through Social Networks (Dec 06, 2012)

Dell SonicWALL Threats Research team discovered a new Trojan spreading through malicious links in Facebook messages. This Trojan is very sophisticated and sports various features such as Anti-debugging code, self modifying code, SEH (Structured Exception Handler) modification, code injection, Spam module, Bitcoin mining module, Facebook messaging module and encrypted C&C communication. We saw various links through which this Trojan was being served. Once these links are clicked, it downloads the Trojan and also often displays an enticing message urging the user to run the executable. One such instance is shown below:

The executable when downloaded is as shown below:

Infection Cycle

  • The Trojan when executed creates a copy of itself in:

    %userprofile%\fnph.exe [Detected as GAV: Injector.ZTL (Trojan)]

  • It creates the following registry entry ensuring that it automatically starts on system reboot

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run:MSConfig:"%userprofile%\fnph.exe"
  • It has self modifying code which creates a custom IAT (Import Address Table) during runtime

  • As seen below it adds a custom exception handling routine to the Structured Exception Handler (SEH) chain in the Thread Environment Block (TEB) of the process. This handling routine contains logic that is triggered during runtime.

The self modifying portion of the code creates an instance of svchost.exe and injects code into it. The injected code in svchost.exe communicates with a remote C&C server and was also found to contain various other interesting modules, discussed below:

  • It communicates with a remote server over port 443 using a custom encryption protocol. We observed it communicating with the following hardcoded remote servers:

    • 185.4.227.76
    • 185.4.227.78
    • 188.165.132.183
  • It also contains a module to send out emails. It does this by querying various public MX servers and attempts to relay emails through them. During a controlled run we observed the following queries being generated (many more were found in memory):

  • We discovered a worm module with the following hardcoded Facebook interfaces in order to spread via chat messages:

  • We saw the following hardcoded bitcoin mining URL’s with account information:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV:Injector.ZTL (Trojan)
  • GAV:Buzus.MTFH (Trojan)
  • GAV:Buzus.MTED (Trojan)

MySQL GRANT Query Buffer Overflow (Dec 6, 2012)

MySQL is the world’s most used open source relational database management system (RDBMS) as of 2008. It runs as a server providing multi-user access to a number of databases. MySQL is a popular choice of database for use in web applications, and is a central component of the widely used LAMP open source web application software stack (and other ‘AMP’ stacks). LAMP is an acronym for “Linux, Apache, MySQL, Perl/PHP/Python.” Free-software and open source projects that require a full-featured database management system often use MySQL.

MySQL supports the Structured Query Language (SQL) for querying and updating stored data. Usually the MySQL protocol is used to communicate with the MySQL database. GRANT is one of the commonly used query commands in the SQL language. An example of the use of the GRANT query follows:

      GRANT ALL PRIVILEGES ON db_base.* TO db_user@'%' IDENTIFIED BY 'db_passwd';

A stack buffer overflow vulnerability exists in the MySQL database server. The vulnerability is due to a lack of input validation in the code that handles the GRANT request. A remote authenticated attacker can exploit this vulnerability by sending a crafted GRANT request to a target server. Successful exploitation could result in execution of arbitrary code within the security context of the MySQL service.

Dell SonicWALL UTM team has researched this vulnerability and released the following signatures addressing the issue:

  • 9308 MySQL GRANT SELECT Buffer Overflow
  • 9309 MySQL GRANT FILE Buffer Overflow

This vulnerability has been assigned CVE-2012-5611.

Vobfus Worm spreads via removable drives and remote shares (Nov 28, 2012)

Dell SonicWALL Threats Research team has observed an increase in the activity of a Visual Basic based worm that spreads through removable drives and network storage devices. It spreads by exploiting the Windows Autorun functionality on systems with autorun enabled. The malware also drops copies of other variants of itself on the target system.

Infection cycle:

Upon execution the Worm performs the following DNS queries:

It downloads and runs the following file [Detected as GAV: Vobfus.GKTI (Worm)]:

It adds the following files to the filesystem:

  • %USERPROFILE%\fltiaz.exe [Detected as GAV: Vobfus.MB (Worm)]
  • %USERPROFILE%\google.com [Detected as GAV: Vobfus.GKTI (Worm)]
  • %USERPROFILE%\zoineeh.exe [Detected as GAV: Vobfus.MB (Worm)]

It adds the following key to the windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run fltiaz "%USERPROFILE%\fltiaz.exe /y"

If an external drive or network share is attached to the system it adds the following files to it:

      autorun.inf
      ..exe [Detected as GAV: Vobfus.MB (Worm)]
      ...exe [Detected as GAV: Vobfus.MB (Worm)]
      doubuox.exe [Detected as GAV: Vobfus.MB (Worm)]
      Ghost.exe [Detected as GAV: Vobfus.MB (Worm)]
      new.exe [Detected as GAV: Vobfus.MB (Worm)]
      Passwords.exe [Detected as GAV: Vobfus.MB (Worm)]
      Porn.exe [Detected as GAV: Vobfus.MB (Worm)]
      Secret.exe [Detected as GAV: Vobfus.MB (Worm)]
      Sexy.exe [Detected as GAV: Vobfus.MB (Worm)]
      x.mpeg [empty file]

autorun.inf contains the following data:

      [uwltqjpqjxh]
      gzupk=lqgmrqqrbap
      qdwlllctweangp=spcbbyzrqo
      qltmvzvoy=knjjj
      ptirmx=wowovqtfvggpobi
      [autorun]
      urdhqzqqbeanx=xpxkglhjl
      tnpxnqazil=apkzwbkyagutzq
      fypth=ifzpcchxomrw
      gvhzmwbuoc=orwefptecbp
      sfaokjjjpxpthtj=1237
      vtzjq=7054
      mfvnlhphvdljze=354
      open=dOUbuox.exe [malware executable]
      cllhgp=6641
      dmtetp=9073
      ACTiON=5110
      mafwiruf=rehlobqwgkquqvh
      tjvxskdor=apvzhkuckliiux
      pyxrgzragjrp=teyvvbesbqzl
      uvtpoh=zztct
      useAuTopLAy=1
      qoszphttyjq=eykbilz
      rplgrerq=avfimuuinab
      rfeishnidwt=mhsiyosltd
      gdmpl=uqahjnayhjqthp
      [sqfyudgzycwmt]
      pcomnes=njyuknsbl
      hkful=cnthafzhiaxgb
      koyqytcygawml=epxvcedvtjlg
      qltddccquliiki=dilweqwpzvkbfk
      ohacluzgwonge=ruljjvl
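The autorun.inf above is mostly padding: random sections and keys surround the few lines Windows actually reads, and those few are case-mangled (`ACTiON`, `useAuTopLAy`) because the INI loader matches names case-insensitively. A scanner that reads the file the same way Windows does sees through this. The following is an added example (written for this page, not SonicWALL's code): a case-insensitive INI parser and a scoring routine that pulls out the launch target and counts the padding. The first sample is a trimmed copy of the listing above; the benign sample is constructed.

```python
# Trimmed copy of the autorun.inf dropped by the worm (from the listing above).
SAMPLE_AUTORUN_INF = """[uwltqjpqjxh]
gzupk=lqgmrqqrbap
[autorun]
urdhqzqqbeanx=xpxkglhjl
tnpxnqazil=apkzwbkyagutzq
fypth=ifzpcchxomrw
sfaokjjjpxpthtj=1237
open=dOUbuox.exe
cllhgp=6641
ACTiON=5110
useAuTopLAy=1
qoszphttyjq=eykbilz
[sqfyudgzycwmt]
pcomnes=njyuknsbl
"""

# Constructed benign sample: a driver CD that only sets an icon and a label.
BENIGN_AUTORUN_INF = """[autorun]
icon=setup.exe,0
label=Driver CD
"""

# Common keys honoured in [autorun]; anything else is noise.
KNOWN_KEYS = {"open", "icon", "label", "action", "shellexecute", "useautoplay", "shell"}


def parse_autorun(text):
    """Minimal INI parser. Section names and keys are lower-cased so that, like the
    Windows loader, 'ACTiON' and 'useAuTopLAy' land on the keys they are meant to hit."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text):
    """Extract the launch target from [autorun] and list the signs of padding/obfuscation."""
    sections = parse_autorun(text)
    autorun = sections.get("autorun", {})
    unknown = [k for k in autorun if k not in KNOWN_KEYS]
    launch = autorun.get("open") or autorun.get("shellexecute")
    findings = []
    if launch and launch.lower().endswith(".exe"):
        findings.append("launches executable %s" % launch)
    if autorun.get("useautoplay") == "1":
        findings.append("UseAutoPlay=1 set")
    if autorun and len(unknown) / len(autorun) > 0.5:
        findings.append("%d of %d [autorun] keys are unrecognised (padding)"
                        % (len(unknown), len(autorun)))
    if len(sections) > 1:
        findings.append("%d junk section(s) besides [autorun]" % (len(sections) - 1))
    return {"launch_target": launch, "findings": findings,
            "suspicious": bool(launch) and len(findings) >= 2}


if __name__ == "__main__":
    print(assess_autorun(SAMPLE_AUTORUN_INF))
    print(assess_autorun(BENIGN_AUTORUN_INF))
```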

It attempts to add itself to any zip files that it finds on the system, removable drives and remote shares. It was observed issuing the following command:

      "C:\Program Files\WinRAR\Rar.exe" a -y -ep -"E:\myzip.zip" "%USERPROFILE%\Secret.exe"

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Vobfus.MB (Worm)
  • GAV: Vobfus.GKTI (Worm)
  • GAV: Bredolab.OQI (Trojan)
  • GAV: Vobfus.FIJJ (Trojan)
  • GAV: Pronny.IJ (Worm)
  • GAV: Vobfus.HS (Worm)

Novell File Reporter FSFUI Arbitrary File Retrieval (Nov 27, 2012)

Novell File Reporter is software that allows network administrators to identify files stored on the network and generates reports regarding the size of individual files, file type, when files were last accessed, and where duplicates exist. Additionally, the File Reporter tracks storage volume capacity and usage. It is a component of the Novell File Management Suite.

Novell File Reporter examines and reports on terabytes of data via a central reporting engine (NFR Engine) and distributed agents (NFR Agents). The NFR Engine schedules the scans of file instances conducted by NFR Agents, processes and compiles the scans for reporting purposes, and provides report information to the user interface. When working with either eDirectory or Active Directory, the NFR Engine connects to the directory via a Directory Services Interface (DSI) and can thus monitor and check file permissions.

NFR Agents communicate over HTTPS on port 3037 by default. A request is sent to the NFR Agent as an XML-formatted body of a POST request. One example of the XML contents is:

  FSFUI 126 filename  

A file retrieval vulnerability exists in Novell File Reporter. The vulnerability is due to lack of authorization on certain requests which return the contents of a file. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted request to the NFR Agent service. Successful exploitation can result in arbitrary file retrieval with SYSTEM privileges.

Dell SonicWALL IPS team has researched this vulnerability and released the following IPS signature to detect the attacks.

  • 9273 Novell File Reporter FSFUI Arbitrary File Retrieval

An existing generic Directory Traversal detection signature will also detect most of these attacks.

  • 6613 Server Application Directory Traversal Attack 6

This vulnerability has been assigned CVE-2012-4958.

Trojan uses Google Docs to cloak its communication with servers (November 21, 2012)

Dell SonicWALL Threats Research team received reports of a new malware threat that uses a novel trick to try and hide its operation. This Trojan communicates with the C&C servers using Google Docs as a proxy. Since Google Docs encrypts all of its communication, it helps the Trojan cloak the C&C server communication and improve the chances of evading antivirus detection.

The malicious executable disguises itself with a Microsoft Word document icon and entices the user to click and execute it.
screenshot

Infection Cycle

The Trojan begins by creating a mutex named “G46A33F21110”. This ensures that at a given time only one instance of the Trojan is running on the machine.

The Trojan then executes the following commands:

  • Net.exe group Domain Admins /domain
  • Net.exe group Admins. do Domínio /domain
  • Net.exe localgroup Administrators
  • Net.exe localgroup Administradores

The Trojan communicates with the C&C servers using Google Docs service as a medium. We can see the malicious URL being converted into a Google Viewer link in the following two screenshots:

screenshot

screenshot

Using Google Viewer as a proxy, the Trojan tries to communicate with the following C&C servers:

  • 83.222.226.158
  • cdn.akamaihub.com
  • msupdatecdn.com
  • stocksengine.net

The Trojan sends information about the victim host through the following parameters:

  • id ( Identification for the Trojan )
  • bdversion ( Version number of the Trojan )
  • guidx
  • win_version ( Victim’s Windows version )
  • win_baseversion ( Base build of Windows )
  • username ( Current user’s account name )
  • hostname ( Computer name )
  • killed
  • time_get
  • time_ipchange
  • time_cmd
  • workdir ( Directory where the trojan is present )
  • cmd_line ( Path to the command shell on the victim host)
  • localadmin ( Local admin account name )
  • domainadmin ( Domain admin account name )
  • domain (Domain of the machine )

The following links were observed in the code of the Trojan. They give an idea of the functionality implemented in the Trojan:

  • /syncstart.html – Provide information about the infected host
  • /update.html – Update the Trojan with new set of commands and/or functionalities
  • /updatecheck.html – Check if an update is necessary
  • /updatestatus.htm – Check the status of the update

Google Docs Viewer enables users to view documents in the browser rather than saving and opening them in dedicated programs. The Trojan uses this service as a proxy to communicate with the C&C servers, and in doing so it effectively cloaks the communication between itself and the C&C servers. The use of encrypted communication makes it difficult for network security solutions and analysts to identify the type of information being exchanged. The fact that the Trojan’s traffic appears to come from Google Docs helps it sneak through some defenses as legitimate traffic.
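Where TLS is terminated at a proxy, or where a URL is recovered from memory or from a sandbox run, the viewer link itself still reveals where the request really goes. The following added example (written for this page, not SonicWALL's or the Trojan's code) unwraps a Google Docs Viewer link and matches the embedded target against the C&C hosts and endpoints listed above. It assumes the viewer link has the form `https://docs.google.com/viewer?url=<percent-encoded target>`; the URLs it is run on are constructed.

```python
from urllib.parse import urlparse, parse_qs

# C&C hosts and Trojan endpoints from the analysis above.
C2_HOSTS = {"83.222.226.158", "cdn.akamaihub.com", "msupdatecdn.com", "stocksengine.net"}
TROJAN_ENDPOINTS = {"/syncstart.html", "/update.html", "/updatecheck.html", "/updatestatus.htm"}
# Assumed shape of a Docs Viewer link (assumption of this example).
VIEWER_HOSTS = {"docs.google.com"}


def unwrap_viewer_url(url):
    """Return the target URL embedded in a Google Docs Viewer link, or None if the link is not one."""
    parts = urlparse(url)
    if parts.netloc.lower() not in VIEWER_HOSTS or not parts.path.startswith("/viewer"):
        return None
    targets = parse_qs(parts.query).get("url")    # parse_qs undoes the percent-encoding
    return targets[0] if targets else None


def inspect_request(url, c2_hosts=C2_HOSTS, endpoints=TROJAN_ENDPOINTS):
    """Classify one outbound URL: the host the request really reaches, whether it was
    proxied through the viewer, and whether host or path match the Trojan's C&C."""
    target = unwrap_viewer_url(url)
    t = urlparse(target if target is not None else url)
    return {"proxied": target is not None,
            "target_host": t.hostname,
            "path": t.path,
            "known_c2": t.hostname in c2_hosts,
            "known_endpoint": t.path in endpoints}


if __name__ == "__main__":
    # Constructed URLs for demonstration.
    for u in ("https://docs.google.com/viewer?url=http%3A%2F%2Fstocksengine.net%2Fsyncstart.html%3Fid%3D1234",
              "https://docs.google.com/viewer?url=https%3A%2F%2Fwww.example.org%2Freport.pdf",
              "http://msupdatecdn.com/updatecheck.html"):
        print(inspect_request(u))
```

Matching on the unwrapped host rather than the outer one is what keeps a docs.google.com allow-list from being the Trojan's free pass.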

Dell SonicWALL Gateway AntiVirus provides protection against this threat through the following signature:

  • GAV: Makadocs (Trojan)

Webmin show.cgi Remote Command Execution (Nov 20, 2012)

Webmin is a web-based system configuration tool for Unix-like systems; recent versions can also be installed and run on Windows. It can be used to configure operating system internals, such as users, disk quotas, services or configuration files, as well as to modify and control open source applications such as the Apache HTTP Server, PHP or MySQL. Webmin is largely written in Perl and runs as its own process and web server. It listens on TCP port 10000 by default, and can be configured to use SSL if OpenSSL is installed along with the additional required Perl modules.

Webmin consists of a simple web server and a number of CGI programs which directly update system files such as /etc/inetd.conf and /etc/passwd. The web server is accessed over the Hypertext Transfer Protocol (HTTP) on default port 10000. HTTP is a request/response protocol described in RFC documents. A typical HTTP session is:

      Client request

      GET /index.html HTTP/1.1
      Host: www.example.com

      Server response

      HTTP/1.1 200 OK
      Date: Mon, 23 May 2005 22:38:34 GMT
      Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
      Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
      Etag: "3f80f-1b6-3e1cb03b"
      Accept-Ranges: none
      Content-Length: 438
      Connection: close
      Content-Type: text/html; charset=UTF-8

According to the protocol, the client request can carry multiple variables, for example:

      GET /index.html?var1=value1&var2=value2 HTTP/1.1
      Host: www.example.com

The File Manager module is one of the Webmin modules. It is responsible for viewing, editing and changing permissions on files and directories on a system through a Windows-like file manager interface. For example, the following client request can be used to view files on the system:

      GET /file/show.cgi HTTP/1.1
      Host: www.example.com

A command-injection vulnerability exists in the Webmin File Manager module. The vulnerability is due to insufficient input validation of the user-supplied variables in requests sent to /file/show.cgi. A remote, authenticated attacker with access to the File Manager module could exploit this vulnerability to execute arbitrary commands on the target machine in the security context of the vulnerable application, which runs with root privileges.

Dell SonicWALL UTM team has researched this vulnerability and released the following IPS signatures to detect the attacks:

  • 8836 Webmin show.cgi Remote Command Execution
  • 9258 Webmin show.cgi Remote Command Execution 2

This vulnerability has been assigned CVE-2012-2982.