RealNetworks RealPlayer Code Execution Vulnerability (Jan 25, 2011)

RealPlayer is a closed-source, cross-platform media player from RealNetworks that plays a number of multimedia formats, including MP3, MPEG-4, QuickTime, Windows Media, and several versions of the proprietary RealAudio and RealVideo formats. It can play media from the local file system or from network servers.

RealPlayer can be bundled with ActiveX controls and plug-ins that implement various functions. One of these controls, IERPPlugin, is implemented in the library ierpplug.dll. It is registered with CLSID "FDC7A535-4070-4B92-A0EA-D9994BCC0DC5" and ProgID "IERPCtl.IERPCtl.1", and can be instantiated in a web page either with an <object> tag or via scripting. For example:

<object classid="clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"></object>

or

obj = new ActiveXObject("IERPCtl.IERPCtl.1")

The IERPPlugin control exposes a set of methods and properties that let an HTML page play media through the RealPlayer client. One of these methods, RecordClip(), invokes the RecordingManager.exe utility installed with RealPlayer. Its syntax is:

RecordClip (String url, String mimeType, String clipInfo)

RecordingManager.exe is RealPlayer's Web Download and Recording Manager component, used to monitor, pause, or stop media downloads. It takes the URL of a media file as a command-line argument and also accepts command-line switches; RecordClip() is not meant to give a web page access to those switches.

A code execution vulnerability exists in the RealPlayer IERPPlugin ActiveX control. It is due to improper validation of the url parameter of RecordClip() before the value is placed on the RecordingManager.exe command line. A crafted url value can therefore inject switches that RecordClip() is not supposed to expose, letting an attacker who lures a user to a malicious page download an arbitrary file to an arbitrary location on the target host, which can in turn be used to execute code.

The SonicWALL UTM Research team has investigated this vulnerability and created the following IPS signature to detect and prevent attacks targeting it:

  • 6146 RealNetworks RealPlayer Injection Code Execution Attempt

This vulnerability has been assigned CVE-2010-3749.

HP NNM Template Format String Flaw (Jan 21, 2011)

HP OpenView is a suite of network and system management software applications developed by HP. It includes several optional modules and components, such as OpenView Quality Manager, OpenView Performance Insight, and OpenView Network Node Manager (NNM).
NNM supplies several CGI applications that provide a web management interface to the NNM server, among them OpenView.exe, nnmRptConfig.exe, and nnmRptPresenter.exe. Through these applications users can control and manage the NNM server, and reach command-line applications, from a web browser.

NNM ships with a number of report template files with the .rpt extension. The CGI application nnmRptConfig.exe configures report generation: it uses the predefined templates and lets users specify how frequently reports are generated, where they are sent, which outgoing SMTP server to use, and so on. The application is reached from a web browser; an example HTTP GET request to it follows:

GET /OvCgi/nnmRptConfig.exe?Content&Action=Create&Template=Avail/GenAvail&Operation=Apply&Params=schdParams+nameParams&schdParams=schd_select1%3Dmonthtodate&nameParams=text1%3DGeneral+Availability%26text2%3Dtmp%40tmp.com%26text3%3D10.0.15.12 HTTP/1.1
Host: 10.0.15.78
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate

A format string vulnerability exists in the NNM CGI program nnmRptConfig.exe. It is due to insufficient validation of one of the CGI parameters in HTTP requests. While handling the request, the vulnerable code uses an sprintf-like function to copy the parameter's value into a stack buffer, passing the user-supplied string as part of the format string rather than as a plain argument. Any format conversion specifiers in the string are therefore interpreted by the sprintf-like function instead of being copied verbatim into the target buffer.

Specifiers such as %n write to memory, and combined with the read specifiers (%x, %s, %p) the resulting attacker-controlled memory corruption can be used to inject and execute arbitrary code on the target server. A remote, unauthenticated attacker can exploit this vulnerability by sending a single crafted HTTP request. Successful exploitation results in execution of arbitrary code in the security context of the Internet Guest Account (IUSR) user.
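
Added example (not SonicWALL's signature logic): a Python check that decodes the CGI parameters of a request like the one above and flags conversion specifiers. It descends into values that are themselves encoded query strings, the way schdParams and nameParams carry a nested key=value list, so a double-encoded %2525n is seen as the %n it becomes on the server. The two request strings are constructed samples; the first reproduces the page's example.

```python
"""Flag printf-style conversion specifiers in the CGI parameters of an HTTP
request line, decoding nested form encoding the way nnmRptConfig.exe's
schdParams/nameParams arguments nest one query string inside another."""
import re
from urllib.parse import parse_qsl, urlsplit

# %[argument$][flags][width][.precision][length]conversion; %% is excluded on purpose.
_FMT_SPEC = re.compile(
    r'%(?:\d+\$)?[-+ #0]*(?:\*|\d+)?(?:\.(?:\*|\d+))?(?:hh|h|ll|l|L|j|z|t)?'
    r'([diouxXeEfFgGaAcspn])')
# A decoded value that itself looks like key=value[&key=value...] is a nested query string.
_NESTED = re.compile(r'[^&=]+=[^&]*(?:&[^&=]+=[^&]*)*')

def _leaf_values(query, prefix=""):
    """Yield (dotted name, decoded value); recurse into nested query strings."""
    for name, value in parse_qsl(query, keep_blank_values=True):
        path = prefix + name
        if _NESTED.fullmatch(value):
            yield from _leaf_values(value, prefix=path + ".")
        else:
            yield path, value

def find_format_specifiers(request_line):
    """[(parameter, decoded value, [conversions])] for every parameter whose
    fully decoded value contains a conversion specifier."""
    _method, target, _version = request_line.split(" ", 2)
    hits = []
    for name, value in _leaf_values(urlsplit(target).query):
        convs = [m.group(1) for m in _FMT_SPEC.finditer(value)]
        if convs:
            hits.append((name, value, convs))
    return hits

def has_write_primitive(hits):
    """%n stores the number of bytes emitted so far through a pointer taken from
    the argument area; it is what turns a format string bug into a memory write."""
    return any('n' in convs for _name, _value, convs in hits)

# Constructed requests: the first is the page's own example, the second carries a
# double-encoded format string inside the nested nameParams value.
BENIGN_REQUEST = ("GET /OvCgi/nnmRptConfig.exe?Content&Action=Create&Template=Avail/GenAvail"
                  "&Operation=Apply&Params=schdParams+nameParams"
                  "&schdParams=schd_select1%3Dmonthtodate"
                  "&nameParams=text1%3DGeneral+Availability%26text2%3Dtmp%40tmp.com"
                  "%26text3%3D10.0.15.12 HTTP/1.1")
CRAFTED_REQUEST = ("GET /OvCgi/nnmRptConfig.exe?Content&Action=Create&Template=Avail/GenAvail"
                   "&Operation=Apply&Params=nameParams"
                   "&nameParams=text1%3DAAAA%2525x%2525x%2525n%26text2%3Dtmp%40tmp.com HTTP/1.1")

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, CRAFTED_REQUEST):
        hits = find_format_specifiers(req)
        print(hits, "write primitive" if has_write_primitive(hits) else "clean")
```

Matching the raw query would miss the crafted request: %2525n only turns into %n after two rounds of decoding, one by the CGI layer and one by the application when it unpacks nameParams. The check errs on the side of alerting; prose values such as "100% sure" can match as a space flag followed by an s conversion, which is the trade-off an IPS signature for this class of bug also has to make.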
SonicWALL has released an IPS signature to address generic exploit attempts targeting this vulnerability:

  • 6145 – HP OpenView Network Node Manager Format String Attempt

In addition to this targeted detection effort, SonicWALL has numerous IPS signatures that proactively target format string attacks against vulnerabilities such as this one.

This vulnerability has been assigned the identifier CVE-2011-0270 by MITRE.

Malicious PDF spreading in the wild (Jan 20, 2011)

The SonicWALL UTM Research team observed a new malicious PDF spreading in the wild through spam e-mails that carry the file as an attachment. One such e-mail is shown below:

screenshot

If the user opens the attached PDF, it delivers a malicious payload through an exploit in Adobe Reader. That payload in turn downloads secondary malware.

  • The PDF's Producer field (in the document information dictionary) holds an encrypted blob, which is decrypted at runtime by a script embedded in the PDF.

    screenshot

  • The decrypted Producer data is itself the script that serves the payload. It selects an exploit for the installed version of Adobe Reader and delivers the payload accordingly.

    screenshot

  • Inspecting the payload in that script shows secondary malware being downloaded from a remote location.

    screenshot

  • When executed, the payload downloads and runs the following file:

    • us01.exe [Detected as GAV: Kryptik.JKT (Trojan)]
  • The downloaded file performs the following activities on the victim's machine:

    • It creates the following files:
      • %UserProfile%\Application Data\Muitirfyoci.exe (copy of itself) [Detected as GAV: Kryptik.JKT (Trojan)]
      • %UserProfile%\Application Data\Ylaqozuzpa.lyz
    • It attempts to connect to randomly created domain names
      • screenshot

    • It creates the following registry value so that it runs again on every system restart:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: "%UserProfile%\Application Data\Muitirfyoci.exe"
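
Added example (not SonicWALL's analysis tooling): an offline Python triage script for a PDF built the way this sample is, with the exploit script hidden in the /Producer entry of the document information dictionary and decoded by an embedded loader at run time. The sample PDF is constructed inside the script (XOR-obfuscated Producer, no xref table, a harmless placeholder in place of the real second stage) and is not the file SonicWALL analysed.

```python
"""Offline triage for a PDF whose exploit script is hidden in the /Producer
entry of the document information dictionary and decoded at run time."""
import re
import zlib

_STRING = rb'(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)'   # literal or hex string token

def _pdf_string(tok):
    """Decode a PDF literal (...) or hex <...> string token to bytes."""
    if tok.startswith(b'<'):
        return bytes.fromhex(tok[1:-1].decode('ascii'))
    return re.sub(rb'\\([\\()])', rb'\1', tok[1:-1])  # only the escapes used here

def _stream(data, num):
    """Decoded stream of object `num`; assumes a direct /Length and at most FlateDecode."""
    m = re.search(rb'(?<![0-9])' + str(num).encode() + rb'\s+\d+\s+obj\s*<<(.*?)>>\s*stream\r?\n',
                  data, re.S)
    if not m:
        return None
    d, start = m.group(1), m.end()
    raw = data[start:start + int(re.search(rb'/Length\s+(\d+)', d).group(1))]
    return zlib.decompress(raw) if b'/FlateDecode' in d else raw

def _scripts(data):
    """Every /JS body, inline or via an indirect object reference."""
    out = [_pdf_string(m.group(1)) for m in re.finditer(rb'/JS\s*' + _STRING, data, re.S)]
    for m in re.finditer(rb'/JS\s+(\d+)\s+\d+\s+R', data):
        s = _stream(data, int(m.group(1)))
        if s is not None:
            out.append(s)
    return out

def triage_pdf(data):
    """Indicators of the 'script hidden in Producer' layout, plus the recovered
    script when the loader is a plain per-character XOR."""
    m = re.search(rb'/Producer\s*' + _STRING, data, re.S)
    producer = _pdf_string(m.group(1)) if m else b''
    js = b'\n'.join(_scripts(data))
    report = {
        'producer_len': len(producer),                        # real producers are a short tool name
        'javascript': bool(js),
        'js_reads_producer': b'info.producer' in js.lower(),  # this.info.producer / info.Producer
        'js_checks_viewer_version': b'viewerVersion' in js,   # exploit chosen per Reader version
        'js_uses_eval': b'eval(' in js,
        'decoded_producer': None,
    }
    key = re.search(rb'charCodeAt\(\w+\)\s*\^\s*(\d+)', js)
    if key and producer:
        report['decoded_producer'] = bytes(b ^ int(key.group(1)) for b in producer).decode('latin-1')
    return report

# Constructed sample. STAGE2 stands in for the real exploit script.
STAGE2 = b'app.alert("second-stage placeholder");'

def build_sample_pdf():
    producer = bytes(b ^ 7 for b in STAGE2)
    loader = (b'var p = this.info.producer, s = "";\n'
              b'for (var i = 0; i < p.length; i++) s += String.fromCharCode(p.charCodeAt(i) ^ 7);\n'
              b'if (app.viewerVersion < 9) eval(s); else eval(s);\n')
    body = zlib.compress(loader)
    return (b'%PDF-1.4\n'
            + b'1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS 4 0 R >> >> endobj\n'
            + b'2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n'
            + b'3 0 obj << /Producer <' + producer.hex().encode() + b'> /Creator (constructed sample) >> endobj\n'
            + b'4 0 obj << /Length ' + str(len(body)).encode() + b' /Filter /FlateDecode >>\nstream\n'
            + body + b'\nendstream\nendobj\n'
            + b'trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n')

BENIGN_PDF = (b'%PDF-1.4\n3 0 obj << /Producer (Acrobat Distiller 9.0 \\(Windows\\)) >> endobj\n'
              b'trailer << /Info 3 0 R >>\n%%EOF\n')

if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
    print(triage_pdf(BENIGN_PDF))
```

A multi-kilobyte Producer is an anomaly on its own, since legitimate producers are a tool name a few dozen bytes long; combined with JavaScript that reads info.producer and branches on app.viewerVersion, it is the fingerprint of this family. The decoder only handles the simplest XOR loader; real samples often layer further string transforms on top, which is why the GAV signature is matched on the container rather than on the recovered script.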

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

GAV: Pdfka.EML (Trojan)
GAV: Kryptik.JKT (Trojan)

screenshot

screenshot

Orz.A Trojan (Jan 14, 2011)

The SonicWALL UTM Research team received reports of a new Trojan spreading in the wild. Once on a system it posts potentially sensitive information to a remote web server. In the background it installs a copy of the "Super Rabbit" system configuration software, without user interaction or consent.

The Trojan makes DNS queries to the following hosts:

  • download.youbak.com
  • tj.pctutu.net
  • srtj.pctutu.net

The Trojan makes a request to download a silent installer for the software “Super Rabbit”:

  • http://121.15.221.{removed}/soft/113/sr_v9_mini.exe

The Trojan and silent installer make the following modifications to the system:

screenshot

The Trojan sends potentially sensitive information to a remote site using an HTTP POST request:

screenshot

SonicWALL Gateway AntiVirus provides protection against this Trojan via the following signature:

GAV: Orz.A (Trojan)

Microsoft Security Bulletins Coverage (Jan 11, 2011)

SonicWALL has analyzed and addressed Microsoft's security advisories for January 2011. The issues reported, along with SonicWALL coverage information, follow:

MS11-001 Vulnerability in Windows Backup Manager Could Allow Remote Code Execution (2478935)

  • CVE-2010-3145 – Backup Manager Insecure Library Loading Vulnerability
    IPS 5726 Possible Binary Planting Attempt

MS11-002 Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2451910)

  • CVE-2011-0026 – DSN Overflow Vulnerability
    Note: An API vulnerability. Microsoft products are not affected by this issue. There are no third party products known to be affected.
  • CVE-2011-0027 – ADO Record Memory Vulnerability
    IPS 6130 MS DAO Record Memory Corruption Exploit

HP Photo Creative audio.Record ActiveX Stack BO (Jan 7, 2011)

HP Photo Creations is free software for creating photo books, calendars, collages, greeting cards and other keepsakes that can be printed at home or ordered. It ships with more than 1,800 artwork designs, 1,300 placeable graphics, placeable text boxes, custom fonts, borders, and dozens of photo editing tools.

The HP Photo Creations installer also installs and registers an ActiveX control, audio.Record, which implements audio functions such as recording, resampling and importing. The control is registered with CLSID "3EEEBC9A-580F-46EF-81D9-55510266413D" and ProgID "audio.Record", and can be instantiated in a web page with an <object> tag or via scripting. For example:

<object classid="clsid:3EEEBC9A-580F-46EF-81D9-55510266413D"></object>

Among the audio functions the audio.Record control exposes is Resample, whose prototype is:

Resample(String in, String out, Int32 options)

A stack-based buffer overflow vulnerability exists in the HP Photo Creations audio.Record ActiveX control. It is due to a missing bounds check on a string argument passed to Resample: the argument is copied into a fixed-size stack buffer, so an overly long string overflows the buffer and overwrites other values on the stack. Successful exploitation results in arbitrary code injection and execution with the privileges of the currently logged-in user.
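
Added example covering both ActiveX advisories on this page (the RealPlayer IERPCtl RecordClip() issue above and this audio.Record Resample() overflow); it is not SonicWALL's signature logic nor code from RealNetworks or HP. The Python script flags pages that instantiate either control by CLSID or ProgID and then inspects the arguments handed to the vulnerable method. The CLSIDs and ProgIDs are the ones in the advisories; the sample pages, the 1024-byte length threshold and the "--placeholder-switch" string are constructed assumptions, not real RecordingManager options.

```python
"""Static triage of an HTML/JS page for instantiation of the two ActiveX
controls discussed on this page and for suspicious arguments to the methods
the advisories describe."""
import re

WATCHLIST = {  # CLSID -> (ProgID, method whose argument the advisory describes)
    "FDC7A535-4070-4B92-A0EA-D9994BCC0DC5": ("IERPCtl.IERPCtl.1", "RecordClip"),
    "3EEEBC9A-580F-46EF-81D9-55510266413D": ("audio.Record", "Resample"),
}
LONG_STRING = 1024  # assumed: no legitimate file name or URL passed to Resample is this long

_CLASSID = re.compile(r'classid\s*=\s*["\']?\s*clsid:([0-9a-f-]{36})', re.I)
_PROGID = re.compile(r'new\s+ActiveXObject\s*\(\s*["\']([^"\']+)["\']\s*\)', re.I)
_VARDEF = re.compile(r'\b(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')\s*;')  # name = "literal";
_URL = re.compile(r'[a-z][a-z0-9+.-]*://\S+', re.I)

def _split_args(arglist):
    """Split a JS argument list on top-level commas, leaving quoted strings intact."""
    args, cur, quote = [], "", None
    for ch in arglist:
        if quote:
            cur += ch
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote, cur = ch, cur + ch
        elif ch == ",":
            args.append(cur)
            cur = ""
        else:
            cur += ch
    args.append(cur)
    return [a.strip() for a in args]

def _string_value(expr, page):
    """Resolve an argument to a string: a literal, or a variable assigned one literal."""
    m = re.fullmatch(r'(["\'])(.*)\1', expr, re.S)
    if m:
        return m.group(2)
    for name, dq, sq in _VARDEF.findall(page):
        if name == expr:
            return dq or sq
    return None

def scan_page(page):
    """Return human-readable findings for one page."""
    present = {c.upper() for c in _CLASSID.findall(page) if c.upper() in WATCHLIST}
    progids = {p.lower() for p in _PROGID.findall(page)}
    present |= {c for c, (pid, _) in WATCHLIST.items() if pid.lower() in progids}
    findings = []
    for clsid in sorted(present):
        progid, method = WATCHLIST[clsid]
        findings.append(f"instantiates {progid} ({clsid})")
        for call in re.finditer(r'\.\s*' + method + r'\s*\(([^;]*?)\)\s*;', page):
            args = [_string_value(a, page) for a in _split_args(call.group(1))]
            first = args[0] if args else None
            # RecordClip: the url goes onto RecordingManager's command line, so anything
            # that is not a bare URL (whitespace, quotes, switches) is injection material.
            if method == "RecordClip" and first is not None and not _URL.fullmatch(first):
                findings.append(f"RecordClip url is not a plain URL: {first!r}")
            # Resample: a string far longer than any real path overflows the stack buffer.
            if method == "Resample" and any(a is not None and len(a) >= LONG_STRING for a in args):
                findings.append("Resample called with an overlong string argument")
    return findings

# Constructed sample pages (not real exploit pages).
BENIGN_PAGE = '''<object classid="clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5" id="rp"></object>
<script>rp.RecordClip("http://example.invalid/clip.rm", "audio/x-pn-realaudio", "");</script>'''

REALPLAYER_PAGE = '''<object classid="clsid:FDC7A535-4070-4B92-A0EA-D9994BCC0DC5" id="rp"></object>
<script>
var url = "http://example.invalid/clip.rm --placeholder-switch";  /* placeholder, not a real switch */
rp.RecordClip(url, "audio/x-pn-realaudio", "");
</script>'''

HP_PAGE = '''<script>
var o = new ActiveXObject("audio.Record");
var buf = "''' + "A" * 2000 + '''";
o.Resample(buf, "out.wav", 0);
</script>'''

if __name__ == "__main__":
    for page in (BENIGN_PAGE, REALPLAYER_PAGE, HP_PAGE):
        print(scan_page(page))
```

The argument resolver only follows a variable assigned a single literal; real exploit pages build the long string in a loop or through unescape(), which a static scan cannot evaluate and which is why the IPS signatures match on the control identifiers and call shape rather than on the final argument. On the endpoint, setting the kill bit for either CLSID keeps Internet Explorer from instantiating the control at all.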

The SonicWALL UTM Research team has investigated this vulnerability and created the following signature to detect and prevent attack attempts targeting it:

  • 6120 HP Photo Creative audio.Record ActiveX Stack BO

This vulnerability is tracked as BugTraq ID 45631.

Yimfoca Worm Spreading in the Wild (Jan 4, 2011)

The SonicWALL UTM Research team received reports of a new variant of an IM worm spreading in the wild. It propagates through instant messaging applications such as Yahoo Messenger, AIM and MSN, as well as through the social networking site Facebook. Multiple rogue Facebook applications reportedly led to this worm; they have since been taken down.

Process of Infection:

An unsuspecting user receives, from an infected machine, an instant message inviting them to view a picture purportedly hosted on facebook.com. A sample of the message as sent over MSN looks like this:

screenshot

Clicking the link takes the user to this facebook.com page:

screenshot

This is a legitimate facebook.com page, the one normally shown when a third-party link is clicked from within Facebook. When the user clicks the Continue button, however, they are directed to the malicious website.

A screenshot of the malicious website is shown below:

screenshot

The site is designed to look as though the user is still browsing within Facebook, although the URL shows otherwise. It also claims that the picture the user wants to see has been moved and that the "View Photo" button must be clicked to see it. Clicking the button downloads the malicious IM worm.

Installation:

Drops a copy of itself:

  • %Windows%\nvsvc32.exe – [ detected as GAV: Yimfoca.AA_3 (Worm) ]

Downloads malware components:

  • C:\WINDOWS\ndl.dl
  • C:\WINDOWS\wibrf.jpg
  • C:\WINDOWS\wiybr.png

Creates a mutex to ensure that only one instance of the worm runs on the system:

  • Nvidia Drive Mon

(Note: %Windows% is the Windows folder, usually C:\Windows or C:\WINNT.)

Registry Changes:

It adds the following registry entries so that the dropped copy starts on every system reboot; the third key is the Terminal Server install-mode redirection of the HKLM Run key:

  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Value: "NVIDIA driver monitor"
    Data: "c:\windows\nvsvc32.exe"
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] Value: "NVIDIA driver monitor"
    Data: "c:\windows\nvsvc32.exe"
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run] Value: "NVIDIA driver monitor"
    Data: "c:\windows\nvsvc32.exe"

Adds the following registry entry to exempt itself from the Windows Firewall:

  • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] Value: "c:\windows\nvsvc32.exe"
    Data: "c:\windows\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"

Command & Control (C&C) Server connection:

    Upon successful installation, it connects to a remote server to receive further instructions:
    Remote Server: 75.102.21.13

    The worm also joins the following IRC channel to receive instructions:

    • #!nn

    The screenshot below shows the IRC communication:

    screenshot

Backdoor Functionality:

  • Spread via instant messaging
  • Update itself
  • Remove itself
  • Download and execute files

Network Activity:

DNS requests (the first three entries are octet-reversed addresses, i.e. in-addr.arpa PTR lookups; 13.21.102.75 is the reverse lookup of the C&C server 75.102.21.13):

  • 13.21.102.75
  • 18.149.220.66
  • 237.181.44.132
  • ale.pakibili.com
  • api.albertoshistory.info
  • astro.ic.ac.uk
  • insidehighered.com
  • journalofaccountancy.com
  • mas.0730ip.com
  • stayontime.info
  • transnationale.org
  • versatek.com
  • www.shearman.com

FTP Server:

  • ftp.phoenix-cc.net

Propagation:

This worm propagates via following platforms:

    Instant Messaging Application:

    • AIM
    • MSN
    • Yahoo Messenger

    Social Networking site:

    • Facebook

Other System Modification:

Terminates the following services:

  • Microsoft Malware Protection Service – MsMpSvc
  • Windows Automatic Updates service – wuauserv

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Yimfoca.AA_3 (Worm)

Fake Desktop Utilities (Dec 23, 2010)

The SonicWALL UTM Research team has been monitoring fake desktop utilities since mid-October. While we continue to see new Fake Antivirus variants every day, fake utilities are a new approach adopted by Fake AV authors to target unwitting users. Like Fake AV, they arrive by spammed e-mail or via drive-by downloads from compromised sites.

We have received multiple variants of fake desktop utilities so far, including Disk Doctor, Windows Defrag, Disk Scanner, Control Panel and Utility Manager. The goal is the same as Fake AV's: infect the computer, scare the user with fake errors, and sell them a product to fix the errors.

screenshot

As shown above, they use fake icons and file version information to masquerade as legitimate utilities. Below are screenshots of the fake desktop utilities in action:

screenshot

screenshot

screenshot

Some of the newer variants also generate random "hard drive problem" alerts whenever the user attempts to open any application after infection.

screenshot

If the user falls for the trap and tries to buy the software, the product window loads a fake address-bar image containing SSL certificate details and the secure-lock icon, to further assure the user of a safe, legitimate transaction. In the background it attempts to connect to the landing site, which had been taken down at the time of writing.

screenshot

SonicWALL Gateway AntiVirus provides protection against these fake utilities via the following signatures:

GAV: Suspicious#fakeav_17 (Trojan) [ ~900,000 hits ]
GAV: Suspicious#fakeav_16 (Trojan) [ ~5,000 hits ]

MS IE CSS Parsing Memory Corruption (Dec 21, 2010)

Microsoft Internet Explorer is one of the most popular web browsers. It renders both static and dynamic web content, and can download files, play multimedia content and open various file formats through plug-ins.

A use-after-free vulnerability exists in Microsoft Internet Explorer, due to the way it handles the creation and deletion of CSS (Cascading Style Sheets) objects. Remote attackers can exploit it by enticing the target user into viewing a malicious HTML document, which allows injection and execution of arbitrary code in the context of the browser.

SonicWALL has released several IPS signatures to detect and block known exploits targeting this vulnerability. The following signatures were released to address this issue:

  • 6094 – MS IE CSS Import Use-After-Free Code Execution 1
  • 6095 – MS IE CSS Import Use-After-Free Code Execution 2
  • 6096 – MS IE CSS Import Use-After-Free Code Execution 3

In addition to handling this specific threat, SonicWALL currently deploys a number of generic signatures which detect known shellcode patterns and evasion techniques that would likely be used during exploitation attempts of a vulnerability such as this one.

For more information about this vulnerability, see the SecurityFocus advisory "Microsoft Internet Explorer CSS Parsing Remote Memory Corruption Vulnerability".

Wikileaks Black Hat Campaigns (Dec 16, 2010)

The SonicWALL UTM Research team discovered polluted search engine results for Wikileaks-related search terms. Malware authors often use SEO poisoning campaigns to lure unsuspecting users into clicking malicious links placed strategically in search results, a technique traditionally used in Black Hat SEO campaigns around every major event. This is the first time, however, that we have observed Wikileaks-related terms being used. The search term "Julian Assange Wikileaks" leads users to the polluted search result shown below:

screenshot

If the user clicks the malicious link in the search results, the following happens on the victim's machine:

  • The initial link redirects users to a FakeAV landing page.

    screenshot

  • If the user downloads and runs the FakeAV executable, it does the following on the victim's machine:
    • Drops the following files:
      • %temp%/systempack8_195.exe (Copy of Itself) [Detected as GAV: Kryptik.IXE (Trojan)]
      • %USERPROFILE%/Application Data/7b4dd2/IA7b4_195.exe [Detected as GAV: Suspicious#fakeav_2 (Trojan)]

    • Creates the following registry entry to ensure that the dropped malware runs on every system reboot:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce: "%temp%/systempack8_195.exe"

Cyber criminals may be exploiting the popularity of Wikileaks in other ways as well: the mirror listing site "wikileaks.info" is hosted in an address space known to be under the control of cyber criminals. Although the site has not been found serving malicious content so far, we advise users to exercise caution when visiting this domain.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

GAV: Kryptik.IXE (Trojan)
GAV: Suspicious#fakeav_2 (Trojan)

screenshot
