Apache Struts2 Remote Command Execution (July 29, 2010)

Apache Struts2 originated from two different projects, Apache Struts and WebWork. In 2008 the two projects merged to create Struts2, an MVC framework for building Java web applications. OGNL stands for Object-Graph Navigation Language; it is an expression language for getting and setting properties of Java objects.

A remote command execution vulnerability exists in Apache Struts2. The vulnerability is due to insufficient validation when request parameter names are evaluated as OGNL statements. A remote attacker can exploit this vulnerability by sending a crafted HTTP request to the target server. Successful exploitation would allow the attacker to execute arbitrary commands with the privileges of the target service. If command execution is not successful, the vulnerable process may terminate abnormally, resulting in a denial of service condition.

The CVE identifier for this vulnerability is CVE-2010-1870.
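Because the weakness above is that parameter names, not just values, reach an expression evaluator, the defensive control is an allow-list on the names themselves. The following Python is an added example, not SonicWALL's or the Struts project's code: it accepts only plain bean property paths (identifiers, dots, numeric indices) and rejects anything that carries expression syntax. The grammar and the MAX_NAME_LENGTH bound are assumptions chosen for illustration, and the sample parameters are constructed.

```python
import re
from typing import Dict, List, Tuple

# Allow-list grammar for a request parameter name: a plain bean property path
# such as "user.name", "items[0].id" or "address.street". Anything outside it
# (parentheses, '#', '@', quotes, '=' and other expression syntax) is rejected
# before the name could ever reach an expression evaluator.
_SEGMENT = r"[A-Za-z_][A-Za-z0-9_]*"
_PARAM_NAME = re.compile(rf"{_SEGMENT}(?:\.{_SEGMENT}|\[\d+\])*")

# Hypothetical upper bound on a name's length; it keeps nesting depth bounded.
MAX_NAME_LENGTH = 100


def is_acceptable_param_name(name: str) -> bool:
    """True only if `name` is a non-empty, bounded, plain property path."""
    return 0 < len(name) <= MAX_NAME_LENGTH and _PARAM_NAME.fullmatch(name) is not None


def filter_params(params: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split request parameters into those safe to bind and the rejected names."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name, value in params.items():
        if is_acceptable_param_name(name):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


# Constructed sample parameters (not taken from any real request).
SAMPLE_PARAMS = {
    "user.name": "alice",
    "items[0].id": "42",
    "address.street": "Main St",
    "(a)": "1",            # parentheses are expression syntax, not a property path
    "#foo": "1",           # '#' introduces a context reference in OGNL
    "user.name=bad": "1",  # an assignment hidden inside a name
}

if __name__ == "__main__":
    ok, bad = filter_params(SAMPLE_PARAMS)
    print("accepted:", sorted(ok))
    print("rejected:", sorted(bad))
```

The point of an allow-list rather than a deny-list is that new expression features never widen what is accepted; the rejected names are returned so they can be logged as a detection signal.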

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 4680 Apache Struts2/XWork Remote Command Execution

Ipswitch IMail Server Reply-To BO (July 26, 2010)

The Ipswitch IMail Server is a mail server geared towards medium to large size organizations. It implements the POP3, IMAP4, and SMTP protocols. The SMTP server module is installed and started in a default installation.

The SMTP protocol defines a set of commands used to exchange email messages between network-connected hosts. The full SMTP protocol specification is outlined in RFC 821. SMTP commands are composed of ASCII strings separated by the end-of-line byte sequence 0x0d0a (CRLF). In a standard SMTP session, after the TCP connection is opened, there is normally a handshake between the client and server. After a successful connection has been established, the client will either send an email to an account on the SMTP server or use the server to relay the message to its destination.

An SMTP email message consists of a header and a message body. The header consists of several lines defining numerous aspects of the email such as the source and destination addresses. The body of the message begins after an empty line following the header. Each header line is composed of a field name, followed by a colon character “:”, further followed by the field value, terminated by CRLF. For example:

    From:
    To:
    Subject: test email
    Reply-To:
    Content-Type: text/plain;

Some of the header fields specified by the standard are listed below:

  • Bcc
  • Cc
  • Date
  • From
  • Received
  • Reply-To
  • Subject
  • To
  • X-headers

A buffer overflow vulnerability exists in the Ipswitch IMail server. The vulnerability is due to a boundary error in the processing of the Reply-To SMTP header. If multiple Reply-To headers exist in a message, the vulnerable code will concatenate them into a single string. This string will then be copied into a fixed size stack buffer without any prior checks of the final string’s length. If the length of the concatenated Reply-To header is greater than the size of the allocated buffer, the string copy operation will result in user supplied data overrunning the provided buffer. This will lead to corruption of sensitive stack data such as the function return addresses. Unauthenticated attackers may exploit this vulnerability by supplying a crafted SMTP message with multiple, long Reply-To headers. Successful exploitation may allow arbitrary code to be injected and executed with the privileges of the server process.
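The condition described above is observable in the message itself: several Reply-To headers whose combined length is larger than any sane fixed buffer. The Python below is an added example (not SonicWALL's signature logic or Ipswitch code) that parses the header block of an RFC 821/822 message, handles folded continuation lines, joins the Reply-To values exactly as the vulnerable server would, and flags the message when more than one such header is present and the joined length exceeds a limit. The REPLY_TO_BUFFER_LIMIT value is an assumption, since the advisory does not state the real buffer size, and both sample messages are constructed.

```python
from typing import Dict, List, Tuple

# Hypothetical size of the fixed stack buffer the concatenated Reply-To values
# are copied into; the advisory does not state the real size.
REPLY_TO_BUFFER_LIMIT = 256


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from the header block of an RFC 821/822 message.

    The header block ends at the first empty line; lines are CRLF-terminated and
    a line starting with whitespace continues the previous header (folding).
    Header names are lower-cased so callers can compare them case-insensitively.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers: List[Tuple[bytes, bytes]] = []
    for line in head.split(b"\r\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and headers:       # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue                                    # not a "field: value" line
        headers.append((name.strip().lower(), value.strip()))
    return [(n.decode("ascii", "replace"), v.decode("ascii", "replace")) for n, v in headers]


def reply_to_risk(raw: bytes, limit: int = REPLY_TO_BUFFER_LIMIT) -> Dict[str, object]:
    """Model the vulnerable server's behaviour: every Reply-To value is joined into
    one string. Flag the message when more than one header is present and the
    joined length exceeds the buffer the copy is bounded by."""
    values = [v for n, v in parse_headers(raw) if n == "reply-to"]
    joined = "".join(values)
    return {
        "count": len(values),
        "total_length": len(joined),
        "suspicious": len(values) > 1 and len(joined) > limit,
    }


# Constructed sample messages (not real captures).
BENIGN_MESSAGE = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Reply-To: alice@example.test\r\n"
    b"Subject: test email\r\n"
    b"\r\n"
    b"Hello Bob\r\n"
)

SUSPICIOUS_MESSAGE = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    + b"".join(b"Reply-To: " + b"A" * 120 + b"\r\n" for _ in range(3))
    + b"Subject: test email\r\n"
    b"\r\n"
    b"Hello Bob\r\n"
)

if __name__ == "__main__":
    print("benign:    ", reply_to_risk(BENIGN_MESSAGE))
    print("suspicious:", reply_to_risk(SUSPICIOUS_MESSAGE))
```

A mail gateway applying this check would reject or quarantine the message before the downstream server parses it; a single long Reply-To is deliberately not flagged, because the advisory ties the overflow to the concatenation of several headers.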

SonicWALL has IPS signatures in place that proactively detect and block attacks of this type. The following SMTP signatures block SMTP-related attacks by detecting common shellcode transfers:

  • 4120 – Generic SMTP Attack Attempt
  • 5470 – Generic SMTP Shellcode Exploit

SonicWALL has additional generic signatures that encompass multiple protocols, including SMTP, which are not protocol specific. These signatures are also effective in proactively blocking attacks against SMTP servers.

Prolaco Worm Spreading in the Wild (July 23, 2010)

The SonicWALL UTM Research team received reports of a new variant of the Peer-to-Peer (P2P) worm Prolaco spreading in the wild. It propagates through P2P channels as well as spammed e-mail; the e-mail carries the malicious file inside a zip attachment.

Below are sample e-mails:

Subject:

  • You have got a new message on Facebook!
  • You have received A Hallmark E-Card!
  • Thank you from Google!

Attachment:

  • Facebook message.zip (contains document.jpg .exe )
  • Postcard.zip (contains document.jpg .exe )
  • CV-20100120-112.zip (contains document.jpg .exe )

Email Body:

    Hi,

    You have got a personal message on Facebook from your friend.
    To read it please check the attachment.
    Thanks,

    The Facebook Team
    ===================================================
    Hello!

    You have received a Hallmark E-Card from your friend.

    To see it, check the attachment.

    There’s something special about that E-Card feeling. We invite you to make a friend’s day and send one.

    Hope to see you soon,
    Your friends at Hallmark

    ===================================================
    We just received your resume and would like to thank you for your interest in working at Google.
    This email confirms that your application has been submitted for an open position.

    Our staffing team will carefully assess your qualifications for the role(s) you selected and others that
    may be a fit. Should there be a suitable match, we will be sure to get in touch with you.

    Click on the attached file to review your submitted application.

    Have fun and thanks again for applying to Google!

    Google Staffing
    ===================================================

The e-mail messages look like the following:

    [screenshots of the three e-mail messages]

Once the user runs the executable file, it performs the following activities:

File Operation:

Added Files

  • \Documents and Settings\{user}\Application Data\System\Proclsass.exe – (222KB) [ Detected as GAV: Prolaco.I (Worm) ]
  • \WINDOWS\system32\HPWuSchd5.exe – (447KB) [ Detected as GAV: Prolaco.I (Worm) ]
  • \Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
  • \Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome
  • \Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content
  • \Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul [ Detected as GAV: Dursg.G (Trojan) ]
  • \Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  • \Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf

Registry Operation:

Added Entries

  • HKEY_CURRENT_USER\Identities Curr version “25”
  • HKEY_CURRENT_USER\Identities Last Date “23-7-2010”
  • HKEY_CURRENT_USER\Identities Inst Date “23-7-2010”
  • HKEY_CURRENT_USER\Identities Popup count “0”
  • HKEY_CURRENT_USER\Identities Popup time “0”
  • Allows the program to run without user notification:
    • KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
      Value: EnableLUA
      Data: dword:00000000
  • Ensures this Worm runs on every Windows startup:
    • KEY: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      Value: HP Software Updater5
      Data: “\WINDOWS\System32\HPWuSchd5.exe”
    • KEY: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
      Value: RTHDBPL
      Data: “\Documents and Settings\{user}\Application Data\System\Proclsass.exe”
  • Ensures this Worm bypasses the Firewall:
    • KEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
      Value: C:\WINDOWS\System32\HPWuSchd5.exe
      Data: “C:\WINDOWS\System32\HPWuSchd5.exe:*:Enabled:Explorer”

Malware Propagation:

    Peer-to-Peer Applications

    This Worm drops copies on P2P shared folders using filenames taken from its list:

    List of the P2P apps:

    • program files\winmx\shared
    • program files\tesla\files
    • program files\limewire\shared
    • program files\morpheus\my shared folder
    • program files\emule\incoming
    • program files\edonkey2000\incoming
    • program files\bearshare\shared
    • program files\grokster\my grokster
    • program files\icq\shared folder
    • program files\kazaa lite k++\my shared folder
    • program files\kazaa lite\my shared folder
    • program files\kazaa\my shared folder

    Filenames it uses when copying itself to P2P folders, posing as key generators and cracking tools for popular commercial applications:

    • AOL Instant Messenger (AIM) Hacker.exe
    • AOL Password Cracker.exe
    • Ad-aware 2010.exe
    • Adobe Acrobat Reader keygen.exe
    • Adobe Illustrator CS4 crack.exe
    • Adobe Photoshop CS4 crack by M0N5KI Hack Group.exe
    • Alcohol 120 v1.9.x.exe
    • Anti-Porn v13.x.x.x.exe
    • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
    • Ashampoo Snap 3.xx [Skarleot Group].exe
    • Avast 4.x Professional.exe
    • Avast 5.x Professional.exe
    • BitDefender AntiVirus 2010 Keygen.exe
    • Blaze DVD Player Pro v6.52.exe
    • Brutus FTP Cracker.exe
    • CleanMyPC Registry Cleaner v6.02.exe
    • Counter-Strike Serial key generator [Miona patch].exe
    • DCOM Exploit archive.exe
    • DVD Tools Nero 10.x.x.x.exe
    • Daemon Tools Pro 4.8.exe
    • DivX 5.x Pro KeyGen generator.exe
    • Divx Pro 7.x version Keymaker.exe
    • Download Accelerator Plus v9.2.exe
    • Download Boost 2.0.exe
    • FTP Cracker.exe
    • G-Force Platinum v3.7.6.exe
    • Google SketchUp 7.1 Pro.exe
    • Grand Theft Auto IV [Offline Activation + mouse patch].exe
    • Half-Life 2 Downloader.exe
    • Hotmail Cracker [Brute method].exe
    • Hotmail Hacker [Brute method].exe
    • ICQ Hacker Trial version [brute].exe
    • IP Nuker.exe
    • Image Size Reducer Pro v1.0.1.exe
    • Internet Download Manager V5.exe
    • K-Lite Mega Codec v5.2 Portable.exe
    • K-Lite Mega Codec v5.2.exe
    • Kaspersky AntiVirus 2010 crack.exe
    • Kaspersky Internet Security 2010 keygen.exe
    • Keylogger unique builder.exe
    • L0pht 4.0 Windows Password Cracker.exe
    • LimeWire Pro v4.18.3 [Cracked by AnalGin].exe
    • MSN Password Cracker.exe
    • Magic Video Converter 8.exe
    • McAfee Total Protection 2010 [serial patch by AnalGin].exe
    • Microsoft Visual Basic KeyGen.exe
    • Microsoft Visual C++ KeyGen.exe
    • Microsoft Visual Studio KeyGen.exe
    • Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe
    • Motorola, nokia, ericsson mobil phone tools.exe
    • Mp3 Splitter and Joiner Pro v3.48.exe
    • Myspace theme collection.exe
    • NetBIOS Cracker.exe
    • NetBIOS Hacker.exe
    • Norton Anti-Virus 2005 Enterprise Crack.exe
    • Norton Anti-Virus 2010 Enterprise Crack.exe
    • Norton Internet Security 2010 crack.exe
    • PDF password remover (works with all acrobat reader).exe
    • Password Cracker.exe
    • Power ISO v4.4 + keygen milon.exe
    • Rapidshare Auto Downloader 3.8.6.exe
    • Sophos antivirus updater bypass.exe
    • Sub7 2.5.1 Private.exe
    • Super Utilities Pro 2009 11.0.exe
    • Total Commander7 license+keygen.exe
    • Tuneup Ultilities 2010.exe
    • Twitter FriendAdder 2.3.9.exe
    • UT 2003 KeyGen.exe
    • VmWare 7.x keygen.exe
    • Website Hacker.exe
    • WinRAR v3.x keygen [by HiXem].exe
    • Winamp.Pro.v7.xx.PowerPack.Portable+installer.exe
    • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
    • Windows Password Cracker + Elar3 key.exe
    • Windows2008 keygen and activator.exe
    • YouTubeGet 5.6.exe
    • Youtube Music Downloader 1.3.exe
    • [+ MrKey +] Windows XP PRO Corp SP3 valid-key generator.exe
    • [Eni0j0 team] Vmvare keygen.exe
    • [Eni0j0 team] Windows 7 Ultimate keygen.exe
    • [antihack tool] Trojan Killer v2.9.4173.exe
    • [fixed]RapidShare Killer AIO 2010.exe
    • [patched, serial not need] Nero 9.x keygen.exe
    • [patched, serial not needed] Absolute Video Converter 6.2-7.exe
    • [patched, serial not needed] PDF Unlocker v2.0.5.exe
    • [patched, serial not needed] PDF to Word Converter 3.4.exe
    • sdbot with NetBIOS Spread.exe

    Mass-Mailing

    This Worm harvests e-mail addresses from the system and sends spam e-mails with a copy of itself as the attachment.

Network Activity:

The following HTTP request was observed from this Worm:

  • http://controll{REMOVED}ckout

Pop-up Advertisements

    This Worm injects code into the following browsers to monitor keyword searches:

    • Internet Explorer
    • Opera
    • Chrome
    • Firefox

    The following are the keyword terms that it monitors and once found displays pop-up advertisements from the domain “tetrosearch.com”:

    • airlines
    • amazon
    • antivir
    • antivirus
    • baby
    • bank
    • bany
    • baseball
    • books
    • cars
    • casino
    • cialis
    • cigarettes
    • comcast
    • craigslist
    • credit
    • dating
    • design
    • diet
    • doctor
    • dvd
    • ebay
    • estate
    • fashion
    • film
    • finance
    • flights
    • flower
    • footbal
    • football
    • gambling
    • game
    • gifts
    • golf
    • graphic
    • health
    • hotel
    • insurance
    • iphone
    • ipod
    • job
    • loan
    • loans
    • medical
    • military
    • mobile
    • money
    • mortgage
    • movie
    • music
    • myspace
    • pharma
    • pocker
    • poker
    • porn
    • school
    • sex
    • shop
    • software
    • sport
    • spybot
    • spyware
    • trading
    • tramadol
    • travel
    • twitter
    • verizon
    • video
    • virus
    • vocations
    • wallpaper
    • weather
    • yobt

SonicWALL Gateway AntiVirus provides protection against this Worm via the following signatures:

  • GAV: Prolaco.I (Worm)
  • GAV: Dursg.G (Trojan)

Bredolab Trojan spam campaign (July 16, 2010)

The SonicWALL UTM Research team observed a wave of resume-themed spam involving a newer variant of the Bredolab Trojan starting earlier this week. The spam e-mails arrive with a zip archive attachment which contains the Bredolab Trojan executable. The e-mail pretends to come from a prospective job applicant and looks like this:

Attachment: resume_41170.zip (contains Myresume.exe)

Subject: Please look my CV, Thank you

Email Body:
————————
Hello!

I have figured out that you have an available job.
I am quiet intrested in it. So I send you my resume,

Looking forward to your reply.
Thank you.
————————

A sample e-mail message looks like:

    [screenshot of the e-mail message]

The executable file inside the attachment has an icon disguised as a Microsoft Word document file:

    [screenshot of the executable's icon]

If the user opens the malicious attachment, it performs the following activities on the victim's machine:

  • It creates the following file:
    • C:\WINDOWS\System32\svrwsc.exe – Detected as GAV: Bredolab.ZX (Trojan)
  • It injects itself into the following processes:
    • C:\WINDOWS\system32\csrss.exe
    • C:\WINDOWS\System32\svchost.exe
  • It attempts to access the following files and fails, possibly looking for a prior infection:
    • (Application Data)\Microsoft\OFFICE\TEMP\doc~1.dat
    • (Application Data)\Microsoft\OFFICE\TEMP\doc~2.dat
  • It connects to a predetermined malicious domain, musiceng.ru, and sends process information:

    [screenshot of the network traffic]

  • It creates the following registry keys to ensure svrwsc.exe starts as a service on every system restart under the name “Windows Security Center Service”:
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Type: 0x00000010
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Start: 0x00000002
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\ErrorControl: 0x00000000
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\ImagePath: “C:\WINDOWS\System32\svrwsc.exe”
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\DisplayName: “Windows Security Center Service”
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\ObjectName: “LocalSystem”
    • HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc\Description: “The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service.”
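The registry writes listed for Prolaco (Run-key autostart, EnableLUA set to 0, a firewall AuthorizedApplications entry) and for Bredolab (a new service with ImagePath and Start=2) are the kind of events a host monitor can turn into detections. The Python below is an added example, not SonicWALL's or any vendor's detection logic: it applies a small rule set to registry-write records given as key / value name / data triples, the shape a Sysmon-style registry event reduces to. The events are constructed from the entries in both write-ups (with the {user} placeholder filled as a literal "user"), the tag names are my own, and the rules cover only what those two reports describe.

```python
import re
from typing import Dict, List, Optional

# Constructed registry-write events modelled on the Prolaco and Bredolab
# entries above (one key / value name / data triple per write); not a real log.
SAMPLE_EVENTS = [
    {"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "HP Software Updater5", "data": r"\WINDOWS\System32\HPWuSchd5.exe"},
    {"key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
     "value": "RTHDBPL",
     "data": r"\Documents and Settings\user\Application Data\System\Proclsass.exe"},
    {"key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system",
     "value": "EnableLUA", "data": "0x00000000"},
    {"key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
     "value": r"C:\WINDOWS\System32\HPWuSchd5.exe",
     "data": r"C:\WINDOWS\System32\HPWuSchd5.exe:*:Enabled:Explorer"},
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc",
     "value": "ImagePath", "data": r"C:\WINDOWS\System32\svrwsc.exe"},
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Services\SvrWsc",
     "value": "Start", "data": "0x00000002"},
    {"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings",
     "value": "ProxyEnable", "data": "0x00000000"},   # benign control event
]

# Key patterns; the hive prefix is deliberately not anchored so HKLM and
# HKEY_LOCAL_MACHINE spellings both match.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(policies\\Explorer\\)?Run$", re.I)
UAC_POLICY_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\policies\\system$", re.I)
FIREWALL_LIST = re.compile(r"\\FirewallPolicy\\\w+Profile\\AuthorizedApplications\\List$", re.I)
SERVICE_KEY = re.compile(r"\\CurrentControlSet\\Services\\[^\\]+$", re.I)
SERVICE_AUTO_START = 2   # value of Start that makes a service start at boot


def _as_int(data: str) -> Optional[int]:
    """Parse "0x00000002"-style or decimal DWORD text; None if not numeric."""
    try:
        return int(data, 0)
    except ValueError:
        return None


def classify(event: Dict[str, str]) -> List[str]:
    """Return the persistence / defence-evasion tags that apply to one write."""
    key, value, data = event["key"], event["value"], event["data"]
    tags: List[str] = []
    if RUN_KEY.search(key):
        tags.append("autorun-persistence")
        if "application data" in data.lower():        # executable living in the user profile
            tags.append("autorun-from-user-profile")
    if UAC_POLICY_KEY.search(key) and value.lower() == "enablelua" and _as_int(data) == 0:
        tags.append("uac-disabled")
    if FIREWALL_LIST.search(key) and ":*:Enabled:" in data:
        tags.append("firewall-exception-added")
    if SERVICE_KEY.search(key):
        if value.lower() == "imagepath":
            tags.append("service-imagepath-set")
        elif value.lower() == "start" and _as_int(data) == SERVICE_AUTO_START:
            tags.append("service-autostart")
    return tags


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> tags for every event that matched at least one rule."""
    result: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            result[i] = tags
    return result


if __name__ == "__main__":
    for index, tags in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["value"], "->", ", ".join(tags))
```

Each rule on its own fires on legitimate installers too; the value of the set is correlation, since a single process writing an autorun entry, disabling UAC and adding its own firewall exception within seconds is exactly the sequence both write-ups describe.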

SonicWALL Gateway AntiVirus provides protection against this Bredolab Trojan variant with GAV: Bredolab.ZX (Trojan) signature.


MS Outlook ATTACH_BY_REFERENCE (July 16, 2010)

The Microsoft Outlook email client implements all popular email protocols such as SMTP, POP3 and IMAP, as well as Microsoft’s own proprietary standards. Attachments, rich text and HTML emails are transferred between email client and server in encoded formats in order to adhere to the 7-bit character limitation. There are several methods used to accomplish this, one of which is a proprietary Microsoft encoding format called the Transport Neutral Encapsulation Format (TNEF). The TNEF specification encodes and encapsulates the message body in a file attachment using “winmail.dat” as its filename.

The structure of TNEF allows for pointing to other email attachments, included in the email or referred to with a URL. The URL is interpreted by Outlook and the resource is requested and subsequently handled by the system based on its type.

A design flaw exists in Microsoft Outlook when processing attachment URLs inside the mail body. The vulnerability lies in the attachment URL handling mechanism. Upon opening the attachment, the vulnerable application first attempts to confirm that the file extension is not on the black list. When the attachment body is not enclosed within the message but is instead referred to with a URL, the verification logic can be tricked into bypassing that check: if the URI referencing the attachment contains a query string, and the query string contains what may be interpreted as a file extension, then that perceived file extension is the one considered in the verification procedure.

It is possible to construct a specific attachment URI that Outlook will consider as safe, but upon downloading the attachment, will forward the file to the operating system for execution without blocking.

An attacker must entice the target user to open a malicious attachment using a vulnerable version of the affected product. Successful exploitation may allow the download and execution of arbitrary code with the privileges of the currently logged in user.
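The flaw above comes down to where the "file extension" is read from. The Python below is an added example (not Microsoft's code and not a description of Outlook's real implementation): `extension_seen_by_naive_check` is a hypothetical model of the flawed logic, taking the extension from the tail of the whole URI string, while `extension_of_referenced_file` derives it the right way, from the last path segment only, after the query string and fragment are stripped and percent-escapes are decoded. The percent-encoded case goes slightly beyond the query-string case the advisory names; it is included because the same "look at the path component" rule handles it. BLOCKED_EXTENSIONS is a constructed subset, not Outlook's list, and the sample URIs are constructed.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# A short constructed subset of an "unsafe file type" list; Outlook's actual
# list is not reproduced here.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs"}


def _extension(name: str) -> str:
    """Lower-cased extension of `name` ('' if it has none)."""
    return posixpath.splitext(name)[1].lower()


def extension_seen_by_naive_check(uri: str) -> str:
    """Hypothetical model of the flawed check: the extension is read off the end
    of the whole URI string, so whatever follows the last '.' in a query string
    wins, and a percent-encoded dot in the file name is not seen at all."""
    return _extension(uri)


def extension_of_referenced_file(uri: str) -> str:
    """Correct check: isolate the path, drop query and fragment, decode percent
    escapes, then take the extension of the last path segment only."""
    parts = urlsplit(uri)
    filename = posixpath.basename(unquote(parts.path))
    return _extension(filename)


def is_blocked(uri: str, naive: bool = False) -> bool:
    """True when the referenced file's extension is on the block list."""
    ext = extension_seen_by_naive_check(uri) if naive else extension_of_referenced_file(uri)
    return ext in BLOCKED_EXTENSIONS


# Constructed sample references (no real hosts).
SAMPLES = [
    "http://files.example.test/docs/report.pdf",
    "http://files.example.test/docs/tool.exe",
    "http://files.example.test/docs/tool.exe?name=report.txt",
    "http://files.example.test/docs/tool%2Eexe",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri}\n  naive: {is_blocked(uri, naive=True)}  correct: {is_blocked(uri)}")
```

The general lesson is that any decision about a remote resource must be made on the same normalised name the downloader will eventually hand to the operating system, never on the raw reference string.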

SonicWALL has released two IPS signatures to detect and block known existing exploits targeting this flaw. The following signatures were released to address this issue:

  • 4662 – MS Outlook SMB Code Execution PoC 1 (MS10-045)
  • 4664 – MS Outlook SMB Code Execution PoC 2 (MS10-045)

Mitre has assigned the ID CVE-2010-0266. The vendor has released a security advisory regarding this issue.

Oficla Trojan spam campaigns (July 9, 2010)

The SonicWALL UTM Research team observed multiple spam campaigns in the last 3 days involving the Oficla Trojan. SonicWALL has received more than 10,000 e-mail copies from these spam campaigns so far. The e-mail messages contain a zip archive attachment which holds the new variant of the Oficla Trojan executable.

The e-mail formats from these spam campaigns are shown below:

Campaign #1 – Changelog document spam

Attachment: Changelog_05_07_2010.zip (contains Changelog_05_07_2010.DOC.exe)

Subject: Your log 06.07.2010

Email Body:
————————
Good afternoon,
as promised your changelog is attached,
Sandy
————————

The email message looks like:

    [screenshot of the e-mail message]

Campaign #2 – Fees document spam

Attachment: Fees_2010.zip (contains Fees_2010.DOC.exe)

Subject: Your fees 2010

Email Body:
————————
Please find attached a statement of fees as requested, this will be posted today.
The accommodation is dealt with by another section and I have passed your request on to them today.

Kind regards.
Gina Martinez
————————

The email message looks like:

    [screenshot of the e-mail message]

The executable file inside the attachment has an icon disguised as a Microsoft Word document file:

    [screenshot of the executable's icon]

If the user opens the malicious attachment, it performs the following activities on the victim machine:

  • Connects to a predetermined C&C server and sends system information. The server responds with a command to download and run a malware executable, and also supplies backup URLs for the C&C server.

    [screenshot of the C&C exchange]

  • Drops the following malicious executable files, some of which are downloaded from URLs received from the C&C server:
    • (Temp)\10.tmp – Detected as GAV: Bredolab.PCK (Trojan)
    • (Temp)\14.tmp – Detected as GAV: Bredolab.PCK_2 (Trojan)
    • (Temp)\15.tmp – Detected as GAV: Bredolab.PCK_2 (Trojan)
    • (Temp)\F.tmp – Detected as GAV: Oficla_8 (Trojan)
    • (System)\thxr.wgo – Detected as GAV: Oficla_8 (Trojan)
  • Injects F.tmp into the svchost.exe process.
  • Deletes the original copy of the file that was opened by the user.
  • Modifies the following registry entry to ensure thxr.wgo gets injected on every system restart:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “Explorer.exe rundll32.exe thxr.wgo nwfdtx”
  • Creates the following registry entries to store the backup C&C server URLs in hexadecimal format:
    • HKLM\SOFTWARE\Classes\idid\url1: (URL in hexadecimal format)
    • HKLM\SOFTWARE\Classes\idid\url2: (URL in hexadecimal format)
    • HKLM\SOFTWARE\Classes\idid\url3: (URL in hexadecimal format)

SonicWALL Gateway AntiVirus provides protection against this Oficla Trojan variant by GAV: Oficla.GW_2 (Trojan) signature.


VMware SpringSource Remote Code Execution (July 8, 2010)

SpringSource, a division of VMware, Inc., provides a suite of software products that accelerate the build, run and manage lifecycle of enterprise Java applications. SpringSource also provides support for the open source application frameworks Spring and Grails, which run on the Java Virtual Machine. The SpringSource Spring Framework is an application framework for Java web development.

Java is a programming language originally developed by James Gosling at Sun Microsystems. Java is general-purpose, concurrent, class-based and object-oriented, and is specifically designed to have as few implementation dependencies as possible. All code in Java is written inside a class and everything is an object, with the exception of the intrinsic data types (ordinal and real numbers, boolean values and characters), which are not classes for performance reasons. A typical Java class is listed below:

    // Outputs "Hello, world!" and then exits
    public class HelloWorld {
        public static void main(String[] args) {
            System.out.println("Hello, world!");
        }
    }

A software construct used within the Spring Framework is the JavaBean. A JavaBean is a reusable software component that conforms to a particular convention. It is a Java Object that is serializable, has a nullary constructor, and allows access to properties using getter and setter methods. One way Spring Framework enables rapid web application development is by leveraging introspection and JavaBeans into a single concept: a form backing bean. A form backing bean enables a Java Spring developer to map web form input to a JavaBean. The mapping has several properties:

  • commandClass – the class of the object that will be used to represent the data in this form.
  • commandName – the name of the command object.
  • sessionForm
  • validator – a class that validates data that is passed in from the form.
  • formView – the JSP for the form.
  • successView – the JSP that the user is routed to if the form submits with no validation errors.

When an HTML form is submitted to a URL, the Spring web framework will instantiate an instance of the JavaBean specified by commandClass.

A remote code execution vulnerability exists in the VMware SpringSource Spring Framework. The vulnerability is due to a design error when processing submissions to a URL that uses a form backing bean. During the class's initialization, all properties of the Class object can be modified by a remote user, including the Class object’s classLoader property. This allows an attacker to inject and execute arbitrary code with the privileges of the target service.
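The mechanism above is a form of mass assignment: a binder that walks every submitted dotted property path with reflection can be steered from the form bean into its type metadata. The Python below is an added example, not Spring code and not a Java reproduction of the issue: `bind_unrestricted` models the naive binder (the walk starts with `getattr`, so the path `__class__.banner` reaches the class object, the analogue of the `class.classLoader` path in the Java case), and `bind_allowlisted` models the fix of binding only an explicit allow-list of field paths and reporting the rest. The `UserForm`/`Address` beans, `ALLOWED_FIELDS` and the submission are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Set


@dataclass
class Address:
    street: str = ""
    city: str = ""


@dataclass
class UserForm:
    """Stand-in for a form backing bean: plain fields plus a nested bean."""
    name: str = ""
    address: Address = field(default_factory=Address)


def _walk_and_set(bean: Any, path: str, value: Any) -> None:
    """Follow a dotted property path with getattr and assign the last segment."""
    *head, last = path.split(".")
    target = bean
    for segment in head:
        target = getattr(target, segment)
    setattr(target, last, value)


def bind_unrestricted(bean: Any, params: Dict[str, Any]) -> None:
    """Naive binder: every submitted path is bound. Because the walk starts with
    getattr, a path through the object's type metadata ("__class__" here, the
    Class object's properties in the Java case) is reachable too."""
    for path, value in params.items():
        _walk_and_set(bean, path, value)


ALLOWED_FIELDS: Set[str] = {"name", "address.street", "address.city"}


def bind_allowlisted(bean: Any, params: Dict[str, Any]) -> List[str]:
    """Hardened binder: only explicitly allowed field paths are bound; the rest
    are reported back and never touched."""
    rejected: List[str] = []
    for path, value in params.items():
        if path in ALLOWED_FIELDS:
            _walk_and_set(bean, path, value)
        else:
            rejected.append(path)
    return rejected


# Constructed form submission; the last entry targets type metadata, not a form field.
SUBMISSION = {"name": "alice", "address.city": "Oslo", "__class__.banner": "tampered"}


def demonstrate_metadata_reach() -> bool:
    """Bind SUBMISSION with the naive binder and report whether the *class* was
    mutated (a change every other instance would see); undo it afterwards."""
    bind_unrestricted(UserForm(), SUBMISSION)
    leaked = getattr(UserForm, "banner", None) == "tampered"
    if leaked:
        delattr(UserForm, "banner")
    return leaked


if __name__ == "__main__":
    form = UserForm()
    print("rejected by allow-list:", bind_allowlisted(form, SUBMISSION))
    print("bound form:", form)
    print("naive binder reached the class object:", demonstrate_metadata_reach())
```

An allow-list of bindable fields is the durable control because it does not depend on knowing every metadata path a given runtime exposes.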

SonicWALL UTM team has researched this vulnerability and created the following IPS signature:

  • 4551 VMware SpringSource Remote Code Execution

This issue is identified as CVE-2010-1622.

Novell iManager Tree Name Denial of Service (July 1, 2010)

Novell iManager is a Web-based administration console that provides customized access to network administration utilities and content from virtually any location in the world. A default installation of Novell iManager includes the Apache HTTP server, Tomcat application container and so on.

Novell iManager provides services through HTTP on port 8080/TCP, and HTTPS on port 8443/TCP. The iManager default login page is accessible via the following URL:

https://{host}:{port}/nps/servlet/webacc

where the port is 8443 by default.

The login page listed above has three login inputs: a User Name, a Password and a Tree Name. The input data and various other hidden parameters are submitted to the same URI using an HTTP POST request. The data is passed to the iManager application as web form variables. The Tree Name parameter is passed in the variable “tree”.

A denial of service vulnerability exists in the Novell iManager web application. The vulnerability is due to a failure of the application to properly check the length of the variable tree submitted within the iManager login request. Specifically, the vulnerable code checks the input string and appends extra characters to it, which overwrites a stack buffer. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP GET or POST request to the server. This will result in abnormal termination of the affected service process, causing a denial of service condition.

SonicWALL UTM team has researched this vulnerability, and created the following IPS signature to prevent/detect the attacks addressing this issue:

  • 5475 Generic Server Application Buffer Overflow Exploit 2

This vulnerability is identified as CVE-2010-1930.

Backdoor Lecna Exploits MS hcp URL XSS Vulnerability (July 1, 2010)

The SonicWALL UTM Research team received reports of malware actively exploiting the recently reported vulnerability in Windows Help and Support Center (CVE-2010-1885), covered in the MS hcp-URL Cross Site Scripting alert of June 10, 2010.

The malware author used the code below to exploit the vulnerability:

    [screenshot of the exploit code]

Upon successful exploitation, it downloads a component JavaScript file, shown below, as its payload:

    [screenshot of the JavaScript payload]

This file is blocked by SonicWALL as GAV: JS.HCP.SVR.XSS (Exploit).

This script then downloads and executes the Backdoor Lecna file, which uses an Adobe Acrobat icon to disguise itself as an Acrobat file.

    [screenshot of the disguised file]

Malware Installation

Mutex Name:
To ensure that only one instance of this malware is running on the infected system it creates a mutex:

  • MicrosoftForZR

Files Added:
It drops a copy in Startup folder which allows itself to run on every system startup.

  • (Documents and Settings)\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.exe – GAV: Lecna.GEN (Trojan)

Registries Added:
It writes into the registry the host id which marks systems it successfully infected:

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentIESetup
    Value: hostid
    Data: dword:000045f2

Files Downloaded:
It downloads the following files, which are actually executables:

  • www.{REMOVED}.com/ForZRMail/myapp.htm – GAV: Lecna.GEN (Trojan)
  • www.{REMOVED}.com/ForZRMail/zr.txt – GAV: Lecna.GEN_2 (Trojan)

Network Activity:
Tries to connect to the following:

  • 77.90.80.0
  • www.vic{REMOVED}.com
  • www.ian{REMOVED}.com

SonicWALL Gateway AntiVirus provides protection against this malicious backdoor via the following signatures:

  • GAV: HCP.SVR.XSS.1 (Exploit)
  • GAV: JS.HCP.SVR.XSS (Exploit)
  • GAV: Lecna.GEN (Trojan)
  • GAV: Lecna.GEN_2 (Trojan)


HP OpenView NNM arg Buffer Overflow (June 25, 2010)

HP OpenView software provides large-scale system and network management of an organization’s IT infrastructure. One of the modules provided by HP OpenView is the Network Node Manager (NNM), which supplies web-based tools to view the status of a network. NNM provides several CGI applications which allow users to manage the NNM server using a web browser; one of these CGI applications is jovgraph.exe.

There exists a buffer overflow vulnerability in HP OpenView Network Node Manager. Specifically, the vulnerability is due to insufficient boundary checking when jovgraph.exe handles the arg parameter. The vulnerable code does not validate the length of the arg parameter and copies the whole string into a fixed-length stack-based buffer.

A remote attacker can exploit this vulnerability by sending a crafted HTTP request to the target server. Successful exploitation would overwrite critical stack data, such as return addresses and exception handlers, and lead to arbitrary code injection and execution. If code execution is not successful, the vulnerable process may terminate abnormally, resulting in a denial of service condition.

The CVE identifier for this vulnerability is CVE-2010-1960.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 4376 HP OpenView NNM jovgraph.exe BO Attempt
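The NNM `arg` overflow above and the Novell iManager `tree` overflow earlier on this page share one detectable shape: an over-long value for a named parameter in a request to a specific path, which is what a generic "server application buffer overflow" signature keys on. The Python below is an added example (not SonicWALL's signature engine) serving both write-ups: it parses a raw HTTP/1.x request, merges query-string and form-encoded body parameters, and reports which length rules are exceeded. The `max_len` thresholds are assumptions, because neither advisory states the real buffer sizes; the rule names are mine; and the three sample requests, including the `/OvCgi/` prefix on the jovgraph.exe request, are constructed.

```python
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Hypothetical per-parameter limits: the advisories say the buffers are
# fixed-size but not how large, so tune these to what legitimate traffic needs.
RULES = [
    {"name": "imanager-tree-too-long", "path_suffix": "/nps/servlet/webacc",
     "param": "tree", "max_len": 256},
    {"name": "nnm-jovgraph-arg-too-long", "path_suffix": "/jovgraph.exe",
     "param": "arg", "max_len": 512},
]


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, path, params) for a simple HTTP/1.x request; query-string
    parameters and form-encoded body parameters are merged into one dict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", "replace").split(" ")
    if len(request_line) < 2:
        raise ValueError("malformed request line")
    method, target = request_line[0], request_line[1]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if headers.get("content-type", "").lower().startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    return method, parts.path, params


def check_request(raw: bytes) -> List[str]:
    """Names of the rules the request violates (empty when it looks benign)."""
    _method, path, params = parse_http_request(raw)
    return [
        rule["name"]
        for rule in RULES
        if path.lower().endswith(rule["path_suffix"])
        and len(params.get(rule["param"], "")) > rule["max_len"]
    ]


# Constructed sample requests (no real hosts or credentials).
IMANAGER_LOGIN_OK = (
    b"POST /nps/servlet/webacc HTTP/1.1\r\n"
    b"Host: imanager.example.test:8443\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"username=admin&password=secret&tree=CORP_TREE"
)
IMANAGER_LOGIN_LONG = (
    b"POST /nps/servlet/webacc HTTP/1.1\r\n"
    b"Host: imanager.example.test:8443\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"username=admin&password=secret&tree=" + b"A" * 300
)
NNM_ARG_LONG = (
    b"GET /OvCgi/jovgraph.exe?arg=" + b"A" * 600 + b" HTTP/1.1\r\n"
    b"Host: nnm.example.test\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in [("imanager ok", IMANAGER_LOGIN_OK),
                       ("imanager long", IMANAGER_LOGIN_LONG),
                       ("nnm long", NNM_ARG_LONG)]:
        print(f"{label:14s} -> {check_request(req) or 'no match'}")
```

Checking GET and POST through the same parser matters for the iManager case in particular, since the advisory notes that either method triggers the condition.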