
Microsoft Security Bulletins Coverage (Dec 15, 2010)

SonicWALL has analyzed and addressed Microsoft’s security advisories for December 2010. The issues reported, along with SonicWALL coverage information, are listed below:

MS10-090 Cumulative Security Update for Internet Explorer (2416400)

  • CVE-2010-3340 – HTML Object Memory Corruption Vulnerability
    IPS 6090 MS IE HTML Object Memory Corruption 1 (MS10-090)
  • CVE-2010-3342 – Cross-Domain Information Disclosure Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3343 – HTML Object Memory Corruption Vulnerability
    IPS 6091 MS IE HTML Object Memory Corruption 2 (MS10-090)
  • CVE-2010-3345 – HTML Element Memory Corruption Vulnerability
    Note: It is not feasible to detect the attacks at gateway level.
  • CVE-2010-3346 – HTML Element Memory Corruption Vulnerability
    Note: It is not feasible to detect the attacks at gateway level.
  • CVE-2010-3348 – Cross-Domain Information Disclosure Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3962 – Uninitialized Memory Corruption Vulnerability
    IPS 5908 Malicious HTML Style Tag 1
    IPS 5943 MS IE Invalid Flag Reference Memory Corruption 1

MS10-091 Vulnerabilities in the OpenType Font (OTF) Driver Could Allow Remote Code Execution (2296199)

  • CVE-2010-3956 – OpenType Font Index Vulnerability
    IPS 6087 Malicious Font File 7b
  • CVE-2010-3957 – OpenType Font Double Free Vulnerability
    IPS 6088 Malicious Font File 8b
  • CVE-2010-3959 – OpenType CMAP Table Vulnerability
    IPS 6089 Malicious Font File 9b

MS10-092 Vulnerability in Task Scheduler Could Allow Elevation of Privilege (2305420)

  • CVE-2010-3338 – Task Scheduler Vulnerability
    Note: Local elevation of privilege.

MS10-093 Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (2424434)

  • CVE-2010-3967 – Insecure Library Loading Vulnerability
    Note: It is not feasible to detect the attacks at gateway level.

MS10-094 Vulnerability in Windows Media Encoder Could Allow Remote Code Execution (2447961)

  • CVE-2010-3965 – Insecure Library Loading Vulnerability
    Note: It is not feasible to detect the attacks at gateway level.

MS10-095 Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2385678)

  • CVE-2010-3966 – BranchCache Insecure Library Loading Vulnerability
    Note: It is not feasible to detect the attacks at gateway level.

MS10-096 Vulnerability in Windows Address Book Could Allow Remote Code Execution (2423089)

  • CVE-2010-3147 – Insecure Library Loading Vulnerability
    Note: It is not feasible to detect the attacks at gateway level.

MS10-097 Insecure Library Loading in Internet Connection Signup Wizard Could Allow Remote Code Execution (2443105)

  • CVE-2010-3144 – Internet Connection Signup Wizard Insecure Library Loading Vulnerability
    Note: It is not feasible to detect the attacks at gateway level.

MS10-098 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2436673)

  • CVE-2010-3939 – Win32k Buffer Overflow Vulnerability
    Note: Local elevation of privilege.
  • CVE-2010-3940 – Win32k PFE Pointer Double Free Vulnerability
    Note: Local elevation of privilege.
  • CVE-2010-3941 – Win32k Double Free Vulnerability
    Note: Local elevation of privilege.
  • CVE-2010-3942 – Win32k WriteAV Vulnerability
    Note: Local elevation of privilege.
  • CVE-2010-3943 – Win32k Cursor Linking Vulnerability
    Note: Local elevation of privilege.
  • CVE-2010-3944 – Win32k Memory Corruption Vulnerability
    Note: Local elevation of privilege.

MS10-099 Vulnerability in Routing and Remote Access Could Allow Elevation of Privilege (2440591)

  • CVE-2010-3963 – Kernel NDProxy Buffer Overflow Vulnerability
    Note: Local elevation of privilege.

MS10-100 Vulnerability in Consent User Interface Could Allow Elevation of Privilege (2442962)

  • CVE-2010-3961 – Consent UI Impersonation Vulnerability
    Note: Local elevation of privilege.

MS10-101 Vulnerability in Windows Netlogon Service Could Allow Denial of Service (2207559)

  • CVE-2010-2742 – Netlogon RPC Null dereference DOS Vulnerability
    IPS 6086 MS Windows Netlogon Service DoS

MS10-102 Vulnerability in Hyper-V Could Allow Denial of Service (2345316)

  • CVE-2010-3960 – Hyper-V VMBus Vulnerability
    Note: It is not feasible to detect the attacks at gateway level.

MS10-103 Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2292970)

  • CVE-2010-2569 – Size Value Heap Corruption in pubconv.dll Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-2570 – Heap Overrun in pubconv.dll Vulnerability
    IPS 6084 Malicious Publisher Document 1b
  • CVE-2010-2571 – Memory Corruption Due To Invalid Index Into Array in Pubconv.dll Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3954 – Microsoft Publisher Memory Corruption Vulnerability
    Note: There are no known public exploits targeting this vulnerability.
  • CVE-2010-3955 – Array Indexing Memory Corruption Vulnerability
    IPS 6085 Malicious Publisher Document 2b

MS10-104 Vulnerability in Microsoft SharePoint Could Allow Remote Code Execution (2455005)

  • CVE-2010-3964 – Malformed Request Code Execution Vulnerability
    IPS 6083 MS SharePoint Malformed Request 1b

MS10-105 Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution (968095)

  • CVE-2010-3945 – CGM Image Converter Buffer Overrun Vulnerability
    IPS 6077 Malicious Image File 1b
  • CVE-2010-3946 – PICT Image Converter Integer Overflow Vulnerability
    IPS 6078 Malicious Image File 2b
  • CVE-2010-3947 – TIFF Image Converter Heap Overflow Vulnerability
    IPS 6079 Malicious Image File 3b
  • CVE-2010-3949 – TIFF Image Converter Buffer Overflow Vulnerability
    IPS 6080 Malicious Image File 4b
  • CVE-2010-3950 – TIFF Image Converter Memory Corruption Vulnerability
    IPS 6080 Malicious Image File 4b
  • CVE-2010-3951 – FlashPix Image Converter Buffer Overflow Vulnerability
    IPS 6081 Malicious Image File 5b
  • CVE-2010-3952 – FlashPix Image Converter Heap Corruption Vulnerability
    IPS 6082 Malicious Image File 6b

MS10-106 Vulnerability in Microsoft Exchange Server Could Allow Denial of Service (2407132)

  • CVE-2010-3937 – Exchange Server Infinite Loop Vulnerability
    Note: There are no known public exploits targeting this vulnerability.

New IE 0-day Vulnerability (Nov 5, 2010)

The SonicWALL UTM Research team received reports of a new Internet Explorer 0-day vulnerability being exploited in the wild. Internet Explorer versions 6, 7 and 8 are affected. The vulnerability is actively being targeted through specially crafted HTML pages hosted on compromised sites.

The HTML page contains heavily obfuscated malicious JavaScript that encloses the shellcode and a NOP sled. On a successful exploit attempt the shellcode executes and downloads and runs a malicious executable on the victim machine.

During our research we found the shellcode enclosed within the JavaScript to be encrypted; a snippet of the decrypted code is shown below:

[screenshot: decrypted shellcode snippet]

The code shown above downloads the file linkbl.gif from a compromised site. Despite its name, the file is an encrypted malicious executable carrying a GIF header to evade AV detection; on the victim machine it is decrypted and the GIF header is replaced with an MZ header.
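The header swap described above is what makes the download look like an image to a signature-only check. The following added example (not SonicWALL's code, and not the dropper's own routine) shows the two sides of that trick: a structural GIF walk that rejects a file which merely starts with "GIF89a", and an unwrap routine that strips the GIF signature, decrypts the body and restores the MZ header. The post does not state the cipher, so a single-byte XOR is assumed as a stand-in, and the PE skeleton, key and sample GIF are constructed for the demonstration.

```python
"""Structural GIF validation and unwrapping of a GIF-disguised executable.

Added example, not SonicWALL's code. The post says only that linkbl.gif
is an encrypted executable carrying a GIF header, and that the GIF header
is swapped for an MZ header after decryption. The cipher is not given, so
a single-byte XOR is ASSUMED here as a stand-in; the PE skeleton and key
below are constructed for the demonstration.
"""
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
XOR_KEY = 0x5A  # assumed stand-in key; the real dropper's scheme is not in the post


def walks_as_gif(data: bytes) -> bool:
    """True only if data is a structurally valid GIF, not merely GIF-prefixed.

    Walks signature -> logical screen descriptor -> (extension | image)*
    -> trailer. Ciphertext after a pasted-on "GIF89a" fails at the first
    block byte, which is what a gateway or AV engine can key on.
    """
    if len(data) < 13 or data[:6] not in GIF_SIGNATURES:
        return False
    packed = data[10]                     # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                     # global colour table follows
        pos += 3 * (1 << ((packed & 0x07) + 1))

    def skip_subblocks(p: int) -> int:
        # data sub-blocks: <len><bytes>... terminated by a zero length byte
        while True:
            if p >= len(data):
                raise ValueError("truncated sub-block chain")
            n = data[p]
            p += 1
            if n == 0:
                return p
            p += n

    try:
        while pos < len(data):
            block = data[pos]
            pos += 1
            if block == 0x3B:             # trailer: well-formed end of file
                return True
            if block == 0x21:             # extension: label byte, then sub-blocks
                pos = skip_subblocks(pos + 1)
            elif block == 0x2C:           # image descriptor: 9 bytes + optional LCT
                if pos + 9 > len(data):
                    return False
                local_packed = data[pos + 8]
                pos += 9
                if local_packed & 0x80:
                    pos += 3 * (1 << ((local_packed & 0x07) + 1))
                pos = skip_subblocks(pos + 1)   # skip LZW min code size, then data
            else:
                return False              # not a GIF block: opaque bytes after the header
    except ValueError:
        return False
    return False                          # ran off the end without a trailer


def looks_like_pe(data: bytes) -> bool:
    """Minimal MZ/PE sanity check: 'MZ' at offset 0, 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_pe_stub() -> bytes:
    """Constructed minimal MZ/PE skeleton standing in for the dropped executable."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)               # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, 0)  # IMAGE_FILE_HEADER, i386
    return bytes(dos_header) + b"PE\0\0" + coff


def disguise_as_gif(pe: bytes, key: int = XOR_KEY) -> bytes:
    """Assumed dropper-side wrapping: drop 'MZ', XOR the rest, paste a GIF signature on."""
    if not looks_like_pe(pe):
        raise ValueError("input is not a PE image")
    return b"GIF89a" + bytes(b ^ key for b in pe[2:])


def unwrap_disguised_gif(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Reverse of disguise_as_gif: strip the GIF signature, decrypt, restore 'MZ'."""
    if blob[:6] not in GIF_SIGNATURES:
        raise ValueError("no GIF signature to strip")
    pe = b"MZ" + bytes(b ^ key for b in blob[6:])
    if not looks_like_pe(pe):
        raise ValueError("decrypted body is not a PE image (wrong key or layout?)")
    return pe


# Constructed 1x1 GIF that passes the structural walk.
MINIMAL_GIF = (
    b"GIF89a"
    + b"\x01\x00\x01\x00\x80\x00\x00"                 # 1x1, global colour table of 2 entries
    + b"\x00\x00\x00\xff\xff\xff"                     # the two palette entries
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"     # image descriptor
    + b"\x02\x02\x44\x01\x00"                         # LZW min code size, one sub-block, terminator
    + b"\x3b"                                         # trailer
)


def classify(blob: bytes) -> str:
    """Label a download the way a content inspector might."""
    if walks_as_gif(blob):
        return "gif"
    if blob[:6] in GIF_SIGNATURES:
        try:
            unwrap_disguised_gif(blob)
            return "gif-disguised-pe"
        except ValueError:
            return "gif-header-only"
    return "other"


if __name__ == "__main__":
    wrapped = disguise_as_gif(build_pe_stub())
    print("real gif:", classify(MINIMAL_GIF))        # gif
    print("linkbl-style blob:", classify(wrapped))   # gif-disguised-pe
```

The useful defensive point is the first function: a file that passes a magic-bytes check but does not walk as a GIF is worth quarantining regardless of whether the cipher is known, whereas the unwrap step only works once the key and layout have been recovered from the shellcode.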

The malware performs the following activities upon execution:

  • Drops the following two files on the victim machine:
    • (STARTUP)\ctfmon.exe [Detected as GAV: Agent.IEM (Trojan)]
    • (SYSTEM32)\msnetacsvc.dll [Detected as GAV: Pirpi.D (Trojan)]

  • Registers the dropped DLL as a svchost-hosted service, so that it runs on every system reboot, by creating the following registry entries:
    • HKLM\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Parameters\ServiceDll: “%SystemRoot%\System32\msnetacsvc.dll”
    • HKLM\SYSTEM\CurrentControlSet\Services\NWCWorkstation\ImagePath: “%SystemRoot%\System32\svchost.exe -k netsvcs”
    • HKLM\SYSTEM\CurrentControlSet\Services\NWCWorkstation\DisplayName: “NetWare Workstations”
  • Opens a backdoor on the victim machine and attempts to connect to the IP address of a server hosted in Poland. The server was still actively serving encrypted command files at the time of writing. Sample command files requested:
    • GET /bbs/OmIxA9gILmICAAAAPDlUKWrsYsjh0XQxOpixOpixOpiA.gif
    • GET /binary/jXor5LTseXmEAAAAihV0f-Pux4Xbv_grj1Wrj1Wrj1UA.rar
    • GET /picture/OdEw2TlxLdEDAAAAPThVKGntYcfg0HUwO9ewO9ewO9eA.jpg
    • GET /images/Y6V8BWHA1AUIAAAAWtefUqtsaX7fGXD9g5mA.gif
    • GET /news/kHgu4hdmhHeCAAAAlx7Xgkpzwkh7xecukL8ukL8ukL6A.jpg
    • GET /pic/9AWMBYsPcAUgAAAA8un9djhBrNp2tiOM9IoM9IoM9ImA.bmp

    Directories contacted on the server include bbs, binary, pic, picture, image, images, index, and news.
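The request paths above share a shape that a proxy-log hunt can key on: an ordinary-looking directory, an image or archive extension, and a filename stem that is really a long base64url blob. The following added example (not SonicWALL's code) runs that heuristic over constructed log lines, flagging fetches whose stem is long, drawn from the base64url alphabet and decodes to mostly non-printable bytes. The six suspect paths are copied from the post; the log format, the length threshold, the printable-ratio cut-off and the extension list are assumptions for the demonstration.

```python
"""Proxy-log heuristic for C2 fetches that hide an opaque base64url blob
behind an image or archive filename, as in the GET paths listed above.

Added example, not SonicWALL's code. The log lines are constructed for
this demonstration (the six suspect paths are copied from the post); the
length threshold, printable-ratio cut-off and extension list are assumed
tuning values, not figures from the post.
"""
import base64
import binascii
import re
import string

LINE_RE = re.compile(r'^(?P<src>\S+) "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})$')
SUSPECT_EXT = {"gif", "jpg", "jpeg", "png", "bmp", "rar"}  # assumed list
MIN_STEM_LEN = 32                                           # assumed threshold
MAX_PRINTABLE_RATIO = 0.8                                   # assumed cut-off
B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")
HEX_ALPHABET = set(string.hexdigits)


def opaque_base64_stem(stem: str) -> bool:
    """True if the filename stem is a long base64url string that decodes to
    mostly non-printable bytes, i.e. an encoded payload rather than a name."""
    if len(stem) < MIN_STEM_LEN or not set(stem) <= B64URL_ALPHABET:
        return False
    if set(stem) <= HEX_ALPHABET:
        return False            # content-hash filenames on CDNs are hex; leave them alone
    try:
        raw = base64.urlsafe_b64decode(stem + "=" * (-len(stem) % 4))
    except (binascii.Error, ValueError):
        return False            # not valid base64 (e.g. length % 4 == 1)
    if not raw:
        return False
    printable = sum(0x20 <= b < 0x7F for b in raw)
    return printable / len(raw) < MAX_PRINTABLE_RATIO


def flag_requests(lines):
    """Return (source, path) for each request whose filename looks like
    an encoded command blob dressed up as an image or archive."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        name = path.rsplit("/", 1)[-1]
        stem, _, ext = name.rpartition(".")
        if ext.lower() in SUSPECT_EXT and opaque_base64_stem(stem):
            hits.append((m.group("src"), path))
    return hits


# Constructed log lines: three benign image fetches, then the six paths from the post.
SAMPLE_LOG = [
    '10.0.0.5 "GET /static/logo.png HTTP/1.1" 200',
    '10.0.0.5 "GET /photos/IMG_20101105_1234.jpg HTTP/1.1" 200',
    '10.0.0.7 "GET /assets/5f4dcc3b5aa765d61d8327deb882cf99.png HTTP/1.1" 200',
    '10.0.0.9 "GET /bbs/OmIxA9gILmICAAAAPDlUKWrsYsjh0XQxOpixOpixOpiA.gif HTTP/1.1" 200',
    '10.0.0.9 "GET /binary/jXor5LTseXmEAAAAihV0f-Pux4Xbv_grj1Wrj1Wrj1UA.rar HTTP/1.1" 200',
    '10.0.0.9 "GET /picture/OdEw2TlxLdEDAAAAPThVKGntYcfg0HUwO9ewO9ewO9eA.jpg HTTP/1.1" 200',
    '10.0.0.9 "GET /images/Y6V8BWHA1AUIAAAAWtefUqtsaX7fGXD9g5mA.gif HTTP/1.1" 200',
    '10.0.0.9 "GET /news/kHgu4hdmhHeCAAAAlx7Xgkpzwkh7xecukL8ukL8ukL6A.jpg HTTP/1.1" 200',
    '10.0.0.9 "GET /pic/9AWMBYsPcAUgAAAA8un9djhBrNp2tiOM9IoM9IoM9ImA.bmp HTTP/1.1" 200',
]


if __name__ == "__main__":
    for src, path in flag_requests(SAMPLE_LOG):
        print(f"{src} suspicious fetch {path}")
```

This is a triage heuristic, not a signature: a long, readable, dash-separated filename can also decode to junk bytes and would be flagged, so it belongs alongside other signals (the same client fetching several such files across unrelated directories, a new svchost-hosted service on the host) rather than on its own.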

SonicWALL Gateway AntiVirus provided protection against this threat via the following signatures:

GAV: CVE-2010-3962.A (Exploit)
GAV: Pirpi.D#dldr (Trojan)
GAV: Agent.IEM (Trojan)
GAV: Pirpi.D (Trojan)
IPS: 5908 Malicious HTML Style Tag 1