Microsoft Security Bulletin Coverage (Jan 14, 2014)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of January 2014. The following is the list of issues reported, along with Dell SonicWALL coverage information:

MS14-001 Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605)

  • CVE-2014-0258 Microsoft Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0259 Microsoft Word Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2014-0260 Microsoft Word Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS14-002 Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368)

  • CVE-2013-5065 Kernel NDProxy Vulnerability
    GAV: Inject.DKI
    GAV: Pidief.SKD

MS14-003 Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602)

  • CVE-2014-0262 Win32k Window Handle Vulnerability
    There are no known exploits in the wild.

MS14-004 Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826)

  • CVE-2014-0261 Query Filter DoS Vulnerability
    There are no known exploits in the wild.

Adobe Reader, CVE-2013-3346 and Windows, CVE-2013-5065 Exploit Analysis (January 10, 2014)

In December, we reported an attack that leverages a combination of an Adobe Reader vulnerability (CVE-2013-3346) and a Windows local privilege escalation vulnerability (CVE-2013-5065). These vulnerabilities are already patched by their respective vendors.
The following write-up explains in detail how these vulnerabilities are exploited.

Attack Flow

Analysis of CVE-2013-3346

This is a use-after-free vulnerability in Adobe Reader which can be exploited using a specially crafted PDF file.
The exploit PDF has an obfuscated JavaScript stream.

After deobfuscation, we can see a piece of code that contains the shellcode, heap spray, payload, and ROP chain.

Here, the exploit is fine-tuned for Adobe Reader 10 and 11.

The following is the minimum crash code.

Here are some debugging images.
The following shows crash, normal execution and call in the corrupted structure.

This is what the corrupted structure looks like. We can see how the call pivots into the ROP chain.

This is a subset of the ROP chain.

Now a sequence of functions is called which ultimately drops and executes a malicious binary.

Analysis of CVE-2013-5065

This is a local privilege escalation vulnerability that could lead to code execution in ring0 context. The vulnerability exists in Microsoft’s NDProxy driver. It is triggered by an out-of-bounds condition in the IOCTL handler.
The proof of concept code is as follows:

The ‘CreateFile’ function opens NDProxy through I/O. As quoted in MSDN: “NDPROXY is a system-provided driver that interfaces NDISWAN and CoNDIS WAN drivers (WAN miniport drivers, call managers, and miniport call managers) to the TAPI services.” DeviceIoControl is then used to send the control code directly to the NDProxy driver. The code here is 0x8fff23cc.
There is no detailed documentation on this code, so let’s look at NDProxy.sys (v5.1.2600.5512).
The PxIODispatch(…) function handles the control codes:

As you can see, the code 0x8fff23cc corresponds to the execution of the code in the box. Also note, in the highlighted red box, that ‘eax’ equals 0x7030125, which is the value that was passed to the DeviceIoControl function above as part of the ‘InBuff’ [*(InBuf+5)]. Subtracting 7030101h from this gives 0x24. Let’s try to figure that out by debugging the sample. Executing the sample produces a crash:

Let’s look at the crash using WinDbg’s “!analyze -v”:

And the state of the registers:

As seen, the EIP points to 0x38 (crash).

Let’s look at NDProxy!PxIODispatch+0x2b3:

The call indexes into an array starting at off_18008. The index for the highlighted call is ‘eax’, which is 0x1b0, as you can see in the state of the registers above. So, 0x18008 + 0x1b0 = 0x181B8. Looking at this address:

And it points to 0x38 – exactly the place where EIP was during the crash. Thus, the value 0x7030125 is chosen carefully to lead to this crash.
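The arithmetic above, together with the range check such a table lookup needs, as an added example (not code from the driver or from the original write-up). The 12-byte entry stride is inferred from the page's numbers (0x1b0 / 0x24 = 0xC); the table length of 0x24 entries and the inclusive comparison are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define OID_BASE      0x07030101u /* constant subtracted in the handler (from the write-up) */
#define TABLE_OFFSET  0x00018008u /* off_18008, start of the call table (from the write-up) */
#define ENTRY_STRIDE  12u         /* inferred: 0x1b0 / 0x24 = 0xC bytes per table entry */
#define TABLE_ENTRIES 0x24u       /* ASSUMPTION: valid indices are 0 .. 0x23 */

/* Byte offset added to the table base; this is the 'eax' seen at the crash. */
uint32_t table_byte_offset(uint32_t oid) {
    return (oid - OID_BASE) * ENTRY_STRIDE;
}

/* Image-relative address the indirect call reads its target from. */
uint32_t lookup_address(uint32_t oid) {
    return TABLE_OFFSET + table_byte_offset(oid);
}

/* ASSUMED flawed form: an inclusive upper bound lets index == TABLE_ENTRIES through. */
int index_ok_inclusive(uint32_t oid) {
    return (oid - OID_BASE) <= TABLE_ENTRIES;
}

/* Hardened form: reject values below the base (unsigned wrap) and at or past the table end. */
int index_ok_strict(uint32_t oid) {
    if (oid < OID_BASE)
        return 0;
    return (oid - OID_BASE) < TABLE_ENTRIES;
}

int main(void) {
    const uint32_t oid = 0x07030125u; /* value from the write-up */
    printf("index          = 0x%x\n", (unsigned)(oid - OID_BASE));
    printf("byte offset    = 0x%x\n", (unsigned)table_byte_offset(oid));
    printf("lookup address = 0x%x\n", (unsigned)lookup_address(oid));
    printf("inclusive check accepts: %d\n", index_ok_inclusive(oid));
    printf("strict check accepts:    %d\n", index_ok_strict(oid));
    return 0;
}
```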

The flow is as follows:

Dell SonicWALL protects against this threat with the following signatures:

  • GAV: Inject.DKI (Trojan)
  • GAV: Pidief.SKD (Exploit)

Microsoft Windows Privilege escalation vulnerability (CVE-2013-5065) attacks (Dec 4, 2013)

The Dell SonicWALL Threats Research team observed reports of a new Windows privilege escalation vulnerability being exploited in the wild. Microsoft has released a security advisory for this vulnerability identified by CVE-2013-5065, and this vulnerability only affects users on Windows XP and Windows Server 2003 operating systems.

The exploit code is being distributed in a specially crafted PDF file. The PDF file contains malicious JavaScript with shellcode, obfuscated using JJEncode, that checks for specific versions of Adobe Reader and performs heapspray. If the Adobe Reader exploit attempt is successful, it will crash the application and pass the control to the shellcode. The shellcode further attempts to exploit a local Windows privilege escalation vulnerability on the target machine. It then decrypts a malicious executable embedded inside the original PDF file and installs it on the victim machine with kernel mode privilege.

The following chart illustrates the complete infection cycle:

Below is the deobfuscated JavaScript code checking for Adobe Reader version prior to exploitation attempt:

Upon successful Adobe Reader exploitation, the shellcode opens \\.\NDProxy and issues a specially crafted DeviceIoControl API call that triggers the local privilege escalation vulnerability (CVE-2013-5065).

The shellcode then decrypts and executes the embedded malware executable with elevated privileges on the target machine. The malware executable was found to inject code into the system explorer.exe process. It also creates the following registry key to persist the infection across system reboots.

  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = explorer.exe,(path to malware)
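A check for the persistence value described above, as an added example that is not part of the original post: it counts the entries in a Winlogon “Shell” value that are anything other than explorer.exe. The function names and sample strings are constructed; on a live system the string would come from a registry query.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of the token [s, s+n) against a literal. */
static int token_is(const char *s, size_t n, const char *lit) {
    if (strlen(lit) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)lit[i]))
            return 0;
    return 1;
}

/* Number of comma-separated entries in a "Shell" value that are not exactly
   explorer.exe. 0 means only the expected shell is listed; a full path to
   explorer.exe is deliberately counted so an analyst reviews it. */
int winlogon_shell_extra_entries(const char *value) {
    int extra = 0;
    const char *p = value;
    for (;;) {
        const char *end = strchr(p, ',');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        while (n && isspace((unsigned char)*p)) { p++; n--; }  /* trim left  */
        while (n && isspace((unsigned char)p[n - 1])) n--;     /* trim right */
        if (n >= 2 && p[0] == '"' && p[n - 1] == '"') { p++; n -= 2; }
        if (n && !token_is(p, n, "explorer.exe"))
            extra++;
        if (!end)
            break;
        p = end + 1;
    }
    return extra;
}

int main(void) {
    /* Constructed sample values; the second mirrors the pattern in the post. */
    const char *samples[] = { "explorer.exe",
                              "explorer.exe,C:\\placeholder\\sample.exe" };
    for (size_t i = 0; i < 2; i++)
        printf("%-42s extra=%d\n", samples[i],
               winlogon_shell_extra_entries(samples[i]));
    return 0;
}
```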

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Inject.DKI (Trojan)
  • GAV: Pidief.SKD (Exploit)

Microsoft out-of-band Security Advisory for Windows Kernel (Nov 27, 2013)

Microsoft has released an out-of-band bulletin, Microsoft Security Advisory (2914486), on Nov 27, 2013 that addresses an Elevation of Privilege vulnerability in the Microsoft Kernel component. This vulnerability affects Windows XP and Windows Server 2003. A successful exploit will cause arbitrary code to run in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

This vulnerability has been assigned CVE-2013-5065.

The Dell SonicWALL threat team researched this vulnerability the same day and created the following GAV signatures to cover the attack.

  • GAV: 27311 Inject.DKI (Trojan)
  • GAV: 27312 Pidief.SKD (Exploit)

For the Microsoft vulnerabilities covered by SonicWALL, please refer to SonicWALL MAPP for details.