Posts

ATMFD.DLL Memory Corruption Vulnerability attacks spotted in the wild (Aug 4, 2015)

CVE-2015-2387 attacks have been spotted in the wild. An elevation of privilege vulnerability exists in the Adobe Type Manager Font Driver (ATMFD) when it fails to properly handle objects in memory. ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows allows local users to gain privileges via a crafted application, aka “ATMFD.DLL Memory Corruption Vulnerability.” An attacker who successfully exploits this vulnerability can execute arbitrary code and take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Following is the analysis of the exploit:

The executable is packed and contains both the malicious font and the exploit code. The payload (.exe) prepares the ROP gadgets in user mode before it calls the vulnerable ATMFD.dll in kernel mode.

The sample opens ntkrnlpa.exe and calls the vulnerable ATMFD.dll. The malicious exe starts a cmd process with local user privileges and then exploits the vulnerability to elevate it to admin privileges.

Running the malicious exe under WinDbg shows that it loads the font into memory.

Setting a breakpoint on NamedEscape shows the vulnerable DLL being called.

The binary then tries to load the malicious font (an OpenType font carrying the OTTO tag).

When ATMFD.dll processes this font, a buffer overflow occurs, which allows the attacker to gain admin privileges.
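The font that triggers the overflow is an OTTO-tagged OpenType file, the CFF-based flavour that ATMFD.dll parses in kernel mode. A defender triaging suspicious font drops wants to know, before anything kernel-side touches the file, whether it is one of those fonts and whether its table directory is internally consistent. The checker below is an added example written for this post; it is not SonicWALL's code, not part of the analysed sample, and not a detector for CVE-2015-2387 itself. It parses the sfnt header and table directory, reports the font flavour (it also recognises TrueType tags, going slightly beyond the OTTO case in the text), and flags table records whose offset and length point outside the file or into the directory. The `build_font` helper and the `GOOD_OTTO`/`BAD_OTTO` byte strings are constructed test inputs; the corruption in `BAD_OTTO` is a generic oversized length field, not the vulnerability's trigger.

```python
"""Minimal OpenType table-directory sanity checker (added example, not SonicWALL code)."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# sfnt version tags and the font flavour each one announces.
SFNT_TAGS = {
    b"OTTO": "OpenType/CFF",          # PostScript outlines, handled by ATMFD.dll
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Apple)",
}
HEADER_LEN = 12   # sfntVersion(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2)
RECORD_LEN = 16   # tag(4) checksum(4) offset(4) length(4)


@dataclass
class TableRecord:
    tag: bytes
    checksum: int
    offset: int
    length: int


@dataclass
class FontReport:
    flavor: str
    tables: List[TableRecord]
    findings: List[str]

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_table_directory(data: bytes) -> FontReport:
    """Parse the sfnt header and table directory, collecting consistency findings."""
    findings: List[str] = []
    if len(data) < HEADER_LEN:
        return FontReport("unknown", [], ["file shorter than the 12-byte sfnt header"])

    tag = data[:4]
    flavor = SFNT_TAGS.get(tag, "unknown")
    if flavor == "unknown":
        findings.append(f"unrecognised sfnt tag {tag!r}")

    (num_tables,) = struct.unpack(">H", data[4:6])
    dir_end = HEADER_LEN + RECORD_LEN * num_tables
    if dir_end > len(data):
        findings.append(f"numTables={num_tables} needs {dir_end} bytes, file has {len(data)}")
        num_tables = (len(data) - HEADER_LEN) // RECORD_LEN  # only parse records present

    tables: List[TableRecord] = []
    for i in range(num_tables):
        start = HEADER_LEN + RECORD_LEN * i
        t, chk, off, ln = struct.unpack(">4sIII", data[start:start + RECORD_LEN])
        tables.append(TableRecord(t, chk, off, ln))
        # A declared table must lie entirely inside the file ...
        if off + ln > len(data):
            findings.append(f"table {t!r}: offset {off} + length {ln} exceeds file size {len(data)}")
        # ... and must not overlap the header/directory it is described in.
        elif ln and off < dir_end:
            findings.append(f"table {t!r}: offset {off} overlaps the table directory (ends at {dir_end})")
    return FontReport(flavor, tables, findings)


def build_font(sfnt_tag: bytes, tables: List[Tuple[bytes, bytes]]) -> bytes:
    """Assemble a minimal sfnt container from (tag, payload) pairs. Constructed test data only."""
    header = struct.pack(">4sHHHH", sfnt_tag, len(tables), 0, 0, 0)
    offset = HEADER_LEN + RECORD_LEN * len(tables)
    records, body = b"", b""
    for tag, payload in tables:
        padded = payload + b"\0" * (-len(payload) % 4)  # tables are 4-byte aligned
        records += struct.pack(">4sIII", tag, 0, offset, len(payload))
        body += padded
        offset += len(padded)
    return header + records + body


# Constructed samples: a well-formed OTTO container and a copy whose first table
# record claims a 4 GiB length (length field of record 0 sits at byte 24).
GOOD_OTTO = build_font(b"OTTO", [(b"CFF ", b"\x01\x00\x04\x02" + b"\0" * 12),
                                 (b"head", b"\0" * 54)])
_bad = bytearray(GOOD_OTTO)
struct.pack_into(">I", _bad, 24, 0xFFFFFFFF)
BAD_OTTO = bytes(_bad)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_OTTO), ("bad", BAD_OTTO), ("truncated", GOOD_OTTO[:20])):
        rep = parse_table_directory(blob)
        print(f"{name}: {rep.flavor}, {len(rep.tables)} tables, suspicious={rep.suspicious}")
        for f in rep.findings:
            print("  -", f)
```

Run it on a real font drop by reading the file into `parse_table_directory`; a report with `flavor == "OpenType/CFF"` and non-empty `findings` is a font worth quarantining and submitting for analysis rather than opening on an unpatched host. The checker only validates the outer container, so a clean report is not proof of a benign font.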

The Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signatures to protect its customers:

  • GAV 20469 : Dropper.A_767
  • GAV 17022 : CVE-2015-2387

Microsoft Security Bulletin Coverage (July 14, 2015)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of July, 2015. The list of issues reported, along with Dell SonicWALL coverage information, is as follows:

MS15-058 Vulnerabilities in SQL Server Could Allow Remote Code Execution

  • CVE-2015-1761 SQL Server Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1762 SQL Server Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-1763 SQL Server Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS15-065 Security Update for Internet Explorer

  • CVE-2015-1729 Internet Explorer Information Disclosure Vulnerability
    IPS: 5962 “Internet Explorer Cross-domain Information Disclosure (MS14-065) 2”
  • CVE-2015-1733 Internet Explorer Memory Corruption Vulnerability
    IPS: 11026 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 10”
  • CVE-2015-1738 Internet Explorer Memory Corruption Vulnerability
    IPS: 11027 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 11”
  • CVE-2015-1767 Internet Explorer Memory Corruption Vulnerability
    IPS: 11028 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 12”
  • CVE-2015-2372 VBScript Memory Corruption Vulnerability
    IPS: 11029 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 13”
  • CVE-2015-2383 Internet Explorer Memory Corruption Vulnerability
    IPS: 11030 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 14”
  • CVE-2015-2384 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2385 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2388 Internet Explorer Memory Corruption Vulnerability
    IPS: 11031 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 15”
  • CVE-2015-2389 Internet Explorer Memory Corruption Vulnerability
    IPS: 11032 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 16”
  • CVE-2015-2390 Internet Explorer Memory Corruption Vulnerability
    IPS: 11033 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 17”
  • CVE-2015-2391 Internet Explorer Memory Corruption Vulnerability
    IPS: 11034 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 18”
  • CVE-2015-2397 Internet Explorer Memory Corruption Vulnerability
    IPS: 7638 “DOM Object Use-After-Free Attack 2”
  • CVE-2015-2398 Internet Explorer XSS Filter Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2401 Internet Explorer Memory Corruption Vulnerability
    IPS: 11036 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 20”
  • CVE-2015-2402 Internet Explorer Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2403 Internet Explorer Memory Corruption Vulnerability
    IPS: 2175 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 1”
  • CVE-2015-2404 Internet Explorer Memory Corruption Vulnerability
    IPS: 2190 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 2”
  • CVE-2015-2406 Internet Explorer Memory Corruption Vulnerability
    IPS: 2191 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 3”
  • CVE-2015-2408 Internet Explorer Memory Corruption Vulnerability
    IPS: 2192 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 4”
  • CVE-2015-2410 Internet Explorer Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2411 Internet Explorer Memory Corruption Vulnerability
    IPS: 2198 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 5”
  • CVE-2015-2412 Internet Explorer Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2413 Internet Explorer Information Disclosure Vulnerability
    IPS: 2207 “Internet Explorer Information Disclosure Vulnerability (MS15-065) 1”
  • CVE-2015-2414 Internet Explorer Information Disclosure Vulnerability
    IPS: 2208 “Internet Explorer Information Disclosure Vulnerability (MS15-065) 2”
  • CVE-2015-2419 Jscript9 Memory Corruption Vulnerability
    IPS: 2209 “Internet Explorer JScript9 Memory Corruption Vulnerability (MS15-065)”
  • CVE-2015-2421 Internet Explorer ASLR Bypass
    IPS: 2210 “Internet Explorer ASLR Bypass Vulnerability (MS15-065)”
  • CVE-2015-2422 Internet Explorer Memory Corruption Vulnerability
    IPS: 2233 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 6”
  • CVE-2015-2425 Internet Explorer Memory Corruption Vulnerability
    IPS: 2234 “Internet Explorer Memory Corruption Vulnerability (MS15-065) 7”

MS15-066 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution

  • CVE-2015-2372 VBScript Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS15-067 Vulnerability in RDP Could Allow Remote Code Execution

  • CVE-2015-2373 Remote Desktop Protocol (RDP) Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS15-068 Vulnerabilities in Windows Hyper-V Could Allow Remote Code Execution

  • CVE-2015-2361 Hyper-V Buffer Overflow Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2362 Hyper-V System Data Structure Vulnerability
    There are no known exploits in the wild.

MS15-069 Vulnerabilities in Windows Could Allow Remote Code Execution

  • CVE-2015-2368 Windows DLL Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2369 DLL Planting Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS15-070 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

  • CVE-2015-2376 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2377 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2378 Microsoft Excel DLL Remote Code Execution Vulnerability
    IPS:5726 “Binary Planting Attack 2”
  • CVE-2015-2379 Microsoft Office Memory Corruption Vulnerability
    SPY:3107 “Malformed-File doc.MP.24”
  • CVE-2015-2380 Microsoft Office Memory Corruption Vulnerability
    SPY:3106 “Malformed-File doc.MP.23”
  • CVE-2015-2415 Microsoft Office Memory Corruption Vulnerability
    GAV:37640 “Olemal.A”
  • CVE-2015-2424 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS15-071 Vulnerability in Netlogon Could Allow Elevation of Privilege

  • CVE-2015-2374 Elevation of Privilege Vulnerability in Netlogon
    There are no known exploits in the wild.

MS15-072 Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege

  • CVE-2015-2364 Graphics Component EOP Vulnerability
    SPY:3105 “Malformed-File swf.MP.234”

MS15-073 Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege

  • CVE-2015-2363 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2365 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2366 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2367 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2381 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2382 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS15-074 Vulnerability in Windows Installer Service Could Allow Elevation of Privilege

  • CVE-2015-2371 Windows Installer EoP Vulnerability
    There are no known exploits in the wild.

MS15-075 Vulnerabilities in OLE Could Allow Elevation of Privilege

  • CVE-2015-2416 OLE Elevation of Privilege Vulnerability
    SPY:3105 “Malformed-File swf.MP.234”
  • CVE-2015-2417 OLE Elevation of Privilege Vulnerability
    SPY:3105 “Malformed-File swf.MP.234”

MS15-076 Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege

  • CVE-2015-2370 Windows RPC Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS15-076 Vulnerability in ATM Font Driver Could Allow Elevation of Privilege

  • CVE-2015-2387 ATMFD.DLL Memory Corruption Vulnerability
    GAV:20469 “Dropper.A_767”