Posts

OPIE Off-by-one Stack Buffer Overflow (June 3, 2010)

“One time Passwords In Everything” (OPIE) is a mature, Unix-like login and password package, installed on both server and client, that makes untrusted networks safer against password-sniffing packet-analysis software. It defeats replay of a captured password because the same password is never used twice once OPIE is installed. OPIE is shipped with DragonFly BSD, FreeBSD and openSUSE. The OPIE package is sometimes used by FTP servers to secure an FTP session.

File Transfer Protocol (FTP) is a standard network protocol used to copy a file from one host to another over a TCP/IP-based network. The protocol is defined in RFC 959. A successful FTP transfer involves a control connection and a data connection. All command traffic between server and client is carried on the control connection. Typical control-connection traffic looks like this:

    Response:  220-FileZilla Server version 0.9.29 beta
    Response:  220-written by Tim Kosse (Tim.Kosse@gmx.de)
    Response:  220 Please visit http://sourceforge.net/projects/filezilla/
    Command:   USER user
    Response:  331 Password required for user
    Command:   PASS *********
    Response:  230 Logged on

One of the commands included in the FTP protocol is the USER command. This command is used to begin the login process, which can be found in the above example. When an FTP server is using the OPIE package, it will pass on the value of the username field to the package for processing.

A buffer-overflow vulnerability exists in OPIE. The vulnerability is due to an off-by-one error in the username handling function while processing the value of the username field of the USER command. Specifically, the vulnerable code truncates the username to at most 32 bytes, copies it into a fixed 32-byte buffer, and then appends a NUL terminator after the copied string; when the username is exactly 32 bytes long, that terminator overwrites the byte immediately following the buffer. Successful exploitation of this vulnerability could result in execution of arbitrary code with root privileges.
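The off-by-one described above, modelled in C as an added example (this is not OPIE's code). The buffer size comes from the post; the adjacent byte, its sentinel value and the test username are constructed for the demonstration, and the "stack frame" is a flat 33-byte array so that the demonstration itself stays within defined behaviour while still showing exactly which byte the terminator lands on.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed username buffer described in the advisory. */
#define USERNAME_MAX 32

/* Exactly 32 bytes of username (constructed test input). */
static const char USER_32[] = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";

/* Constructed stand-in for a stack frame: 32 bytes of username buffer
 * followed by one byte of unrelated data at index 32. */
#define NEIGHBOUR USERNAME_MAX
#define SENTINEL  0xAA

/* Vulnerable pattern: truncate to 32 bytes, then write the terminator at
 * name[len]. For a 32-byte username len is still 32, so the terminator
 * lands one byte past the buffer. */
static void copy_username_vulnerable(unsigned char *frame, const char *user)
{
    size_t len = strlen(user);
    if (len > USERNAME_MAX)
        len = USERNAME_MAX;          /* truncates to 32, not 31 */
    memcpy(frame, user, len);
    frame[len] = '\0';               /* off-by-one when len == 32 */
}

/* Fixed pattern: reserve one byte of the buffer for the terminator. */
static void copy_username_fixed(unsigned char *frame, const char *user)
{
    size_t len = strlen(user);
    if (len > USERNAME_MAX - 1)
        len = USERNAME_MAX - 1;      /* at most 31 bytes of username */
    memcpy(frame, user, len);
    frame[len] = '\0';               /* index <= 31: inside the buffer */
}

/* Runs one copy routine against a fresh frame and reports whether the byte
 * after the buffer survived. Returns 1 if intact, 0 if overwritten. */
static int neighbour_intact(void (*copy)(unsigned char *, const char *),
                            const char *user)
{
    unsigned char frame[USERNAME_MAX + 1];
    memset(frame, 0, sizeof frame);
    frame[NEIGHBOUR] = SENTINEL;     /* stands in for adjacent stack data */
    copy(frame, user);
    return frame[NEIGHBOUR] == SENTINEL;
}

int main(void)
{
    printf("31-byte name, vulnerable copy: neighbour intact = %d\n",
           neighbour_intact(copy_username_vulnerable, USER_32 + 1));
    printf("32-byte name, vulnerable copy: neighbour intact = %d\n",
           neighbour_intact(copy_username_vulnerable, USER_32));
    printf("32-byte name, fixed copy:      neighbour intact = %d\n",
           neighbour_intact(copy_username_fixed, USER_32));
    return 0;
}
```

The vulnerable copy only clobbers the neighbouring byte for a username of exactly 32 bytes, which is why a bug of this shape survives testing with ordinary usernames; the fix is the familiar rule that the truncation limit must be one less than the buffer size when a terminator is appended.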

SonicWALL UTM team has researched this vulnerability, and covers the exploits with the following IPS signatures:

  • 30 USER Command BO Attempt
  • 4598 Generic Server Application Buffer Overflow Exploit 3

This vulnerability is referred by CVE as CVE-2010-1938.

Adobe Photoshop ABR BO (May 28, 2010)

Adobe Photoshop is a multi-platform graphics editor developed and published by Adobe Systems. Adobe Photoshop is capable of handling numerous types of image file formats. One of the formats it can handle is ABR. ABR is a proprietary file format which describes Adobe Photoshop brushes. An ABR file contains multiple structures describing a Photoshop brush. One of the structures contained is BrshObjc which contains the description of a brush stored in the following format:

    Size      Name       Field
    -------------------------------------------------
    12 bytes  DmtrUntF   Diameter
    12 bytes  HrdnUntF   Hardness
    12 bytes  AnglUntF   Angle
    12 bytes  RndnUntF   Roundness
    12 bytes  SpcnUntF   Spacing
    4 bytes   Intrbool   Interface
    4 bytes   flipXbool  flipX
    4 bytes   flipYbool  flipY

A buffer overflow vulnerability exists in Adobe Photoshop. The vulnerability is due to insufficient validation of the size of the AnglUntF structure. The vulnerable code uses the size value supplied in the AnglUntF field as the length parameter to strncpy, copying the specified number of bytes into a fixed-size heap buffer. This vulnerability can also be exploited via numerous other file types that contain a brush definition.

In order to exploit this vulnerability remotely, an attacker must entice the target user to download and view a malicious file. Successful exploitation will result in a buffer overflow which may lead to process flow diversion within the context of the currently logged in user. In situations where code execution is not successful, the vulnerable application may terminate abnormally.

SonicWall has released an IPS signature to address a specific exploit targeting this vulnerability. The following signature has been released:

  • 5552 – Adobe Photoshop CS4 ABR File BO PoC

The vendor has released an advisory regarding this issue. The vulnerability has been assigned CVE-2010-1296 by MITRE.

SpyEye crimeware toolkit (May 28, 2010)

SonicWALL UTM Research team has been continuously monitoring newer variants of the SpyEye bots in the wild. In our detailed analysis of the SpyEye crimeware toolkit we found it to be very similar to Zeus in terms of functionality and features.

SpyEye is a web-based crimeware toolkit that was first released in early January 2010 on underground forums. It is written in C++, and the compiled bot was approximately 60KB in the first version. Newer versions of SpyEye include compression options which further reduce the size of the compiled binary to ~40KB. Like Zeus, the bot's main objective is to steal financial information, including banking credentials and credit card numbers, as well as other sensitive information from the victim machine.

SpyEye contains many interesting features, listed below; the most notable is its ability to kill a Zeus bot infection on the victim machine. This feature was not originally present but was added from version 1.0.7 onwards. Like Zeus, the bot runs in ring3 (user mode) and hides from Task Manager, file explorer and other user-mode monitoring applications. The screenshot below shows the SpyEye v1.0.7 toolkit in action:

screenshot

SpyEye version 1.0.7 toolkit features:

  • Formgrabber – Supports logging web form data for browsers like IE, Firefox, and Netscape.
  • Credit Card AutoFill module – Automates the process of getting money from stolen credit cards.
  • Steal FTP, POP3 & HTTP basic authorization accounts.
  • Daily e-mail backup.
  • Feature to kill Zeus bot infection.
  • UPX compression & encrypted configuration file.
  • Web-based control panel (PHP & MYSQL based).
  • Ability to detect and clean SpyEye infection.

The build and configuration file generated by the tool kit can be seen here:

screenshot

Screenshot of SpyEye web control panel main page:

screenshot

Screenshot showing the status of various bots and tasks (posted by the author):

screenshot

Network traffic generated by the BOT

  • The bot sends the following message, containing system information, to the C&C server upon successful infection of the victim machine:

    GET /gate.php?guid=USERNAME!COMPUTERNAME!24B5EF92&ver=10120&stat=ONLINE&ie=7.0.5730.13&os=5.1.2600&ut=Admin&cpu=19&ccrc=2F9360E0&md5=b97f34389d7e16b2ff9868ae1130b628

  • A sample command received from the C&C server instructing the bot to update itself:

    UPDATE
    PATH=http://(REMOVED)/bin/ups.exe [Detected as GAV: SpyEye.AI (Trojan)]

The SpyEye toolkit is currently offered on underground forums for $500, with extra charges for newer features. The toolkit is continuously being updated with more sophisticated features and could be a potential contender to surpass Zeus and become the king of crimeware toolkits in the future.

SonicWALL Gateway AntiVirus provides protection against SpyEye bot via GAV: SpyeEye.KD (Trojan), GAV: SpyEyes.DG_2 (Trojan) and GAV: Suspicious#spyeye (Trojan) signatures.

Oracle MySQL Database BO (May 21, 2010)

MySQL is an open-source implementation of a relational database. The database uses the MySQL protocol to communicate with clients over the network. MySQL has a number of built-in SQL functions designed to help users query and update the database.

The server listens for connections on TCP port 3306 by default. Interaction with the database starts after a client is successfully authenticated. The protocol relies on a generic request/response scheme wherein the client sends SQL queries and receives the resulting data sets. All packets share the following common 4-byte header:

    Bytes  Name
    ----------------------
    3      Packet Length (n)
    1      Packet Number
    n      Packet Data

The request/response mode is entered into after successful authentication. In all requests, the first byte of packet data is the command code.

A buffer overflow vulnerability exists in MySQL database server. The vulnerability is due to lack of input validation in the check_if_table_exists function. The vulnerable function copies user supplied data of a request into a fixed stack buffer without validating the length of the source data. As a result, critical stack data can be overwritten allowing for arbitrary code execution. A remote authenticated attacker can exploit this vulnerability by sending a crafted request to a target server. The impact of the vulnerability is mitigated by the requirement of a successful authentication. Successful exploitation may lead to process flow diversion.
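The packet framing and the bounded copy below are an added C example, not MySQL's code. It parses the 4-byte header described above (the 3-byte length is little-endian on the MySQL wire, followed by the 1-byte packet number), refuses any packet whose declared length exceeds the bytes actually received, and copies a COM_FIELD_LIST table-name argument into a fixed stack buffer only after comparing lengths, which is the check the post says check_if_table_exists lacked. The same length-before-copy discipline is the fix for the attacker-supplied size handed to strncpy in the Adobe Photoshop ABR post above. The 64-byte buffer size, the table-name framing, the packet builder and the helper functions are constructed assumptions for the demonstration; 0x04 is the MySQL command code for COM_FIELD_LIST.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MYSQL_HEADER_LEN 4      /* 3-byte length + 1-byte packet number */
#define COM_FIELD_LIST   0x04   /* MySQL command code for COM_FIELD_LIST */
#define TABLE_NAME_MAX   64     /* constructed size of the fixed stack buffer */

struct mysql_packet {
    uint32_t       length;      /* payload length from the 3-byte field */
    uint8_t        sequence;    /* packet number */
    uint8_t        command;     /* first payload byte in request mode */
    const uint8_t *args;        /* payload after the command byte */
    uint32_t       args_len;
};

/* Parses one packet from the bytes actually received. Returns 0 on success,
 * -1 if the declared length does not fit in the received data, so that no
 * later code ever trusts the length field on its own. */
static int parse_packet(const uint8_t *buf, size_t received, struct mysql_packet *out)
{
    if (received < MYSQL_HEADER_LEN + 1)
        return -1;                                   /* header + command byte */
    uint32_t len = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) | ((uint32_t)buf[2] << 16);
    if (len == 0 || len > received - MYSQL_HEADER_LEN)
        return -1;                                   /* claims more than was sent */
    out->length   = len;
    out->sequence = buf[3];
    out->command  = buf[4];
    out->args     = buf + MYSQL_HEADER_LEN + 1;
    out->args_len = len - 1;
    return 0;
}

/* Hardened form of the copy described in the post: the source length is
 * compared with the destination before memcpy, and an oversize name is
 * rejected instead of being written past the buffer. */
static int extract_table_name(const struct mysql_packet *p, char *dst, size_t dst_size)
{
    if (p->args_len >= dst_size)                     /* keep room for the NUL */
        return -1;
    memcpy(dst, p->args, p->args_len);
    dst[p->args_len] = '\0';
    return 0;
}

/* Handles a COM_FIELD_LIST request: parse, check the command code, then copy
 * the table name into the caller's fixed buffer. 0 = accepted, -1 = rejected. */
static int handle_field_list(const uint8_t *buf, size_t received, char *name, size_t name_size)
{
    struct mysql_packet p;
    if (parse_packet(buf, received, &p) != 0)
        return -1;
    if (p.command != COM_FIELD_LIST)
        return -1;
    return extract_table_name(&p, name, name_size);
}

/* Builds a constructed COM_FIELD_LIST packet. declared_len may deliberately
 * disagree with the real payload to exercise the parser. Returns bytes written. */
static size_t build_packet(uint8_t *out, const char *table, uint32_t declared_len)
{
    size_t n = strlen(table);
    out[0] = (uint8_t)(declared_len & 0xFF);
    out[1] = (uint8_t)((declared_len >> 8) & 0xFF);
    out[2] = (uint8_t)((declared_len >> 16) & 0xFF);
    out[3] = 0;                                      /* packet number */
    out[4] = COM_FIELD_LIST;
    memcpy(out + 5, table, n);
    return MYSQL_HEADER_LEN + 1 + n;
}

/* Returns 1 if a packet carrying this table name (with this declared length)
 * is accepted into a TABLE_NAME_MAX stack buffer, 0 if rejected. */
static int accepted(const char *table, uint32_t declared_len)
{
    uint8_t wire[512];
    char    table_buf[TABLE_NAME_MAX];               /* the fixed stack buffer */
    if (strlen(table) > sizeof wire - 5)
        return 0;
    size_t received = build_packet(wire, table, declared_len);
    return handle_field_list(wire, received, table_buf, sizeof table_buf) == 0;
}

/* Same, for a table name of name_len repeated 'A's with a truthful length. */
static int accepted_name_of_length(size_t name_len)
{
    char name[256];
    if (name_len >= sizeof name)
        return 0;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return accepted(name, (uint32_t)(1 + name_len));
}

int main(void)
{
    printf("honest length, short name : %d\n", accepted("users", 6));
    printf("length field says 16 MiB  : %d\n", accepted("users", 0xFFFFFF));
    printf("63-byte name              : %d\n", accepted_name_of_length(63));
    printf("64-byte name              : %d\n", accepted_name_of_length(64));
    return 0;
}
```

Rejecting rather than truncating is deliberate: a silently truncated table name would make the server operate on a different object than the client asked for, so a length violation is treated as a malformed request.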

SonicWall has released an IPS signature to address a specific exploit targeting this vulnerability. The following signature addresses this vulnerability:

  • 5366 – MySQL COM_FIELD_LIST BO PoC

This vulnerability has been assigned the identifier CVE-2010-1850 by MITRE.

Emissary Keylogger (May 20, 2010)

SonicWALL UTM Research team received reports of a new keylogger seen in the wild called Emissary Keylogger. This keylogger builder has a free version and a paid version sold on a hacker forum.

The keylogger builder consists of two files: Emissary.exe and Stub.exe. Emissary.exe, shown below, is the first released version of the keylogger builder. It requires the malicious user to enter an e-mail address to which the captured keystroke logs will be sent, the name of the keylogger server to build, a fake message that pops up when the server runs, and system options such as blocking AV sites, adding a startup entry and disabling administrative tools such as Task Manager and Registry Editor.

screenshot

The builder then generates the keylogger server, server.exe, from Stub.exe; this is the file the malicious user delivers to a victim.

screenshot

An updated Emissary Builder v3.0 is also available with added features and functionality such as:

  • Supports Gmail, Hotmail and AOL email account
  • FTP Backup
  • Icon Changer
  • Screenshot capture
  • Execute Batch file
  • Opening Webpage
  • Start a Process
  • Change Desktop Wallpaper
  • Auto Startup Technique
    • Adds Startup Registry entry
    • Copy itself to Startup folder
  • Sends logs in HTML format
  • Can Spread via USB
  • Download and Execute trojans
  • Deletes Cookies
  • Logs Clipboard
  • Block Websites by modifying LocalHost File

    By default this keylogger adds the following entries to the local hosts file, which block these security-related websites:

    • 127.0.0.1 virustotal.com
    • 127.0.0.1 www.scanner.novirusthanks.org
    • 127.0.0.1 scanner.novirusthanks.org
    • 127.0.0.1 www.kaspersky.com
    • 127.0.0.1 kaspersky.com

  • Sends System Information such as:
    • Username
    • Machine Name
    • Installed logical drives
    • IP
    • Installed software
  • Disables the following Windows features by adding or deleting registry entries:
    • Task Manager
      • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
        Value: DisableTaskMgr
        Data: dword:00000001
    • CMD
      • Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
        Value: DisableCMD
        Data: dword:00000001
    • Registry Editor
      • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
        Value: DisableRegistryTools
        Data: dword:00000001
    • Control Panel
      • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
        Value: NoControlPanel
        Data: dword:00000001
    • Folder Options
      • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
        Value: NoFolderOptions
        Data: dword:00000001
    • Run
      • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
        Value: NoRun
        Data: dword:00000001
    • Firewall
      • Key: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
        Value: EnableFirewall
        Data: dword:00000000
    • Safeboot (deletes the following registry key)
      • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
    • User Account Control (UAC)
      • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
        Value: EnableLUA
        Data: dword:00000000
    • Right Click on Desktop and Windows Explorer
      • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
        Value: NoViewContextMenu
        Data: dword:00000001

  * The Startup Folder is usually Documents and Settings\Username\Start Menu\Programs
  * LocalHost (the hosts file) is {System Directory}\Drivers\etc\hosts
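A defender-side check for the hosts-file tampering listed above, written in C as an added example (not part of the original post or of any SonicWALL product). The sample hosts content is constructed for the demonstration and mixes the normal Windows defaults and one legitimate corporate entry with black-hole entries of the kind the keylogger adds; the audit flags every host name other than "localhost" that resolves to a loopback or null address.

```c
#include <stdio.h>
#include <string.h>

/* Constructed hosts-file content: defaults plus one legitimate entry, then
 * three black-hole entries of the kind the keylogger is described as adding. */
static const char SAMPLE_HOSTS[] =
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "192.168.1.20    fileserver.corp.example\n"
    "127.0.0.1 virustotal.com\n"
    "127.0.0.1 www.kaspersky.com\n"
    "127.0.0.1 scanner.novirusthanks.org   # added by malware\n";

/* True for addresses commonly used to black-hole a host name. */
static int is_blackhole(const char *addr)
{
    return strncmp(addr, "127.", 4) == 0 ||
           strcmp(addr, "::1") == 0 ||
           strcmp(addr, "0.0.0.0") == 0;
}

/* Scans hosts-file text and reports every host name other than "localhost"
 * that is mapped to a black-hole address. Returns the number of such
 * entries so that a caller can alert when the result is non-zero. */
static int audit_hosts(const char *text)
{
    int hits = 0;
    const char *p = text;
    while (*p) {
        char line[512];
        size_t full = strcspn(p, "\n");
        size_t n = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += full;
        if (*p == '\n')
            ++p;

        char *comment = strchr(line, '#');       /* strip trailing comments */
        if (comment)
            *comment = '\0';

        char *addr = strtok(line, " \t\r");
        if (!addr)
            continue;                            /* blank or comment-only line */
        for (char *name = strtok(NULL, " \t\r"); name; name = strtok(NULL, " \t\r")) {
            if (is_blackhole(addr) && strcmp(name, "localhost") != 0) {
                printf("suspicious: %s -> %s\n", name, addr);
                ++hits;
            }
        }
    }
    return hits;
}

int main(void)
{
    int hits = audit_hosts(SAMPLE_HOSTS);
    printf("%d suspicious hosts entr%s\n", hits, hits == 1 ? "y" : "ies");
    return 0;
}
```

To run it against a real system, read {System Directory}\Drivers\etc\hosts into a string and pass it to audit_hosts; in an enterprise the same logic is more useful as a scheduled integrity check that compares the file with a known-good baseline.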

Shown below are the screenshots of Emissary Builder v3:

screenshot

screenshot

screenshot

Infection Cycle

Malware authors use different infection vectors to target as many unsuspecting users as possible. They employ social engineering techniques to lure users into downloading and installing their malware. In one such instance of social engineering used for the Emissary keylogger, we saw the malware author use the popular video sharing site YouTube, which in turn contained a link to a site where the keylogger was hosted.

1. The malware author uploads a video to Youtube.com. The video can pertain to anything an unsuspecting user might be interested in. It lures the user into clicking a download link for the video, which in fact points to the location where the actual keylogger server can be downloaded. In this case, it is the www.mediafire.com website.

    screenshot

2. Because a URL shortening tool is used, the user has no idea where the download link redirects. Once the user clicks the download link, they are redirected to the website hosting the keylogger server. The user then downloads the file and executes it.

    screenshot

3. The keylogger then infects the system, gathers information and sends it to the author’s e-mail account. Shown below is the malware author’s e-mail account listing the infected machines.

    screenshot

SonicWALL Gateway AntiVirus provides protection against this Keylogger via GAV: EmissaryKeyLogger (Trojan) and GAV: EmissaryKeyLogger_2 (Trojan) signatures.

Fake Amazon order – New Zbot variant (May 14, 2010)

SonicWALL UTM Research team discovered a new Zbot spam campaign involving a fake order payment e-mail from Amazon. The e-mail instructs the user to download the attached file, which it claims is a document containing the order tracking number.

The zip attachment contains a malicious executable whose icon is disguised as a Microsoft Word document. This executable is a new variant of the Zbot Trojan.

The e-mail message looks like:

screenshot

The downloaded fake tracking number document looks like:

screenshot

If the user tries to open this document file, it performs the following activities:

  • Connects to a malicious domain, hulejsoops.ru, which is a Zbot Command & Control (C&C) server, and sends the following HTTP requests:
    • GET /images/bb.php?v=2(REMOVED)m=40
    • GET /images/bb.php?v=2(REMOVED)m=41

  • Upon successful connection and authentication to the C&C server, it receives the following command strings to download additional malware as well as an encrypted configuration file:

    screenshot

  • Based on the above command strings, it downloads and executes all or some of the following files, depending on the victim machine:
    • (SYSTEM)\lowsec\local.ds
    • (SYSTEM)\lowsec\user.ds
    • (SYSTEM)\lowsec\user.ds.lll
    • (SYSTEM)\sdra64.exe [Detected as GAV: Wigon.KG (Trojan)]
    • (SYSTEM)\thxr.wgo
    • (SYSTEM)\ustftqmbt.exe [Detected as GAV: Wigon.KG (Trojan)]

  • Registry modifications to ensure that the malware executes on each system reboot:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “(SYSTEM)\userinit.exe,(System)\sdra64.exe,”
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ustftqmbt: “(SYSTEM)\ustftqmbt.exe”
  • Downloads the configuration file konf1.bin from one of the URLs found in the command string received from the C&C server.
  • Deletes the original copy of the file.

The Trojan has very low AV detection at the time of writing this alert and is also known as Trojan.Win32.VBKrypt.td [Kaspersky] and Mal/Koobface-E [Sophos].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Zbot.TD (Trojan) signature.

HP OpenView NNM MaxAge Buffer Overflow (May 14, 2010)

HP OpenView software provides large-scale system and network management of an organization’s IT infrastructure. One of the modules provided by HP OpenView is the Network Node Manager (NNM), which supplies web-based tools to view the status of a network. NNM provides several CGI applications which allow users to manage the NNM server using a web browser. One of the CGI applications, getnnmdata.exe, provides a way for clients to query information from an HP OpenView server.

There exists a buffer overflow vulnerability in HP OpenView Network Node Manager. Specifically, the vulnerability is due to insufficient boundary checking when getnnmdata.exe handles the MaxAge parameter. When getnnmdata.exe receives an invalid MaxAge parameter, it prints the invalid value in an error message. The vulnerable code does not validate the length of the MaxAge parameter and copies the whole string into a fixed-length stack-based buffer.

A remote attacker can exploit this vulnerability by sending a crafted HTTP request (containing a crafted MaxAge parameter) to the target server. Successful exploitation would overwrite critical stack data, such as return addresses and exception handlers, and lead to arbitrary code injection and execution. In case code execution is not successful, the vulnerable process may terminate abnormally, resulting in a denial-of-service condition.
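The defect described above is an error path that echoes an attacker-controlled parameter into a fixed stack buffer without a length limit. The C below is an added example, not HP's code, showing the hardened shape of that path: the parameter is validated as a decimal integer first, and when it has to be echoed in an error message the copy is bounded twice, once by the %.*s precision on the untrusted value and once by snprintf on the whole message. The 128-byte buffer, the 32-byte echo limit, the message text and the helper functions are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERRMSG_MAX 128   /* constructed size of the fixed error-message buffer */
#define ECHO_MAX    32   /* how much of an untrusted value we are willing to echo */

/* Returns the digit count if value is 1..10 decimal digits, otherwise 0. */
static size_t decimal_digits(const char *value)
{
    size_t n = 0;
    for (; value[n]; ++n)
        if (!isdigit((unsigned char)value[n]))
            return 0;
    return (n >= 1 && n <= 10) ? n : 0;
}

/* Validates a MaxAge parameter. On success stores the value in *out, empties
 * msg and returns 1. On failure writes a bounded error message into msg and
 * returns 0. The flaw in the post was the unbounded equivalent of this error
 * path, i.e. sprintf(msg, "...%s", value) into a fixed stack buffer. */
static int parse_maxage(const char *value, long *out, char *msg, size_t msg_size)
{
    if (decimal_digits(value) > 0) {
        *out = strtol(value, NULL, 10);
        msg[0] = '\0';
        return 1;
    }
    /* %.*s caps how much of value is copied; snprintf caps the total, so no
     * input length can overrun msg. An ellipsis marks that it was cut. */
    snprintf(msg, msg_size, "Invalid MaxAge value: %.*s%s",
             ECHO_MAX, value, strlen(value) > ECHO_MAX ? "..." : "");
    return 0;
}

/* Returns the parsed MaxAge, or -1 if the value was rejected. */
static long maxage_or_minus_one(const char *value)
{
    char msg[ERRMSG_MAX];
    long v = 0;
    return parse_maxage(value, &v, msg, sizeof msg) ? v : -1;
}

/* Returns the length of the error message produced for n repeated 'A's, so
 * the bound can be checked for inputs far longer than the buffer. */
static size_t error_len_for_garbage(size_t n)
{
    char value[4096];
    char msg[ERRMSG_MAX];
    long v;
    if (n >= sizeof value)
        n = sizeof value - 1;
    memset(value, 'A', n);
    value[n] = '\0';
    parse_maxage(value, &v, msg, sizeof msg);
    return strlen(msg);
}

int main(void)
{
    char msg[ERRMSG_MAX];
    long v;
    const char *samples[] = { "3600", "36x0", "" };
    for (size_t i = 0; i < 3; ++i) {
        if (parse_maxage(samples[i], &v, msg, sizeof msg))
            printf("MaxAge=\"%s\" accepted as %ld\n", samples[i], v);
        else
            printf("MaxAge=\"%s\" rejected: %s\n", samples[i], msg);
    }
    printf("error message length for a 3000-byte value: %zu\n",
           error_len_for_garbage(3000));
    return 0;
}
```

Validating before echoing matters on its own: a value that never passes the digit check cannot reach any later code path that treats it as a number, and the truncated echo keeps server logs readable when a scanner sends multi-kilobyte values.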

The CVE identifier for this vulnerability is CVE-2010-1553.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 5322 HP OpenView NNM MaxAge BO Attempt

Microsoft Windows SharePoint Services XSS (May 5, 2010)

Microsoft Windows SharePoint Services (WSS) is a free add-on to Microsoft Windows Server 2003/2008; it is the core of several of Microsoft’s commercial portal technologies, such as the Office SharePoint Server. WSS is based on IIS and ASP.NET technologies; it provides a basic portal infrastructure, collaborative editing of documents, document organization, and version control capabilities. Clients normally use a web browser to access the SharePoint portal.

WSS comes with several administrative functions; one of them is the Help interface, which provides access to on-line documentation and manuals. The search functionality is handled by help.aspx. When a request for an on-line help page arrives, help.aspx calls the ProcessQueryString() function, which reads all available parameters (cids) in the request.

A cross-site scripting vulnerability exists in Microsoft Windows SharePoint Services. Specifically, the vulnerability is due to insufficient validation of request parameters: a URL-encoded string terminator (%00) within a cid parameter value allows a malicious cid value to bypass a sanity check. Below is an example of a malicious URL:

http://example.com/_layouts/help.aspx?cid0=SOME.XML%00%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E

When a user submits a request with a cid parameter containing %00, the full cid value, including the script code, is rendered onto the response page. An attacker could exploit this vulnerability by embedding malicious script code in a URL and enticing the target user to open the URL in a browser. Successful exploitation would allow the attacker to access the target user’s sensitive information, such as cookies associated with the site.
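The bypass above rests on two views of the same parameter: a check that stops at the first NUL and a renderer that emits the full value. The C below is an added example (not SharePoint's code) that reproduces that mismatch and the fix. It URL-decodes the cid value from the post, runs a check that treats the result as a C string (so strlen() stops at the %00 and only "SOME.XML" is inspected), and then runs a check over the full decoded length that also restricts the value to file-name characters. The ".xml" suffix rule is an assumption standing in for whatever help.aspx really verifies; the decoder and helper functions are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The malicious cid value from the URL quoted in the post. */
static const char MALICIOUS_CID[] =
    "SOME.XML%00%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E";

/* Decodes %XX escapes into out and returns the decoded byte count, which
 * may include embedded NULs. out must hold at least strlen(in) + 1 bytes. */
static size_t url_decode(const char *in, unsigned char *out)
{
    size_t n = 0;
    for (; *in; ++in) {
        if (in[0] == '%' && isxdigit((unsigned char)in[1]) &&
            isxdigit((unsigned char)in[2])) {
            char hex[3] = { in[1], in[2], '\0' };
            out[n++] = (unsigned char)strtoul(hex, NULL, 16);
            in += 2;
        } else {
            out[n++] = (unsigned char)*in;
        }
    }
    out[n] = '\0';
    return n;
}

/* Case-insensitive ".xml" suffix test over an explicit length (assumed rule). */
static int ends_with_xml(const unsigned char *s, size_t len)
{
    static const char suffix[] = ".xml";
    if (len < 4)
        return 0;
    for (size_t i = 0; i < 4; ++i)
        if (tolower(s[len - 4 + i]) != suffix[i])
            return 0;
    return 1;
}

/* Check with the flaw described in the post: the decoded value is treated as
 * a C string, so strlen() stops at the %00 and the script never gets seen.
 * Returns 1 if the raw parameter value is accepted. */
static int cstring_check_accepts(const char *raw)
{
    unsigned char decoded[1024];
    if (strlen(raw) >= sizeof decoded)
        return 0;
    url_decode(raw, decoded);
    return ends_with_xml(decoded, strlen((const char *)decoded));
}

/* Fixed check: uses the full decoded length and allows only file-name
 * characters, so an embedded NUL followed by markup is rejected outright.
 * Returns 1 if the raw parameter value is accepted. */
static int full_length_check_accepts(const char *raw)
{
    unsigned char decoded[1024];
    if (strlen(raw) >= sizeof decoded)
        return 0;
    size_t len = url_decode(raw, decoded);
    for (size_t i = 0; i < len; ++i) {
        unsigned char c = decoded[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return ends_with_xml(decoded, len);
}

/* Exposes the decoded length so the two views of the value can be compared. */
static size_t decoded_length(const char *raw)
{
    unsigned char decoded[1024];
    if (strlen(raw) >= sizeof decoded)
        return 0;
    return url_decode(raw, decoded);
}

int main(void)
{
    const char *cases[] = { "SOME.XML", MALICIOUS_CID, "SOME.TXT" };
    for (size_t i = 0; i < 3; ++i)
        printf("%-60s decoded=%2zu bytes  c-string check=%d  full-length check=%d\n",
               cases[i], decoded_length(cases[i]),
               cstring_check_accepts(cases[i]),
               full_length_check_accepts(cases[i]));
    return 0;
}
```

The length-aware check is the input-side fix; the output side still needs HTML encoding of anything reflected into the page, so that a value which slips past validation is rendered as text rather than markup.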

Microsoft has released Security Advisory 983438 to address this issue. The CVE identifier for this vulnerability is CVE-2010-0817.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 5224 MS SharePoint Server help.aspx XSS Attempt

Oracle DBMS_CDC_PUBLISH SQL Injection (April 29, 2010)

The Oracle Database (commonly referred to as Oracle RDBMS or simply as Oracle) is a relational database management system (RDBMS) produced and marketed by Oracle Corporation. Oracle Database Server is the server-side implementation of the Database System which contains multiple modules and functionalities. To extend the functionality, extra packages of related program objects such as procedures, functions, variables, constants are provided to improve the products.

One package which is included with the Oracle Database product is the DBMS_CDC_PUBLISH package. This package is used by a publisher to set up an Oracle Change Data Capture system for capturing and publishing change data from one or more Oracle relational source tables. Two of the procedures included in DBMS_CDC_PUBLISH are DROP_CHANGE_SOURCE and ALTER_CHANGE_SOURCE. These procedures drop or modify an existing AutoLog change source that was created with the CREATE_AUTOLOG_CHANGE_SOURCE procedure or an existing Distributed HotLog change source that was created with the CREATE_HOTLOG_CHANGE_SOURCE procedure. These two procedures have the following SQL method:

    DBMS_CDC_PUBLISH.DROP_CHANGE_SOURCE(
        change_source_name IN VARCHAR2);

    DBMS_CDC_PUBLISH.ALTER_CHANGE_SOURCE(
        change_source_name IN VARCHAR2,
        source_description IN VARCHAR2,
        logfile_suffix     IN VARCHAR2,
        logfile_location   IN VARCHAR2);

An SQL Injection vulnerability exists in the Oracle Database server. Specifically, the vulnerability is caused due to a lack of proper sanitization of user supplied arguments to DROP_CHANGE_SOURCE and ALTER_CHANGE_SOURCE procedures. By exploiting this vulnerability, an attacker can inject and execute SQL commands within the security privileges of the database administrator SYSDBA, effectively compromising the database server.

SonicWALL UTM team has researched this vulnerability and created the following IPS signatures to detect and prevent attacks exploiting this issue:

  • 5214 Oracle DB ALTER_CHANGE_SOURCE SQL Injection Attempt
  • 5212 Oracle DB DROP_CHANGE_SOURCE SQL Injection Attempt

This vulnerability is referred by CVE as CVE-2010-0870.

New PDF malware spam (Apr 28, 2010)

SonicWALL UTM Research team discovered a new PDF malware being heavily spammed in the wild since last night, which exploits the Adobe PDF flaw. More information about the PDF flaw is available here: Social Engineering Attack Against Adobe Reader (Apr 01, 2010)

The e-mail pretends to come from the recipient’s mail domain administrator or operator. It instructs the user to read the instructions in the attached PDF file regarding new mailbox settings. The e-mail message looks like this:

screenshot

If the user opens the PDF file, it prompts the user to click the Open button in order to view the document, as seen below:

screenshot

However, the actual batch code that gets executed is hidden higher up in the dialog box, as can be seen here:

screenshot

screenshot

Once the user clicks the Open button, the embedded batch code is executed as shown above. It drops a malicious Trojan executable at the following location and executes it:

  • C:\Program Files\Microsoft Common\svchost.exe [Detected as GAV: Bezopi.A (Trojan)]

The Trojan attempts to connect to a predetermined list of malicious domains such as jademason.com, 1foxfiisa.com and dolsgunss.com, and sends the following GET request:

  • GET /lde/ld.php?v=1&rs=55274-337-9393301-(removed)&n=1&uid=1 HTTP/1.0

SonicWALL Gateway AntiVirus provided proactive protection against this malicious PDF spam attack via the GAV: Suspicious#pdfexec (Exploit) signature. The signature has blocked more than 650,000 instances of this spam e-mail in the last two days.

screenshot

Geographical mapping of the spam attack via IP location:

World Map

screenshot

North America Map

screenshot