
MS IE Aurora Memory Corruption (Jan 15, 2010)

A 0-day memory corruption vulnerability, codenamed Aurora, in the Internet Explorer browser has been disclosed. Most versions of the product are affected by the flaw. The vulnerability can be triggered by accessing a freed or deleted DOM object through scripting. Internally, this manifests as an invalid memory pointer reference, which can in turn be manipulated to divert the control flow of the browser. Exploitation resulting in code execution has proven rather consistent and stable across all vulnerable versions of the affected product, except for versions 7 and 8 when DEP is enabled.

The vulnerability is reported to have been exploited in targeted attacks. Exploitation requires the attacker to entice the target user to follow an HTTP link to the site hosting malicious code. The target browser has to have scripting enabled to be vulnerable.

Due to the nature of the bug and the virtually limitless ways of hiding or otherwise obfuscating malicious code that exploits the flaw, it is not feasible to develop an IPS signature that would cover all attack cases. However, SonicWALL already has numerous IPS signatures that detect and block popular shellcode used in HTML attacks, which may already be blocking attacks targeting this flaw. SonicWALL has released an additional IPS signature addressing the publicly released exploit and its variations. The following signature has been released:

  • 4711 – Javascript ASCII Table Lookup Attempt

The vendor has released a security advisory addressing this issue. Mitre has assigned the vulnerability the ID CVE-2010-0249. A working public exploit has also been released by the Metasploit project.

Symantec VRTSweb Code Execution (Jan 08, 2010)

Symantec VERITAS Web Server (VRTSweb) is a shared component shipped with multiple Symantec products. VRTSweb provides the container that executes the Symantec web application. VRTSweb is developed in Java, and a WAR file is used to distribute a web application.

VRTSweb listens on TCP port 14300 to process administrative requests. Requests to this port are encoded as XML documents with “Command” as the root node. All requests are of the form:

The task is specified within the “command” attribute of the root node and the attributes depend on the command. Command authentication is performed using the “authFile” attribute. A client authenticates a request by specifying a file that resides in the VRTSweb runtime directory. A client who has knowledge of the VRTSweb runtime directory is able to authenticate himself. One of the supported commands, startWebApp, requires the following attributes: “command”, “authFile”, “appName”, and “installDir”. A startWebApp request looks like:

which requests VRTSweb to unpack and start the web application located at “c:\test.war”.

A design weakness exists in Symantec VERITAS Web Server. The vulnerability is due to insufficient authentication when processing administration requests sent to TCP port 14300. Since the VRTSweb runtime directory contains a number of known files, authentication can easily be bypassed when a startWebApp command is sent to the target system. The “.heartbeat” file is particularly useful for attacks, as it is recreated periodically. A remote attacker can craft a startWebApp request that bypasses authentication to unpack and start a web application on a target system. The web application runs with the privileges of VRTSweb.

The vulnerability has been assigned as CVE-2009-3027.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 4699 Symantec VRTSweb Code Execution Attempt

Bredolab spam campaigns return in 2010 (Jan 8, 2010)

The SonicWALL UTM Research Team observed the first Bredolab spam campaign of 2010 starting on the morning of Thursday, January 7, 2010; it involved MySpace password reset spam. It continued until early this morning, when the spammers switched to Facebook password reset spam, which is still active at the time of writing this SonicAlert.

Similar social engineering tactics involving Facebook and MySpace to spam new variants of Bredolab were also seen in 2009. SonicWALL has seen more than 40,000 e-mail copies from these spam campaigns so far.

Both spam campaigns use a similar theme: a fake e-mail message informs users that their account password has been reset by the respective company and instructs them to download the attached document to retrieve their new password. The e-mail attachment is a new variant of the Bredolab Trojan. SonicWALL has received more than 17 unique payloads of the Bredolab Trojan from these spam campaigns since yesterday.

Campaign #1 – MySpace Password Reset spam

Subject:

  • MySpace Password Reset Confirmation! Order NR.[4-digit number]
  • MySpace Password Reset Confirmation!

Attachment:

  • MySpace_document_53459.zip (contains MySpace_document_53459.exe)
  • MySpace_document_32722.zip (contains MySpace_document_32722.exe)

Email Body:
————————
Hey [random name],

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your MySpace.
————————

The e-mail message looks like below:

screenshot

Campaign #2 – Facebook Password Reset spam

Subject:

  • Facebook Password Reset Confirmation! Support Message
  • Facebook Password Reset Confirmation! Your Support
  • Facebook Password Reset Confirmation! Important Message
  • Facebook Password Reset Confirmation! Customer Support

Attachment: Facebook_password_92335.zip (contains Facebook_password_92335.exe)

Email Body:
————————
Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed
You can find your new password in attached document.

Thank,
Your facebook.
————————

The e-mail message looks like below:

screenshot

The executable file inside the zip attachment has an icon disguised as that of a Microsoft Excel spreadsheet file:

screenshot

screenshot
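The two campaigns above both deliver a Windows executable wrapped in a zip attachment with a misleading icon. The following mail-gateway check, added here as an example and not SonicWALL's own code, opens a zip attachment in memory and flags entries by executable extension and by PE ("MZ") header, so a renamed executable is still caught. The extension list and the sample archives are constructed for this example.

```python
import io
import zipfile

# Policy chosen for this example: extensions a mail gateway should never let through.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def inspect_zip_attachment(data: bytes) -> list:
    """Return findings for a zip attachment: entries with an executable
    extension and entries whose content starts with a PE header, whatever
    their extension claims."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"{name}: executable extension")
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":  # DOS/PE header magic
                    findings.append(f"{name}: PE header (MZ) inside archive")
    return findings


def build_sample_zip(entries: dict) -> bytes:
    """Constructed sample archive: {name: content}. The 'MZ' payloads used in
    the examples are placeholders, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Name taken from the campaign above; content is a placeholder header only.
    lure = build_sample_zip({"MySpace_document_53459.exe": b"MZ" + b"\x00" * 62})
    for finding in inspect_zip_attachment(lure):
        print(finding)
```

Checking the header as well as the name matters because the attacker controls the filename and the icon, but a Windows loader still needs the MZ/PE structure to run the payload.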

When executed, the Trojan performs the following host-level activity:

  • Drops a copy of itself as (Windows System Folder)Startuprarype32.exe (~36KB)
  • Deletes the original file
  • Attempts to connect to the dollardream.ru domain on TCP port 4455 and downloads an encrypted configuration file.

The Trojan is also known as TROJ_BREDLAB.SMP [Trend] and Win32:Bredolab-BL [Trj] [Avast].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Bredolab.BMP (Trojan) signature [716,342 hits recorded in the last 24 hours].

screenshot

VLC Media Player Memory Corruption (Dec 30, 2009)

VideoLAN VLC Media Player is an open source multimedia player. It can play various audio/video formats (MPEG, DivX, ogg, Wave etc.) as well as streaming protocols. It is highly portable and available for multiple platforms.

VLC Media Player can be instructed to open media resources referenced by URIs. A URI can be supplied to VLC Media Player by embedding it in a playlist file, such as an M3U or XSPF (XML Shareable Playlist Format) file. A URI can also be supplied by sending an HTTP request to the VLC Media Player web interface. In a URI, the “smb” scheme (usually appearing as “smb://path”) addresses a file on an SMB share. The generic form of the SMB URI parsed by VLC Media Player is as follows:

smb://[[[domain;]username[:password@]]server[/share[/path[/file]]]]

A memory corruption vulnerability exists in VLC Media Player for Windows. Specifically, the vulnerability is due to an invalid free when processing specific SMB URIs. If an invalid username is specified in the SMB URI, the vulnerable code calls the Kernel32.FreeLibrary function. The function call fails, but the vulnerable code does not check the result. The vulnerable code then copies a 4-byte value from the stack at a fixed offset and uses that value as a memory pointer.

An attacker can exploit this vulnerability by enticing a user to open a crafted playlist file. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the currently logged in user. Code injection that does not result in execution would terminate the application due to memory corruption.

SonicWALL has released two IPS signatures to detect and block specific exploitation attempts targeting this vulnerability. The signatures are listed below:

  • 1337 VideoLAN VLC Media Player smb URI Handling Memory Corruption Attempt
  • 4533 VideoLAN VLC Media Player smb URI Handling Memory Corruption PoC

New Year greeting card spam (Dec 30, 2009)

The SonicWALL UTM Research team observed a new spam campaign starting on December 29, 2009, which involves a fake greeting card e-mail pretending to contain a link to a New Year card. The e-mail looks like the following:

Subject: Your have received a greetings card

Email Body:
————————
Have a happy and colorful New Year!

http://cpz.gumen(REMOVED)/2010.html -> leads to the malicious website that is still live
————————

The e-mail message looks like below:

screenshot

If the user clicks the link in the e-mail, it leads to a malicious website that displays a Happy New Year image, as seen below:

screenshot

The site contains obfuscated JavaScript code that executes when the page loads. It tries to exploit multiple vulnerabilities, including a 0-day in Microsoft DirectShow (msvidctl.dll) and one in Adobe Acrobat Reader. If an exploit attempt succeeds, it injects the shellcode shown below:

screenshot

The shellcode leads to the download and execution of new variants of the Bredolab and Mebroot Trojans.

SonicWALL Gateway AntiVirus provides protection against this attack via the GAV: Pdfka.ASD (Exploit), GAV: Tedroo.gen (Trojan), and GAV: Bredolab.SME_2 (Trojan) signatures.

screenshot

screenshot

IntelliCom NetBiter Hostname Buffer Overflow (Dec 22, 2009)

Intellicom NetBiter webSCADA is an embedded Supervisory Control and Data Acquisition solution for various hardware devices, providing remote management through web browsers. NetBiter Config is a configuration utility shipped with NetBiter webSCADA. It is used to enumerate and configure compatible devices on the LAN.

NetBiter Config uses the HICP protocol to communicate with the devices. HICP is a proprietary protocol used to control managed devices in a SCADA environment. It runs over UDP port 3250 and carries plain-text key=value pairs separated by semicolons:

key = value ; key = value ; [...]

The following keys are known:

Configure: xx-xx-xx-xx-xx-xx;
Protocol version = ;
fb type = ;
module version = ;
mac = xx-xx-xx-xx-xx-xx;
hn = ;
ip = XXX.XXX.XXX.XXX;
sn = XXX.XXX.XXX.XXX;
gw = XXX.XXX.XXX.XXX;
dhcp = ;
pswd = off;
dns1 = XXX.XXX.XXX.XXX;
dns2 = XXX.XXX.XXX.XXX;
password = ;
new password = ;

A stack buffer overflow vulnerability exists in the Intellicom NetBiter Config utility. The vulnerability is due to missing bounds checking on the hostname parameter value in incoming HICP packets. The malicious data is copied with the insecure function ‘strcpy’ into a fixed-size stack buffer. The buffer is part of a larger structure that contains multiple MFC objects, and the structure is later used to call an MFC dialog display function. One of these MFC objects is located after the vulnerable buffer and contains a function pointer. When the vulnerable stack buffer is overflowed, this virtual function pointer can be overwritten and used by an attacker to execute arbitrary code. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted UDP packet to the target program while posing as a managed ‘device’. Successful exploitation could result in execution of arbitrary code in the security context of the logged-on user.
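Because HICP is plain text, the key list above and the missing length check can be turned into a simple packet checker. The code below is an added example, not SonicWALL's signature logic or Intellicom's parser: it splits a HICP payload into key/value pairs, validates the keys the advisory lists, and reports values that exceed a length limit. The advisory gives no buffer sizes, so the hostname limit (63) and the default limit (64) are constructed policy values, and the sample packets are constructed too.

```python
import re

# Keys listed in the advisory (lowercased for comparison).
KNOWN_KEYS = {
    "configure", "protocol version", "fb type", "module version", "mac", "hn",
    "ip", "sn", "gw", "dhcp", "pswd", "dns1", "dns2", "password", "new password",
}
# Length policy chosen for this checker (assumption, not NetBiter's real buffer sizes).
MAX_VALUE_LEN = {"hn": 63}
DEFAULT_MAX_LEN = 64
_MAC = re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hicp(payload: str) -> dict:
    """Split 'key = value ; key = value' into a dict of trimmed, lowercased keys.
    The leading 'Configure: <mac>' field uses a colon instead of '='."""
    fields = {}
    for item in payload.split(";"):
        if not item.strip():
            continue
        if "=" in item:
            key, _, value = item.partition("=")
        elif ":" in item:
            key, _, value = item.partition(":")
        else:
            raise ValueError(f"malformed field: {item!r}")
        fields[key.strip().lower()] = value.strip()
    return fields


def check_hicp(payload: str) -> list:
    """Return a list of findings; an empty list means the packet looks well-formed."""
    findings = []
    for key, value in parse_hicp(payload).items():
        if key not in KNOWN_KEYS:
            findings.append(f"unknown key {key!r}")
        limit = MAX_VALUE_LEN.get(key, DEFAULT_MAX_LEN)
        if len(value) > limit:
            findings.append(f"{key} value too long ({len(value)} > {limit})")
        if key in ("configure", "mac") and value and not _MAC.match(value):
            findings.append(f"{key} is not a MAC address")
        if key in ("ip", "sn", "gw", "dns1", "dns2") and value and not _IPV4.match(value):
            findings.append(f"{key} is not an IPv4 address")
    return findings


# Constructed samples: a plausible discovery reply and one with an oversized hostname.
BENIGN_HICP = ("Configure: 00-30-11-01-02-03; Protocol version = 1.1; hn = netbiter-1; "
               "ip = 192.168.0.10; sn = 255.255.255.0; gw = 192.168.0.1; dhcp = off; pswd = off")
OVERSIZED_HICP = "Configure: 00-30-11-01-02-03; hn = " + "A" * 300 + ";"

if __name__ == "__main__":
    print(check_hicp(BENIGN_HICP))      # []
    print(check_hicp(OVERSIZED_HICP))   # ['hn value too long (300 > 63)']
```

Checking the length before any copy is the whole fix on the receiving side; an IPS rule for this vulnerability does the same thing from the outside by measuring the hostname field in the UDP payload.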

The SonicWALL UTM team has researched this vulnerability and released the following IPS signature:

  • 3019 IntelliCom NetBiter HICP Hostname BO Attempt

This vulnerability was disclosed in the vendor’s advisory.

HP OpenView NNM Host Header BO (Dec 18, 2009)

HP OpenView Network Node Manager (NNM) is one of the network and system management software applications developed by HP. It supplies several CGI applications that provide the management interface of the NNM server. These CGI applications include webappmon.exe, OpenView.exe, toolbar.exe, ovlaunch.exe, ovlogin.exe and others. With these CGI applications, users can control and manage the NNM server, as well as access command-line applications, using a web browser.

The webappmon.exe CGI application provides network troubleshooting facilities such as ping, findroute, and others to an HTTP client. This application can be accessed by a web browser using an HTTP request similar to the following:

GET /OvCgi/webappmon.exe?ins=nowait&action=ping&sel=192.168.0.1 HTTP/1.1
Host: 192.168.0.214
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

There is a global buffer overflow vulnerability in the HP OpenView Network Node Manager CGI application webappmon.exe. The vulnerability is due to insufficient boundary checking when handling the Host HTTP header. Specifically, the vulnerable code first copies the static string “http://” into a fixed global buffer of size 0x80 (128) bytes, then concatenates the Host header value into the same buffer by calling a strcat-like function without proper boundary checking. An overly long Host HTTP header therefore overflows the destination global buffer. An attacker exploiting this vulnerability may inject and execute malicious code within the security context of the Internet Guest Account user.
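The buffer arithmetic in the paragraph above is enough to write a request checker: a 128-byte buffer that already holds “http://” (7 bytes) can safely take at most 120 bytes of Host value if the terminating NUL is counted (that NUL accounting is an assumption). The code below is an added example, not SonicWALL's signature or HP's code. It parses a raw HTTP request, derives the safe Host length from the advisory's numbers, and flags requests to webappmon.exe whose Host header would overrun the buffer. The sample request is constructed from the one shown above.

```python
DEST_BUF_SIZE = 0x80                 # 128-byte global buffer, from the advisory
PREFIX = b"http://"                  # copied into the buffer first
# Bytes of Host value that still fit; assumes one byte is reserved for the NUL.
MAX_SAFE_HOST = DEST_BUF_SIZE - len(PREFIX) - 1


def parse_request_headers(raw: bytes) -> tuple:
    """Return (request_line, {lowercased-name: value}) for a raw HTTP request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return request_line, headers


def inspect_webappmon_request(raw: bytes) -> dict:
    """Flag a request that reaches webappmon.exe with a Host value the buffer cannot hold."""
    request_line, headers = parse_request_headers(raw)
    targets_webappmon = "/OvCgi/webappmon.exe" in request_line
    host = headers.get("host", "")
    return {
        "targets_webappmon": targets_webappmon,
        "host_len": len(host),
        "overflow": targets_webappmon and len(host) > MAX_SAFE_HOST,
    }


def build_request(path: bytes, host: bytes) -> bytes:
    """Constructed minimal request used for the examples below."""
    return (b"GET " + path + b" HTTP/1.1\r\n"
            b"Host: " + host + b"\r\n"
            b"User-Agent: Mozilla/5.0\r\n"
            b"Connection: keep-alive\r\n\r\n")


WEBAPPMON_PATH = b"/OvCgi/webappmon.exe?ins=nowait&action=ping&sel=192.168.0.1"
BENIGN_REQUEST = build_request(WEBAPPMON_PATH, b"192.168.0.214")

if __name__ == "__main__":
    print(MAX_SAFE_HOST)                                  # 120
    print(inspect_webappmon_request(BENIGN_REQUEST))      # overflow: False
```

Tying the length check to the vulnerable CGI path keeps false positives down: a long Host header on its own is unusual but legal, so the rule only fires where the advisory says the unchecked copy happens.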

To protect SonicWALL customers from attacks exploiting this vulnerability, the SonicWALL UTM team has created and released the following IPS signature:

  • 3009 HP OpenView NNM Host Header BO Attempt

This vulnerability has been assigned CVE-2009-4177 by mitre.

New Adobe 0-day exploit (Dec 16, 2009)

The SonicWALL UTM Research team found reports of a new 0-day vulnerability (CVE-2009-4324) in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild via malicious PDF files, starting Monday, December 14, 2009. Adobe confirmed the vulnerability on December 15, 2009 and released a security advisory.

Malicious PDF files have been spammed via e-mail in a series of targeted attacks since early December 2009. The e-mail attachment is the malicious PDF exploit file. The sample e-mail messages look like the following:

Subject:

  • reference
  • Interview Request

Attachment:

  • note_20091210.pdf
  • outline of interview.pdf

Email Body #1:
————————
Dear All

Please find attached the updated country briefing notes, and staff lists.

Kind regards
Jack
————————

Email Body #2:
————————
This is Fureer Angelica, diplomaic broadcaster for CNN in DC.
There’s growing concern about the U.S.-North Korea bilateral talks.
So, we’re planning an Interview about them.
Attached is the outline of the interview.

p.s. Detailed schedules will be followed soon if you accept the offer.
————————

The specially crafted PDF file has a malicious executable file (named AdobeUpdate.exe) embedded inside a PDF FlateDecode stream. When the victim opens the PDF file, it performs the following activities:

  • Exploits the vulnerability in Adobe Reader and executes the embedded malicious executable file.
  • The malicious executable file is dropped and executed from (TEMP FOLDER)\AdobeUpdate.exe [Detected as GAV: Genome.AAWD (Trojan)]
  • The executable further attempts to download another malware from:
    • foruminspace.com/document(REMOVED).exe [Detected as GAV: Tapaoux.A (Trojan)]

No patch is currently available from the vendor; the only mitigation at this time is to disable the JavaScript option inside Adobe Reader and Acrobat.

SonicWALL Gateway AntiVirus provides protection against this threat via the GAV: Suspicious#exepdf (Worm) signature. SonicWALL also provides protection via the IPS: PDF File with Javascript 1 and IPS: PDF File with Javascript 2 signatures.

Christmas themed Koobface breaks CAPTCHAs (Dec 11, 2009)

A new variant of the Koobface worm was found in the wild. This time the fake video poses as a message from Santa.

Koobface is a worm that shows up in fake messages from “friends” that encourage users to click on a malicious link, which can steal user ID and password information and be used to spread the worm. Koobface constantly changes to avoid detection, or, as we call it, is ‘highly polymorphic,’ with over 20,000 variations to date. We have previously SonicAlerted on it here.

It searches Internet Explorer’s cookie cache, looking for any cookies relating to the following social networking websites:

  • bebo.com
  • facebook.com
  • friendster.com
  • fubar.com
  • hi5.com
  • livejournal.com
  • myspace.com
  • netlog.com
  • tagged.com
  • twitter.com

There are major enhancements in this new variant of Koobface:

  1. It is able to break CAPTCHAs to register new Google Blogger accounts and send Facebook messages. The CAPTCHA trick appears as a Windows warning that the system will be shut down unless the user enters the CAPTCHA code displayed. If the shutdown timer hits zero, the system is locked until the code is entered. Once entered, the code is sent to a server, where it is later used for account creation.

  2. It has 3 stages of redirection: links in Facebook messages go to bit.ly or blogspot URLs, which in turn forward to hijacked pages with JavaScript, which finally forward to the Koobface webserver pages (fake video social engineering).

  3. In the spam subjects and messages, it uses a clever trick of doubling some random letters to avoid signature detection while preserving readability:

     #BLACKLABEL
     FBTARGETPERPOST|20
     TEXT_S|You mmust see thiss videoo now!! It''s the bbest one!! http://mopxopviexxx.com/983/
     MD5|1822ec77fe9039ac2091299df8582c0f
     TEXT_S|You mmust see thiss vvideo noow! It''s the besst oone! http://tamara.ziegxxx.com/602/
     MD5|7554b2b9e71763bc3ea9fb4cfad03594

  4. It registers new Google Blogger accounts and creates blog posts using top news headlines from Google News. It also creates new Google Reader pages to spread itself.

  5. The infected machine does not contact the C&C server directly but instead uses other infected nodes as redirectors/proxies, which forward the request from the infected client to the real Command & Control (C&C) server.
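The letter-doubling trick in point 3 defeats an exact-string signature but not a normalizing one. The function below is an added example, not SonicWALL's detection code: it collapses every run of a repeated letter to one, on both the message and the signature, so "mmust see thiss videoo" and "must see this video" reduce to the same string and compare equal. The lure phrases are taken from the configuration sample above; the benign message is constructed.

```python
import re

# Lure phrases seen in the Koobface configuration above (before letter doubling).
LURE_SIGNATURES = ["you must see this video now", "it's the best one"]


def normalize(text: str) -> str:
    """Lowercase, unify the doubled apostrophe, collapse any run of one letter to a
    single letter, and reduce everything that is not a letter, apostrophe or space
    to a space. Applied to both message and signature, so 'see' and 'ssee' agree."""
    text = text.lower().replace("''", "'")
    text = re.sub(r"([a-z])\1+", r"\1", text)   # "mmust" -> "must", "videoo" -> "video"
    text = re.sub(r"[^a-z' ]+", " ", text)      # drop punctuation and URLs
    return re.sub(r"\s+", " ", text).strip()


NORMALIZED_SIGS = [normalize(sig) for sig in LURE_SIGNATURES]


def matches_lure(message: str) -> list:
    """Return the lure signatures found in the message after normalization."""
    normalized = normalize(message)
    return [sig for sig, nsig in zip(LURE_SIGNATURES, NORMALIZED_SIGS) if nsig in normalized]


# The two TEXT_S entries from the configuration sample above.
SAMPLE_LURES = [
    "You mmust see thiss videoo now!! It''s the bbest one!! http://mopxopviexxx.com/983/",
    "You mmust see thiss vvideo noow! It''s the besst oone! http://tamara.ziegxxx.com/602/",
]

if __name__ == "__main__":
    for lure in SAMPLE_LURES:
        print(matches_lure(lure))
```

Collapsing repeated letters loses information (it cannot tell "see" from "se"), which is acceptable here because the comparison runs on a small set of known lure phrases rather than on free text; a general-purpose filter would pair this with other features such as the link target.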

SonicWALL Gateway AntiVirus provides protection against this malware via the signatures in the following table.
The Koobface worm consists of these modules:

Filename            Description                          SonicWALL GAV signature
v2webserver.exe     Koobface webserver                   GAV: Koobface.CSI (Trojan)
v2captcha.exe       CAPTCHA breaker                      GAV: Koobface.DR (Worm)
v2googlecheck.exe   Checks Facebook for blocked URLs     GAV: Small.ANLX (Trojan)
v2prx.exe           Proxy and DNS blocker                GAV: Koobface.gen_2 (Trojan)
v2newblogger.exe    Makes Blogspot accounts              GAV: Vilsel.MBS (Trojan)
v2reader.exe        Makes Google Reader pages            GAV: Koobface.NCI_2 (Worm)
ff2ie.exe           Cookie converter                     GAV: Koobface.BSE (Worm)
ld15.exe            Koobface loader                      GAV: Koobface.ATJ (Worm)
fb75.exe            Facebook propagation                 GAV: Koobface.CMN (Trojan)
pp.12.exe           Popup ads and FAKEAV installer       GAV: Koobface.CSK (Worm)

MS IE Uninitialized DOM Memory Corruption (Dec 11, 2009)

Microsoft Internet Explorer version 8, the latest version to date, contains a memory corruption vulnerability. The flaw exists due to improper handling of script-modified DOM structures.

The DOM defines an object-oriented structure for the HTML document content. It allows individual elements and properties of the HTML document to be manipulated by script. In the DOM structure, all HTML tags and their attributes are stored in a tree as Nodes. This tree can be defined statically using HTML tags or dynamically using script.

An example HTML code snippet followed by its DOM representation is shown:

 

DOM representation:

html
|- body
|  |- p

DOM objects can be modified dynamically by script embedded in the HTML document. An example of dynamic DOM manipulation is shown:

 var j = document.body;               // parent node; assumed here, the original snippet did not define j
 var i = document.createElement('p'); // create a new paragraph node
 j.appendChild(i);                    // attach it to the tree under body

Microsoft Internet Explorer 8 improperly handles script-modified DOM structures while an HTML document is being parsed. By manipulating the DOM through script, a circular reference between two DOM objects can be created. This error can lead to memory corruption, which could be exploited to inject and execute arbitrary code. Remote attackers could exploit this vulnerability by persuading a target user to visit a maliciously crafted web page. Successful exploitation may result in code execution with the privileges of the logged-in user.

Generic detection of this type of attack would require a full HTML parser. As such, generic detection is not feasible. SonicWALL has developed a signature that detects and blocks a known exploit targeting this vulnerability. The following signature was released:

  • 4234 – MS IE Uninitialized DOM Memory Corruption PoC (MS09-072)

The vendor has released an advisory and assigned the vulnerability the ID MS09-072. This flaw has been assigned CVE-2009-3674 by Mitre.