Posts

Adobe Illustrator EPS/DSC Comment BO (Dec 04, 2009)

Adobe Illustrator is a comprehensive vector graphics environment. It supports numerous vector file formats such as CDR, PDF, and PS/EPS, among others. PostScript (PS) is a programming language that is mostly utilized as a page description language in the electronic and desktop publishing fields. The Document Structuring Conventions (DSC) are a set of standards for PS that specify a way to structure a PostScript file. A DSC-conforming PostScript document is called an Encapsulated PostScript (EPS) file, which is also used as a graphics file format. An EPS file can contain any combination of text, graphics, and images.

In EPS files, there are two required DSC comments, some conditionally required comments, and several programming guidelines. Each DSC comment in an EPS file starts with a ‘%’ character and ends with the newline characters ‘\r\n’. A snippet of an EPS file follows:

%!PS-Adobe-3.1 EPSF-3.0
%%Title: test.eps
[...truncated...]
0 0 mo 0 140 li 140 140 li 140 0 li

A buffer overflow vulnerability exists in Adobe Illustrator when parsing EPS files. The vulnerability is due to a boundary error while processing DSC comments in an EPS file. The vulnerable code fails to verify the length of the comment string while it is being copied into a fixed-size buffer. As a result of this flaw, if a comment string is longer than a certain length, the copy operation can overwrite a function pointer. A carefully constructed exploit can be made to divert the control flow of the vulnerable application.

Remote attackers can exploit this vulnerability by enticing target users to open a malicious EPS file with a vulnerable version of the affected product. Successful exploitation may allow execution of arbitrary code on the target host with the privileges of the logged-in user.
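As an added illustration (not Adobe's code and not SonicWALL's signature logic), the block below shows the bounded copy that the flaw described above lacks, plus a simple header check that flags an EPS file whose DSC comment line exceeds a length limit, which is the kind of condition a parser or an IPS signature can test for. The 64-byte buffer, the 255-byte DSC line limit and the padded sample header are assumptions built from the snippet above.

```c
#include <string.h>

/* Added example, not Adobe's code. DSC caps a comment line at 255 bytes;
 * COMMENT_BUF stands in for the fixed-size buffer the advisory describes. */
#define DSC_MAX_LINE 255
#define COMMENT_BUF  64

/* Hardened copy. The flaw described above is the equivalent of
 * strcpy(dst, comment) with no length check; here a comment that does not
 * fit (text plus NUL) is rejected instead of written past the buffer. */
static int copy_comment_safe(char dst[COMMENT_BUF], const char *comment) {
    size_t n = strlen(comment);
    if (n >= COMMENT_BUF) return -1;
    memcpy(dst, comment, n + 1);
    return 0;
}

/* Detection check: walk the header (CRLF or LF lines) and return the
 * 0-based index of the first "%%" comment line longer than limit, or -1. */
static int first_overlong_dsc_line(const char *data, size_t len, size_t limit) {
    int line = 0;
    for (size_t i = 0; i < len; line++) {
        size_t start = i;
        while (i < len && data[i] != '\n') i++;
        size_t n = i - start;
        if (n && data[start + n - 1] == '\r') n--;     /* drop CR of CRLF */
        if (n > limit && n >= 2 && data[start] == '%' && data[start + 1] == '%')
            return line;
        if (i < len) i++;                                /* skip the LF */
    }
    return -1;
}

/* Constructed sample: the advisory's header with %%Title padded to
 * title_len bytes of 'A'. Returns the flagged line index, or -1. */
static int scan_constructed_sample(size_t title_len) {
    static char buf[2048];
    const char *head = "%!PS-Adobe-3.1 EPSF-3.0\r\n%%Title: ";
    const char *tail = "\r\n0 0 mo 0 140 li 140 140 li 140 0 li\r\n";
    size_t n = strlen(head);
    if (n + title_len + strlen(tail) >= sizeof buf) return -2;
    memcpy(buf, head, n);
    memset(buf + n, 'A', title_len);
    n += title_len;
    memcpy(buf + n, tail, strlen(tail));
    n += strlen(tail);
    return first_overlong_dsc_line(buf, n, DSC_MAX_LINE);
}
```

A title of 246 bytes keeps the `%%Title:` line at exactly 255 bytes and passes; one byte more pushes the line over the limit and the check reports line 1.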

SonicWALL has released two IPS signatures that detect and block known exploits that are targeting this vulnerability. The following signatures have been released:

  • 4152 – Adobe Illustrator EPS File DSC Comment BO Exploit
  • 4153 – Adobe Illustrator EPS File DSC Comment BO Exploit 2

The vulnerability has been assigned CVE-2009-4195 by Mitre.

Fake CDC H1N1 program – New ZBot variant (Dec 01, 2009)

The SonicWALL UTM Research team observed a new wave of the fake CDC H1N1 program spam campaign starting this morning. The e-mail contains a URL pointing to a fake CDC website that hosts a new variant of the ZBot Trojan. This is the first time SonicWALL has seen the U.S. Centers for Disease Control used as a spoofed institution.

The e-mail pretends to come from the U.S. Centers for Disease Control & Prevention and informs the user about the launch of a State Vaccination H1N1 program. It advises the user to create a personal H1N1 vaccination profile on the CDC website, for which the URL is contained in the e-mail. If the user clicks on this URL, it leads to a fake CDC website that asks the user to download their H1N1 vaccination profile document archive. This leads to the download of an executable file, vacc_profile.exe, which is the new ZBot Trojan variant.

The e-mail looks like:

Subject:

  • Your personal Vaccination Profile
  • Creation of personal Vaccination Profile
  • Instructions on creation of your personal Vaccination Profile
  • State Vaccination Program

Email Body:
————————
You have received this e-mail because of the launching of State Vaccination H1N1 Program.

You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people.
Create your Personal H1N1 Vaccination Profile using the link:

create personal profile
————————

The e-mail message looks like below:

screenshot

The site that opens when the user clicks on the URL inside the e-mail is shown below:

screenshot

As seen in the screenshot, the malicious site prompts the user to download and open the profile document, which in reality is the malware executable file:

screenshot

The new ZBot variant performs the following activities upon execution:

  • Creates the following files:
    • (Windows_System)\lowsec\local.ds
    • (Windows_System)\lowsec\user.ds
    • (Windows_System)\lowsec\user.ds.lll
    • (Windows_System)\sdra64.exe
    • (Copy of itself)

  • Ensures that it runs every time Windows restarts by modifying the following registry entry:
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “(Windows_System)\userinit.exe,(Windows_System)\sdra64.exe,”
  • Tries to connect to a predetermined IP address on the HTTP port and sends the following GET requests:
    • http://195.104.41(REMOVED)me/rec.php
    • http://195.104.41(REMOVED)cbd/75.bro
    • http://195.104.41(REMOVED)ip.php
  • Also attempts to download another Trojan from http://promed(REMOVED)css/absderce2.exe [Detected as GAV: Krap.AH_4 (Trojan)]

The Trojan is also known as Trojan.Win32.Scar.auxg [Kaspersky] and TR/Crypt.XPACK.Gen [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: Zbot.BFV (Trojan) signature.

MS IE Style Remote Code Execution Issue (Nov 25, 2009)

Microsoft Internet Explorer (IE) is a popular web browser that is capable of rendering both static and dynamic web content. Internet Explorer gives web developers the ability to dynamically modify and style a web page using Document Object Model (DOM) and Cascading Style Sheets (CSS) technologies. The Document Object Model (DOM) is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents. Cascading Style Sheets (CSS) is a mechanism that allows authors and readers to attach style (e.g. fonts, colors and spacing) to HTML documents or DOM elements. The HTML element