February 2006 - Posts
FrSIRT is reporting a brand new IE exploit targeted to XP SP0 (Gold) that appears to be patched in XP SP1 or higher, as well as W/2000 SP4. Still, there might be some folks running "Gold" (and especially W/2000 SP3 in the corporate world) ... More can be found at FrSIRT's site
Microsoft Internet Explorer "IsComponentInstalled()" Remote Stack Overflow Exploit
Date : 28/02/2006
Rated as : Critical
Note : This vulnerability has reportedly been fixed in Windows XP SP1 and Windows 2000 SP4
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
Please be careful with all EXE files in email or other sources. So far this new PE based virus is low-risk.
Snow.A - File infector virus impacts *.EXE files
This detection is for a Win32 parasitic virus variant that infects Windows portable executable (PE) files.
W32/Snow.a bears the following characteristics:
1. infects PE executable files
2. infected files grow in length by about 243 kilobytes
3. drops and install WinPcap network drivers
4. drops and auto-starts a copy of itself
5. when an infected file is run, the virus searches for other files to infect on both local and network drives
6. flood network with spoofed arp packets (arp poisoning)
This article by F-Secure describes one of the most advanced root kit design. With kernel mode networking API hooks it even has the potential to compromise SSL based security.
QUOTE: Haxdoor is one of the most advanced rootkit malware out there. It is a kernel-mode rootkit, but most of its hooks are in user-mode. It actually injects its hooks to the user-mode from the kernel -- which is really unique and kind of bizarre. We took a careful look at Backdoor.Win32.Haxdoor.gh (detection added 31 Jan, 2006). It hooks HTTP functionality, redirects traffic, steals private information, and transmits the stolen data to a web-server controlled by the attacker. Most (all?) online banks use SSL encrypted connections to protect transmissions. If Haxdoor would hook networking functionality in the kernel, it would have hard time phishing since the data would be encrypted. By hooking on a high-enough API level it is able to grab the data before it gets encrypted.
This new downloader version of Bagle pretends to be a software cracking program, but it attempts to download malicious content from the Internet.
Bagle.DW - Disguised as Software Cracking program
W32/Bagle.dw is a trojan downloader that attempts to download and execute files from various compromised websites. As the website being communicated is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered - possibly with every user infection.
At the time of writing this description, McAfee AVERT did not see the downloading of any files as they may have been moved or deleted at the remote site. W32/Bagle.dw that was mass spammed on February 25th, 2006.
A new vulnerability has been discovered for Macromedia's Shockwave player that occurs only during install processing. Never install any software by email as virus writers may try to exploit this new vulnerability. Always install software directly from the vendors web site.
Macromedia ShockWave Player ActiveX Installer Buffer Overflow
Description: The vulnerability is caused due to a boundary error in the Installer ActiveX control. This can be exploited to cause a stack-based buffer overflow via overly long values passed in two specific parameters to the control. Successful exploitation allows arbitrary code execution, but requires that the user is e.g. tricked into visiting a malicious web site that prompts the user to install Shockwave Player. The vulnerability has been reported in versions 10.1.0.11 and prior.
Workaround: The vendor has reported that the vulnerability occurs only during the installation process, and no action needs to be taken by current users.
Solution: Only install ShockWave Player directly from the vendor's web site.
This executable Linux file (ELF) propagates by taking advantage of the XML-RPC for PHP Remote Code
Apple will most likely patch this vulnerability soon and Mac users should look for any System X updates. Just as in the Windows environment, everyone needs to be careful of any suspicious email attachments, email URL links, or unfamiliar websites.
Apple Mac OS X Metadata Handling Remote Shell Execution Vulnerability
Description: The vulnerability is caused due to an error in the processing of file association meta data in ZIP archives (stored in the "__MACOSX" folder) and mail messages (defined via the AppleDouble MIME format). This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive or in a mail attachment. This can also be exploited automatically via the Safari browser when visiting a malicious web site.
Exploit: One exploit has been published and the code can be reviewed at the FrSIRT site
Patches: None published so far
Workarounds: Do not open files in archives or mail attachments originating from untrusted sources. The vulnerability can be mitigated by disabling the "Open safe files after downloading" option in Safari.
Below are some new exploits MS06-05 and MS06-06 that emerged shortly after Microsoft's "Patch Tuesday" updates on Valentines Day. Where malicious code is easy to develop by the bad guys, the timeframe for reverse engineering is moving from hours and days instead of a couple of weeks. Please update your systems promptly if you haven't had a chance to do this yet.FOUR NEW EXPLOITS FROM FEBRUARY UPDATES - from FrSIRT's website:2006-02-17 : Microsoft Windows Media Player 10 Plugin Remote Code Execution Exploit (MS06-006)
2006-02-17 : Microsoft Windows Media Player 9 Plugin Remote Code Execution Exploit (MS06-006)
2006-02-16 : Microsoft Windows Media Player BMP Handling Buffer Overflow Exploit (MS06-005) #2
2006-02-15 : Microsoft Windows Media Player BMP Handling Buffer Overflow Exploit (MS06-005) Microsoft Security Bulletin Summary for February, 2006
MS06-005 proof of concept exploit released
QUOTE: The proof of concept exploit for MS06-005 has been released. The exploit craft a malicious BMP file to perform buffer overflow in Media Player. Keeping in mind as Microsoft has pointed out that the exploiting factor can include other graphics file as well (such as .wmp), it's a good idea to get it patched ASAP.
The social engineering approach used by this latest version of the Bagle virus continues to prove that “if it's too good to be true, then it's not. It's always beneficial to avoid opening any suspicious attachment or URL link.
New Bagle Virus - Olympic-themed variant
System administrators should review this exposure carefully if they are using older versions of XP. Moving to XP SP2 is beneficial as it offers a number of security improvements. Companies should test their applications to ensure they are compliant as the stricter levels of security could create issues for poorly written applications. Still, upgrading to SP2 is worthwhile and goes smoothly in most cases.
Microsoft Windows Service ACLs Local Privilege Escalation Vulnerability
Technical Description: A vulnerability has been identified in Microsoft Windows, which could be exploited by malicious users to obtain elevated privileges. This flaw is due to insecure default access controls where the "Authenticated Users" group is granted permissions to modify Simple Service Discovery Protocol (SSDP) and Universal Plug and Play Device Host (UPnP) service configurations, which could be exploited by local unprivileged attackers to change the default binary that is associated with an affected service and execute malicious programs with elevated privileges.
Solution: Upgrade to Microsoft Windows XP SP2 or Microsoft Windows Server 2003 SP1, or change the default ACLs:
Users with Sun Java installed should update their systems to protect their brower and PC environment from malicious websites that could affect security controls.
Sun Java Runtime Environment Sandbox Security Bypass Vulnerabilities
Advisory ID : FrSIRT/ADV-2006-0467
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-02-08
Technical Description: Seven vulnerabilities were identified in Sun Java JRE (Java Runtime Environment), which could be exploited by malicious web sites to compromise a vulnerable system. These flaws are due to errors in the "reflection" APIs, which could be exploited by attackers to read, write, and execute arbitrary files by convincing a user to visit a specially crafted web page containing a malicious applet.
JDK 5.0 Update 4 and prior
JRE 5.0 Update 4 and prior
SDK 1.4.2_09 and prior
JRE 1.4.2_09 and prior
SDK 1.3.1_16 and prior
JRE 1.3.1_16 and prior
JDK and JRE 5.x - Upgrade to JDK and JRE 5.0 Update 6 :
SDK and JRE 1.4.x - Upgrade to SDK and JRE 1.4.2_10 :
SDK and JRE 1.3.x - Upgrade to SDK and JRE 1.3.1_17 :
The following are links related to "Safer Internet Day". This is a good initiative in providing security awareness for home users.
Europe's Internet safety information resource
Internet Safety Home Page
QUOTE: 'Safer Internet Day', the initiative is designed to raise awareness of cyber threats. The target audience in this case, however, isn't the corporate IT-type, but users, specifically targeting parents and children. This year's Safer Internet Day attempts to ride on the coattails of success of blogging and will distribute its message using exactly the same vehicle.
Hate speech / racism
SAFT guide for parents
Council of Europe Handbook
To surf in safe waters
This is some of the best documentation I've seen in providing a comprehensive analysis for a major new virus. The link below from CAIDA is chockful of charts, graphs, and facts. I'm glad that actual damages for the payload triggered on February 3rd were significantly less than predicted.
CAIDA -- The Nyxem Email Virus: Analysis and Inferences
This development tool is part of an SDK that can help Client/Server or web developers in authoring help screens for applications. This unpatched exploit is rated moderately critical and an exploit has been published.
Microsoft HTML Help Workshop "hhp" File Handling Buffer Overflow Issue
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-02-06
Exploits: POC exploit published at FrSIRT's site
Affected Products: Microsoft HTML Help Workshop version 4.74.8702.0 and prior
Solution: Do not open untrusted ".hhp" files, as an there are no officially supplied patch for this issue yet.
Technical Description: A vulnerability has been identified in Microsoft HTML Help Workshop, which could be exploited by attackers to execute arbitrary commands. This flaw is due to a buffer overflow error when processing a specially crafted ".hhp" file containing an overly long "Contents file" field, which could be exploited by remote attakers to compromise a vulnerable system by convincing a user to open a malicious ".hhp" file.
More Posts Next page »