Posted on September 30th, 2006 by Roger
Filed under: Web, Microsoft, Commentary, Culture, Virus | 2 Comments »
Hi folks,
Last night our Hunting Pots found this in use in the wild at some of the St Petersburg iframer sites, installing rootkits and who knows what else, and this morning we found it in use at the CWS sites. It infects a fully patched XP SP2 quite nicely.
The CWS people have only been using WMF since December/January, and have a very big, well-established network for drawing in victims. IMO, this represents a significant escalation.
The last time I examined it in detail, the CWS guys make money by selling their search engine to minor website operators with a pitch along the lines of “Pay us $100 per month, and we’ll guarantee 80m visitors each month”.
Then, when a victim visits one of their exploit sites, they install a URL-visiting program and a list of URLs. The URL-visitor then visits each customer website in turn, forging the headers to make it look like a real visitor referred by the bogus search engine.
The minor website operator sees his 80m visitors a month, but doesn’t realize that they are just PCs, no human eyes at all.
If they could make money with WMF, they’ll be rich from this one.
Roger
Posted on September 30th, 2006 by gadi
Filed under: Web, Microsoft, Virus | No Comments »
This patch is more of an automation of the Microsoft-suggested workaround, setting the kill bit for both vulnerabilities.
A full patch, very nicely built, is available from Determina for setSlice(), for a limited set of Windows versions.
Gadi Evron,
ge@linuxbox.org.
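What the kill-bit workaround actually changes on a machine, as an added example that is not the ZERT patch or Microsoft's own tooling: the kill bit is a DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} named "Compatibility Flags" with bit 0x400 set, after which Internet Explorer refuses to instantiate the control. The code below builds a .reg file that sets it, merging with any flags already present instead of clobbering them. The WebViewFolderIcon CLSID is given from memory of Microsoft's bulletin and is an assumption; verify it against the bulletin before deploying.

```python
"""Added example: generate a .reg file that sets the IE ActiveX kill bit for one
or more CLSIDs, plus helpers to interpret an existing Compatibility Flags value."""
import re

# Bit documented by Microsoft for "Compatibility Flags": with it set, Internet
# Explorer will not instantiate the control, whatever its other settings say.
KILL_BIT = 0x00000400

COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# ASSUMED: CLSID of the WebViewFolderIcon (setSlice) control as I recall it from
# Microsoft's bulletin. Verify against the bulletin before using this for real.
WEBVIEWFOLDERICON_CLSID = "{844F4806-E8A8-11D2-9652-00C04FC30871}"

_CLSID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$")


def normalize_clsid(clsid: str) -> str:
    """Upper-case, brace-wrapped and validated; rejects anything that is not a GUID
    so a typo cannot silently kill-bit the wrong (or no) control."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not _CLSID_RE.match(c):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return c


def kill_bit_flags(existing: int = 0) -> int:
    """OR the kill bit into an existing Compatibility Flags DWORD so other flags survive."""
    return (existing | KILL_BIT) & 0xFFFFFFFF


def has_kill_bit(flags: int) -> bool:
    """True if a Compatibility Flags value already blocks the control."""
    return bool(flags & KILL_BIT)


def killbit_reg(clsids, existing_flags=None) -> str:
    """Return the text of a .reg file (CRLF line endings, as regedit writes them).

    existing_flags optionally maps normalized CLSID -> current DWORD, read from the
    target machine beforehand, so existing flags are merged rather than overwritten.
    """
    existing_flags = existing_flags or {}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for raw in clsids:
        clsid = normalize_clsid(raw)
        flags = kill_bit_flags(existing_flags.get(clsid, 0))
        lines.append(f"[{COMPAT_KEY}\\{clsid}]")
        lines.append(f'"Compatibility Flags"=dword:{flags:08x}')
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(killbit_reg([WEBVIEWFOLDERICON_CLSID]))
```

The generated file is applied with `regedit /s killbit.reg` on each machine (or via a domain policy); because the kill bit lives under HKLM it needs administrative rights, and it only stops Internet Explorer from loading the control, it does not remove the vulnerable code from the system.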
Posted on September 30th, 2006 by gadi
Filed under: Web, Microsoft, Virus, Phishing, Rootkits | 1 Comment »
Exploit code is available:
http://www.milw0rm.com/exploits/2440
SANS diary:
http://isc.sans.org/diary.php?storyid=1742
And this is so massively exploited, it makes VML look cute. There’s a rootkit, some other malware, and Haxdoor (a phishing trojan horse).
Thanks to Roger Thompson at explabs.com for first reporting it.
(more…)
Posted on September 29th, 2006 by gadi
Filed under: Web, Microsoft, Commentary, Virus | 1 Comment »
This patch is meant for unsupported systems (Windows 9x to Windows 2000 SP3).
You can find the patch on the ZERT homepage: http://isotf.org/zert/.
Gadi Evron,
ge@linuxbox.org.
Posted on September 29th, 2006 by Trirat Kira P
Filed under: Microsoft, Commentary | 4 Comments »
For exploit writers on the Windows platform, one of the protection mechanisms in Vista that they will have to face is Address Space Layout Randomization (ASLR). ASLR is a security feature that hinders exploitation of vulnerable programs by randomly arranging the address spaces of the stack, heap, libraries and so on. This makes it hard for the attacker to predict the key values needed in the exploitation phase, such as return addresses and function pointers, so the success rate of the exploit becomes low. (This is the reason why I hate ASLR, lol)
But before the final version of Vista is released, Ali Rahbar from Sysdream has analyzed Vista’s ASLR and found some flaws in it.
But 32 possibilities is not much, and for buffer overflow exploitation, in some situations it is really feasible to brute-force the 32 possible values. But why has Microsoft used only 32 out of 256 possibilities
(more…)
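How expensive a brute force against 32 (versus 256) candidates really is, as an added example that is not from the post or from Rahbar’s analysis. The cost depends on something the post does not spell out: whether the randomized value stays fixed across the attacker’s attempts (a per-boot base, where the attacker can walk the candidates without repeating) or is drawn fresh on every attempt (each guess is an independent 1/N shot). Which case applies to a given target is an assumption the attacker has to check; the code computes both and validates the closed forms by simulation.

```python
"""Added example: cost of brute-forcing an ASLR-randomized value under the two
attacker models (value fixed across attempts vs re-randomized per attempt)."""
import math
import random


def p_success(candidates: int, attempts: int, rerandomized: bool) -> float:
    """Probability that `attempts` guesses hit the right one of `candidates` values.

    Fixed value  : attacker tries distinct candidates, so it is attempts / N.
    Re-randomized: each attempt is an independent 1/N trial, so 1 - (1 - 1/N)^k.
    """
    if rerandomized:
        return 1.0 - (1.0 - 1.0 / candidates) ** attempts
    return min(1.0, attempts / candidates)


def attempts_for(candidates: int, confidence: float, rerandomized: bool) -> int:
    """Smallest number of attempts that reaches the given success probability."""
    if rerandomized:
        return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - 1.0 / candidates))
    return math.ceil(confidence * candidates)


def simulate(candidates: int, attempts: int, trials: int, rerandomized: bool, seed: int = 1) -> float:
    """Monte Carlo check of p_success: fraction of trials the attacker wins."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        if rerandomized:
            # Target is re-drawn each attempt; guessing a fixed value is equivalent.
            hit = any(rng.randrange(candidates) == 0 for _ in range(attempts))
        else:
            # Target fixed for the whole run; attacker walks candidates 0..attempts-1.
            hit = rng.randrange(candidates) < attempts
        wins += hit
    return wins / trials


if __name__ == "__main__":
    for n in (32, 256):
        for rr in (False, True):
            k = attempts_for(n, 0.95, rr)
            print(f"N={n:3d} rerandomized={rr!s:5}: {k:4d} attempts for 95% "
                  f"(sim {simulate(n, k, 5000, rr):.3f})")
```

With 32 candidates an attacker who can retry against a fixed base needs at most 31 attempts, and one who faces a fresh value each time needs about 95 for 95% confidence; with 256 candidates those numbers become 244 and 766. Whether each attempt crashes a process that must restart, and whether that restart re-randomizes, is what decides which column matters.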
Posted on September 29th, 2006 by bsdaemon
Filed under: Commentary | No Comments »
A lot of discussion has taken place worldwide about the disclosure (or not) of new information-system vulnerabilities.
First we have the people who like full disclosure (bug details, including how to exploit it and an exploit for it); on the other hand, there are those who don’t agree with vulnerability disclosure (they want the disclosure of patches, not the details of what bug they correct).
This kind of idea facilitates the attackers’ success (they just need to check the differences between a system and the patched version of that system, using bindiff tools to help in the process). The users, who don’t need to really update their systems (just update when a security flaw exists, not just because an update exists), can’t know when it is secure not to update the system (so, let’s sell more systems…).
My first blog entry does not try to discuss that, but rather this position:
“The policy of the FreeBSD Security Team is that local denial of service bugs not be treated as security issues; it is possible that this problem will be corrected in a future Erratum”
Interesting to see this kind of answer to a security problem in the system, mainly when the bug can be exploited (yeah, it can be exploited).
But a local denial of service is not a problem? Hmm, sorry for the hosting companies that use FreeBSD!!
Cya,
Rodrigo Rubira Branco (BSDaemon).
Posted on September 28th, 2006 by Sid
Filed under: Web, Commentary, Full Disclosure, Corporate Security | 1 Comment »
Today’s story of “You’re lying, we weren’t vulnerable” comes from Acunetix. Copied and pasted from their “about us” page, this is how they describe themselves:
Acunetix was founded with [web application threats] in mind. We realised the only way to combat web site hacking was to develop an automated tool that could help companies scan their web applications for vulnerabilities. In July 2005, Acunetix Web Vulnerability Scanner was released - a tool that crawls the website for vulnerabilities to SQL injection, cross site scripting and other web attacks before hackers do.
I suppose I should give some background info about everything before laying it into Acunetix too much.
(more…)
Posted on September 28th, 2006 by gadi
Filed under: Commentary, Digest | No Comments »
ZERT just released a technical analysis of both the vulnerability and the ZERT patch. There is also a section explaining what the Microsoft patch does.
You can find the paper on the ZERT web page, or linked directly here.
Gadi Evron,
ge@linuxbox.org.
Posted on September 28th, 2006 by Brian
Filed under: Funnies, Memory Leak | No Comments »
Memory Leak, the twentieth strip of this new comic.

Posted on September 28th, 2006 by Trirat Kira P
Filed under: Web, Microsoft, Commentary | No Comments »
Now CERT has already released an advisory for the 0-day IE bug, “WebViewFolderIcon ActiveX”. This bug, WebViewFolderIcon, also known as the “SetSlice” bug, was discovered by H D Moore on 18 July 2006 or earlier, two months ago, and he described it in his Browser Fun blog.
I thought that this bug had been fixed in the past two months; however, I was wrong. A public exploit was released by the Metasploit project on Sep 26 and it can successfully exploit XP SP0 - SP2 with IE 6 SP1, and it should work on 2K and 2K3.
This bug should not have been a 0-day if the guys from M$ had read HDM’s blog
(or they had already read it, but ignored it, lol)
Posted on September 27th, 2006 by Juha-Matti
Filed under: Web, Commentary | 1 Comment »
Some days ago I asked for comments or additional information on the state of Netscape development. No comments were added, but it appears that Netscape Communications has released Netscape Browser version 8.1.2 today.
The Security Alerts page and the Release Notes document have not been updated yet.
There are several security fixes included. Version 8.1.2 is based on Gecko version 1.7.5:
(more…)
Posted on September 27th, 2006 by Juha-Matti
Filed under: Web, Microsoft, Commentary, Virus, Corporate Security | 2 Comments »
== Update: This issue has been fixed with MS06-058 ==
Information about new targeted attacks using a zero-day vulnerability in all versions of PowerPoint is available, again.
The new related Trojan horse is named Exploit-PPT.d, McAfee reports. It was discovered on Tuesday 26th September and they have had detection since today, 27th Sep. All major versions of Microsoft PowerPoint, 2003, 2002 (aka XP) and 2000, are vulnerable.
But this is the most interesting point:
The McAfee AVERT Labs guys checked these samples with the Microsoft Malware Protection Command Line Scanner and it reported the following:
D:\0-day.pp Infected: Exploit:Win32/Controlppt.X
(more…)
Posted on September 26th, 2006 by gadi
Filed under: Commentary, Spam, Virus, Corporate Security, DDoS, Botnets, Networking | No Comments »
Is here. Several companies are rehashing their old products and buzzwording them for DDoS mitigation or botnets, but not Trend Micro.
Trend Micro released a brand new product, implemented with the novel idea of utilizing DNS to detect bots on an ISP or corporate network.
Whether by massive requests for a C&C (bots phoning home), massive requests for MX records (spam bots), looking for negative caching (NXDOMAIN answers being cached because the C&C name is requested before it exists), and beyond.
It works. I don’t know if that’s what Trend Micro is doing, but it’s one step in the right direction to better botnet detection and mitigation.
(more…)
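The three DNS signals the post above lists (bots phoning home to a C&C, spam bots resolving MX records, and negative-caching noise from a C&C name that does not resolve yet) as a small detector run over a resolver log. This is an added example, not Trend Micro’s product or anything from the post; the log format, the thresholds and the client addresses are assumptions, and the sample log is constructed inline.

```python
"""Added example: bot-detection heuristics over a resolver log, using the three
DNS signals from the post. Log format, thresholds and addresses are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    ts: int       # seconds since start of capture (constructed)
    client: str   # internal host that sent the query
    qtype: str    # A, MX, ...
    qname: str    # queried name, lower-cased, no trailing dot
    rcode: str    # NOERROR, NXDOMAIN, ...


def parse_line(line: str) -> DnsRecord:
    """Parse one line of the assumed 'ts client qtype qname rcode' format."""
    ts, client, qtype, qname, rcode = line.split()
    return DnsRecord(int(ts), client, qtype.upper(), qname.lower().rstrip("."), rcode.upper())


def detect_bots(lines, mx_domains=10, nx_min=10, nx_ratio=0.5, fanin=3):
    """Return {'spam_bots', 'nx_bursts', 'candidate_c2'} sets.

    spam_bots    : clients asking MX for >= mx_domains distinct domains; a workstation
                   behind a mail relay has no business doing that.
    nx_bursts    : clients with >= nx_min NXDOMAIN answers making up >= nx_ratio of
                   their queries (name-generation churn, or a C&C not registered yet).
    candidate_c2 : names answered NXDOMAIN for >= fanin distinct clients; many hosts
                   phoning home to one unresolvable name is the negative-caching case.
    """
    records = [parse_line(l) for l in lines if l.strip() and not l.startswith("#")]
    mx_by_client = defaultdict(set)
    total, nx = Counter(), Counter()
    nx_clients_by_name = defaultdict(set)
    for r in records:
        total[r.client] += 1
        if r.qtype == "MX":
            mx_by_client[r.client].add(r.qname)
        if r.rcode == "NXDOMAIN":
            nx[r.client] += 1
            nx_clients_by_name[r.qname].add(r.client)
    return {
        "spam_bots": {c for c, d in mx_by_client.items() if len(d) >= mx_domains},
        "nx_bursts": {c for c, n in nx.items() if n >= nx_min and n / total[c] >= nx_ratio},
        "candidate_c2": {q for q, cs in nx_clients_by_name.items() if len(cs) >= fanin},
    }


def _constructed_log():
    """Constructed sample, not a real capture: one ordinary host, one spam bot,
    three hosts sharing an unregistered C&C name, one host with NXDOMAIN churn."""
    lines, t = [], 0

    def add(client, qtype, qname, rcode):
        nonlocal t
        t += 1
        lines.append(f"{t} {client} {qtype} {qname} {rcode}")

    for i in range(6):                                    # 10.0.0.7: ordinary workstation
        add("10.0.0.7", "A", f"www.site{i}.example", "NOERROR")
    add("10.0.0.7", "A", "wwww.site0.example", "NXDOMAIN")  # a single typo
    for i in range(12):                                   # 10.0.0.5: spam bot resolving MX
        add("10.0.0.5", "MX", f"mail-target{i}.example", "NOERROR")
    for c in ("10.0.0.9", "10.0.0.10", "10.0.0.11"):      # infected hosts, C&C not live yet
        for _ in range(4):
            add(c, "A", "c2.example.net", "NXDOMAIN")
        for i in range(8):
            add(c, "A", f"cdn{i}.example", "NOERROR")
    for i in range(20):                                   # 10.0.0.12: NXDOMAIN churn
        add("10.0.0.12", "A", f"x{i:04x}q.example", "NXDOMAIN")
    add("10.0.0.12", "A", "www.site0.example", "NOERROR")
    return lines


SAMPLE_LOG = _constructed_log()


def run_sample():
    """Run the detector over the constructed log."""
    return detect_bots(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, hits in sorted(run_sample().items()):
        print(f"{kind:13s} {sorted(hits)}")
```

The point of the fan-in rule is that the three infected hosts are individually unremarkable (four NXDOMAINs out of twelve queries each), and only the shared unresolvable name gives them away; thresholds need tuning per network, since a mail server legitimately resolves MX for many domains and should be whitelisted before this runs.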
Posted on September 25th, 2006 by gadi
Filed under: Web, Microsoft | 1 Comment »
This does not seem to be a critical issue - yet.
The guys at Sunbelt just blogged this:
http://sunbeltblog.blogspot.com/2006/09/another-zero-day-on-loose-keyframe.html
The daxctle.ocx exploit is the “other” zero day exploit, which to our knowledge hasn’t been seen in the wild. However, Adam Thomas in our security research team has just discovered a website with a modified version of the exploit that downloaded malware to a fully patched XP SP2 machine. The malware site was in a redirect script off of a porn site, in the same area as we discovered the VML exploit.
The exploit downloaded a fake version of svchost.exe, and a DLL was created in %system%\hehesox.dll which is receiving commands from a malware site. The browser did crash, but malware was successfully installed.
(more…)
Posted on September 25th, 2006 by Trirat Kira P
Filed under: Web, Microsoft, Full Disclosure, Digest | No Comments »
Credits: Niega
At first, I decided to release the article on Oct 10. But someone has already published the exploit, so there is no point in keeping it private.
In the last article, I described that my method can’t be used to exploit XP SP2. But things changed because Niega gave me some information: he could produce an error different from the old one.
This exception may be expected and handled.
eax=0013be58 ebx=001cc564 ecx=0013be4c edx=00000041 esi=000020d4 edi=00140000
eip=6f9eed1e esp=0013be34 ebp=0013c05c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program\Delade filer\Microsoft Shared\VGX\vgx.dll -
vgx!$DllMain$_gdiplus+0x30e8d:
6f9eed1e 668917 mov word ptr [edi],dx ds:0023:00140000=6341
IE crashes, but not with the security cookie check failure. This is the interesting one; maybe I can get code execution from this (the reason why I gave up looking for a way to make the exploit work on XP SP2 is that others could do it). Niega said that he produced the error by massively overwriting the stack. I reproduced the error by creating an attack vector like this:
(more…)
Posted on September 24th, 2006 by Juha-Matti
Filed under: Web, Microsoft, Commentary, Virus, Corporate Security | 24 Comments »
Windows VML Vulnerability - Frequently Asked Questions (CVE-2006-4868)
==============================================
This Frequently Asked Questions document describes a critical zero-day vulnerability in the Windows Vector Markup Language graphics implementation. The document describes related malware as well. There is no official patch for this vulnerability available.
** UPDATE: A fix, Vulnerability in Vector Markup Language Could Allow Remote Code Execution (KB925486), Security Bulletin MS06-055, was released on 26th Sep.
More details are available at isc.sans.org/diary.php?storyid=1738
Q: What is Windows Vector Markup Language vulnerability?
A: This vulnerability is caused by a buffer overflow in the VML component (vgx.dll) when handling Vector Markup Language tags. This graphics implementation ships with the Microsoft Windows operating system. This 0-day vulnerability can be exploited through the Internet Explorer browser and the Outlook e-mail client. The vulnerability is remotely exploitable and enables arbitrary code execution on the target workstation.
(more…)