SecuriTeam Digest

Heap Spraying: Exploiting Internet Explorer VML 0-day

[UPDATE: Sep 24th, 2006] Finally, I got code execution on XP SP2. However, because of the serious damage, I will not publish things about this until M$ releases the patch. Sorry for the inconvenience.

At the time I write this article, this exploit is still 0-day; there is no patch. I decided to write this exploit because I just wanted to know which platform is exploitable. Xsec’s exploit shows that the W2k platform is exploitable, so I decided to work with the XP platform.

I use Shirkdog’s PoC as the starting point to see how IE crashes. This is the result:

(6ec.6f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00310030 ebx=ffffff88 ecx=0013bec4 edx=001832cc esi=00000000 edi=00000000

Copyright in a packet

Ahoy,
Can you tell who wrote this poem?

“Oracle
Everybody follows
Speedy bits exchange
Stars await to glow”

You’re right!
Oracle JDBC Client programmers.

I was sniffing my network and encountered this poem in the RAW bytes of one of Oracle’s JDBC logon packets.

The RAW bytes of the packet (Data is in Hex; on the right ASCII translation):

22 4f 72 "Or
61 63 6c 65 0a 45 76 65 72 79 62 6f 64 79 20 66 acle.Everybody f
6f 6c 6c 6f 77 73 0a 53 70 65 65 64 79 20 62 69 ollows.Speedy bi
74 73 20 65 78 63 68 61 6e 67 65 0a 53 74 61 72 ts exchange.Star
73 20 61 77 61 69 74 20 74 6f 20 67 6c 40 6f 77 s await to gl@ow
22 0a 54 68 65 20 70 72 65 63 65 64 69 6e 67 20 ".The preceding
6b 65 79 20 69 73 20 63 6f 70 79 72 69 67 68 74 key is copyright
65 64 20 62 79 20 4f 72 61 63 6c 65 20 43 6f 72 ed by Oracle Cor
70 6f 72 61 74 69 6f 6e 2e 0a 44 75 70 6c 40 69 poration..Dupl@i
63 61 74 69 6f 6e 20 6f 66 20 74 68 69 73 20 6b cation of this k
65 79 20 69 73 20 6e 6f 74 20 61 6c 6c 6f 77 65 ey is not allowe
64 20 77 69 74 68 6f 75 74 20 70 65 72 6d 69 73 d without permis
73 69 6f 6e 0a 66 72 6f 6d 20 4f 72 61 63 6c 31 sion.from Oracl1
65 20 43 6f 72 70 6f 72 61 74 69 6f 6e 2e 20 43 e Corporation. C
6f 70 79 72 69 67 68 74 20 32 30 30 33 20 4f 72 opyright 2003 Or
61 63 6c 65 20 43 6f 72 70 6f 72 61 74 69 6f 6e acle Corporation

As you can see – the packet, belonging to our corporate world, had a Copyright mark, just after the poem.

“The preceding key is copyrighted by Oracle Corporation.
Duplication of this key is not allowed without permission
from Oracle Corporation. Copyright 2003 Oracle Corporation”

Well, what next?.. Harry Potter on P2P packets or maybe Copyrighted MD5s?

Live long and prosper,

Kfir Damari,
kfird@beyondsecurity.com.

diSlib (A Python PE Parser)

Gil Dabah (Arkon), the creator of the fastest stream disassembler around, which also happens to be open source, diStorm, released diSlib, a Python PE parser. I’ve discussed it before briefly while covering diStorm.

diSlib (a Python PE parser):

diSlib is an easy-to-use Python module to parse PE executables. It will give you all necessary information such as:

* Sections with their accompanying information
* Imported functions and their addresses (IAT)
* Exported functions by name, ordinal and address
* Supports ImageBase relocation
* Relocated entries by offsets and their original DWORD values.
* Lets you apply the relocations
* Uses exceptions and OO interface (thanks to shenberg!)

Enjoy,

Gadi Evron,
ge@beyondsecurity.com.

Joanna’s Blue Pill – Invisible Rootkits

The overly cool Joanna Rutkowska has been working on what she calls Blue Pill technology. Using advanced virtualization technology from AMD called SVM/Pacifica, her research shows she can create “invisible malware”. This is not related to any bug, nor is it OS dependent, although she says she will demonstrate how she gets by Vista’s interesting technology to prevent unsigned code from being injected into the kernel.

You can read more about it in her blog.

Gadi Evron,
ge@beyondsecurity.com.

Taking Over Laptops by Fuzzing Wireless Drivers

Some news items showed up in the past couple of days about vulnerabilities in wireless device drivers. These vulnerabilities were apparently found by the use of an 802.11 fuzzing tool called LORCON.

From Wikipedia:

LORCON (acronym for Loss Of Radio CONnectivity) is an open source network tool. It is a library for injecting 802.11 frames, capable of injecting via multiple driver frameworks, without the need to change the application code.
The project is maintained by Joshua Wright and Michael Kershaw (“dragorn”).

Apparently, David Maynor and Jon Ellch intend to demonstrate taking over a laptop by the use of a wireless driver vulnerability next month at Black Hat USA 2006.

I personally intend to go only to Defcon, but this will be cool. :)

Disclaimer: my employer (and the people hosting the blogs), Beyond Security, are the makers of the beSTORM 2nd generation fuzzing product.

Gadi Evron,
ge@beyondsecurity.com.

PaiMei RE Framework

Pedram Amini announced PaiMei a few days ago. Here is what he just said about it on DD:

For those of you who may be interested, I recently released a reverse
engineering framework that I’ve been working on named PaiMei. The goal
of the framework is to reduce the time from “idea” to prototype to a
matter of minutes, instead of days.

PaiMei is written entirely in Python and exposes at the highest level a
debugger (PyDbg, a component I’ve previously mentioned on this list), a
graph based binary abstraction and a set of utilities for accomplishing
various repetitive tasks. The framework can essentially be thought of as
a reverse engineer’s Swiss army knife and has already been proven
effective for a wide range of both static and dynamic analysis tasks
such as: fuzzer assistance, code coverage tracking, data flow tracking
and more. You can grab the latest copy from:

http://www.openrce.org/downloads/details/208/paimei

I made the general documentation, API references and a Flash demo of the
code coverage tool available on my personal site:

http://pedram.redhive.com/paimei/
http://pedram.redhive.com/paimei/demo.html

The real-time graphing and IDA exporting functionality is not shown off
in the demo; I’ll add it as soon as I get better at making these silly
demos.

A couple of really brilliant individuals have already taken strong
interest in PaiMei and I hope others get inspired to contribute as
well. Please feel free to contact me directly on my pedram [dot] amini
[at] gmail account (pedram@redhive is purely a spam trap).

Gadi Evron,
ge@beyondsecurity.com.

diStorm – very quick (open source) stream disassembler

diStorm is just another stream disassembler, but… the quickest one I have ever seen and it supports AMD64. The guy (Arkon, Gil Dabah) must have no life as this thing is very good and must have taken quite some time to develop. It is open source.

It’s written in Python and available for Windows, Linux and general *nix. There is also a PE binary parsing library in the package.

Skype – The new NMAP?

At Black Hat Europe 2006, Philippe BIONDI presented his work on Skype.
Skype is famous for the level of obscurity taken to protect the code and protocol from prying eyes.

This outstanding work unveils Skype’s inner workings, reverse engineering the application and the network protocol and provides code samples.

The author poses and later answers three questions:

  1. Is Skype a backdoor?
  2. Can one detect and block Skype traffic?
  3. Is Skype safe enough for Business use?

Several security-related issues are brought to light:

  • Several heap overflows were found during the research.
  • Skype can be DoSed by a single packet.
  • Skype can be abused as anything from a port scanner to a botnet and covert channels in P2P.

For the rest of this excellent work get the full paper at:
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf