Tag Archives: Adobe

New Adobe Reader and Acrobat 0day Found Exploited in the Wild

The FireEye team has reported a new Adobe Reader and Acrobat zero day exploited in the wild. This new 0day allows exploitation of the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1 with sandbox bypass. According to the information provided in the FireEye blog post, it seems that two DLLs are dropped by the malicious PDF and that a fake error message appears.

Adobe has acknowledged a potential vulnerability in its latest PDF Reader through a post on the PSIRT (Product Security Incident Response Team) blog.

In the screenshot provided by FireEye, who don’t provide a lot of details, we can see a call to a “/index.php” page, which could mean that the PDF 0day is streamed from the PHP file. We can also observe that the user agent involved is MSIE 7 (aka Internet Explorer 7) under Windows NT 5.1 (aka Windows XP).

According to a post on threatpost.com:

Attackers are using malicious PDFs posing as an application for an international travel visa to exploit a zero-day vulnerability in Adobe Reader and Acrobat.

Happy 0day Hunting

Despite the lack of information, after some research last night, I found the following file: “Visaform Turkey.pdf” (f3b9663a01a73c5eca9d6b2a0519049e).

And through further research, we found at 10pm the supposed C&C server, aka “http://bolsilloner.es/index.php”.

“Visaform Turkey.pdf” was submitted to VirusTotal on 2013-02-11 and was recognized as “HEUR:Exploit.Script.Generic” at that time. This file was also submitted to malware tracker on 2013-02-12, and you can find some interesting information in that submission. The same file was also submitted to Wepawet on 2013-02-13. The C&C server was submitted to jsunpack on 2013-02-13 without any associated output.

Adobe Security Advisory APSA13-02

Adobe PSIRT has released security advisory APSA13-02 regarding two vulnerabilities, CVE-2013-0640 (base CVSS score of 9.3) and CVE-2013-0641 (base CVSS score of 9.3), in Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Macintosh. The advisory also confirms the exploitation of these vulnerabilities in targeted attacks through a spear phishing campaign. Adobe is working on the issue and will provide updated versions asap. Affected software:

  • Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
  • Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

According to the Adobe security advisory, the vendor recommends that users of Adobe Reader XI and Acrobat XI for Windows enable “Protected View” as a workaround. To enable this setting, choose the “Files from potentially unsafe locations” option under the Edit > Preferences > Security (Enhanced) menu. The problem is that although “Protected Mode” is activated, as discussed on Twitter with @artem_i_baranov and also mentioned by Ars Technica, “Protected View” is off in a default installation.

According to the documentation of “Protected View”:

When Protected View is enabled, PDFs are displayed in a restricted environment called a sandbox.

So it means that, by default, the sandbox is deactivated during the display of PDFs.

Also, Mac OS X and Linux users are not protected by this workaround, which is only available for Windows.

Vendor Information

FireEye has released new details regarding the payload used in the exploitation of these vulnerabilities. They also point out the heavy use of Italian in the JavaScript embedded in the malicious PDF file.

Sophos has released a screenshot of the “Visaform Turkey.pdf” file and additional information.

“Visaform Turkey.pdf” Sample Analysis

Based on the poor sample we found on malware tracker (please re-enable the download functionality!), we started to analyse it.

First interesting information: it could be that “Protected Mode” could be bypassed via PDF properties. After some research, it doesn’t seem linked.

Second interesting information: the date in the document appears to be f****ng old!!!! (2012-11-08).

Third interesting information: the sHOGG function is used to decrypt a bunch of variables in the code.

By using this function on certain variables, we can confirm that the following Adobe Reader versions were targeted:

  • 10.0.1.434
  • 10.1.0.534
  • 10.1.2.45
  • 10.1.3.23
  • 10.1.4.38
  • 10.1.4.38ARA
  • 10.1.5.33
  • 11.0.0.379
  • 11.0.1.36
  • 9.5.0.270
  • 9.5.2.0
  • 9.5.3.305

Also, some special cases are forced for some specific languages, and only with Reader 9.502 or 10.104.

I can also confirm that the code is heavily obfuscated, with a bunch of variable and function names in Italian, like “dIAVOLO”, “bENEDETTO”, “sENTIRSI”, “aPPARENZA”, “fISAMENTE”, “pRESUNSI”, “cOCOLLE”, “sCHIUMA”, “pENITENZA”, etc.

According to different sources, the files dropped by the PDF are:

  • “L2P.T” (3a2547af14b5621f43481a70f32ccef3). Analysis on VirusTotal.
  • “LangBar32.dll” (97777F269AE807891DAC4B388C66A952). Analysis on VirusTotal.
  • “Visaform Turkey.pdf” (F475A43D374334197099ADA17720EB00). Analysis on VirusTotal.
  • “D.T” (CB33E97F46A219804DDB373FF982D694). Analysis on VirusTotal.

As @binjo has released the code of the Adobe JavaScript, I am also releasing my study of it.

I will keep you posted, in this post, if I have any additional information.

Microsoft February 2013 Patch Tuesday Review

Microsoft released, on 12 February 2013, during its February Patch Tuesday, one updated security advisory and twelve security bulletins. Of the twelve security bulletins, five have a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801, released in September 2012, has been updated. The security advisory concerns updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. Update KB2805940 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-05.

MS13-009 – Cumulative Security Update for Internet Explorer

MS13-009 security update, classified as Critical, allowing remote code execution, is the fix for 13 reported vulnerabilities. CVE-2013-0015 (4.3 CVSS base score) was discovered and reported by Masato Kinugawa. CVE-2013-0018 (9.3 CVSS base score) and CVE-2013-0022 (9.3 CVSS base score) were discovered and privately reported by Omair. CVE-2013-0019 (9.3 CVSS base score) was discovered and privately reported by SkyLined, working with HP’s Zero Day Initiative. CVE-2013-0020 (9.3 CVSS base score) was discovered and privately reported by Arthur Gerkis, working with the Exodus Intelligence, and by Stephen Fewer of Harmony Security. CVE-2013-0021 (9.3 CVSS base score) was discovered and privately reported by Tencent PC Manager. CVE-2013-0023 (9.3 CVSS base score) was discovered and privately reported by Arthur Gerkis, working with HP’s Zero Day Initiative. CVE-2013-0024 (9.3 CVSS base score) was discovered and privately reported by an anonymous researcher, working with HP’s Zero Day Initiative. CVE-2013-0025 (9.3 CVSS base score) and CVE-2013-0028 (9.3 CVSS base score) were discovered and privately reported by Scott Bell of Security-Assessment.com. CVE-2013-0026 (9.3 CVSS base score) was discovered and privately reported by Jose A Vazquez of Yenteasy Security Research, working with the Exodus Intelligence. CVE-2013-0027 (9.3 CVSS base score) was discovered and privately reported by Mark Yason of IBM X-Force. CVE-2013-0029 (9.3 CVSS base score) was discovered and privately reported by Stephen Fewer of Harmony Security and [email protected], working with HP’s Zero Day Initiative.

MS13-010 – Vulnerability in Vector Markup Language Could Allow Remote Code Execution

MS13-010 security update, classified as Critical, allowing remote code execution, is the fix for one privately reported vulnerability. CVE-2013-0030 (9.3 CVSS base score) was discovered and privately reported by an unknown security researcher.

MS13-011 – Vulnerability in Media Decompression Could Allow Remote Code Execution

MS13-011 security update, classified as Critical, allowing remote code execution, is the fix for one publicly reported vulnerability. CVE-2013-0077 (9.3 CVSS base score) was discovered and reported by Tencent Security Team.

MS13-012 – Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution

MS13-012 security update, classified as Critical, allowing remote code execution, is the fix for two publicly reported vulnerabilities linked to Oracle Outside In vulnerabilities fixed in the January 2013 Critical Patch Update. These vulnerabilities are CVE-2013-0418 (6.8 CVSS base score) and CVE-2013-0393 (6.8 CVSS base score).

MS13-020 – Vulnerability in OLE Automation Could Allow Remote Code Execution

MS13-020 security update, classified as Critical, allowing remote code execution, is the fix for one publicly reported vulnerability. CVE-2013-1313 (9.3 CVSS base score) was discovered and reported by an anonymous researcher, working with HP’s Zero Day Initiative.

MS13-013 – Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution

MS13-013 security update, classified as Important, allowing remote code execution, is the fix for two publicly reported vulnerabilities linked to Oracle Outside In vulnerabilities fixed in the January 2013 Critical Patch Update. These vulnerabilities are CVE-2012-3214 (2.1 CVSS base score) and CVE-2012-3217 (2.1 CVSS base score).

MS13-014 – Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution

MS13-014 security update, classified as Important, allowing denial of service, is the fix for one privately reported vulnerability. CVE-2013-1281 (7.1 CVSS base score) was discovered and privately reported by an anonymous researcher.

MS13-015 – Vulnerability in .NET Framework Could Allow Elevation of Privilege

MS13-015 security update, classified as Important, allowing elevation of privileges, is the fix for one privately reported vulnerability. CVE-2013-0073 (10.0 CVSS base score) was discovered and privately reported by James Forshaw of Context Information Security.

MS13-016 – Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege

MS13-016 security update, classified as Important, allowing elevation of privileges, is the fix for 30 privately reported vulnerabilities. CVE-2013-1248 (4.9 CVSS base score) and CVE-2013-1249 (4.9 CVSS base score) were discovered and privately reported by Mateusz “j00ru” Jurczyk of Google Inc, and Tencent Security Team. CVE-2013-1251 (4.9 CVSS base score), CVE-2013-1252 (4.9 CVSS base score) and CVE-2013-1253 (4.9 CVSS base score) were discovered and privately reported by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google Inc. CVE-2013-1250 (4.9 CVSS base score), CVE-2013-1254 (4.9 CVSS base score), CVE-2013-1255 (4.9 CVSS base score), CVE-2013-1256 (4.9 CVSS base score), CVE-2013-1257 (4.9 CVSS base score), CVE-2013-1258 (4.9 CVSS base score), CVE-2013-1259 (4.9 CVSS base score), CVE-2013-1260 (4.9 CVSS base score), CVE-2013-1261 (4.9 CVSS base score), CVE-2013-1262 (4.9 CVSS base score), CVE-2013-1263 (4.9 CVSS base score), CVE-2013-1264 (4.9 CVSS base score), CVE-2013-1265 (4.9 CVSS base score), CVE-2013-1266 (4.9 CVSS base score), CVE-2013-1267 (4.9 CVSS base score), CVE-2013-1268 (4.9 CVSS base score), CVE-2013-1269 (4.9 CVSS base score), CVE-2013-1270 (4.9 CVSS base score), CVE-2013-1271 (4.9 CVSS base score), CVE-2013-1272 (4.9 CVSS base score), CVE-2013-1273 (4.9 CVSS base score), CVE-2013-1274 (4.9 CVSS base score), CVE-2013-1275 (4.9 CVSS base score), CVE-2013-1276 (4.9 CVSS base score) and CVE-2013-1277 (4.9 CVSS base score) were discovered and privately reported by Mateusz “j00ru” Jurczyk of Google Inc.

MS13-017 – Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege

MS13-017 security update, classified as Important, allowing elevation of privileges, is the fix for three privately reported vulnerabilities. CVE-2013-1278 (7.2 CVSS base score) and CVE-2013-1279 (7.2 CVSS base score) were discovered and privately reported by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google Inc. CVE-2013-1280 (7.2 CVSS base score) was discovered and privately reported by an unknown security researcher.

MS13-018 – Vulnerability in TCP/IP Could Allow Denial of Service

MS13-018 security update, classified as Important, allowing denial of service, is the fix for a privately reported vulnerability. CVE-2013-0075 (7.1 CVSS base score) was discovered and privately reported by an unknown security researcher.

MS13-019 – Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege

MS13-019 security update, classified as Important, allowing elevation of privileges, is the fix for a publicly reported vulnerability. CVE-2013-0076 (7.2 CVSS base score) was discovered and privately reported by Max DeLiso.

Boeing-job.com Campaign and Adobe Flash 0days Additional Information

On 7 February, Adobe issued security bulletin APSB13-04 for Adobe Flash Player in order to address two vulnerabilities, CVE-2013-0633 and CVE-2013-0634, exploited in the wild.

CVE-2013-0633 (CVSS base score of 9.3) is exploited by tricking a Windows user into opening a Microsoft Word document containing malicious Flash content. CVE-2013-0634 (CVSS base score of 9.3) is exploited by tricking an Apple OS X user into opening a web page containing malicious Flash content through Firefox or Safari. But this vulnerability is also exploited by tricking a Windows user into opening a Microsoft Word document containing malicious Flash content.

Affected products are:

  • Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.261 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x

These vulnerabilities were discovered being exploited in the wild:

  • For CVE-2013-0633, by Sergey Golovanov and Alexander Polyakov of Kaspersky Labs
  • For CVE-2013-0634, by Shadowserver Foundation, MITRE and Lockheed Martin CIRT

As described by Alienvault Labs and by FireEye, the vulnerabilities were exploited through spear phishing email messages targeting several industries, including aerospace. One of the email attachments used the 2013 IEEE Aerospace Conference schedule, and another reported sample was related to the online payroll system of the US company ADP.

Detailed analyses have been provided by Alienvault Labs, FireEye and Malware Must Die. All the analyses reported the following domain name, ieee[.]boeing-job[.]com, as the C&C server.

The boeing-job[.]com domain name was registered on 22 January 2013, through GoDaddy, with fake registration information.

On 5 February, the http://ieee[.]boeing-job[.]com subdomain was pointing to IP 108.62.10.13, AS15003 in the US.
On 6 February, http://boeing-job[.]com was pointing to IP 184.168.221.37, AS26496 in the US, a GoDaddy parking web page.

But, there is always a but, if you take a look in Google you can find the IP address that was used for www.boeing-job[.]com.

This subdomain was pointing to a legitimate website, http://www[.]grupo-gestion[.]com[.]ar, IP 200.123.160.138, AS16814 in Argentina.

By searching on urlQuery, you can find a submission from 5 February with this IP. And surprise, this submission concerns a “record.doc” document located in an “/adp/” directory. So we have the ADP Word document. urlQuery also reports an alert, “FILE-OFFICE Microsoft Office Word with embedded Flash file transfer”, regarding the “record.doc” document.

Now let’s further analyze the server used in the spear phishing campaign. With some research on Google, you will quickly find that weak tools are present on the server and that these tools are freely accessible from the Internet. After some further analysis, we can find that an old default XAMPP installation is present on this server, and that the bad guys used this weakness to install a PHP backdoor. The PHP backdoor was also not protected, giving full access to the server.

The related “/adp/” directory no longer contains the “record.doc” file, and most of the server seems to have been cleaned.

But I discovered an interesting “/jobs/” directory containing a well-known tool, the JSbug statistics backend, used in previous drive-by attack campaigns. The contents of the backend allow us to see that a campaign had been running since 22 January using the www.boeing-job[.]com domain name.

Also, what is interesting is that the XAMPP Apache log files were accessible from the Internet without restrictions.

By doing some log analysis, we can find the following information:

  • The “record.doc” file size was 563200 bytes.
  • The first access to the “/adp/record.doc” file with an Apache 200 return code was recorded on 05/Feb/2013:07:12:24 -0300.
  • The “/adp/record.doc” file was removed from the server around 08/Feb/2013 09:23:24 -0300.
  • Around 300 accesses to the “record.doc” file were made during this timeframe: 42 on 5 February, 7 on 6 February, 89 on 7 February and 161 on 8 February.
  • A PHP backdoor had been present on the server since 05/Nov/2012 and was used multiple times.
  • A second PHP backdoor was uploaded to the server on 8 February, at 08/Feb/2013 02:25:25 -0300 (surely used to remove the record.doc file). Why not use the first PHP backdoor? Surely because you are not the guy who deposited the “record.doc” file and you don’t know about the existence of the first PHP backdoor.
  • The server was scanned for two days with Acunetix, starting 02/Feb/2013 18:25:45 -0300.
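A timeline like the one above can be rebuilt from an Apache access log with a short script. This is an added example, not the author's tooling: the log lines are constructed (documentation IP ranges, Apache combined log format assumed), and searching for the string "acunetix" as a scanner marker is an assumption about how the scan shows up in the log.

```python
import re
from collections import Counter
from datetime import datetime

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines for illustration; not taken from the real server.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Feb/2013:18:25:45 -0300] "GET /index.php?id=acunetix_wvs_security_test HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [03/Feb/2013:11:02:10 -0300] "GET /xampp/?x=acunetix_wvs_security_test HTTP/1.1" 200 1480 "-" "Mozilla/4.0"
203.0.113.20 - - [05/Feb/2013:07:12:24 -0300] "GET /adp/record.doc HTTP/1.1" 200 563200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.21 - - [05/Feb/2013:09:40:00 -0300] "GET /adp/record.doc HTTP/1.1" 200 563200 "-" "Mozilla/4.0"
203.0.113.22 - - [07/Feb/2013:15:01:33 -0300] "GET /adp/record.doc HTTP/1.1" 200 563200 "-" "Mozilla/4.0"
203.0.113.23 - - [08/Feb/2013:09:20:11 -0300] "GET /adp/record.doc HTTP/1.1" 200 563200 "-" "Mozilla/4.0"
203.0.113.24 - - [08/Feb/2013:09:25:02 -0300] "GET /adp/record.doc HTTP/1.1" 404 1045 "-" "Mozilla/4.0"
this line is truncated garbage and must be skipped
"""

def parse(log_text):
    """Return a list of parsed records; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
        rec["raw"] = line
        records.append(rec)
    return records

def file_timeline(records, path):
    """First/last successful download, served sizes, per-day counts and
    the first 404 after the last 200 (an upper bound on removal time)."""
    hits = sorted((r for r in records if r["path"].split("?")[0] == path),
                  key=lambda r: r["time"])
    ok = [r for r in hits if r["status"] == 200]
    gone = [r for r in hits
            if r["status"] == 404 and ok and r["time"] > ok[-1]["time"]]
    return {
        "first_200": ok[0]["time"] if ok else None,
        "last_200": ok[-1]["time"] if ok else None,
        "first_404_after": gone[0]["time"] if gone else None,
        "sizes": sorted({r["size"] for r in ok}),
        "per_day": dict(Counter(r["time"].strftime("%d/%b/%Y") for r in ok)),
    }

def marker_window(records, marker):
    """First and last time a marker string appears anywhere in a log line."""
    times = sorted(r["time"] for r in records if marker.lower() in r["raw"].lower())
    return (times[0], times[-1]) if times else None

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(file_timeline(recs, "/adp/record.doc"))
    print(marker_window(recs, "acunetix"))
```

The gap between the last 200 and the first 404 brackets when the file disappeared; more than one value in `sizes` would indicate the document was replaced while it was being served.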

Additional analysis of the discovered “/jobs/” directory and JSbug backend provides the following interesting information:

  • The “/jobs/” directory was first seen on 22/Jan/2013 06:12:44 -0300.
  • Installation of the JSbug backend was done on 22/Jan/2013 06:13:16 -0300.
  • Additional files were installed in the “/jobs/” directory, like “img/jquery-1.8.3.min.js”, “img/logo.gif”, “check.php”, “download.htm”, “download.php”, “img/download.css”, “img/ff_step1.png”, “img/ie_step3.png”, “img/ff_step2.png” and “NProtect.exe”. “check.php”, “download.htm”, “NProtect.exe” and “download.php” are no longer present on the server.

By analysing the files remaining on the server, used in a previous attack that started on 22 January, we can see the following files, which reveal that a spear phishing campaign was conducted against Boeing employees in order to trick them into installing the “NProtect.exe” malware.

Logo file found on the server
Step 1 for NProtect.exe installation
Step 2 for NProtect.exe installation
Step 3 for NProtect.exe installation

Gong Da / Gondad Exploit Pack Adds Java CVE-2013-0422 Support

If you are working in computer security and still haven’t heard about the latest Oracle Java 0day, aka CVE-2013-0422, then you should change your job! This latest Oracle Java 0day was discovered being massively exploited in exploit kits by @kafeine on 10 January. Other exploit kits have quickly added support for this new vulnerability, like the Gong Da exploit kit.

This new version was discovered on “hxxp://syspio.com/data/m.html”, a web site that is currently still online.

“syspio.com” is hosted on 222.239.252.166, in KR, and this domain name seems to be associated with a legitimate compromised web site.

The “m.html” file contains JavaScript code obfuscated by “JSXX VIP JS Obfuscator”, but the traditional traces of this obfuscator are no longer present.

After de-obfuscation of the “m.html” file, you can see that the Gong Da Pack has evolved to the following diagram.

Gong Da EK - 1.3

Below is some information regarding the different files:

  • EnKi2.jpg (aka CVE-2011-3544) : 8/46 on VirusTotal.com
  • cLxmGk3.jpg (aka CVE-2012-0507) : 11/46 on VirusTotal.com
  • OLluRM4.jpg (aka CVE-2012-1723) : 20/46 on VirusTotal.com
  • GPUrKz2.jpg (aka CVE-2012-4681) : 29/45 on VirusTotal.com
  • PBLO5.jpg (aka CVE-2012-5076) : 12/46 on VirusTotal.com
  • Nuwm7.jpg (aka CVE-2013-0422): 6/46 on VirusTotal.com