Yearly Archives: 2013

Microsoft Out-Of-Band Patch for Internet Explorer CVE-2012-4792 Vulnerability

Vulnerability Management, , , , , , ,

Microsoft, announcing in an Advanced Notification, will release, this Monday at 10 a.m. PST, an out-of-band security update to address vulnerability CVE-2012-4792, who was actively exploited in the wild targeting different organizations like Council on Foreign Relations (CFR.org), a foreign policy web group. This vulnerability was acknowledged by Microsoft, in MSA-2794220, the 30 December, but was exploited in targeted attacks since minimum beginning December. So, like for Oracle Java 7 Update 11 release, I advise you to patch asap.

 

 

Java Version 7 Update 11 Patch Oracle CVE-2013-0422 0day

Vulnerability Management, , , ,

Oracle has release an out-of-band patch, Java SE 7 Update 11, in order to patch the latest 0day, aka CVE-2013-0422, found massively exploited in the wild by kafeine. This update is done through an Oracle Security Alert regarding CVE-2013-0422. Oracle confirm that Java version 6, 5 and 4 are not vulnerables.

oracle-java-7-update-11-available

As always Oracle mention that the vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. But Oracle seem to forget that servers could crawl Internet, and that Java could be used to fetch web pages…

One interesting point is that Oracle push the default security level, introduced in version 7 Update 10, from “Medium” to “High“. With the “High” setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run. This setting is looking like the default “Click-to-play” functionality introduced into Firefox and into Chrome.

Another interesting point, is that this update is fixing two vulnerabilities, CVE-2013-0422 known through the Java 0day discovery, but also CVE-2012-3174 who has a base CVSS score of 10.0. Ben Murphy, via TippingPoint (ZDI…), is credited for the vulnerabilities. CVE-2012-3174 is assigned since 6 Jun 2012 !!!

So hopefully, Oracle has release a patch, I strongly advise you to patch asap !

Short Story regarding Microsoft MS11-081 CVE-2011-1996

Exploits, Metasploit, , , ,

During some investigations, associated to a packed version of the September Internet Explorer CVE-2012-4969 vulnerability, I found an unknown exploit targeting Microsoft Internet Explorer. The code was found on CLEAN MX and the evidences was dated of 2011-10-25.

CVE-2011-1996-exploit

After some researches on Internet, I found a blog post “Internet Explorer Option Element Remote Code Execution” from Ivan Fratric related to CVE-2011-1996 who has similar familiarities with the founded code. Ivan spoke about an PoC but never delivered it.

In Internet Explorer, the implementation of Select HTML element contains an array of pointers to the Option elements the Select element contains. This array is called the Option cache. Normally, whenever an Option element inside a Select element is accessed via JavaScript, Option cache is rebuilt, thus ensuring its consistency. However, there are some JavaScript methods that can be used to delete and modify the Option elements contained inside the Select element without rebuilding the Option cache. In combination, these methods enable modifying a previously deleted Option element.

If you remember CVE-2011-1996 was patched in MS11-081 the 11 October 2011 and details on the vulnerability were provided by Ivan Fratic the 12 October 2011. This vulnerability is affecting Microsoft Internet Explorer 6,7 and 8. So less than 12 days after the release of the Microsoft patch, an exploit was found gathered on Clean MX…

Regarding Clean MX, this exploit was found used in the wild on “hxxp://hb7.in/n/vvv.html“. And the “hb7.in” domain name was previously found on MALWARE.pl and on jsunpack the 24th October.

Now since the 9 January, this exploit is now integrated into Metasploit framework as “ms11_081_option” targeting Internet Explorer 8 on Windows XP, Vista and 7. Just enjoy 🙂

Gong Da / Gondad Exploit Pack Add Java CVE-2013-0422 support

Reverse Engineering, , , , , , , , , , , , , , , , ,

If you are working in computer security and still don’t have hear about the latest Oracle Java 0day, aka CVE-2013-0422, then you should change you job ! This last Oracle Java 0day was discovered massively exploited in exploit kits by @kafeine the 10th January. Other exploit kits have quickly add support of this new vulnerability, like Gong Da exploit kit.

Gond-Da-CVE-2013-0422-2

This new version was discovered on “hxxp://syspio.com/data/m.html” a web site how is actually still online.

gond-da-exploit-kit-CVE-2013-0422-1

syspio.com” is hosted on 222.239.252.166, in KR and this domain name seem to be associated with a legit compromised web site.

The “m.html” file containing JavaScript code obfuscated by “JSXX VIP JS Obfuscator“, but traditional traces if this obfuscator are no more available.

After de-obfuscation of the “m.html” file you can see that Gong Da Pack has involve to the following diagram.

Gong Da EK - 1.3

Here under some information s regarding the different files:

  • EnKi2.jpg (aka CVE-2011-3544) : 8/46 on VirusTotal.com
  • cLxmGk3.jpg (aka CVE-2012-0507) : 11/46 on VirusTotal.com
  • OLluRM4.jpg (aka CVE-2012-1723) : 20/46 on VirusTotal.com
  • GPUrKz2.jpg (aka CVE-2012-4681) : 29/45 on VirusTotal.com
  • PBLO5.jpg (aka CVE-2012-5076) : 12/46 on VirusTotal.com
  • Nuwm7.jpg (aka CVE-2013-0422): 6/46 on VirusTotal.com