Posts tagged CVE-2012-4969
Like other Exploit Kits, Gong Da has add support for Oracle Java CVE-2013-1493 vulnerability, fixed in Oracle Java 6 Update 17, has also add support for Microsoft Internet Explorer CVE-2012-4969 and CVE-2012-4792 vulnerabilities, fixed in an emergency patch in September 2012 and January 2013.
Here is the new code for CVE-2013-1493.
And here the new code for CVE-2012-4792 (aka 4792.html) and CVE-2012-4969 (aka payload.html).
Also a new variant of CVE-2012-1889 (xml.html) has been introduced, reducing the detection rate by anti-viruses.
As always this new version of Gong Da Exploit Kit has been discovered on a Korean web site.
Gong Da Pack has involve to the following diagram.
Here under some information s regarding the different files:
- HcIa2.jar (aka CVE-2011-3544): 11/46 on VirusTotal.com
- bzExj6.jar (aka CVE-2012-0507): 14/45 on VirusTotal.com
- BnkLbvY3.jar (aka CVE-2012-1723): 19/46 on VirusTotal.com
- iCNpns4.jar (aka CVE-2012-4681): 28/46 on VirusTotal.com
- JdtDFRW1.jar (aka CVE-2012-5076): 16/46 on VirusTotal.com
- TolxrJG6.jar (aka CVE-2013-0422): 19/46 on VirusTotal.com
- FQxzUjYP.jar (aka CVE-2013-1493): 16/46 on VirusTotal.com
- GwDFO7.swf (aka CVE-2013-0634): 10/46 on VirusTotal.com
- xmlcoreOld.html (aka CVE-2012-1889): 18/46 on VirusTotal.com
- xml.html (aka CVE-2012-1889): 3/35 on VirusTotal.com
- xmlcoreNew.html (aka CVE-2012-1889): 10/45 on VirusTotal.com
- 4792.html (aka CVE-2012-4792): 1/46 on VirusTotal.com
- xyaKEg.html and payload.html (aka CVE-2012-4969): 5/46 on VirusTotal.com
Normally Gong Da was used against gamers, but this time the loaded malware seem to be different (analysis on ThreatExpert)
During some investigations, associated to a packed version of the September Internet Explorer CVE-2012-4969 vulnerability, I found an unknown exploit targeting Microsoft Internet Explorer. The code was found on CLEAN MX and the evidences was dated of 2011-10-25.
After some researches on Internet, I found a blog post “Internet Explorer Option Element Remote Code Execution” from Ivan Fratric related to CVE-2011-1996 who has similar familiarities with the founded code. Ivan spoke about an PoC but never delivered it.
If you remember CVE-2011-1996 was patched in MS11-081 the 11 October 2011 and details on the vulnerability were provided by Ivan Fratic the 12 October 2011. This vulnerability is affecting Microsoft Internet Explorer 6,7 and 8. So less than 12 days after the release of the Microsoft patch, an exploit was found gathered on Clean MX…
Now since the 9 January, this exploit is now integrated into Metasploit framework as “ms11_081_option” targeting Internet Explorer 8 on Windows XP, Vista and 7. Just enjoy 🙂
As I announced you on Twitter, this blog post will present targeted attacks who have start mid-September and wasn’t discussed or presented in public. These attacks have end around mid-October.
— Eric Romang (@eromang) Décembre 29, 2012
The Space Foundation is a nonprofit organization that supports the global space industry through information and education programs. It is a resource for the entire space community – industry, national security organizations, civil space agencies, private space companies and the military around the world. It also supports educators, students and journalists with information and education programs.
Reporters Without Borders (RWB) is a French-based international non-governmental organization that advocates freedom of the press and freedom of information. Reporters Without Borders is also known as RSF, and RSF Chinese is a dedicated web site for Chinese news in Chinese language.
The watering hole attack was done through different files and by a dedicated centralized backend named “Jsbug“.
Description of the watering hole attack
“rsf.php” script only provide content if parameter “id=1024” is present. This script load through an iframe call “ie.html” file. “rsf.php” is the equivalent of “exploit.html” in the CVE-2012-4969 0day found in mid-September.
If Windows XP is used, and language is “en-us“, “zh-cn“, “zh-tw“, “ko” or “ja” (hum hum CVE-2012-4792…), then the vulnerability is triggered.
If Windows 7 is used and Java 6 is installed, then the vulnerability is triggered. A spray base value is provided in the code for Internet Explorer 9 , but “count.php” has filter the targeted browsers.
Once the vulnerability is triggered, “917.exe” (6b4aa596e5a4208371942cdb0e04dfd9) file is installed. This malware is known as “Trojan-Dropper.Win32.Dapato.bscc“.
A interesting point regarding “ie.html” file, this file was dating of 19 September.
Some facts regarding CVE-2012-4969 :
- Vulnerability was discovered exploited in the wild, with a Flash variant, the 14 September.
- Metasploit PoC was provided the 17 September.
- Microsoft Security Advisory MSA-2757760 was published the 17 September.
- Microsoft patch was provided in MS12-063 the 21 September.
But you will see, through the next chapter, that the attack has began the 18 September.
“count2.php” script and Jsbug backend usage
“count2.php” script is loaded in any cases for statistics purposes. This script will create and check two cookies “stat_cookie” and “stat_time“, gather version of Adobe Flash, presence of Oracle Java and HTTP referrer. All these informations are send back to the same script with parameters.
All these informations are stored in a backend named “Jsbug“. This backend is quiet simple, only three menus “Client statistics“, “Report” and “Create Exploit“. The backend doesn’t have any external css or images files, and is typically composed of minimum three PHP scripts.
Login page of the backend is also quiet simplistic, no page title, no text in the page, and this logic of simplicity make it harder to discover through Google searches.
“Client statistics” menu will direct you on a recap page, of all visitors who have load “count2.php“, with OS type, browser type and version, version of Adobe Flash, version of Oracle Java, IP address, HTTP referer, number of visits, first visite and last visite date.
In the case of the Space Foundation watering hole attack, the first date are beginning 18 September.
In the case of RSF Chinese watering hole attack, the first date are beginning 19 September.
These attacks have ended around mid-October.
“Report” menu will direct you on a statistics page, of all visitors.
You can find, by clicking on the following image, a visualization timeline of the main exploitable vulnerabilities of year 2012.
Start date of a slide is corresponding to:
- the date of discovery of the vulnerability, or
- the date of report to the vendor, or
- the date of public release of the vulnerability
End date of a slide is corresponding to:
- the date of vendor security alert notification, or
- the date of Metasploit integration, or
- the date of fix, or
- the date of PoC disclosure