Tag Archives: Oracle

Reporters Without Borders Victim of Watering Hole Campaign

As mentioned by Jindrich on Twitter, it seems that the entity or entities behind the watering hole attacks don’t care about being caught or detected, and it also seems that they don’t care whether the Internet Explorer and Java vulnerabilities are patched. They act as opportunists and try to take advantage of the window between the release of a patch and its application by some users, companies and non-governmental organizations.

Last week Jindrich Kubec and I reported on watering hole attacks against multiple high-value web sites, including, for example, major Hong Kong political parties. These websites used the latest Internet Explorer vulnerability (CVE-2012-4792), patched in MS13-008, but also the latest Java vulnerability (CVE-2013-0422), patched in Oracle Java 7 Update 11.

It seems that one week later, Reporters Without Borders, a French-based international non-governmental organization that advocates freedom of the press and freedom of information, is the new web site used for the watering hole campaign. Such an organization is an ideal target for a watering hole campaign, as right now the miscreants seem to concentrate only on human rights and political sites: many Tibetan, some Uyghur, and some political parties in Hong Kong and Taiwan are the latest hits in this operation. In our opinion the finger could be safely pointed to China (again).

As with the Hong Kong political party site, the English version of RWB was doing a JavaScript inclusion from “hxxp://en.rsf.org/local/cache-js/m.js”.

[Screenshot: rsf-en-m.js-file]

[Screenshot: rsf-en-traffic]

The “m.js” file creates a cookie “Somethingbbbbb” with a one-day expiration date. The cookie name can be linked to the cookie name of the Hong Kong political party “m.js”, which was “Somethingeeee”. This kind of cookie was already used two years ago in similar attacks with different exploits.

If Internet Explorer 8 is used, an iframe is loaded from the “hxxp://newsite.acmetoy.com/m/d/pdf.html” file. Otherwise two iframes will load “hxxp://98.129.194.210/CFIDE/debug/includes/java.html” and “hxxp://newsite.acmetoy.com/m/d/javapdf.html”.

newsite.acmetoy.com analysis

The “newsite.acmetoy.com” web site is hosting the following CVE-2012-4792 related files:

  • “pdf.html” (ffe715a312a488daf3310712366a5024): traditional “DOITYOUR” obfuscated JavaScript file which attempts to exploit the latest Internet Explorer vulnerability, CVE-2012-4792.
  • “logo1229.swf” (da0287b9ebe79bee42685510ac94dc4f): traditional “DOITYOUR” variant of “today.swf”.
  • “DOITYOUR02.html” (cf394f4619db14d335dde12ca9657656): traditional “DOITYOUR” variant of “news.html”.
  • “DOITYOUR01.txt” (a1f6e988cfaa4d7a910183570cde0dc0): traditional “DOITYOUR” variant of “robots.txt”.

The “newsite.acmetoy.com” web site is also hosting the following Java vulnerability related files:

  • “javapdf.html” (b32bf36160c7a3cc5bc765672f7d6f2c): JavaScript file for CVE-2013-0422 or CVE-2011-3544 exploitation.
  • “AppletHigh.jar” (f02ffa2b293ff370d0ea3499d0ade9bd): CVE-2013-0422 exploit.
  • “AppletLow.jar” (1da8f77dde43f55585896eddaff43896): CVE-2011-3544 exploit.

98.129.194.210 analysis

The “98.129.194.210” web site is hosting the following Java vulnerability related files. As you can see, they are exactly the same as the above and most probably serve only as a backup server in case of takedown.

  • “java.html” (b32bf36160c7a3cc5bc765672f7d6f2c): JavaScript file for CVE-2013-0422 or CVE-2011-3544 exploitation.
  • “AppletHigh.jar” (f02ffa2b293ff370d0ea3499d0ade9bd): CVE-2013-0422 exploit.
  • “AppletLow.jar” (1da8f77dde43f55585896eddaff43896): CVE-2011-3544 exploit.

These binaries were dropped by the exploits:

  • 686D0E4FAEE4B0EF93A8B9550BD544BF334A6D9B495EC7BE9E28A0F681F5495C, which is a remote access tool (RAT) programmed to contact “luckmevnc.myvnc.com” (112.140.186.252, Singapore) or “luckmegame.servegame.com” (currently parked).
  • A14CCC5922EFC6C7CEC1BB58C607381C99967ED4B7602B7427B081209AAF1656 is an interesting injector which downloads something that pretends to be an error web page, decodes its content, which is in fact position-independent code, and later injects it into another process. This is also a RAT, contacting “d.wt.ikwb.com” (58.64.179.139, Hong Kong).
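The chain described above (script inclusion, exploit page, RAT call-out) can be reconstructed per client from web proxy logs. The following is an added example, not code from the post or from avast; the log format and the log lines are constructed, and only the hosts and paths quoted in the post are used as indicators.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the post, grouped by the stage of the chain they belong to.
# A path of None means "any request to that host" (used for the RAT C2 domains).
INDICATORS = {
    "js-inclusion": {("en.rsf.org", "/local/cache-js/m.js")},
    "ie-exploit":   {("newsite.acmetoy.com", "/m/d/pdf.html")},
    "java-exploit": {("newsite.acmetoy.com", "/m/d/javapdf.html"),
                     ("98.129.194.210", "/CFIDE/debug/includes/java.html")},
    "rat-c2":       {("luckmevnc.myvnc.com", None),
                     ("luckmegame.servegame.com", None),
                     ("d.wt.ikwb.com", None)},
}

# Constructed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def classify(url: str):
    """Return the chain stage an URL belongs to, or None if it matches no indicator."""
    u = urlparse(url)
    for stage, pairs in INDICATORS.items():
        for host, path in pairs:
            if u.hostname == host and (path is None or u.path == path):
                return stage
    return None

def scan(lines):
    """Group matching requests by client: {client: [(timestamp, stage, url), ...]}."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        stage = classify(m["url"])
        if stage:
            hits.setdefault(m["client"], []).append((m["ts"], stage, m["url"]))
    return hits

def full_chain(events) -> bool:
    """True when a client shows inclusion, an exploit page and a RAT C2 contact."""
    stages = {s for _, s, _ in events}
    return ("js-inclusion" in stages and "rat-c2" in stages
            and bool(stages & {"ie-exploit", "java-exploit"}))

# Constructed sample log (not real traffic): one victim and one unrelated client.
SAMPLE_LOG = """\
2013-01-22T09:14:02Z 10.0.0.17 GET http://en.rsf.org/ 200
2013-01-22T09:14:03Z 10.0.0.17 GET http://en.rsf.org/local/cache-js/m.js 200
2013-01-22T09:14:04Z 10.0.0.17 GET http://newsite.acmetoy.com/m/d/javapdf.html 200
2013-01-22T09:14:21Z 10.0.0.17 GET http://luckmevnc.myvnc.com/ 200
2013-01-22T09:15:00Z 10.0.0.42 GET http://www.example.com/index.html 200
""".splitlines()
```

Running `scan(SAMPLE_LOG)` flags only 10.0.0.17, and `full_chain` on its events confirms all three stages were seen, which is the signal worth escalating rather than a single hit on the backup server.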

We’ve contacted the RSF webmaster and the code should already be removed. Avast and other anti-virus product users are protected on multiple levels against this threat; updating to the latest versions of the vulnerable software packages is also a must. Or get rid of them: most users can safely replace MSIE with another browser and completely uninstall Java, reducing the attack surface.

Oracle Critical Patch Update January 2013 Review

Oracle has released its Critical Patch Update (CPU) for January 2013 on Tuesday, January 15. This CPU contains 86 security vulnerability fixes across 24 Oracle products. Of the 86 security vulnerabilities, 45 may be remotely exploitable without authentication. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0 and concerns Oracle Database Mobile. 9 vulnerabilities have a CVSS base score greater than or equal to 7.0.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But as you also may know, security researchers disagree with Oracle’s usage of CVSS. Oracle plays with the CVSS score by creating a “Partial+” impact rating that does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently than defined in CVSS 2.0.

Oracle Database Server

One vulnerability is reported for “Oracle Database Server”. CVE-2012-3220 has a CVSS base score of 9.0. The affected component is “Spatial” and exploitation requires authentication. The CVSS score is 9.0 for the Windows platform and 6.5 for Linux and Unix.

Oracle Database Mobile/Lite Server

5 vulnerabilities are reported for “Oracle Database Mobile/Lite Server”, all of them remotely exploitable without authentication. The highest CVSS score is 10.0. The affected component is “Mobile Server”.

CVE-2013-0361 and CVE-2013-0366 have a CVSS base score of 10.0. CVE-2013-0362, CVE-2013-0363 and CVE-2013-0364 have a CVSS base score of 7.8.

Oracle Fusion Middleware

6 vulnerabilities are reported for “Oracle Fusion Middleware” and 4 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 5.0. Affected components are “Management Pack for Oracle GoldenGate”, “Oracle GoldenGate Veridata”, “Oracle WebLogic Server”, “Oracle Access Manager”, “Oracle Application Server Single Sign-On” and “Oracle Outside In Technology”.

CVE-2012-0022 and CVE-2011-5035 have a CVSS base score of 5.0. CVE-2012-5097 and CVE-2012-1677 have a CVSS base score of 4.3. CVE-2013-0393 and CVE-2013-0418 have a CVSS base score of 2.1.

Oracle Enterprise Manager Grid Control

13 vulnerabilities are reported for “Oracle Enterprise Manager Grid Control” and all of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 7.5. Affected components are “APM – Application Performance Management” and “Enterprise Manager Base Platform”.

CVE-2013-0359 has a CVSS base score of 7.5. CVE-2013-0360 and CVE-2013-0396 have a CVSS base score of 5.0. CVE-2013-0352, CVE-2013-0374, CVE-2013-0355, CVE-2013-0372, CVE-2013-0373, CVE-2013-0353, CVE-2013-0354, CVE-2013-0358, CVE-2012-3219 and CVE-2012-5062 have a CVSS base score of 4.3.

Oracle E-Business Suite

9 vulnerabilities are reported for “Oracle E-Business Suite” and 7 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.4. Affected components are “Oracle Applications Framework”, “Oracle CRM Technical Foundation”, “Oracle Marketing”, “Oracle Universal Work Queue”, “Human Resources”, “Oracle Applications Technology Stack” and “Oracle Payroll”.

CVE-2013-0397, CVE-2013-0381, CVE-2013-0382 and CVE-2012-3190 have a CVSS base score of 6.4. CVE-2012-3218 has a CVSS base score of 5.5. CVE-2013-0376, CVE-2013-0377 and CVE-2013-0380 have a CVSS base score of 4.3. CVE-2013-0390 has a CVSS base score of 2.1.

Oracle Supply Chain Products

One vulnerability is reported for “Oracle Supply Chain Products”: CVE-2013-0370 has a CVSS base score of 2.1. The affected component is “Oracle Agile PLM Framework”.

Oracle PeopleSoft Products

12 vulnerabilities are reported for “Oracle PeopleSoft Products” and 7 of them may be remotely exploitable without authentication. The highest CVSS base score of these vulnerabilities is 5.5. Affected components are “PeopleSoft PeopleTools” and “PeopleSoft HRMS”.

CVE-2013-0369 and CVE-2013-0391 have a CVSS base score of 5.5. CVE-2013-0394 has a CVSS base score of 5.0. CVE-2013-0388, CVE-2013-0356, CVE-2013-0357, CVE-2012-1755, CVE-2013-0387, CVE-2012-5059 and CVE-2013-0392 have a CVSS base score of 4.3. CVE-2013-0395 has a CVSS base score of 4.0. CVE-2012-3192 has a CVSS base score of 3.5.

Oracle JD Edwards Products

One vulnerability is reported for “Oracle JD Edwards Products”: CVE-2012-1678 has a CVSS base score of 3.5. The affected component is “JD Edwards EnterpriseOne Tools”.

Oracle Siebel CRM

10 vulnerabilities are reported for “Oracle Siebel CRM” and 5 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 5.0. The affected component is “Siebel CRM”.

CVE-2012-1701, CVE-2012-3170 and CVE-2012-3169 have a CVSS base score of 5.0. CVE-2013-0378 and CVE-2013-0379 have a CVSS base score of 4.3. CVE-2013-0365, CVE-2012-1680, CVE-2012-3172, CVE-2012-3168 and CVE-2012-1700 have a CVSS base score of 4.0.

Oracle Sun Products Suite

8 vulnerabilities are reported for “Oracle Sun Products Suite” and 1 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.6. Affected components are “Solaris” and “Sun Storage Common Array Manager (CAM)”.

CVE-2013-0400 and CVE-2013-0399 have a CVSS base score of 6.6. CVE-2013-0415 has a CVSS base score of 6.0. CVE-2013-0417 has a CVSS base score of 5.0. CVE-2013-0407 has a CVSS base score of 3.6. CVE-2012-0569 and CVE-2013-0414 have a CVSS base score of 3.3. CVE-2012-3178 has a CVSS base score of 2.1.

Oracle Virtualization

One vulnerability is reported for “Oracle Virtualization”: CVE-2013-0420 has a CVSS base score of 2.4. The affected component is “VirtualBox”.

Oracle MySQL

18 vulnerabilities are reported for “Oracle MySQL” and 2 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 9.0. The affected component is “MySQL Server”.

CVE-2012-5612 and CVE-2012-5611 have a CVSS base score of 9.0. CVE-2012-5060, CVE-2013-0384, CVE-2013-0389 and CVE-2013-0386 have a CVSS base score of 6.8. CVE-2013-0385 has a CVSS base score of 6.6. CVE-2013-0375 has a CVSS base score of 5.5. CVE-2012-1702 has a CVSS base score of 5.0. CVE-2013-0383 has a CVSS base score of 4.3. CVE-2013-0368, CVE-2012-0572, CVE-2013-0371, CVE-2012-0574, CVE-2012-1705, CVE-2012-0578 and CVE-2013-0367 have a CVSS base score of 4.0. CVE-2012-5096 has a CVSS base score of 3.5.

Watering Hole Campaign Uses Latest Java and IE Vulnerabilities

Through a collaboration between Jindrich Kubec (@Jindroush), Director of Threat Intelligence at avast!, and Eric Romang (@eromang), independent security researcher, we can confirm that the watering hole campaigns are still ongoing, targeting multiple high-value web sites, including, for example, a major Hong Kong political party. We can also confirm that a second major Hong Kong political party is a victim of this watering hole campaign.

This website is actually using the new version of the original Internet Explorer (CVE-2012-4792) vulnerability attack, patched in MS13-008, but right now it is also using the latest Java (CVE-2013-0422) vulnerability, patched in Oracle Java 7 Update 11.

We will provide further details on the affected web sites after they have been cleaned.

The Chinese language version of the targeted web site is doing a remote JavaScript inclusion from “hxxp://www.[REDACTED].org/board/data/m/m.js”.

[Screenshot: malicious-javascript-inclusion]

This website is a legitimate but compromised website, hosted in South Korea, used for hosting the exploit files.

This included file uses the well-known “deployJava” function, aka “deployJava.js”, and creates a cookie “Somethingeeee” with a one-day expiration date. This cookie is quite strange, and it is also possible to find it in years-old exploits, which suggests this is only a part of a greater, long-running operation.

[Screenshot: mt.html-file-2]

If Internet Explorer 8 is used, an iframe is loaded from the “hxxp://www.[REDACTED].org/board/data/m/mt.html” file. Otherwise, if Oracle Java is detected, an iframe will load “hxxp://www.[REDACTED].org/board/data/m/javamt.html”.

Analysis of “mt.html”

“mt.html” (d85e34827980b13c9244cbcab13b35ea) is an obfuscated JavaScript file which attempts to exploit the latest Internet Explorer vulnerability, CVE-2012-4792, fixed in MS13-008, which Microsoft provided Monday morning.

https://www.virustotal.com/file/58588ce6d0a1e042450946b03fa4cd92ac1b4246cb6879a7f50a0aab2a84086a/analysis/ (avast detects this code as JS:Bogidow-A [Expl] through the Script Shield component).

Compared to the original CFR and Capstone Turbine versions, this code does not target a particular browser language, but it is based on the version used on CFR, with the “boy” and “girl” patterns.

The traditional “today.swf” has been replaced with “logo1229.swf” (da0287b9ebe79bee42685510ac94dc4f), “news.html” has been replaced with “DOITYOUR02.html” (cf394f4619db14d335dde12ca9657656) and “robots.txt” has been replaced with “DOITYOUR01.txt” (a1f6e988cfaa4d7a910183570cde0dc0). The traditional dropper “xsainfo.jpg” is now embedded in the “mt.html” file and obfuscated in the JavaScript.

The executable can be extracted from the string by cutting off the first 13 characters, converting the hex characters to binary and XORing the whole binary blob with 0xBF. The resulting file, with SHA256 CE6C5D2DCF5E9BDECBF15E95943F4FFA845F8F07ED2D10FD6E544F30A9353AD2, is a RAT which communicates with a domain hosted in Hong Kong by New World Telecom.
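The three-step recovery above (drop 13 characters, hex-decode, XOR with 0xBF), written out as an added analysis helper that also verifies the result against the SHA256 quoted in the post; this is example code, not the post’s own tooling, and the embedded sample is a constructed fake “MZ” stub, not the real dropper.

```python
import hashlib
from binascii import unhexlify
from typing import Optional

XOR_KEY = 0xBF      # single-byte key named in the post
PREFIX_LEN = 13     # number of leading characters the post says to discard
# SHA-256 of the real dropper as quoted in the post, kept here for comparison only
KNOWN_DROPPER_SHA256 = "ce6c5d2dcf5e9bdecbf15e95943f4ffa845f8f07ed2d10fd6e544f30a9353ad2"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def extract_embedded_exe(blob: str, expected_sha256: Optional[str] = None) -> bytes:
    """Discard the prefix, hex-decode, XOR every byte with 0xBF, optionally verify the hash."""
    hexpart = blob[PREFIX_LEN:].strip()
    if len(hexpart) % 2:
        raise ValueError("odd-length hex string after removing the prefix")
    decoded = bytes(b ^ XOR_KEY for b in unhexlify(hexpart))
    if expected_sha256 and sha256_hex(decoded) != expected_sha256.lower():
        raise ValueError("SHA-256 mismatch: decoded blob is not the expected dropper")
    return decoded

def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a Windows executable starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"

# Constructed sample (not malware): a fake PE stub wrapped exactly the way the post describes.
FAKE_EXE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n$" + bytes(range(16))

def build_obfuscated(exe: bytes, prefix: str = "0123456789ABC") -> str:
    """Inverse of extract_embedded_exe; used only to produce the constructed sample."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly 13 characters")
    return prefix + bytes(b ^ XOR_KEY for b in exe).hex()

if __name__ == "__main__":
    sample = build_obfuscated(FAKE_EXE)
    exe = extract_embedded_exe(sample)
    print(looks_like_pe(exe), sha256_hex(exe))
```

On the real “mt.html” string, pass `KNOWN_DROPPER_SHA256` as `expected_sha256` so a wrong offset or key is caught immediately instead of producing a silently corrupted file.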

Analysis of “javamt.html”

“javamt.html” (b32bf36160c7a3cc5bc765672f7d6f2c) checks whether Oracle Java 7 is present; if so, the latest Java vulnerability, CVE-2013-0422, will be exploited through “AppletHigh.jar” (521eab796271254793280746dbfd9951). If Oracle Java 6 is present, “AppletLow.jar” (2062203f0ecdaf60df34b5bdfd8eacdc) will exploit CVE-2011-3544. Both applets contain the very same binary mentioned above (unencrypted).

[Screenshot: javamt.html-file]

Conclusion

As you can see, the watering hole campaign still continues, but it has evolved, both in form and by using the latest Oracle Java vulnerability. There is just one piece of advice: patch, patch, patch… and see you soon.

Java Version 7 Update 11 Patches Oracle CVE-2013-0422 0day

Oracle has released an out-of-band patch, Java SE 7 Update 11, to fix the latest 0day, aka CVE-2013-0422, found massively exploited in the wild by kafeine. This update is delivered through an Oracle Security Alert regarding CVE-2013-0422. Oracle confirms that Java versions 6, 5 and 4 are not vulnerable.

[Screenshot: oracle-java-7-update-11-available]

As always, Oracle mentions that the vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. But Oracle seems to forget that servers can crawl the Internet, and that Java can be used to fetch web pages…

One interesting point is that Oracle pushes the default security level, introduced in version 7 Update 10, from “Medium” to “High”. With the “High” setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run. This setting looks like the default “Click-to-play” functionality introduced in Firefox and Chrome.

Another interesting point is that this update fixes two vulnerabilities: CVE-2013-0422, known through the Java 0day discovery, but also CVE-2012-3174, which has a base CVSS score of 10.0. Ben Murphy, via TippingPoint (ZDI…), is credited for the vulnerabilities. CVE-2012-3174 has been assigned since 6 Jun 2012!!!

So, hopefully, Oracle has released a patch; I strongly advise you to patch asap!