<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Praetorian Prefect &#187; Vulnerability</title>
	<atom:link href="http://praetorianprefect.com/archives/category/vulnerability/feed/" rel="self" type="application/rss+xml" />
	<link>http://praetorianprefect.com</link>
	<description>Information security, a little slower...a little deeper</description>
	<lastBuildDate>Thu, 29 Jul 2010 16:38:31 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Turning an ATM into a Slot Machine</title>
		<link>http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/</link>
		<comments>http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/#comments</comments>
		<pubDate>Wed, 28 Jul 2010 23:50:13 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[atm]]></category>
		<category><![CDATA[blackhat]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=4600</guid>
		<description><![CDATA[In a talk originally slated for last year before it was muffled by Juniper based on the concerns of "an affected ATM vendor", Jack demonstrates what he calls jackpotting an ATM.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/07/atm_jackpot.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/07/atm_jackpot-150x150.jpg" alt="" title="atm_jackpot" width="150" height="150" class="alignleft size-thumbnail wp-image-4601" /></a></p>

<p>Security researcher Barnaby Jack, currently at IOActive but a veteran of Foundstone, eEye, and Juniper with almost ten years in the industry, has demonstrated two exploit methods for ATMs (Automated Teller Machines) in a presentation that is thus far the talk of the Black Hat 2010 conference. In a discussion originally slated for last year before it was muffled by Juniper based on the concerns of &#8220;an affected ATM vendor&#8221;, Jack demonstrates what he calls jackpotting an ATM.</p>

<p>Here&#8217;s the ATM &#8220;jackpot&#8221; (music playing, money flying out, word &#8216;Jackpot&#8217; displayed on the console):</p>

<p><object width="425" height="344"><param name="movie" value="http://www.twitvid.com/player/TGMDW"></param><param name="allowscriptaccess" value="always"></param><param name="allowFullScreen" value="true"></param><embed type="application/x-shockwave-flash" src="http://www.twitvid.com/player/TGMDW" quality="high" allowscriptaccess="always" allowNetworking="all" allowfullscreen="true" wmode="transparent" height="344" width="425"></object></p>

<h3>The Attack</h3>

<p>The attack used two custom tools Jack developed: Scrooge, an ATM firmware rootkit (malicious software that conceals itself at the interface between software and hardware), and Dillinger (named for the famous bank robber), a remote ATM attack tool that keeps track of compromised machines and stores the data stolen from people who use them. The first exploit involved unlocking a panel on the ATM and inserting a USB key that overwrites the machine&#8217;s native firmware with the rootkit, taking control of the ATM.</p>

<h3>Research</h3>

<div id="attachment_4606" class="wp-caption alignleft" style="width: 200px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/07/atm_open.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/07/atm_open.jpg" alt="" title="atm_open" width="190" height="202" class="size-full wp-image-4606" /></a><p class="wp-caption-text">Triton ATM opened up, as an example.</p></div>

<p>To perform the research, Jack acquired physical ATMs, attached a debugger to the ATM motherboard, and proceeded to reverse engineer the machine&#8217;s firmware. He then developed a replacement version (the aforementioned Scrooge software). Firmware refers to the small footprint of code (programs, data structures) that provides internal control of an electronic device: in other words, the low-level operations of the device.</p>

<p>In the models Jack tested he was able, after accessing the machine&#8217;s USB ports with a master key purchased online, to replace the firmware with his rootkit version. The ATMs include this capability so that firmware updates can be applied by those performing maintenance on the ATM. However, there is no integrity check to ensure that the code update comes from a trusted source.</p>

<p>The keys themselves for the cabinets are <a href="http://www.atmpartmart.com/index.php?main_page=index&amp;cPath=698_833_847">not hard to acquire</a>.</p>

<h3>Mitigation</h3>

<p>In response, ATM vendors have created a new version of the firmware that requires future updates to carry a digital signature (essentially a shared secret between the machine and the author of code for that machine, used to ensure the integrity of the code update). This would help prevent the type of rogue update via USB that Jack performed, as long as the signing keys are kept secret.</p>

<h3>Breadth</h3>

<p>While Jack wouldn&#8217;t reveal the names of the ATM vendors whose devices he compromised (they are reported to be Triton and Tranax machines), he has noted that he has compromised every ATM he has tested, implying that attacks on multiple machines are possible because of similarities in the way generic ATMs are built. He did note the external limitations of his research, citing the fact that there are only so many ATMs you can put in an apartment before &#8220;your girlfriend gets mad&#8221;.</p>

<p>Jack actually told the delivery man who brought the ATMs that he was getting them because he wanted to avoid bank withdrawal fees.</p>

<div id="attachment_4602" class="wp-caption alignnone" style="width: 622px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/07/atm_jackpot1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/07/atm_jackpot1.jpg" alt="" title="atm_jackpot" width="612" height="828" class="size-full wp-image-4602" /></a><p class="wp-caption-text">Money spews from the ATM like a slot machine post exploit.</p></div>

<h3>Remote Attack</h3>

<p>A remote attack was also demonstrated over WiFi, but many of the details have not yet been released. Jack found a way, testing on his own machines, to bypass the remote authentication system of the ATM so that the same homemade rootkit, Scrooge, could be installed. This essentially provides access to an ATM via an Internet connection, allowing for attack results such as recording card and PIN numbers on entry and sending them to a remote attacker. Such vulnerable ATMs could be located with a war dialing tool, calling thousands of phone numbers until a vulnerable machine responds via modem, a technique already in use by criminals.</p>

<h3>Conclusion</h3>

<blockquote>
  <p>&#8220;Sometimes you have to demo a threat to spark a solution,&#8221; <br />Barnaby Jack</p>
</blockquote>

<p>The image is a resonant and powerful one of insecurity: we have here a demonstrated attack that spews money out of an ATM in a few seconds, and a second that doesn&#8217;t even require physical access to the machine. At this point, the vendors&#8217; response time frame, as well as the vulnerability demonstrated via USB, border on negligence: a master key that is readily available, and USB-based firmware updates without any signing mechanism to ensure that an update is &#8216;approved&#8217;.</p>

<p>We have here, after all, a device whose sole purpose is to dispense cash.</p>

<p>Last year an ATM vendor got the talk pulled from Black Hat by pressuring Jack&#8217;s employer, Juniper Networks, despite having seven months of notification from Jack to arrive at some sort of response before the scheduled talk. Given that we are now some one and a half years from notification, and given the quantity and dispersal of ATMs out there, the vulnerabilities demonstrated are likely still viable.</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Press F1 for Help, pwned.</title>
		<link>http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/</link>
		<comments>http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 17:39:54 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Remote Exploit]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[Stay Safe Online]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[help system]]></category>
		<category><![CDATA[ie]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[winhlp32]]></category>
		<category><![CDATA[zero-day]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3444</guid>
		<description><![CDATA[Microsoft published security advisory 981169 yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 &#38; SP3, and Windows 2003 SP2 with Internet Explorer 7 [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/Vista_Help_thumb_7AEAB696.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/Vista_Help_thumb_7AEAB696-150x150.png" alt="Vista_Help_thumb_7AEAB696" title="Vista_Help_thumb_7AEAB696" width="125" height="125" class="alignleft size-thumbnail wp-image-3449" /></a></p>

<p>Microsoft published security advisory <a href="http://www.microsoft.com/technet/security/advisory/981169.mspx">981169</a> yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 &amp; SP3, and Windows 2003 SP2 with Internet Explorer 7 and Internet Explorer 8 are all affected.</p>

<p>Credit to Maurycy Prodeus for publishing the <a href="http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt">initial details</a> of the vulnerability.</p>

<h3>Details</h3>

<p>Using the MsgBox VBScript function in an HTML file, an attacker can create a dialog box prompting the user to hit F1, something that is likely not difficult to do with a message such as &#8220;Internet Explorer encountered an error, press F1 to continue&#8221;. The <a href="http://msdn.microsoft.com/en-us/library/sfw6660x(VS.85).aspx">MsgBox</a> function is important because its fourth argument is a helpfile parameter, which specifies the .hlp or .chm file to launch when the user asks for help via F1.</p>

<p>I created a simple help file with the word &#8220;Test&#8221; using the Microsoft Help Workshop version 4.03. In addition to this, I added the macro to launch a command prompt (cmd.exe). When I double-click this file in Windows XP SP3, I get my test help file and the command prompt launches as well:</p>

<div id="attachment_3447" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/ScreenHunter_02-Mar.-02-11.51.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/ScreenHunter_02-Mar.-02-11.51-300x248.jpg" alt="Cmd.exe launched with my Help file." title="ScreenHunter_02 Mar. 02 11.51" width="300" height="248" class="size-medium wp-image-3447" /></a><p class="wp-caption-text">Cmd.exe launched with my Help file.</p></div>

<p>So we now have a .hlp file which executes code. As mentioned before, the MsgBox function has a parameter to specify a help file to launch when the user hits F1. Here is where I come back to a recurring issue of SMB traffic and allowing it outbound on firewalls. In order for the MsgBox parameter to launch the .hlp file, the attacker must point to a local file (which the user would have had to already download) or host the file on an internet-accessible SMB share. If you look at the proof of concept code currently circulating, you will see the MsgBox help parameter is &#8220;&#92;&#92;x.x.x.x&#92;attackfile.hlp&#8221;, a UNC path to a help file on an SMB share. Corporate enterprises should certainly block SMB outbound, and with this vulnerability and the several previous attacks via the SMB client, home users should block this outbound traffic as well.</p>

<h3>Vista, Windows 7, &amp; Server 2008</h3>

<p>The exploit does not work on Vista, Windows 7 and Windows Server 2008 because Microsoft no longer ships winhlp32.exe with these versions. However, there is an update which can install winhlp32 for these versions (<a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=258aa5ec-e3d9-4228-8844-008e02b32a2c&amp;displaylang=en">Windows 7 version I installed from here</a>). I found that these updates did not launch cmd.exe as the Windows XP version did (I also tried Prodeus&#8217;s PoC help file and it displayed but did not run calc.exe). It is possible that Microsoft removed this code execution function from these versions.</p>

<h3>Workarounds</h3>

<p>The advice is to avoid pressing F1 when prompted by a website. Additionally, permissions on winhlp32.exe can be modified so that it cannot execute. In an Active Directory environment, a Group Policy software restriction setting can prohibit winhlp32.exe from launching. As mentioned, I recommend blocking outbound SMB traffic, as there is rarely a justification for mounting a network share on the public internet. This helps with many known vulnerabilities disclosed in the past as well.</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Microsoft&#8217;s Google Attack Patch?</title>
		<link>http://praetorianprefect.com/archives/2010/02/microsofts-google-attack-patch/</link>
		<comments>http://praetorianprefect.com/archives/2010/02/microsofts-google-attack-patch/#comments</comments>
		<pubDate>Fri, 26 Feb 2010 04:18:26 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[funny]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Patch Management]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3421</guid>
		<description><![CDATA[Noted journalist and friend of the blog <a href="http://twitter.com/georgevhulme">George V. Hulme</a> shared the picture below from CNBC, perhaps the most amusing way seen thus far of describing the patch for the '<a href="http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/">Aurora bug</a>' that famously affected Google late last year.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/fry_2.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/fry_2-150x150.jpg" alt="fry_2" title="fry_2" width="150" height="150" class="alignleft size-thumbnail wp-image-3422" /></a></p>

<p>Noted journalist and friend of the blog <a href="http://twitter.com/georgevhulme">George V. Hulme</a> shared the picture below from a CNBC broadcast, perhaps the most amusing way seen thus far of describing the patch for the &#8216;<a href="http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/">Aurora bug</a>&#8216; that famously affected Google late last year.</p>

<p>That assumes of course that Microsoft is not in fact working on a Google Attack Patch.</p>

<div id="attachment_3423" class="wp-caption alignnone" style="width: 760px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/cnbc.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/cnbc.jpg" alt="The Google Attack Patch is coming soon." title="cnbc" width="750" height="566" class="size-full wp-image-3423" /></a><p class="wp-caption-text">The Google Attack Patch is coming soon.</p></div>

<p>Of course they are referring to <a href="http://blogs.technet.com/msrc/archive/2010/01/21/bulletin-ms10-002-released.aspx">Microsoft&#8217;s out-of-band patch</a> released on January 21st for the Internet Explorer use-after-free vulnerability that has been nicknamed Aurora.</p>

<div id="attachment_3427" class="wp-caption alignnone" style="width: 535px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/02/aurora_patch.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/02/aurora_patch.jpg" alt="Aurora Patch description." title="aurora_patch" width="525" height="160" class="size-full wp-image-3427" /></a><p class="wp-caption-text">Aurora Patch description.</p></div>

<p>Praetorian advises giving this patch special attention in your environment, especially if you continue to run Internet Explorer 6.0. The vulnerability is not confined to this version of the browser, but the method of attack is well known for this version at this point.</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/02/microsofts-google-attack-patch/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Adobe util.printd Zero Day</title>
		<link>http://praetorianprefect.com/archives/2009/12/adobe-util-printd-zero-day/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/adobe-util-printd-zero-day/#comments</comments>
		<pubDate>Wed, 16 Dec 2009 21:02:21 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[zero-day]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2427</guid>
		<description><![CDATA[A critical vulnerability was discovered early this week in Adobe Reader and Acrobat versions 9.2 and earlier which could allow attackers to gain control of the affected system, not even a week after Adobe <a href="http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/">released a critical update</a> for its Flash Player on patch Tuesday last week. The attack uses a weakness in a function called util.printd along with a heap spray implemented in JavaScript to attempt to inject shellcode.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq.png" alt="adobelq.png" title="adobelq.png" width="43" height="72" class="alignleft size-full wp-image-2086" /></a>
A critical vulnerability was discovered early this week in Adobe Reader and Acrobat versions 9.2 and earlier which could allow attackers to gain control of the affected system, not even a week after Adobe <a href="http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/">released a critical update</a> for its Flash Player on patch Tuesday last week. The attack uses a weakness in a function called util.printd along with a heap spray implemented in JavaScript to attempt to inject shellcode.</p>

<p>Adobe published <a href="http://www.adobe.com/support/security/advisories/apsa09-07.html">an advisory</a> yesterday confirming the vulnerability and plans to make an update available by January 12, 2010 to resolve the issue. In the meantime, a mitigation step is available by disabling JavaScript in Adobe Reader and Acrobat. For users with Microsoft DEP (&#8220;Data Execution Prevention&#8221;) enabled, the exploit is reduced to a denial of service attack.</p>

<p>Some <a href="http://research.zscaler.com/2009/12/new-zero-day-adobe-acrobat-reader.html">detailed analysis</a> of a malicious PDF reveals the Javascript and shows that a function called <code>util.printd</code> leads to a memory corruption issue. This <a href="http://livedocs.adobe.com/acrobat_sdk/9/Acrobat9_HTMLHelp/wwhelp/wwhimpl/common/html/wwhelp.htm?context=Acrobat9_HTMLHelp&amp;file=JS_API_AcroJS.88.1212.html">function</a> is supposed to return a date using a specified format and takes two parameters (plus a third optional parameter not typically used). The first parameter is the format of the date and time (0 for PDF, 1 for Universal, or 2 for Localized string). The second parameter is the date object submitted to format. The code shows the first parameter contains a <code>@</code> followed by a series of numbers as opposed to the expected input.</p>

<div id="attachment_2463" class="wp-caption alignnone" style="width: 669px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/adobe_utildate1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/adobe_utildate1.jpg" alt="JS heap spray and vulnerable function call." title="adobe_utildate" width="659" height="357" class="size-full wp-image-2463" /></a><p class="wp-caption-text">JS heap spray and vulnerable function call.</p></div>

<h3>Email Phishing, Malicious PDFs, and Metasploit</h3>

<p>A Metasploit exploit module has been released taking advantage of this vulnerability. The integration into Metasploit can accelerate the spread of exploits for this vulnerability in the wild. A video demonstration utilizing this module can be seen <a href="http://www.offensive-security.com/videos/adobe-0day/index.html">here</a>.</p>

<p>Examples of the phishing emails along with examples of the malicious PDF files can be found on the Contagio malware dump site <a href="http://contagiodump.blogspot.com/2009/12/this-message-shows-that-adobe-zero-day.html">here</a> and <a href="http://contagiodump.blogspot.com/2009/12/zero-day-pdf-attack-of-day-2-interview.html">here</a>. The following two emails are examples of the phishing methods used to have users open the malicious PDF files:</p>

<p><em><strong>Email One:</strong></em></p>

<pre><code>[mailto:chrisanderson58@hotmail.com]
Sent: 2009-11-30 1:56 AM
To: XXX@XXX.XXX
Subject: FW: reference
\----
From: jackr@gilbrooks.edu
To: chrisanderson58@hotmail.com
Subject: reference
Date: Mon, 30 Nov 2009 06:53:52 +0000


Dear All
Please find attached the updated country briefing notes, and staff lists.


Kind regards
Jack
</code></pre>

<p><em><strong>Email Two:</strong></em></p>

<pre><code>[mailto:fureer.angelica@gmail.com]
Sent: 2009-12-13 12:14 AM
To: XXXXXX
Subject: Interview Request


This is Fureer Angelica, diplomaic broadcaster for CNN in DC.
There's growing concern about the U.S.-North Korea bilateral talks.
So, we're planning an Interview about them.
Attached is the outline of the interview.


p.s. Detailed schedules will be followed soon if you accept the offer.
</code></pre>

<h3>Workarounds (<em>from a previous post</em>)</h3>

<h4>Disabling Javascript on Adobe Acrobat</h4>

<p>Adobe notes that disabling JavaScript mitigates the specific exploit identified, although it would be possible to create a variant that does not rely on JavaScript. To disable JavaScript in Adobe Reader or Acrobat, select Edit &gt; Preferences, select the JavaScript option on the left, and uncheck the <i>Enable Acrobat JavaScript</i> option as shown.</p>

<div id="attachment_916" class="wp-caption alignnone" style="width: 650px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/AcrobatPreferences.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/AcrobatPreferences.png" alt="Uncheck to disable Acrobat JavaScript" title="AcrobatPreferences" width="640" height="424" class="size-full wp-image-916" /></a><p class="wp-caption-text">Uncheck to disable Acrobat JavaScript</p></div>

<h4>Data Execution Prevention</h4>

<p>Also, having DEP enabled on Windows Vista or Windows 7 reduces the exploit from remote code execution to a denial of service. Data Execution Prevention (DEP) performs additional checks on memory to help prevent malicious code from running, and is designed to prevent buffer overflow attacks. To enable DEP on Windows for all or individual programs, proceed to Control Panel -&gt; System and Maintenance -&gt; System, click on Advanced System Settings, under Performance click Settings, and finally under the Data Execution Prevention tab click <i>Turn on DEP for all programs and services except those I select</i>. If you cannot find Acrobat in the list of programs, click Add, browse to the Acrobat executable (.exe) file and click Open. For more information on DEP settings, visit the <a href="http://windows.microsoft.com/en-us/windows-vista/Change-Data-Execution-Prevention-settings">Microsoft help page</a>.</p>

<h3>References</h3>

<ul>
<li><a href="http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html">Adobe PSIRT: New Adobe Reader and Acrobat Vulnerability</a></li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324">CVE-2009-4324</a></li>
<li><a href="http://research.zscaler.com/2009/12/new-zero-day-adobe-acrobat-reader.html">New Zero day Adobe Acrobat Reader vulnerability analysis</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/adobe-util-printd-zero-day/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Six Bulletins in Last Patch Tuesday of 2009</title>
		<link>http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 19:39:55 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[flash]]></category>
		<category><![CDATA[ie]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[patch tuesday]]></category>
		<category><![CDATA[updates]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2088</guid>
		<description><![CDATA[Today marks the last Microsoft patch Tuesday of 2009, and Microsoft has released patches to six bulletins:
MS09-071 &#8211; Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)
MS09-074 &#8211; Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)
MS09-072 &#8211; Cumulative Security Update for Internet Explorer (976325)
MS09-069 &#8211; Vulnerability in Local [...]]]></description>
			<content:encoded><![CDATA[<p>Today marks the last Microsoft patch Tuesday of 2009, and Microsoft has released patches to six bulletins:</p>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/image_31_3.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image_3[1]_3" border="0" alt="image_3[1]_3" src="http://praetorianprefect.com/wp-content/uploads/2009/12/image_31_3.png" width="69" height="81" /></a></p>

<ul>
<li><strong>MS09-071</strong> &#8211; Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)</li>
<li><strong>MS09-074</strong> &#8211; Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183) </li>
<li><strong>MS09-072</strong> &#8211; Cumulative Security Update for Internet Explorer (976325) </li>
<li><strong>MS09-069</strong> &#8211; Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392) </li>
<li><strong>MS09-070</strong> &#8211; Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726) </li>
<li><strong>MS09-073</strong> &#8211; Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539) </li>
</ul>

<h3>Severity Levels</h3>

<p>Microsoft has a <a href="http://www.microsoft.com/technet/security/bulletin/rating.mspx" target="_blank">rating system</a> for bulletins which includes: Critical, Important, Moderate, and Low. The severity levels I provide below are not directly from Microsoft. For example, MS will give an important rating when exploitation could result in compromise of availability, as in a denial of service. MS09-069 can result in a denial of service, however, the attacker must already be authenticated. For this reason I drop the severity to Low.</p>

<h3>Bulletin Summaries</h3>

<hr />

<p><strong>Bulletin:</strong> MS09-071<br/>
<strong>Recommended Action:</strong> Update Windows 2008 Server (32-bit and 64-bit) systems that have IAS configured to use PEAP with MS-CHAP v2 authentication.<br/>
<strong>My Severity Rating:</strong> Moderate; the above-mentioned software should be patched.</p>

<p>This update addresses two vulnerabilities in the Internet Authentication Service (IAS). One is an IAS memory corruption vulnerability and the second is an authentication bypass vulnerability in MS-CHAP authentication. Client operating systems contain the vulnerable code but do not use the components in a way that makes them exploitable.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-074<br/>
<strong>Recommended Action:</strong> Update MS Project 2000 SR-1.<br/>
<strong>My Severity Rating:</strong> Important for Project Software</p>

<p>This update addresses a vulnerability in Microsoft Project which can cause remote code execution when a specially crafted Project file is opened. Microsoft Project 2000 SR-1, Project 2002 SP1 and Project 2003 SP3 are affected.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-072<br/>
<strong>Recommended Action:</strong> Update Internet Explorer<br/>
<strong>My Severity Rating:</strong> Critical</p>

<p>This update addresses five different vulnerabilities, at least one of which affects every version of Internet Explorer. Attackers can host malicious code that leads to remote code execution on vulnerable systems. Any issue that leads to remote code execution in IE should be addressed immediately; even if you are confident you do not browse malicious sites, a known site, <a href="http://praetorianprefect.com/archives/2009/12/pentagon-web-pwned/">such as the Pentagon web site</a>, could be used to execute malicious code automatically or redirect you to it using cross-site scripting.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-069<br/>
<strong>Recommended Action:</strong> Update Windows 2000, Windows XP and Windows 2003<br/>
<strong>My Severity Rating:</strong> Low</p>

<p>A vulnerability in LSASS can cause a denial of service. The attacker must be authenticated and communicating through IPSEC.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-070<br/>
<strong>Recommended Action:</strong> Update Windows 2003 and Windows 2008 Servers<br/>
<strong>My Severity Rating:</strong> Low</p>

<p>This update addresses two vulnerabilities in Active Directory Federation Services, one which can be used to spoof an authenticated user and the second which can cause remote code execution. The spoofing requires access to a workstation and browser recently used by a targeted user and the remote code execution requires the attacker to have valid logon credentials to the vulnerable server.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-073<br/>
<strong>Recommended Action:</strong> Update Windows XP SP3 and/or Office 2003 SP3<br/>
<strong>My Severity Rating:</strong> Moderate</p>

<p>A vulnerability in the text converters in WordPad and Office can cause remote code execution. Malicious code can be hosted on a website to trigger the exploit; however, such an attempt causes a dialog box to appear prompting the user to open the file (unless the option “Always ask before opening this type of file” has been unchecked).</p>

<hr />

<h3>Adobe</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="adobe-lq" border="0" alt="adobe-lq" src="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq_thumb.png" width="47" height="76" /></a></p>

<p>Adobe has mirrored the patch Tuesday schedule of releasing patches on the first Tuesday of the month. The severity ratings also follow the same definitions as Microsoft’s.</p>

<p>Adobe has two advisories for this month:</p>

<hr />

<p><strong>Bulletin:</strong> APSA09-06<br />
<strong>Recommended Action:</strong> Update Adobe Illustrator CS4 and earlier. (Avail Jan 8)<br />
<strong>My Severity Rating:</strong> Low</p>

<p>A vulnerability in Illustrator CS4 and earlier could lead to remote code execution. The target is required to open a malicious eps file.</p>

<hr />

<p><strong>Bulletin:</strong> APSA09-17<br />
<strong>Recommended Action:</strong> Update Adobe Flash Player and Adobe AIR<br/>
<strong>My Severity Rating:</strong> Low</p>

<p>Adobe states this is a critical update and it is scheduled for release today, but does not provide details of the update.</p>

<h3>Updates</h3>

<p>Adobe has released details on the Flash Player update. The update addresses six vulnerabilities, five which can lead to remote execution and one to information disclosure. The vulnerabilities were identified in Flash Player version 10.0.32.18 and earlier.</p>

<h3>References</h3>

<ul>
<li><a href="http://www.microsoft.com/technet/security/Bulletin/MS09-dec.mspx">Microsoft&#8217;s December Bulletins</a></li>
<li><a href="http://www.adobe.com/support/security/">Adobe&#8217;s Security Advisories</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/">Turning an ATM into a Slot Machine</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Barack Obama Donations Site was Hacked…err, no it wasn’t.</title>
		<link>http://praetorianprefect.com/archives/2009/10/the-barack-obama-donations-site-was-hacked%e2%80%a6err-no-it-wasn%e2%80%99t/</link>
		<comments>http://praetorianprefect.com/archives/2009/10/the-barack-obama-donations-site-was-hacked%e2%80%a6err-no-it-wasn%e2%80%99t/#comments</comments>
		<pubDate>Tue, 27 Oct 2009 02:45:53 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[SQL Injection]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[politics]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=1170</guid>
		<description><![CDATA[This morning a security researcher identified that he was able to carry out a successful SQL Injection attack against donate.barackobama.com, the official campaign donation site of current President Barack Obama, and gain access to credentials such as user names and passwords for persons who have donated to the Obama campaign, as well as administrative user credentials. On his blog he goes on to postulate the further attack possibilities with admin access such as web site defacement, uploading phpshells, and so forth. The problem is that the researcher Unu didn’t find an SQL injection site on donate.barackobama.com, he found one on a <a href="http://www.roosevelt.edu/calendars/calendar.asp">calendar application</a> at Roosevelt University. In the process of finding out how that would be possible, a real web site vulnerability on the Obama web site reveals itself.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/barackobama_pass.JPG"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/barackobama_pass-150x150.jpg" alt="barackobama_pass" title="barackobama_pass" width="150" height="150" class="alignleft size-thumbnail wp-image-1198" /></a>This morning a security researcher identified that he was able to carry out a successful SQL Injection attack against donate.barackobama.com, the official campaign donation site of current President Barack Obama, and gain access to credentials such as user names and passwords for persons who have donated to the Obama campaign, as well as administrative user credentials. On his blog he goes on to postulate the further attack possibilities with admin access such as web site defacement, uploading phpshells, and so forth. The problem is that the researcher Unu didn’t find an SQL injection site on donate.barackobama.com, he found one on a <a href="http://www.roosevelt.edu/calendars/calendar.asp">calendar application</a> at Roosevelt University. In the process of finding out how that would be possible, a real web site vulnerability on the Obama web site reveals itself.</p>

<blockquote>
  <p>“We have a table admin. And in this table we can see that the admin passwords are in PLAIN TEXT! The website is big, with many sections, and there are 19 admins. What else we need to get full access on the website? Nothing. After we log in as admins, we can virtually do anything we want with the website: upload PHPShells, redirects, infect pages with Trojan droppers, [and even deface the whole website],” &#8211; Unu</p>
</blockquote>

<p>Speculative holes become apparent in reading the <a href="http://unu1234567.baywords.com/">blog entry</a>. The blog states, and Pangolin shows, that the database backend to the site is MS Access. Why would a professionally built web site (the site was built by a firm called <a href="http://www.bluestatedigital.com/">Blue State Digital</a>) use MS Access to store data? The Obama donation site, like the other sites built by Blue State Digital, is PHP based and appears to use the <a href="http://expressionengine.com/tutorials/">Expression Engine</a> content management system (CMS) by <a href="http://ellislab.com/">EllisLab</a>. Expression Engine uses MySQL, another inconsistency. Finally, the donate.barackobama.com web site does not have user ids and passwords; it takes contributions directly from a form the user fills out.</p>

<p><div id="attachment_1198" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/barackobama_pass.JPG"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/barackobama_pass-300x217.jpg" alt="Pangolin screenshot supposedly demonstrating SQL Injection of Obama web site." title="barackobama_pass" width="300" height="217" class="size-medium wp-image-1198" /></a><p class="wp-caption-text">Pangolin screenshot supposedly demonstrating SQL Injection of Obama web site.</p></div>
<br /><br /></p>

<p>Officials with responsibility around the web site responded similarly. Hari Sevugan of the DNC stated that “based on the number of incorrect assertions, we do not think that this information is credible. There has been no security breach”. Jascha Franklin-Hodge the CTO at Blue State Digital followed with: “After careful review, we are confident that the screenshot included in this bug does not contain any data from the barackobama.com or any other site hosted by Blue State Digital, the DNC, or Organizing for America. Microsoft Access is not used in any capacity on the barackobama.com site or servers.”</p>

<p>Not everybody agreed as of this morning. Chet Wisniewski of Sophos posted the following, based largely on Unu&#8217;s other successful exploits: <i>The Tech Herald is reporting that they have spoken to the Democratic National Committee who deny Obama&#8217;s site was hacked. This is not surprising, and I believe is also incorrect. The usernames all match up with Obama staffers and campaign staff, which if the screenshot posted by Unu was mocked up would be a lot more work than most scammers would bother with.</i> 
<br />Source: <a href="http://www.sophos.com/blogs/chetw/g/2009/10/26/obama-vulnerable-sql-injection-headline/">http://www.sophos.com/blogs/chetw/g/2009/10/26/obama-vulnerable-sql-injection-headline/</a></p>

<h3>So what site did Unu the researcher pop?</h3>

<p>Here is <a href="http://www.roosevelt.edu/calendars/iclCalendar.asp">Roosevelt University’s calendar</a>. We were led here by the keywords showing up in the Pangolin screenshot.  Fingerprinting the calendar application at Roosevelt University shows that it is an Active Server Pages application relying on an MS Access database.  Errors on the calendar application reference the MS Access ODBC driver. So we’ve found the MS Access database in question. One of the admin accounts in the screenshots is id: webmaster pw: calAdmin…, or calendar administrator. Looking at the calendar itself on the Roosevelt U web site, the abbreviation CCL shows up, standing for “Center for Campus Life”.  Looking again at the list of ids, there is a cclschadmin, likely Center for Campus Life scheduling administrator or something similar.</p>

<h3>Why did Unu start at one site and end up popping another?</h3>

<p>Google cache provides us the answer.</p>

<p><div id="attachment_1205" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/google_ru.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/google_ru-300x54.jpg" alt="How the sites are linked." title="google_ru" width="300" height="54" class="size-medium wp-image-1205" /></a><p class="wp-caption-text">How the sites are linked.</p></div>
<br />
Until Blue State Digital fixed it to permit only a specific allow list of hosts, the following URL was valid. The URL loads whatever page follows the /smartproxy/ subdirectory.
<br /><br />

https://donate.barackobama.com/page/smartproxy/www.roosevelt.edu/calendars/iclCalendar.asp

<br /><br />
This not-so-smart redirect function is perhaps in place to allow webmasters to code pages that refer to resources like images, etc. without having to worry about content hosted on secure (with an SSL certificate) versus insecure web servers and the browser error messages that come up with mixed content. Or it may simply be there to capture click metrics when people leave the site for outside resources. There are a number of reasons people set up such site redirects. Regardless, a web site should almost never allow a user to fill in where the site will redirect to under its own domain. We’ll get into why in the next section.
There is a common resource referenced in /home/bsdrelease/framework called smartproxy.inc.php. This is identifiable because some of the sites created by Blue State Digital (presumably the /bsd in the path) output their PHP errors, as shown below:</p>

<p><div id="attachment_1203" class="wp-caption alignnone" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/10/dccorg.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/10/dccorg-300x198.jpg" alt="Identifying the SmartProxy code as common to all web sites by Blue State Digital" title="dccorg" width="300" height="198" class="size-medium wp-image-1203" /></a><p class="wp-caption-text">Identifying the SmartProxy code as common to all web sites by Blue State Digital</p></div>
<br />
This allows us to identify other web sites with the same architecture. A quick Google search for /bsdrelease/framework brings up dccc.org, onewisconsinnow.org, udallforcolorado.com, progressivebookclub.com, progressnowcolorado.org, and other Democrat-affiliated web sites. So any problem identified in one web site will likely work on the other web sites using the same common code base. On production web sites, PHP’s error reporting should be turned off.</p>

<h3>So what’s the vulnerability?</h3>

<p>It is not nearly as headline grabbing as the potential to steal login credentials from Obama donors, but until it was corrected at some point recently, the ability to redirect to any web site from donate.barackobama.com or any of the other sites mentioned above was not a good thing. Why?</p>

<p>First, it is a common technique of phishers or anyone attempting to get users to input information at a URL to try to make the domain look as legitimate as possible. When a bad actor can send out e-mails that are prefaced with the actual Obama donation site URL, but actually load any other web site to accept information, it makes masquerading as a legitimate web site that much easier.</p>

<p>Second and more important though is that the cookies from any of these web sites can be read by the site that is redirected to, because according to the browser you are still under donate.barackobama.com. On sites that don’t have credentials, like the donate site, this is not really an issue. But other sites in the family, such as my.barackobama.com do accept user registrations, and have login/password authentication.  A cookie called PHPSESSID is set. If a bad actor can get a user to click on a link under the my.barackobama.com domain that actually redirects to his web site, he can read this session cookie, set it himself, and be logged in as that user on the barackobama.com web site. How hard would it be to get logged in users on the site to click a link? You are allowed to set up a blog on the web site, write one story and direct people to a link in the story.</p>

<p>At one point last year, you would not even have had to do that: the community blogs section of the site was redirecting to Hillary Clinton’s web site because of a vulnerability where HTML characters were allowed in the blog entries. This allowed a bad actor to inject JavaScript into the pages, which would be executed as part of the page load by subsequent users. The JavaScript included a redirect, and Barack Obama was now advertising for Hillary Clinton based apparently on the actions of a mischievous Illinoisan.</p>

<h3>Want to try reading your my.barackobama.com session cookie on another web site?</h3>

<p>Create an id at my.barackobama.com. Force the site to redirect using the /smartproxy/ path, for example: http://my.barackobama.com/page/smartproxy/www.google.com. You’re now on Google, but check out what cookies you can read. There are a number of ways to do this, but here is an easy one, a JavaScript bookmarklet:</p>

<pre><code>&lt;a href="javascript:(function(){x=window.open();
x.document.write('%3Cht'+'ml%3E%3Che'+'ad%3E%3Ctitle%3EDisplay%20Cookies%3C/title%3E%3C/he'+'ad%3E%3Cbo'+'dy%3E');
if%20(document.cookie%20==%20'')%20x.document.write('No%20Cookies%20Found');
%20else%20{thisCookie%20=%20document.cookie.split(';%20');
%20for%20(i=0;%20i%3CthisCookie.length;%20i++)%20{x.document.write(thisCookie[i]%20+%20'%3Cbr%20/%3E');}}
x.document.write('%3C/bo'+'dy%3E%3C/ht'+'ml%3E');x.document.close();})()"&gt;Display Cookies&lt;/a&gt;
</code></pre>

<p>To add the bookmarklet, right click on <a href="javascript:(function(){x=window.open();
x.document.write('%3Cht'+'ml%3E%3Che'+'ad%3E%3Ctitle%3EDisplay%20Cookies%3C/title%3E%3C/he'+'ad%3E%3Cbo'+'dy%3E');
if%20(document.cookie%20==%20'')%20x.document.write('No%20Cookies%20Found');
%20else%20{thisCookie%20=%20document.cookie.split(';%20');
%20for%20(i=0;%20i%3CthisCookie.length;%20i++)%20{x.document.write(thisCookie[i]%20+%20'%3Cbr%20/%3E');}}
x.document.write('%3C/bo'+'dy%3E%3C/ht'+'ml%3E');x.document.close();})()">this link</a> and select Add to Favorites or Bookmark this Link. When on the redirected Google site, click the bookmark you’ve created; you should see your PHPSESSID from the my.barackobama.com web site.</p>

<p>This problem now appears to be fixed for the most part.  <a href="https://donate.barackobama.com/page/smartproxy/www.google.com">Google as a redirect still works</a>, but many other sites at this point will not, producing the following error:</p>

<pre><code>ERROR: attempt to proxy page from a host not on the allow list. access denied.
</code></pre>

<p>This would indicate that a white list of allowed hosts has been set up.</p>
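<p>As an added example, not Blue State Digital's own code (which the post does not show), here is the allow-list check that the error message above implies, for a request path of the form /page/smartproxy/&lt;host&gt;/&lt;path&gt;, placed beside the naive prefix match that a look-alike host name slips past. The allowed host set is a constructed assumption; the post only shows that www.google.com remained permitted.</p>

```python
# Constructed allow list for this example. The page does not list the hosts
# Blue State Digital actually permitted; it only notes that www.google.com
# still worked after the fix.
ALLOWED_HOSTS = {"www.google.com"}

# Error text quoted on the page for a denied host.
DENIED = "ERROR: attempt to proxy page from a host not on the allow list. access denied."

PREFIX = "/page/smartproxy/"


def proxy_target(path):
    """Split /page/smartproxy/<host>/<rest> into (host, '/<rest>').
    Returns None when the path is not a smartproxy request at all."""
    if not path.startswith(PREFIX):
        return None
    host, _, rest = path[len(PREFIX):].partition("/")
    return host, "/" + rest


def naive_host_is_allowed(host, allowed=ALLOWED_HOSTS):
    """A prefix match, the kind of check that looks right and is not:
    'www.google.com.evil.example' passes because it starts with an allowed name."""
    return any(host.startswith(a) for a in allowed)


def host_is_allowed(host, allowed=ALLOWED_HOSTS):
    """Exact, case-insensitive match on a bare host name. Anything that is
    not a bare host name is refused outright: user-info ('@'), a port or
    scheme (':'), path, query or backslash characters, or an empty segment.
    If the proxy later prepends 'http://', 'www.google.com@evil.example'
    would otherwise fetch from evil.example with www.google.com as user name."""
    h = host.strip().rstrip(".").lower()
    if not h or any(c in h for c in "@:/\\?#"):
        return False
    return h in {a.lower() for a in allowed}


def smartproxy_decision(path, allowed=ALLOWED_HOSTS):
    """What the fixed proxy should do with a request path:
    ('proxy', host, rest) for an allowed host, ('deny', DENIED) otherwise,
    ('not-a-proxy-request',) when the path is something else."""
    target = proxy_target(path)
    if target is None:
        return ("not-a-proxy-request",)
    host, rest = target
    if host_is_allowed(host, allowed):
        return ("proxy", host, rest)
    return ("deny", DENIED)


if __name__ == "__main__":
    for p in ("/page/smartproxy/www.google.com/",
              "/page/smartproxy/www.roosevelt.edu/calendars/iclCalendar.asp",
              "/page/smartproxy/www.google.com.evil.example/",
              "/page/smartproxy/www.google.com@evil.example/"):
        print(p, "->", smartproxy_decision(p))
```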

<h3>Not the Same Server</h3>

<p>The Tech Herald reported the following earlier today:</p>

<p><i>“Unu has apparently accessed a database on the same server that is unrelated to President Obama’s site…If so, we asked why an SQLi from President Obama’s site allowed access to the Access database…While this is pure speculation on our part, perhaps the DNC is correct. It is possible that Unu has in fact accessed the database for a different site entirely that resides on the same server” </i></p>

<p>Source: <a href="http://www.thetechherald.com/article.php/200944/4682/Researcher-discloses-SQL-Injection-flaw-on-barackobama-com">http://www.thetechherald.com/article.php/200944/4682/Researcher-discloses-SQL-Injection-flaw-on-barackobama-com</a></p>

<p>The Roosevelt University website is hosted in Englewood, Colorado by NTT America; the Barack Obama donation website is hosted in Washington, D.C. by Internap Network Services on behalf of Blue State Digital. The web sites are not hosted on the same server.</p>

<h3>Who’s Unu?</h3>

<p>Unu, apparently from Bucuresti, Romania, says that for him penetration testing and finding vulnerabilities is a hobby and a passion. His blog, a testament to the results of his hobby, is a compilation of the results of successful SQL Injection attacks against web sites like BNP Paribas, Credit Agricole in France, Royal Bank of Scotland’s WorldPay, Poste Italiane (the Italian Postal Service) and others, as well as examples of successful parameter manipulation and other web application vulnerabilities. He appears to practice a version of responsible disclosure in that he has notified the organizations mentioned on the blog and explained the problems. <a href="http://unu1234567.baywords.com/">His blog</a>, and its disclosures, are interesting reading for the security professional and thus we encourage you to have a look.</p>

<p>The site he publishes to is hosted on <a href="http://baywords.com/">Baywords</a>, a blog platform notable in that it was formed to combat what it sees as censorship by other platforms such as WordPress (the platform founders state they set up the service after a friend of theirs was closed down by WordPress for a TOS violation).</p>

<h3>What is Pangolin?</h3>

<p>Pangolin is an automated SQL Injection tool developed by NOSEC ostensibly to assist in penetration testing. The tool can be used to detect SQL injection vulnerabilities on a web application, and upon detection allow the user to perform certain operations such as DBMS fingerprinting, retrieving user ids and hashes, dump tables, run SQL statements, and so forth. NOSEC is a web site hosted by a firm now called Connaught Cup in Shenzhen, China.</p>

<h3>What is SQL Injection?</h3>

<p>SQL Injection is basically a code injection technique that gets an SQL query to execute differently than intended, using data entered into a field on the client and passed on to the application. For example, let&#8217;s say we have a piece of code like this:</p>

<pre><code>SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password'
</code></pre>

<p>The values of $username and $password come from the browser. Our user normally logs in by entering John as the user id and 'Password1' as his password (he shouldn&#8217;t have a weak password like that, but he does). The database runs the query with $username = John and checks that password = Password1. The password comparison evaluates as true, a row is returned, and the web application authenticates, or logs in, the user.</p>

<p>A bad actor comes along and inputs John as the user id, but instead of a password he fills in <i>anything' OR 'x'='x</i>. Let&#8217;s see how our code evaluates this:</p>

<pre><code>SELECT id
FROM logins
WHERE username = 'John'
AND password = 'anything' OR 'x'='x'
</code></pre>

<p>Now the password check is satisfied no matter what was typed, not just when the password is actually the correct one. That&#8217;s because we&#8217;ve changed the structure of the query: since AND binds more tightly than OR, the WHERE clause now reads (username = 'John' AND password = 'anything') OR 'x'='x'. x will always equal x, they are equivalent values, so the whole condition is true for every row, a row comes back, and the web application authenticates the user even though a proper password was never supplied.</p>

<p>SQL Injections in practice get much more complex than this, but the basic premise remains the same: get the web application to execute a SQL query in a way unanticipated by the web site&#8217;s developers in order to make the application reveal information or perform a database action.</p>
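<p>An added example, not from the original post: the login query above run against an in-memory SQLite table, once built by string interpolation (the vulnerable form described) and once with bound parameters, so the effect of the <i>anything' OR 'x'='x</i> input can be seen directly. The contents of the logins table are constructed sample data.</p>

```python
import sqlite3

# Constructed sample data: the page's "logins" table with user John and the
# deliberately weak password Password1 (stored in plain text, as the Access
# database on the page also did; that is a second problem, not addressed here).
SAMPLE_LOGINS = [(1, "John", "Password1"), (2, "alice", "Tr0ub4dor-3")]


def make_db():
    """Create an in-memory SQLite database holding the sample logins table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", SAMPLE_LOGINS)
    return conn


def build_query(username, password):
    """The query exactly as the page shows it, with $username and $password
    pasted into the SQL text. Kept separate so the resulting SQL can be seen."""
    return (
        "SELECT id FROM logins "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def vulnerable_login(conn, username, password):
    """Authenticate by string interpolation: returns the matched id, or None.
    User input becomes part of the SQL, so a quote in it changes the query's
    structure; AND binds tighter than OR, so  anything' OR 'x'='x  makes the
    WHERE clause true for every row and the first row's id comes back."""
    row = conn.execute(build_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same lookup with bound parameters: the driver passes the input as data,
    so a quote inside it is compared literally and never parsed as SQL."""
    sql = "SELECT id FROM logins WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "anything' OR 'x'='x"
    print(build_query("nobody", payload))
    print("vulnerable:", vulnerable_login(db, "nobody", payload))  # 1: logged in as John
    print("parameterised:", safe_login(db, "nobody", payload))     # None: rejected
```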

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/">Turning an ATM into a Slot Machine</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/10/the-barack-obama-donations-site-was-hacked%e2%80%a6err-no-it-wasn%e2%80%99t/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Microsoft Video ActiveX Control Vulnerability</title>
		<link>http://praetorianprefect.com/archives/2009/07/microsoft-video-activex-control-vulnerability/</link>
		<comments>http://praetorianprefect.com/archives/2009/07/microsoft-video-activex-control-vulnerability/#comments</comments>
		<pubDate>Wed, 08 Jul 2009 06:04:23 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[ActiveX]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=319</guid>
		<description><![CDATA[Microsoft is recommending setting the kill bit for an ActiveX control object, MPEG2TuneRequest, to avoid an in the wild zero day exploit that allows for remote code execution when a web site containing the exploit is browsed by a user with Internet Explorer.]]></description>
			<content:encoded><![CDATA[<p>Microsoft is recommending setting the kill bit for an ActiveX control object, MPEG2TuneRequest, to avoid an in-the-wild zero day exploit that allows for remote code execution when a web site containing the exploit is browsed by a user with Internet Explorer. No user interaction is required for the exploit to be successful once a web site hosting the exploit is accessed in the Internet Explorer web browser, and any resultant exploit code runs with the same rights as the local user (so for a user running as admin, the exploit code runs in an admin context). This control is reported by Microsoft as having no legitimate use by IE, and thus there is no reason to wait for a Microsoft patch to disable it.</p>

<h4>Background</h4>

<p>The news hit the web at large on July 6th when Microsoft released advisory <a href="http://www.microsoft.com/technet/security/advisory/972890.mspx">972890</a>. IBM ISS, however, reports the first known exploit on June 11th. The vulnerability, discovered by researchers Alex Wheeler and Ryan Smith (ISS employees at the time), was first reported to Microsoft in 2008, which has sparked criticism from at least one reporter covering the IT marketplace: <a href="http://www.eweek.com/c/a/Security/Was-Microsoft-Slow-to-Patch-Video-ActiveX-Vulnerability-130458/?kc=rss">eWeek’s Brian Prince</a>. The problem has been present since IE version 6, SP1.</p>

<h4>Exploit Details</h4>

<p>The exploit is <a href="http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activex-control-object-in-msvidctl-dll.aspx">described</a> by MSRC Engineer Chengyun Chu as a “browse and get owned attack vector”. Once the user navigates to a web site purposely hosting the exploit, or a web site that has been compromised to host the exploit, no further user interaction is required. Examples in the wild (approximately 967 Chinese web sites <a href="http://blog.trendmicro.com/zero-day-microsoft-directshow-mpeg2tunerequest-exploit-leads-to-killav-malware/">according</a> to Trend Micro) have been reported as using both .gif and .jpg files containing the exploit. Trend Micro found web sites that redirect the user multiple times, eventually loading a .jpg file with the exploit, which upon success loads malware called WORM_KILLAV.AI. This malware, as its name suggests, terminates antivirus software processes and loads additional malicious code.</p>

<p>The exploit is based on an overflow condition that is created in the msvidctl.dll library when a crafted file is provided as input, causing a handler to be overwritten which then points to the exploit’s shell code, already loaded in the memory heap via <a href="http://en.wikipedia.org/wiki/Heap_spraying">heap spraying</a>. The object that accepts the crafted input, BDATuner.MPEG2TuneRequest.1, is associated with CLSID 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF, and thus this is the primary CLSID for which a kill bit needs to be set. Microsoft however recommends setting the kill bit for all of the ActiveX Control Objects hosted by msvidctl.dll.</p>

<p>As security vendors such as Symantec, ISS, and others are aware of the problem, antivirus and IDS signatures are either available or forthcoming.</p>

<h4>Work Around Details</h4>

<p>Microsoft provides an automated <a href="http://go.microsoft.com/?linkid=9672398">Fix it</a> which disables attempts to instantiate the COM object in Internet Explorer by setting the kill bit for the control in the registry. This involves adding a DWORD value under 45 registry keys representing the Class Identifiers that relate to the Microsoft Video ActiveX Control. More information can be found in the <a href="http://www.microsoft.com/technet/security/advisory/972890.mspx">security advisory</a>.</p>

<p>To implement the workaround on a single computer, you can manually enter the DWORD value 1024 (0x00000400) for each of the 45 class IDs or launch this <a href="http://praetorianprefect.com/wp-content/uploads/2009/07/kb972890.txt">reg file</a> with the values.</p>

<p>For an enterprise environment, you have two options to deploy this workaround to your workstations. First, through the use of a computer startup script, you can add the execution of a <a href="http://praetorianprefect.com/wp-content/uploads/2009/07/kb972890.txt">reg file</a> with the values for computers to launch at startup. The second option is to add a custom ADM file to a group policy object which is applied to your workstations. Which option to choose depends on preference and your environment.</p>

<h4>Computer Start-up Script</h4>

<p>You may already have a group policy with a computer startup script enabled. Add a line that imports this <a href="http://praetorianprefect.com/wp-content/uploads/2009/07/kb972890.txt">reg file</a> silently (regedit&#8217;s /s switch). A computer startup script is preferred because a user logon script runs in the user&#8217;s context, and the user may not have permission to modify keys under HKEY_LOCAL_MACHINE. You can find more information on configuring computer startup scripts <a href="http://technet.microsoft.com/en-us/library/cc779329(WS.10).aspx">here</a>.</p>

<h4>Custom ADM File in Group Policy</h4>

<p>The challenge with an ADM file for this particular workaround is that each class ID to be modified is a separate key in the registry rather than a value under one key. So instead of a single configuration entry in a group policy object that would set every value, you need one policy entry per key. Fortunately, the legwork has been done in this <a href="http://praetorianprefect.com/wp-content/uploads/2009/07/kb972890.adm">example custom ADM file</a>, which you can cut and paste into a larger file you may already have.</p>

<p>Save the file where your GPO editor can browse to it. In Computer Configuration, Administrative Templates, right-click and select Add/Remove Templates. Once you add the template, you&#8217;ll have to ensure your filtering is set up to show &#8220;unmanaged&#8221; policies, which are custom ADM entries that write outside the Policies keys and therefore tattoo the registry: the values persist even after the GPO is unlinked. Under Filtering in your GPO editor, uncheck the option as shown:</p>

<div id="attachment_374" class="wp-caption alignnone" style="width: 393px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/07/gpedit23.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/07/gpedit23.jpg" alt="gpedit" title="gpedit23" width="383" height="370" class="size-full wp-image-374" /></a><p class="wp-caption-text">gpedit</p></div>

<p>Once the ADM is added, and the filter option is cleared, you will see the configuration entries for the Microsoft Video ActiveX kill bit. Set them all to Enabled as shown:</p>

<div id="attachment_377" class="wp-caption alignnone" style="width: 642px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/07/gpedit3.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/07/gpedit3.jpg" alt="gpedit" title="gpedit3" width="632" height="507" class="size-full wp-image-377" /></a><p class="wp-caption-text">gpedit</p></div>

<p>Once you link the policy to all of your Windows XP and Windows Server 2003 computers, the workaround is in place. Because these entries tattoo the registry, removing or unlinking the GPO later will not clear the kill bits; that has to be done explicitly.</p>
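<p>As an added example (not the post&#8217;s own ADM file), the script below generates a custom ADM template of the kind described in this section: one Enabled/Disabled policy per CLSID, because each kill bit lives under its own registry key, with the display strings kept in a [strings] section. The CLSID array is a parameter; the single entry used in the usage line is the MPEG2TuneRequest CLSID from the advisory, and the remaining CLSIDs would be taken from the advisory or the linked reg file. The output path is an assumption.</p>

```powershell
# Added example, not the post's ADM file. Emits an ADM template with one policy
# per CLSID (each kill bit is its own registry key, so one entry cannot cover
# them all). Assumptions: the CLSID list passed in and the output path.

function New-KillBitAdm {
    param(
        [Parameter(Mandatory=$true)][string[]]$Clsid,
        [string]$Category = 'Microsoft Video ActiveX Kill Bit (KB972890)'
    )
    $body    = @('CLASS MACHINE', 'CATEGORY !!KB972890_Category')
    $strings = @('[strings]', "KB972890_Category=`"$Category`"")
    $i = 0
    foreach ($c in $Clsid) {
        $i++
        $guid = '{' + ($c -replace '[{}]', '').ToUpper() + '}'
        $body += "  POLICY !!KB972890_Policy$i"
        # KEYNAME is relative to HKLM and sits outside the Policies branch, so the
        # entry shows up as "unmanaged" in the editor and tattoos the registry.
        $body += "    KEYNAME `"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$guid`""
        $body += "    EXPLAIN !!KB972890_Explain$i"
        $body += '    VALUENAME "Compatibility Flags"'
        $body += '    VALUEON NUMERIC 1024'    # Enabled  -> Compatibility Flags = 0x400 (kill bit)
        $body += '    VALUEOFF NUMERIC 0'      # Disabled -> value written as 0; Not Configured leaves the key alone
        $body += '  END POLICY'
        $strings += "KB972890_Policy$i=`"Kill bit for $guid`""
        $strings += "KB972890_Explain$i=`"Sets Compatibility Flags to 0x400 (1024) so Internet Explorer will not instantiate msvidctl.dll control $guid.`""
    }
    $body += 'END CATEGORY'
    # ADM files are plain text: policy body, blank line, then the [strings] table.
    ($body + '' + $strings) -join "`r`n"
}

# Usage: write the template as ANSI text, then load it via Add/Remove Templates.
# Only the MPEG2TuneRequest CLSID is listed here; append the other 44 from the advisory.
$clsids = @('0955AC62-BF2E-4CBA-A2B9-A63F772D46CF')
New-KillBitAdm -Clsid $clsids | Set-Content -Path 'C:\Temp\kb972890.adm' -Encoding Ascii
```

<p>Setting VALUEOFF to 0 means that choosing Disabled overwrites any other compatibility bits on that key; if that matters in your environment, omit the VALUEOFF line so that Disabled deletes the value instead.</p>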

<h4>ActiveX</h4>

<p>ActiveX, while largely associated with Internet browsing, is not a program that runs inside the browser but rather a COM-based component technology used throughout the Windows operating system. Only Windows XP and certain configurations of Windows Server 2003 are affected; a similar control exists in Windows Vista and Windows Server 2008, but it is not vulnerable.</p>

<h4>Example Exploits</h4>

<p>Both of the following links provide example exploit code:</p>

<ul>
<li><a href="http://www.rec-sec.com/2009/07/06/ms-directshow-msvidctl-exploit/">http://www.rec-sec.com/2009/07/06/ms-directshow-msvidctl-exploit/</a></li>
<li><a href="http://www.csis.dk/en/news/news.asp?tekstID=799">http://www.csis.dk/en/news/news.asp?tekstID=799</a></li>
</ul>

<h4>References</h4>

<ul>
<li><a href="http://www.microsoft.com/technet/security/advisory/972890.mspx">Microsoft Security Advisory (972890)</a></li>
<li><a href="http://blog.trendmicro.com/zero-day-microsoft-directshow-mpeg2tunerequest-exploit-leads-to-killav-malware/">Zero-day MPEG2TuneRequest Exploit Leads to KILLAV</a></li>
<li><a href="http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activex-control-object-in-msvidctl-dll.aspx">Microsoft Security Research &amp; Defense</a></li>
<li><a href="http://www.symantec.com/connect/blogs/another-unpatched-vulnerability-being-massively-exploited-internet-explorer">Another Unpatched Vulnerability is Being Massively Exploited via Internet Explorer</a></li>
</ul>

<h4>Vulnerability Cross Reference</h4>

<ul>
<li><a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0015">CVE-2008-0015</a></li>
<li>Bugtraq ID: <a href="http://www.securityfocus.com/bid/35558">35558</a></li>
<li>US-CERT Cyber Security Alert: <a href="http://www.us-cert.gov/cas/techalerts/TA09-187A.html">TA09-187A</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/07/turning-an-atm-into-a-slot-machine/">Turning an ATM into a Slot Machine</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/07/microsoft-video-activex-control-vulnerability/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
