<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Praetorian Prefect &#187; Internet Explorer</title>
	<atom:link href="http://praetorianprefect.com/archives/tag/internet-explorer/feed/" rel="self" type="application/rss+xml" />
	<link>http://praetorianprefect.com</link>
	<description>Information security, a little slower...a little deeper</description>
	<lastBuildDate>Thu, 29 Jul 2010 16:38:31 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>IEPeers &#8211; A New Internet Explorer Zero Day Vulnerability</title>
		<link>http://praetorianprefect.com/archives/2010/03/iepeers-a-new-internet-explorer-zero-day-vulnerability/</link>
		<comments>http://praetorianprefect.com/archives/2010/03/iepeers-a-new-internet-explorer-zero-day-vulnerability/#comments</comments>
		<pubDate>Wed, 10 Mar 2010 23:01:30 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Remote Exploit]]></category>
		<category><![CDATA[aurora]]></category>
		<category><![CDATA[drive by download]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3511</guid>
		<description><![CDATA[We posted an aside yesterday referencing <a href="http://blogs.technet.com/msrc/archive/2010/03/09/security-advisory-981374-released.aspx">Microsoft's recent blog post</a> for <a href="http://www.microsoft.com/technet/security/advisory/981374.mspx">new security advisory 981374</a> referencing a new zero day vulnerability in Internet Explorer versions 6 and 7. New details have emerged since, and the exploit has moved from being what was described as part of "limited targeted attacks" to being widely accessible and <a href="http://www.rec-sec.com/exploits/msf/ie_iepeers_pointer.rb">available as a new module for the Metasploit framework</a>.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/ie_burning.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/ie_burning-150x150.jpg" alt="ie_burning" title="ie_burning" width="150" height="150" class="alignleft size-thumbnail wp-image-3526" /></a></p>

<p>We posted an aside yesterday citing <a href="http://blogs.technet.com/msrc/archive/2010/03/09/security-advisory-981374-released.aspx">Microsoft&#8217;s recent blog post</a> for <a href="http://www.microsoft.com/technet/security/advisory/981374.mspx">new security advisory 981374</a> referencing a new zero day vulnerability in Internet Explorer versions 6 and 7. New details have emerged since, and the exploit has moved from being what was described as part of &#8220;limited targeted attacks&#8221; to being widely accessible and <a href="http://www.rec-sec.com/exploits/msf/ie_iepeers_pointer.rb">available as a new module for the Metasploit framework</a>.</p>

<p>The major concern as always with vulnerabilities like this one is that the user needs only to visit a web site hosting the exploit to have their computer infected (there is no visible sign of a download or other user interaction required).</p>

<p>The vulnerability is a use after free vulnerability (memory is deallocated but then later accessed causing unexpected results such as a crash or arbitrary code execution) where an invalid reference is made to a freed pointer in the file iepeers.dll. This type of code error is fairly common; this is the second major instance of this type of error in Internet Explorer recently (with the well publicized <a href="http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/">&#8216;Google Aurora&#8217; attack</a> being associated with a similar type of code defect in the popular browser).</p>

<p>In terms of impact, together these two versions of IE account for approximately 20% of the browser market share. Microsoft has referenced protected mode, enabling Data Execution Prevention (DEP), and not running as a high privilege user (admin) as possible mitigating steps. While these are always a good idea, we&#8217;ve seen in the past methods that allow both DEP and protected mode to be bypassed. In terms of user privileges, it&#8217;s never a good idea to browse the Internet as a high privilege user; however, privilege escalation vulnerabilities can be employed by the attacker once access is gained to the computer. The net of this is that the most effective mitigations available are, if you are very concerned, to temporarily use a different browser, and for Microsoft to make a patch available in a timely manner.</p>

<h3>The Exploit</h3>

<p>As <a href="http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/">provided by Trancer</a> (Moshe Ben Abu) with modifications to the original that deobfuscate portions of code and remove the malware payload:</p>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/ie_peers.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/ie_peers.jpg" alt="ie_peers" title="ie_peers" width="751" height="518" class="alignnone size-full wp-image-3598" /></a>
<br /></p>

<h3>The Attack</h3>

<p>The specific attack noticed on a web site (now down) called Topix21century.com occurs as follows:</p>

<ul>
<li>A user visits the web site, and a file called notes.exe or svohost.exe is downloaded and executed (drive by download).</li>
<li>This executable creates two copies of itself in the /temp directory and drops a .dll file which is then injected into the process for Internet Explorer, providing back door remote access to the computer for the attacker.</li>
<li>Once the attacker is in the system, he or she can perform actions as the user including attempting to escalate privileges, downloading files, etc.</li>
<li>Activity was noted by McAfee where the infected system attempts to create an SSL connection to communicate with the domain: notes.topix21century.com.</li>
</ul>

<h3>Topix21century.com</h3>

<p>The only references to this topix21century.com site we noted are links in Japanese language forums referencing pictures of women in the Japanese Self-Defense Force.</p>

<p>The site is hosted on ISP GoDaddy; a geolocation lookup on the IP (68.178.232.100) shows a location of Scottsdale, Arizona.</p>

<p>The whois for the site hosting the exploit is as follows:</p>

<pre><code>Registrant:
   jack lee
   13block
   LA, California 55462
   United States

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: TOPIX21CENTURY.COM
      Created on: 06-Mar-10
      Expires on: 06-Mar-11
      Last Updated on: 06-Mar-10

   Administrative Contact:
      lee, jack  robertwanger@aol.com
      13block
      LA, California 55462
      United States
      (818) 581-6872      Fax -- 

   Technical Contact:
      lee, jack  robertwanger@aol.com
      13block
      LA, California 55462
      United States
      (818) 581-6872      Fax -- 

   Domain servers in listed order:
      NS17.DOMAINCONTROL.COM
      NS18.DOMAINCONTROL.COM
</code></pre>

<p>A similar registrar entry is listed for the domain hotgreenlight.com, currently a parked domain:</p>

<pre><code>Registrant:
   thomason lee
   12block
   LA, California 95512
   United States

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: HOTGREENLIGHT.COM
      Created on: 18-Dec-09
      Expires on: 18-Dec-10
      Last Updated on: 18-Dec-09

   Administrative Contact:
      lee, thomason  robert.wanger@hotmail.com
      12block
      LA, California 95512
      United States
      (626) 395-6544      Fax -- 

   Technical Contact:
      lee, thomason  robert.wanger@hotmail.com
      12block
      LA, California 95512
      United States
      (626) 395-6544      Fax -- 

   Domain servers in listed order:
      NS61.DOMAINCONTROL.COM
      NS62.DOMAINCONTROL.COM
</code></pre>

<h3>McAfee and Blame? (Update 03/11)</h3>

<p>For some silly reason, McAfee Labs is eating some blame over being transparent and informative in their Avert Labs post on Tuesday. When Israeli security researcher Moshe Ben Abu (who is a legitimate security researcher, not some shadowy underworld black hat) noticed the post had a URL reference to Topix21century.com, he went and had a look at the site, analyzed how the exploit worked, and made a contribution to the Metasploit project detailing how the exploit functions.</p>

<p>Or put another way, he analyzed <b>an existing exploit being used by attackers</b> and took the time to explain it. He didn&#8217;t invent it, use it to compromise computers, or any other related black hat activity. Some will argue that he amplified its effect, something that would require an entire blog post to dispute, so we won&#8217;t get into it here.</p>

<p>Ryan Naraine highlights this flow, but passes no judgment on it in an article on <a href="http://blogs.zdnet.com/security/?p=5666">ZD Net</a>. Unfortunately fellow CNET journalist Elinor Mills <a href="http://news.cnet.com/8301-27080_3-10467673-245.html">takes it a step further</a>, suggesting by inference (by asking McAfee to &#8220;respond&#8221;) that the anti-virus company has some culpability here, to which McAfee responded:</p>

<p><i>&#8220;McAfee Labs does not support the release of exploit code, particularly in advance of a security patch being made available. We regularly sanitize blog content to prevent providing information that might assist attackers, while at the same time providing a service to customers and the security community to help improve protection levels,&#8221; the spokesman said in a statement via e-mail. &#8220;The post in question did not contain enough information to directly lead anyone to exploit code. However, we regret that in this unique situation the post did contain details that may have given exploit writers a starting point to hunt for exploit code. Future blog posts will be subject to additional sanitization.&#8221;</i></p>

<p>Such &#8220;sanitization&#8221;, a great Orwellian word, means that blog posts will be slower to publish (going through further &#8216;review&#8217; cycles) and contain a less complete picture of what has happened. Interestingly, since McAfee does not have the Amazing Kreskin working for them, they get information like everyone else, by having customers or related parties share it with them (presumably in un-sanitized form).</p>

<p>For anyone who hangs around in black/gray hat discussion forums, you don&#8217;t see Plato&#8217;s dialogues going on in there, but you do note that the yin side of the information security paradigm is pretty good at disseminating vulnerability information post discovery.</p>

<p>Worse yet, the response is contradictory, stating on one hand that the information in the post was appropriate and did not assist &#8220;attackers&#8221; (Abu is still not an attacker, so assuming they mean groups working off the Metasploit module), but then reversing itself and saying they regret the post and will &#8216;sanitize&#8217; more in the future.</p>

<p>The problem is that the analysis of the exploit had a lot more to do with the analytical talent of Abu and not a whole lot to do with the somewhat refreshing transparency that has marked McAfee&#8217;s blogs since the Google Aurora incident. Unfortunately, looking at the response above, this period of valuable content may be at a corporate-censored end.</p>

<p>Further, as Abu himself points out, he would have found the exploit code anyway regardless of any McAfee post.</p>

<h3>Finally</h3>

<p>The timing of this could be better for Microsoft, in that this closely follows the Aurora incident with Google that played out so publicly, and the defect is a nearly identical type of problem. That said, the saving grace for Microsoft in the retail market is that the IE 8 code is stated to not be affected, and Redmond would prefer you upgrade to the latest and greatest anyway.</p>

<p>The anti-virus vendors largely have the original payload on this one figured out, but unfortunately the payload can be changed as the infection vector is the thing to worry about. For that to be corrected, Microsoft will have to issue a patch.  You do have the option of temporarily using another browser, or alternatively upgrading to IE version 8, which is currently reported to not be affected.</p>

<p>This advice is reasonable for the home user, however upgrading the browser on a large corporate network is no small thing. For that reason we advise waiting for the patch, and applying it within a shortened cycle, as in terms of vulnerabilities, remote browser exploits that require no user interaction are somewhat critical problems. As always, users should avoid links to sites they&#8217;re not familiar with, but in practice this is very difficult as almost everyone is susceptible to some form of an effective social engineering trick (a targeted phishing e-mail or IM seemingly from a friend and so forth).</p>

<p>Regarding the tempest in a teapot around the McAfee Avert Labs blog post by Craig Schmugar and the responses of a tired drumbeat of worn out points around responsible disclosure, it&#8217;s time for some in the security industry to grow up a little bit. Transparency and the near free flow of shared information are the only way the defensive side of information security can hope to catch up to the attackers.</p>

<h3>References</h3>

<ul>
<li><a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806">CVE-2010-0806</a></li>
<li><a href="http://osvdb.org/show/osvdb/62810">OSVDB 62810</a></li>
<li><a href="http://www.microsoft.com/technet/security/advisory/981374.mspx">MSFT Security Advisory 981374</a></li>
<li><a href="http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/">Targeted Internet Explorer Zero-Day &#8211; McAfee Labs</a></li>
<li><a href="http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/">Microsoft Internet Explorer iepeers.dll use-after-free exploit</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/03/iepeers-a-new-internet-explorer-zero-day-vulnerability/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Press F1 for Help, pwned.</title>
		<link>http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/</link>
		<comments>http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 17:39:54 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Remote Exploit]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[Stay Safe Online]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[help system]]></category>
		<category><![CDATA[ie]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[winhlp32]]></category>
		<category><![CDATA[zero-day]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3444</guid>
		<description><![CDATA[

Microsoft published security advisory 981169 yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 &#38; SP3, and Windows 2003 SP2 with Internet Explorer 7 [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/Vista_Help_thumb_7AEAB696.png"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/Vista_Help_thumb_7AEAB696-150x150.png" alt="Vista_Help_thumb_7AEAB696" title="Vista_Help_thumb_7AEAB696" width="125" height="125" class="alignleft size-thumbnail wp-image-3449" /></a></p>

<p>Microsoft published security advisory <a href="http://www.microsoft.com/technet/security/advisory/981169.mspx">981169</a> yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 &amp; SP3, and Windows 2003 SP2 with Internet Explorer 7 and Internet Explorer 8 are all affected.</p>

<p>Credit to Maurycy Prodeus for publishing the <a href="http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt">initial details</a> of the vulnerability.</p>

<h3>Details</h3>

<p>Using the MsgBox VBScript function in an HTML file, an attacker can create a dialog box prompting the user to hit F1, something that is likely not difficult to do with a message such as &#8220;Internet Explorer encountered an error, press F1 to continue&#8221;. The <a href="http://msdn.microsoft.com/en-us/library/sfw6660x(VS.85).aspx">MsgBox</a> function is important as its fourth argument specifies a helpfile parameter, basically which hlp or chm file to launch when the user asks for help via F1.</p>

<p>I created a simple help file with the word &#8220;Test&#8221; using the Microsoft Help Workshop version 4.03. In addition to this, I added the macro to launch a command prompt (cmd.exe). When I double click this file in Windows XP SP3, I get my test helpfile and the command prompt launches as well:</p>

<div id="attachment_3447" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2010/03/ScreenHunter_02-Mar.-02-11.51.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/03/ScreenHunter_02-Mar.-02-11.51-300x248.jpg" alt="Cmd.exe launched with my Help file." title="ScreenHunter_02 Mar. 02 11.51" width="300" height="248" class="size-medium wp-image-3447" /></a><p class="wp-caption-text">Cmd.exe launched with my Help file.</p></div>

<p>So we now have a .hlp file which executes code. As mentioned before, the MsgBox function has a parameter to specify a help file to launch when the user hits F1. Here is where I come back to a recurring issue of SMB traffic and allowing it outbound on firewalls. In order for the MsgBox parameter to launch the .hlp file, the attacker must point to a local file (which the user would have had to already download) or host a file on an internet accessible SMB share. If you look at the proof of concept code circulating, currently you will see the MsgBox help parameter is &#8220;&#92;&#92;x.x.x.x\attackfile.hlp&#8221;, a pointer to a help file on an SMB share. Corporate enterprises should certainly block SMB outbound, and with this vulnerability and the several previous attacks via SMB client, users should be blocking this outbound traffic as well.</p>

<h3>Vista, Windows 7, &amp; Server 2008</h3>

<p>The vulnerability does not work on Vista, Windows 7 and Windows 2008 due to Microsoft no longer including winhlp32.exe with these versions. However, there is an update which can install winhlp32 for these versions (<a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=258aa5ec-e3d9-4228-8844-008e02b32a2c&amp;displaylang=en">Windows 7 Version I installed from here</a>). I found that these updates did not launch the cmd.exe as the Windows XP version did (I also tried Prodeus&#8217;s PoC help file and it displayed but did not run calc.exe). It is possible that Microsoft removed this code execution function from these versions.</p>

<h3>Workarounds</h3>

<p>The advice is to avoid hitting F1 when prompted by websites. Additionally, permissions to winhlp32.exe can be modified so that it doesn&#8217;t execute. In an Active Directory environment, a Group Policy software restriction setting can prohibit winhlp32.exe from launching. As mentioned, I recommend blocking outbound SMB traffic, as there is rarely a justification for mounting a network share on the public internet. This helps with many known vulnerabilities disclosed in the past as well.</p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>The &#8220;Aurora&#8221; IE Exploit Used Against Google in Action</title>
		<link>http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/</link>
		<comments>http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/#comments</comments>
		<pubDate>Sat, 16 Jan 2010 00:42:41 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Remote Exploit]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[metasploit]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=3065</guid>
		<description><![CDATA[The <a href="http://www.computerworld.com/s/article/9144844/Hackers_used_IE_zero_day_not_PDF_in_China_Google_attacks?source=toc">big news</a> hit earlier this week that the attack vector that allowed bad actors presumably from China into the networks of Google, Juniper, Adobe, and some 30 other firms was an Internet Explorer zero day, a use after free vulnerability on an invalid pointer reference affecting IE 6, 7, and 8 but only used in IE 6 according to Microsoft. Per Microsoft's <a href="http://www.microsoft.com/technet/security/advisory/979352.mspx">Advisory 979352</a>: <i>"In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."</i> Earlier today this entry from yesterday <a href="http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&#38;type=js">at Wepawet</a> (an online analysis engine for malware) was pointed out to H.D. Moore, and <a href="http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html">within hours Metasploit</a> had an exploit of the vulnerability integrated. McAfee has confirmed that the <a href="http://siblog.mcafee.com/cto/%E2%80%9Caurora%E2%80%9D-exploit-in-google-attack-now-public/">exploit is out and the same one</a> they saw during the investigation. The video below demonstrates how crackers gained access to the corporate networks of Google, et al. using this zero day attack.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/google_borealis.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/google_borealis.jpg" alt="google_borealis" title="google_borealis" width="190" height="117" class="alignleft size-full wp-image-3069" /></a></p>

<p>The <a href="http://www.computerworld.com/s/article/9144844/Hackers_used_IE_zero_day_not_PDF_in_China_Google_attacks?source=toc">big news</a> hit earlier this week that the attack vector that allowed bad actors presumably from China into the networks of Google, Juniper, Adobe, and some 29 other firms was an Internet Explorer zero day, a use after free vulnerability on an invalid pointer reference affecting IE 6, 7, and 8 but only used by attackers on IE 6 according to Microsoft. Per Microsoft&#8217;s <a href="http://www.microsoft.com/technet/security/advisory/979352.mspx">Advisory 979352</a>: <i>&#8220;In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.&#8221;</i> Earlier today this entry from yesterday <a href="http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&amp;type=js">at Wepawet</a> (an online analysis engine for malware) was pointed out to H.D. Moore, and <a href="http://www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb">within hours Metasploit</a> had an exploit of the vulnerability integrated. McAfee has confirmed that the <a href="http://siblog.mcafee.com/cto/%E2%80%9Caurora%E2%80%9D-exploit-in-google-attack-now-public/">exploit is out and the same one</a> they saw during the investigation. The video below demonstrates how crackers initially gained access to the corporate networks of Google, et al. using this zero day attack.</p>

<h3>Here It Is</h3>

<p>The video below demonstrates how Google and the rest have been, according to most news reports, exploited via the &#8220;Aurora&#8221; vulnerability in Internet Explorer, and had their &#8220;intellectual property&#8221; taken.</p>

<p>In the video you will see Metasploit set up a listening session, set up a web site that serves up the malicious code, and watch as an unsuspecting user visits the web site, triggers the attack that uses the IE vulnerability, and unknowingly opens a connection to a computer owned by the attacker. The attacker then lists the user&#8217;s processes, and elects to kill Notepad where the user was working on an important document. IE 6.0 is used, as this is the version Microsoft references as having been used in the &#8220;targeted attacks&#8221; on some 30+ U.S. companies.</p>

<p>A silly example for demonstration to be sure, but once the backdoor is open to the user&#8217;s PC the attacker can use it as a pivot point for other attacks against the internal network, escalate his or her privileges, take information off the PC, basically do anything the user can do.</p>

<p><object width="750" height="333"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=8771582&amp;server=vimeo.com&amp;show_title=0&amp;show_byline=0&amp;show_portrait=0&amp;color=00ADEF&amp;fullscreen=1" /><embed src="http://vimeo.com/moogaloop.swf?clip_id=8771582&amp;server=vimeo.com&amp;show_title=0&amp;show_byline=0&amp;show_portrait=0&amp;color=00ADEF&amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="750" height="333"></embed></object>
<br /></p>

<h3>The Vector</h3>

<p>The attack scenario is that users were pointed to a web site (probably through a targeted Spam e-mail, an attack called spear phishing) containing a JavaScript that references this invalid pointer and injects the included shell code. The code below was released publicly yesterday.</p>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2010/01/aurora_vuln.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2010/01/aurora_vuln.jpg" alt="aurora_vuln" title="aurora_vuln" width="752" height="1120" class="alignleft size-full wp-image-3419" /></a>
<br /></p>

<h3>Update</h3>

<ul>
<li>Ahmed Obied has also published a clean Python version of the exploit (opens your Windows Calculator) for testing: <a href='http://praetorianprefect.com/wp-content/uploads/2010/01/ie_aurora.py_.txt'>ie_aurora.py</a>.</li>
<li><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0249">CVE-2010-0249</a> has been opened for this issue.</li>
</ul>

<h3>Finally</h3>

<p><i>&#8220;At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer.&#8221;</i> &#8211; Microsoft.</p>

<p>This situation has the potential to change rapidly now that it appears the exploit has been found. Microsoft last patched a vulnerability off cycle in July of 2009; they could elect to pursue the same response here.</p>

<p>Or as McAfee <a href="http://www.avertlabs.com/research/blog/index.php/2010/01/15/operation-aurora-leading-to-other-threats/">correctly opines</a>: <i>&#8220;What started out as a sophisticated targeted attack is likely to lead to large-scale attacks on vulnerable Microsoft Internet Explorer users.&#8221;</i></p>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/feed/</wfw:commentRss>
		<slash:comments>66</slash:comments>
		</item>
		<item>
		<title>Six Bulletins in Last Patch Tuesday of 2009</title>
		<link>http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 19:39:55 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Administration]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[flash]]></category>
		<category><![CDATA[ie]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[patch tuesday]]></category>
		<category><![CDATA[updates]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2088</guid>
		<description><![CDATA[Today marks the last Microsoft patch Tuesday of 2009, and Microsoft has released patches to six bulletins:




MS09-071 &#8211; Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)
MS09-074 &#8211; Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183) 
MS09-072 &#8211; Cumulative Security Update for Internet Explorer (976325) 
MS09-069 &#8211; Vulnerability in Local [...]]]></description>
			<content:encoded><![CDATA[<p>Today marks the last Microsoft patch Tuesday of 2009, and Microsoft has released patches to six bulletins:</p>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/image_31_3.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image_3[1]_3" border="0" alt="image_3[1]_3" src="http://praetorianprefect.com/wp-content/uploads/2009/12/image_31_3.png" width="69" height="81" /></a></p>

<ul>
<li><strong>MS09-071</strong> &#8211; Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)</li>
<li><strong>MS09-074</strong> &#8211; Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183) </li>
<li><strong>MS09-072</strong> &#8211; Cumulative Security Update for Internet Explorer (976325) </li>
<li><strong>MS09-069</strong> &#8211; Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392) </li>
<li><strong>MS09-070</strong> &#8211; Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726) </li>
<li><strong>MS09-073</strong> &#8211; Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539) </li>
</ul>

<h3>Severity Levels</h3>

<p>Microsoft has a <a href="http://www.microsoft.com/technet/security/bulletin/rating.mspx" target="_blank">rating system</a> for bulletins which includes: Critical, Important, Moderate, and Low. The severity levels I provide below are not directly from Microsoft. For example, Microsoft will give an Important rating when exploitation could result in a compromise of availability, as in a denial of service. MS09-069 can result in a denial of service; however, the attacker must already be authenticated. For this reason I drop the severity to Low.</p>

<h3>Bulletin Summaries</h3>

<hr />

<p><strong>Bulletin:</strong> MS09-071<br/>
<strong>Recommended Action:</strong> Update Windows 2008 Server (32-bit and 64-bit) which have IAS configured to use PEAP with MS-CHAP v2 authentication.<br/>
<strong>My Severity Rating:</strong> Moderate, should patch the above mentioned software.</p>

<p>This update addresses two vulnerabilities in the Internet Authentication Service (IAS). One is an IAS memory corruption vulnerability and the second is an authentication bypass vulnerability in MS-CHAP authentication. Client operating systems contain the vulnerable code but the components are not used in a way to make them vulnerable.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-074<br/>
<strong>Recommended Action:</strong> Update MS Project 2000 SR-1.<br/>
<strong>My Severity Rating:</strong> Important for Project Software</p>

<p>This update addresses a vulnerability in Microsoft Project which can cause remote code execution when a specially crafted Project file is opened.&#160; Microsoft Project 2000 SR-1, Project 2002 SP1 and Project 2003 SP3 are affected.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-072<br/>
<strong>Recommended Action:</strong> Update Internet Explorer<br/>
<strong>My Severity Rating:</strong> Critical</p>

<p>This update addresses five different vulnerabilities, with at least one affecting every version of Internet Explorer. Attackers can host malicious code which can lead to remote code execution on vulnerable systems. Any issues that lead to remote execution in IE should be addressed immediately; even if you are confident about not browsing malicious sites, a known site, <a href="http://praetorianprefect.com/archives/2009/12/pentagon-web-pwned/">such as the Pentagon web site</a>, could be used to automatically execute or redirect you to malicious code using cross-site scripting.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-069<br/>
<strong>Recommended Action:</strong> Update Windows 2000, Windows XP and Windows 2003<br/>
<strong>My Severity Rating:</strong> Low</p>

<p>A vulnerability in LSASS can cause a denial of service. The attacker must be authenticated and communicating through IPSEC.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-070<br/>
<strong>Recommended Action:</strong> Update Windows 2003 and Windows 2008 Servers<br/>
<strong>My Severity Rating:</strong> Low</p>

<p>This update addresses two vulnerabilities in Active Directory Federation Services, one which can be used to spoof an authenticated user and the second which can cause remote code execution. The spoofing requires access to a workstation and browser recently used by a targeted user and the remote code execution requires the attacker to have valid logon credentials to the vulnerable server.</p>

<hr />

<p><strong>Bulletin:</strong> MS09-073<br/>
<strong>Recommended Action:</strong> Update Windows XP SP3 and/or Office 2003 SP3<br/>
<strong>My Severity Rating:</strong> Moderate</p>

<p>A vulnerability in text converters in WordPad and Office can cause remote code execution. Malicious code can be hosted on a website to trigger an exploit, however, an attempt would cause a dialog box to appear prompting the user to open the file (unless the option to “Always ask before opening this type of file” has been unchecked).</p>

<hr />

<h3>Adobe</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="adobe-lq" border="0" alt="adobe-lq" src="http://praetorianprefect.com/wp-content/uploads/2009/12/adobelq_thumb.png" width="47" height="76" /></a></p>

<p>Adobe has mirrored the patch Tuesday schedule of releasing patches on the first Tuesday of the month. The severity ratings also follow the same definitions as Microsoft’s.</p>

<p>Adobe has two advisories for this month:</p>

<hr />

<p><strong>Bulletin:</strong> APSA09-06     <br />
<strong>Recommended Action:</strong> Update Adobe Illustrator CS4 and earlier. (Avail Jan 8)     <br />
<strong>My Severity Rating:</strong> Low</p>

<p>A vulnerability in Illustrator CS4 and earlier could lead to remote code execution. The target is required to open a malicious eps file.</p>

<hr />

<p><strong>Bulletin:</strong> APSA09-17     <br />
<strong>Recommended Action:</strong> Update Adobe Flash Player and Adobe AIR<br/>
<strong>My Severity Rating:</strong> Low</p>

<p>Adobe states this is a critical update and it is scheduled for release today, but does not provide details of the update.</p>

<h3>Updates</h3>

<p>Adobe has released details on the Flash Player update. The update addresses six vulnerabilities, five which can lead to remote execution and one to information disclosure. The vulnerabilities were identified in Flash Player version 10.0.32.18 and earlier.</p>

<h3>References</h3>

<ul>
<li><a href="http://www.microsoft.com/technet/security/Bulletin/MS09-dec.mspx">Microsoft&#8217;s December Bulletins</a></li>
<li><a href="http://www.adobe.com/support/security/">Adobe&#8217;s Security Advisories</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/six-bulletins-in-last-patch-tuesday-of-2009/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Microsoft Video ActiveX Control Vulnerability</title>
		<link>http://praetorianprefect.com/archives/2009/07/microsoft-video-activex-control-vulnerability/</link>
		<comments>http://praetorianprefect.com/archives/2009/07/microsoft-video-activex-control-vulnerability/#comments</comments>
		<pubDate>Wed, 08 Jul 2009 06:04:23 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[ActiveX]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=319</guid>
		<description><![CDATA[Microsoft is recommending setting the kill bit for an ActiveX control object, MPEG2TuneRequest, to avoid an in the wild zero day exploit that allows for remote code execution when a web site containing the exploit is browsed by a user with Internet Explorer.]]></description>
			<content:encoded><![CDATA[<p>Microsoft is recommending setting the kill bit for an ActiveX control object, MPEG2TuneRequest, to avoid an in the wild zero day exploit that allows for remote code execution when a web site containing the exploit is browsed by a user with Internet Explorer.  No user interaction is required for the exploit to be successful once a web site hosting the vulnerability is accessed in the Internet Explorer web browser, and any resultant exploit code is run with the same rights as the local user (so a user running as admin would result in exploit code being run in an admin context for example).  This control is reported by Microsoft as having no legitimate use by IE, and thus there is no reason to wait for a Microsoft patch to disable it.</p>

<h4>Background</h4>

<p>The news hit the web at large on July 6th when Microsoft released advisory <a href="http://www.microsoft.com/technet/security/advisory/972890.mspx">972890</a>. IBM ISS, however, is reporting a first known exploit on June 11th.  The vulnerability, reported by researchers Alex Wheeler and Ryan Smith (ISS employees at the time), was first reported to Microsoft in 2008, which has sparked criticism from at least one reporter covering the IT marketplace: <a href="http://www.eweek.com/c/a/Security/Was-Microsoft-Slow-to-Patch-Video-ActiveX-Vulnerability-130458/?kc=rss">eWeek’s Brian Prince</a>.  The problem would have been available since IE version 6, SP1.</p>

<h4>Exploit Details</h4>

<p>The exploit is <a href="http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activex-control-object-in-msvidctl-dll.aspx">described</a> by MSRC Engineer Chengyun Chu as a “browse and get owned attack vector”.  Once the user navigates to a web site purposely hosting the exploit, or a web site that has been compromised to host the exploit, no further user interaction is required. Examples in the wild (approximately 967 Chinese web sites <a href="http://blog.trendmicro.com/zero-day-microsoft-directshow-mpeg2tunerequest-exploit-leads-to-killav-malware/">according</a> to Trend Micro) are reported to have used both .gif and .jpg files containing the exploit.  Trend Micro found web sites that redirect users multiple times, eventually loading a .jpg file with the exploit, which upon success loads malware called WORM_KILLAV.AI. This malware, as its name suggests, terminates antivirus software processes and loads additional malicious code.</p>

<p>The exploit is based on an overflow condition that is created in the msvidctl.dll library when a crafted file is provided as input, causing a handler to be overwritten which then points to the exploit’s shell code, already loaded in the memory heap via <a href="http://en.wikipedia.org/wiki/Heap_spraying">heap spraying</a>. The object that accepts the crafted input, BDATuner.MPEG2TuneRequest.1, is associated with CLSID 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF, and thus this is the primary CLSID for which a kill bit needs to be set. Microsoft however recommends setting the kill bit for all of the ActiveX Control Objects hosted by msvidctl.dll.</p>

<p>As security vendors such as Symantec, ISS, and others are aware of the problem, antivirus and IDS signatures are either available or forthcoming.</p>

<h4>Work Around Details</h4>

<p>Microsoft provides an automated <a href="http://go.microsoft.com/?linkid=9672398">Fix it</a> which entails disabling attempts to instantiate a COM object in Internet Explorer by setting the kill bit for the control in the registry. This involves adding a DWORD value to 45 keys in the registry representing Class Identifiers that relate to Microsoft Video ActiveX Control. More information can be found in the <a href="http://www.microsoft.com/technet/security/advisory/972890.mspx">security advisory</a>.</p>

<p>To implement the workaround on a single computer, you can manually enter the DWORD value 1024 (0x00000400) for each of the 45 class IDs or launch this <a href="http://praetorianprefect.com/wp-content/uploads/2009/07/kb972890.txt">reg file</a> with the values.</p>

<p>For an enterprise environment, you have two options to deploy this workaround to your workstations. First, through the use of a computer startup script, you can add the execution of a <a href="http://praetorianprefect.com/wp-content/uploads/2009/07/kb972890.txt">reg file</a> with the values for computers to launch at startup. The second option is to add a custom ADM file to a group policy object which is applied to your workstations. Which option to choose depends on preference and your environment.</p>

<h4>Computer Start-up Script</h4>

<p>You may already have a group policy which has a computer startup script enabled. Add a line which executes this <a href="http://praetorianprefect.com/wp-content/uploads/2009/07/kb972890.txt">reg file</a>. A computer startup script is suggested because a user-side startup script runs in the user&#8217;s context, and the user may not have permission to modify the necessary keys. You can find more information on configuring computer startup scripts <a href="http://technet.microsoft.com/en-us/library/cc779329(WS.10).aspx">here</a>.</p>

<h4>Custom ADM File in Group Policy</h4>

<p>The challenge with an ADM file for this particular workaround is that each class ID which needs to be modified is designated as a separate key in the registry rather than a value. So, instead of being able to create a single configuration entry in a group policy object which would modify every value, you have to have an option for each key. Fortunately, the leg work has been done in this <a href="http://praetorianprefect.com/wp-content/uploads/2009/07/kb972890.adm">example custom ADM file</a>, which you can cut and paste into a larger file you may already have.</p>

<p>Save the file where your GPO editor can browse to it. In Computer Configuration, Administrative Templates, right click and select Add/Remove templates. Once you add the template, you&#8217;ll have to ensure your filtering is set up to show &#8220;unmanaged&#8221; group policies, which are basically custom ADM entries which tattoo the registry. Under filtering, in your GPO editor, uncheck the option as shown:</p>

<p><div id="attachment_374" class="wp-caption alignnone" style="width: 393px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/07/gpedit23.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/07/gpedit23.jpg" alt="gpedit" title="gpedit23" width="383" height="370" class="size-full wp-image-374" /></a><p class="wp-caption-text">gpedit</p></div><br /></p>

<p>Once the ADM is added, and the filter option is cleared, you will see the configuration entries for the Microsoft Video ActiveX kill bit. Set them all to Enabled as shown:</p>

<p><div id="attachment_377" class="wp-caption alignnone" style="width: 642px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/07/gpedit3.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/07/gpedit3.jpg" alt="gpedit" title="gpedit3" width="632" height="507" class="size-full wp-image-377" /></a><p class="wp-caption-text">gpedit</p></div><br /></p>

<p>Once you link the policy to all your Windows XP and Windows Server 2003 computers, you will have implemented the workaround. </p>
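
<p>One way to confirm the workaround took effect on a machine, as an added example that is not part of the original post or of Microsoft&#8217;s Fix it: the script parses a regedit export of the ActiveX Compatibility key and reports which expected CLSIDs lack the kill bit. The registry path, the function names, the sample export and the two all-digit CLSIDs are assumptions or constructed values; only 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF comes from the text above.</p>

```python
"""Audit a regedit export for ActiveX kill bits (added example, not the post's code)."""
import re

KILL_BIT = 0x00000400  # DWORD 1024, the value given in the workaround
# Assumption: kill bits live under this key, one subkey per CLSID.
BASE_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
            r"\ActiveX Compatibility")
KEY_RE = re.compile(r"^\[(.+)\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

# Constructed sample export; the two all-digit CLSIDs are placeholders.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00800000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000600
"""


def parse_compat_flags(reg_text):
    """Return {CLSID in upper case: flags or None} for subkeys of BASE_KEY."""
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            # Only track CLSID subkeys that sit directly under BASE_KEY.
            if m and m.group(1).upper() == BASE_KEY.upper():
                current = m.group(2).upper()
                flags.setdefault(current, None)  # key present, value not seen yet
            else:
                current = None
        elif current is not None:
            m = FLAGS_RE.match(line)
            if m:
                flags[current] = int(m.group(1), 16)
    return flags


def audit_kill_bits(reg_text, expected_clsids):
    """Map each expected CLSID to killed, flag-not-set, no-value or missing-key."""
    found = parse_compat_flags(reg_text)
    report = {}
    for clsid in expected_clsids:
        key = clsid.upper()
        if key not in found:
            report[key] = "missing-key"
        elif found[key] is None:
            report[key] = "no-value"
        elif found[key] & KILL_BIT:  # test the bit: other flags may be set too
            report[key] = "killed"
        else:
            report[key] = "flag-not-set"
    return report


if __name__ == "__main__":
    wanted = ["{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"]
    for clsid, state in audit_kill_bits(SAMPLE_EXPORT, wanted).items():
        print(clsid, state)
```

<p>Files written by regedit in the &#8220;Version 5.00&#8221; format are UTF-16, so decode them with that encoding before passing the text in, and supply the full list of 45 class IDs from the advisory as <code>expected_clsids</code>.</p>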

<h4>Active X</h4>

<p>ActiveX, while largely associated with Internet browsing, is not a program that runs inside the browser but rather a technology used throughout the Windows operating system. While only Windows XP and certain configurations of Windows Server 2003 are affected, a similar control does exist in Windows Vista and Server 2008 that is not vulnerable.</p>

<h4>Example Exploits</h4>

<p>Both links provide example exploit code:</p>

<ul>
<li><a href="http://www.rec-sec.com/2009/07/06/ms-directshow-msvidctl-exploit/">http://www.rec-sec.com/2009/07/06/ms-directshow-msvidctl-exploit/</a></li>
<li><a href="http://www.csis.dk/en/news/news.asp?tekstID=799">http://www.csis.dk/en/news/news.asp?tekstID=799</a></li>
</ul>

<h4>References</h4>

<ul>
<li><a href="http://www.microsoft.com/technet/security/advisory/972890.mspx">Microsoft Security Advisory (972890)</a></li>
<li><a href="http://blog.trendmicro.com/zero-day-microsoft-directshow-mpeg2tunerequest-exploit-leads-to-killav-malware/">Zero-day MPEG2TuneRequest Exploit Leads to KILLAV</a></li>
<li><a href="http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activex-control-object-in-msvidctl-dll.aspx">Microsoft Security Research &amp; Defense</a></li>
<li><a href="http://www.symantec.com/connect/blogs/another-unpatched-vulnerability-being-massively-exploited-internet-explorer">Another Unpatched Vulnerability is Being Massively Exploited via Internet Explorer</a></li>
</ul>

<h4>Vulnerability Cross Reference</h4>

<ul>
<li><a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0015">CVE-2008-0015</a></li>
<li>Bugtraq ID: <a href="http://www.securityfocus.com/bid/35558">35558</a></li>
<li>US-CERT Cyber Security Alert: <a href="http://www.us-cert.gov/cas/techalerts/TA09-187A.html">TA09-187A</a></li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/07/microsoft-video-activex-control-vulnerability/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
