Microsoft published security advisory 981169 yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 & SP3, and Windows 2003 SP2 with Internet Explorer 7 and Internet Explorer 8 are all affected.

Credit to Maurycy Prodeus for publishing the initial details of the vulnerability.

Details

Using the MsgBox VBScript function in an html file, an attacker can create a dialog box prompting the user to hit F1, something that is likely not difficult to do with a message such as “Internet Explorer encountered an error, press F1 to continue”. The MsgBox function is important as its fourth argument specifies a helpfile parameter, basically which hlp or chm file to launch when the user asks for help via F1.

I created a simple help file with the word “Test” using the Microsoft Help Workshop version 4.03. In addition to this, I added the macro to launch a command prompt (cmd.exe). When I double click this file in Windows XP SP3, I get my test helpfile and the command prompt launches as well:

Cmd.exe launched with my Help file.

So we now have a .hlp file which executes code. As mentioned before, the MsgBox function has a parameter to specify a help file to launch when the user hits F1. Here is where I come back to a recurring issue of SMB traffic and allowing it outbound on firewalls. In order for the MsgBox parameter to launch the .hlp file, the attacker must point to a local file (which the user would have had to already download) or host a file on an internet accessible SMB share. If you look at the proof of concept code circulating, currently you will see the MsgBox help parameter is “\x.x.x.x\attackfile.hlp”, a pointer to a help file on an SMB share. Corporate enterprises should certainly block SMB outbound, and with this vulnerability and the several previous attacks via SMB client, users should be blocking this outbound traffic as well.

Vista, Windows 7, & Server 2008

The vulnerability does not work on Vista, Windows 7 and Windows 2008 due to Microsoft no longer including winhlp32.exe with these versions. However, there is an update which can install winhlp32 for these versions (Windows 7 Version I installed from here). I found that these updates did not launch the cmd.exe as the Windows XP version did (I also tried Prodeus’s PoC help file and it displayed but did not run calc.exe). It is possible that Microsoft removed this code execution function from these versions.

Workarounds

The warnings are avoid hitting F1 when prompted by websites. Additionally, permissions to winhlp32.exe can be modified so that it doesn’t execute. In an Active Directory environment, a Group Policy software restriction setting can prohibit winhlp32.exe from launching. As mentioned, I recommend blocking outbound SMB traffic, as there is rarely a justification for mounting a network share on the public internet. This helps with many known vulnerabilities disclosed in the past as well.

Related Posts:

• Turning an ATM into a Slot Machine
• iPhone 4 Ordering and Session Switching
• Thou Shalt Not Send Naked Pictures…To Anyone Ever
• May’s Patch Tuesday
• IEPeers – A New Internet Explorer Zero Day Vulnerability

Adobe published an advisory yesterday confirming the vulnerability and plans to make an update available by January 12, 2010 to resolve the issue. In the meantime, a mitigation step is available by disabling JavaScript in Adobe Reader and Acrobat. Users with Microsoft DEP (“Data Execution Prevention”) enabled reduces the exploit to a denial of service attack.

Some detailed analysis of a malicious PDF reveals the Javascript and shows that a function called util.printd leads to a memory corruption issue. This function is supposed to return a date using a specified format and takes two parameters (plus a third optional parameter not typically used). The first parameter is the format of the date and time (0 for PDF, 1 for Universal, or 2 for Localized string). The second parameter is the date object submitted to format. The code shows the first parameter contains a @ followed by a series of numbers as opposed to the expected input.

JS heap spray and vulnerable function call.

Email Phishing, Malicious PDFs, and Metasploit

A Metasploit exploit module has been released taking advantage of this vulnerability. The integration into Metasploit can accelerate the spread of exploits for this vulnerability in the wild. A video demonstration utilizing this module can be seen here.

Examples of the phishing emails along with examples of the malicious PDF files can be found on the Contagio malware dump site here and here. The following two emails are examples of the phishing methods used to have users open the malicious PDF files:

Email One:

[mailto:chrisanderson58@hotmail.com]
Sent: 2009-11-30 1:56 AM
To: XXX@XXX.XXX
Subject: FW: reference
\----
From: jackr@gilbrooks.edu
To: chrisanderson58@hotmail.com
Subject: reference
Date: Mon, 30 Nov 2009 06:53:52 +0000


Dear All
Please find attached the updated country briefing notes, and staff lists.


Kind regards
Jack

Email Two:

[mailto:fureer.angelica@gmail.com]
Sent: 2009-12-13 12:14 AM
To: XXXXXX
Subject: Interview Request


This is Fureer Angelica, diplomaic broadcaster for CNN in DC.
There's growing concern about the U.S.-North Korea bilateral talks.
So, we're planning an Interview about them.
Attached is the outline of the interview.


p.s. Detailed schedules will be followed soon if you accept the offer.

Workarounds (from a previous post)

Disabling Javascript on Adobe Acrobat

Adobe notes that disabling Javascript mitigates against the specific exploit identified, although it would be possible to create a variant that does not rely on Javascript. To disable Javascript in Adobe Reader or Acrobat, select Edit>Preferences, select the JavaScript option on the left, and uncheck the Enable Acrobat JavaScript option as shown.

Uncheck to disable Acrobat JavaScript

Data Execution Prevention

Also, users with DEP enabled on Windows Vista or Windows 7 reduces the exploit from remote code execution to denial of service. Data Execution Prevention (DEP) performs additional checks on memory to help prevent malicious code from running, designed to prevent buffer overflow attacks. To enable DEP on Windows for all or individual programs, proceed to Control Panel -> System and Maintenance -> System, click on Advanced System Settings, under Performance click Settings, and finally under the Data Execution Prevention tab click Turn on DEP for all programs and services except those I select. If you can not find Acrobat in the list of programs, click Add and browse to the Acrobat executable (.exe) file and click Open. For more information on DEP settings, visit the Microsoft help page.

References

• Adobe PSIRT: New Adobe Reader and Acrobat Vulnerability
• CVE-2009-4324
• New Zero day Adobe Acrobat Reader vulnerability analysis

Related Posts:

• Turning an ATM into a Slot Machine
• Press F1 for Help, pwned.
• Microsoft’s Google Attack Patch?
• Six Bulletins in Last Patch Tuesday of 2009
• The Barack Obama Donations Site was Hacked…err, no it wasn’t.

A new zero-day vulnerability in Adobe Reader and Acrobat 9.1.3 has been identified by Chia-Ching Fang and the Taiwanese Information and Communication Security Technology Service Center that allows an attacker to remotely execute arbitrary code. The attack is seeded by providing via e-mail or download a specially crafted PDF file which in current examples will then drop a malware executable as well as an unaffected pdf file. McAfee is identifying this under Exploit-PDF.m, and has a signature for a specific Trojan already identified. This is the fourth PDF related zero-day attack of 2009, and a further incentive for enterprises to bring patching of applications in line with processes for operating system patching.

The crafted PDF file contains a Javascript which is used to execute arbitrary code via a technique known as heap spraying. The initial shell code jumps program execution to a second shell code, which in turn executes a malicious file that creates a backdoor (remote access to the infected computer). Trend Micro is identifying this malware as a Protux variant. Protux backdoors provide user level access to the machine and have been associated as the payloads of Microsoft Office (Word, PowerPoint, Excel, Access) as well as previous Adobe Reader exploits. The Protux family of Trojans has been around since at least 2007.

The identification of this exploit has prompted Adobe to announce release of a critical patch for release on Tuesday, October 13th. The company posted a security advisory yesterday, announcing plans to release the update to “resolve critical security issues”. The vulnerability is being exploited, although it is unclear how widespread the attacks are. Adobe asserts that the vulnerability is being exploited in “limited, targeted attacks” limited to Windows operating systems although the vulnerability itself also exists for other operating systems.

“There are reports that this issue is being exploited in the wild in limited targeted attacks”
– David Lenoe of Adobe

Vupen Security posted an advisory on the vulnerability (CVE-2009-3459) which states that the issue is an unspecified memory corruption error, which could be exploited allowing attackers to comprise a system remotely.

Workarounds

Disabling Javascript on Adobe Acrobat

Adobe notes that disabling Javascript mitigates against the specific exploit identified, although it would be possible to create a variant that does not rely on Javascript. To disable Javascript in Adobe Reader or Acrobat, select Edit > Preferences, select the JavaScript option on the left, and uncheck the Enable Acrobat JavaScript option as shown.

Uncheck to disable Acrobat JavaScript

Data Execution Prevention

Also, users with DEP enabled on Windows Vista or Windows 7 are protected from this exploit. Data Execution Prevention (DEP) performs additional checks on memory to help prevent malicious code from running, designed to prevent buffer overflow attacks. To enable DEP on Windows for all or individual programs, proceed to Control Panel -> System and Maintenance -> System, click on Advanced System Settings, under Performance click Settings, and finally under the Data Execution Prevention tab click Turn on DEP for all programs and services except those I select. If you can not find Acrobat in the list of programs, click Add and browse to the Acrobat executable (.exe) file and click Open. For more information on DEP settings, visit the Microsoft help page.

In Conclusion

In June Adobe moved to the same Tuesday patch management schedule that Microsoft and Oracle previously adopted. This latest zero-day exploit represents another opportunity to address an ongoing issue for organizations: that patch management must extend beyond just the operating system level. While enterprises focus on ensuring the latest Microsoft updates to the desktop and server environment, applications, such as Adobe Reader, fail to be a part of the the same rigorous patch management exercise.

Qualys demonstrated this problem when the first Adobe exploit was released this year in February, APSA09-01. While a fix was released on March 10th (demonstrated by the red line in their graph), by April 27th there was still no clear reduction in the number of vulnerable machines. A 30 day patch management cycle, including testing of the patch before full enterprise release, would have shown a steep drop off on or about April 10th:

Source: http://laws.qualys.com/lawsblog/2009/04/new-adobe-0-day-vulnerability.html

Related Posts:

• iPhone 4 Ordering and Session Switching
• May’s Patch Tuesday
• March’s Patch Tuesday
• Press F1 for Help, pwned.
• The “Aurora” IE Exploit Used Against Google in Action