CVE-2010-2568 - LNK Code execution - Proof of concept (Update)

Subscribe to the RSS feed in case you are interested in updates

Ivanlef0u released a POC for the exploit used in targeted attacks:

More information:
Mitigations:

  • Disable display of icons (regedit changes proposed by the MS Bulletin)
  • Use of kernel mode protection drivers (Ariad, Sophos, etc.)


Callstack:

kd> g
Breakpoint 1 hit
eax=00000001 ebx=00f5ee7c ecx=0000c666 edx=00200003 esi=00000001 edi=7c80a6e4
eip=7ca78712 esp=00f5e9c4 ebp=00f5ec18 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
SHELL32!_LoadCPLModule+0x10d:
001b:7ca78712 ff15a0159d7c    call    dword ptr [SHELL32!_imp__LoadLibraryW (7c9d15a0)] ds:0023:7c9d15a0={kernel32!LoadLibraryW (7c80aeeb)}
kd> dd esp
00f5e9c4  00f5ee7c 000a27bc 00f5ee78 00000000
00f5e9d4  00000020 00000008 00f5ee7c 00000000
00f5e9e4  00000000 0000007b 00000000 00000000
00f5e9f4  00200073 002000e0 0000064c 0000028c
00f5ea04  1530000a 00000000 003a0043 0064005c
00f5ea14  006c006c 0064002e 006c006c 006d002e
00f5ea24  006e0061 00660069 00730065 00000074
00f5ea34  00090608 7c92005d 00000000 00000007
kd> db 00f5ee7c
00f5ee7c  43 00 3a 00 5c 00 64 00-6c 00 6c 00 2e 00 64 00  C.:.\.d.l.l...d.
00f5ee8c  6c 00 6c 00 00 00 92 7c-c8 f2 f5 00 00 17 72 02  l.l....|......r.
00f5ee9c  4b d2 00 00 d8 f2 f5 00-8b d2 a1 7c 00 00 00 00  K..........|....
00f5eeac  ac 80 9d 7c 30 d8 0d 00-34 d8 0d 00 b8 d7 0d 00  ...|0...4.......
00f5eebc  9a d2 a1 7c 30 d8 0d 00-c8 f2 f5 00 50 40 15 00  ...|0.......P@..
00f5eecc  50 40 15 00 00 00 00 00-b8 00 92 7c 40 b7 0c 00  P@.........|@...
00f5eedc  a8 ef f5 00 41 00 92 7c-18 07 09 00 5d 00 92 7c  ....A..|....]..|
00f5eeec  c8 f2 f5 00 00 ef f5 00-00 00 00 00 b8 00 92 7c  ...............|
kd> kv
ChildEBP RetAddr  Args to Child
00f5ec18 7ca81a74 00f5ee7c 000a27bc 00f5f2c4 SHELL32!_LoadCPLModule+0x10d (FPO: [1,145,4])
00f5ee50 7ca82543 00f5ee74 000a27bc 000a27c0 SHELL32!CPL_LoadAndFindApplet+0x4a (FPO: [4,136,4])
00f5f294 7cb56065 000a25b4 000a27bc 000a27c0 SHELL32!CPL_FindCPLInfo+0x46 (FPO: [4,264,4])
00f5f2b8 7ca13714 00000082 00000000 00000104 SHELL32!CCtrlExtIconBase::_GetIconLocationW+0x7b (FPO: [5,0,0])
00f5f2d4 7ca1d306 000a25ac 00000082 00f5f570 SHELL32!CExtractIconBase::GetIconLocation+0x1f (FPO: [6,0,0])
00f5f410 7ca133b6 000dd7e0 00000082 00f5f570 SHELL32!CShellLink::GetIconLocation+0x69 (FPO: [6,68,4])
00f5f77c 7ca03c88 000dd7e0 00000000 0015aa00 SHELL32!_GetILIndexGivenPXIcon+0x9c (FPO: [5,208,4])
00f5f7a4 7ca06693 00131c60 000dd7e0 0015aa00 SHELL32!SHGetIconFromPIDL+0x90 (FPO: [5,0,4])
00f5fe20 7ca12db0 00131c64 0015aa00 00000000 SHELL32!CFSFolder::GetIconOf+0x24e (FPO: [4,405,4])
00f5fe40 7ca15e3c 00131c60 00131c64 0015aa00 SHELL32!SHGetIconFromPIDL+0x20 (FPO: [5,0,0])
00f5fe68 7ca03275 000f8090 0014d5b0 0014a910 SHELL32!CGetIconTask::RunInitRT+0x47 (FPO: [1,2,4])
00f5fe84 75f11b9a 000f8090 75f11b18 75f10000 SHELL32!CRunnableTask::Run+0x54 (FPO: [1,1,4])
00f5fee0 77f49598 00155658 000cb748 77f4957b BROWSEUI!CShellTaskScheduler_ThreadProc+0x111 (FPO: [1,17,0])
00f5fef8 7c937ac2 000cb748 7c98e440 0014cfe0 SHLWAPI!ExecuteWorkItem+0x1d (FPO: [1,0,4])
00f5ff40 7c937b03 77f4957b 000cb748 00000000 ntdll!RtlpWorkerCallout+0x70 (FPO: [Non-Fpo])
00f5ff60 7c937bc5 00000000 000cb748 0014cfe0 ntdll!RtlpExecuteWorkerRequest+0x1a (FPO: [3,0,0])
00f5ff74 7c937b9c 7c937ae9 00000000 000cb748 ntdll!RtlpApcCallout+0x11 (FPO: [4,0,0])
00f5ffb4 7c80b729 00000000 00edfce4 00edfce8 ntdll!RtlpWorkerThread+0x87 (FPO: [1,7,0])
00f5ffec 00000000 7c920250 00000000 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
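The callstack above shows SHELL32's control panel applet loader (CPL_FindCPLInfo → CPL_LoadAndFindApplet → _LoadCPLModule) handing the path embedded in the shortcut (C:\dll.dll in the kd dump) straight to LoadLibraryW while Explorer is only resolving the icon. As an added example (not code from the post or from the PoC), the following Python parses a shell link's header and LinkTargetIDList per the public MS-SHLLINK layout and flags any item that embeds a .dll path, the kind of triage check a responder might run over the contents of a removable drive; the builder and sample links are constructed test data, and the heuristic is my own assumption, not a signature from the post.

```python
import struct

# Layout per the public MS-SHLLINK spec: 76-byte ShellLinkHeader, then the
# optional LinkTargetIDList. The builder only exists to construct test
# fixtures; it is not the PoC and writes no control-panel item structure.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_LINK_TARGET_ID_LIST = 0x01  # LinkFlags bit 0

def build_lnk(item_payloads):
    """Constructed sample: minimal .lnk whose IDList holds the given ItemID payloads."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, etc.
    idlist = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads)
    idlist += b"\x00\x00"  # TerminalID closes the list
    return header + struct.pack("<H", len(idlist)) + idlist

def parse_item_ids(data):
    """Return the ItemID payloads of the LinkTargetIDList ([] if the link has none)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    pos = HEADER_SIZE
    end = pos + 2 + struct.unpack_from("<H", data, pos)[0]
    pos += 2
    items = []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size == 0:  # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("corrupt ItemID at offset %d" % pos)
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items

def dll_paths_in_idlist(data):
    """Heuristic triage (my assumption, not a signature from the post): collect
    UTF-16LE strings inside ItemIDs that name a .dll, such as the C:\\dll.dll the
    kd dump shows reaching LoadLibraryW. Both byte alignments are tried because
    item data usually starts with a type byte before any wide string."""
    hits = []
    for payload in parse_item_ids(data):
        for offset in (0, 1):
            text = payload[offset:].decode("utf-16-le", errors="ignore")
            for piece in text.split("\x00"):
                if piece.lower().endswith(".dll") and piece not in hits:
                    hits.append(piece)
    return hits
```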


You got pwned - The song




I am pretty confident this song will win the Pwnie Award this year:



Credit: Drraid. Download: http://sophsec.com/pwned.mp3

Top 10 Vulnerability Researcher 2009



Thanks @edisoar for the hint: IBM ISS collected information about the researchers who discovered and published the most vulnerabilities in 2009, and apparently I am one of them :).

One should add that XSS was also counted as a vulnerability; had this type of low-key vulnerability been ignored, I would have moved up by a few places.


Some vulnerabilities included on that list can be found here, including remote code execution vulnerabilities in products from Sun, Oracle, Microsoft and Apple (iPhone). Needless to say, all of those vulnerabilities were disclosed responsibly, adhering to the responsible disclosure guideline.

Source: IBM ISS


Videos of IGF Nominees in "Excellence in Visual Art"



The Independent Games Festival is taking place right now; the indie games [1] below have been nominated in the category "Excellence in Visual Art":


New Paper: SSL/TLS Hardening and Compatibility report 2010


Copied from the post over at G-SEC:
At last. What started as an "I need an overview of best practice in SSL/TLS configuration" type of idea ended in a 3-month coding, reverse-engineering and writing effort. I really hope this comes in handy for you and was worth the effort. This is the "release candidate" version of the paper; should no errors be found, it will be the final version.

This paper aims at answering the following questions:
  • What SSL/TLS configuration is state of the art and considered secure (enough) for the next years?
  • What SSL/TLS ciphers do modern browsers support?
  • What SSL/TLS settings do servers and common SSL providers support?
  • Which cipher suites offer the most compatibility and security?
  • Should we really disable SSLv2? What about legacy browsers?
  • How long does RSA still stand a chance?
  • What are the recommended hashes and ciphers for the years to come?

The paper includes two tools:
  • SSL Audit (alpha): an SSL scanner that checks remote hosts for SSL/TLS support (Video)
  • Harden SSL/TLS (beta): a Windows server and client SSL/TLS hardening tool (Video)
Without further ado, here is the complete package.

PS: In order to know whether this type of publication is useful to some and whether I should spend time on such publications in the future, I would appreciate a heads-up if you find this to be interesting. Thierry



SSL/TLS Audit - New tool


Developed as part of G-SEC's investigation for the "Secure SSL/TLS configuration Report 2010" (to be published), this little tool is called SSL Audit. (More to follow in the next days; stay tuned.)

SSL Audit scans web servers for SSL support. Unlike other tools, it is not limited to the ciphers supported by SSL engines such as OpenSSL or NSS and can detect all known cipher suites over all SSL and TLS versions.



Apart from scanning available cipher suites, it has an interesting tidbit: the fingerprint mode (experimental). The included fingerprint engine tries to determine the SSL engine used on the server side. It does so by sending normal and malformed SSL packets that different implementations interpret in different ways.

SSL Audit is able to fingerprint:
  • IIS 7.5 (Schannel)
  • IIS 7.0 (Schannel)
  • IIS 6.0 (Schannel)
  • Apache (OpenSSL)
  • Apache (NSS)
  • Certicom
  • RSA BSAFE


TLS / SSLv3 renegotiation vulnerability explained - NEW update


I updated the whitepaper "TLS / SSLv3 vulnerability explained":

Updated 18.11.2009: added SMTP over TLS attack scenario, added s_client test case
Updated 30.11.2009: added FTPS analysis, new attacks against HTTPS (injecting responses and downgrading to HTTP)


New SSLv3 / TLS vulnerability - MITM attacks possible



In order to allow me to update in a more convenient manner, the latest updates will be added to the G-SEC blog only. Once the final revision of this blog post is done, I will update this blog with the latest version.


  • Updated 17:50 GMT+1 / 05.2009 - added Mitigation / Impact
  • Updated 16:40 GMT+1 / 06.2009 - added IETF draft
  • Updated 14:35 GMT+1 / 07.2009 - added SSLTLS Test Tool
  • Updated 16:34 GMT+1 / 07.2009 - added OpenSSL patch
  • Updated 13:00 GMT+1 / 09.2009 - added GnuTLS patch
  • Updated 19:40 GMT+1 / 09.2009 - added Mikestoolbox.net testing TLS renegotiation support
  • Updated 21:29 GMT+1 / 09.2009 - added Apache patch, Mozilla Bug ID, Red Hat Bug ID, Mozilla patch disabling TLS renegotiation, Tomcat mitigation
  • Updated 21:00 GMT+1 / 12.2009 - added a whitepaper trying to explain the vulnerability and its implications to a broader audience


After some in-house tests, we can confirm that the vulnerability presented at http://www.extendedsubset.com/ is indeed real and should pose a significant threat to most. The vulnerability was discovered by Marsh Ray.

We are currently looking into possible mitigations and will update this blog post regularly with more information regarding said vulnerability, as it becomes available.


Details

Patches
  • OpenSSL 0.9.8l (Attention: OpenSSL removed the TLS/SSL renegotiation feature in this release; you need to test your applications before/after updating to this version) (via ISC)
  • GnuTLS patch (implements the new TLS extension proposed in the IETF draft) (via SID)
  • Apache patch (mitigates renegotiation prefix attacks at the application layer; the OpenSSL fixes are still needed for other attacks)
Impacts:
Currently known to exist
  • In general, an attacker positioned in the middle of a connection may inject arbitrary content into the beginning of an authenticated stream; it will be interesting to see what impact this vulnerability has within each of the applications / protocols supporting it (IMAPS, FTPSSL, POP3, etc.).
  • For web servers: attackers (if in the middle) can inject data into a segment that is authenticated to the web server, and the web server will merge those requests and process them. (GET requests are trivially exploitable; POST requests are not known to be.)
Mitigations:
  • Monitor renegotiation requests
  • To mitigate possible attacks against web applications, use an IPS/IDS/application firewall to catch recurring HTTP requests that are enclosed within each other
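The last mitigation above amounts to a detection rule: once the server has merged the injected prefix with the victim's request, the victim's own request line ends up as the value of a header of the request in front of it, a shape legitimate traffic never produces. The following Python is an added example (not code from the post or from G-SEC) that applies that rule to a decrypted request stream; the header name and both sample streams are constructed for illustration.

```python
import re

# Request line as defined for HTTP/1.x; bytes because the stream is raw.
REQUEST_LINE = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]$")

def split_requests(stream):
    """Split a plaintext HTTP request stream (as seen after TLS decryption) into
    (request_line, [header_line, ...]) blocks; bodies are ignored here."""
    blocks = []
    for raw in stream.split(b"\r\n\r\n"):
        lines = raw.split(b"\r\n")
        if lines[0] and REQUEST_LINE.match(lines[0]):
            blocks.append((lines[0], lines[1:]))
    return blocks

def enclosed_requests(stream):
    """Return (outer_request_line, header_line) pairs where a header's value is
    itself a request line: the nested shape the post says an IDS/IPS or
    application firewall should catch."""
    findings = []
    for req_line, headers in split_requests(stream):
        for h in headers:
            name, sep, value = h.partition(b":")
            if sep and REQUEST_LINE.match(value.strip()):
                findings.append((req_line, h))
    return findings

# Constructed samples (not captures from the post): a normal request, and a
# merged stream in which the client's own request line has become the value
# of a header belonging to the request placed in front of it.
NORMAL = (b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
          b"Cookie: session=constructed\r\n\r\n")
MERGED = (b"GET /account/settings HTTP/1.1\r\nHost: www.example.test\r\n"
          b"X-Unused: GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
          b"Cookie: session=constructed\r\n\r\n")

if __name__ == "__main__":
    print(enclosed_requests(NORMAL))  # []
    print(enclosed_requests(MERGED))  # one finding: the X-Unused header line
```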


Computer Associates multiple products - RCE



I released another advisory today; the affected products are from Computer Associates, whom I'd like to thank for their cooperation and feedback.

I published the advisory @G-SEC


Derren Brown guessed the lottery numbers - afterwards




Derren Brown, the NLP master and magician, "predicted" the lottery numbers live on TV and promised to tell on Friday how he did it. Well, he didn't really. The explanation on Friday was obviously not very convincing. He claimed to have used the phenomenon called "crowd wisdom", whereby a group of people, taking the average, often guesses correctly. Right.

Derren Brown predicting the lottery




The "ball" that gave it away


Simulation of the trick



Real NLP trickery
