Yara Rule for CVE-2010-1297

Posted: June 11th, 2010 | Filed under: IT Related
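rule FlashNewfunction: decodedPDF
{
   meta:
      ref = "CVE-2010-1297"
      hide = true
      impact = 5
   strings:
      // call to JavaScript unescape(), whole word, any case
      $unescape = "unescape" fullword nocase
      // a single %uXXXX escape (one UTF-16 code unit)
      $shellcode = /%u[A-Fa-f0-9]{4}/
      // five %uXXXX escapes back to back
      $shellcode5 = /(%u[A-Fa-f0-9]{4}){5}/
      // PDF dictionary entry marking Flash content
      $cve20101297 = /\/Subtype ?\/Flash/
   condition:
      // Flash content plus either unescape() with any %u escape, or a run of five %u escapes
      ($unescape and $shellcode and $cve20101297) or ($shellcode5 and $cve20101297)
}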
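
As an added example (not part of the original post), the Python sketch below re-implements the rule's four strings and its condition with the re module and evaluates them over constructed, harmless samples, to show which combinations match and which slip past. The sample text and the helper names (hits, rule_matches, run_samples) are assumptions made for illustration.

```python
import re

# The rule's four strings as Python regexes. YARA's "fullword" means the match
# is delimited by non-alphanumeric characters, so "_" counts as a delimiter
# (unlike \b in Python, which treats "_" as a word character).
STRINGS = {
    "unescape": re.compile(r"(?<![A-Za-z0-9])unescape(?![A-Za-z0-9])", re.I),
    "shellcode": re.compile(r"%u[A-Fa-f0-9]{4}"),
    "shellcode5": re.compile(r"(%u[A-Fa-f0-9]{4}){5}"),
    "cve20101297": re.compile(r"/Subtype ?/Flash"),
}

def hits(data):
    """Return the names of the rule strings found in decoded PDF text."""
    return {name for name, rx in STRINGS.items() if rx.search(data)}

def rule_matches(data):
    """Evaluate the rule's condition over the strings that hit."""
    h = hits(data)
    return ({"unescape", "shellcode", "cve20101297"} <= h
            or {"shellcode5", "cve20101297"} <= h)

# Constructed samples: harmless placeholder values, not taken from any real file.
FLASH = "<< /Type /RichMediaInstance /Subtype /Flash >>\n"
SAMPLES = {
    "flash_only": FLASH,
    "js_only": 'var s = unescape("%u4141%u4242");',
    "flash_unescape_one_escape": FLASH + 'var s = UNESCAPE("%u4141");',
    "flash_five_escapes_no_unescape": FLASH + '"%u4141%u4242%u4343%u4444%u4545"',
    "flash_four_escapes_split": FLASH + '"%u4141,%u4242,%u4343,%u4444"',
    "flash_substring_unescape": FLASH + 'myunescaper("%u4141")',
}

def run_samples():
    """Map each constructed sample name to the rule's verdict."""
    return {name: rule_matches(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:32} {'MATCH' if verdict else 'no match'}")
```

The last two samples show the rule's blind spots: escapes that are not contiguous never satisfy $shellcode5, and a renamed or wrapped unescape fails the fullword test, so such content is only caught when the other branch fires.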

Erasing the Content of Flash ROM

Posted: November 18th, 2009 | Filed under: IT Related

Hi all, especially HTC users.

This HOWTO covers the steps needed to erase the content of the flash ROM on an HTC device, to prevent the automagic hard reset when a cooked ROM crashes.

I believe that you are now running a cooked ROM on your device (Huh? Still running on the original ROM? Come on.. Don't be such a lame goat), and for those who have already flashed their device several times (with several different ROMs), you might have the auto hard reset problem occurring almost every day. Besides data loss, it will also cause you headaches and hair loss 😛

Several things can lead to this problem (please leave a comment if you find that I’m wrong):

  1. Installed a corrupted ROM
  2. Flash the radio ROM after the OS ROM
  3. Install the Hard-SPL without flashing the radio and OS ROM (after that)
  4. Memory Bad Blocks

If you think that reasons 1, 2 and 3 do not apply to you, then your problem is caused by reason 4, and the only way to solve it is to wipe/erase the content of the entire ROM before you flash the new ROM.

Here are the steps that you need to follow:

  1. MAKE SURE YOU ALREADY HAVE HARD-SPL INSTALLED (not sure? DON'T proceed)
  2. BACKUP ALL OF YOUR DATA
  3. Boot your device into the bootloader menu (if you don't know how to do it, please refer to the device manual)
  4. Connect the USB cable from your device to your computer
  5. Enter the bootloader cmd prompt
    • For Windows users: make sure you have disabled the USB connection in ActiveSync before trying to connect to the bootloader (File –> Connection settings –> uncheck “allow USB connections”), then download and run the mtty program
    • For Linux users: download htc-flasher, run it, and choose Bootloader Cmd Prompt
  6. Type the following commands (for advanced users: don't set any value for StartAddr and Len in erase, just use the default values)
    password BsaD5SeoA
    erase
    task 28
  7. Reset/restart your device by poking into the reset hole, or issue the following command
    ResetDevice
  8. Now you can flash your GSM/Radio ROM
  9. And finally you can flash your cooked ROM as usual
  10. If your device is still stuck in tri-colour / bootloader mode, run the following commands
    set 16 0
    ResetDevice

Cheers…! 😀


Research shows that 80% of Web users running unpatched versions of Flash/Acrobat

Posted: August 25th, 2009 | Filed under: IT Related

According to research published by Trusteer earlier this month, 79.5% of the 2.5 million users of their Rapport security service run a vulnerable version of Adobe Flash, with 83.5% also running a vulnerable version of Acrobat.

The company has also criticized Adobe, insisting that its update mechanism “does not meet the requirements of a system that is used by 99% of users on the Internet and is highly targeted by criminals”, while praising the update mechanisms of Google’s Chrome and Firefox, whose silent updates close the window of opportunity that malicious attackers take advantage of.



Flash Attack Vectors – Cross Site Flashing (XSF)

Posted: August 25th, 2009 | Filed under: IT Related

A few days ago a lot of media wrote about a Flash worm. I managed to get hold of samples and analyzed it (thanks to Peter Kruse of CSIS for the samples).

First of all, while the exploit code contains Flash, it is actually just used as an attack (or, if we stretch it, infection) vector. The worm itself is contained in JavaScript and is very similar to the Twitter worm I analyzed back in April this year (see http://isc.sans.org/diary.html?storyid=6187). That is not surprising as both worms are attacking similar services.

The worm was first identified on a popular Chinese social web site (for schools, if I’m not wrong), Renren (http://www.renren.com). This site is in many ways similar to Twitter or Facebook, but much more media intensive and it allows users to share various information, including pictures, movies etc.



More and More Exploits are Now Targeting Clientside & Mobile

Posted: July 12th, 2009 | Filed under: IT Related



(The facts that I’m gonna talk about are based on my observations)

Back in mid-2007, mass SQL injection carrying malicious JavaScript started to wreak havoc on our cyberspace. But it did not have enough impact to alert and educate internet users.. until mid-2008, when another flood of mass SQL injection happened, attacking MS SQL, and not long after that people couldn't stop talking about 0days in IE, followed by Adobe Flash Player, Adobe Acrobat Reader, Mozilla Firefox, etc.

This clearly shows that the attack vector has now shifted to the client side. This is because the number of victims on the client side is far greater than on the server side. Normally the mission of this kind of attack is to force the vulnerable application to crash and execute arbitrary code, which is usually used to download another malicious file and execute it (drive-by download). The victim (client) is now part of the attacker’s botnet. Awuuuooo0… (That is what the botnet sounds like.. Hahahaha)

Now in 2009, more and more client-side attacks are appearing, abusing IE, Firefox, Thunderbird, Adobe Acrobat Reader, Adobe Flash Player, Microsoft Office PowerPoint, Microsoft Office Excel, Google Chrome, Apple QuickTime, Foxit PDF Reader, Sun Java Runtime Environment, Adobe Shockwave Player, ActiveX, etc. The attackers are also aware of current world issues and trends. That is why we see events like H1N1, the death of Michael Jackson, Independence Day, April Fool's and many more being abused by attackers to phish for their victims.

Lately, within these 2 months, a few mobile phone vulnerabilities have been found. iPhone, Symbian and Windows Mobile were all hit by these exploits. The attackers not only manage to get sensitive data/info from the mobile device, they are also able to take control of it. In the recent cases, victims’ mobile phones have been used to send spam SMS, MMS and email, and at the same time the SMS, MMS and email sent work as an agent to ‘invite’ more devices to be part of the ‘mobile botnet’ society. Awuuuooo0…

Till next time..

P/S: I am writing this entry while working on my slides for next week's presentation at one of the standardization and quality organizations. So I think these issues need to be highlighted in my slides as well. Besides trends, the impact also needs to be highlighted, and ‘how bad the impact could be’ should also be part of the slides. Then, after discussing the trends and impact, please make it a habit to discuss the prevention and mitigation part as well. This is important because leaving the presentation stage without prevention or mitigation steps will create FUD in the audience, and this is totally not a good practice!