Xanda's Blog !~!

Weekly Summary : Internet Explorer Vulnerability & New BlackHole 2.0 Pattern

Sep
23

The biggest news for this week is of course related to the recent 0day vulnerability found in Internet Explorer, CVE-2012-4969. The exploit code that has leaked on the same server with the previous Java oday, has been discovered by several researchers and without any delay, it has been ported to Metsaploit framework.

I’ve done a quick writeup on this news earlier, and back then, there is no patch/fixit yet released by Microsoft. So I end up make a reference to MyCERT advisory which recommend users to use EMET and disable Active Script. But recently, Microsoft has released fixit and out of band patch to address this issue. As for now, there is no reported/blogged/twitted information saying that Malaysia has been targeted with this new vulnerability, and there is no Information on this vulnerability has been ported to BlackHole 2.0 as well.

Speaking about BlackHole 2.0, I’ve been seeing new pattern used in BlackHole 2.0 and could bypass most/some detection rules that specifically written based on the initial release of BlackHole 2.0. Thanks to #MalwareMustDie and MalwareDomainList for the brand new and fresh samples. My yara rules updated for both CVE-2012-4969 and BlackHole 2.0++, and MyYaraSIG members may perform a git pull to see the update.

Thats all for this week.

Thanks

Weekly Summary : Merdeka and Internet Explorer

Sep
08

This week I’ll be writing on a short update related to Malaysia merdeka (independence) day and Internet Explorer MS12-052 bug.

It is almost like a tradition here, in Malaysia, to receive a massive number of system intrusion and website defacement on our merdeka (independence) day. Based on the data of the previous years, most of the attacks came from the foreign countries, and the messages left by them clearly reflect their political motive on performing the attack.

But in 2012, the incidents landscape on the merdeka day (week) shifted. The total number of system intrusion and website defacement reduced a lot compare to the same period of time in the previous years. This data can be verified by performing zone-h search, and you can cross check your findings with MyCERT monthly statistic by end of this month (or early next month).

One thing that is sad to be shared here is, it is not only the number that has shifted, the source of attack for this year is also showing some differences. Most of the defacement cases this year, that is related to .MY domain, or websites that are hosted in the IP range of Malaysia, were performed mostly by local attackers. Their messages are not clear, but a quick conclusion that I can make is, it was for fame.

Also in this week’s update, I’ll cover a bit on the “Internet Explorer Script Interjection Code Execution (updated)” that has been posted to Bugtraq mailing list. You can read the details part of the advisory in the “VULNERABILITY DETAILS” section. As of the writing of this update, there is no news yet on this vulnerability (MS12-052) has been used in the wild, and I’ve cross checked with Metasploit and confirmed that, it is not yet ported to Metasploit. However, with the detail explanation provided in the advisory, I don’t think it will take any longer for the working exploit to be made public.

You can use the following generic Yara rule to detect a malicious html/JS file exploiting this vulnerability:

rule MS12_052
{
        meta:
                author = "Adnan Mohd Shukor" 
                author_email = "adnan.shukor @ G!"
                ref = "MS12-052"
                ref_url = "http://seclists.org/bugtraq/2012/Sep/29"
                cve = "CVE-"
                version = "1"
                impact = 4
                hide = false
        strings:
                $ms12052_1 = /mailto\:.{2000,}/ nocase fullword
                $ms12052_2 = /\.getElements?By/ nocase
                $ms12052_3 = /\.removeChild\(/ nocase
                $ms12052_4 = /document\..*?= ?null/ nocase
        condition:
                $ms12052_1 and $ms12052_2 and ($ms12052_3 or $ms12052_4)
}

Thats all for this week.

Thanks

Java 0day

Apr
20

I’ve play around with Java Deployment Toolkit exploit last week and found that the exploit is damn easy to trigger, but mitigation is a bit tricky (for Firefox especially if you have multiple version of Java installed)

Anyway, the patch released and people dont have to worry much about this anymore.

I’ve wrote a short analysis on the exploit (sample taken from the wild) and soon to be published in the Lebahnet Blog (pending for review). I’ve also wrote Yara rule to detect this exploit and it can be used with Jsunpack for automated analysis 🙂 owh.. I’ll publish the rule soon 😉

Many people are talking about this exploit including this blog. By the time I read through the content, I’ve found that they had published a non-valid code (maybe due to improper de-obfuscation or error during copy and paste for the entry). I’ve left 2 comments, correcting 2 lines of code in the entry. They made the changes but delete my comments (poor me, no credit :P)

Insyaallah I’ll publish the Yara rule by tomorrow 🙂

Yara Rule For CVE-2010-0805

Apr
06

Internet Explorer Tabular Data Control ActiveX Memory Corruption CVE-2010-0805 ported to Metasploit, so I decided to release the detection rule for Yara

rule MSIETabularActivex
{
        meta:
                ref = "CVE-2010-0805"
                impact = 7
                hide = true
        strings:
                $cve20100805_1 = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword
                $cve20100805_2 = "DataURL" nocase fullword
                $cve20100805_3 = /value\=\"http:\/\/(.*?)\"/ nocase fullword
        condition:
                ($cve20100805_1 and $cve20100805_3) or (all of them)
}

Credit:

  1. ZSploit.com
  2. Metasploit
  3. @d3t0n4t0r

CVE-2010-0249 – Aurora IE 0day Exploit :: DEP bypassed

Jan
19

:: Quick update ::

Today, I’ve been working on a video on the Aurora IE 0day exploit PoC that really mimics the original Aurora’s exploit on Google.

However, the original exploit gonna fail if you enable DEP on the machine.

A few minutes back, someone ping and inform me on the new PoC that gonna bypass the DEP. If true, enabling DEP wont protect IE users anymore 😉

But you are still safe if you disable Active Script / JavaScript support for your IE

Here is how you can disable the Active Shit/JavaShit Active Script / JavaScript support in your IE: Advisory