Saturday, December 1, 2007

Malware via exploits

Malware authors are constantly banking on the "next-big-thing" in order to deliver their malicious payload/content onto unsuspecting users' machines. Due to its huge user base, Windows is undoubtedly the most targeted operating system platform.

Malware delivery mechanisms have constantly been evolving, from the old floppy disk days to the fast-spreading Internet worms (attachments via e-mail). Today's malware delivery mechanisms are shifting more and more toward web technologies. Instead of being delivered directly to user machines as e-mail attachments, malware is hosted on a myriad of web servers worldwide. Users are then enticed into visiting these websites, either by spamming out e-mail with a link to a malicious website or by tainting search results so that the malicious website obtains a higher ranking. Such malicious links are also delivered via IM (Instant Messaging), bulletin boards, forums, etc.

Usually malicious websites also host recent (or in some cases older) browser/application/system exploits along with malware. An unsuspecting user who visits such a malicious website with an un-patched system or browser application is easily exploited, and malware is delivered onto their system (drive-by-downloads). In the case of fully-patched systems, all it takes is to entice or fool the user into downloading and executing the malware. Such malicious web servers could be made accessible via HTTP or FTP, with malicious code (HTML, JavaScript, PHP, CGI, etc.) embedded within web pages. Malware authors could hack legitimate websites and redirect visitors to a host of malware via invisible IFrame tags. With the birth of Web 2.0 technologies and mobile platforms, newer avenues are being explored in terms of malware delivery.

With regard to Windows-related vulnerabilities: since Microsoft schedules its patch release on the second Tuesday of each month, popularly known as "patch Tuesday", hackers and malware authors have coined the term "exploit Wednesday", where they exploit an un-patched vulnerability the day after Microsoft has released its patches for that particular month.

Information Gathering - Vulnerabilities and Exploits

Malware authors are constantly looking for vulnerabilities in software in order to exploit them. The software they target could be operating system libraries, application software, kernel mode drivers, etc. They either hack these up themselves or obtain them from material published on the Fulldisclosure mailing list, from blog posts by vulnerability researchers and enthusiasts, from a community of hackers, etc. There is also the Open Source Vulnerability Database (OSVDB), where detailed vulnerability information is published on or before the same day that a vendor patch is released.

Information and advisories about vulnerabilities can also be obtained from the sites listed below:

@Risk: The Consensus Security Alert
Bugtraq mailing list
Bugtraq archives at Neohapsis
CERT
CERIAS
CIAC.org
CVE
eEye advisories and ZeroDay tracker
Finjan Vulnerability List
FrSIRT
GovernmentSecurity (forum1, forum2)
IBM ISS (X-Force)
iDefense advisories
LWN.net
Microsoft security bulletin - List of vulnerabilities fixed since 1998
milw0rm
National Vulnerability Database
Net-Security
NIST.org
NTBugtraq
NTSecurity.net archives at Neohapsis
Rapid7 vulnerability database
Rain Forest Puppy Advisories
SANS top20 list
Secunia
SecuriTeam
Security Alert Consensus
Security-database
SecurityFocus
SecurityLab
SecurityReason
SecurityTracker
Security Threat Watch archives at Neohapsis
SecurityVulns
SecWatch
US-CERT
Virus.org
VulnDiscuss archives at Neohapsis
VulnWatch archives at Neohapsis
Xdisclose
Zone-H
Zero Day Initiative (TippingPoint)

A unique blog-roll of "month of vulnerability disclosure" projects was also started by certain people who decided to find vulnerabilities in various software and simply disclose them via independent blog posts. Listed below are a few:

MOAB - Month of Apple bugs
MOKB - Month of Kernel bugs
MOBB - Month of Browser bugs
MOSEB - Month of Search Engine bugs
MOAxB - Month of ActiveX bugs
MOBiC - Month of bugs in CAPTCHAs

Before the details of a vulnerability get into Fulldisclosure, OSVDB, or such independent open blog-rolls, the researcher or hacker has several options as to what he or she can do with the discovered vulnerability:

- Responsibly disclose the entire details of the vulnerability to the software vendor alone, for free.

- Sell it to one of the companies that buy vulnerabilities, such as iDefense (now part of VeriSign), Digital Armaments, Argeniss (now acquired by Gleg Ltd), Netragard, TippingPoint (now a part of 3Com), and Immunity, which gives the buying company exclusive rights to the vulnerability.

- Put the vulnerability up for auction at WabiSabiLabi and sell it to the highest bidder.

The ethics behind disclosing vulnerabilities has always been a subject of debate. Microsoft has coerced a few software vendors to join their Organization for Internet Safety (OIS) that strives to actively suppress vulnerability disclosure within their organizations.

The number of vulnerabilities has been increasing since 2006. Here are some stats:
Full stats from CERT.
A post on "The Register".

Windows Libraries - a haven for malware exploits

A large number of Windows applications leverage Windows libraries (modules that contain functions and data) in the form of dynamic-link libraries (DLL) or OCX files (libraries containing ActiveX controls). Such libraries allow their functionality to be updated and reused easily, while significantly reducing memory overhead when several applications use the same functionality simultaneously. Thus, the discovery of a critical vulnerability in a library usually affects a wide range of applications from Microsoft and third-party vendors that use that library. Hackers and malicious authors then try to find multiple attack vectors in order to exploit the vulnerability. For instance, a vulnerability in an image processing library could be exploited via Internet Explorer, Microsoft Office and image viewing software. Considering the massive base of Windows users, such an exploit ensures huge deployment.

Several such vulnerabilities have been discovered in the recent past, and for many of them exploit code was either made available or discovered before patches were released. This scenario is also known as "zero-day". Listed below are a few:

VML Exploit - (CVE-2006-4868, MS06-055) - a vulnerability in the Vector Graphics Rendering engine (vgx.dll) could allow remote code execution via a specially crafted Vector Markup Language file. The vulnerable library is used by applications such as Microsoft Outlook and Internet Explorer, which can be used as attack vectors.

WebViewFolderIcon Exploit (via setSlice method) - (CVE-2006-3730, MS06-057) - a vulnerability in Windows Shell, due to improper validation of input parameters when invoked by the WebViewFolderIcon ActiveX control via setSlice method, could allow remote code execution.

WMF Exploit - (CVE-2005-4560, CVE-2005-2124, MS06-001, MS05-053) - a vulnerability in the graphics rendering engine (GDI32.DLL) could allow remote code execution while handling a specially crafted Windows Metafile (WMF) image.

EMF Exploit - (CVE-2005-2123, CVE-2005-0803) - a vulnerability in the graphics rendering engine (GDI32.DLL) could allow remote code execution via a heap-based buffer overflow, or cause an application crash, while handling a specially crafted Enhanced Metafile (EMF) image.

ANI exploit - (CVE-2007-0038, CVE-2004-1049, CVE-2004-1305, MS07-017, MS05-002) - a vulnerability in Cursor and Icon format handling could allow remote code execution or denial of service (kernel or application crash).

Web View exploit - (CVE-2005-1191, MS05-024) - a vulnerability in Web View DLL (webvw.dll) could allow remote code execution.

PNG exploit - (CVE-2004-1244, CVE-2004-0597, MS05-009) - a vulnerability in PNG Image Processing (by Windows Media Player 9 or via libpng 1.2.5 and earlier) could allow remote code execution.

JPEG exploit - (CVE-2004-0200, MS04-028) - a buffer overflow vulnerability in JPEG (JPG) parsing engine in GDIPlus.dll could allow remote code execution.

iPhone exploit - H.D. Moore (creator of the Metasploit Framework) has several blog entries consisting of step-by-step descriptions of how to exploit the Apple iPhone. Here, he exploits a vulnerable version of the libtiff library that is shipped with the latest update to the iPhone.

URL handling exploit - (CVE-2007-3896, MSA-943521) - a URL/URI handling bug in Shell32.dll with Internet Explorer or Mozilla Firefox installed could allow remote code execution. Attack vectors could be applications such as mIRC, Outlook, Adobe Reader, Skype, etc.

Microsoft Office file formats - have always been a target for digging out vulnerabilities that could be exploited by malicious authors. The SANS 2006 list and SANS 2007 list of Office file format vulnerabilities provide information about a number of these bugs. This Security Focus article discusses the extent of vulnerabilities in Microsoft's Office documents in recent months, while this blog entry by Symantec discusses malware exploiting such vulnerabilities. Ryan Naraine's blog also talks about malware authors creating tools to exploit vulnerabilities in the Microsoft Word document format, while Microsoft itself has released a tool called MOICE with the intent of isolating potentially exploitable elements.

Vulnerabilities in Applications

Vulnerabilities or un-patched bugs in commonly used applications such as image viewers, media players, browsers, file readers, etc. are also sought to be exploited by malicious authors. Listed below are a few examples:

- A vulnerability in Windows Media Player (CVE-2006-0006, MS06-005) while processing a specially crafted BMP image could allow remote code execution.

- A vulnerability in Windows Media Player plugin (CVE-2006-0005, MS06-006) for non-Microsoft browsers could allow remote code execution.

- A recent vulnerability in Adobe Reader for Windows (CVE-2007-5020) while processing a specially crafted PDF file could allow remote code execution via another vulnerability in Shell32.dll (CVE-2007-3896). Adobe has already released a patch for this here. This vulnerability was discovered by Petko D. Petkov of gnucitizen.

- Several vulnerabilities in Adobe Reader (SA23483) could allow remote code execution or aid CSRF attacks. Improperly handled input passed to a hosted PDF file via a vulnerable Adobe Reader browser plugin could allow remote code execution. Improperly sanitized returned values by a vulnerable Adobe Reader browser plugin, when input is passed to a hosted PDF file, could allow remote code execution. Improperly sanitized input values to a hosted PDF file via a vulnerable Adobe Reader browser plugin could allow requesting of arbitrary URLs and hence facilitating a vector for CSRF attacks.

- A vulnerability in Adobe Photoshop for Windows (FrSIRT-1523) while processing specially crafted BMP, DIB, RLE files could allow remote code execution.

- A vulnerability in Apple QuickTime (FrSIRT-3155) while processing the "qtnext" parameter within QuickTime Link Files (.qtl files) could allow remote code execution by tricking a user into visiting a specially crafted webpage or opening a malicious file. This vulnerability was discovered by Petko D. Petkov of gnucitizen.

- A vulnerability in Apple QuickTime (US-CERT-659761, CVE-2007-6166) while processing a specially crafted RTSP (Real Time Streaming Protocol) stream could allow remote code execution. Since QuickTime is a component of Apple iTunes, all such installations are vulnerable to the attack on all supported Windows and Mac operating systems.

- A vulnerability in Adobe Flash Player (CVE-2007-3456, APSB07-12) could allow remote code execution due to an "input validation error" (buffer overflow) via a specially crafted FLV or SWF file. Another recent vulnerability (CVE-2007-3457), due to insufficient validation of HTTP referrer headers, could allow remote attackers to conduct a CSRF attack via a specially crafted SWF file.

- A vulnerability in the Database Component in MPAMedia.dll in RealPlayer (CVE-2007-5601) could allow remote code execution via certain play-list names passed through the import method to the IERPCtl ActiveX control in ierpplug.dll. RealNetworks has released a patch for this here. Malicious authors are known to be exploiting this vulnerability.

- A vulnerability in RPC on DNS server (CVE-2007-1748, MS07-029) could allow remote code execution.

- Multiple vulnerabilities in Microsoft PowerPoint (MS06-058, SA22127) could allow remote code execution.

- A vulnerability in the cPanel software (control panel software that is widely used by hosting providers such as Apachi web-hosting), could allow a remote attacker to gain access to the web servers and taint web-pages with malicious iFrame links.

- A vulnerability in Winamp could allow the execution of malicious code via a specially crafted MP4 file. Here is a post on "The Register" about it.

- Vulnerabilities were also revealed in a myriad of anti-virus products, according to a blog post here.

- A blog post by Aviv Raff here details the vulnerabilities discovered in Gadgets (scriptable applications) on Vista.

- A post here describes a myriad of security issues with Google such as a vulnerability in Google desktop and an XSS error in Gmail, among many others.

- A recently discovered XSS vulnerability in common Shockwave Flash files.

- A vulnerability in an ATI driver allows malicious code to be loaded into Vista's kernel, in spite of its latest security measures (such as PatchGuard and only allowing signed drivers to be loaded).

And the saga continues...
