Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Pavithra Hanchagaiah (Senior Security Researcher)

    The recent Internet Explorer and Flash zero-days were not the only zero-day threats that hit recently. Last Friday, the Apache Struts group released an advisory (S2-021) detailing two vulnerabilities (CVE-2014-0112 and CVE-2014-0113), and potential mitigation steps until an official patch is issued.

    Apache Struts is a framework used to build and deploy Java-based web applications. In Apache Struts2, most of the core functionality is implemented as Interceptors. These can execute code before and after an Action is invoked and each Interceptor can be mapped to one or more Actions. Two security issues exist in Struts 2 due to improper handling of user supplied parameter values to ParametersInterceptor and CookieInterceptor.

    • CVE-2014-0112 was due to incomplete security fix for another recent vulnerability : CVE-2014-0094, which was reported in early March and discussed in S2-020. The vulnerability is caused due to improper handling of class parameter values of the ParametersInterceptor class, which is directly mapped to the getClass() method. Successful exploitation will allow remote attackers to manipulate the ClassLoader objects used by the application server and leads to arbitrary code execution. ParametersInterceptor is one of the in-built Struts interceptors which set all parameters on the value stack and gets them evaluated.
    • CVE-2014-0113 is similar to the previous vulnerability. CookieInterceptor is another in-built Interceptor used to set values in the stack/action based on cookie name/value. The Java ClassLoader objects can be manipulated via CookieInterceptor, similar to ParametersInterceptor, when it is configured to accept all cookies (when “*” is used to configure cookiesName param).

    Both these vulnerabilities affect Apache Struts versions from 2.0.0 until It is strongly advised that Strust users upgrade to Struts Otherwise, the user can exclude the class parameter from the default configuration as given below.

    <interceptor-ref name=”params”>

    <param name=”excludeParams”>(.*\.|^|.*|\[(‘|”))(c|C)lass(\.|(‘|”)]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>


    We have released the following new deep packet inspection (DPI) rules to protect against exploits leveraging these vulnerabilities:

    • 1006015 – Restrict Apache Struts ‘class.classLoader’ Request
    • 1006029 – Restrict Apache Struts ClassLoader Manipulation Via HTTP Cookie Header
    Posted in Vulnerabilities | Comments Off on Season of Zero-Days: Multiple Vulnerabilities in Apache Struts

    Attackers continuously leverage vulnerabilities in popular software like Microsoft Windows and Adobe products.  Just recently, Adobe released an out-of-band update addressing three critical vulnerabilities in Flash Player. The said update APSB14-07 resolves the following issues in Flash Player:

    • Stack-based buffer overflow vulnerability (CVE-2014-0498) allows attackers to execute arbitrary code via unspecified vectors.
    • Out-of-bound read vulnerability (CVE-2014-0499) does not prevent access to address information, which in turn makes it easier for attackers to evade existing mitigation technology like Address Space Layout Randomization (ASLR). Successful exploitation results in information disclosure.
    • Double free vulnerability (CVE-2014-0502) can be exploited to cause memory corruption. Once successfully exploited, it allows remote attackers to execute arbitrary code. Adobe confirms that this is a zero-day actively exploited in the wild.  It is reported several websites being affected which redirected visitors to a malicious server containing a malicious Flash file. Based on our investigation, once users visit the compromised websites  they will unknowingly download a malicious .SWF file detected by Trend Micro as SWF_EXPLOYT.LPE.  This SWF exploit then downloads a PlugX variant detected as BKDR_PLUGX.NSC. PlugX is a remote access tool known for its stealth mechanism.

    These are the affected platforms:

    Product Updated version Platform Priority rating
    Adobe Flash Player Windows 1 Internet Explorer 10 for Windows 8.0 1 Internet Explorer 11 for Windows 8.1 1 Chrome for Windows and Linux 1
    11.7.700.269 Windows 1 Linux 3

    Trend Micro Deep Security has released the following new deep packet inspection (DPI) rules to protect against exploits leveraging these vulnerabilities:

    • 1005918 – Adobe Flash Player Stack-based Buffer Overflow Vulnerability (CVE-2014-0498)
    • 1005919 – Adobe Flash Player Out Of Bound Read Vulnerability (CVE-2014-0499)
    • 1005922 – Adobe Flash Player Remote Code Execution Vulnerability (CVE-2014-0502)

    Aside from Deep Security solutions, our browser exploit prevention technology in Titanium 7 also protects from exploits targeting CVE-2014-0498 and CVE-2014-0502. As for CVE-2014-0499, we recommend you to update to the latest version.

    Trend Micro blocks all related threats and URLs associated with this attack. We advise users to keep updating the latest version of installed software.

    With additional analysis from Kai Yu.

    Posted in Bad Sites | Comments Off on New Adobe Flash Player Zero-day Exploit Leads to PlugX

    Adobe released an out-of-band update for two critical zero-day vulnerabilities just a few days in advance to its regular monthly patch cycle. The Buffer overflow vulnerability (CVE-2013-0633), which exists in Flash Player can lead to remote code execution or denial of service conditions when exploited. This vulnerability, which has been exploited in the wild, targets Windows systems via ActiveX version of Flash Player. These attacks have been intended to deceive users by embedding malicious Flash (.SWF) file in Microsoft Word documents.

    Another vulnerability being exploited in the wild is the remote memory-corruption vulnerability covered in CVE-2013-0634. Once successfully exploited, it can lead to remote code execution or application crash. According to the Adobe advisory, these vulnerabilities are currently being exploited in the wild via sending crafted .SWF files as email attachments or by tricking the user to click a URL. Trend Micro detects these exploits as TROJ_MDROP.REF. When executed, this malware drops a backdoor detected as BKDR_PLUGAX.A. This backdoor, in turn, has the capability to gather information such as computer name, hostname, and OS version among others. It can also download and load plugins and send and receive information from a malicious website thus compromising the security of the system. Here’s the list of affected product versions:

    • Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh
    • Adobe Flash Player and earlier versions for Linux
    • Adobe Flash Player and earlier versions for Android 4.x
    • Adobe Flash Player and earlier versions for Android 3.x and 2.x

    Just last month, we reported on the Java zero-day exploit employed by toolkits, Cool Exploit Kit (CEK) and Blackhole Exploit Kit (BHEK). Java released an update to address this zero-day exploit. Ironically, cybercriminals are quick to jump in and abused this opportunity to make a malware that poses as an update for Java.

    Read the rest of this entry »

    Posted in Exploits, Vulnerabilities | Comments Off on Zero-Day Vulnerabilities Found in Adobe Flash Player

    In the last month of the year, MySQL has been flooded by a set of zero-day exploits. This set was revealed by Kingcope and he has published proof-of-concept (POCs) for all these vulnerabilities.

    The newly discovered set of 0-days affects MySQL in multiple ways, such as application crash/denial of service, privilege escalation, authentication bypass, remote root on Windows systems, and heap/stack overrun. These vulnerabilities have been acknowledged by the vendor and assigned to CVE ids CVE-2012-5611, CVE-2012-5612, CVE-2012-5613, CVE-2012-5614, and CVE-2012-5615 respectively.

    Two of the critical security issues, ExploitDB: 23073 & 23083 in MySQL allow remote authenticated attackers to get the shell of a Windows system by sending specially crafted requests.

    Below are the rest of the critical issues:

    • (CVE-2012-5611). This is triggered by sending an overly long argument to GRANT FILE command, which in turn leads to stack buffer overflow. It permits remote attackers to execute arbitrary code or may even cause database crash. However, to exploit this vulnerability valid username and password are required.
    • (CVE-2012-5612). A heap buffer overflow vulnerability caused by a series of crafted commands like USE, SHOW TABLES, DESCRIBE, CREATE TABLE, DROP TABLE, ALTER TABLE, DELETE FROM, UPDATE, SET PASSWORD, etc. If exploited, it allows a remote, authenticated attacker with low privileges to change a current user’s password to an undefined value.
    • (CVE-2012-5614). This leads to a service crash via SELECT command with an UpdateXML command containing XML with a large number of unique, nested elements. The successful exploitation of this vulnerability also needs to be authenticated by a valid username and password.
    • (CVE-2012-5615). Enumeration vulnerability exists in MySQL which lets remote attackers to learn all valid usernames based on the error messages generated.
    • (CVE-2012-5613). This is not considered as a security bug since it’s a result of misconfiguration, however, it can lead to remote authenticated users gaining administrator privileges. In this case, an attacker with ‘FILE’ privilege is leveraged to create a new user that has full access similar to the MySQL administrator.

    Read the rest of this entry »

    Posted in Exploits, Vulnerabilities | Comments Off on Multiple Zero-Day POC Exploits Threaten Oracle MySQL Server

    Apart from the regular monthly patch release Microsoft issued yesterday, which included a patch for relatively large number of vulnerabilities in Internet Explorer (MS12-037), Microsoft also reported another IE vulnerability that has no patch available yet. MS Security Advisory (2719615) specifically identifies the Microsoft XML (MSXML) Core Services as the vulnerable part. MSXML provides a set of W3C compliant XML APIs which allows users to use JScript, VBScript and Microsoft development tools to develop XML 1.0 standard applications.

    There exists a remote code execution vulnerability in Microsoft XML Core Services due to accessing a COM object in an uninitialized memory. When successfully exploited, an attacker could execute arbitrary code in the context of the logged-on user.

    As mentioned above, MSXML Core Services also provides a set of APIs to access certain COM objects to simplify Document Object Model tasks such as managing namespaces. An attacker can craft these websites to host a malicious webpage invoking affected MSXML APIs, which in turn accesses a COM object in memory that has not been initialized. The vulnerability is exploited when a user opens these crafted webpages using IE. Users might stumble upon these pages as clickable links in a specially crafted email or instant message.

    Trend Micro Deep Security customers should apply the rule 1005061 – Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889) to block the access to websites serving malicious webpages invoking affected MSXML COM objects that access vulnerable JavaScript methods. In addition, protection for vulnerabilities in MS12-037 are found in this Threat Encyclopedia page. Both rules are also available for OfficeScan with the Intrusion Defense Firewall plugin.

    We are investigating reports of attacks where these two vulnerabilities are supposedly being used. This entry will be updated for developments on the investigation.

    Update as of 2:38 PM PST

    Trend Micro detects and removes the malware JS_DLOADER.HVN, which is found to exploit the vulnerability in MS Security Advisory (2719615). More information on the malware will be posted in succeeding updates.

    Update as of June 14, 2012, 7:51 AM PST

    The malware JS_LOADER.HVN is found to exploit the vulnerability in CVE-2012-1875, which is included and patched in MS12-037 bulletin. This malicious script downloads other malware on affected systems. Trend Micro users are protected from infections of this malware.

    Update as of June 15, 2012, 1:37 AM PST

    • The initially given detection name (JS_DLOADER.HVN) has been replaced with JS_LOADER.HVN.
    • JS_LOADER.HVN exploits CVE-2012-1875 and not CVE-2012-1889, as stated in the previous update.
    Posted in Malware, Vulnerabilities | Comments Off on Trend Micro Protects Users Against Active Exploits on Latest Internet Explorer Vulnerabilities


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice