TrendLabs Security Intelligence

Author Archive - Yuki Chen (Threat Solution Engineer)

After the Tunisian Revolution, which many media organizations also called the Jasmine Revolution, in late 2010 or early 2011, “Jasmine” became a hot word in China.

Last week, a friend of mine in China received an email message with an .RTF attachment entitled “My thoughts on the jasmine flower” (the document is written in Chinese). He had no idea who the sender was. When he opened the document and read its contents, he was surprised to find that its author tried to persuade him to join a demonstration called the Jasmine Revolution. He was even more surprised when he found out later that his PC was infected with a backdoor program.

After checking the .RTF file, I found that the sample tries to exploit CVE-2010-3333, an old stack-based buffer overflow vulnerability in Microsoft Word. By crafting a malformed .RTF file, an attacker can execute arbitrary code on the user’s machine. One of my colleagues here at Trend Micro already reported on malware exploiting this vulnerability late last year, and Microsoft had patched it a month before that in MS10-087.

Read the rest of this entry »


Today, more and more exploit developers are using return-oriented programming (ROP) techniques to bypass the Data Execution Prevention (DEP) feature in recent versions of Windows. In order to successfully launch an attack using ROP, one must know the fixed base address of the targeted module. However, Address Space Layout Randomization (ASLR), another security feature, makes it more difficult for an attacker to predict target addresses by randomly arranging the locations of key data areas.

There are several methods to bypass ASLR. For example, we have seen just-in-time (JIT) spray attacks, in which the JIT compiler of Adobe Flash Player was used to place large amounts of code in a system’s memory. We have also seen exploits for Internet Explorer (IE) 8 vulnerabilities on Windows 7 that relied on DLLs without ASLR enabled (such as those associated with Java or .NET). Information leakage can also give the attacker useful information about the system’s memory layout, which can be used to bypass ASLR. Today, let’s take a look at a recent proof-of-concept (POC) exploit that uses both information leakage and ROP to bypass DEP+ASLR.
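The paragraph above notes that exploits fell back on DLLs built without ASLR. From a defender's side, the useful check is whether a module opted in to ASLR and DEP at link time, which is recorded in the DllCharacteristics field of the PE optional header. The following Python is an added example, not code from the original post or from Trend Micro: it parses that field from a PE image and reports the DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) bits. The header-only images it checks are constructed in the block by the build_minimal_pe helper (an assumption for this demonstration, not real Windows modules), so it runs offline.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits of the PE optional header (winnt.h values)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040    # module opted in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100       # module opted in to DEP
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image; raise ValueError if malformed."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER starts here (20 bytes)
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                            # IMAGE_OPTIONAL_HEADER starts here
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ optional header layouts
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return flags


def mitigations(image: bytes) -> dict:
    """Decode the link-time mitigation opt-ins a defender cares about."""
    flags = dll_characteristics(image)
    return {
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "cfg": bool(flags & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def build_minimal_pe(flags: int, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image for this example (assumption: not a real module)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))        # e_lfanew points right after the DOS header
    opt_size = 112 if pe32plus else 96                 # optional header sizes without data directories
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, flags)             # DllCharacteristics
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine: AMD64 or I386
                       0, 0, 0, 0,                     # NumberOfSections, TimeDateStamp, symbol table fields
                       opt_size,                       # SizeOfOptionalHeader
                       0x2002)                         # Characteristics: IMAGE_FILE_DLL | EXECUTABLE_IMAGE
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def report(name: str, image: bytes) -> str:
    """One-line verdict: a module missing ASLR or DEP is a candidate for the bypass described above."""
    m = mitigations(image)
    missing = [k for k in ("aslr", "dep") if not m[k]]
    if missing:
        return "%s: WEAK (no %s)" % (name, ", ".join(missing).upper())
    return "%s: ok" % name


if __name__ == "__main__":
    # constructed sample images: one linked with /DYNAMICBASE /NXCOMPAT, one legacy build with neither
    hardened = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
                                pe32plus=True)
    legacy = build_minimal_pe(0)
    print(report("hardened.dll", hardened))
    print(report("legacy.dll", legacy))
```

To audit a real process, pass the bytes of each loaded DLL read from disk to report(); any module flagged WEAK is one an exploit could rely on for a fixed base address, and updating or replacing it removes that foothold.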

The original POC has already been published on the Exploit Database and has been used to attack a known vulnerability in Windows. This vulnerability was fixed with the January 2011 Patch Tuesday (see the Microsoft bulletin MS11-002). It was designated CVE-2011-0027 and was discovered by Peter Vreugdenhil. Together with a separate use-after-free vulnerability, it defeated a fully patched Windows 7 system running IE 8, which allowed Vreugdenhil to win “Pwn2Own 2010.”

Although the exploit code is not 100% reliable, Vreugdenhil’s idea of using the vulnerability to leak information is still worth looking at.

Read the rest of this entry »


Several weeks ago, a new Adobe Acrobat/Reader zero-day vulnerability was found and soon exploited in the wild. What is most interesting about this particular exploit is how it used return-oriented programming (ROP) techniques to bypass some of Windows’ security features, such as Data Execution Prevention (DEP). In addition, it uses a two-stage shellcode to perform its routine. The first stage uses ROP techniques to load the second stage. The second stage, which actually executes the malicious behavior, is sprayed into memory by JavaScript embedded in the .PDF file itself.

Threats like these show how vulnerability exploits, like malware, are evolving to become more sophisticated. Despite the best attempts of vendors such as Microsoft to incorporate new and emerging technology to make exploitation more difficult, those behind these threats are just as ready to adapt and make life more difficult for users.

Read the rest of this entry »


This blog entry discusses our analysis of the recent Adobe Flash zero-day vulnerability. Trend Micro received a sample Shockwave Flash (.SWF) file that exploited this zero-day vulnerability. Since the original blog post was published, we have been analyzing this sample to determine how the exploit works.

Static Analysis

Let’s call the sample .SWF file exploit.swf. Quick analysis reveals that it contains ActionScript 3.0 tags. (ActionScript is a scripting language developed by Adobe that is used in .SWF files.) The exploit uses ActionScript commands to spray shellcode into memory and to load another .SWF file using the LoadBytes function of ActionScript 3.0.

Read the rest of this entry »


© Copyright 2013 Trend Micro Inc. All rights reserved.