    Author Archive - Peter Pi (Threats Analyst)




    The hits keep on coming from the Hacking Team. After three separate Adobe Flash zero-days, another vulnerability that could take over user systems has been found. Our latest discovery is in Internet Explorer, and has been acknowledged by Microsoft and patched as part of the regular Patch Tuesday cycle as MS15-065. It has been designated as CVE-2015-2425. While we did find proof-of-concept (POC) code, there are still no known attacks exploiting this vulnerability.

    Vulnerability Information

    This zero-day vulnerability is a just-in-time (JIT) function use-after-free (UAF) vulnerability in jscript9.dll, specifically in the MutationObserver object. It occurs when MutationObserver tries to keep track of an element that has already been destroyed. Only Internet Explorer 11 is affected, as older versions of the browser do not support this feature.

    The POC code we found confirms that an exploit can crash Internet Explorer 11 every time it is loaded. The crash point is at JMP EAX, where the value of EAX is an invalid heap address whose memory property is MEM_RESERVE, and this heap address was a JIT function address before it was freed. Internet Explorer 11 crashes as seen below; the EIP value is the same as EAX.

    Figure 1. Internet Explorer crash

    The function in jscript9.dll where the crash occurs is shown in the following picture:

    Figure 2. Function where jscript9.dll crashes

    Is it exploitable?

    Microsoft has confirmed that this particular vulnerability is exploitable.

    An ideal attack would use a heap spray to occupy the freed memory before it is used. However, because the freed memory is JIT memory and the freed memory is reserved by the heap for JIT generation, a normal heap spray is not possible. But a JIT spray can occupy this kind of memory, so JIT spray may be used to spray shellcode into the freed memory location. If the JMP EAX instruction jumps into the sprayed shellcode, this shellcode will be run within the context of the IE tab process.

    Simply put, if an attacker successfully exploits the vulnerability, he can basically run any code on the system. How far the attacker can get, though, depends on the OS version. On Windows 7, the IE11 tab process has the same privilege as the IE11 frame process, so the shellcode runs with the same privileges as the logged-in user. On Windows 8.1 and later, the privilege of the IE11 tab process is low by default, so a successful attack would require a separate privilege escalation vulnerability.

    Conclusion

    The Hacking Team data has been available to the public, and therefore to attackers, for just over a week. We suggest that users running a vulnerable version of Internet Explorer 11 update to a patched version immediately; a patch has been made available as part of this month’s Patch Tuesday cycle.

    While only POC code exists, the vulnerability is still exploitable. We are monitoring for possible threats or attacks that target this vulnerability. We will update this post if any attacks are found in the wild.

     



    After two Adobe Flash Player zero-days disclosed in a row from the leaked Hacking Team data, we discovered another Adobe Flash Player zero-day (assigned CVE-2015-5123) that surfaced from the same leak. Adobe released a security advisory after we reported the zero-day. This vulnerability is rated as critical and can allow an attacker to take control of the affected system once successfully exploited. It affects all versions of Adobe Flash on Windows, Mac, and Linux.

    This vulnerability is the second zero-day vulnerability in Flash to be found in recent days. The first one, identified as CVE-2015-5122, could also be used to take control of affected machines. This was on top of the first Flash zero-day attributed to Hacking Team which was disclosed several days ago and was soon integrated into various exploit kits. A separate Java zero-day (not related to any Hacking Team disclosures) has also been found by Trend Micro researchers.

    Root cause analysis

    Based on our analysis, this vulnerability is also a valueOf trick bug. However, compared to the first two reported Flash zero-day exploits, it involves the BitmapData object rather than TextLine or ByteArray.

    The vulnerability can be triggered by the following steps:

    1. Create a new BitmapData object and two Array objects, then create two MyClass objects and assign one MyClass object to each Array.
    2. With the valueOf function of MyClass overridden, call BitmapData.paletteMap with the two Array objects as parameters. BitmapData.paletteMap triggers the valueOf function.
    3. The overridden valueOf function calls BitmapData.dispose() to free the underlying memory of the BitmapData object, which causes Flash Player to crash.

    We are currently monitoring this proof-of-concept (POC) for any active attacks that may employ this zero-day exploit. We will update this entry as new information and findings surface. Since the Hacking Team leak is already publicly available, it poses a risk to users. As such, we recommend that users disable Adobe Flash Player for the time being, until the patch from Adobe becomes available.

    Trend Micro users are proactively protected against this threat via our Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery. It can detect this threat by its behavior without requiring any updates. In addition, the Browser Exploit Prevention feature in the Endpoint Security in Trend Micro™ Smart Protection Suite detects the exploit once the user accesses the URL where the exploit is hosted. This security feature can detect exploits targeting browsers or related plugins.

    Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:

    • 1006859 – Adobe Flash Player BitmapData Remote Code Execution Vulnerability (CVE-2015-5123)

    We would like to thank Peleus Uhley of Adobe for helping us in this analysis.

    Adobe has released security updates that address critical vulnerabilities, including the one mentioned in this entry, in Adobe Flash Player for Windows, Mac, and Linux. These vulnerabilities could allow attackers to take control of the affected system. The advisory APSB15-18 states that the update addresses affected versions, which include versions 18.0.0.203 and earlier.

    Users should update their Adobe Flash Player as soon as possible. To verify the version of Adobe Flash Player installed on their system, users can visit the About Flash Player page, or right-click on content running in Flash Player and select About Adobe (or Macromedia) Flash Player from the menu.

    Updated on July 12, 2015, 6:48 PM PDT (UTC-7) to add Trend Micro Deep Security solutions.

    Updated on July 12, 2015, 11:15 PM PDT (UTC-7) to add links to earlier incidents.

    Updated on July 14, 2015, 9:51 AM PDT (UTC-7) to add the Adobe security updates.

     

    Timeline of posts related to the Hacking Team

    DATE     UPDATE
    July 5   The Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public.
    July 7   Three exploits (two for Flash Player and one for the Windows kernel) were initially found in the information dump. One of these (CVE-2015-5119) was a Flash zero-day. The Windows kernel vulnerability (CVE-2015-2387) existed in the OpenType font manager module (ATMFD.dll) and can be exploited to bypass the sandbox mitigation mechanism. The Flash zero-day exploit (CVE-2015-5119) was added to the Angler Exploit Kit and Nuclear Exploit Pack. It was also used in limited attacks in Korea and Japan.
    July 11  Two new Flash zero-day vulnerabilities, CVE-2015-5122 and CVE-2015-5123, were found in the Hacking Team dump.
    July 13  Further analysis of the Hacking Team dump revealed that the company used a UEFI BIOS rootkit to keep their Remote Control System (RCS) agent installed on their targets’ systems.
    July 14  A new zero-day vulnerability (CVE-2015-2425) was found in Internet Explorer.
    July 16  On the mobile front, a fake news app designed to bypass Google Play was discovered.
    July 20  A new zero-day vulnerability (CVE-2015-2426) was found in Windows, which Microsoft fixed in an out-of-band patch.
    July 21  Analysis of the RCSAndroid spying tool revealed that Hacking Team can listen to calls and roots devices to get in.
     
    Posted in Vulnerabilities



    Hot on the heels of the last zero-day vulnerability that was found from the Hacking Team data leak (i.e. CVE-2015-5119) comes yet another that may be as dangerous: CVE-2015-5122, a vulnerability in Adobe Flash Player. If exploited, it could result in a crash that would allow an attacker to take control of the vulnerable system. And yes, just like CVE-2015-5119, it affects all recent versions of Flash on Windows, Mac and Linux (i.e. 18.0.0.203).

    This is a new vulnerability apart from the ones we discussed in Unpatched Flash Player Flaw, More POCs Found in Hacking Team Leak, which were two Flash bugs and one in the Windows kernel. One of these Flash vulnerabilities has since been used in various exploit kits.

    The good news: it’s still a Proof-of-Concept, and we are still looking to see if it is already being used in an attack. The bad news: there’s no patch for it out yet, but there should be one coming up as we had notified Adobe as soon as we verified the vulnerability itself (July 11, 10:30 AM, GMT +8). Adobe sent out the security advisory for this vulnerability at 11:40 AM (GMT+8).

    So how does the vulnerability work?

    With our analysis, we discovered that it is a Use-After-Free vulnerability involving the methods TextBlock.createTextLine() and TextBlock.recreateTextLine(textLine).

    The trigger is the assignment my_textLine.opaqueBackground = MyClass_object. MyClass.prototype.valueOf is overridden so that the valueOf function calls TextBlock.recreateTextLine(my_textLine); the my_textLine object is then used after it has been freed.

    We debugged the POC in an x86 environment, so the vulnerability trigger is in the MyClass32 class. The exploit function itself is TryExpl of MyClass32.

    The exploit steps are as follows:

    1. A new Array named _ar is created with length _arLen = 126. _ar[0…29] is filled with Vector.<uint> objects of length 0x62. _ar[46…125] is filled with Vector.<uint> objects of length 0x8. _ar[30…45] is filled with textLine objects created with _tb.createTextLine(), and each textLine.opaqueBackground is set to 1.

    2. MyClass.prototype.valueOf is overridden with MyClass.prototype.valueOf = valueOf2, and the assignment _ar[_cnt].opaqueBackground = _mc triggers the valueOf2 function. _mc is an instance of MyClass.

    3. The valueOf2 function calls _tb.recreateTextLine(_ar[index]) to free the textLine object allocated in step 1. The length of a vector is then changed from 0x8 to 0x62 so that it occupies the memory of the freed textLine. valueOf2 returns 0x62 + 8 = 0x6a, so _ar[_cnt].opaqueBackground is set to 0x6a once valueOf2 returns. To make sure the length field of the occupying vector is overwritten, valueOf2 invokes itself recursively.

    4. After the vector length has been overwritten to 0x6a, the exploit searches for the corrupted vector and sets the length of the neighboring vector to 0x40000000.

    The POC can open calc.exe, which means it can also be crafted to run malicious executables.
    We are currently monitoring this development and will update this blog entry as the story progresses. For now we recommend that users disable Flash in order to avoid possible attacks exploiting this vulnerability.

    Updated July 11, 2015, 12:43 AM (UTC-7) to clarify some technical details.

    Updated July 12, 2015, 7:46 PM (UTC-7)

    Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:

    • 1006858 – Adobe Flash ActionScript3 opaqueBackground Use After Free Vulnerability (CVE-2015-5122)

    Updated July 14, 2015, 3:05 AM PDT (UTC-7)

    Upon further investigation of feedback from the Trend Micro™ Smart Protection Network™, after Kafeine mentioned that the Angler Exploit Kit had added exploit code for CVE-2015-5122, we found that the Nuclear and Rig Exploit Kits also added CVE-2015-5122 to their list of exploits on July 13 (UTC-07:00). The Nuclear Exploit Kit leads to a member of the notorious banking Trojan family TROJ_CARBERP (NvdUpd.exe), and the Rig Exploit Kit leads to a backdoor with possible information-stealing capabilities, BKDR_TOFSEE (F01A – Copy.tmp). We are currently analyzing these payloads and will update this blog post with the details later.

    With analysis by Brooks Li

    Updated July 14, 2015, 9:53 AM PDT (UTC-7)

    Adobe has released security updates that address critical vulnerabilities, including the one mentioned in this entry, in Adobe Flash Player for Windows, Mac, and Linux. These vulnerabilities could allow attackers to take control of the affected system. The advisory APSB15-18 states that the update addresses affected versions, which include versions 18.0.0.203 and earlier.

    Users should update their Adobe Flash Player as soon as possible. To verify the version of Adobe Flash Player installed on their system, users can visit the About Flash Player page, or right-click on content running in Flash Player and select About Adobe (or Macromedia) Flash Player from the menu.

     




    Earlier this week the Italian company Hacking Team was hacked, with more than 400GB of confidential company data made available to the public. The company was known for selling what it described as tools for lawfully intercepting communications, intended for use by governments and law enforcement agencies. The company has stated in the past that it does not do business with oppressive countries.

    Most of the leaked information covered Hacking Team’s business practices, which seemingly contradict their official statements on who they sell their products to. However, the leak also included the tools provided by the company to carry out attacks, and this included several exploits targeting Adobe Flash Player and Windows itself.

    The information dump includes at least three exploits – two for Flash Player and one for the Windows kernel. One of the Flash Player vulnerabilities, CVE-2015-0349, has already been patched.

    One of the Flash exploits is described by Hacking Team as “the most beautiful Flash bug for the last four years.” This Flash exploit has not yet been given a CVE number.

    Figure 1. Description of vulnerability by Hacking Team

    Vulnerability Information

    The leaked package contains both a Flash zero-day proof-of-concept (POC) which can open the Windows calculator and a release version with real attack shellcode.

    In the POC, there is a readme document which describes the details of this zero-day as we can see below. It states that this exploit can affect Adobe Flash Player 9 and later, and that desktop/metro IE, Chrome, Firefox and Safari are all affected. External reports have stated that the latest version Adobe Flash (version 18.0.0.194) is also affected.

    Figure 2. Description of vulnerability by Hacking Team

    Root Cause Analysis

    The readme also describes the root cause of the vulnerability. This is a use-after-free (UAF) vulnerability in the ByteArray class, which can be described simply:

    • When you have a ByteArray object ba and perform an assignment like ba[0] = object, the object’s valueOf function is called.
    • The valueOf function can be overridden, so code in the overridden valueOf function can change ba.
    • If the ba memory is reallocated inside the valueOf function, a UAF results, because ba[0] = object saved the original memory location and uses it after the valueOf function has returned.
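    To make the valueOf trick above concrete (it is the same pattern behind the TextLine and BitmapData variants described in the two posts above), here is an added C model that is not Flash Player code and is not from the original post. It contains a ByteArray-like buffer, an assignment routine that resolves its destination before calling an overridable valueOf hook, and a hardened routine that runs the hook first and then re-validates against the current buffer state. The names (ba_set_vulnerable, ba_set_hardened, reallocating_valueOf), the idx 1000 write, and the generation counter that lets the model report a stale pointer instead of performing the dangling write are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal model of a script-engine ByteArray (constructed for this example). */
typedef struct {
    uint8_t *data;
    size_t   len;
    unsigned generation;   /* bumped on every reallocation so the model can detect a stale pointer */
} ByteArray;

typedef struct Obj {
    int (*valueOf)(struct Obj *self);   /* script-overridable conversion hook */
    ByteArray *target;                  /* the array the override will reallocate */
    int value;
} Obj;

enum { SET_OK = 0, SET_OUT_OF_BOUNDS = 1, SET_STALE_POINTER = 2 };

static void ba_init(ByteArray *ba, size_t len) {
    ba->data = calloc(len, 1);
    ba->len = len;
    ba->generation = 0;
}

static void ba_resize(ByteArray *ba, size_t new_len) {
    ba->data = realloc(ba->data, new_len);   /* may free the old block and move the data */
    ba->len = new_len;
    ba->generation++;
}

static void ba_free(ByteArray *ba) { free(ba->data); ba->data = NULL; ba->len = 0; }

/* A well-behaved valueOf: just returns the value. */
static int plain_valueOf(Obj *self) { return self->value; }

/* Models the overridden valueOf from the post: it reallocates the very array
 * that is in the middle of being assigned to, then returns a value. */
static int reallocating_valueOf(Obj *self) {
    ba_resize(self->target, 8);
    return self->value;
}

/* Vulnerable shape: the destination is resolved BEFORE the conversion hook runs,
 * so the write goes to wherever the buffer used to be. */
int ba_set_vulnerable(ByteArray *ba, size_t idx, Obj *obj) {
    if (idx >= ba->len) return SET_OUT_OF_BOUNDS;
    uint8_t *slot = ba->data + idx;            /* pointer captured before valueOf */
    unsigned gen = ba->generation;
    int v = obj->valueOf(obj);                 /* may free or move ba->data */
    if (gen != ba->generation)                 /* model: report the dangling write instead of doing it */
        return SET_STALE_POINTER;
    *slot = (uint8_t)v;
    return SET_OK;
}

/* Hardened shape: run the hook first, then re-read the pointer and re-check
 * the bounds against the buffer's current state. */
int ba_set_hardened(ByteArray *ba, size_t idx, Obj *obj) {
    int v = obj->valueOf(obj);
    if (idx >= ba->len) return SET_OUT_OF_BOUNDS;   /* bounds re-validated after the hook */
    ba->data[idx] = (uint8_t)v;                     /* pointer re-read after the hook */
    return SET_OK;
}

/* Drives one setter with one hook on a 1024-byte array and reports the outcome. */
static int demo(int (*setter)(ByteArray *, size_t, Obj *), int (*hook)(Obj *)) {
    ByteArray ba;
    ba_init(&ba, 1024);
    Obj obj = { hook, &ba, 0x41 };
    int rc = setter(&ba, 1000, &obj);
    ba_free(&ba);
    return rc;
}

int demo_vulnerable_plain(void)      { return demo(ba_set_vulnerable, plain_valueOf); }
int demo_vulnerable_overridden(void) { return demo(ba_set_vulnerable, reallocating_valueOf); }
int demo_hardened_plain(void)        { return demo(ba_set_hardened, plain_valueOf); }
int demo_hardened_overridden(void)   { return demo(ba_set_hardened, reallocating_valueOf); }

int main(void) {
    static const char *names[] = { "ok", "out of bounds", "stale pointer (would be a UAF write)" };
    printf("vulnerable, plain valueOf:      %s\n", names[demo_vulnerable_plain()]);
    printf("vulnerable, overridden valueOf: %s\n", names[demo_vulnerable_overridden()]);
    printf("hardened,   plain valueOf:      %s\n", names[demo_hardened_plain()]);
    printf("hardened,   overridden valueOf: %s\n", names[demo_hardened_overridden()]);
    return 0;
}
```

    The review question this models is the one to ask of any engine that lets script code run in the middle of a native operation: is there any point where a pointer or length is captured, attacker-controlled code runs, and the captured value is used afterwards without being re-validated? The hardened routine answers it by doing all the conversions first and touching the buffer only after.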

    Release Version Exploit Analysis

    After triggering the UAF vulnerability, the exploit corrupts a Vector.<uint> length to achieve arbitrary memory read and write capabilities in the process. With this ability, the exploit is capable of performing the following:

    • Search for the kernel32.dll base address in process, then find the VirtualProtect address
    • Find the address of shellcode which is contained in a ByteArray
    • Call VirtualProtect to change the shellcode memory to become executable.
    • There is an empty static function named Payload defined in AS3 code.
    • Find the Payload function object address and then find the real function code address contained by the Payload function object.
    • Overwrite the real function code address with the shellcode address
    • Call the static function Payload in AS3, which causes the shellcode to be called
    • After the shellcode executes, reset the static function address.

    We can see that this exploit method can bypass Control Flow Guard by overwriting a static function code address.

    Conclusion

    While Hacking Team stated that this was the most beautiful bug since CVE-2010-2161, we can see that several bugs have used this ValueOf trick, including CVE-2015-0349 which was used at Pwn2Own 2015.

    Users do not need to be overly concerned about this vulnerability at this time, as an active attack has not yet been spotted in the wild. We will update this post with more information and advice if it becomes necessary at a later time.

    Trend Micro is already able to protect users against this threat out of the box, without requiring any updates. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior. The Browser Exploit Prevention feature in the Endpoint Security in Trend Micro™ Smart Protection Suite detects the exploit once the user accesses the URL at which it is hosted. Browser Exploit Prevention protects against exploits that target browsers or related plugins.

    Update as of July 7, 2015, 07:44 A.M. PDT (UTC-7)

    Based on further verification, we note that Adobe Flash Player vulnerability and the Windows kernel flaw have no assigned CVEs yet. We have updated the blog entry to reflect this.

    Update as of July 7, 2015, 09:48 A.M. PDT (UTC-7)

    Based on our ongoing investigation, we believe that this zero-day vulnerability from this leak has been used in an attack we’ve been tracking recently. We will be providing additional information in another blog entry soon.

    Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule:

    • 1006824 – Adobe Flash ActionScript3 ByteArray Use After Free Vulnerability

    Update as of July 8, 2015, 7:00 PM PDT (UTC – 7)

    Adobe has released a fix for the Flash zero-day vulnerability. Information about this update has been released in APSB15-16. We recommend that users apply this update as soon as possible.

    Update as of July 14, 2015, 4:48 PM PDT (UTC – 7)

    To clarify, this vulnerability, originally a zero-day, was assigned CVE-2015-5119 in APSA15-03 on July 7.

     




    Earlier we talked about the out-of-band update for Flash Player (identified as APSB15-14) that Adobe released to fix CVE-2015-3113. This update raised the Flash Player version to 18.0.0.194.

    Our analysis of the current flaw reveals that the root cause of CVE-2015-3113 is similar to that of CVE-2015-3043. Both cause a buffer overflow within the Flash Player code. In fact, code targeting the previous vulnerability can also crash version 18.0.0.160 (the version immediately before this emergency update).

    Both vulnerabilities can be used to run arbitrary code (i.e., malware) on user systems if they visit a site with a malicious Flash file. Users who still run older, unpatched versions of Flash Player and visit a malicious or compromised site containing malicious Flash files are at risk.

    Vulnerability comparisons

    Both CVE-2015-3113 and CVE-2015-3043 are heap overflow vulnerabilities in the FLV audio parsing flow. They are both in how Flash Player processes audio with the Nellymoser codec; they can be triggered by modifying the FLV file’s audio tag. They both overflow a hardcoded length heap buffer with a length of 0x2000.

    CVE-2015-3043 and CVE-2015-3113 both trigger this bug using sample_count * sample_size > 0x2000, and bypass the length check.

    Old Patch for CVE-2015-3043

    CVE-2015-3043 was originally patched in 17.0.0.169. This was done by limiting the sample count acquired from the FLV audio tag.

    Figure 1. Original patch

    We can see that the sample count is limited to 0x400. We can compute the biggest buffer size needed from this: FLV specifies a size of 4 as the biggest size per sample. The Nellymoser codec has a hardcoded multiple size of 2 (as seen in the code below). Therefore, the biggest buffer needed is 0x400 * 4 * 2 = 0x2000.

    Figure 2. Nellymoser doubling

    New Patch in 18.0.0.160

    However, the code underwent significant changes in 18.0.0.160. The code now looks like this:

    Figure 3. New patch

    The GetSampleCount function checks the final buffer size needed. If the final buffer size is larger than 0x2000, it will limit it to 0x2000. However, this ignores the Nellymoser decode function’s hardcoded double operation; this can be used to trigger a heap buffer overflow once again.
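    The size arithmetic of the two patches, as an added example in C that is constructed for this post and is not Adobe's code: the 0x2000 buffer, the 4-byte maximum sample size, the Nellymoser doubling and the 0x400 sample-count limit come from the text above; the function names, the audio_tag struct, the sample values in main and the fixed_check_accepts variant are assumptions. old_patch_bytes_written models the 17.0.0.169 sample-count clamp, new_patch_bytes_written models the 18.0.0.160 check that limits the pre-decode size but ignores the decoder's doubling, and fixed_check_accepts shows a check on the post-decode size that rejects rather than clamps.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Figures taken from the post: a hardcoded 0x2000-byte output buffer, a
 * maximum FLV sample size of 4 bytes, the Nellymoser decoder's hardcoded
 * doubling, and the 0x400 sample-count limit of the 17.0.0.169 patch.
 * Everything else is a constructed model, not Flash Player's own code. */
#define OUT_BUF_SIZE      0x2000u
#define MAX_SAMPLE_SIZE   4u
#define NELLY_MULTIPLIER  2u
#define OLD_MAX_SAMPLES   0x400u

/* A constructed view of the two FLV audio tag fields that matter here. */
typedef struct {
    uint32_t sample_count;
    uint32_t sample_size;   /* bytes per sample, 1..4 */
} audio_tag;

/* Bytes the Nellymoser decode path writes: the doubling is applied after
 * whatever size check the caller performed. */
size_t nelly_output_bytes(uint32_t sample_count, uint32_t sample_size) {
    return (size_t)sample_count * sample_size * NELLY_MULTIPLIER;
}

/* Model of the 17.0.0.169 patch: clamp the sample count itself to 0x400 before
 * decoding. Worst case is 0x400 * 4 * 2 == 0x2000, so the buffer always fits. */
size_t old_patch_bytes_written(audio_tag t) {
    uint32_t count = t.sample_count > OLD_MAX_SAMPLES ? OLD_MAX_SAMPLES : t.sample_count;
    uint32_t size  = t.sample_size  > MAX_SAMPLE_SIZE ? MAX_SAMPLE_SIZE : t.sample_size;
    return nelly_output_bytes(count, size);
}

/* Model of the 18.0.0.160 check as the post describes it: the pre-decode size
 * (sample_count * sample_size) is limited to 0x2000, but the decoder still
 * doubles it afterwards, so up to 0x4000 bytes land in a 0x2000-byte buffer. */
size_t new_patch_bytes_written(audio_tag t) {
    uint32_t size = t.sample_size > MAX_SAMPLE_SIZE ? MAX_SAMPLE_SIZE : t.sample_size;
    size_t requested = (size_t)t.sample_count * size;
    if (requested > OUT_BUF_SIZE) requested = OUT_BUF_SIZE;   /* GetSampleCount-style limit */
    return requested * NELLY_MULTIPLIER;                       /* doubling the check ignored */
}

/* Hypothetical corrected check (an assumption of this example, not Adobe's
 * fix): validate the post-decode size against the buffer and reject anything
 * that does not fit instead of silently clamping it. */
bool fixed_check_accepts(audio_tag t) {
    if (t.sample_size == 0 || t.sample_size > MAX_SAMPLE_SIZE) return false;
    /* With size >= 1 and a x2 multiplier, more than 0x1000 samples can never
     * fit; rejecting early also keeps the multiplication below from wrapping. */
    if (t.sample_count > OUT_BUF_SIZE / NELLY_MULTIPLIER) return false;
    return nelly_output_bytes(t.sample_count, t.sample_size) <= OUT_BUF_SIZE;
}

bool overflows_buffer(size_t bytes_written) { return bytes_written > OUT_BUF_SIZE; }

int main(void) {
    /* Constructed tags: a benign one, the worst case the old patch allows, the
     * first count that breaks the new check, and tags with count * size > 0x2000. */
    const audio_tag tags[] = { {0x100, 2}, {0x400, 4}, {0x401, 4}, {0x800, 4}, {0x10000, 4} };
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++) {
        size_t old_b = old_patch_bytes_written(tags[i]);
        size_t new_b = new_patch_bytes_written(tags[i]);
        printf("count=%#x size=%u  17.0.0.169: %#zx%s  18.0.0.160: %#zx%s  fixed: %s\n",
               (unsigned)tags[i].sample_count, (unsigned)tags[i].sample_size,
               old_b, overflows_buffer(old_b) ? " OVERFLOW" : "",
               new_b, overflows_buffer(new_b) ? " OVERFLOW" : "",
               fixed_check_accepts(tags[i]) ? "accept" : "reject");
    }
    return 0;
}
```

    The point the model makes is that a size check is only as good as the value it checks: limiting the input-side product to the buffer size is meaningless when a later stage multiplies that product again. A check belongs on the quantity that is actually written, and a regression test with the previous CVE's trigger file would have caught the mismatch before release.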

    Conclusion

    The analysis above shows that both the previous Flash zero-day and the current incident share the same underlying root cause. In fact, code targeting the previous zero-day will cause 18.0.0.160 to crash.

    This incident highlights how important careful development of patches is, to prevent patched bugs from being re-exploited at a later time. Regression testing must also be a part of software development in order to check that old bugs do not threaten new versions of software.

    Update as of June 24, 2015, 8:08 A.M. (PDT):

    Trend Micro Deep Security and Vulnerability Protection protect user systems from threats that may leverage this vulnerability with the following DPI rule:

    • 1006810 – Adobe Flash Player Heap Buffer Overflow Vulnerability (CVE-2015-3113)

    Update as of June 26, 2015, 3:10 P.M. PDT (UTC-7):

    Trend Micro solutions are available to help protect users against threats that may leverage this vulnerability. Endpoint products detect malware that attempts to exploit this vulnerability as SWF_EXPLOYT.S. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates.

    Below are the SHA1 hashes related to this threat:

    • 5f6a2521c6bfd5becfefc3a3db74d0a23d382f0e
    • 5f28787f60c5f8d9f3aa9163975422d1ff55f460
     
    Posted in Malware


     
