Tuesday, August 10, 2010

Quick analysis of a webpage leveraging CVE-2010-1885 (aka the help and support center vulnerability)

In a previous blog post I wrote about an increase in attacks against a vulnerability that was, at the time, unpatched. Microsoft patched it on July 13, which doesn't mean that people aren't still trying to own unpatched machines.

goodgirlsbadguys.com (213.155.12.144) is a domain registered on July 19, 2010 with a registrant address listed in Cambodia. Visiting a particular webpage on that domain (trust me and don't go there...despite the name there is nothing juicy on this domain except pwnage) returns a URL as part of an iframe. Microsoft Help and Support Center is then invoked with a few parameters, one of which is the URL obtained earlier:

[Image: KB2286198_help_center_command_line] Pic.1: Help and Support Center

Notice the use of the keyword "crimepack" in the hcp:// request.

In a randomly named file (in this case "bat.vbsautba" in c:\Documents and Settings\user\Local Settings\Temp) the following HTML can be found:

[Image: KB2286198_dropped_file.png] Pic.2: Dropped file with random name

Later, the command line utility is invoked with the following parameters:

[Image: KB2286198_cmd_exe.png] Pic.3: cmd.exe called to run script...and kill Windows Media Player

The script that is executed is called D.vbs:

[Image: KB2286198_wscript_exe.png] Pic.4: D.vbs

Snort detects this Windows Help Center escape sequence cross-site scripting attempt with sid 16665:

08/09-11:26:49.588645  [**] [1:16665:3] WEB-CLIENT Microsoft Windows Help Centre escape sequence XSS attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 213.155.12.144:80 -> 10.11.250.196:1076
08/09-11:26:49.588645 0:1E:13:F0:2E:19 -> 0:C:29:21:50:D5 type:0x8100 len:0x59E
213.155.12.144:80 -> 10.11.250.196:1076 TCP TTL:59 TOS:0x0 ID:11527 IpLen:20 DgmLen:1420 DF

ClamAV has got you covered as well with BC.Exploit.CVE_2010_1885.
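To make the two detection angles in this post concrete (the Snort alert on the wire, and the hcp:// iframe in the served page), here is an added example, written for this write-up and not code from the blog, Snort or ClamAV. It parses the sid 16665 fast-format alert quoted above into structured fields, and scans page HTML for frames whose src hands a URL to Help and Support Center via the hcp:// scheme, flagging the "crimepack" keyword the post mentions. The sample HTML, its placeholder hcp:// path and the `triage` function are constructed for the example; the server IP and keyword are the indicators the post itself reports.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional

# Snort "fast" alert record exactly as it appears in the post (sid 16665).
SNORT_ALERT_LINE = (
    "08/09-11:26:49.588645  [**] [1:16665:3] WEB-CLIENT Microsoft Windows Help Centre "
    "escape sequence XSS attempt [**] [Classification: Attempted User Privilege Gain] "
    "[Priority: 1] {TCP} 213.155.12.144:80 -> 10.11.250.196:1076"
)

# Indicators the post reports: the serving host and the keyword seen in the hcp:// request.
KNOWN_BAD_HOSTS = {"213.155.12.144"}
SUSPICIOUS_KEYWORDS = ("crimepack",)

# CONSTRUCTED sample page: a hidden iframe whose src uses the hcp:// scheme. The path and
# query are placeholders, not the real request served by the malicious site.
SAMPLE_HTML = """<html><body>
<p>nothing to see here</p>
<iframe src="hcp://PLACEHOLDER-PATH?tag=crimepack" width="0" height="0"></iframe>
<iframe src="http://example.invalid/ads"></iframe>
</body></html>"""

# One Snort fast-format alert line: timestamp, [gid:sid:rev], message, classification,
# priority, protocol, and the src -> dst socket pair.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


@dataclass
class SnortAlert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_fast_alert(line: str) -> Optional[SnortAlert]:
    """Parse one Snort fast-format alert line; return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return SnortAlert(
        timestamp=m["ts"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["prio"]),
        proto=m["proto"], src_ip=m["src"], src_port=int(m["sport"]),
        dst_ip=m["dst"], dst_port=int(m["dport"]),
    )


class HcpFrameFinder(HTMLParser):
    """Collect src attributes of (i)frames that hand a URL to Help and Support Center."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        for name, value in attrs:
            if name == "src" and value and value.strip().lower().startswith("hcp://"):
                self.hits.append(value.strip())


def find_hcp_frames(html: str) -> List[str]:
    """Return every hcp:// frame src found in the given HTML (empty list if none)."""
    parser = HcpFrameFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def triage(alert_line: str, html: str) -> List[str]:
    """Combine the wire-side and page-side checks into findings a responder can act on."""
    findings = []
    alert = parse_fast_alert(alert_line)
    if alert and alert.sid == 16665:
        findings.append(f"snort sid {alert.sid}: {alert.msg} "
                        f"({alert.src_ip} -> {alert.dst_ip}:{alert.dst_port})")
        if alert.src_ip in KNOWN_BAD_HOSTS:
            findings.append(f"server {alert.src_ip} matches a known indicator")
    for src in find_hcp_frames(html):
        findings.append(f"hcp:// frame found: {src}")
        if any(k in src.lower() for k in SUSPICIOUS_KEYWORDS):
            findings.append(f"keyword match in hcp:// request: {src}")
    return findings


if __name__ == "__main__":
    for finding in triage(SNORT_ALERT_LINE, SAMPLE_HTML):
        print(finding)
```

Run against the alert and the sample page, `triage` returns four findings: the sid 16665 hit, the server-IP indicator match, the hcp:// frame, and the keyword match. The frame check keys on the scheme alone, so it catches the delivery pattern regardless of what the attacker puts after hcp://; the keyword check is a cheap second signal, not a substitute for the Snort or ClamAV signatures.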

2 comments:

  1. Hi Alain,

    Thanks for the post. But it's not clear from your writeup how the .lnk vulnerability plays into this at all. It would seem from your writeup that this malicious site is leveraging the Help and Support Center vuln, not the .lnk vuln. Am I missing something?

    TX

    Bk

  2. Thanks for pointing that out, Brian. My brain is fried...blame DEFCON or my normal state. Anyway, fixed the title and the link to the Microsoft security bulletin.
