Tuesday, January 28, 2014

Four vulnerabilities in Pidgin



The VRT is announcing the discovery and patching of 4 CVE vulnerabilities in Pidgin. These vulnerabilities were discovered by the VRT VULNDEV team and reported to the Pidgin team. The VRT also created TRUFFLE rules that have been protecting Sourcefire customers for these vulnerabilities since October 1st 2013, while the Pidgin team was working on patching them. TRUFFLE rules provide a way for the VRT to release cutting edge coverage without exposing threats to the public through a plaintext rule. We are releasing these rules publicly as part of our update today, since the Pidgin team is releasing Pidgin 2.10.8 that addresses these issues. It is available for download here: http://www.pidgin.im/

Here is a summary of the vulnerabilities and the associated rules, with links to blog posts describing the vulnerabilities in detail:
o   We had prior coverage for this vulnerability through an http_inspect alert GID 120, SID 8 as well as SID 2580.
o   We are releasing SID 28088 to handle this vulnerability.

o   We are releasing SIDs 28089 and 28090 to cover this vulnerability.

o   We also had prior coverage for this vulnerability through SIP preprocessor alert, GID 140 SID 16.

Monday, January 27, 2014

VRT-2013-1001 (CVE-2013-6487): Buffer overflow in Gadu-Gadu HTTP parsing

Sourcefire Vulnerability Report VRT-2013-1001 (CVE-2013-6487): Buffer overflow in Gadu-Gadu HTTP parsing

Description

An exploitable remote code execution vulnerability exists in Pidgin's implementation of the Gadu Gadu protocol in the libpurple library. An attacker who can control the Content-Length of a HTTP request can cause an undersized allocation which can later be used to overflow into the heap. An attack requires the ability to spoof messages from the gadu-gadu.pl domain to exploit this vulnerability.

Tested Versions

Pidgin 2.10.7

Coverage

Prior coverage through an http_inspect alert GID 120, SID 8 as well as SID 2580.

Details

In gg_http_watch_fd() in file pidgin-2.10.7\libpurple\protocols\gg\lib\http.c at line 353 content-length will be read from the HTTP server:

  353     while (line) {
  354         if (!strncasecmp(line, "Content-length: ", 16)) {
  355             h->body_size = atoi(line + 16);
  356         }
  357         line = strchr(line, '\n');
  358         if (line)
  359             line++;
  360     }

It then checks if h->bodysize is less than or equal to 0, however h->body_size is an unsigned integer so a negative value will return a large positive size, meaning the check for less than zero will never be true:

  362     if (h->body_size <= 0) {
  363         gg_debug(GG_DEBUG_MISC, "=> http, content-length not found\n");
  364         h->body_size = left;
  365     }

This check will also pass because left will not be larger than a negative body_size:

  367     if (left > h->body_size) {
  368         gg_debug(GG_DEBUG_MISC, "=> http, oversized reply (%d bytes needed, %d bytes left)\n", h->body_size, left);
  369         h->body_size = left;
  370     }

if h->body_size is 4294967295 (or -1) then the below will result in a malloc(0):

  374     if (!(h->body = malloc(h->body_size + 1))) {

Finally we reach our out of bounds write into the heap here:

  381     if (left) {
  382         memcpy(h->body, tmp + sep_len, left);
  383         h->body_done = left;
  384     }

The client will keep copying data as long as there's data in the http response body and will then free the original heap chunk.

VRT-2013-1002 (CVE-2013-6489): Buffer overflow in MXit emoticon parsing

Sourcefire Vulnerability Report VRT-2013-1002 (CVE-2013-6489): Buffer overflow in MXit emoticon parsing

Description

An exploitable remote code execution vulnerability exists in Pidgin's implementation of the Mxit protocol in the libpurple library. An attacker who can control the contents of an Emoticon downloaded through the Mxit protocol can cause an allocation to return NULL which can later be used to write into the lowest page of memory. An attack requires the ability to spoof messages from the mxit.com domain to exploit this vulnerability.

Tested Versions



Pidgin 2.10.7

Coverage 

SID 28088

Details

 When downloading an emoticon via the mxit protocol, it is possible to cause a buffer overflow, by providing an invalid utf8 length. This occurs in the function asn_getUtf8() at line 216 of pidgin-2.10.7\libpurple\protocols\mxit\markup.c:

  204        static int asn_getUtf8( const gchar* data, gchar type, char** utf8 )
  205         {
  206             int        len;
  207
  208             /* validate the field type [1 byte] */
  209             if ( data[0] != type ) {
  210                 /* this is not a utf-8 string! */
  211                 purple_debug_error( MXIT_PLUGIN_ID, "Invalid UTF-8 encoded string in ASN data (got 0x%02X, expected 0x%02X)\n", data[0], type );
  212                 return -1;
  213             }

 
Here len will be read in as a 1 byte value from data[]. However, because len is a signed integer, a length of 0xFF will be interpreted as a len of -1.

  215             len = data[1];                        /* length field [1 bytes] */

The memory allocation at the next line will then result in an integer overflow, resulting in a buffer overflow at line 217.

  216             *utf8 = g_malloc( len + 1 );
  217             memcpy( *utf8, &data[2], len );        /* data field */
  218             (*utf8)[len] = '\0';
  219
  220             return ( len + 2 );
  221         }    


Unlike libc's memory allocator, gmalloc returns NULL when it is called with a size of zero. As a result of that behavior, this ends up being a a write to the NULL page rather than the typical heap overflow. Writes to the zero page are exploitable if an attacker can cause enough allocations and exhaust enough of the memory address range to make the system map the low page.

VRT-2013-1004 (CVE-2013-6490): Buffer overflow in SIMPLE header parsing

Sourcefire Vulnerability Report VRT-2013-1004 (CVE-2013-6490):Buffer overflow in SIMPLE header parsing

Description

An exploitable remote code execution vulnerability exists in Pidgin's implementation of SIP/SIMPLE message handling. An attacker who can control the Content-Length of a SIP/SIMPLE message can cause an allocation to return NULL which can later be used to write into the lowest page of memory.

Tested Versions

Pidgin 2.10.7

Coverage

Prior coverage through a SIP preprocessor alert, GID 140 SID 16.

Details

 In sipmsg_parse_header() in file pidgin-2.10.7\libpurple\protocols\simple\sipmsg.c at line 114, the length of the message is read from an incoming message into an integer: 

  164           tmp2 = sipmsg_find_header(msg, "Content-Length");
  115           if (tmp2 != NULL)
  116               msg->bodylen = strtol(tmp2, NULL, 10);

 
The above sipmsg_parse_header() is called from process_input() in file pidgin-2.10.7\libpurple\protocols\simple\simple.c at line 1631. If the message specifies a negative bodylen (-1), then restlen will be larger than bodylen, which means the if statement at line 1642 will be entered. The following allocation of bodylen + 1 evaluates to a size of zero:

 1642           if(restlen >= msg->bodylen) {
 1643               dummy = g_malloc(msg->bodylen + 1);
 1644               memcpy(dummy, cur, msg->bodylen);


Unlike libc's memory allocator, gmalloc returns NULL when it is called with a size of zero. As a result of that behavior, this ends up being a a write to the NULL page rather than the typical heap overflow. Writes to the zero page are exploitable if an attacker can cause enough allocations and exhaust enough of the memory address range to make the system map the low page.

VRT-2013-1003 (CVE-2013-6486): Pidgin uses clickable links to untrusted executables

Sourcefire Vulnerability Report VRT-2013-1003: Pidgin uses clickable links to untrusted executables

Description

An exploitable remote code execution vulnerability exists in Pidgin's implementation of file:// URL handling. An attacker can supply a remote path which will be evaluated by ShellExecute and can be leveraged to execute arbitrary code. While the operating system (e.g., Windows) blocks execution of several file formats and provides a prompt to the user asking for permission, this can be bypassed by specifying alternate file types and we have achieved code execution using .jar files. 

Tested Versions

Pidgin 2.10.7

Coverage

SIDs 28089 and 28090

Details 

An attacker can pass arbitrary paths to ShellExecute() when a user clicks on a URL delivered in any of the communication protocols supported by Pidgin on the Windows platform. If this URL specifies a file:// protocol handler, the URL will be executed by the shell.

Pidgin attempts to filter file:// URLs and will try to execute them as an argument to the command "explorer.exe /select" in the function file_open_uri() in file pidgin-2.10.7\pidgin\gtkutils.c:

3279     if (purple_str_has_prefix(uri, "file://"))  
3280     {
3281          gchar *escaped = g_shell_quote(uri);
3282          gchar *param = g_strconcat("/select,\"", uri, "\"", NULL);
3283          wchar_t *wc_param = g_utf8_to_utf16(param, -1, NULL, NULL, NULL);
3284
3285          code = (int)ShellExecuteW(NULL, L"OPEN", L"explorer.exe", wc_param, NULL, SW_NORMAL);

...
3290     } else {
3291          wchar_t *wc_filename = g_utf8_to_utf16(uri, -1, NULL, NULL, NULL);
3294          code = (int)ShellExecuteW(NULL, NULL, wc_filename, NULL, NULL, SW_SHOW);


However, due to the way this function is called, a URL will never start with the file:// scheme. The following code shows how the function is called (also in gtkutils.c):

3361  #define FILELINKSIZE  (sizeof("file://") - 1)
3362  static gboolean file_clicked_cb(GtkIMHtml *imhtml, GtkIMHtmlLink *link)
3364  {
3365      const char *uri = gtk_imhtml_link_get_url(link) + FILELINKSIZE;
3366      file_open_uri(imhtml, uri);
3367      return TRUE;
3368  }


This strips out the file:// scheme from the URL before calling the file_open_uri() function, ensuring that the check at line 3279 will never be true (unless URL that starts with file://file:// is provided).

When we tested Pidgin on Windows 7, for example, WebDAV paths ending in file extensions such a .exe and .bat were filtered by the OS. However, the user can simply supply a path to an unfiltered file type such as a Java .jar to have the user download and execute arbitrary code if they have the Java Runtime Environment installed. Note, this is just one example and other file formats can be used. It's also worth noting the attacker can also control the displayed string for the URL, so the true destination of a clicked URL can be obfuscated.


Our coverage for the Recent Point of Sale Compromises

On December 19th, 2013, Target Corp announced that it fell victim to a very sophisticated cyber-attack that took place around the Thanksgiving holiday. This led to the theft of information pertaining to over 40 million credit and debit accounts used at their stores.
As many people are now aware, simply protecting your banking information on your personal computer is not enough. While attackers are still stealing information one device at a time using malware like Cryptolocker, why not simply go to a common place that everyone trusts and steal it from there? That's where PoS (Point-of-Sale) malware comes in. This is not a new process by any means, in 2007 TJX (Operator of TJ Maxx and Marshalls retail stores) announced that over 40 million credit and debit card records were exposed and stolen. The attack last December potentially affected the lives of up to 110 million Target customers.
There are many types of PoS malware on the market right now. Malware itself has become a commodity and can sell for as much as $40,000 (see carberp: http://krebsonsecurity.com/2013/06/carberp-code-leak-stokes-copycat-fears/ ). This means that slight variants of a sample could be in use by several unrelated attackers. Although each different sample can dramatically change functionality and obfuscation levels, the formula remains about the same:
·         Somehow get into the network
·         Infect the PoS terminals themselves
·         Read/Dump memory/databases on the PoS terminal
·         Offload the data somewhere
·         Send the data back to a remote server
Arguably the most detectable part of PoS malware is that it must somehow send data back across the network. While we focus on prevention in the first place, the flexibility of our platform allows us to take an approach of stopping the malware at this very significant stage as well.  We decided to make a list of the most popular PoS malware found in the wild as it relates to this threat, as well as our rule coverage for each sample:
BlackPOS (POSRAM) (Dump Memory Grabber) – Allegedly the malware used in the Target/Neiman Marcus attacks.
       
·         29420, 29421 MALWARE-CNC Win.Trojan.Reedum outbound FTP connection
Chewbacca – Malware that reads process memory, logs keystrokes and utilizes the TOR network to ship data back.
·         29440 MALWARE-CNC Win.Trojan.Chewbacca outbound communication attempt
       
Dexter – Locates, dumps and ships credit card track data in memory for potential cloning. Ships data back over HTTP.  Coverage was shipped for this threat in January of 2013.
·         25553 MALWARE-CNC Win.Trojan.Dexter variant outbound connection
Trackr/Alina – Similar to Dexter, locates, dumps and ships credit card track data in memory. Ships data back over HTTP.  Coverage was shipped for this threat in May of 2013.
·         26686 BLACKLIST User-Agent known malicious user agent - Alina
VSkimmer – Sold as a successor to Dexter with more functionality. Ships data back over HTTP.
·         29415 BLACKLIST DNS request for known malware domain posterminalworld.la
·         29416 MALWARE-CNC Win.Trojan.vSkimmer outbound connection


Businesses will need to be proactive in their approach to payment terminal security. As retail giants and small businesses alike take note of these attacks, they should be auditing their own network configurations while asking themselves a few questions:


  • How are my payment terminals connected to their respective databases? How are those databases secured?
  • How could my payment terminals (or anything they have connections to) access the internet?
  • What software am I running my payment terminals on? Are there more secure alternatives?
  • What security mechanisms are in place to detect PoS compromises?


As usual, the VRT will continue to hound the internet. We are always interested in hearing about new and interesting methods used by attackers, so feel free to drop us a line if you'd like to share what you are seeing at: askvrt@cisco.com

Thursday, January 23, 2014

Fiesta Exploit Kit, is no party

Recently, when our Cisco TRAC team contacted us about some work that we did concerning the Fiesta Exploit Kit for an article they were writing, we were happy to work with them.

As discussed in the recent Cisco Annual Security Report, exploit kits have been very pervasive in the past couple years, and while the arrest of Paunch (the author of the Blackhole Exploit Kit) caused a decline in their overall numbers, they are still out there and cranking away.

We worked with the TRAC team in order to author this blog post, found over here on the Cisco Security Blog.

Take a look here:  http://blogs.cisco.com/security/fiesta-exploit-pack-is-no-party-for-drive-by-victims/

Tuesday, January 14, 2014

Microsoft Update Tuesday: January 2014, fix for the XP/2003 0-day vulnerability


The first Microsoft Update Tuesday of 2014 is here and it’s a very light month this time around. We’ve got 4 bulletins covering 6 CVEs. What’s remarkable is that there’s no Internet Explorer bulletin this month. There are also no bulletins that are marked critical, all 4 bulletins are marked as important.

The first bulletin, MS14-001, is for Word and Office Web Apps, this bulletin covers 3 CVEs (CVE-2014-0258, CVE-2014-0259 and CVE-2014-0260.  They are memory corruption vulnerabilities in Word, which could result in remote code execution.

MS14-002 is a fix for the Windows XP/2003 0-day kernel escalation of privilege vulnerability (CVE-2013-5065) that was being exploited in the wild in tandem with the Adobe Reader vulnerability (CVE-2013-3346). Here an attacker would convince the user to open a maliciously crafted PDF that would exploit the use after free in Adobe Reader to gain code execution. Once that was done, the malicious code would exploit a vulnerability in the NDProxy driver, where an out of bounds access to a table of function pointers would attempt to execute code in userland, which allows an attacker to gain system privileges.

The next bulletin MS14-003 provides another fix for a kernel mode driver vulnerability that could allow an attacker to gain elevated privileges by exploiting a vulnerability in win32k.sys (CVE-2014-0262).

The final bulletin (MS14-004) fixes a denial of service vulnerability (CVE-2014-0261) in Microsoft Dynamics AX. 

We’re releasing rules SID 28867-28872 to address these issues.