Wednesday, May 15, 2013

Java Web Start or as it should be called "Sure go ahead and run what you like"

Late last month, Immunity published a blog post describing a novel and simple way to bypass the Java security warnings by using the convenient Java Web Start framework. The Immunity team discovered a parameter called __applet_ssv_validated that controls whether older versions of the JRE can run without user validation (Secure Static Versioning). Setting this parameter to true in the applet itself did nothing.

This brings us to Java Web Start. As a framework meant to facilitate running applets, JWS uses a custom XML document with a special tag, jnlp. When you call an applet you can pass along parameters to the applet you want to run in your browser, including __applet_ssv_validated, like so: <param name="__applet_ssv_validated" value="true" />. This is one of the simplest Java exploits to come out in the last year or so, and it was jumped on immediately by exploit kit builders, most notably Blackhole.

The good news is that since it's so simple it can easily be detected: ClamAV signature Java.Trojan.Agent-26 detects it, and Snort rules 26524 and 26525 have been out since the beginning of this month and have caught many potential attacks, such as the one below:

Since those rules were released, exploit kit writers have been busy trying to obfuscate this exploit. A new variant, caught by another exploit kit rule, 26535, now uses the jnlp_embedded parameter (which is meant to pass along supplemental applet data) to paste the entire exploit into its value field, base64-encoded, like so:

By detecting the jnlp_embedded parameter, we can set Snort to decode the base64 data and look for the same exploit conditions. Those rules are 26646 and 26647, and the ClamAV signature is Java.Trojan.Agent-29.
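To make the two detection conditions concrete, here is an added Python example (not code from the original post, and not how the Snort rules or ClamAV signatures are implemented) that scans applet HTML the way the rules above are described as working: it flags __applet_ssv_validated=true passed directly as a param, and it base64-decodes any jnlp_embedded value and looks for the same condition inside the embedded JNLP document. The sample applet snippets, the class names and the param layout are constructed for the example; the only page-supplied identifiers are the two parameter names.

```python
import base64
import re

# <param name="..." value="..."> tags, attribute order as in the post's example.
PARAM_RE = re.compile(
    r'<param\s+name\s*=\s*"([^"]*)"\s+value\s*=\s*"([^"]*)"\s*/?>',
    re.IGNORECASE,
)

SSV_PARAM = "__applet_ssv_validated"   # from the post
EMBEDDED_PARAM = "jnlp_embedded"        # from the post


def extract_params(markup: str) -> dict:
    """Return the <param> tags in an applet tag (or a JNLP applet-desc) as name -> value."""
    return {m.group(1): m.group(2) for m in PARAM_RE.finditer(markup)}


def decode_jnlp_embedded(value: str):
    """Base64-decode a jnlp_embedded value; None if it is not valid base64."""
    compact = "".join(value.split())            # tolerate wrapped/indented values
    try:
        raw = base64.b64decode(compact, validate=True)
    except ValueError:                           # binascii.Error is a ValueError
        return None
    return raw.decode("utf-8", errors="replace")


def scan_applet_html(html: str) -> list:
    """Return a list of findings for the SSV-bypass conditions described in the post."""
    findings = []
    params = extract_params(html)

    # Condition 1: the parameter passed to the applet in the clear.
    if params.get(SSV_PARAM, "").strip().lower() == "true":
        findings.append("__applet_ssv_validated=true passed directly to the applet")

    # Condition 2: the same parameter hidden in a base64-encoded jnlp_embedded value.
    embedded = params.get(EMBEDDED_PARAM)
    if embedded is not None:
        decoded = decode_jnlp_embedded(embedded)
        if decoded is None:
            findings.append("jnlp_embedded value is not valid base64")
        elif extract_params(decoded).get(SSV_PARAM, "").strip().lower() == "true":
            findings.append("__applet_ssv_validated=true inside base64-encoded jnlp_embedded")
    return findings


# --- constructed sample inputs (not captured exploit kit pages) ---------------
SAMPLE_PLAIN = (
    '<applet code="Exploit.class" width="1" height="1">\n'
    '  <param name="__applet_ssv_validated" value="true" />\n'
    '</applet>'
)

_EMBEDDED_JNLP = (
    '<jnlp><applet-desc name="x" main-class="Exploit">'
    '<param name="__applet_ssv_validated" value="true"/>'
    '</applet-desc></jnlp>'
)
SAMPLE_EMBEDDED = (
    '<applet code="Exploit.class" width="1" height="1">\n'
    '  <param name="jnlp_embedded" value="%s" />\n'
    '</applet>' % base64.b64encode(_EMBEDDED_JNLP.encode()).decode()
)

SAMPLE_BENIGN = '<applet code="Game.class"><param name="level" value="3" /></applet>'

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN),
                          ("embedded", SAMPLE_EMBEDDED),
                          ("benign", SAMPLE_BENIGN)):
        print(label, scan_applet_html(sample))
```

The decode step is the part that matters for the obfuscated variant: a signature that only looks for the literal parameter name in the page will miss it once the whole JNLP document is base64-encoded, so the scanner decodes jnlp_embedded first and then applies the same param check to the decoded text.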

Tuesday, May 14, 2013

Microsoft Update Tuesday: Update for IE8 0-day and More

Today is Update Tuesday and Microsoft is releasing updates for 33 CVEs across 10 bulletins. We'll be discussing some of the highlights here.

One of the most important updates (MS13-038) that is being released is for the recent 0-day in Internet Explorer, which was used in a watering hole attack on a Department of Labor internal website targeting Department of Energy employees. This vulnerability, CVE-2013-1347, affects IE8 and can allow an attacker to perform remote code execution via a use-after-free vulnerability. While it's currently not being exploited in any of the exploit kits that we monitor, Metasploit released an exploit for the vulnerability early last week. Sourcefire has detection for this vulnerability through SIDs 26569-26572.

Microsoft is also releasing a cumulative update for 11 other browser issues, including use-after-free vulnerabilities that could allow for remote code execution (MS13-037). These issues cover all supported IE versions, ranging from IE6 to IE10.

Publisher will also get updates for 11 issues that could allow for remote code execution (MS13-042). One slightly mitigating factor for these vulnerabilities is that they require a user to open the files in Publisher to be exploitable, so some user interaction is required as opposed to being exploitable by simply visiting a webpage. Two other products in the Office suite are also getting updates today: Word (MS13-043) is getting a fix for a potential remote code execution vulnerability and Visio (MS13-044) is getting a fix for an information disclosure vulnerability. Both issues have similar mitigating factors to the Publisher vulnerability, requiring the user to load a maliciously crafted file.

Another interesting update fixes a DirectX Graphics Kernel Subsystem Double Fetch Vulnerability (CVE-2013-1332, MS13-046) in a kernel mode driver, discovered by Mateusz Jurczyk and Gynvael Coldwind using their tool Bochspwn, which they presented 3 weeks ago at SyScan '13. The vulnerabilities are basically the result of race conditions and are typical Time of Check to Time of Use (TOCTOU) vulnerabilities. More specifically, they are the result of a double fetch: the kernel retrieves a value from user mode, checks it, and then retrieves the value from user mode again rather than using a cached copy. An attacker can modify the user-mode value between the time it is retrieved the first time and when it is retrieved again, so any checks performed on the first fetch can no longer be considered valid for the second fetch. A typical example of an exploitable version of this vulnerability is a size for a copying function that is retrieved from user mode: it is checked to make sure the size is smaller than the destination memory's size, but during the call to the copy function the value is fetched again, resulting in an unchecked size being used. This can result in a buffer overflow if the attacker can change the value between the check and the use. Their tool found 89 potentially exploitable issues, 33 of which were not deemed exploitable, and 36 of which have already been fixed in various earlier Microsoft bulletins (MS13-016, MS13-017, MS13-031, MS13-036). Another 13 are considered local denial of services only. Today 1 more is being patched, leaving only 6 issues open according to Mateusz and Gynvael's SyScan slides.
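The check-then-copy pattern described above, as an added example that is not part of the original post and has nothing to do with the actual MS13-046 driver code or with Bochspwn: a small Python model in which "user memory" is an object whose every read goes through one method, so a hook standing in for the racing user-mode thread can change the size between the kernel's two fetches. The vulnerable handler fetches the size once for the check and again for the copy; the fixed handler fetches it once into kernel-owned storage and reuses that copy. All names, the 16-byte buffer and the 4096 size are constructed for the example.

```python
KERNEL_BUF_SIZE = 16   # constructed: size of the fixed kernel-side destination buffer


class UserMemory:
    """Constructed model of a user-mode page holding a 32-bit size field.

    Every kernel fetch goes through read_u32(); an optional on_read hook runs after each
    fetch, standing in for a user-mode thread that races the kernel.
    """

    def __init__(self, size_value: int, on_read=None):
        self.size_value = size_value
        self.on_read = on_read
        self.fetches = 0

    def read_u32(self) -> int:
        value = self.size_value       # what the kernel actually sees on this fetch
        self.fetches += 1
        if self.on_read is not None:
            self.on_read(self, self.fetches)
        return value


def _copy_into_kernel_buffer(payload: bytes, n: int) -> dict:
    """Stand-in for memcpy into the fixed buffer.

    In a real driver a length beyond the buffer would corrupt adjacent kernel memory; the
    model reports it as an overflow instead, which is the outcome the text describes.
    """
    kbuf = bytearray(KERNEL_BUF_SIZE)
    if n > KERNEL_BUF_SIZE:
        return {"status": "overflow", "copied": n}
    kbuf[:n] = payload[:n]
    return {"status": "ok", "copied": n}


def vulnerable_copy(user: UserMemory, payload: bytes) -> dict:
    """Double fetch: the size is fetched for the check and fetched again for the use."""
    if user.read_u32() > KERNEL_BUF_SIZE:          # fetch 1: the check
        return {"status": "rejected", "copied": 0}
    n = user.read_u32()                             # fetch 2: the use, never re-checked
    return _copy_into_kernel_buffer(payload, n)


def fixed_copy(user: UserMemory, payload: bytes) -> dict:
    """Single fetch: the value is captured once and the cached copy is both checked and used."""
    n = user.read_u32()                             # the only fetch
    if n > KERNEL_BUF_SIZE:
        return {"status": "rejected", "copied": 0}
    return _copy_into_kernel_buffer(payload, n)


def flip_after_first_fetch(user: UserMemory, fetch_no: int) -> None:
    """Racing-thread model: once the checked fetch has happened, replace the size."""
    if fetch_no == 1:
        user.size_value = 4096


def run_scenario(handler, racing: bool) -> dict:
    """Run a handler against a user page that starts with a valid size of 8 bytes."""
    user = UserMemory(8, on_read=flip_after_first_fetch if racing else None)
    return handler(user, b"A" * 4096)


if __name__ == "__main__":
    print("vulnerable, no race:", run_scenario(vulnerable_copy, racing=False))
    print("vulnerable, raced:  ", run_scenario(vulnerable_copy, racing=True))
    print("fixed, raced:       ", run_scenario(fixed_copy, racing=True))
```

The model makes the timing deterministic so the outcome is reproducible; in a real system the window between the two fetches is what the racing thread has to hit, and tools like the one the researchers presented find these windows by watching for the same user-mode address being read twice within one system call. The fix is the one the text implies: copy the value into kernel memory once and make every later decision on that copy.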

Further updates cover an authentication bypass and an XML spoofing vulnerability in .NET (MS13-040). An important mitigating factor for the authentication bypass is that it requires non-standard configuration to be vulnerable. Another issue that is being updated is a vulnerability in Lync (MS13-041) that could allow an attacker to gain remote code execution during a session where the attacker shares content with a user. A mitigating factor for this vulnerability is that the user must accept an invitation from the attacker and must then view the content the attacker has shared.

The company is also releasing a fix for a denial of service vulnerability in HTTP.sys (MS13-039), Microsoft's kernel mode driver that has handled the HTTP protocol stack for IIS since IIS6, and an update for an information disclosure vulnerability in Windows Live Essentials (MS13-045).

As always, we are releasing rules today that detect many of these vulnerabilities through SIDs 26622-26642.