Monday, October 31, 2016

Vulnerability Spotlight: Remotely Exploitable Bugs in Memcached Identified and Patched

Vulnerabilities identified by Aleksandar Nikolich of Talos.

Our efforts to make the internet safer and protect our customers involve, amongst many other things, researching and identifying zero-day vulnerabilities in third-party software. As part of our effort to find and responsibly disclose vulnerabilities we identify through our programmatic methods, Talos is disclosing the identification of three vulnerabilities in Memcached. Memcached is an open-source, high-performance, distributed memory caching system used to speed up dynamic websites which rely on a database backend, and it is widely used in various online applications. Memcached developers have released a patch that addresses the vulnerabilities we are disclosing today.

Vulnerability Details

Multiple integer overflow vulnerabilities exist within Memcached that could be exploited to achieve remote code execution on the targeted system. These vulnerabilities manifest in various Memcached functions that are used in inserting, appending, prepending, or modifying key-value data pairs. Systems that have Memcached compiled with support for SASL authentication are also vulnerable to a third flaw, due to how Memcached handles SASL authentication commands.

Sundown EK: You Better Take Care

This post was authored by Nick Biasini

Over the last six months the exploit kit landscape has seen some major changes. These changes began with Nuclear ceasing operations in April/May and arrests in Russia coinciding with the end of Angler in June. Recently, Neutrino has been added to the list of exploit kits that have stopped being actively used in 2016. What remains is a group of smaller exploit kits vying for pole position in an industry that continues to generate millions of dollars from payloads such as ransomware and banking trojans.

It's now time to turn to another exploit kit that is active on the landscape, Sundown. The Sundown exploit kit has previously been part of a second tier of exploit kits that includes Magnitude and Sweet Orange. These kits successfully compromise users, but typically are not accompanied by the advanced techniques and widespread use of the other major exploit kits. That's not to say these kits aren't significant threats, but from a potential victim's perspective they historically do not have the reach associated with other EKs such as Angler or RIG.

Wednesday, October 26, 2016

Vulnerability Spotlight: Iceni Argus Buffer Overflows

Vulnerabilities discovered by Marcin 'Icewall' Noga of Cisco Talos.

Talos has identified two stack-based buffer overflows (TALOS-2016-0200 & TALOS-2016-0202) in the Iceni Argus PDF content extraction software. This software is used to convert a PDF document into various tagged and XML-based formats (such as XHTML). Software such as MarkLogic uses Iceni Argus for PDF document conversions as part of its web-based document search and rendering. Both vulnerabilities occur in the PDF to HTML converter functionality. An attacker can send or provide a specially crafted PDF file that triggers either of these buffer overflows, resulting in arbitrary code execution.

CVE-2016-8333 (TALOS-2016-0200) Iceni Argus ipfSetColourStroke Code Execution

CVE-2016-8335 (TALOS-2016-0202) Iceni Argus ipNameAdd Code Execution


CVE-2016-8333 occurs when the `ipfSetColourStroke` function is executed. This function calls `getRealArgArray`, which attempts to copy the elements of the `opStack` container without verifying whether the source array is larger than the destination array. The destination array is fixed at nine 4-byte values. Since the data in the PDF header defines the elements of the `opStack`, a malformed PDF can create a situation in which the source contains more than nine elements, causing a buffer overflow which can lead to arbitrary code execution.

CVE-2016-8335 occurs in the `ipNameAdd` functionality of Iceni Argus. Examining this function, you can easily see the guilty line. The function includes the following call:

strcpy(dest, src);

This occurs without any previous checking of the arguments. Everyone knows that this is a classic example of a buffer overflow. Surprisingly, the length check occurs after the `strcpy` call, which makes it totally ineffective. But to take advantage of the overflow, the malformed PDF must define a `token` that is not a "regular" named object (objects that start with a `/`), since "regular" named objects never reach the `strcpy` line during execution.
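Both Iceni Argus bugs above come down to the same missing step: the size check has to run before the copy, whether the destination is a fixed nine-slot array or a string buffer. The following C is an added illustration written for this page, not Iceni Argus code; the function names (`copy_real_args`, `name_add`, `try_args`, `try_name`), the `OPSTACK_MAX` constant and the sample inputs are hypothetical and constructed here. It shows the bounded forms of the two copies, refusing input that would not fit instead of checking after the damage is done.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not Iceni Argus code. It mirrors the two defects
 * described above: a copy into a fixed nine-slot array that never checks
 * the source size, and a strcpy whose length check comes too late.
 * Names (copy_real_args, name_add, OPSTACK_MAX) are hypothetical. */

#define OPSTACK_MAX 9   /* nine 4-byte slots, as in the advisory text */

/* Copy n operand values from src into a fixed nine-slot destination.
 * Returns 1 on success, 0 when n exceeds the destination capacity. */
int copy_real_args(uint32_t dst[OPSTACK_MAX], const uint32_t *src, size_t n)
{
    if (dst == NULL || src == NULL || n > OPSTACK_MAX) {
        return 0;                          /* refuse rather than overflow dst */
    }
    memcpy(dst, src, n * sizeof(uint32_t));
    return 1;
}

/* Bounded replacement for an unchecked strcpy(dest, src). The length
 * check runs before any byte is written; a check placed after strcpy
 * would execute only once the overflow had already happened.
 * Returns 1 on success, 0 when src (plus its NUL) does not fit. */
int name_add(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0) {
        return 0;
    }
    size_t len = 0;
    while (len < dst_size && src[len] != '\0') {   /* never scan past dst_size */
        len++;
    }
    if (len == dst_size) {
        return 0;                          /* too long, or not terminated in range */
    }
    memcpy(dst, src, len + 1);             /* copy including the terminator */
    return 1;
}

/* Small harness: feed a constructed operand list of n elements. */
int try_args(size_t n)
{
    uint32_t src[16];                      /* constructed input, larger than dst */
    uint32_t dst[OPSTACK_MAX];
    for (size_t i = 0; i < 16; i++) {
        src[i] = (uint32_t)i;
    }
    if (n > 16) {
        return 0;
    }
    return copy_real_args(dst, src, n);
}

/* Small harness: try to add a name into an 8-byte buffer. */
int try_name(const char *s)
{
    char buf[8];
    return name_add(buf, sizeof buf, s);
}
```

`try_args(9)` succeeds and `try_args(10)` is rejected, which is the check `getRealArgArray` lacked; `try_name("abcdefgh")` is rejected because eight characters plus the terminator do not fit in eight bytes, whereas the original code would have written them first and measured afterwards.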

Tested Versions

Iceni Argus Version 6.6.04 (Sep 7 2012) NK
Iceni Argus Version 6.6.04 (Sep 7 2012) NK - Linux x64
Iceni Argus Version 6.6.04 (Nov 14 2014) NK - Windows x64


Talos has released rules that detect attempts to exploit this vulnerability to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort Rules: 40336-40337, 40484-40487

Full Vulnerability Reports

Tuesday, October 25, 2016

Vulnerability Spotlight: LibTIFF Issues Lead To Code Execution

These Vulnerabilities were discovered by Tyler Bohan of Cisco Talos.

Talos is releasing multiple vulnerabilities (TALOS-2016-0187, TALOS-2016-0190 & TALOS-2016-0205) in the LibTIFF library. One vulnerability (TALOS-2016-0187) is an exploitable heap-based buffer overflow that impacts the LibTIFF TIFF2PDF conversion tool. Another vulnerability (TALOS-2016-0190) impacts the parsing and handling of TIFF images, ultimately leading to remote code execution. The final vulnerability (TALOS-2016-0205) is an exploitable heap-based buffer overflow in the handling of compressed TIFF images in LibTIFF's PixarLogDecode API. An attacker who can trick a user into processing a malformed TIFF document can use one of these vulnerabilities to achieve remote code execution on the targeted system.

The Tagged Image File Format (TIFF) was developed in the mid-1980s as a common file format able to store image data losslessly for the burgeoning image manipulation industry. Since then TIFF files have been widely adopted within the graphic arts industry, and also by electronic fax systems.

Monday, October 24, 2016

Pumpkin Spiced Locky

This post was authored by Warren Mercer & Edmund Brumaghin


We had .locky, we had .odin and then we had .zepto but today we hit rock bottom and we now have Locky using .shit as their encrypted file extension. In today's latest wave of spam, Talos has observed three distinct spam campaigns distributing the newest version of Locky ransomware. This comes after a seeming vacation for Locky for around two weeks. Using the LockyDump utility that was previously released by Talos, we were able to determine that there are distinct differences in the characteristics of the malware campaigns that seem to correlate with the Affiliate ID associated with the Locky binaries that are delivered by each campaign.

The technical details associated with the Locky ransomware family itself have been extensively documented and reported on, so we won't spend time providing an in-depth technical analysis of the ransomware family itself. This post highlights some of the distinct characteristics that we have observed for each campaign. We will summarize all Indicators of Compromise (IOCs) at the end of this post.

Wednesday, October 19, 2016

MBRFilter - Can't Touch This!

This post was authored by Edmund Brumaghin and Yves Younan

Update: 10/20/2016 - MBRFilter has been intentionally made difficult to remove to prevent malware from simply disabling or removing this protection during the infection process. Test thoroughly before deploying within production environments.


Ransomware has become increasingly prevalent in the industry, and in many cases, unless there is a publicly released decryptor available, there is often not an easy means of retrieving encrypted files once a system has been infected. In addition to the creation and maintenance of regular system backups, it is increasingly important to focus on a multi-tiered defense-in-depth network architecture in an effort to prevent initial endpoint infection. This is often difficult in an evolving threat landscape where new ransomware families are being developed and deployed seemingly every day by threat actors of varying levels of sophistication.

While many ransomware families focus on encrypting all or part of a target system's files, others, such as Petya, instead overwrite the contents of the Master Boot Record (MBR) to force a system reboot and then encrypt only the Master File Table (MFT) of the hard drive on infected systems, as a way to coerce users into paying the threat actors for the encryption keys required to decrypt their files.

To help combat ransomware that attempts to modify the MBR, Talos has released a new tool to the open source community, MBRFilter, a driver that allows the MBR to be placed into a read-only mode, preventing malicious software from writing to or modifying the contents of this section of the storage device.

Tuesday, October 18, 2016

Vulnerability Spotlight: Hopper Disassembler ELF Section Header Size Code Execution

Vulnerability Discovered by Tyler Bohan and Cory Duplantis of Cisco Talos

Talos has identified an exploitable out-of-bounds write vulnerability in the ELF Section Header parsing functionality of Hopper (TALOS-2016-0222/CVE-2016-8390). Hopper is a reverse engineering tool for macOS and Linux allowing the user to disassemble and decompile 32/64-bit Intel-based Mac, Linux, Windows and iOS executables. During the parsing of ELF section headers, a user-controlled size is not validated; a malicious threat actor could craft an ELF file with specific section headers to trigger this vulnerability, potentially leading to remote code execution. A malicious threat actor could use a zip file containing the crafted executable to target threat researchers, sent via phishing or file sharing sites. This type of exploit can also be used as an anti-analysis measure in an attempt to defeat sandboxes and automated disassembly.

Hopper has been updated; the changelog can be read at this URL:

Vulnerability Spotlight: Foxit PDF Reader JBIG2 Parser Information Disclosure

Vulnerability discovered by Aleksandar Nikolic of Talos.

Talos has identified an information disclosure vulnerability in Foxit PDF Reader (TALOS-2016-0201/CVE-2016-8334). A wrongly bounded call to `memcpy`, while parsing JBIG2 segments within a PDF file, can be triggered in Foxit PDF Reader, causing out-of-bounds heap memory to be read into a buffer. The `memcpy` call is properly sized for its destination, but the source is smaller than the size argument, so adjacent memory is copied into the buffer; heap metadata, addresses and pointers can be copied this way and later reused, disclosing the memory layout. Combined with another vulnerability, this information disclosure can be used to leak the heap memory layout and bypass ASLR. Phishing campaigns commonly use PDF files, as malicious attachments or linked downloads, to deliver malware.
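The failure mode here is the mirror image of a classic overflow: the destination is big enough, but the copy length is taken from the file rather than from what the input actually contains, so `memcpy` reads past the end of the parsed data. The C below is an added illustration for this page, not Foxit code. It uses a constructed toy segment format (1-byte type, 2-byte big-endian length, payload) standing in for JBIG2 segments; the names `parse_segment`, `copy_payload`, `count_valid_segments` and `sample_first_payload_len`, and the sample bytes, are all hypothetical. The parser refuses any segment whose declared length exceeds the bytes remaining in the input, which is the check that prevents the over-read.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not Foxit code. A toy segment format stands in for
 * JBIG2 segments: a 1-byte type, a 2-byte big-endian payload length, then
 * the payload. The point is that the copy length must be bounded by the
 * bytes actually present in the input, not only by the declared length.
 * The format, names and sample bytes are constructed for this example. */

typedef struct {
    uint8_t        type;
    uint16_t       len;
    const uint8_t *payload;   /* points into the input buffer */
} segment_t;

/* Parse the segment starting at *offset. Returns 1 and advances *offset on
 * success; returns 0 if the header or the declared payload is not fully
 * present, which is exactly the case where an unchecked memcpy would read
 * past the end of the input and pull in adjacent heap memory. */
int parse_segment(const uint8_t *buf, size_t buf_len, size_t *offset, segment_t *out)
{
    if (buf == NULL || offset == NULL || out == NULL) {
        return 0;
    }
    size_t pos = *offset;
    if (pos > buf_len || buf_len - pos < 3) {
        return 0;                                     /* header truncated */
    }
    uint16_t len = (uint16_t)(((uint16_t)buf[pos + 1] << 8) | buf[pos + 2]);
    size_t remaining = buf_len - pos - 3;
    if (len > remaining) {
        return 0;                                     /* declared > available */
    }
    out->type    = buf[pos];
    out->len     = len;
    out->payload = buf + pos + 3;
    *offset      = pos + 3 + len;
    return 1;
}

/* Copy a validated payload into a caller-supplied buffer; seg->len has
 * already been checked against the input, so only dst needs checking here. */
int copy_payload(const segment_t *seg, uint8_t *dst, size_t dst_size)
{
    if (seg == NULL || dst == NULL || seg->len > dst_size) {
        return 0;
    }
    memcpy(dst, seg->payload, seg->len);
    return 1;
}

/* Constructed input: one complete segment, then one whose header claims
 * 16 payload bytes while only 2 remain. */
static const uint8_t sample_input[] = {
    0x01, 0x00, 0x03, 'a', 'b', 'c',        /* type 1, len 3, payload "abc" */
    0x02, 0x00, 0x10, 'x', 'y'              /* type 2, len 16, only 2 bytes present */
};

/* Walk the input; returns how many segments were accepted. */
int count_valid_segments(const uint8_t *buf, size_t buf_len)
{
    size_t off = 0;
    int n = 0;
    segment_t seg;
    while (off < buf_len && parse_segment(buf, buf_len, &off, &seg)) {
        n++;
    }
    return n;
}

/* Parse the first segment of the sample and copy its payload; returns the
 * payload length on success or -1 on failure. */
int sample_first_payload_len(void)
{
    size_t off = 0;
    segment_t seg;
    uint8_t out[16];
    if (!parse_segment(sample_input, sizeof sample_input, &off, &seg)) {
        return -1;
    }
    if (!copy_payload(&seg, out, sizeof out)) {
        return -1;
    }
    return (int)seg.len;
}
```

On the constructed input the first segment parses and its three bytes are copied; the second is rejected because its header claims 16 bytes and only 2 follow. Without the `len > remaining` comparison, the copy would be "properly sized" for a 16-byte destination yet still read 14 bytes beyond the input, which is the shape of the Foxit bug described above.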

Thursday, October 13, 2016

LockyDump - All Your Configs Are Belong To Us

This post was authored by Warren Mercer and Matthew Molyett


Locky has continued to evolve since its inception in February 2016. This has made it difficult to track at times, due to changes in the way in which it's distributed as well as various characteristics of the malware itself. The actors responsible for Locky have continuously attempted to improve operational security (OPSEC) with regard to the tracking of affiliates making use of the ransomware. This post will discuss a new Locky configuration extractor that Talos is releasing, which we are naming 'LockyDump'. This is the first open source tool which can dump the configuration parameters used by all currently known variants of Locky, e.g. the .locky, .zepto & .odin based ransomware.

Using LockyDump you can run a known Locky sample within a virtualized environment and it will extract and provide all of the configuration information for the sample, including the AffilID associated with the sample. The latest variant of Locky made this extraction process increasingly difficult. Once this config extraction changed, Talos looked to reverse further Locky samples in an attempt to gain the all-important AffilID information. Obtaining the affiliate information for individual samples allows the historical tracking of Locky affiliates to identify trends and other characteristics on an individual affiliate basis, such as their primary distribution method of choice, e.g. through the use of Exploit Kits (EKs) or spam/phishing email.

Tuesday, October 11, 2016

Microsoft Patch Tuesday - October 2016

Patch Tuesday has once again arrived! Microsoft's monthly release of security bulletins to address vulnerabilities provides fixes for 37 newly disclosed security flaws. Today's release sees a total of 10 bulletins: five of the bulletins are rated critical and address vulnerabilities in Edge, Graphics Component, Internet Explorer, Video Control, and Adobe Flash Player. Four bulletins are rated important and address flaws in Office, Windows Diagnostic Hub, Windows Kernel-Mode Drivers, and Windows Registry. One bulletin is rated moderate and addresses a flaw in Microsoft Internet Messaging API.

Bulletins Rated Critical

The following bulletins are rated critical: MS16-118, MS16-119, MS16-120, MS16-122, MS16-127

MS16-118 and MS16-119 are this month's bulletins for Internet Explorer and Edge respectively. The Internet Explorer bulletin fixes 11 vulnerabilities while the Edge bulletin fixes 13 vulnerabilities. Seven vulnerabilities were found to affect both Edge and IE. The majority of the vulnerabilities fixed are memory corruption flaws that could lead to arbitrary code execution. Several privilege escalation and information disclosure flaws were also fixed in this month's release.

Monday, October 3, 2016

Vulnerability Spotlight: FreeImage Library XMP Image Handling Code Execution Vulnerability

This vulnerability was discovered by Yves Younan.

Talos, in coordination with FreeImage, is disclosing the discovery of TALOS-2016-0189 / CVE-2016-5684.


FreeImage is widely used software integrated into over 100 products ranging from free to paid licensing, including multimedia software, games, developer tools, PDF generators and more. FreeImage makes use of a common file format created by Adobe, Extensible Metadata Platform (XMP), that allows real-time management of metadata. Per Adobe, the XMP file format allows users to “embed metadata into files themselves during the content creation process”, and FreeImage 3.17.0's integration of this file format into its software is vulnerable to an overflow in the “Colors Per Pixel” value of an XMP image. Generally speaking, when FreeImage 3.17.0 opens an XMP file whose Colors Per Pixel value is too large, the value is not handled properly by the follow-on code in the function that uses it. You can liken it to taking a 99 oz. glass, turning on the faucet, and filling it up with 100+ ounces of water. The water spills over and gets into areas you don't want it to be. In technical terms, the large value is not properly validated during execution and it can trigger an out-of-bounds write. This causes an arbitrary memory overwrite that can effectively result in remote code execution. This is likely to be exploited if someone sends you a maliciously crafted image file as an email attachment or possibly via an instant message.

Due to the widespread integration and the relative ease with which the vulnerability can be exploited, we strongly encourage anyone using software that integrates FreeImage to patch their platforms as soon as possible.  A list of software can be found on FreeImage’s site here.

FreeImage patched this vulnerability in CVS on August 7th; however, they have not released a new version of the software. If you use FreeImage, it is recommended that you update to the CVS version to avoid being exposed to this vulnerability.

For the full technical details regarding this vulnerability, please refer to the vulnerability advisory which can be found on our website here.


Talos has released rules that detect attempts to exploit this vulnerability to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort Rules: 39883 & 39884

For further zero day or vulnerability reports and information visit: