CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Vulnerabilities’ Category

Sony USA PlayStation Website SQL Injected And Redirects Visitors To Fake Anti-Virus Scam

Wednesday, July 2nd, 2008

Sony’s USA PlayStation website, a site with a very large number of daily visitors according to Alexa, has been the victim of an SQL injection attack. Sony PlayStation’s site is another high-traffic web site that has fallen victim to the continuing waves of mass SQL injection attacks driven by botnets (the ASProx botnet, for example).

The purpose of this wave of attacks seems to be to dupe users into installing the same fake anti-virus software SophosLabs discovered on .MOBI websites earlier this week. Numerous malicious websites using the unusual .MOBI top-level domain attempted to load a script ‘AD.JS’ located in the root of each site. This in turn attempted to load another website, a fake anti-virus install site. The site pretends to do an online virus scan:

A bogus warning message is then displayed, saying that one or more of the following have been detected:

Trojan.Bakloma.A
Win32.Gattman.A
Trojan.Zapchas.F
JS.Blackworm.A
Trojan.Tibs.E
Win32.Netsky.P@mm
Trojan.Winsys
Trackware.Adctech2006
Downloader.TrafficSector
Adware.Roings

If you have seen/installed this software on your PC, consider running a trusted anti-virus as soon as possible, since your machine is infected.

After this, the user is encouraged to download and run an executable (installer.exe). This malware is detected as Mal/Packer by Sophos. If the installer is run, it installs further malicious files (Troj/FakeAV-AA) on the victim’s machine.

Visiting the affected PlayStation site runs a script that pretends to perform the same online security scan of your computer and presents the bogus warning message shown in the image above. Users frightened by the fake ‘warnings’ might rush to spend money on useless software.

The fact that the Sony PlayStation site has been attacked in this way suggests that someone with malicious intent could place other harmful malware there and infect a very high number of Sony PlayStation website visitors.

Sony PlayStation’s site hasn’t been singled out by hackers; it was hit automatically along with thousands of other pages that were SQL injected with the malicious coldwop.com domain (yet another SQL injection attack by Chinese hackers). There are no reports that Sony PlayStation’s database or customers’ private details were compromised; the flaw in Sony’s website only allowed the injection of redirection code that loads a script from a malicious site.
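The injected payload in these mass SQL injection waves is a script tag pointing at an outside domain, stored in database fields and then rendered into the site's pages. One way a site owner can detect that outcome is to scan the rendered HTML for script references to hosts outside a known allowlist. The following is an added example, not code from the post or from Sony; the allowlist hosts are assumptions, and the sample page is constructed, reusing the coldwop.com domain the post names as the injected redirector.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of hosts that a site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"us.playstation.com", "static.playstation.com"}

# Constructed sample page: two legitimate script tags plus one injected
# reference to the domain the post names as the injected redirector.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://static.playstation.com/lib.js"></script>
</head><body>
<div class="news">Latest title<script src="http://coldwop.com/ad.js"></script></div>
</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, wherever it sits in the page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us, so an
        # injected <SCRIPT SRC=...> is matched as well.
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def find_foreign_scripts(html, allowed_hosts):
    """Return script URLs that point at a host outside the allowlist.

    Relative URLs (no host) are same-origin and are not flagged; protocol-relative
    URLs such as //evil.example/x.js do carry a host and are checked like any other.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    flagged = []
    for src in collector.srcs:
        host = urlparse(src).hostname  # None for relative paths; already lower-cased
        if host is not None and host not in allowed_hosts:
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    for src in find_foreign_scripts(SAMPLE_HTML, ALLOWED_SCRIPT_HOSTS):
        print("injected external script:", src)
```

Running the check over a crawl of the site's own pages catches the symptom quickly; the cause, SQL statements built by string concatenation from request input, is fixed by parameterized queries, which no amount of output scanning replaces.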


Mozilla Fixes 12 Security Vulnerabilities In Firefox 2.0.0.15

Wednesday, July 2nd, 2008

Mozilla has released Firefox 2.0.0.15, which according to the release notes fixes 12 security vulnerabilities.

Here is the list of fixes in Firefox 2.0.0.15 from Mozilla’s website. Some of them are critical, so if you are running Firefox 2 you should update as soon as possible.

MFSA 2008-33 Crash and remote code execution in block reflow

MFSA 2008-32 Remote site run as local file via Windows URL shortcut

MFSA 2008-31 Peer-trusted certs can use alt names to spoof

MFSA 2008-30 File location URL in directory listings not escaped properly

MFSA 2008-29 Faulty .properties file results in uninitialized memory being used

MFSA 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X

MFSA 2008-27 Arbitrary file upload via originalTarget and DOM Range

MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()

MFSA 2008-24 Chrome script loading from fastload file

MFSA 2008-23 Signed JAR tampering

MFSA 2008-22 XSS through JavaScript same-origin violation

MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)

You can get the latest version of Firefox 2 here. If you are already a Firefox 2 user, you can also click “Check for updates…” under the “Help” menu.

SeaMonkey was also updated to version 1.1.10 and includes fixes for the same issues plus one additional critical vulnerability, so if you use it, it should also be updated.


25 Mac OS X Security Vulnerabilities Fixed in Apple’s 2008-004 Security Update

Monday, June 30th, 2008

Apple has shipped a new Mac OS X update that addresses 25 documented vulnerabilities that could lead to arbitrary code execution attacks. In this 2008-004 Security Update Apple fixes code execution flaws in Launch Services, SMB File Server, System Configuration, VPN and WebKit.

Fixes for six highly critical vulnerabilities in Ruby, a popular open-source scripting language, are also included. The update also installs a Tomcat patch that addresses nine vulnerabilities, the most serious of which may lead to a cross-site scripting attack.

Here is the list of vulnerabilities from Apple’s security bulletin:

Alias Manager (CVE-2008-2308): A memory corruption issue exists in the handling of AFP volume mount information in an alias data structure. Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution. This issue only affects Intel-based systems running Mac OS X 10.5.1 or earlier.

CoreTypes (CVE-2008-2309): This update adds .xht and .xhtm files to the system’s list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious payload.

c++filt (CVE-2008-2310): A format string issue exists in c++filt, which is a debugging tool used to demangle C++ and Java symbols. Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems prior to Mac OS X 10.5.

Dock (CVE-2008-2314): When the system is set to require a password to wake from sleep or screen saver, and Exposé hot corners are set, a person with physical access may be able to access the system without entering a password. This issue does not affect systems prior to Mac OS X 10.5.

Launch Services (CVE-2008-2311): A race condition exists in the download validation of symbolic links, when the target of the link changes during the narrow time window of validation. If the “Open ’safe’ files” preference is enabled in Safari, visiting a maliciously crafted website may cause a file to be opened on the user’s system, resulting in arbitrary code execution. This issue does not affect systems running Mac OS X 10.5 or later.

Net-SNMP (CVE-2008-0960): An issue exists in Net-SNMP’s SNMPv3 authentication, which may allow maliciously crafted packets to bypass the authentication check. Additional information is available from US-CERT.

Ruby: Multiple memory corruption issues exist in Ruby’s handling of strings and arrays, the most serious of which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of strings and arrays. Also, if WEBrick is running, a remote attacker may be able to access files protected by WEBrick’s :NondisclosureName option.

SMB File Server (CVE-2008-1105): A heap buffer overflow exists in the handling of SMB packets. Sending malicious SMB packets to an SMB server, or connecting to a malicious SMB server, may lead to an unexpected application termination or arbitrary code execution.

System Configuration (CVE-2008-2313): A local user may be able to populate the User Template directory with files that will become part of the home directory when a new user is created. This could allow arbitrary code execution with the privileges of the new user. This issue does not affect systems running Mac OS X 10.5 or later.

Tomcat: Tomcat version 4.x is bundled on Mac OS X v10.4.11 systems. Tomcat on Mac OS X v10.4.11 is updated to version 4.1.37 to address several vulnerabilities, the most serious of which may lead to a cross-site scripting attack. Further information is available via the Tomcat site.

VPN (CVE-2007-6276): A divide by zero issue exists in the virtual private network daemon’s handling of load balancing information. Processing a maliciously crafted UDP packet may lead to an unexpected application termination. This issue does not lead to arbitrary code execution.

WebKit (CVE-2008-2307): A memory corruption issue exists in WebKit’s handling of JavaScript arrays. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Along with this fix, the version of Safari for Mac OS X v10.5.4 is updated to 3.1.2.

Updates can be retrieved and installed using Mac OS X’s integrated update feature.


Cross-Domain Vulnerability In Microsoft Internet Explorer 6

Friday, June 27th, 2008

A new Microsoft Internet Explorer 6 vulnerability may allow a remote, unauthenticated attacker to execute arbitrary script in the context of another domain. Proof-of-concept code for this vulnerability is already available. The vulnerability could allow an attacker to take a variety of actions, including stealing cookies, hijacking a web session, or stealing authentication credentials. At this time, Internet Explorer 7 and Firefox do not appear to be affected by this issue.

The vulnerability is caused by an input validation error when handling the “location” or “location.href” property of a window object. It was first published two days ago in an article in the Chinese security e-zine pstzine. The issue is very similar to the “Ghost Page” issues in IE originally raised by security researchers Manuel Caballero and Fukami at Microsoft BlueHat 2008.

Until a patch is available, IE6 users should disable scripting in the browser. Another option is to upgrade to Microsoft Internet Explorer 7 or to use an alternative browser to mitigate the risk.


Trojan In The Wild Exploits Recently Discovered Bug In Mac OS X Remote Management

Sunday, June 22nd, 2008

Security researchers from SecureMac have discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing it through iChat, Apple’s instant messaging and video chat software, and LimeWire.

Researchers at SecureMac, a Mac-specific anti-virus vendor, discovered the Trojan on June 19. The Trojan, AppleScript.THT, was classified as a “critical” threat. SecureMac’s warning came one day after an anonymous reader disclosed a few details of the ARDAgent vulnerability on Slashdot.org, and on the same day that rival security vendor Intego provided more information about the bug.

The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger’s and Leopard’s Remote Management component. Composed as a compiled AppleScript or, in another variant, as a script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.

The Trojan horse runs hidden on the system and allows a malicious user complete remote access to it. It can transmit system and user passwords and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.

The Trojan is distributed as either a compiled AppleScript called ASthtv05 (60 KB in size) or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it moves itself into the /Library/Caches/ folder and adds itself to the System Login Items.

Like any Trojan horse, AppleScript.THT does not spread on its own but relies on user interaction, such as downloading and launching, to infect a machine. Trojans can also be silently introduced onto a computer if injected after a successful attack using another vulnerability, such as a browser bug.

Users can protect themselves by removing ARDAgent from its normal location, /System/Library/CoreServices/RemoteManagement, and archiving the application. MacScan 2.5.2 (software by SecureMac) can also protect your system against this threat if you have the latest Spyware Definitions update (2008011), dated June 19th. SecureMac recommends that users download files only from trusted sources and sites.


New Firefox 3.0 Is Vulnerable To High-Severity Code Execution

Wednesday, June 18th, 2008

A code execution vulnerability found in the newly released Firefox 3.0 could allow an attacker to execute arbitrary code, permitting the attacker to completely take over the vulnerable process and potentially to take complete control of the machine running it. The flaw found in Firefox 3.0 is considered a high-severity risk and also affects earlier versions of Firefox 2, including the latest 2.0.0.14.

Several hours after the official release, an unnamed researcher sold a critical code execution vulnerability to TippingPoint’s Zero Day Initiative (ZDI), a company that buys exclusive rights to software vulnerability data. The vulnerability puts Firefox 3.0 users at risk of PC takeover and malware infection attacks.

Technical details are being withheld until Mozilla’s security team develops a patch. TippingPoint researchers continue to study the flaw to determine whether user interaction, such as clicking on a link or visiting a malicious web page, is required for successful exploitation.

Until there is a patch, Firefox users should avoid clicking on links that arrive via e-mail or in IM messages from unknown or suspicious sources. At this point, there are no reports of this issue being exploited.


New Zlob Trojan Version Alters Wireless Router Settings And Hijacks DNS

Thursday, June 12th, 2008

Recent versions of the notorious “Zlob” Trojan check the victim’s machine for a wireless or wired hardware router. The Trojan attempts to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the router’s domain name system (DNS) settings so that all future traffic passes through the attacker’s network first. DNS translates names into IP addresses, and changed settings could expose the victim’s Internet traffic.

The new Zlob Trojan, also known as DNSChanger, uses the same old technique and presents itself as a video codec required to view content on certain infected websites. Once installed on the system, it tries to change key settings on the victim’s Internet router so that all of the victim’s Web traffic is routed through servers controlled by the attackers. The DNS hijack occurs while the installer program runs, so by the time the user sees the fake codec installer screen, the malware has already attempted to change the DNS settings on the victim’s router.

This appears to be the first time this behavior has been spotted in malware released into the wild. The new function should worry users, since Zlob is among the most “popular” types of Trojans downloaded onto Windows machines (Microsoft reports 14.3 million instances of Zlob-related malware removed from customer machines in the second half of 2007).

A Windows user with a machine infected with a Zlob/DNSChanger variant may succeed in cleaning the malware off the computer completely but still leave the network compromised. Users will not look at the router settings if the Internet connection seems to be functioning fine. In reality, the router might still be sending traffic to malicious logging servers even when the system is virus-free.

Sunbelt confirms that the malware successfully changes DNS settings on a Linksys router (model BEFSX41). It was a new, out-of-the-box unit with the default username and password. Another test showed that the Zlob variant successfully changed the DNS settings on a Buffalo router running the DD-WRT open source firmware.

Sunbelt also found that if multiple machines use the same router, all of the systems connected to that router will have their traffic hijacked. According to Eric Sites, chief technology officer at Sunbelt, this is something they have not seen before, and it was only a matter of time before someone started using this attack. Sites said his team is testing the new Zlob variants against multiple routers to see how they fare against the malware.

Captured traffic shows that the new Zlob variant tries to reconfigure different routers by requesting the local Web pages of the various “setup wizards” that ship with the devices. A router on a network with machines infected by Zlob/DNSChanger should be reset to its default configuration if the settings have been changed. If there are other Zlob-infected machines using the same router, they will need to be cleared of the Trojan before resetting the router. Otherwise, the malware will simply go back and change the router’s DNS settings a few minutes after the reboot. You will need to reconfigure any security settings you had in place prior to the reset.
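Because the router, not the PC, holds the changed setting, the tell-tale sign survives a clean-up of the infected machine: the resolvers the router hands out via DHCP are no longer the ISP's or the router's own address. The following added example (not code from Sunbelt or the post) parses the DNS-server entries out of Windows `ipconfig /all` output and flags any resolver outside an expected set. The ipconfig text is a constructed sample with documentation-range addresses standing in for attacker servers, and the expected resolver list is an assumption a network owner would fill in with their own router and ISP addresses.

```python
import ipaddress
import re

# Constructed sample in the layout of Windows "ipconfig /all" output. The two
# resolvers are documentation-range addresses standing in for attacker servers.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       203.0.113.6
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Hypothetical: the resolvers this network is expected to use, i.e. the router
# itself plus an invented ISP resolver range.
EXPECTED_RESOLVERS = ["192.168.1.1/32", "198.51.100.0/24"]

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_dns_servers(ipconfig_text):
    """Extract IPv4 DNS server entries, including the indented continuation lines
    ipconfig prints for the second and later resolvers."""
    servers = []
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        if "DNS Servers" in line:
            in_dns_block = True
            value = line.partition(":")[2].strip()
            if IPV4.fullmatch(value):
                servers.append(value)
            continue
        if in_dns_block:
            value = line.strip()
            if IPV4.fullmatch(value):
                servers.append(value)
                continue
            in_dns_block = False  # any other line ends the resolver list
    return servers


def unexpected_resolvers(servers, expected_networks):
    """Return the resolvers that fall outside every expected network."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    flagged = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)  # unparsable entry is worth a look too
            continue
        if not any(addr in net for net in nets):
            flagged.append(server)
    return flagged


if __name__ == "__main__":
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    for bad in unexpected_resolvers(found, EXPECTED_RESOLVERS):
        print("resolver not on the expected list:", bad)
```

The same comparison applied to the router's own DHCP/DNS page is the more direct check, but the client-side view is what a user cleaning a PC actually has in front of them, and a mismatch there is the cue to reset the router as the post describes.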

Credit: Sunbelt Blog, Washingtonpost Security Fix Blog


Critical Flaws Patched By Apple in QuickTime 7.5 Update

Tuesday, June 10th, 2008

Apple has released QuickTime 7.5, which fixes a number of security bugs. The update is rated highly critical and patches at least five code execution vulnerabilities on Windows XP, Windows Vista and Mac OS X. It fixes multiple buffer overflows, memory corruption issues and URI handling flaws that could allow malicious hackers to launch exploits through QuickTime movie or image files.

Apple’s security improvements include fixes for:

CVE-2008-1581 (for Windows Vista and Windows XP SP2): An issue in QuickTime’s handling of PixData structures when processing a PICT image may result in a heap buffer overflow. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems running Mac OS X.

CVE-2008-1582 (for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): A memory corruption issue exists in QuickTime’s handling of AAC-encoded media content. Opening a maliciously crafted media file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of media files.

CVE-2008-1583 (for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): A heap buffer overflow exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

CVE-2008-1584 (for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): An issue in QuickTime’s handling of Indeo video codec content may result in a stack buffer overflow. Viewing a maliciously crafted movie file with Indeo video codec content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering Indeo video codec content.

CVE-2008-1585 (for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): A URL handling issue exists in QuickTime’s handling of file: URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content in QuickTime Player. This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them.


Cross-Site Scripting Vulnerability On Dogpile.com Helps Malware Spam Distributors

Monday, June 9th, 2008

Over the last few months, endless malware campaigns have abused Google and DoubleClick redirect links in their spam. Clicking such a safe-looking link results in a redirection to a malware-hosting site and an infection of the user’s Windows machine.

Even though it took Google some time to close this redirection, the malware authors have successfully switched to a Dogpile.com redirection vulnerability. Here is an example of the Dogpile.com cross-site scripting vulnerability that allows redirection of visitors who click a link originating from the dogpile.com domain:

http://www.dogpile.com/clickserver/_iceUrlFlag=1?rawURL=http://CNN.com&0=

Clicking this link is safe; it just redirects you to CNN.com. Malware authors are actively using this redirection to infect users by sending them confusing, safe-looking links to exploit-hosting sites. The sad thing about it is that another redirection vulnerability on Dogpile was discovered and reported back in November 2007. It is still unfixed.

Google has done quite a bit to fix the redirection problem, and Dogpile should also fix it soon (hopefully), but the party will just move on to a different location. A good example is a redirection vulnerability on Devicelock.com, reported by XSSed and still unfixed.
DeviceLock, Inc. is a “worldwide leader in endpoint device control security” and on their website they offer a security solution that prevents unauthorized access to USB devices. They proudly use a Content Management System (CMS) called Bitrix, and here is the redirection example on their website:

http://www.devicelock.com/bitrix/redirect.php?event1=demo_out&event2=sm_demo&event3=pdemo&goto=http://CNN.com

Let’s say an average user receives an email with a link like the one above. The email says that he has won some free DeviceLock promotional product and all he needs to do to claim it is click that link. The user clicks the link, is redirected to a malware-hosting site, and another Windows machine probably gets infected. Although the number of popular and trusted domains is limited, it seems malware spam will keep carrying such redirection links for a long time.
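Both redirectors above take a destination straight from a query parameter and send the browser there, which is what lets a link on a trusted domain land on an attacker's site. The fix on the server side is to validate the destination before redirecting. The following is an added example, not the Dogpile or DeviceLock code and not Bitrix's: it accepts only site-relative paths or http(s) URLs whose host is on an allowlist (the allowlisted hosts are an assumption) and falls back to the site root otherwise, and it shows the DeviceLock link from the post being rejected.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical: the only hosts this site's redirector may send a browser to.
ALLOWED_REDIRECT_HOSTS = {"www.devicelock.com", "devicelock.com"}


def is_safe_redirect(target, allowed_hosts):
    """Accept a site-relative path or an http(s) URL whose host is allowlisted."""
    if not target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path. Reject "//host" (scheme-relative, would leave the
        # site) and backslashes, which some browsers normalise to "/".
        return target.startswith("/") and not target.startswith("//") and "\\" not in target
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, file: and friends
    host = parts.hostname  # lower-cased, with userinfo ("trusted@evil") and port stripped
    return host is not None and host in allowed_hosts


def resolve_redirect(target, allowed_hosts, fallback="/"):
    """The destination the redirect handler should actually use."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback


def redirect_target_from_url(url, param):
    """Pull the redirect parameter out of a full link, as the post's examples carry it."""
    values = parse_qs(urlsplit(url).query).get(param, [])
    return values[0] if values else ""


# The DeviceLock link quoted in the post, joined onto one line.
DEVICELOCK_LINK = ("http://www.devicelock.com/bitrix/redirect.php?"
                   "event1=demo_out&event2=sm_demo&event3=pdemo&goto=http://CNN.com")

if __name__ == "__main__":
    goto = redirect_target_from_url(DEVICELOCK_LINK, "goto")
    print(goto, "->", resolve_redirect(goto, ALLOWED_REDIRECT_HOSTS))
```

Where a redirector genuinely has to send users off-site (click tracking to arbitrary advertisers, say), the usual alternative to an allowlist is to accept only destinations the server itself minted, for example an opaque id looked up in a table, or a URL carrying an HMAC the server issued; a raw URL in the query string is the thing to avoid.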


Skype File URI Security Bypass Code Execution Vulnerability

Thursday, June 5th, 2008

Skype has released a security bulletin to address a remote vulnerability caused by an error in the handling of “file:” URIs. By convincing a user to click on a specially crafted “file:” URI, a remote, unauthenticated attacker may be able to execute arbitrary code on the victim’s machine.

Skype’s URI handler checks the URL to verify that the link does not contain certain file extensions associated with executable file formats. If the link is found to contain a blacklisted executable extension, a security warning dialog is shown to the user. The check is performed using a case-sensitive comparison. Another flaw in the check is that the blacklist does not cover all potential executable file formats. Together these allow an attacker to bypass the security policy and execute arbitrary code if a victim clicks an attacker-supplied URL.

All versions of Skype for Windows prior to and including 3.8.*.115 are vulnerable to this attack. Skype has fixed the vulnerability in version 3.8.0.139.

Users should review Skype security bulletin SKYPE-SB/2008-003 and upgrade to Skype version 3.8.0.139. The preferred method for installing security updates is to download the software directly from Skype’s website, from the website of Skype’s authorized partners, or from a reliable mirror site. Skype may also be safely downloaded from other locations, but in this case it is particularly important that you verify the authenticity of the download.
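The two weaknesses the bulletin describes, a case-sensitive comparison and an incomplete blacklist, are a general pattern in file-type checks, and the usual hardening is to normalize the name first and to allowlist the few types that are safe to open silently rather than enumerate the dangerous ones. The following added example (not Skype's code; both extension lists are hypothetical) puts a check of the flawed shape beside a hardened one so the difference shows on concrete URIs.

```python
import os
from urllib.parse import urlsplit, unquote

# Hypothetical: a short, case-sensitive blacklist, the shape of check the bulletin describes.
FLAWED_BLACKLIST = {".exe", ".bat", ".cmd", ".com"}

# Hypothetical allowlist of extensions a chat client is willing to open without a warning.
SAFE_EXTENSIONS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def flawed_needs_warning(uri):
    """Blacklist compared case-sensitively against the raw path: ".EXE", ".scr"
    and "run.exe." (trailing dot) all slip past it."""
    path = urlsplit(uri).path
    return any(path.endswith(ext) for ext in FLAWED_BLACKLIST)


def normalized_extension(uri):
    """Percent-decode, drop the trailing dots and spaces Windows ignores when
    opening a file, then lower-case the extension."""
    path = unquote(urlsplit(uri).path).rstrip(". ")
    return os.path.splitext(path)[1].lower()


def hardened_needs_warning(uri):
    """Warn unless the normalized extension is on the allowlist, so formats the
    blacklist never heard of are treated as dangerous by default."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "file":
        return True  # this checker only vouches for local file: links
    return normalized_extension(uri) not in SAFE_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample links; the paths are placeholders.
    for uri in ("file:///C:/tools/run.exe", "file:///C:/tools/run.EXE",
                "file:///C:/tools/run.scr", "file:///C:/tools/run.exe.",
                "file:///C:/docs/readme.txt"):
        print(f"{uri}: flawed={flawed_needs_warning(uri)} hardened={hardened_needs_warning(uri)}")
```

The allowlist approach also answers the "forgot a format" problem directly: a new executable type needs no update to the checker, because it is not on the safe list to begin with.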


HP Instant Support ActiveX Control Multiple Vulnerabilities

Wednesday, June 4th, 2008

A customer support application that comes bundled with HP PCs has been found to contain multiple security vulnerabilities. The vulnerabilities were reported by Dennis Rand from CSIS (Security Research and Intelligence Security) in HP Instant Support 1.x and can potentially be exploited by malicious people to bypass certain security restrictions and compromise a user’s system.

The pre-installed software is designed to make it easy for users to keep drivers and HP software automatically updated. Flaws in ActiveX components within HP Instant Support give rise to multiple vulnerabilities that lend themselves to drive-by download malware attacks in cases where Windows users running the vulnerable software stray onto insecure or hacker-controlled websites, the CSIS Group warns.

Some vulnerabilities are caused by boundary errors within the “ExtractCab()”, “GetFileTime()”, “MoveFile()”, and “RegistryString()” methods of HPISDataManager.dll. These can be exploited to cause a buffer overflow via an overly long string passed to the affected methods when a user e.g. visits a malicious web page. The HPISDataManager.dll ActiveX control also contains insecure methods “AppendStringToFile()”, “DownloadFile()”, “StartApp()”, and “DeleteSingleFile()”, which can be exploited to e.g. overwrite, delete, and execute arbitrary files on a user’s system, or to download files into the location of the ActiveX component, by tricking a user into visiting a malicious web page. HP Instant Support HPISDataManager.dll version 1.0.0.22 and earlier are vulnerable.

A CSIS advisory containing proof of concept demos of the flaws can be found at http://www.csis.dk/dk/forside/CSIS-RI-0003.pdf

In December last year two ActiveX bugs gave hackers a way to either crash or inject hostile code onto HP PCs running either HP Software Update or HP Info Center, so this is not the first trouble HP has had with rogue ActiveX controls in its pre-installed utilities.

Users need to upgrade to version 1.0.0.24 as explained in a security bulletin from HP.


Social Networks Information Sharing Flaw Exposes Private MySpace Users Photos

Wednesday, June 4th, 2008

The recently introduced data availability initiative at MySpace, which allows everyone to share their profile data with other community and social networking sites across the Web, is vulnerable to a major privacy flaw exposing the private photos of MySpace users. The flaw is in a system that helps the social-networking site share information with other Web sites.

Thanks to data portability, a technology that allows personal information to be shared between social networks and other websites, one can see any profile on MySpace. For example, pictures of Paris Hilton and Lindsay Lohan from private MySpace profiles can already easily be seen by anyone on the Internet, since those two celebrities are, as usual, the first to be hit.

Byron Ng, a computer technician who earlier this year found a way to access Paris Hilton’s Facebook page, disclosed at the Valleywag blog a 15-step process that allows people to see supposedly private pictures and other information by first logging into Yahoo. Yahoo’s integration with MySpace makes it easy to view photos for any profile.

Byron’s instructions involve no real hacking or unauthorized access. They work because Yahoo allows its users to add MySpace profiles to their cell phones without checking their credentials: it requires a login, but accepts any login, not the specific user’s login.

Here are the instructions for viewing any MySpace profile, as posted on Valleywag:

1. You’ll need a Yahoo account. Go to www.yahoomail.com and create a Yahoo account if you don’t have one already. You will also need to go to www.myspace.com to sign up for a MySpace account first, if you don’t have one already.

2. Go to http://beta.m.yahoo.com/w/gallery/widget and click on the ‘mail’ button under “sign in to yahoo!”.

3. Click on ‘click here to sign in’.

4. Enter your Yahoo ID and Yahoo password.

5. Then, in the white box at the top of the screen, enter: myspace, then click Search Widgets Gallery.

6. You will see a green box in the middle with the word ‘myspace’ in it.

7. Click the green myspace.

8. In the middle of the screen it says “add it”; click that.

9. Click yes when it asks you about sharing info.

10. Go here: http://beta.m.yahoo.com/w/gallery/widget.

11. Enter myspace into the box. Click search widgets gallery.

12. Click on the green myspace. Now, since you have already set it up in the previous steps, it won’t ask you to download again.

13. Click on ‘go to widget’ (that’s right below the ‘already added it’ text).

14. Now sign in to MySpace.

15. Now take the URL I asked you to save above before step 1: http://beta.m.yahoo.com/w/myspace/profile/en.osl?userID=16527727 and click on it. It may ask you to sign into Yahoo or MySpace; sign in as appropriate. Now you should be able to see the person’s pictures. If you can only see your own profile, then click on it again: http://beta.m.yahoo.com/w/myspace/profile/en.osl?userID=16527727 and it will work.
