Archive for the 'Exploit Research' Category

Honey, I missed the ‘()’!!: Zero-Day Bug fixed in PHP

Sometime back we had come across this interesting vulnerability posted by a Chinese researcher in his blog, claiming to have found a zero day vulnerability in php 5.2.3.

We got a chance to dig a bit deeper into this and were able to reproduce the vulnerability based on the information provided in the blog. After investigation, we found that this vulnerability affects not only version 5.2.3 but also version 5.2.5. It is a heap overflow that can be triggered when a web server running PHP receives a malformed URI request; the request can be as simple as “GET /index.php/aa HTTP/1.1”. Successful exploitation can result in arbitrary code execution with the privileges of the web server.

This happens because the author misplaced a bracket, so the size of the buffer is miscalculated, which can result in a heap overflow. Fixing the issue is just as simple: in \sapi\cgi\cgi-man.c, grep for “ptlen + env_path_info ? strlen(env_path_info) : 0;” and replace it with “ptlen + (env_path_info ? strlen(env_path_info) : 0);”.
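To show why one missing pair of parentheses changes the buffer size, here is an added example that is not PHP's own code: it models the two expressions quoted above side by side. The names `pt` (the translated script path) and `env_path_info` (the PATH_INFO the web server passes in) follow the quoted line, but the functions, the `build_path_translated` helper and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The expression as quoted from the unpatched source. The conditional
 * operator binds more loosely than '+', so C parses this as
 *   (ptlen + env_path_info) ? strlen(env_path_info) : 0
 * The length of pt is therefore dropped whenever env_path_info is set.
 * (With env_path_info == NULL the condition is still non-zero and the
 * expression would even call strlen(NULL), so do not call it that way.) */
size_t buggy_path_translated_len(const char *pt, const char *env_path_info)
{
    size_t ptlen = strlen(pt);
    return ptlen + env_path_info ? strlen(env_path_info) : 0;
}

/* The fixed expression: the parentheses limit the conditional to the
 * PATH_INFO part, so the result covers both components. */
size_t fixed_path_translated_len(const char *pt, const char *env_path_info)
{
    size_t ptlen = strlen(pt);
    return ptlen + (env_path_info ? strlen(env_path_info) : 0);
}

/* Bytes the concatenation pt + env_path_info really occupies (no NUL). */
size_t bytes_needed(const char *pt, const char *env_path_info)
{
    return strlen(pt) + (env_path_info ? strlen(env_path_info) : 0);
}

/* 1 if a buffer sized by len_fn is smaller than the data written into it,
 * i.e. the copy would run past the end of the heap allocation. */
int would_overflow(size_t (*len_fn)(const char *, const char *),
                   const char *pt, const char *env_path_info)
{
    return len_fn(pt, env_path_info) < bytes_needed(pt, env_path_info);
}

/* Builds the joined path the safe way: size with the fixed length, then
 * copy with explicit bounds. Caller frees the result. (Constructed helper.) */
char *build_path_translated(const char *pt, const char *env_path_info)
{
    size_t len = fixed_path_translated_len(pt, env_path_info);
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    size_t ptlen = strlen(pt);
    memcpy(buf, pt, ptlen);
    if (env_path_info)
        memcpy(buf + ptlen, env_path_info, strlen(env_path_info));
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed inputs modelled on the request GET /index.php/aa */
    const char *pt = "/var/www/html/index.php";
    const char *pi = "/aa";

    printf("buggy length: %zu, fixed length: %zu, bytes needed: %zu\n",
           buggy_path_translated_len(pt, pi),
           fixed_path_translated_len(pt, pi),
           bytes_needed(pt, pi));
    printf("buggy expression undersizes the buffer: %s\n",
           would_overflow(buggy_path_translated_len, pt, pi) ? "yes" : "no");

    char *joined = build_path_translated(pt, pi);
    if (joined) {
        printf("safe result: %s\n", joined);
        free(joined);
    }
    return 0;
}
```

For the constructed request the buggy expression yields 3 (the length of "/aa" alone) where 26 bytes are needed, which is exactly the kind of undersized allocation the post describes; compiling with warnings enabled (`-Wall`) also flags the unparenthesised form, a cheap check worth keeping on in any C build.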

This is one of the classic examples of small human errors (sometimes even typos) that can result in vulnerabilities.

We reported this issue to the PHP dev team almost immediately after we learned of it in the wild, and they have just released a patch. We highly recommend that users update to the latest version, PHP 5.2.6. Besides this issue, the release fixes a host of other security problems, some of which we deem critical. This specific issue affects the FastCGI packages of PHP.

This issue has been given the identifier CVE-2008-0599.

We shall continue to monitor this threat and update if we come across anything malicious.

NULL Pointer Exploitation Causes Concern

Some news is in circulation regarding a recently disclosed (and patched) vulnerability in Adobe’s Flash. The attack used dereferenced NULL pointers, which were believed to be very hard to exploit.

The findings were first revealed in a paper called “Application-Specific Attacks: Leveraging the ActionScript Virtual Machine,”(pdf) by Mark Dowd. The paper described a new technique for causing exploitable memory corruption vulnerability in Adobe’s Flash. Whilst the technique has targeted the ActionScript Virtual Machine for Win32/Intel platform, it’s understood that the attack could be carried out on any other platforms where Flash is available. The real question is whether this attack can be more generic to target dereferenced NULL pointers in general!

It is possible to do so, but it’s not that easy. There are certain conditions an exploit of this type has to satisfy before reaching the ultimate goal. Dowd used some wacky techniques to inject malicious ActionScript byte code into Flash runtime (basically by crafting an SWF with something to trigger the vulnerability and point the execution to another loaded-in-memory part of the file that had the malicious content). Then he forced malloc() to fail by trying to allocate some huge memory chunk. When malloc() failed, it returned NULL.

(OK, at this step a program trying to access a NULL pointer would basically crash, and something to check for malloc() return value is necessary to prevent that crash.)

In this case, Flash didn’t check for malloc() failure and did some pointer arithmetic operation to add the value of the pointer (NULL here) to some offset. Now, this “offset” was controllable, and this is where Dowd had preloaded his malicious content. (Don’t get too excited, folks. There were quite a few other conditions that Dowd’s exploit had to meet before loading his payload. But I’m eliminating a lot of details to present the overall picture). So now we have a pretty successful and reproducible exploit on Flash ActionScript VM. It even bypassed Vista’s ASLR because Vista’s Flash was compiled with the runtime security bit off.
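The two ingredients the post describes, an allocation that fails without being checked and a controllable offset added to the resulting NULL, can be shown safely in a few lines. The following is an added example, not Adobe's or Dowd's code; the bounded allocator, the function names and the sizes are constructed so the example runs offline, and it computes where a write would land as an integer rather than performing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed allocator that refuses requests above a limit, standing in
 * for "force malloc() to fail by asking for a huge chunk". */
#define ALLOC_LIMIT ((size_t)1 << 20)
static void *bounded_malloc(size_t n)
{
    return n > ALLOC_LIMIT ? NULL : malloc(n);
}

/* Address that buf[offset] refers to, as an integer (no dereference). */
uintptr_t target_address(const unsigned char *buf, size_t offset)
{
    return (uintptr_t)buf + offset;
}

/* Unchecked pattern from the post: the allocation result is used as a
 * base pointer without testing it. When the allocation fails, the "base"
 * is NULL and the write lands at address == offset, i.e. wherever the
 * supplier of the offset chooses. Returns that address for inspection. */
uintptr_t unchecked_store_address(size_t request, size_t offset)
{
    unsigned char *buf = bounded_malloc(request);
    uintptr_t where = target_address(buf, offset);   /* no NULL check here */
    free(buf);
    return where;
}

/* Hardened pattern: refuse before any pointer arithmetic if the
 * allocation failed, and bound the index by the size actually obtained.
 * Returns 1 and the address on success, 0 on refusal. */
int checked_store(size_t request, size_t offset, unsigned char value,
                  uintptr_t *where)
{
    if (request == 0 || offset >= request)
        return 0;                         /* index outside the object */
    unsigned char *buf = bounded_malloc(request);
    if (buf == NULL)
        return 0;                         /* allocation failed: stop here */
    buf[offset] = value;                  /* now provably inside buf */
    *where = target_address(buf, offset);
    free(buf);
    return 1;
}

int main(void)
{
    size_t huge = (size_t)1 << 30;        /* constructed: exceeds ALLOC_LIMIT */
    size_t offset = 0x1000;               /* constructed "controllable" offset */
    uintptr_t where;

    printf("unchecked: write would land at 0x%lx (== offset)\n",
           (unsigned long)unchecked_store_address(huge, offset));
    printf("checked:   store accepted? %d\n",
           checked_store(huge, offset, 0x41, &where));
    printf("checked:   in-bounds store on a 64-byte object accepted? %d\n",
           checked_store(64, 10, 0x41, &where));
    return 0;
}
```

The checked version catches both failure modes the post alludes to: the allocation that returned NULL, and an offset that is legitimate-looking but larger than the object. Compiling with `-fsanitize=address` or running under a NULL-page-protected platform would catch the dereference at runtime, but the return-value check is what keeps the bug out of the binary in the first place.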

Now, scaling this attack against native code is more difficult in spite of the success it had against ActionScript VM. We will still be looking for a controllable offset and a place to preload our payload. Nevertheless, it is still a neat discovery when taking into consideration the level of complexity needed to load the malicious payload.

This discovery reflects a trend that it is possible to circumvent runtime security countermeasures such as ASLR and the like by targeting other environments with higher privileges running on top of the native platform. And if you’re involved in any secure development lifecycle, you’d better go and check your code!

Potential Microsoft Works ActiveX Zero-Day Surfaces

A Microsoft Works ActiveX potential zero-day threat has been disclosed on a handful of Chinese blog sites. This threat was originally posted as a proof of concept that caused a Windows host to crash, but very soon after, a working exploit was posted. (Show of hands: Who’s surprised?)

Here’s the meat of this: The flaw lies in an ActiveX component of Microsoft Works Image Server (WkImgSrv.dll). Yes, it appears successful exploitation would allow for code execution via a controlled pointer. For this to occur, the victim would need to visit a malicious Web site.

On the plus side, this control is not marked safe, and attempts to use it should be accompanied with a warning from Internet Explorer. Even though this is the case, you will want to set the kill bit for clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6 to help mitigate. Initial testing on Windows XP SP2 and Internet Explorer 7 shows this to be easily exploitable once past the “warning” hurdle.

In the meantime, McAfee Avert Labs will continue researching this issue.

Good Offense Not the Best Anti-Virus Defense

There was an interesting article in InformationWeek this morning about a couple of security researchers who have presented the possibility of using offensive technologies to go after hackers. The most recent was Joel Eriksson from Bitsec, who presented at RSA last week about exploiting security holes in remote-access Trojans.

The article also brings up a five-year-old example of an earlier attempt at offensive technology to be used against hackers. In this case, Tom Liston created a tool called LaBrea (after the tar pits) that would ensnare computers which were being used to attack it either intentionally or due to worm infection.

There are plenty of people within the security industry who would like to be able to employ these tactics. The urge to take a pound of flesh for the late nights and weekends spent dealing with malware attacks is certainly understandable. But I know very few people in this industry who actually think it’s a sound idea, or worth the potential legal trouble.

Just as there are few locales where it is legal for you to shoot an intruder in your home, there are few locales where it is legal for you to attack those who intrude on your computer. Even in those locales where it is not illegal to attack an intruder, you must take into consideration the possible court costs. It’s highly likely the survivor (either the intruder or a family member) will sue you, and it will take some time with a lawyer to defend yourself against these charges. It’s entirely possible that a hacker or a worm-infected user would do likewise.

This is still assuming that your case was reasonably clear-cut, that it was genuinely a hacker or worm infection that was coming after you. It could just as easily be used as a sort of alternate flavor of Denial of Service attack–spoof the traffic or exploit a machine for the purpose of making it a target.

The general computing population is not particularly knowledgeable about the inner workings of their machines; some say there should be licensing such as for driving a car. It’s my opinion that there would first have to be this sort of licensing, and then a permit akin to a “Concealed Carry Permit” before this could be considered a good idea.

The Internet is a scary enough place without adding even more unskilled attackers.

MS08-021 Exploit Activity Increasing

Last week we discussed the fact that Microsoft credited three different researchers for reported CVE-2008-1087 during our monthly Patch Tuesday podcast. The fact that several independent researchers reported the issue suggested that others may not be far behind. This CVE pertains to the Microsoft Graphics Rendering Engine, which has a history of exploitation. In fact, McAfee’s Exploit-WMF detection for MS06-001 exploits was one of the top reported detections around the time that a patch was released. An exploit toolkit was released prior to the patch, which helped contribute to the number of exploits floating around. History may be repeating itself, though out of sequence.

Last Friday the first MS08-021 exploit was discovered in the field, three days after the issue was patched; and though it was not widespread, the discovery of the exploit did highlight the fact that attackers were actively working with exploit code. Today a basic exploit toolkit was posted publicly; and while this new toolkit is primitive, it may very well lead to “one-upmanship” and the distribution of a more powerful tool.

Given the fact that a patch was released prior to this recent exploit activity, it is unlikely that MS08-021 attacks will reach the level of MS06-001 attacks. However, there are still many, many vulnerable systems out there, and we’ve seen prevalent exploits that have lasted for years after the issue was patched.

MoAB is Upon Us!

No, it’s not a Massive Ordnance Air Blast Bomb, thankfully. But could users of Apple software feel that it’s really that bad? January 2007 is the Month of Apple Bugs (MoAB), in which a new Apple-related vulnerability is announced for every day of the month.

The first two MoAB bugs affect Apple Quicktime and VLC Media Player respectively. If exploited, both bugs would allow remote code execution — however user interaction is needed.

MoAB is a project similar to November 2006’s Month of Kernel Bugs (MoKB). The bugs released during the MoKB affected software from a gamut of vendors, including Apple, Linux, Microsoft, NetGear, and others. In both projects, security researchers announce previously-unknown bugs in selected software in order to raise awareness about the state of security in these software products.

While many MoKB bugs remain un-patched and the software they affect remain vulnerable, Apple users affected by MoAB can thank Landon Fuller for some temporary relief. Landon, a system architect, has promised to develop unofficial patches for software affected by MoAB bugs.

The researchers at McAfee Avert Labs will continue to follow MoAB closely, so keep reading!

Month of Apple Bugs, not strictly a Mac problem

Well, we’ve seen the first of the promised bugs for Apple and Apple products as a part of the “Month of Apple Bugs”. And perhaps unsurprisingly, the first bug is also applicable to Windows, being a buffer overflow vulnerability in QuickTime. There are also some saying that this may be rather difficult to exploit.

So in short, this month of bugs that’s supposed to take Mac fans down a peg…also exposes holes in Windows. And maybe it works, maybe it doesn’t. Way to start it off with a bang, there!

As a Mac fan who realizes Apple software is written by humans just like any other software, which will inevitably have the occasional bug, perhaps I’m not the demographic they’re looking to deflate. But really, I think you’d be hard pressed to find even the most rabid Mac fan who believes Apple software is 100% bulletproof. That’s just plain deluded. I think most Mac users at this point are of the opinion that it’s more akin to the risk of mosquito bites in August at Crater Lake, versus in January at the South Pole. There’s just a lot more nasty critters flying around the Windows environs than the OS X environs for the time being.

But even from a strictly researcher perspective, I am curious to see what this month brings up, both in terms of exploits and the discussion around them. Expect to see lots more here on that subject as things progress!

Do Exploit Writers Ever Go on Vacation?

Apparently not! On December 20, a new zero-day exploit for Microsoft Windows operating systems was released. This exploit targets a weakness in the Client Server Run-Time Subsystem, and allows local privilege escalation or denial of service.

Microsoft has acknowledged this vulnerability and admitted that its newest operating system, Windows Vista, is vulnerable.

Keep reading for more on exploits released this holiday season. Happy holidays!

Bot pangs - The pain of patching

Malware authors have been pro-active in including exploit code for almost every new vulnerability reported into bots with utmost professionalism. Apart from the numerous Microsoft Windows vulnerabilities where exploit code has been methodically incorporated into bot code, McAfee Avert Labs is seeing a trend where popular applications from software vendors are being targeted. In recent weeks we have seen bots that target vulnerabilities or weak passwords in the following applications:

Famatech Remote Admin http://vil.nai.com/vil/content/v_140984.htm
Symantec Antivirus http://vil.nai.com/vil/content/v_140978.htm

Although the vulnerabilities in the above software are dated and patches are available, bot authors still found them enticing enough to target machines running vulnerable versions of these applications.

Other popular software applications with vulnerabilities that have been targeted by bots in the recent past include:

Most of the major software vendors like Adobe, Microsoft and Oracle now follow a monthly patching cycle and administrators have their hands full in ensuring that every machine on the network is patched. Sadly, most administrators do not have the flexibility to deploy patches immediately to machines on the network for policy reasons. For example, the organization could be using legacy software which could break if a new service pack was applied and keeping these legacy applications running takes precedence over applying the latest hot fixes. In rare cases a fix could break something else in the operating system or adversely affect other applications. Administrators need more time to first deploy these hot fixes in a test environment and QA them properly before deploying them to the entire enterprise.

Given the trend where malware authors are expanding their attack horizon by targeting vulnerable software applications, it wouldn’t be surprising if an exploit directed at popular instant messaging (IM) clients should surface. IM is popular both in consumer and corporate networks and an exploit that gives remote shell on a machine running an instant messenger would be stunningly effective.

That being said, it will be interesting to wait, watch and revisit this topic if and when an instant messenger remote shell exploit surfaces.

McAfee Avert Labs 2007 Threat Predictions PodCast

Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

Download the podcast

The PatchGuard arms race has begun!

It was only a matter of time, but the first security ISV has publicly announced a product that bypasses PatchGuard. Authentium, announced today that their Authentium ESP Enterprise Platform can bypass PatchGuard. In a world where less than 1% of known threats exploit the kernel in a way that PatchGuard will block, and where only 15 of 264 (less than 6%) Microsoft vulnerabilities from 2004-2006 would have been protected by PatchGuard, according to our calculations, I’m not sure whether to laugh or cry.

Patchguard is an attempt to close a software hole with more software. As Joanna Rutkowska has amply proven, there is no software-only solution to the rootkit problem. Hardware solutions, like Intel’s Vanderpool or AMD’s Pacifica are required to harden PatchGuard to the point it cannot be broken, but they will not be widely spread in the field for years to come. And in closing one small hole, it’s opening a host of others, like those addressed by the behavioral, anti-rootkit technology, and HIPs features we, and other vendors, have been working on for years. Arguably, our solutions are not immune to this same problem, the difference being that instead of one solution from a newbie security vendor, consumers today can deploy multiple solutions from many seasoned vendors to create a layered defense strategy, even at a desktop level.

So in the meantime, MS is going to try to put their fingers in the dike of PatchGuard holes, which are more valuable to security vendors than to malware authors, who can just avoid the kernel structures MS is trying to protect. In many ways, this is the final manifestation of the logical conclusion I came to when Greg Hoglund first announced his NT rootkit: We are, and always have, been locked in an arms race with the malware authors and hackers. Microsoft has just taken away our most effective weapons.

Microsoft is putting McAfee, Authentium, Symantec, Sunbelt and the rest of the security community in the interesting position of having to tell our customers that we can’t protect them beyond a reactive AV signature without “hacking” their operating system. So if we can’t protect them, and Microsoft can’t protect them (and won’t let us), what are consumers and enterprises to do? Right now, security vendors and Microsoft are in a very public standoff. It will be interesting to see what happens when Microsoft’s own customers chime in on this issue. What do you think?

Zero-Day Vulnerability Follows October ‘06 Patch Tuesday

Patch Tuesday refers to the second Tuesday of each month when Microsoft releases security updates for its products. As a matter of policy, Microsoft releases patches only on Patch Tuesday. (One recent exception to this was an out-of-cycle patch for the Internet Explorer VML vulnerability.)

The researchers at McAfee Avert Labs follow Patch Tuesday with interest: Microsoft’s products are used by the lion’s share of industry and home users, and un-patched vulnerabilities in Microsoft’s products can often have an impact on global security.

Back in July 2006, Patch Tuesday fell on July 11. On July 12, a Trojan, Exploit-PPT.b, was released. This Trojan exploited a previously-unknown Microsoft PowerPoint vulnerability.

An exploit for a new vulnerability follows a Patch Tuesday. A one-time event?

This month, on 12 October 2006, two days after the October Patch Tuesday, we discovered a zero-day exploit in the wild for a new Microsoft PowerPoint 2003 vulnerability, CVE-2006-5296. Microsoft has said on its TechNet blog that this exploit could carry out code execution on the victim’s machine.

Security expert Bruce Schneier has commented that exploits might be released to follow a Patch Tuesday to maximize the “window of exposure”: the time until next month’s Patch Tuesday arrives with security patches for the new vulnerability.

Is Zero-Day Wednesday (or Thursday) going to become a trend? We’ll be watching.

Microsoft Security Advisory (925984) [CVE-2006-4694]

To follow up on my Another Day, Another 0-day post; today (Sep 27, 2006), Microsoft has released a security advisory for this vulnerability:

Microsoft Security Advisory (925984)
Vulnerability in PowerPoint Could Allow Remote Code Execution

The following versions of PowerPoint are affected:

  • PowerPoint 2000
  • PowerPoint 2002
  • PowerPoint 2003
  • PowerPoint 2004 for Mac
  • PowerPoint v. X for Mac

CVE-2006-4694 was assigned for this vulnerability on Sep 11, 2006.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4694

“Another Day, Another 0-day”

As one zero day gets patched, (Microsoft released an out-of-cycle patch for the recent VML Fill vulnerability) another is found.

Today we discovered an exploit affecting Microsoft PowerPoint (preliminary testing shows Office 2000, Office XP, and Office 2003 are affected). A single target of this exploit has been identified, so like other recent Microsoft Office 0-day discoveries, it appears that this one is also a targeted attack.

What makes this attack interesting is the fact that Microsoft’s antivirus product appears to have added detection three days ago. The only public information on these threats is the boilerplate Malicious Software Encyclopedia entries (which show an incorrect discovery date of Sep 26, when virus definition files from Sep 23 already detect them):

There isn’t a public advisory from Microsoft, suggesting that Microsoft’s security team knew of this in-the-wild attack but did not make the information public.

For the record, I am not a fan of full disclosure (the concept, not explicitly the mailing list). I believe that more money has been lost, more data stolen, and more illegal activity around exploits has happened because of full disclosure. Historically, those with the skills to find vulnerabilities and create exploits are not the ones who write Blaster and Sasser, etc. Generally, the people who heavily abuse exploit code have “copy & pasted” the work of others. They customize the payload and release, and in these cases damages would have been significantly reduced if it were not for the availability of exploit details.

That said, if an attack is in the wild, acknowledgment of the attack is not something to conceal. Non-disclose the nitty-gritty details, but do inform.

- Update Sep 27, 2006 9:30 -
Correction, coverage went into the 4861 DAT release.

- Update Sep 26, 2006 17:00 -
McAfee antivirus coverage for these two exploits was released earlier today in DAT version 4860; detected as Exploit-PPT.d trojan.

Internet browsers and cyber-crime.

Thousands of websites are compromised every day. Many end up defaced or vandalized with greetz to the hacker and flames to the system administrator for failing to maintain server security. Defacing is the lowest form of internet graffiti and is usually done for fun or attention.

More sinister is when organized crime groups use compromised web servers to host malware. The compromised web pages are modified to host zero-day exploits that compromise users via drive-by downloads, or the servers are used as staging servers for trojan downloaders to pull and push further malware. Attack script toolkits like WebAttacker are being sold on the internet and are then custom configured to infect visiting computers without any user interaction. An attacker only needs to send spam via email or instant messenger messages inviting recipients to visit a compromised website hosting the vulnerability and its malware exploit.

So how does one know where the attacks will come from? What can be done to track down the bad guys and combat them? One of many ways is to scan the internet for vulnerable systems and then monitor the sites that are found to be vulnerable, waiting for them to be hacked. Once a site is compromised, don’t attempt to get the compromised server shut down, as that would only make the bad guys move elsewhere. Rather, keep an eye on the server and monitor it for any malicious uploads and downloads.

To quote a recent example, when code for the Exploit-WMF was released, a security company was able to come up with a listing of over a hundred sites that were compromised and hosting this exploit, much faster than the big search engines indexed the Internet. Critics may argue that this is akin to watching the enemy plant landmines and waiting for hapless victims to step on them because one happens to be in the business of manufacturing prosthetic limbs. The more intel that can be gathered, the better chance the security community has of shutting down the bad guys. Let us all work with the law enforcement and intel communities.

The internet is a scary place as crime increasingly becomes an omnipresent menace. The window between vulnerability discovery to its incorporation into exploit code has shrunk from months or weeks to true zero-day as attackers and security experts are perpetually in a race against time. Browser vulnerabilities and exploits such as the Exploit-VMLFill are just a prelude to a series of pending exploits that pose the fastest growing threats to internet surfing. At the time of writing, a security update to address this vulnerability is being worked upon by Microsoft and their goal is to release the update on Tuesday, October 10, 2006, or sooner.

With ever-increasing browser-based attacks, it is more important than ever that users not trust seemingly familiar or safe links, particularly when received via Instant Messengers, Internet Relay Chat or Email. McAfee Avert Labs is committed to continued research against all known exploits of the Vector Markup Language vulnerability and will continue to update our coverage as new attack vectors and threats emerge. The problem will not go away... but we can sure make life difficult for the bad guys.

Critical 0-Day Microsoft Internet Explorer Exploit Discovered In The Wild

Last night Sunbelt blogged about a zero day IE exploit being discovered in the wild. This attack has taken shape much the way Exploit-WMF did back in December 2005. A trojan toolkit known as WebAttacker was updated to include exploiting a new Vector Markup Language Buffer Overflow vulnerability. This toolkit is known to be sold on the underground for as little as $17 US, but just like the Exploit-WMF case, we can expect exploit source to be readily available shortly.

General advice around this kind of attack is to stay on the straight and narrow path while touring the Internet. However, WebAttacker has historically been installed on compromised web servers, and we’ve seen message board posts and blog entries that include iframes referring to other sites that are running WebAttacker. Disabling JavaScript effectively neuters known attacks. Using an alternate web browser also thwarts this attack.

Microsoft has posted an advisory including workarounds:
http://www.microsoft.com/technet/security/advisory/925568.mspx

McAfee product coverage (including proactive 0-day protection) can be found here:
Exploit information: http://vil.nai.com/vil/Content/v_140629.htm
Vulnerability information: http://vil.nai.com/vil/Content/v_vul26881.htm

P.S. As I write this entry, Exploit-WMF remains the topmost reported malware blocked by our VirusScan Online products.

WMF exploit “wombles” up

McAfee Avert Labs has received samples of a new mass-mailing worm that we call http://vil.nai.com/vil/content/v_140497.htm. What makes it noteworthy is that this worm sometimes sends itself as a usual binary zipped attachment but sometimes mass-mails out Exploit-WMF with itself inside (zipped or non-zipped). The worm is packed inside a modified UPX container and is 78,336 bytes long.

The now ubiquitous WMF exploit first appeared in December 2005 and since then it was one of the most common attack vectors for home users. McAfee AV products have provided proactive detection of known malformed WMF files that can exploit the WMF vulnerability.

McAfee Avert Labs releases first issue of Sage!!!!

An epic transformation in the world of security is upon us. Today, we released the first issue of our semi-annual security magazine Sage. We will leverage this communication vehicle to deliver meaningful and sometime raw content to the masses. We take our responsibility to protect the public from malicious malcontents very seriously and will not shy away from difficult content or taboo topics. Instead, we will share with the world our day-to-day fight and let you decide how important the concepts being broached are to you.

The premiere issue examines the use of open source by the malware writing community. We show the pivotal role that code sharing and full disclosure have played in the evolution of the threat environment, and we anticipate a surge in malware quality and reliability as the malware writers become more professional. Though open source cannot be blamed for how some unsavory individuals may choose to use its tools, techniques, and methodologies, the movement should acknowledge that there are dangers associated with some of its fundamental beliefs.

Sage is meant to be a forum for thought leadership and serious discourse on topical security issues. By drawing on the Labs’ wealth of data and expertise, and writing challenging security articles, we hope to provoke important discussion about the digital battlefield we have found ourselves in.

Get Sage now from the McAfee Threat Center site:

http://www.mcafee.com/us/threat_center/white_paper.html

Critical IE Vulnerability [WebViewFolderIcon - CVE-2006-3730]

Once again, in the name of “software security”, exploit code has been posted publicly that targets an unpatched Microsoft Internet Explorer (IE) vulnerability. This has been labeled as a 0-day exploit, but the first public release of this vulnerability happened on July 18, during a well known vulnerability researcher’s “Month of Browser Bugs” bloganza. The original proof of concept code posted to the blog resulted in IE crashing. The code released yesterday and today allows for the execution of arbitrary code.

I contend that a public exploit released 2+ months after the initial 0-day attack can not be considered a 0-day.

Of course in the real world, it doesn’t make much difference. As I write this blog entry, Microsoft hasn’t yet acknowledged this threat, but I suspect that we will see some information soon, only 72+ days after the 0-day attack was made public. Call it a 0-day, or call it a 72nd-day, either way users are still vulnerable.

That said, the odds of being attacked by this threat were extremely low two days ago. Now that exploit code has been served up on a platter for the bad guys to use, we can expect many attacks for some time to come.

Why is it that some vulnerability researchers feel victorious upon the release of a vendor patch, when it comes at the expense of so many innocent victims? Or maybe this really isn’t about making software more secure.