Archive for the ‘Exploits’ Category

iOS Security Updates

iPod, iPhone and iPad users MUST immediately apply the security updates.

Visit Apple Security Updates for details.

Reference:

iPad http://support.apple.com/kb/HT4291;

iPhone and iPod http://support.apple.com/kb/HT4292

Why is this important?

This will protect you from the in-the-wild drive-by download attack!

JailBreakMe by comex (et al.) demonstrated a serious security hole that allows users to jailbreak their iOS devices simply by visiting a website and/or tapping a link. This security hole is very dangerous: just by browsing the web, users could be exposed to abusive sites that harvest their credentials and information.

How does it work?

Safari loads a crafted PDF that exploits the following vulnerabilities:

First, it is triggered by an unrecognized font, a Compact Font Format (CFF) font with subtype Type1C, which causes the second exploit stage to execute. This vulnerability is referenced as CVE-2010-1797.

<</Subtype /Type1C

Second, a value is too large for the integer data type to handle (see the example IOSurface property list below), an integer overflow that lets the malicious code, running as the user, escalate to system or root privilege.

This vulnerability is referenced as CVE-2010-2973.

So an attacker entices a targeted user to open a URL. When the URL is opened in Safari, the PDF file is parsed automatically and exploitation occurs. The file may also arrive as an email attachment.

Stay safe!

Recommended reading:

iPhone 4 / iPad: The Keys Out Of Prison by Axelle Apvrille

Technical Analysis on iPhone Jailbreaking by Matt Oh

0day: Apple Safari AutoFill

Description

Jeremiah Grossman has discovered a weakness in Apple Safari, which can be exploited by malicious people to disclose potentially sensitive information.

The weakness is caused due to the AutoFill feature being enabled to use information from the personal address book card by default. This can be exploited to secretly disclose personal information from the personal address book card when a user visits a specially crafted web page.

The weakness is confirmed in Safari version 5.0. Other versions may also be affected.

Impact: Exposure of sensitive information

Reference: Secunia Advisory SA40664

Solution
Disable the AutoFill feature for address book card information.

How? Open the Safari preferences (press Command-comma, ⌘,) and uncheck the AutoFill web forms option for Address Book card information.

Further reading:

http://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html

PoC : http://ha.ckers.org/weird/safari_autofill.html

Personal information exposed? It depends on the data; here’s my browser result.

0day: Apple Safari “parent.close()”

Release Date : 2010-05-07
Criticality level : Highly critical
Impact : Remote code execution
Solution Status : Unpatched

Description:
A vulnerability has been discovered in Apple Safari, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an error in the handling of parent windows and can result in a function call using an invalid pointer. This can be exploited to execute arbitrary code when a user e.g. visits a specially crafted web page and closes opened pop-up windows.

The vulnerability is confirmed in Safari version 4.0.5 for Windows. Other versions may also be affected.

Solution:
Do not visit untrusted web sites or follow links from untrusted sources.

PROVIDED AND/OR DISCOVERED BY:
Krystian Kloskowski (h07)

Original Advisory:
http://h07.w.interia.pl/Safari.rar

Advisory Reference:

http://secunia.com/advisories/39670/

CVE-2010-1120

DESCRIPTION:
A vulnerability has been reported in Apple Mac OS X, which can be
exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an indexing error in Apple Type
Services within the “TType1ParsingContext::SpecialEncoding()” method
in libFontParser.dylib when parsing embedded fonts. This can be
exploited to corrupt memory e.g. via a specially crafted PDF file
opened in Preview.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in Mac OS X Server 10.5, Mac OS X 10.5,
Mac OS X 10.6, and Mac OS X Server 10.6.

SOLUTION:
Apply Security Update 2010-003.

Sourced: http://secunia.com/advisories/39426/

Reference: CVE-2010-1120 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1120

Description:
Unspecified vulnerability in Safari 4 on Apple Mac OS X 10.6 allows remote attackers to execute arbitrary code via unknown vectors, as demonstrated by Charlie Miller during a Pwn2Own competition at CanSecWest 2010.

Apple Safari Stylesheet Redirection vulnerability

There’s a 0-day vulnerability affecting Safari 4.x users. It’s not critical, but it is important to be aware of it.


<link rel="stylesheet" type="text/css" href="www.yahoo.com">
Hola
<script language="javascript">
setTimeout("alert(document.styleSheets[0].href)", 10000);
//setTimeout is used just to wait for page loading
</script>

Listing 01 – Apple Safari Stylesheet Redirection PoC

Cesar Cerrudo discovered this vulnerability and explained that Safari does not report the href value specified in the LINK element; instead, when the stylesheet request is redirected, the stylesheet’s href reveals the target URL of the redirect.

A malicious user may take advantage of this vulnerability to steal sensitive information.

Be cautious when surfing the net!

Avoid Phish Bombing, Update your Safari version to 4.0.3

Avoid phish bombing: update your Safari to version 4.0.3!

This latest version also includes multiple fixes for critical vulnerabilities that can be exploited by malicious people or evil websites to manipulate data, disclose sensitive information, perform spoofing attacks and/or compromise your system. Further information: About the security content of Safari 4.0.3

What is a phish bomb and how does it work?

Phishing is a fraudulent attempt that falsely claims to be from a legitimate, known website or organization, thus tricking the target victim into voluntarily providing sensitive information such as user name, password, credit card number, social security number, etc.

A phish bomb is an explosive form of phishing attack: in Safari 4 it allows an attacker to manipulate your Top Sites (keyboard shortcut Command-Shift-1). This vulnerability was discovered by Inferno of SecureThoughts.com.

Inferno published his PoC and explains:

“The two input parameters in this attack are the number of times the fake website should be visited (n)(default=28) and timeout(t)(default=2 sec) that triggers a switch between two fake websites. It is very simple and adds two fake websites for bankofamerica.com and gmail.com to your top sites.”

PhishBomb

Update and stay safe!

PDF Adobe Reader Zero Day

Adobe Reader has two vulnerable JavaScript functions getAnnots() and spell.customDictionaryOpen() that could allow a remote attacker to execute arbitrary code on the system. PoCs were published here.

PSIRT blogged an update saying that this vulnerability is still under investigation and updates will be available by 12th May:

We are in the process of fixing the issue, and expect to make available product updates for the relevant supported Adobe Reader and Acrobat versions and platforms by May 12th, 2009.

Adobe Released Security Bulletin

Release date: May 1, 2009

Vulnerability identifier: APSA09-02

CVE number: CVE-2009-1492, CVE-2009-1493

Platform: All Platforms

Mac users are affected by this vulnerability too, and as usual it is best to disable JavaScript if you are using Adobe Reader. Please follow the instructions here.

Do you use Adobe Reader?

Exploited PDFs have been a prevalent attack vector for a while now, but only on Windows, never on Mac.

I had discussed this here: the prevalence, util.printf(), Virut-generated PDFs, and now the zero day. This zero-day vulnerability exists in Adobe Reader 9.0 and earlier and Acrobat 9.0 and earlier. Unfortunately, this flaw remains unpatched at the moment; as announced in the advisory, “Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009.”

Here are a few recommendations to avoid this attack:

Mac Users:

1) Go to the Applications folder, find Adobe Reader and launch it.

2) Once it is open, click “Adobe Reader” and then “Preferences”, or use the keyboard shortcut Command-comma (⌘,).

3) In Categories, click “Internet”, look under the Web Browser options and uncheck “Display PDF in browser…”.

4) Again in Categories, click “JavaScript”, look under the JavaScript options and uncheck “Enable Acrobat JavaScript”.

5) Do not open or access PDF documents from an untrusted source, especially if you are not expecting them.

6) Make sure your security scanner is using the latest signature update, and ensure that features like real-time scanning are turned on.

For Windows users:

1) Prevent your default browser from automatically opening PDF documents. To do this, open Adobe Reader by clicking Start > All Programs > Adobe Reader <x> (where ‘<x>’ is the version). Once it is open, click Edit > Preferences and uncheck “Display PDF in Browser”.

2) Disable JavaScript in Adobe Reader and Acrobat. Click Edit > Preferences and uncheck “Enable Acrobat JavaScript”.

3) Do not open or access PDF documents from an untrusted source, especially if you are not expecting them.

4) Make sure your security scanner is using the latest signature update, and ensure that features like real-time scanning are turned on.

Take note that this vulnerability does not require JavaScript to exploit. However, the crafted PDFs attackers use to get into users’ machines rely on script to execute their payload successfully (based on the exploited PDFs I’ve seen), so it is best to disable it!

Please feel free to drop by and comment if this has been helpful to you! Also, if you have found suspicious websites or files, don’t hesitate to send them to meths101 (at) optusnet (dot) com (dot) au. This will definitely help other users!
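As an added example (not code from the original posts, nor from Apple or Adobe), the following Python script does the defender-side triage that both the JailBreakMe post above (embedded /Subtype /Type1C fonts) and this Adobe Reader post call for: it walks a PDF’s stream objects, inflates FlateDecode streams, and reports embedded Type1C fonts, JavaScript actions and the API names the advisories mention (getAnnots, customDictionaryOpen, util.printf). The sample PDF bytes are constructed inline for the demo and are not a working exploit.

```python
import re
import zlib

# Constructed sample (not a real exploit): one Type1C font stream plus a
# FlateDecode-compressed JavaScript action that calls the advisories' APIs.
JS_BODY = b"var a = this.getAnnots(); spell.customDictionaryOpen('x');"
JS_COMP = zlib.compress(JS_BODY)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /FontDescriptor /FontFile3 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Subtype /Type1C /Length 3 >>\nstream\n\x01\x00\x04\nendstream\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Filter /FlateDecode /Length " + str(len(JS_COMP)).encode()
    + b" >>\nstream\n" + JS_COMP + b"\nendstream\nendobj\n%%EOF\n"
)
# API names from the advisories above (CVE-2009-1492/1493) and util.printf().
SUSPICIOUS_JS = (b"getAnnots", b"customDictionaryOpen", b"util.printf")

# One stream object: its dictionary and its raw data. The lookahead stops the
# dictionary match from spanning across a neighbouring object's "endobj".
STREAM_RE = re.compile(
    rb"<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)

def decode_stream(dictionary: bytes, data: bytes) -> bytes:
    """Inflate FlateDecode streams so compressed script bodies become visible."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(data)
        except zlib.error:
            return data  # corrupt or truncated stream: fall back to raw bytes
    return data

def triage_pdf(pdf: bytes) -> dict:
    """Report Type1C fonts, JavaScript presence and suspicious API names."""
    findings = {"type1c_fonts": 0, "javascript": False, "suspicious_calls": []}
    findings["javascript"] = re.search(rb"/JavaScript|/JS\b", pdf) is not None
    for match in STREAM_RE.finditer(pdf):
        dictionary, data = match.group(1), match.group(2)
        if re.search(rb"/Subtype\s*/Type1C", dictionary):
            findings["type1c_fonts"] += 1
        body = decode_stream(dictionary, data)
        for name in SUSPICIOUS_JS:
            if name in body and name.decode() not in findings["suspicious_calls"]:
                findings["suspicious_calls"].append(name.decode())
    return findings

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

Object streams (/ObjStm) are not expanded, so a PDF that packs its dictionaries into one is reported only by what is visible in its raw bytes; a hit is a triage indicator for further analysis, not a verdict.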

Safari Vulnerability Could Expose Users Data

A severe, critical flaw in Safari was recently discovered, and NO patch has been released yet as of this writing. Brian Mastenbrook discovered this vulnerability on 13th January and disclosed the following information: [Further reading]

————————————————————————————-

I have discovered that Apple’s Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user’s hard drive without user intervention. This can be used to gain access to sensitive information stored on the user’s computer, such as emails, passwords, or cookies that could be used to gain access to the user’s accounts on some web sites. The vulnerability has been acknowledged by Apple.

All users of Mac OS X 10.5 Leopard who have not performed the workaround steps listed below are affected, regardless of whether they use any RSS feeds. Users of previous versions of Mac OS X are not affected.

Users of Firefox, Camino, and Opera on Mac OS X are substantially better protected against exploitation by a malicious web page than users of Safari or OmniWeb. If users of these browsers are asked to open a link in Safari, they should not allow the request and close the page which triggered the request immediately. All users of Mac OS X may still be affected by clicking on a malicious link from their email client, instant messaging program, or another application, and should perform the workaround steps given below.

————————————————————————————-

It is a good thing that no technical details were disclosed. For sure, nosy attackers would never let such an opportunity slip by.

IE & WordPad Zero Day In-The-Wild

IE XML Parsing Remote Buffer OverFlow Exploit [Read Shadowserver Diary]

As many of you have seen, there is a new 0-day exploit in the wild affecting Internet Explorer 7 users. This is a new exploit that is being actively exploited and it was not patched yesterday (meaning there is no patch available, yet). Visiting a website with this exploit can result in a full compromise of an affected system. Currently most of the exploits out there will attempt to download a trojan onto the system.

Recommendation: Do NOT use IE until it is patched.

Reference: ISC Diary ;  SecmaniacBlog

PoC: 7403 ; 7410

oooOOooo

Microsoft Security Advisory (960906): Vulnerability in WordPad Text Converter Could Allow Remote Code Execution 

Recommendation: Do not use WordPad to open files with .doc, .wri, or .rtf extensions that you receive from untrusted sources or receive unexpectedly from trusted sources. This vulnerability could be exploited when using WordPad to open a specially crafted file. We also recommend customers using Windows XP to upgrade to Windows XP Service Pack 3, which is not affected. 

Affected Systems: Microsoft Windows 2000 Service Pack 4; Windows XP Service Pack 2; Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2; Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems; Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Reference: MS Advisory; CVE-2008-4841; Secunia Advisories; Security Focus

PoC: 6560 ; 31399
