0x06 vulnerability | 2011. 3. 15. 05:30





http://www.adobe.com/support/security/advisories/apsa11-01.html


SUMMARY

A critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.13 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.1.106.16 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions of Reader and Acrobat for Windows and Macintosh operating systems.

This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. At this time, Adobe is not aware of attacks targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.

We are in the process of finalizing a fix for the issue and expect to make available an update for Flash Player 10.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, and an update for Adobe Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.2 and earlier 9.x versions during the week of March 21, 2011. Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.

AFFECTED SOFTWARE VERSIONS

  • Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player 10.2.154.13 and earlier for Chrome users
  • Adobe Flash Player 10.1.106.16 and earlier for Android
  • The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue.

SEVERITY RATING

Adobe categorizes this as a critical issue.

DETAILS

A critical vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems (Adobe Flash Player 10.2.154.13 and earlier for Chrome users), Adobe Flash Player 10.1.106.16 and earlier versions for Android, and the authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.

This vulnerability (CVE-2011-0609) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. Adobe is not currently aware of attacks targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.

We are in the process of finalizing a fix for the issue and expect to make available an update for Flash Player 10.x and earlier versions for Windows, Macintosh, Linux, Solaris and Android, and an update for Adobe Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Macintosh, and Adobe Reader 9.4.2 and earlier 9.x versions during the week of March 21, 2011. Because Adobe Reader X Protected Mode would prevent an exploit of this kind from executing, we are currently planning to address this issue in Adobe Reader X for Windows with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.

Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue.

Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at http://blogs.adobe.com/psirt or by subscribing to the RSS feed at http://blogs.adobe.com/psirt/atom.xml.

Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.
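The advisory only says the in-the-wild lure is a Flash (.swf) file embedded in an Excel (.xls) attachment. As an added example (not part of the Adobe advisory or of this post), the following Python triage helper scans an arbitrary byte buffer for Flash file headers, validates them (version byte, declared length, and for CWS that the zlib body actually inflates to the declared size) and pulls out the frame rate and frame count. It is a generic "is there a SWF hidden in this attachment" check, not a detector for CVE-2011-0609 itself; the sample .xls-like buffer below is constructed here and contains no real exploit. An .xls is an OLE2 compound file, so a SWF stored in an OLE stream is usually found by a raw byte scan, but one split across non-contiguous 512-byte sectors would be missed by this simple scan.

```python
import re
import struct
import zlib

# Flash file signatures. FWS = uncompressed, CWS = zlib-compressed body (SWF 6+).
# ZWS (LZMA, SWF 13+) did not exist in early 2011 and is deliberately not matched.
SWF_MAGIC = re.compile(rb"[FC]WS")


def _frame_info(body):
    """Frame rate and frame count that follow the RECT at the start of a SWF body."""
    if not body:
        return None
    nbits = body[0] >> 3                      # RECT: 5-bit Nbits, then 4 fields of Nbits each
    rect_len = (5 + 4 * nbits + 7) // 8
    if len(body) < rect_len + 4:
        return None
    rate, count = struct.unpack_from("<HH", body, rect_len)
    return rate / 256.0, count                # frame rate is 8.8 fixed point


def parse_swf_header(buf, off):
    """Validate a candidate SWF at buf[off:]; return a summary dict or None if it is noise."""
    if off + 8 > len(buf):
        return None
    sig = buf[off:off + 3]
    version = buf[off + 3]
    declared = struct.unpack_from("<I", buf, off + 4)[0]   # total *uncompressed* length
    if not 1 <= version <= 64 or declared < 13:
        return None
    if sig == b"FWS":
        if off + declared > len(buf):
            return None
        body = buf[off + 8:off + declared]
    else:  # CWS: inflate until end-of-stream; trailing container bytes land in unused_data
        d = zlib.decompressobj()
        try:
            body = d.decompress(buf[off + 8:])
        except zlib.error:
            return None
        if not d.eof or len(body) != declared - 8:
            return None
    info = _frame_info(body)
    if info is None:
        return None
    return {"offset": off, "signature": sig.decode(), "version": version,
            "declared_length": declared, "frame_rate": info[0], "frame_count": info[1]}


def find_embedded_swf(buf):
    """Scan any byte buffer (e.g. an .xls attachment) for plausible embedded SWF files."""
    return [h for h in (parse_swf_header(buf, m.start()) for m in SWF_MAGIC.finditer(buf)) if h]


def _minimal_swf_body():
    # RECT with Nbits=0 (1 byte), frame rate 24.0 (8.8 fixed, LE), frame count 1, End tag
    return b"\x00" + b"\x00\x18" + b"\x01\x00" + b"\x00\x00"


def build_swf(compressed):
    """Build a syntactically valid, empty SWF 10 file for testing (constructed, not a real sample)."""
    body = _minimal_swf_body()
    hdr = (b"CWS" if compressed else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body))
    return hdr + (zlib.compress(body) if compressed else body)


# Constructed stand-in for an .xls: the OLE2/CFB magic, filler, a decoy "FWS" that fails the
# sanity checks (version byte 0), then one uncompressed and one zlib-compressed SWF.
SAMPLE_XLS = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
              + b"FWS\x00\x00\x00\x00\x00" + b"\x00" * 16
              + build_swf(False) + b"\x00" * 32
              + build_swf(True) + b"\x00" * 16)

if __name__ == "__main__":
    for hit in find_embedded_swf(SAMPLE_XLS):
        print(hit)
```

Run it against a real attachment with `find_embedded_swf(open(path, "rb").read())`; a hit with a plausible version (10 for the Flash 10.2 era) is enough to quarantine the file for manual analysis, while the version/length checks keep random "FWS"/"CWS" byte runs from raising alerts.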




http://www.securelist.com/en/blog/6102/New_Adobe_Zero_Day_Under_Attack





They say the patch is due out around next week..

http://blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html





Posted by demantos
0x04 reference&tools | 2011. 3. 10. 10:22



 




Writeups of the Codegate 2011 CTF from overseas bloggers are coming out one after another..

Writeups from the Korean teams should be posted soon too, right?

Please have a look.



Writeup – CODEGATE 2011 by Team Zenk
(crypto100,200 / network100,300 / binary100 / vulnerab100,200 / forensics100,300 / issues100)
http://www.lestutosdenico.com/evenements/writeup-codegate-2011

Codegate Writeups by Leet More
http://leetmore.ctf.su/wp/codegate-ctf-2011-binary-200/
http://leetmore.ctf.su/wp/codegate-ctf-2011-issue-500-bootsector/
http://leetmore.ctf.su/wp/codegate-ctf-2011-crypto-400/
http://leetmore.ctf.su/wp/codegate-yut-2011-forensic-300issue-300/
http://leetmore.ctf.su/wp/codegate-ctf-2011-mini-writeups/
http://leetmore.ctf.su/wp/codegate-ctf-2011-crypto300-writeup/
http://leetmore.ctf.su/wp/codegate-ctf-2011-vuln-300/ (03.09 added)

* There is also a Padocon CTF 2011 writeup.

CODEGATE YUT 2011: Issue 500 writeup by SECURITY BLACK SWAN
http://securityblackswan.blogspot.com/2011/03/codegate-yut-2011-issue-500-writeup.html

Codegate CTF 2011 Vuln300 Writeup by UNTITLED
http://auntitled.blogspot.com/2011/03/codegate-ctf-2011-vuln300-writeup.html

Oracle padding attacks (Codegate crypto 400 writeup)
http://isc.sans.edu/diary.html?storyid=10501

Codegate 2011 CTF Writeup - Vuln 400 by bashrc
http://lollersk8ers.fatihkilic.de/2011/03/codegate-2011-ctf-writeup-vuln-400.html


03.09 added!!

hasegawa yosuke
http://www.netagent-blog.jp/archives/51762319.html

PPP
http://ppp.cylab.cmu.edu/wordpress/?p=466
http://ppp.cylab.cmu.edu/wordpress/wp-content/uploads/2011/03/Codegate2011PQ-Writeup-PPP.pdf

Hates Irony
https://hatesirony.com/codegate2011/


Challenge files
https://files.nibbles.fr/codegate-2011/




One team (EightNine Line) was dropped from the provisional ranking and PLUS moved up!!
Either way, that makes three Korean teams :)

The Swedish team HackingForSoju has qualified for the finals and will be coming to Korea.
I expect the organizing committee will treat them to a variety of tasty soju. ;)
For reference, if it can be arranged, the so-called "toad" soju we drank as freshmen, or the 30% ABV stuff sold in PET bottles for steeping fruit liquor, would do nicely too. I can have some flown in if needed. lol






Posted by demantos
0x04 reference&tools | 2011. 3. 7. 17:10



Thank you all for your hard work.

Apart from the people who stepped forward for political and PR reasons, there are many who really toiled behind the scenes.

(Unfortunately I was on another project and couldn't devote much time to it ㅜ.ㅜ)

This time the initial reports and samples were shared quickly, so the damage seems to have been lighter.

It was absolutely not because the equipment was good. -_-

Personally, I'd rate this incident as a DDoS that was stopped by human effort.

As an aside, rather than pouring all the effort into blocking incoming traffic,

finding the zombies that send that traffic and cleaning them quickly, or preventing such zombies from appearing in the first place, is the real solution in my view.



Getting to the point...

There are diagrams of the relationships between the malware samples found so far, so I'm sharing them.


<AhnLab>




<ESTsoft>




<Hauri>




<INCA Internet>




I couldn't do the analysis myself from the start, but based on the documents that were published I drew a diagram of my own.
(I secretly enjoy drawing diagrams. ~.~)







Well done, everyone!!

Get some proper rest this weekend!!










Posted by demantos
0x06 vulnerability | 2011. 2. 21. 15:50




Last week a zero-day vulnerability was found in Windows Server 2003 Active Directory and an exploit was published.

http://www.exploit-db.com/exploits/16166/


Running the code above brings up a Blue Screen of Death on the target server.

An exploit was also published for metasploit, but it did not work well for me..



The target system I tested was one with nothing but AD installed.



Posted by demantos
0x06 vulnerability | 2011. 2. 10. 10:56



Adobe Flash Player multiple vulnerabilities security update advisory
http://www.krcert.or.kr/secureNoticeView.do?num=499&seq=-1


Adobe Reader/Acrobat multiple vulnerabilities security update advisory
http://www.krcert.or.kr/secureNoticeView.do?num=500&seq=-1


Adobe Shockwave Player multiple vulnerabilities security update advisory
http://www.krcert.or.kr/secureNoticeView.do?num=501&seq=-1




Since many of these vulnerabilities allow arbitrary code execution, you should definitely apply the updates.

Thanks for reading this half-hearted post. ㅜ.ㅜ





Posted by demantos
0x06 vulnerability | 2011. 1. 20. 18:02


PoC code has been published on exploit-db.

http://www.exploit-db.com/exploits/16015/


Go to the ALTools site and update to ALZip 8.2.

http://www.altools.co.kr/Download/ALZip.aspx



PoC demo video

Posted by demantos
0xFF small talk | 2011. 1. 18. 10:47






I found out yesterday from M86 Security Labs' Twitter. That Dancho Danchev had disappeared...




ZDNet ran an article on January 14.

http://www.zdnet.com/blog/security/we-need-help-with-the-strange-disappearance-of-dancho-danchev/7897


This morning I learned from the Twitter of Hauri team lead Choi Sang-myung that Dancho Danchev has been admitted to a psychiatric hospital in Bulgaria.



http://yro.slashdot.org/story/11/01/15/016241/The-Strange-Disappearance-of-Dancho-Danchev
http://news.ycombinator.com/item?id=2112135
http://www.dnevnik.bg/tehnologii/2011/01/17/1026425_ekspertut_po_it_sigurnost_dancho_danchev_e_nastanen_v/ (Bulgarian)

Below is the Bulgarian-language link run through Google Translate.

Dancho Danchev, an expert on cybersecurity, has been admitted to a Bulgarian hospital. The information was confirmed by two sources of "Diary", although the hospital refused to comment.

As Wired magazine announced a few days ago, he disappeared in September 2010 and did not meet their coordinates. Twenty-six-year-old Dancho Danchev writes for the blog Zero Day, part of the news site zdnet.com. His last post there is from August 2010.

In early September he sent an email to the editors of zdnet.com, informing them that listening devices had been installed in his bathroom. In addition, he attached photos of the electric transformer and torn wires on the bulbs. In his letter Dancho Danchev said that the Bulgarian intelligence services were following him because he had been recommended by the FBI attaché in Sofia as an expert for the local center against computer threats.

Then the tracks of Dancho Danchev disappear, but according to a reliable source of "Diary" he has been hospitalized from December 11 onwards. He is now stabilized and will soon be discharged, our source said.


Maybe I'm the only one who senses some kind of conspiracy here, but anyway it smells a bit like the politics you only see in movies.
(Maybe I've watched too many movies -_-;;)


Anyway, it's a shame..

He showed us so many good analyses and zero-days, and now a psychiatric hospital...

His last post was on September 11 of last year, and that date... well, it's a bit unsettling...-_-;;





But one thing I can't believe

is that Dancho is 26..





Posted by demantos
0x06 vulnerability | 2011. 1. 5. 10:30

 

http://www.securityfocus.com/bid/45662/info

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3970

http://moonslab.com/1225



Affected (vulnerable) systems

Microsoft Windows XP Professional x64 Edition SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Professional SP3
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP3
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP3
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP 0
Microsoft Windows Vista Ultimate 64-bit edition SP2
Microsoft Windows Vista Ultimate 64-bit edition SP1
Microsoft Windows Vista Ultimate 64-bit edition 0
Microsoft Windows Vista Ultimate SP2
Microsoft Windows Vista Ultimate SP1
Microsoft Windows Vista Ultimate
Microsoft Windows Vista SP2
Microsoft Windows Vista SP1
Microsoft Windows Vista Home Premium SP2
Microsoft Windows Vista Home Premium SP1
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2008 for x64-based Systems 0
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems 0
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2008 for 32-bit Systems 0
Microsoft Windows Server 2003 x64 SP2
Microsoft Windows Server 2003 x64 SP1
Microsoft Windows Server 2003 Itanium SP2
Microsoft Windows Server 2003 Itanium SP1
Microsoft Windows Server 2003 Itanium 0
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
3DM Software Disk Management Software SP2
3DM Software Disk Management Software SP1


module : windows/fileformat/ms11_xxx_createsizeddibsection




This vulnerability is triggered when a thumbnail preview is generated.




I tested the msf.doc file generated by metasploit via thumbnail preview, but a Data Execution Prevention notification popped up and the attack did not go through. So I forcibly disabled DEP mode and tried again, but explorer just kept crashing over and over.

My environment may have been set up wrong, but when tested on Windows XP SP3, the most common environment, the metasploit exploit does not seem to work properly.

An official patch has not been released yet; for temporary mitigations, see the Hauri page below.

http://www.hauri.co.kr/customer/security/alert_view.html?intSeq=79&page=1



bonus) the presentation file by the vulnerability's discoverers, Moti and Xu Hao






Posted by demantos
0x06 vulnerability | 2010. 12. 24. 15:26




Overview
The ActiveX control, WBEMSingleView.ocx, that is a part of the WMI Administrative Tools package contains a vulnerability.


I. Description
The AddContextRef() and ReleaseContext() functions of the WMI Object Viewer control can be passed an object pointer from an attacker that results in arbitrary code execution. An Internet Explorer user with WBEMSingleView.ocx installed can be exploited by visiting a malicious web page.


II. Impact
An attacker can execute arbitrary code as the user.


III. Solution
We are currently unaware of a practical solution to this problem.

Disable the WMI Object Viewer ActiveX control in Internet Explorer

The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

{2745E5F5-D234-11D0-847A-00C04FD7BB08}


More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2745E5F5-D234-11D0-847A-00C04FD7BB08}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2745E5F5-D234-11D0-847A-00C04FD7BB08}]
"Compatibility Flags"=dword:00000400
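Two things the .reg above leaves implicit: "Compatibility Flags" is a bitmask, so importing a fixed dword:00000400 overwrites any other compatibility flags the control already had (the safe operation is OR), and on 64-bit Windows the kill bit has to be present under both the native key and the Wow6432Node key or 32-bit IE will still load the control. As an added example (written here, not part of the CERT note or of this post), the hypothetical Python helpers below generate a kill-bit .reg for a CLSID while preserving existing flags, and check an exported .reg for CLSIDs whose kill bit is set under every key that lists them. The code only builds and parses .reg text; it does not touch the registry, and importing the result still needs an elevated `reg import` or regedit.

```python
import re

KILLBIT = 0x00000400   # the ActiveX Compatibility "kill bit" flag

# Both keys IE consults: the native view, and the 32-bit view on 64-bit Windows.
COMPAT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
)
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\}))\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def is_killed(flags):
    """True if the kill bit is set in a Compatibility Flags value."""
    return bool(flags & KILLBIT)


def killbit_reg(clsid, existing_flags=0):
    """Return .reg text that sets the kill bit for clsid under both compatibility keys.

    existing_flags is the control's current "Compatibility Flags" value (read it with
    reg query first); it is OR-ed with KILLBIT so other flags survive the import."""
    if not CLSID_RE.match(clsid):
        raise ValueError("not a CLSID: %r" % (clsid,))
    flags = existing_flags | KILLBIT
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in COMPAT_KEYS:
        lines += ["[%s\\%s]" % (key, clsid.upper()),
                  '"Compatibility Flags"=dword:%08x' % flags, ""]
    return "\r\n".join(lines)   # .reg files are CRLF-terminated


def parse_killbits(reg_text):
    """Map CLSID -> {key path: flags} for every ActiveX Compatibility entry in reg_text."""
    out = {}
    key = clsid = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key, clsid = m.group(1), m.group(2).upper()
            continue
        m = FLAGS_RE.match(line)
        if m and key is not None:
            out.setdefault(clsid, {})[key] = int(m.group(1), 16)
    return out


def killed_clsids(reg_text):
    """CLSIDs whose kill bit is set in every key that lists them (a 64-bit box needs both)."""
    return {c for c, keys in parse_killbits(reg_text).items()
            if keys and all(is_killed(f) for f in keys.values())}


if __name__ == "__main__":
    # The WMI Object Viewer control from the note above; flags 0 assumed as the prior value.
    print(killbit_reg("{2745E5F5-D234-11D0-847A-00C04FD7BB08}"))
```

To audit a machine, export the two keys with `reg export` and feed the text to `killed_clsids`; a CLSID present under only one of the keys, or with a flags value lacking 0x400 under either, is not reported as killed.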

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the “Securing Your Web Browser” document.


Vendor Information


References
http://www.cert.org/tech_tips/securing_browser/
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6430f853-1120-48db-8cc5-f2abdc3ed314
http://support.microsoft.com/kb/240797
http://www.wooyun.org/bugs/wooyun-2010-01006
http://secunia.com/advisories/42693


Credit
This vulnerability was publicly disclosed on WooYun.org.
This document was written by Jared Allar.

Other Information
Date Public: 2010-12-22
Date First Published: 2010-12-22
Date Last Updated: 2010-12-22


 



An exploit showed up in Metasploit, but when I tested it, it isn't working.
I'm probably doing something wrong, right? Looks like I'll have to dig around a bit...-_-;;

Now that an exploit is out it would be nice to analyze it, but today is Christmas Eve ;)
On top of that, tomorrow is my wife's birthday, so from this evening I have to keep her entertained, and whether I can get any analysis done over the weekend is anyone's guess.





The PoC code at http://www.wooyun.org/bugs/wooyun-2010-01006 that launches the calculator (calc.exe) is working properly.




I'll have to look over the metasploit code.


Posted by demantos
0x06 vulnerability | 2010. 11. 25. 11:10


http://isc.sans.edu/diary.html?storyid=9988&rss
http://moonslab.com/1195
http://packetstormsecurity.org/files/96091
http://pastebin.com/ReCGfJSf

It is described as a vulnerability in which a buffer overflow in win32k.sys allows UAC to be bypassed.





Demo video (thanks to 6l4ck3y3)






Posted by demantos