
New way to push an exploit to your PC

Full exploit code was published for the Microsoft Data Access Components vulnerability MS07-009. The description that accompanies the code reads:

This code exploits a “double free error” in the msado15.dll NextRecordset() function.
As a result of the same string being freed twice, the Heap Control Block is overwritten
with malicious data.
The exploitation technique is based on “Lookaside remapping”.

The original demonstration of this vulnerability occurred on July 29, 2006 in HD Moore’s Month of Browser Bugs.

On February 13, 2007, Microsoft released patch MS07-009 to address this vulnerability. Apply this patch immediately if you have not yet done so.

Affected Software:
•    Microsoft Data Access Components 2.5 Service Pack 3 on Microsoft Windows 2000 Service Pack 4
•    Microsoft Data Access Components 2.8 Service Pack 1 on Microsoft Windows XP Service Pack 2
•    Microsoft Data Access Components 2.8 on Microsoft Windows Server 2003
•    Microsoft Data Access Components 2.8 on Microsoft Windows Server 2003 for Itanium-based Systems
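The phrase “lookaside remapping” in the exploit description refers to a property of the Windows XP heap's lookaside free lists: they are singly linked, the link lives in the first word of the free chunk, and a free does not check whether the chunk is already on the list. The following toy model is an added example, not the published exploit and not code from the post: it does not model msado15.dll, real chunk headers or any shellcode, only the list mechanics, and every address in it is hypothetical. It also shows the check a hardened free list would make.

```python
"""Toy model of a Windows XP-style heap lookaside list, showing why freeing the
same chunk twice ends with the allocator handing out an attacker-chosen address.

Added example: not the MS07-009 exploit, no real heap layout, hypothetical addresses.
"""

CHUNK_SIZE = 0x20  # hypothetical size class served from one lookaside list


class Lookaside:
    """LIFO singly linked list of free chunks. The link (Flink) is stored in the
    first word of the free chunk itself, so it is overwritten by whatever the
    program writes into that chunk once it is allocated again."""

    def __init__(self, checked=False):
        self.mem = {}                   # address -> first word of the chunk (Flink slot)
        self.head = None
        self.next_fresh = 0x00400000    # hypothetical arena for never-used chunks
        self.checked = checked          # refuse double frees (the XP lookaside did not)

    def _on_list(self, addr):
        cur, seen = self.head, set()
        while cur is not None and cur not in seen:
            if cur == addr:
                return True
            seen.add(cur)
            cur = self.mem.get(cur)
        return False

    def free(self, addr):
        if self.checked and self._on_list(addr):
            raise RuntimeError(f"double free of {addr:#x}")
        self.mem[addr] = self.head      # push: chunk's first word becomes the old head
        self.head = addr

    def alloc(self):
        if self.head is None:
            addr = self.next_fresh
            self.next_fresh += CHUNK_SIZE
            return addr
        addr = self.head
        self.head = self.mem.get(addr)  # pop: blindly trust the Flink stored in the chunk
        return addr

    def write_word(self, addr, value):
        """The program (here: attacker-controlled data) writes into an allocated chunk."""
        self.mem[addr] = value


def double_free_remap(target, checked=False):
    """Free one chunk twice, then show the third allocation landing on `target`.
    Returns the three addresses handed out after the double free."""
    heap = Lookaside(checked=checked)
    victim = heap.alloc()
    heap.free(victim)
    heap.free(victim)               # list is now victim -> victim (same chunk twice)
    a = heap.alloc()                # pops victim, but victim is still the head
    heap.write_word(a, target)      # attacker data lands in victim's Flink slot
    b = heap.alloc()                # pops victim again; head is now `target`
    c = heap.alloc()                # returns the attacker-chosen address
    return a, b, c


if __name__ == "__main__":
    a, b, c = double_free_remap(0x41414140)
    print(f"first={a:#x} second={b:#x} third={c:#x}")
```

In a real exploit the third allocation is made by the application itself (a string copy, for instance), so the bytes it stores end up at the chosen address; the page's own description adds that the heap control block is overwritten, which this model does not show. With `checked=True` the second `free` is rejected, which is the check later heap implementations added.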

March 29, 2007 on 5:32 am | In Critical patch, Exploits & Vulnerabilities

First security flaw hits Vista

The security firm eEye has discovered one of the first security flaws to directly affect Windows Vista, a bug that it claims allows local users to escalate their privileges.

The flaw involves Windows’ system for managing user security levels, User Account Control (UAC), which was introduced with Vista. UAC is designed to limit the damage that can be caused by mass attacks such as worms by giving standard users limited privileges, a practice common with other operating systems.

Combined with a remote vulnerability, the newly discovered bug could essentially render UAC useless, escalating standard user privileges to system-level access, according to eEye.

eEye said: “A flaw exists within Windows Vista that allows local privilege escalation to System

Read more: User-privilege flaw hits Vista

March 1, 2007 on 10:34 am | In Exploits & Vulnerabilities, Tips

Vulnerability found in the Firefox built-in popup blocker

This vulnerability, coupled with an additional trick, allows the attacker to read arbitrary user-accessible files on the system, and thus steal some fairly sensitive information.

Vulnerable Systems: Firefox version 1.5.0.9

For security reasons, Firefox does not allow Internet-originating websites to access the file:// namespace. When the user chooses to manually allow a blocked popup, however, the normal URL permission checks are bypassed. The attacker may fool the browser into parsing a chosen HTML document stored on the local filesystem, and because the Firefox security manager treats all file:/// URLs as having the “same origin”, such a document can read other local files at its discretion with XMLHttpRequest and relay that information to a remote server.

To protect your PC, upgrade to Firefox 2.0.

Read more: Firefox Popup Blocker Allows Reading Arbitrary Local Files

February 7, 2007 on 5:33 am | In Exploits & Vulnerabilities

New vulnerability found in Internet Explorer / how to protect

A new vulnerability has been found in Microsoft Windows which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an error in the Windows Shell and is exposed via the “setSlice()” method in the WebViewFolderIcon ActiveX control (webvw.dll). This can e.g. be exploited via Internet Explorer by a malicious website to corrupt memory by passing specially crafted arguments to the “setSlice()” method.

Successful exploitation allows execution of arbitrary code.

To protect your PC you can do the following:

You can disable attempts to instantiate this ActiveX control in Internet Explorer by setting the kill bit for the control in the registry.

To set the kill bit for a CLSID with a value of {e5df9d10-3b52-11d1-83e8-00a0c90dc849}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400

You can apply this .reg file to individual systems by double-clicking it.
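A kill-bit .reg file is easy to get subtly wrong (a typo in the CLSID, the wrong bit in the value, smart quotes pasted from a web page), and an administrator pushing kill bits for several controls wants both a generator and an audit. The following is an added example, not Microsoft tooling and not code from the post: it builds a kill-bit .reg for a list of CLSIDs and lists the CLSIDs whose kill bit is missing from an existing .reg text. It works on .reg text only and never touches the live registry, so it runs anywhere; import its output with regedit as described above. The two CLSIDs used in the usage block are the ones from the .reg above.

```python
"""Generate and audit kill-bit .reg files for ActiveX controls.

Added example; does not touch the live registry, only .reg text.
"""
import re

KILL_BIT = 0x00000400  # Compatibility Flags bit that stops IE instantiating the control
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

_CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def make_killbit_reg(clsids):
    """Return .reg text (CRLF line ends, as regedit writes) that sets the kill bit
    for every CLSID given. Rejects anything that is not a well-formed CLSID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        if not _CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        lines.append(f"[{COMPAT_KEY}\\{clsid}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\r\n".join(lines)


def parse_compat_flags(reg_text):
    """Map lower-cased CLSID -> Compatibility Flags value for every ActiveX
    Compatibility key in a .reg text. Keys elsewhere in the registry are ignored."""
    flags = {}
    current = None
    prefix = COMPAT_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            key = m.group(1)
            current = key[len(prefix):].lower() if key.lower().startswith(prefix) else None
            continue
        m = re.match(r'^"compatibility flags"=dword:([0-9a-f]{1,8})$', line, re.I)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def missing_killbits(reg_text, required_clsids):
    """CLSIDs from required_clsids whose kill bit is NOT set in reg_text,
    in the order given. An absent key counts as missing."""
    flags = parse_compat_flags(reg_text)
    return [c for c in required_clsids if flags.get(c.lower(), 0) & KILL_BIT == 0]


if __name__ == "__main__":
    wanted = ["{e5df9d10-3b52-11d1-83e8-00a0c90dc849}",
              "{844F4806-E8A8-11d2-9652-00C04FC30871}"]
    reg = make_killbit_reg(wanted)
    print(reg)
    print("missing:", missing_killbits(reg, wanted))
```

When auditing a file exported by regedit rather than text you generated, open it with `encoding="utf-16"`, since regedit writes .reg exports as UTF-16.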

You can help protect against this vulnerability by changing your Internet Explorer settings to prompt before running ActiveX controls. To do this, follow these steps:

1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.

You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High. To raise the browsing security level in Microsoft Internet Explorer, follow these steps:

1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Read more: Vulnerability in Windows Shell Could Allow Remote Code Execution, WebViewFolderIcon setSlice, Microsoft Windows Shell Code Execution Vulnerability

October 2, 2006 on 8:40 am | In Exploits & Vulnerabilities

How to block the VML exploit

A few days ago a new zero-day exploit was found. The exploit uses a bug in VML in Internet Explorer to overflow a buffer and inject shellcode. It is currently on and off again at a number of sites.

Secunia reported:

The vulnerability is caused due to a boundary error in the Microsoft Vector Graphics Rendering (VML) library (vgx.dll) when processing certain content in Vector Markup Language (VML) documents. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a malicious VML document containing an overly long “fill” method inside a “rect” tag with the Internet Explorer browser.

Successful exploitation allows execution of arbitrary code with the privileges of the application using the vulnerable functionality in the library.

To block the VML exploit, do the following:

1. Click Start, click Run, type "regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"" (without the outer quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: Applications that render VML will no longer do so once Vgx.dll has been unregistered. To undo this change, re-register Vgx.dll by following the above steps, replacing the text in Step 1 with "regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"" (without the outer quotation marks).

Thanks to SunbeltBlog.

September 20, 2006 on 5:16 pm | In Exploits & Vulnerabilities, Tips, Tutorials - "How to"

New Internet Explorer vulnerability found

An Internet Explorer (daxctle.ocx) heap overflow vulnerability has been found.

When Internet Explorer handles the Spline method of the DirectAnimation.PathControl COM
object (daxctle.ocx), setting the first parameter to 0xffffffff triggers an
invalid memory write, which an attacker may use to cause a DoS and possibly execute arbitrary code.

Affected Windows versions:
Windows 2000
Windows XP
Windows 2003

Windows users.. check out Firefox, Opera, and whatever other nice browsers you can throw out there.

August 31, 2006 on 9:11 pm | In Exploits & Vulnerabilities

Exploits for new Microsoft vulnerabilities available

Internet Storm Center reported about available exploit code for MS06-034, MS06-035, and MS06-036.
If you haven’t already patched for these vulnerabilities you should take immediate action.

MS06-034 - unchecked buffer vulnerability in IIS ASP file processing

This patch fixes what seems to be a buffer overflow in IIS. This buffer overflow can be exploited when IIS is processing ASP files.

In other words, in order to exploit this vulnerability, an attacker has to somehow be able to upload ASP files on the target server, which is running IIS (versions 5.0, 5.1 and 6.0 are affected). Normally, you would require a user to authenticate before they can upload files to the server, so the vulnerability is rated moderate/important.

In case that you do allow people to upload ASP files on your IIS server, it would be wise to apply the patch as soon as possible, although we don’t know about any public exploits yet.

MS06-035 (CVE-2006-1314)

The vulnerability can be exploited remotely against the “Server” service.
So this would definitely be something that could be used for
widespread compromise with no user interaction, or a worm.

Looks like Windows 2000 SP4 is vulnerable by default. Windows XP SP2
and Server 2003 don’t appear to be vulnerable with a default
installation unless services are listening on Mailslots. At this
point, it is unclear exactly what software would enable Mailslots to
create a vulnerable condition.

MS06-036 - unchecked buffer Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)

MS has said systems “Primarily” at risk are Microsoft Windows 2000, Windows XP and Windows Server 2003.

“How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by answering a client’s DHCP request on the local subnet with malformed packets.”

“Could the vulnerability be exploited over the Internet?
An attacker could try to exploit this vulnerability over the Internet.”

“Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, however the vulnerability is not critical.”

July 24, 2006 on 7:01 pm | In Critical patch, Exploits & Vulnerabilities

New way - exploiting over distance

An ISC reader pointed out this relatively new exploit vector. At the upcoming BlackHat conference, a duo is going to demonstrate hacking WiFi device drivers to assume control of a target machine.

The two researchers used an open-source 802.11 hacking tool called LORCON (Loss of Radio Connectivity) to throw an extremely large number of wireless packets at different wireless cards. Hackers use this technique, called fuzzing, to see if they can cause programs to fail, or perhaps even run unauthorized software when they are bombarded with unexpected data.

Using tools like LORCON, Maynor and Ellch were able to discover many examples of wireless device driver flaws, including one that allowed them to take over a laptop by exploiting a bug in an 802.11 wireless driver. They also examined other networking technologies including Bluetooth, Ev-Do (EVolution-Data Only), and HSDPA (High Speed Downlink Packet Access).

The combination of device drivers (which sit close to the kernel) and wireless technology makes this vector uniquely possible. Most device drivers cannot be attacked remotely because the device is attached to the actual hardware, but wireless is meant to work over distance. The vector is still limited by distance to those close enough to some transmission agent, but with the growing prevalence of free wireless hotspots it is easy to find places where enough laptops congregate to get good results (say a conference or an airport terminal).

July 10, 2006 on 9:15 am | In Exploits & Vulnerabilities

OpenOffice.org fixes three security vulnerabilities

OpenOffice.org 2.0.3 fixes three security vulnerabilities that were found through internal security audits. Although there are currently no known exploits, they urge all users of 2.0.x prior to 2.0.3 to upgrade to the new version or install their vendor’s patches accordingly. Patches for users of OpenOffice.org 1.1.5 will be available shortly.

The three vulnerabilities involve:

  • Java applets, CVE-2006-2199: it is possible for some Java applets to break out of the secure “sandbox” in which they are normally constrained. The applet code could potentially have access to the entire system with whatever privileges the current user has. A workaround is provided to temporarily disable support for Java applets; instructions are provided for both 1.1.x and 2.0.x.
  • Macros, CVE-2006-2198: a flaw in the macro mechanism could allow an attacker to include certain macros that would be executed even if the user has disabled document macros. Such macros could potentially have access to the entire system with whatever privileges the current user has. There is no workaround for this issue.
  • File format, CVE-2006-3117: a flaw in the parsing of the XML file formats allows for possible buffer overflows in specially malformed documents. The buffer overflow can crash the OpenOffice.org application and might be exploitable for arbitrary code execution. There is no workaround for this issue.

Update OpenOffice now.

June 30, 2006 on 5:04 am | In Exploits & Vulnerabilities

New vulnerability found in Microsoft Excel

ISC and Microsoft have reported a new vulnerability in Microsoft Excel. An exploit that uses the vulnerability to install malware has also been found.

Symantec can now detect this attack.

Trojan.Mdropper.J is a Trojan horse that drops Downloader.Booli.A on the compromised computer. It exploits an undocumented vulnerability in Microsoft Excel.

The Symantec website also reports … Downloader.Booli.A may arrive on the compromised computer, dropped by Trojan.Mdropper.J, with the following name: %System%\svc.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

When Downloader.Booli.A is executed, it performs the following actions:

  • Attempts to run Internet Explorer and inject its code into Internet Explorer to potentially bypass firewalls.
  • Attempts to download a file from the following location: [http://]210.6.90.153:7890/svcho[REMOVED]
  • Saves the file as the following and if the download was successful, executes the file: c:\temp.exe
  • Creates an empty file before exiting: c:\bool.ini

We recommend using the same defenses as for the latest Microsoft Word vulnerability: How to block Microsoft Word vulnerability, recommended defenses.

June 16, 2006 on 8:49 am | In Exploits & Vulnerabilities

Kaspersky Lab releases detection for malware exploiting the MS Word vulnerability

A few days ago we reported on a vulnerability in Microsoft Word.

Malware which spreads via email is exploiting the vulnerability as a specially crafted MS Word .DOC attachment. If the attachment is launched, this triggers a process which results in a backdoor being installed.

Kaspersky Lab has released detection for the malware, a dropper and a backdoor. As ever, users should update their databases as soon as possible. Kaspersky products detect the dropper as Trojan-Dropper.MSWord.1Table.bd and the backdoor as Backdoor.Win32.Gusi.a.

May 23, 2006 on 9:44 am | In Exploits & Vulnerabilities

How to block Microsoft Word vulnerability, recommended defenses.

Microsoft will release a patch against this problem in June, but even after that there are likely to be other attacks using other exploits. So let’s think a bit beyond the next couple of days on how to defend your network.

  • User education is of course key, but likely insufficient. Attacks like that will use very plausible messages. Create some examples to re-emphasize this fact. “What if you receive a message from a customer you know, referencing a project you are working on, that includes a Word document”. Teach users to double check out of band. “Do not open the document before calling the customer”.
  • Do not trust Antivirus alone. Defending against 0-day is all about defense in depth. Antivirus is likely going to fail you for an exploit like that. Consider a system that quarantines attachments for at least 6-12 hours to allow anti virus signatures to catch up. This may not be acceptable for a lot of organizations, but in particular right now, with a known exploit, it may be a reasonable step.
  • Limit users’ privileges. The particular sample we received will not run as a non-administrator user. It will be MUCH easier to clean up after an exploit like that if the user had no administrator rights.
  • Monitor outbound traffic. Your IDS and your firewall are as valuable to protect your network from malicious traffic entering as they are in protecting you against your corporate secrets leaving your network. Consider deploying “honey tokens”, files with interesting names that contain a particular signature your IDS will detect.
  • Block outbound traffic. Try to limit sites accessible to users and use techniques like proxy servers to isolate your clients further. Proxy filter logs will also work great as an IDS to detect suspect traffic.
  • Limit data on desktops. Try to teach users to limit data they store “in reach”. This is a difficult balance. But a file on a remote system, which would require additional authentication, will likely not be accessible by a bot as in this case. Locally encrypted files will work too (as long as they stay encrypted until used). Encrypted file systems will not help as they will be accessible to the user opening the word document.

Again. None of these techniques are perfect. Each one can be circumvented. But the more layers you can wrap your users in the better. Think what will work well in your organization. Personal firewalls on desktop? Traffic control with flowtools or ntop? What are the tools you already have that can be used for this purpose.

There are also some rather more radical “solutions” possible if you absolutely need to be sure that you can continue working independently of this vulnerability (and the inevitable variants to follow soon):

  • consider additional filtering, for example using software which converts Word DOC format to something which cannot carry the virus, e.g. RTF. Consider using the free wvWare library. You will lose formatting but that might be an acceptable bargain for e-mail incoming from outside your organisation.
  • consider the possibility of disabling Word and replacing it with OpenOffice until Microsoft releases patches.

Another option might be to use the Microsoft Office viewer applications instead as your default, such as Word Viewer. You can get more information about and download the viewer programs from Microsoft. The Word Viewer application is not vulnerable to this specific exploit.

Thanks to Internet Storm Center

May 23, 2006 on 7:55 am | In Exploits & Vulnerabilities

Exploit found using new Microsoft Word vulnerability

Internet Storm Center has reported a new Word vulnerability being used in the wild. An exploit using the vulnerability has been sent as an email attachment to specific individuals.

The exploit functioned as a dropper, extracting a trojan byte-for-byte from the host file when executed. After extracting and launching the trojan, the exploit then overwrote the original Word document with a “clean” (not infected) copy from payload in the original infected document. As a result of the exploit, Word crashes, informs the user of a problem, and offers to attempt to re-open the file. If the user agrees, the new “clean” file is opened without incident.

The exploit communicates back to localhosts[dot]3322[dot]org via HTTP. It is proxy-aware, and “pings” this server using HTTP POSTs of 0 bytes (no data actually POSTed) with a periodicity of approximately one minute. It has rootkit-like functionality, hiding binary files associated with the exploit (all files on the system named winguis.dll will not be shown in Explorer, etc.), and invokes itself automatically by including the trojan binary in “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows”. Note that, as of this morning, no anti-virus signatures detected this file as problematic according to virustotal.com.

Update:

When the exploit is launched, early on in the process, it drops a bot, possibly Rbot or some variant.

Once the bot is in place, it begins an extensive recon of the system; installed patches, installed AV, contents of My Documents, startup file contents, IE config ..

Update - 05/23/06:

Microsoft and eEye have each released advisories related to the issue this evening.

Microsoft’s security advisory can be found here.

eEye’s advisory can be found here.

The information about vulnerable versions differs a little between the two advisories.

Microsoft says the vulnerability only affects Word 2002/XP and Word 2003 and that Word 2000 is not vulnerable. The Microsoft advisory contains information on workarounds including not using Word as the default mail editor in Outlook and running Word in ‘Safe Mode’ to disable the functionality that is affected by the vulnerability and exploit.

eEye says that the vulnerability affects Word 2000 as well. The eEye advisory mentions that they believe there are two variants of this exploit. Thus, it may be that the first variant only affects Word 2002/XP and 2003 and the second variant affects all three versions.
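The beaconing described in this post (zero-byte HTTP POSTs from one client to one host, about a minute apart) is exactly the outbound traffic the earlier post on recommended defenses says proxy filter logs can expose. The detector below is an added example, not code from ISC or from this site: the log format (time, client, method, URL, bytes sent) and every line in SAMPLE_LOG are constructed, the host name is the defanged one from the post, and LINE_RE must be adapted to your own proxy's format.

```python
"""Find proxy-log beaconing: one client sending zero-byte HTTP POSTs to one host
at a steady interval. Added example; the log format and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines: ISO time, client IP, method, URL, bytes sent by the client.
# 10.0.0.7 beacons about once a minute; 10.0.0.12 posts zero bytes but irregularly;
# 10.0.0.9 makes ordinary form posts with a body.
SAMPLE_LOG = """\
2006-05-19T08:00:02 10.0.0.7 POST http://localhosts.3322.org/ 0
2006-05-19T08:00:10 10.0.0.12 POST http://www.example.org/ping 0
2006-05-19T08:00:20 10.0.0.12 POST http://www.example.org/ping 0
2006-05-19T08:00:31 10.0.0.7 GET http://www.example.com/news 0
2006-05-19T08:01:03 10.0.0.7 POST http://localhosts.3322.org/ 0
2006-05-19T08:02:01 10.0.0.7 POST http://localhosts.3322.org/ 0
malformed line that the parser must skip
2006-05-19T08:03:04 10.0.0.7 POST http://localhosts.3322.org/ 0
2006-05-19T08:03:40 10.0.0.9 POST http://www.example.com/login 512
2006-05-19T08:04:02 10.0.0.7 POST http://localhosts.3322.org/ 0
2006-05-19T08:05:00 10.0.0.12 POST http://www.example.org/ping 0
2006-05-19T08:09:15 10.0.0.9 POST http://www.example.com/login 498
2006-05-19T08:30:00 10.0.0.12 POST http://www.example.org/ping 0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")   # adapt to your proxy's format
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.I)


def parse_log(text):
    """Yield (timestamp, client, method, host, bytes_sent) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                    # malformed lines are skipped, not fatal
        ts, client, method, url, sent = m.groups()
        h = HOST_RE.match(url)
        if not h:
            continue
        yield datetime.fromisoformat(ts), client, method.upper(), h.group(1).lower(), int(sent)


def find_beacons(text, min_hits=4, max_jitter=15.0):
    """Return {(client, host): (hits, median_gap_seconds)} for every client that
    POSTs zero bytes to the same host at least min_hits times with a steady
    interval, i.e. every gap within max_jitter seconds of the median gap."""
    posts = defaultdict(list)
    for ts, client, method, host, sent in parse_log(text):
        if method == "POST" and sent == 0:
            posts[(client, host)].append(ts)
    found = {}
    for key, times in posts.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        if all(abs(g - median) <= max_jitter for g in gaps):
            found[key] = (len(times), median)
    return found


if __name__ == "__main__":
    for (client, host), (hits, gap) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {hits} zero-byte POSTs, median gap {gap:.0f}s")
```

The jitter filter is what separates a beacon from a busy but legitimate client: the irregular zero-byte posts from 10.0.0.12 are not reported even though they reach the hit threshold. Tune `min_hits` and `max_jitter` to the beacon period you expect; a one-minute beacon over a working day produces hundreds of hits, so a low threshold is safe.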

May 19, 2006 on 8:34 pm | In Exploits & Vulnerabilities

Internet Explorer “object” Tag Vulnerability

Michal Zalewski has discovered a vulnerability in Internet Explorer, which potentially can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an error in the processing of certain sequences of nested “object” HTML tags. This can be exploited to corrupt memory by tricking a user into visiting a malicious web site.

Successful exploitation may allow execution of arbitrary code, but has not been proven.

NOTE: During analysis, Secunia discovered a variant of this vulnerability and confirmed code execution on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected. Details about this variant will not be publicly disclosed at present, but have been sent to Microsoft, who are currently working on a patch.

To protect your PC, do not visit untrusted web sites.

May 1, 2006 on 8:30 am | In Exploits & Vulnerabilities

New vulnerability in Internet Explorer

Hai Nam Luke has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.

The vulnerability is caused due to a race condition in the loading of web content and Macromedia Flash Format files (“.swf”) in browser windows. This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (March edition). Other versions may also be affected.

To protect your PC, disable Active Scripting support.

Thanks to Secunia

April 6, 2006 on 9:26 pm | In Exploits & Vulnerabilities

Temporary fix for IE vulnerability

eEye has released a patch for the active IE vulnerability.

Organizations that choose to employ this workaround should take the steps required to uninstall it once the official Microsoft patch is released. This workaround is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw. Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation [my emphasis].

Read more and download here

But a small comment: don’t bother using this patch; disabling Active Scripting support in IE is a valid mitigation.

March 29, 2006 on 9:33 am | In Critical patch, Exploits & Vulnerabilities

BHO malware uses IE vulnerability to install

SANS reported:

There are several sites that have been compromised and now contain the exploit code. These sites all run the exploit code and get a file called ca.exe which in turn gets a file called calc.exe and installs it. It is calc.exe that we want to focus on briefly.

This malware installs a dll that is used as a Browser Helper Object (BHO) and also copies itself to the directory shown below as nm32.exe and runs as a process. The malware creates the following on install:

C:\WINNT\fyt\mn32.dll
C:\WINNT\fyt\nm32.exe
C:\WINNT\fyt\~ipcfg636
C:\WINNT\fyt\~start636
C:\WINNT\fyt\~tmp636
C:\WINNT\fyt\~view636

It also creates a file called sub.txt when you surf the internet and records everything it can about where you go and what you do.

Anyway, please keep your eyes and ears open for any new sites exploiting this vulnerability!

Don’t forget: you can block this vulnerability simply by disabling Active Scripting support.

March 26, 2006 on 10:57 am | In Exploits & Vulnerabilities

100 confirmed sites now using the IE vulnerability

100 confirmed sites now using the IE vulnerability, as reported on security lists by Dan Hubbard (alert) at WebSense and Joe Stewart at Lurhq.

These can be very nasty. SunBelt analysed one site - www(dot)textrum(dot)se (since shutdown):
The exploit fetches a file, updater.exe. The file is W32/Spybot (W32/Backdoor, Adware.NaviPromo.M).
Norman sandbox report:

Found Sandbox: W32/Backdoor; [ General information ]

* Anti debug/emulation code present.
* Creating several executable files on hard-drive.
* File length: 46644 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\Updater.exe.
* Creates directory C:\WINDOWS\SYSTEM32\kazaabackupfiles.
* Creates file C:\WINDOWS\SYSTEM32\kazaabackupfiles\download_me.exe.

[ Changes to registry ]
* Creates value “Windsupdate”=”Updater.exe” in key “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce”.
* Creates value “Windsupdate”=”Updater.exe” in key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”.
* Modifies value “Dir0”=”012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles\” in key “HKCU\Software\Kazaa\LocalContent”.

[ Network services ]
* Connects to “kronkrak.servequake.com” on port 6667 (IP).
* Connects to IRC server.
* IRC: Uses nickname CurrentUser7.
* IRC: Uses username CurrentUser7.

[ Security issues ]
* Possible backdoor functionality [Authenticate] port 113.

[ Process/window information ]
* Enumerates running processes.
* Will automatically restart after boot (I’ll be back…).
* Attempts to open C:\WINDOWS\SYSTEM32\Updater.exe NULL.
* Enumerates running processes several parses….
* Creates a mutex coolbot1.c4.

There is no patch available for this exploit. The only way to avoid it is
- turn off Active Scripting
- use a non-IE browser (although the latest version of IE 7, the March 20 beta 2 preview, is not affected).
Your standard protections should be in place — antivirus, firewall, antispyware.
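A sandbox report like the one above, and the file and registry lists in the earlier posts on the BHO malware (calc.exe) and the Excel downloader (Downloader.Booli.A), are host indicators that a responder wants to sweep other machines for. The following is an added example, not code from Norman, Sunbelt or this site: it parses report lines of the shape quoted above into indicators and matches them against a host snapshot. REPORT is copied from the report above; the files, registry values and connections passed to `sweep()` in the usage block are constructed, not from a real machine.

```python
"""Turn a Norman Sandbox-style report into host indicators and sweep a host
snapshot for them. Added example; REPORT is quoted from the post, the snapshot
in __main__ is constructed."""
import re

REPORT = """\
[ Changes to filesystem ]
* Creates file C:\\WINDOWS\\SYSTEM32\\Updater.exe.
* Creates directory C:\\WINDOWS\\SYSTEM32\\kazaabackupfiles.
* Creates file C:\\WINDOWS\\SYSTEM32\\kazaabackupfiles\\download_me.exe.

[ Changes to registry ]
* Creates value "Windsupdate"="Updater.exe" in key "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce".
* Creates value "Windsupdate"="Updater.exe" in key "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".
* Modifies value "Dir0"="012345:C:\\WINDOWS\\SYSTEM32\\kazaabackupfiles\\" in key "HKCU\\Software\\Kazaa\\LocalContent".

[ Network services ]
* Connects to "kronkrak.servequake.com" on port 6667 (IP).
"""

FILE_RE = re.compile(r"^\* Creates (?:file|directory) (.+?)\.?$")
REG_RE = re.compile(r'^\* (?:Creates|Modifies) value "([^"]*)"="([^"]*)" in key "([^"]+)"\.?$')
NET_RE = re.compile(r'^\* Connects to "([^"]+)" on port (\d+)')


def parse_report(text):
    """Return {'files': set(path), 'registry': {(key, name): value}, 'net': set((host, port))}.
    Paths, keys and names are lower-cased: the Windows filesystem and registry are
    case-insensitive, so a sweep must compare them that way."""
    iocs = {"files": set(), "registry": {}, "net": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := FILE_RE.match(line)):
            iocs["files"].add(m.group(1).lower())
        elif (m := REG_RE.match(line)):
            name, value, key = m.groups()
            iocs["registry"][(key.lower(), name.lower())] = value
        elif (m := NET_RE.match(line)):
            iocs["net"].add((m.group(1).lower(), int(m.group(2))))
    return iocs


def sweep(iocs, files, registry, connections):
    """Match a host snapshot against the indicators.
    files: iterable of paths; registry: {(key, name): value}; connections: iterable of (host, port).
    Returns a list of (kind, indicator) hits: files first, then registry, then network."""
    hits = []
    present = {p.lower() for p in files}
    for path in sorted(iocs["files"] & present):
        hits.append(("file", path))
    reg = {(k.lower(), n.lower()): v for (k, n), v in registry.items()}
    for (key, name), value in sorted(iocs["registry"].items()):
        if (key, name) in reg and reg[(key, name)].lower() == value.lower():
            hits.append(("registry", f"{key}\\{name}"))
    seen = {(h.lower(), p) for h, p in connections}
    for host, port in sorted(iocs["net"] & seen):
        hits.append(("net", f"{host}:{port}"))
    return hits


# Constructed host snapshot: one infected-looking box.
HOST_FILES = [r"C:\Windows\System32\updater.exe", r"C:\Windows\System32\calc.exe"]
HOST_REGISTRY = {(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Windsupdate"): "Updater.exe"}
HOST_CONNECTIONS = [("mail.example.com", 25), ("kronkrak.servequake.com", 6667)]

if __name__ == "__main__":
    for kind, what in sweep(parse_report(REPORT), HOST_FILES, HOST_REGISTRY, HOST_CONNECTIONS):
        print(f"{kind}: {what}")
```

On a real sweep the three inputs come from a directory listing, a registry export of the Run/RunOnce keys and the output of `netstat`, and a file-name match alone is weak evidence (Updater.exe is a plausible legitimate name); a registry autorun entry pointing at it, or the IRC connection on port 6667, is what should trigger a look.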

March 24, 2006 on 9:44 pm | In Exploits & Vulnerabilities

RealNetworks Products Multiple Buffer Overflow Vulnerabilities

Some vulnerabilities have been reported in various RealNetworks products, which can be exploited by malicious people to compromise a user’s system.

1) A boundary error when processing SWF files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user’s system.

2) A boundary error within the handling of web pages can be exploited via a specially crafted web page on a malicious server to cause a heap-based buffer overflow. This may allow execution of arbitrary code on the user’s system.

3) A boundary error in the processing of MBC files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user’s system.

A weakness when executing other programs is caused due to incorrect use of the “CreateProcess()” API. This may allow execution of an arbitrary program on the system, if this can be placed in the program path.

The following products are affected by one or more of the vulnerabilities:
* RealPlayer 10.5 (6.0.12.1040-1348)
* RealPlayer 10
* RealOne Player v2
* RealOne Player v1
* RealPlayer 8
* RealPlayer Enterprise
* Rhapsody 3 (build 0.815 - 1.0.269)
* Mac RealPlayer 10 (10.0.0.305 - 331)
* Mac RealOne Player
* Linux RealPlayer 10 (10.0.6)
* Helix Player (10.0.6)
* Linux RealPlayer 10 (10.0.0 - 5)
* Helix Player (10.0.0 - 5)

Patch your RealPlayer now.

March 23, 2006 on 9:36 am | In Critical patch, Exploits & Vulnerabilities

New Internet Explorer vulnerability

Secunia Research has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to an error in the processing of the “createTextRange()” method call applied to a radio button control. This can be exploited by e.g. a malicious web site to corrupt memory in a way which allows the program flow to be redirected to the heap.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (January edition). Other versions may also be affected.

To block this vulnerability, disable Active Scripting support.

March 23, 2006 on 9:25 am | In Exploits & Vulnerabilities


MY ANTI SPYWARE