Viruses and Worms

Brit govt told to do its homework ahead of talks over post-Brexit spy laws and data flows

The Register - Anti-Virus - 10 May, 2018 - 08:03
MPs warned that negotiations could take years, better lay the groundwork now

There is no doubt that the UK's surveillance regimes will come under scrutiny in negotiations on continued data flows with Europe after Brexit, and the government needs to start preparing for that now, MPs have been told.…

Category: Viruses and Worms

IBM bans all removable storage, for all staff, everywhere

The Register - Anti-Virus - 10 May, 2018 - 07:01
Risk of ‘financial and reputational damage’ is too high, says CISO

IBM has banned its staff from using removable storage devices.…

Category: Viruses and Worms

Bugs in Logitech Harmony Hub Put Connected IoT Devices at ‘High Risk’

VirusList.com - 9 May, 2018 - 22:20
Researchers found an array of vulnerabilities in the Logitech Harmony Hub, shedding light on IoT security.
Category: Viruses and Worms

Severe Keyboard Flaws in LG Smartphones Allow Remote Code Execution

VirusList.com - 9 May, 2018 - 19:00
An attacker can gain man-in-the-middle access to inject a rogue executable file onto the phone.
Category: Viruses and Worms

Patch now! Microsoft and Adobe release critical security updates

Sophos Naked Security - 9 May, 2018 - 18:23
...And the Microsoft vulnerabilities include 0-days. Get the patches now!

Georgia Governor Vetoes Controversial Hack-Back Bill

VirusList.com - 9 May, 2018 - 18:08
The bill would have allowed companies in the state to perform offensive cyberactions in the face of an attack.
Category: Viruses and Worms

Hide'n'Seek IoT botnet adds persistence

Virus Bulletin News - 9 May, 2018 - 14:34
The Hide'n'Seek IoT botnet has received an update to make its infection persist on infected devices beyond a restart.

Category: Viruses and Worms

Critical bug in 7-Zip – make sure you’re up to date!

Sophos Naked Security - 9 May, 2018 - 13:37
Uninitialised variables and no Address Space Layout Randomisation led to an exploitable vulnerability...

Uber car software detected woman before fatal crash but failed to stop

Sophos Naked Security - 9 May, 2018 - 12:34
Uber has reportedly discovered that the fatal crash was likely caused by a software bug in its self-driving car technology.

Google cracks down on election meddling advertisers

Sophos Naked Security - 9 May, 2018 - 12:08
Google will now require people or groups purchasing federal election ads to show that they're US citizens or lawful residents.

Could this be the end of password re-use?

Sophos Naked Security - 9 May, 2018 - 11:51
It’s password security’s Achilles heel: too many people make life easy for cybercriminals by re-using the same ones over and over. But what if there were a way for websites to compare notes on whether a password (or similar password) has been set by a user elsewhere?

Every major OS maker misread Intel's docs. Now their kernels can be hijacked or crashed

The Register - Anti-Virus - 9 May, 2018 - 08:53
Grab those patches as Chipzilla updates manuals

Updated  Linux, Windows, macOS, FreeBSD, and some implementations of Xen have a design flaw that could allow attackers to, at best, crash Intel and AMD-powered computers.…

Category: Viruses and Worms

The King is dead. Long live the King!

Kaspersky Securelist - 9 May, 2018 - 08:00

In late April 2018, a new zero-day vulnerability for Internet Explorer (IE) was found using our sandbox, more than two years after the last in-the-wild example (CVE-2016-0189). This particular vulnerability and the subsequent exploit are interesting for many reasons. The following article examines the core reasons behind the latest vulnerability, CVE-2018-8174.

Searching for the zero day

Our story begins on VirusTotal (VT), where someone uploaded an interesting exploit on April 18, 2018. This exploit was detected by several AV vendors including Kaspersky, specifically by our generic heuristic logic for some older Microsoft Word exploits.

Virustotal scan results for CVE-2018-8174

After the malicious sample was processed in our sandbox system, we noticed that a fully patched version of Microsoft Word was successfully exploited. From this point we began a deeper analysis of the exploit. Let’s take a look at the full infection chain:

Infection chain

The infection chain consists of the following steps:

  • A victim receives a malicious Microsoft Word document.
  • After opening the malicious document, a second stage of the exploit is downloaded; an HTML page containing VBScript code.
  • The VBScript code triggers a Use After Free (UAF) vulnerability and executes shellcode.

Initial analysis

We’ll start our analysis with the initial Rich Text Format (RTF) document that was used to deliver the actual exploit for IE. It contains only one object, and its contents are obfuscated using a known obfuscation technique we call “nibble drop”.

Obfuscated object data in RTF document

After deobfuscation and hex-decoding of the object data, we can see that this is an OLE object that contains a URL Moniker CLSID. Because of this, the exploit initially resembles an older vulnerability leveraging the Microsoft HTA handler (CVE-2017-0199).

URL Moniker is used to load an IE exploit

With the CVE-2017-0199 vulnerability, Word tries to execute the file with the default file handler based on its attributes, the Content-Type HTTP header in the server’s response being one of them. Because the default handler for the “application/hta” Content-Type is mshta.exe, it is chosen as the OLE server to run the script unrestricted. This allows an attacker to directly call ShellExecute and launch a payload of their choice.

However, if we follow the embedded URL in the latest exploit, we can see that the content type in the server’s response is not “application/hta”, which was a requirement for CVE-2017-0199 exploitation, but rather “text/html”. The default OLE server for “text/html” is mshtml.dll, the library that contains the engine behind Internet Explorer.

WINWORD.exe querying registry for correct OLE server

Furthermore, the page contains VBScript, which is loaded with a safemode flag set to its default value, ‘0xE’. Because this disallows an attacker from directly executing a payload, as was the case with the HTA handler, an Internet Explorer exploit is needed to overcome that.

Using a URL moniker like that to load a remote web page is possible, because Microsoft’s patch for Moniker-related vulnerabilities (CVE-2017-0199, CVE-2017-8570 and CVE-2017-8759) introduced an activation filter, which allows applications to specify which COM objects are restricted from instantiating at runtime.

Some of the filtered COM objects, restricted from creating by IActivationFilter in MSO.dll

At the time of this analysis, the list of filtered CLSIDs consisted of 16 entries. The MSHTML CLSID ({25336920-03F9-11CF-8FD0-00AA00686F13}) is not in the list, which is why the MSHTML COM server is successfully created in the Word context.

This is where it becomes interesting. Despite a Word document being the initial attack vector, the vulnerability is actually in VBScript, not in Microsoft Word. This is the first time we’ve seen a URL Moniker used to load an IE exploit, and we believe this technique will be used heavily by malware authors in the future. It allows one to load and render a web page using the IE engine, even if the default browser on a victim’s machine is set to something different.
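As an added, defender-side example (not code from the Securelist article or from Kaspersky), the following Python script scans the `\objdata` groups of an RTF file for the two OLE CLSIDs discussed above: the URL Moniker CLSID (the standard Windows value {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, which the article does not quote) and the MSHTML CLSID quoted above. The sample RTF is constructed for the demonstration. The hex extraction is a simplification that assumes the group holds plain hex; the real document used the “nibble drop” obfuscation, which a production scanner would have to undo first.

```python
import re
import uuid

# CLSIDs worth flagging in an embedded OLE object. The MSHTML value is the one
# quoted in the article; the URL Moniker value is the standard Windows CLSID.
CLSIDS = {
    "URL Moniker": uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B"),
    "MSHTML (IE engine)": uuid.UUID("25336920-03F9-11CF-8FD0-00AA00686F13"),
}

# Matches the hex payload that follows an \objdata control word.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: str) -> list[bytes]:
    """Return the hex-decoded payload of every \\objdata group in the document.

    Simplification: assumes plain hex with optional whitespace (no \\bin runs
    and no interleaved junk), so deobfuscation must happen before this step.
    """
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", match.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # discard a dangling nibble
        blobs.append(bytes.fromhex(hexstr))
    return blobs


def find_clsids(blob: bytes) -> list[str]:
    """Name the known CLSIDs present in an OLE blob.

    COM serialises a GUID as little-endian Data1..Data3 followed by the raw
    Data4 bytes, which is exactly what uuid.UUID.bytes_le produces.
    """
    return [name for name, guid in CLSIDS.items() if guid.bytes_le in blob]


def scan_rtf(rtf: str) -> list[str]:
    """Scan a whole RTF document and return the CLSID names found in any object."""
    hits = []
    for blob in extract_objdata(rtf):
        hits.extend(find_clsids(blob))
    return hits


# Constructed sample: a minimal RTF with one OLE object whose data carries the
# URL Moniker CLSID. This is illustrative input, not a real malicious document.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objautlink{\*\objdata 01050000 02000000 "
    + CLSIDS["URL Moniker"].bytes_le.hex()
    + " 00000000 }}}"
)

if __name__ == "__main__":
    for name in scan_rtf(SAMPLE_RTF):
        print(f"suspicious OLE object references: {name}")
```

A hit on the URL Moniker CLSID alone does not prove malice, since legitimate linked objects use it too, but an RTF whose only object is a URL Moniker pointing at remote content is exactly the shape described above and is a reasonable triage trigger.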

The VBScript in the downloaded HTML page contains both function names and integer values that are obfuscated.

Obfuscated IE exploit

Vulnerability root cause analysis

For the root cause analysis we only need to look at the first function (‘TriggerVuln’) in the deobfuscated version which is called right after ‘RandomizeValues’ and ‘CookieCheck’.

Vulnerability Trigger procedure after deobfuscation

To achieve the desired heap layout and to guarantee that the freed class object memory will be reused with the ‘ClassToReuse’ object, the exploit allocates some class objects. To trigger the vulnerability this code could be minimized to the following proof-of-concept (PoC):

CVE-2018-8174 Proof Of Concept

When we then launch this PoC in Internet Explorer with page heap enabled we can observe a crash at the OLEAUT32!VariantClear function.

Access Violation on a call to freed memory

Freed memory pointer is reused when the second array (ArrB) is destroyed

With this PoC we were able to trigger a Use-after-free vulnerability; both ArrA(1) and ArrB(1) were referencing the same ‘ClassVuln’ object in memory. This is possible because when “Erase ArrA” is called, the vbscript!VbsErase function determines that the type of the object to delete is a SafeArray, and then calls OLEAUT32!SafeArrayDestroy.

It checks that the pointer to a tagSafeArray structure is not NULL and that its reference count, stored in the cLocks field, is zero, and then continues to call ReleaseResources.

VARTYPE of ArrA(1) is VT_DISPATCH, so VBScriptClass::Release is called to destruct the object

ReleaseResources, in turn, will check the fFeatures flags variable, and since we have an array of VARIANTs, it will subsequently call VariantClear, a function that iterates over each member of an array, performs the necessary deinitialization and calls the relevant class destructor if necessary. In this case, VBScriptClass::Release is called to destroy the object correctly and handle destructors like Class_Terminate, since the VARTYPE of ArrA(1) is VT_DISPATCH.

Root cause of CVE-2018-8174 – ‘refCount’ being checked only once, before TerminateClass function

This ends up being the root cause of the vulnerability. Inside the VBScriptClass::Release function, the reference count is checked only once, at the beginning of the function. Even though it can be (and actually is, in the PoC) incremented in an overloaded TerminateClass function, no checks will be made before finally freeing the class object.

Class_Terminate is a deprecated method, now replaced by the ‘Finalize’ procedure. It is used to free acquired resources during object destruction and is executed as soon as the object is set to Nothing and there are no more references to it. In our case, the Class_Terminate method is overloaded, and when a call to VBScriptClass::TerminateClass is made, it is dispatched to the overloaded method instead. Inside that overloaded method, another reference is created to the ArrA(1) member. At this point ArrB(1) references ArrA(1), which holds a soon-to-be-freed ClassVuln object.

Crash, due to calling an invalid virtual method when freeing second object

After the Class_Terminate sub is finished, the object at ArrA(1) is freed, but ArrB(1) still maintains a reference to that freed class object. When the execution continues, and ArrB is erased, the whole cycle repeats, except that this time, ArrB(1) is referencing a freed ClassVuln object, and so we observe a crash when one of the virtual methods in the ClassVuln vtable is called.
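To make the root cause concrete, here is an added Python model of the lifetime bug (not code from the article, from Kaspersky or from Microsoft; the class and function names are invented for the illustration). `release_buggy` mirrors the behaviour described above: the reference count is checked once, the Class_Terminate hook then runs and takes a new reference, and the object is freed regardless. `release_fixed` shows the defensive pattern of re-checking the count after the destructor hook has run; that is an illustrative fix and not a claim about how Microsoft's patch is implemented.

```python
class FreedObjectError(Exception):
    """Raised when a freed object is touched; stands in for the access violation."""


class ScriptClassObject:
    """Toy model of a VBScript class instance: a refcount plus a Class_Terminate hook."""

    def __init__(self, on_terminate=None):
        self.refcount = 1
        self.freed = False
        self.on_terminate = on_terminate  # models an overloaded Class_Terminate

    def add_ref(self):
        if self.freed:
            raise FreedObjectError("AddRef on freed object")
        self.refcount += 1

    def virtual_method(self):
        # Models a call through the object's vtable.
        if self.freed:
            raise FreedObjectError("vtable call on freed object")
        return "ok"

    def terminate(self):
        # Script code runs here and may do anything, including taking a new reference.
        if self.on_terminate:
            self.on_terminate(self)


def release_buggy(obj):
    """Pre-patch logic as described: the count is checked once, before the hook."""
    obj.refcount -= 1
    if obj.refcount == 0:
        obj.terminate()
        obj.freed = True  # frees even though terminate() may have re-referenced it
        return True
    return False


def release_fixed(obj):
    """Illustrative fix: re-check the count after the destructor hook has run."""
    obj.refcount -= 1
    if obj.refcount != 0:
        return False
    obj.terminate()
    if obj.refcount != 0:
        return False  # the hook resurrected the object; it must stay alive
    obj.freed = True
    return True


def run_scenario(release):
    """Model of the 'Erase ArrA' then use-via-ArrB sequence from the article.

    ArrA and ArrB are two array slots. The overloaded Class_Terminate copies the
    dying object into ArrB, so ArrB keeps a reference after ArrA is erased.
    """
    slots = {}

    def class_terminate(obj):
        obj.add_ref()          # new reference taken inside the destructor hook
        slots["ArrB"] = obj

    slots["ArrA"] = ScriptClassObject(on_terminate=class_terminate)
    release(slots.pop("ArrA"))  # Erase ArrA
    try:
        slots["ArrB"].virtual_method()  # later use through ArrB
        return "alive"
    except FreedObjectError:
        return "use-after-free"


if __name__ == "__main__":
    print("buggy release:", run_scenario(release_buggy))
    print("fixed release:", run_scenario(release_fixed))
```

Running both paths reproduces the two outcomes: the single up-front check leaves ArrB holding a dangling reference, while re-checking the count after the hook keeps the object alive. The general lesson is that any destructor callback that can run script code must be treated as able to change the object's reference count.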

Conclusion

In this write up we analyzed the core reasons behind CVE-2018-8174, a particularly interesting Use-After-Free vulnerability that was possible due to incorrect object lifetime handling in the Class_Terminate VBScript method. The exploitation process is different from what we’ve seen in exploits for older vulnerabilities (CVE-2016-0189 and CVE-2014-6332) as the Godmode technique is no longer used. The full exploitation chain is as interesting as the vulnerability itself, but is out of scope of this article.

With CVE-2018-8174 being the first public exploit to use a URL moniker to load an IE exploit in Word, we believe that this technique, unless fixed, will be heavily abused by attackers in the future, as it allows an attacker to force IE to load, ignoring the default browser settings on a victim’s system.

We expect this vulnerability to become one of the most exploited in the near future, as it won’t be long until exploit kit authors start abusing it in both drive-by (via browser) and spear-phishing (via document) campaigns. To stay protected, we recommend applying the latest security updates and using a security solution with behavior detection capabilities.

In our opinion this is the same exploit that the Qihoo360 Core Security Team called “Double Kill” in their recent publication. While this exploit is not limited to browser exploitation, it was reported as an IE zero-day, which caused some confusion in the security community.

After finding this exploit we immediately shared the relevant information with Microsoft; they confirmed that it is in fact CVE-2018-8174, and we received an acknowledgement for the report.

This exploit was found in the wild and was used by an APT actor. More information about that APT actor and usage of the exploit is available to customers of Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com

Detection

Kaspersky Lab products successfully detect and block all stages of the exploitation chain and payload with the following verdicts:

  • HEUR:Exploit.MSOffice.Generic – RTF document
  • PDM:Exploit.Win32.Generic – IE exploit – detection with Automatic Exploit Prevention technology
  • HEUR:Exploit.Script.Generic – IE exploit
  • HEUR:Trojan.Win32.Generic – Payload

IOCs
  • b48ddad351dd16e4b24f3909c53c8901 – RTF document
  • 15eafc24416cbf4cfe323e9c271e71e7 – Internet Explorer exploit (CVE-2018-8174)
  • 1ce4a38b6ea440a6734f7c049f5c47e2 – Payload
  • autosoundcheckers[.]com

Second wave of Spectre-like CPU security flaws won't be fixed for a while

The Register - Anti-Virus - 9 May, 2018 - 05:58
Intel needs more time and it could be Q3 before all the patches for OSes and VMs land

The new bunch of Spectre-like flaws revealed last week won't be patched for at least 12 days.…

Category: Viruses and Worms

Mirai botnet cost you $13.50 per infected thing, say boffins

The Register - Anti-Virus - 9 May, 2018 - 04:31
Researchers infected devices and totted up all the 'leccy and bandwidth they used

Berkeley boffins reckon the Dyn-based Internet of Things attack that took down Brian Krebs' Website in 2016 cost device owners over $US320,000.…

Category: Viruses and Worms

It's 2018, and a webpage can still pwn your Windows PC – and apps can escape Hyper-V

The Register - Anti-Virus - 9 May, 2018 - 03:41
Scores of bugs, from Edge and Office to kernel code to Adobe Flash, need fixing ASAP

Patch Tuesday  Microsoft and Adobe have patched a bunch of security bugs in their products that can be exploited by hackers to commandeer vulnerable computers, siphon people's personal information, and so on.…

Category: Viruses and Worms

Red Hat smitten by secure enclaves 'cos some sysadmins are evil

The Register - Anti-Virus - 9 May, 2018 - 01:29
Also reveals plans to replace Atomic Host with CoreOS Linux

Red Hat Summit  Red Hat has revealed a plan to work with CPU-makers so that its wares can take advantage of in-silicon security features such as secure enclaves.…

Category: Viruses and Worms

May Patch Tuesday Fixes Two Bugs Under Active Attack

VirusList.com - 8 May, 2018 - 22:42
In total, Microsoft’s May Patch Tuesday roundup included 68 security patches, with 21 listed as critical, 45 rated important and two listed low in severity.
Category: Viruses and Worms

Sierra Wireless Patches Critical Vulns in Range of Wireless Routers

VirusList.com - 8 May, 2018 - 22:27
The flaws would leave the enterprise devices helpless to a range of remote threats, including the charms of the Reaper IoT botnet.
Category: Viruses and Worms