Monday, November 8, 2010

CVE-2010-2883 PDF An invitation to the Nobel Prize ceremony of Liu Xiaobo

Common Vulnerabilities and Exposures (CVE)number

  CVE-2010-2883 Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information

  General File Information

File invitation.pdf
MD5   : 29db2fba7975a16dbc4f3c9606432ab2
SHA1  : 5d65e6984e521936707b32219b39388efb4296fa

File size :
344218 bytes
Type:  PDF
Distribution: Email attachment 

Post Updates

More about similar attacks

Download

Original Message

From: Alex XXXX
[mailto:alexXXX@XXXforum.com]
Sent: Sunday, November 07, 2010 7:34 PM
To: XXXXXXXXXX
Subject: An invitation to the Nobel Prize ceremony of Liu Xiaobo

Dear Sir / Madame
I enclose a letter from Oslo Freedom Forum founder Thor Halvorssen inviting
you to join him in Oslo for the Dec. 11th Prize ceremony. Let me know if you
have any questions.
Sincerely yours,
Alex XXXXX
--
Vice President of Strategy
Oslo Freedom Forum
alexXXXXX@XXXXXforum.com

Message Headers

Received: (qmail 18379 invoked from network); 8 Nov 2010 00:36:59 -0000
Received: from capricorn.priced2go.net (HELO capricorn.priced2go.net) (97.65.113.26)
  by XXXXXXX; 8 Nov 2010 00:36:59 -0000
Received: from mailserver.com ([96.56.210.156]) by capricorn.priced2go.net with Microsoft SMTPSVC(6.0.3790.4675);
     Sun, 7 Nov 2010 16:36:23 -0800
Reply-To: "Alex XXXXX"
From: "Alex XXXXX"
To: XXXXX
Subject: An invitation to the Nobel Prize ceremony of Liu Xiaobo
Date: Mon, 8 Nov 2010 08:34:15 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="DTOEUDDBGIE"
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: alexXXXXX@XXXXXXforum.com
Message-ID:
X-OriginalArrivalTime: 08 Nov 2010 00:36:24.0028 (UTC) FILETIME=[F8AE79C0:01CB7EDC]

Sender

mirage_2008@hotmail.com


Hostname:    ool-6038d20f.static.optonline.net
ISP:    Optimum Online
Organization:    MARK WIESEN MD
Country:    United States
State/Region:    New Jersey

Automated Scans

File name:invitation.pdf
http://www.virustotal.com/file-scan/report.html?id=e134afd2ac6d04f37da7ccdf54ba298cc439a02c56636a855a8d51ee025fb697-1289198253
Submission date:2010-11-08 06:37:33 (UTC)
Current status:queued (#18) queued (#19) analysing finished
Result:21/ 43 (48.8%)
AntiVir    7.10.13.164    2010.11.07    HTML/Shellcode.Gen
Avast    4.8.1351.0    2010.11.07    PDF:CVE-2010-2883
Avast5    5.0.594.0    2010.11.07    PDF:CVE-2010-2883
AVG    9.0.0.851    2010.11.07    Exploit_c.KAH
BitDefender    7.2    2010.11.08    Exploit.PDF-TTF.Gen
DrWeb    5.0.2.03300    2010.11.08    Exploit.PDF.1608
eTrust-Vet    36.1.7958    2010.11.05    PDF/CVE-2010-2883.A!exploit
F-Secure    9.0.16160.0    2010.11.08    Exploit.PDF-TTF.Gen
Fortinet    4.2.249.0    2010.11.07    PDF/CoolType!exploit.CVE20102883
GData    21    2010.11.08    Exploit.PDF-TTF.Gen
Kaspersky    7.0.0.125    2010.11.08    Exploit.Win32.CVE-2010-2883.a
McAfee-GW-Edition    2010.1C    2010.11.07    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.6301    2010.11.08    Exploit:Win32/ShellCode.A
NOD32    5599    2010.11.07    PDF/Exploit.Gen
Norman    6.06.10    2010.11.07    PDF/Suspicious.D
nProtect    2010-11-08.01    2010.11.08    Exploit.PDF-Name.Gen
PCTools    7.0.3.5    2010.11.08    HeurEngine.MaliciousExploit
Sophos    4.59.0    2010.11.08    Troj/PDFEx-DW
Symantec    20101.2.0.161    2010.11.08    Bloodhound.Exploit.357
TrendMicro    9.120.0.1004    2010.11.08    TROJ_PIDIEF.SMZA
TrendMicro-HouseCall    9.120.0.1004    2010.11.08    TROJ_PIDIEF.SMZA
MD5   : 29db2fba7975a16dbc4f3c9606432ab2
SHA1  : 5d65e6984e521936707b32219b39388efb4296fa

Analysis / CVE ID

Metasploit generated CVE-2010-2883

 Exploit PDF

Files Created

Decoy pdf
%Temp%\invitation.pdf 
File: invitation.pdf
Size: 242200
MD5:  4BC0F7B7A4804C40AF1EB131EAE51102

%Temp%\svchost.exe
http://www.virustotal.com/file-scan/report.html?id=b98740ac6814d0228d7af41adebe54a9086a65f9ddcbb79d008bc72e5146f50b-1289199948
File: svchost.exe
Size: 57344
MD5:  5336A443D420A80F6FB4A39672E82804
File name: svchost.exe
Submission date: 2010-11-08 07:05:48 (UTC)
Result: 11/ 42 (26.2%)
Antiy-AVL 2.0.3.7 2010.11.08 Trojan/Win32.OnLineGames.gen
Avast 4.8.1351.0 2010.11.07 Win32:Malware-gen
Avast5 5.0.594.0 2010.11.07 Win32:Malware-gen
ClamAV 0.96.2.0-git 2010.11.08 Trojan.Spy-77644
F-Prot 4.6.2.117 2010.11.07 W32/Dorando.B.gen!Eldorado
F-Secure 9.0.16160.0 2010.11.08 Trojan.Generic.4974556
GData 21 2010.11.08 Win32:Malware-gen
NOD32 5599 2010.11.07 Win32/Agent.RZF
nProtect 2010-11-08.02 2010.11.08 Trojan-PWS/W32.WebGame.57344.EP
TheHacker 6.7.0.1.080 2010.11.08 Trojan/Agent.rzf
VBA32 3.12.14.1 2010.11.05 TrojanPSW.OnLineGames.xevz
MD5   : 5336a443d420a80f6fb4a39672e82804

Network activity

phile.3322.org  117.65.58.237

Update Nov 10, 2010  -- IP address of the server is now 117.65.58.36

Hostname:    117.65.58.237
ISP:    CHINANET Anhui province network
Organization:    CHINANET Anhui province network
Type:    Broadband
Assignment:    Static IP
Country:    China 
State/Region:    Anhui
City:    Bengbu

Download pcap file for 117.65.58.237
Download pcap file for 117.65.58.36


No comments:

Post a Comment