Monday, January 24, 2011

Jan 24 CVE-2010-3970 DOC 'Secretary-General Liao' from dogviceroy@yahoo.com.tw (Update - Analysis by the Sematic)

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3970  Stack-based buffer overflow in the CreateSizedDIBSECTION function in shimgvw.dll in the Microsoft Graphics Rendering Engine in Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted .MIC or unsplecified Office document containing a thumbnail bitmap with a negative biClrUsed value, as reported by Moti and Xu Hao.

  General File Information

File  44.doc (part of ATT63777.7z archive)MD5  f51d3fb324d8f11b734ca63dbccbdc32SHA1 b3c4c84c98c6befaf6a480ae145cdcebb5929a82File size : 10240 bytesType:  DOC
Distribution: Email attachment

  Post Update - Vulnerability Analysis

Feb 23 Sematic blog posted an excellent analysis of the exploit

Ultimately it plans to fetch and execute the file located at:
hxxp://stonebreaker.154.99lm.info/NOTEPAD.EXE
This file would be stored under %SYSTEM32% as 'a.exe'.


Download

Thursday, January 20, 2011

Jan 20 CVE-2010-3333 DOC Materials.doc from 216.183.175.3 (Cleveland Council on World Affairs)

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability

Please read a technical analysis of this vulnerability on the Microsoft Threat Research & Response Blog Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)  29 Dec 2010 12:10 PM

  General File Information

File  Materials.doc
MD5  2EEA004842A335607B612FF10418F6C6
SHA1 
a81a35804c056186c533ddd31e22ee0c0d2aa4df
File size : 243663
Type:  DOC
Distribution: Email attachment
                           

 Post Update

February 7, 2010

 There was another mailing after the first one but from a different location. 

 From: Anne Principe [mailto:anne.principe@yahoo.com]
Sent: Friday, January 21, 2011 6:54 AM
To: XXXXXXXXXXXXX
Subject: This is the materials you need

This is The Materials I told you about. Please check it and reply as soon as possible.
  Best
Headers
Received: (qmail 736 invoked from network); 21 Jan 2011 11:54:30 -0000
Received: from web120514.mail.ne1.yahoo.com (HELO web120514.mail.ne1.yahoo.com) (98.138.85.241)
  by XXXXXXXXXXXXXXXXX; 21 Jan 2011 11:54:30 -0000
Received: (qmail 38488 invoked by uid 60001); 21 Jan 2011 11:54:29 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1295610869; bh=T6PYZhAJBvHdbMDRjYJCy748DpISxb703J9WYvNrE8M=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=KNLZKhWTr+Z+UMtiMC6dY7GmKt49wyNHC8Y1j8kv5f/KM8u7bs6ifqGFNhwckx18edFsi+ajzhsNM01R8UN+ox/r9Ss6ut/Mssll5hxwtBHXEmvIxrl8dFTUg/CmMgSjJNhW6KlOZfVkUU2nikWaMzxkqSgTJ9JCM828Qw1xZbM=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=eqwO+5NenEdsqmjuNowZ25VlFcli8zNaedc26kn00QeqFLcMxeSuTDB+vYhmeUYJfAYe+fZ13q8p1qKILMX0AMH7/MDwbeBOBaRL8xTf33LpWE4KwgeYq4uEKjZfptSRvA6RrpPHjDLWoE55D0uAMGV/hMk50g7s/eGes9VnAc0=;
Message-ID: <416336.37770.qm@web120514.mail.ne1.yahoo.com>
X-YMail-OSG: duFcYVsVM1lbQScN.uiS.a_.kSCtbZmEsYYlwKxqs50olw9
 S80HwIFK3gqCA7OM9LSU.JBWKbHZXNzNbBWlx1y8__meJqFUjCoB3qTY9ll4
 79Y_9XKC5KZXY6_OTA6RVB1j8NwW8Ozasz_xzbX5Ajh.yX7Y2NqePEUnApDc
 pWb0wpspWrIpPe9w9gzbAfrYmQRTXiyQtlxFjd_gk272zbKkWkcTAtxtFsiY
 UjAwiofHbox4vUrwVCekO.jf11bo-
Received: from [211.55.34.205] by web120514.mail.ne1.yahoo.com via HTTP; Fri, 21 Jan 2011 03:54:29 PST
X-Mailer: YahooMailRC/555 YahooMailWebService/0.8.107.285259
Date: Fri, 21 Jan 2011 03:54:29 -0800
From: Anne Principe
Subject: This is the materials you need
To: XXXXXXXXXXXXXXXXXXX
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1514884592-1295610869=:37770"

211.55.34.205
Hostname:    211.55.34.205
ISP:    KRNIC
Organization:    Korea Telecom
Country:    Korea
State/Region:    Soul-t'ukpyolsi
City:    Seoul

Download

Wednesday, January 19, 2011

Jan 12 CVE-2010-3654 + CVE-2009-4324 + CVE-2009-0927 + CVE-2008-0655 PDF JANUARY 2011 from a compromised Thai Police account

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3654 Adobe Flash Player 10.1.85.3 and earlier on Windows, Mac OS X, Linux, and Solaris and 10.1.95.2 and earlier on Android, and authplay.dll (aka AuthPlayLib.bundle or libauthplay.so.0.0.0) in Adobe Reader and Acrobat 9.x through 9.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted SWF content, as exploited in the wild in October 2010.

 

CVE-2009-4324 Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.  

 

CVE-2009-0927 Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.  

 

CVE-2008-0655 Buffer overflow via specially crafted arguments to Collab.collectEmailInfo

  General File Information

File  JAN 2011.pdf
MD5  F928C39F0BFEBAAF3A5FB149557DDF66
SHA1
  87c17dc9282792906ef41670011c2473c87c9b9b   
File size :  384271
Type:  PDF
Distribution: Email attachment
 

read more...

Sunday, January 9, 2011

Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability

Please read a technical analysis of this vulnerability on the Microsoft Threat Research & Response Blog Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)  29 Dec 2010 12:10 PM

This particular exploit was tested on and successfully exploits Office 2003 and 2007 without the patch.

  General File Information

File  Three Big Risks to China's Economy In 2011.doc
MD5  5A0AAC44DDAAD1E512A0D505C217BAFF
SHA1
ab6f90bf582bf01985989c1e9a99932243402479
File size :51643
Type:  DOC
Distribution: Email attachment
                           


Download

The message came from the American Chamber of Commerce in China. The interesting thing about this message is that the sender is not spoofed and the headers are real, which means that the message indeed came from the mailbox of the sender @amchamchina.org, who also happens to be a real person working at amchamchina.org - can be easily found in Google searches. The sender name and address do not match the message signature.  I have removed part of the sender's name for privacy reasons.

In this case, there are three possible scenarios:

a) someone broke into that employee mailbox and sent the malicious message (in this case, I hope the IT staff at the American Chamber of Commerce in China see this post and fix the problem)
b) the sender sent a malicious attachment not realizing it is malicious (less likely, as the attached Word document does not display readable text),
c) the sender sent the malicious message on purpose (..)
We may never know how that happened but hope it is a case of a mailbox password compromise.
 The files created by the malicious attachment generate traffic to a server in China.

Upon opening, the file will dispay garbage text if the attack fails (fully patched MS Office) and will just close without displaying any document if the exploit is successful.

The trojan that gets installed is designed for stealing information from the infected computer - files and passwords - see the detailed analysis below.