
Thread: Again.. Second 0-day exploit out...

  1. #1
    The ******* Shadow dalek

    0-day MS Explorer / Outlook Exploit in the Wild (VML Buffer Overflow) - CRITICAL

    Sunbelt Software is reporting a previously unknown, and unpatched, MS Explorer / Outlook exploit in the wild. It is currently being used to push spyware and to create botnet zombies. This is the 2nd 0day IE exploit so far this month. Rated Extremely Critical - Several updates below. Confirmation that this can spread via email.

    The exploit is being used to launch drive-by malware downloads that are hijacking Windows machines for use in botnets. These botnet computers (what used to be your computer) are normally used to distribute spam and as launching points for illegal activities. But the exploit can be used to install arbitrary executable code so anything is possible.

    This exploit has been confirmed on a fully patched Windows XP computer with SP2 and IE 6.0. It most likely runs on some previous OS versions / patch versions as well. The vulnerability is a buffer overflow in the way Internet Explorer handles VML (Vector Markup Language) code. VML is basically an XML file presented to your browser that contains a vector drawing.

    Update:

    * This vulnerability is being actively exploited on malicious websites. Here is what Microsoft is saying: "compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability". Meaning? Avoid websites that allow just anyone to post HTML content. (this site allows text only)
    * Apparently Outlook and/or Outlook Express is vulnerable as well. From Microsoft: "In an e-mail based attack of this exploit, customers who read e-mail in plain text are at less risk from this vulnerability." See advisory below. If this is the case this may go big time very quick. Check back here frequently for updates or switch to plain text email only. (update: Outlook and Outlook Express are vulnerable, see link below)


    There are no fixes available at this time and a "killbit" won't be an option (since the vulnerability is not based off of ActiveX like this month's previous exploit). The exploit can be mitigated by turning off JavaScript (though this does not fully mitigate all avenues of attack). It does not affect Firefox, Opera, or other non-Internet Explorer based browsers so these are effective tools for mitigating this IE vulnerability. (Update: Microsoft has issued some workarounds but hinting at the severity of the problem some of the workarounds are not for the faint of heart.)
    http://www.nist.org/news.php?extend.171
    http://www.frsirt.com/english/advisories/2006/3679
    http://xforce.iss.net/xforce/alerts/id/237
    http://blog.washingtonpost.com/secur...t_explore.html
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson
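    The first post quotes Microsoft's point that sites hosting user-supplied HTML, and HTML e-mail, are the delivery vectors, and that plain-text mail lowers the risk. The script below is an added example from the editor, not something any poster in this thread wrote or linked. It shows the kind of coarse content gate a mail gateway or a user-content filter could apply while the bug is unpatched: it flags any HTML that declares or uses VML at all, so it does not need to know anything about the malformed input itself. The three markers it looks for (the urn:schemas-microsoft-com:vml namespace, prefixed VML element names, and the #default#VML CSS behavior binding) are ordinary VML syntax; the sample documents are constructed for the example, including an Office-style message that must not trip the gate.

```powershell
# Added example (editor's, not from the thread): a coarse gate for HTML that a
# mail gateway or a site accepting user-supplied HTML could apply while the VML
# bug is unpatched. It flags any VML at all instead of trying to recognise the
# malformed input, so it is blunt but does not depend on knowing the bug.
# The three markers below are standard VML syntax; the sample documents are
# constructed for this example.

function Get-VmlMarkers {
    param([Parameter(Mandatory)][string]$Html)

    # Each marker is something a page needs for IE to hand markup to vgx.dll.
    $markers = [ordered]@{
        Namespace = 'urn:schemas-microsoft-com:vml'                      # xmlns:v="..." declaration
        Element   = '<\s*[\w.-]+:(shape|shapetype|rect|roundrect|oval|line|polyline|curve|arc|image|group|fill|stroke|shadow|textbox|path)\b'
        Behavior  = 'behavior\s*:\s*url\(\s*#default#VML\s*\)'          # CSS binding that activates the prefix
    }
    # -match is case-insensitive in PowerShell, which is what we want here.
    $hits = foreach ($name in $markers.Keys) {
        if ($Html -match $markers[$name]) { $name }
    }
    return @($hits)
}

function Test-HtmlContainsVml {
    param([Parameter(Mandatory)][string]$Html)
    return (@(Get-VmlMarkers -Html $Html).Count -gt 0)
}

# Constructed samples: a plain message, a page that declares and uses VML, and an
# Outlook-style message using the Office "o:" prefix, which must not trip the gate.
$samples = [ordered]@{
    'plain-page'   = '<html><body><p>Quarterly report attached.</p></body></html>'
    'vml-declared' = '<html xmlns:v="urn:schemas-microsoft-com:vml"><head><style>v\:* { behavior:url(#default#VML); }</style></head><body><v:rect style="width:100px;height:50px"/></body></html>'
    'office-mail'  = '<html xmlns:o="urn:schemas-microsoft-com:office:office"><body><o:p>Sent from Outlook</o:p></body></html>'
}

foreach ($name in $samples.Keys) {
    $hits = Get-VmlMarkers -Html $samples[$name]
    '{0,-13} VML={1,-5} markers={2}' -f $name, ($hits.Count -gt 0), ($hits -join ',')
}
```

    Only the second sample is flagged (all three markers), the Office message is passed through, and the returned marker names give a filter something to log. A gate this blunt also blocks legitimate VML drawings, which is the trade-off the posts are describing when they recommend plain-text mail for the duration.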

  2. #2

    Again.. Second 0-day exploit out...

    Greetings



    I had earlier posted about an exploit for new and UNPATCHED vulnerability affecting IE.
    Here is an ACTIVE exploit that is doing rounds... It is not yet detected by any anti-virus except *cough* Microsoft *cough* *cough* *cough*

    Anyway you can get more information here... I'm not making this an extensive write-up because I know most of you use other browsers than IE and for those who don't please do.. OR reconfigure your IE.


    Simple solution :

    Unregister the vgx.dll:
    regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
    To reverse this: run the command without the -u. Ever since the WMF issue around new year we know unregistering DLLs isn't for the faint of heart. Even if Microsoft recommends it.





    Oh ya this is a good line :

    Please note that Microsoft claims to be going to release a fix October 10th (in cycle) or earlier depending on customer need.

    Links :


    http://vil.nai.com/vil/content/v_140629.htm
    http://www.symantec.com/enterprise/s...801-99&tabid=2
    http://www.trendmicro.com/vinfo/viru...OD%2EA&VSect=T
    http://www.microsoft.com/technet/sec...ry/925568.mspx
    http://www.kb.cert.org/vuls/id/416092
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13
    For those who want to see a POC DoS for the Internet Explorer VML 0 day, see the link below. Notice how it is done and then think about what else can be done with some moderately simple modifications to this. I think it's time for text based internet browsers again.

    http://www.securiteam.com/exploits/5RP0P00JPO.html

    Enjoy.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Greetings

    I still don't get it !! Why the hell would Microsoft release a patch for such an issue only on Tuesday, October 10th with its usual patch release cycle... For those who are going to answer back to me saying they need testing time and all the other crap.. Microsoft has anyway "screwed" 2 out of its last 5 patches and hence had to release "patches" for "patches".. That doesn't mean they should be entitled to more testing time..

    The fact that they take almost 20 days to release a patch for a vulnerability that is already being exploited is something that I find sluggish.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  5. #5
    Senior Member
    Originally posted here by ByTeWrangler
    Greetings

    I still don't get it !! Why the hell would Microsoft release a patch for such an issue only on Tuesday, October 10th with its usual patch release cycle... For those who are going to answer back to me saying they need testing time and all the other crap.. Microsoft has anyway "screwed" 2 out of its last 5 patches and hence had to release "patches" for "patches".. That doesn't mean they should be entitled to more testing time..

    The fact that they take almost 20 days to release a patch for a vulnerability that is already being exploited is something that I find sluggish.
    It is called having a procedure. They have certain guidelines that have to be met in order for a security patch to be released outside of the 2nd Tuesday of the month schedule. Obviously this exploit is not considered severe enough yet to meet those guidelines.

  6. #6
    Senior Member genXer

    InfoCon Went YELLOW

    FYI:

    http://isc.sans.org/diary.php?storyid=1727

    Yellow
    The VML exploit is now becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.

    If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used in more and more mainstream websites. The risk of getting hit is increasing significantly.

    Outlook (including outlook 2003) is - as expected - also vulnerable and the email vector is being reported as exploited in the wild as well.

    Weekends are moreover popular moments in time for the bad guys to build their botnets.

    Actions
    We suggest the following actions (do them all: a layered approach will work when one of the measures fails):

    Update your antivirus software, make sure your vendor has protection for it.
    Unregister the vulnerable dll:
    regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
    or
    regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    Consider asking your users to stop their usage of MSIE, we know it's hard to break an addiction, but you're using the most targeted browser in the world.
    Reregistering a DLL is done with the same command as unregistration, but without the "-u".

    References
    US-CERT Vulnerability Note
    auscert Vulnerability Note (phishing like technique)

    Microsoft Security Advisory 925568
    Blocking VML using a GPO (use the magic incantations at own risk)
    Snort VRT
    Websense
    McAfee
    Symantec
    Trendmicro
    Panda
    F-secure
    xforce.iss
    Sept. 21st diary
    Sept. 19th diary
    Happy Friday!
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.

  7. #7

    ** Heads Up ** Ie Again..

    Greetings

    Okay this time I have to repeat the same thread because it's now really serious (WIDESPREAD).

    The VML exploit is now becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.

    If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used in more and more mainstream websites. The risk of getting hit is increasing significantly.

    Outlook (including outlook 2003) is - as expected - also vulnerable and the email vector is being reported as exploited in the wild as well.

    Weekends are moreover popular moments in time for the bad guys to build their botnets.



    Workaround :

    * Update your antivirus software, make sure your vendor has protection for it.
    * Unregister the vulnerable dll:

    regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
    or
    regsvr32 /u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    * Consider asking your users to stop their usage of MSIE, we know it's hard to break an addiction, but you're using the most targeted browser in the world.

    Reregistering a DLL is done with the same command as unregistration, but without the "-u".

    The last time ISC's Infocon went Yellow was when the WMF exploit came out.. So keep sharp.. Or better just use a different browser.

    Be safe..





    All the Links you need :

    http://www.kb.cert.org/vuls/id/416092
    http://www.auscert.org.au/render.html?it=6771
    http://www.snort.org/rules/advisorie...006-09-21.html
    http://www.websense.com/securitylabs...hp?AlertID=632
    http://vil.nai.com/vil/content/v_140629.htm
    http://www.symantec.com/enterprise/s...801-99&tabid=2
    http://www.trendmicro.com/vinfo/viru...OD%2EA&VSect=T
    http://www.pandasoftware.com/virus_i...idvirus=130801
    http://www.f-secure.com/weblog/archi....html#00000974


    http://www.antionline.com/showthread...hreadid=276612


    PS : The last link here is to a thread in AO. It's only required :

    if you feel your wife whines a lot
    or if you feel your grammar is bad
    or that all the NUTS in this world are dead (and to prove yourself otherwise)
    or that AO sucks now
    or that most of the fools with 11 green dots have no knowledge
    or you have missed JP's gold dot for a long time (JP seriously with all due respect, no hard feeling)
    or if you want some POSITIVE antipoints either in the thread or just make a partnership..
    or if you are finally tired of Windows and want to go and kill everyone at Microsoft but want a reason why you shouldn't
    or if the French have finally won a war
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.
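    Posts #2, #6 and #7 all give the same workaround: unregister vgx.dll with regsvr32 -u (or /u), and reverse it later by running the same command without the switch. The script below is an added example from the editor, not from any of the posters or from ISC, that wraps that procedure so an administrator can audit, apply and revert it without guessing at the current state. It assumes vgx.dll sits at the path the posts give, uses regsvr32's documented /s (silent) and /u switches, and infers "registered" from whether any CLSID under HKEY_CLASSES_ROOT still names vgx.dll as its in-process server; that last part is the editor's heuristic, not something the thread states.

```powershell
#Requires -RunAsAdministrator
# Added example (editor's, not from the thread or ISC): audit, apply or revert
# the vgx.dll unregistration workaround given in posts #2, #6 and #7.
# Usage:  .\Vgx-Workaround.ps1 -Action Audit | Apply | Revert   (script name is mine)
param(
    [ValidateSet('Audit', 'Apply', 'Revert')]
    [string]$Action = 'Audit'
)

# %ProgramFiles%\Common Files and %CommonProgramFiles% are the same directory on a
# default install, which is why the posts show the command in two spellings.
$VgxPath = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'

function Get-VgxRegistrationState {
    # Heuristic (editor's assumption): the DLL counts as registered while any CLSID
    # under HKCR still names vgx.dll as its InprocServer32. Enumerating HKCR\CLSID
    # takes a few seconds on a typical machine.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -Scope Script | Out-Null
    }
    $classIds = @(
        Get-ChildItem -Path 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
            $server = Get-ItemProperty -LiteralPath "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($server -and "$($server.'(default)')" -like '*vgx.dll*') { $_.PSChildName }
        }
    )
    [pscustomobject]@{
        Path       = $VgxPath
        OnDisk     = (Test-Path -LiteralPath $VgxPath)
        ClassIds   = $classIds
        Registered = ($classIds.Count -gt 0)
    }
}

function Invoke-VgxWorkaround {
    # Runs regsvr32 against vgx.dll: with /u to apply the workaround, without it to
    # revert, exactly as the posts describe. /s suppresses the dialog boxes so the
    # exit code can be checked instead.
    param([switch]$Revert)
    if (-not (Test-Path -LiteralPath $VgxPath)) {
        throw "vgx.dll not found at $VgxPath; nothing to register or unregister."
    }
    $argList = @('/s')
    if (-not $Revert) { $argList += '/u' }
    $argList += "`"$VgxPath`""
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $argList -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "regsvr32 $($argList -join ' ') exited with code $($proc.ExitCode)"
    }
}

switch ($Action) {
    'Apply'  { Invoke-VgxWorkaround }
    'Revert' { Invoke-VgxWorkaround -Revert }
}
# Always finish by showing the resulting state so the change can be confirmed.
Get-VgxRegistrationState | Format-List
```

    Run it once with -Action Audit before and after applying, and keep the output: when the vendor patch arrives, -Action Revert restores the registration the same way the posts describe, and the audit shows whether it actually took. Open IE or Outlook windows keep any already loaded copy of the DLL, so the workaround only takes full effect after they are restarted.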

  8. #8
    Senior Member
    Hey Hey,

    Alrighty.... enough niceties.... seriously people... I just merged three threads... all on the same topic... and... two of them were started by the same person... There's no need to open a new thread.. append the information to the same one.

    The original post was on the 20th... The advisory on this was sitting in my inbox on the 19th and it was released to the public prior to that.... I actually had the source code prior to Bytewrangler's initial post and only hours after dalek posted...

    Now... the most important fact in all of this seems to have been missed... ZERT (Zero-Day Emergency Response Team) has released a 3rd party patch for this from their website @ http://isotf.org/zert/

    ZERT is comprised of Joe Stewart (SecureWorks), Halvar Flake (Sabre Security), Ilfak Guilfanov (IDA Pro), and others....

    Another thing... while many push for a patch (such as ZERT) and I'm not saying I disagree.... Microsoft software runs production servers everywhere.... A patch has to be perfect.... The last IE patch did have several rereleases (mind you only in certain versions.. other versions were correct from the get go (QFE never had problems))... but accidents will happen... In order to ensure these patches are as reliable as possible they have to take the time to properly research, build, quality check, test and release.... I, as I'm sure many of the members of the site have... have seen the results of a rushed release... it can have unexpected results and that could mean more damage than these infected web pages..

    MS is doing the responsible thing..

    1) AV Solutions have signatures for most of these problems.
    2) Corporate Proxies can be set to filter these web pages
    3) Mitigation Techniques have been released.

    Think about this...

    100,000 infected home computers... vs Visa, Mastercard and American Express having key servers crash from a faulty patch.... Microsoft operates primarily in the business world.... they have to ensure that their solutions will work for these businesses....

    Perhaps a great alternative would be for Microsoft to make the QFE branches available ASAP and the GDRs available on MS Tuesday....

    For those of you that don't know... QFE = Quick Fix Engineering... it's not as rigorously tested... and may be buggy... Think of those customer hotfixes that you can call and ask Microsoft for.... GDR means General Distribution Release. These are the patches that you get on Patch Tuesday.... many patches however come with both the QFE and the GDR patches inside them... meaning if you had problems with the MS06-042 stuff, forcing the QFE branch to install on the original patch would have removed all your vulns... It's also interesting to install both versions on different machines and examine the differences...

    For those of you interested in more information... or to find out how to force a certain patch version to install... Check out http://support.microsoft.com/kb/824994

    Let's add a Lastly here.... remember all the hype around WMF... It wasn't nearly as bad as was expected... so ISC raising its meter to Yellow doesn't really mean a lot....

    Peace,
    HT

    [Edit]
    I just saw the page that TH13 actually linked... it's the HTML code required... Here's the original exploit that was released, the C that generates the html -- http://www.xsec.org/index.php?module...w&type=2&id=21
    [/Edit]
