1-day exploits, binary diffing & patch management: the side threats

Pierluigi Paganini April 04, 2012

Recently the security firm ESET reported that the latest version of the Blackhole exploit kit has been updated to include a new exploit for the Java vulnerability CVE-2012-0507. The exploit was discovered for the first time on March 7, 2012, its first detections were dated March 12, 2012, and today a public multi-platform Metasploit Framework module for the exploitation of CVE-2012-0507 has been released.

I have opened the article with this information to introduce a really interesting topic: the 1-day exploit, an exploit developed by examining patched versions of software to identify which vulnerabilities the patch actually fixed. The concept is quite simple: by analyzing the patch management status of a system it is possible to know which vulnerabilities have not yet been patched, and by exploiting those vulnerabilities it is possible to attack an unpatched system.

Of course, compared to a 0-day vulnerability the chance of success is lower, because the target may already be correctly patched, but these attacks are really insidious and much cheaper than 0-days. Consider also that for these vulnerabilities it is quite simple to find information and tools on the Internet to mount an attack.

In the most complex case we can imagine a researcher who, through reverse engineering of a released patch, develops his own kit to attack unpatched targets.

The majority of these exploits today are related to Java vulnerabilities, also because of Java's wide diffusion on multi-platform systems. Java exploits are in fact an effective way to install malicious programs on a target machine: consider the recent spam campaigns that have infected a huge number of machines, or the incredible number of infected web sites that enable this kind of attack. The mechanism is simple: a legitimate web site is compromised by inserting iFrames that redirect victims to the latest version of Blackhole. The malicious domain name and infected web page are identical to the legitimate ones. Once the victim lands on the infected web site, the damage is done!

According to ESET, the same infection method and the same redirection methods have been used several times; a famous case is that of the popular news resource izvestia.ru, where modified versions of the Win32/TrojanDownloader.Carberp family were loaded onto the victims' machines.

Java vulnerabilities, and 1-day exploits in general, are increasingly used by cyber criminals and state-sponsored hackers.

“This is the most effective way for exploiting end-user systems and is sometimes effective across a variety of platforms,” writes ESET. Consider that the development of a 0-day is really expensive and time-consuming, due to the intense research that must be conducted to discover and exploit the vulnerability; for these reasons this kind of exploit is typically used by governments.


Cybercrime has a mass-market approach that does not necessarily need such a sophisticated attack methodology; that is why the 1-day exploit approach is taking hold. To give an idea of a typical patching process I have designed the following chart; its duration is highly variable, depending on the structure of the organization that implements the procedures and on the duration of each stage.

It is clear that few organizations are able to patch their systems in a short time. Consider a large organization with a complex architecture: for it the impact of a patch must be analyzed in detail to avoid problems for the IT infrastructure, so in this case it is necessary to extend the duration of the test phase.

The deployment phase can also have a variable length; for example, in a company spread over multiple locations with a high number of strongly heterogeneous systems to patch, the deployment activities will be more expensive. It is easy to understand that the time between the disclosure of a patch and its application in a production environment is the interval in which systems are exposed to 1-day attacks.
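The exposure window described above is easy to measure once an inventory is available. The following script is an added example, not code from the article or from ESET: it takes a constructed advisory for a hypothetical product ("ExampleRuntime", a made-up name) and a small constructed host inventory, decides which hosts still run a version older than the fixed one, and computes for each host the number of days between the patch release and its deployment (or the current date, if the host is still unpatched). Versions, hosts and dates are all assumptions chosen for the example.

```python
from datetime import date

# Constructed sample data (not from the article): one patch advisory for a
# hypothetical product and the hosts of a small inventory.
ADVISORY = {
    "product": "ExampleRuntime",   # hypothetical product name
    "fixed_version": "1.7.3",      # first version that contains the fix
    "released": date(2012, 3, 7),  # date the vendor released the patch
}

INVENTORY = [
    {"host": "ws-01", "product": "ExampleRuntime", "version": "1.7.3", "patched_on": date(2012, 3, 12)},
    {"host": "ws-02", "product": "ExampleRuntime", "version": "1.7.2", "patched_on": None},
    {"host": "srv-01", "product": "ExampleRuntime", "version": "1.7.1", "patched_on": None},
    {"host": "db-01", "product": "OtherProduct", "version": "4.0", "patched_on": None},
]


def parse_version(v):
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def is_patched(host, advisory):
    """True when the advisory does not apply or the host runs at least the fixed version."""
    if host["product"] != advisory["product"]:
        return True
    return parse_version(host["version"]) >= parse_version(advisory["fixed_version"])


def exposure_days(advisory, host, today):
    """Days from patch release to deployment on this host, or to today if still unpatched."""
    if is_patched(host, advisory) and host["patched_on"] is not None:
        end = host["patched_on"]
    else:
        end = today
    return (end - advisory["released"]).days


def unpatched_hosts(inventory, advisory, today):
    """(host, exposure_days) for every host the advisory applies to and that is still unpatched."""
    return [
        (h["host"], exposure_days(advisory, h, today))
        for h in inventory
        if h["product"] == advisory["product"] and not is_patched(h, advisory)
    ]


if __name__ == "__main__":
    today = date(2012, 4, 4)  # constructed "current" date for the run
    for host, days in unpatched_hosts(INVENTORY, ADVISORY, today):
        print(f"{host}: exposed for {days} days since patch release")
```

The interesting number for a defender is the exposure in days per host rather than the count of unpatched hosts: it is exactly the interval in which a 1-day exploit for that advisory would work against the host.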

ESET has demonstrated how quickly the Blackhole gang can react to the 1-day opportunity.

“There’s intense interest in vulnerability research, with legitimate research seized upon by malware authors for malicious purposes,”

David Harley, a senior research fellow and co-author of this research, told Infosecurity:

“The increase in volumes of 1-day exploits suggests that even if 0-days research prices itself out of the mass market for exploits, inadequate update/patch take-up among users is leaving plenty of room for exploits of already-patched vulnerabilities (as with the current spate of Tibet attacks).”

Just a few minutes after the release of a patch, using binary diffing techniques, researchers and criminals are able to identify the vulnerabilities that have been fixed. The term diff derives from the name of the command-line utility used to compare files; in the same manner, the binaries of a system before and after the patch is applied are compared.

This binary diffing technique is particularly efficient against Microsoft's binaries, because the company releases patches regularly and inside a patch it is quite simple to identify the code that fixes the vulnerability, which is usually concentrated in a small portion of the binary.
Today attackers have access to a huge quantity of tools to identify just-patched vulnerabilities they did not previously know about; they only need to launch their attacks during the time frame in which users or companies are applying the patches.

During the patch application time frame, end users are more vulnerable and are targeted with 1-day attacks. The most famous frameworks for binary diffing are DarunGrim2 and PatchDiff2.
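To make concrete why a patch is so easy to locate inside a binary, here is an added example, not code from the article, from DarunGrim2 or from PatchDiff2: it applies the basic idea those tools build on, comparing the two builds function by function rather than byte by byte. The two "binaries" are constructed dictionaries mapping function names to byte strings, the shape a disassembler would export after recovering function boundaries; the bytes are made up (loosely modelled on x86-64 prologues) and are not meant to assemble to anything meaningful. The function names and the filler functions are assumptions for the example. The script hashes each function, classifies it as unchanged, modified, added or removed, and reports what share of the patched image the change touches, which is the same view a defender uses to verify that a patch touches only what its advisory claims.

```python
import hashlib

# Constructed sample (not from the article): two builds of a hypothetical
# library, already split into functions as a disassembler would export them.
# Ten filler functions stand in for the bulk of the image that a patch never touches.
FILLER = {f"fn_{i}": bytes([0x90] * 40 + [i]) for i in range(10)}

BEFORE = {
    **FILLER,
    "init":      b"\x55\x48\x89\xe5\x48\x83\xec\x10\xc9\xc3",
    "parse_hdr": b"\x55\x48\x89\xe5\x48\x8b\x47\x08\x48\x8b\x00\xc9\xc3",
    "copy_buf":  b"\x55\x48\x89\xe5\x48\x89\xf7\xf3\xa4\xc9\xc3",
}

AFTER = {
    **FILLER,
    "init":      b"\x55\x48\x89\xe5\x48\x83\xec\x10\xc9\xc3",
    "parse_hdr": b"\x55\x48\x89\xe5\x48\x8b\x47\x08\x48\x8b\x00\xc9\xc3",
    # copy_buf gained a few bytes (a constructed stand-in for an added bounds check)
    "copy_buf":  b"\x55\x48\x89\xe5\x48\x39\xd6\x77\x02\x48\x89\xf7\xf3\xa4\xc9\xc3",
    # check_len is a new helper that did not exist in the old build
    "check_len": b"\x55\x48\x89\xe5\x48\x39\xf7\x0f\x96\xc0\xc9\xc3",
}


def fingerprint(code):
    """Hash of a function body; two functions with equal hashes are treated as unchanged."""
    return hashlib.sha256(code).hexdigest()


def diff_functions(before, after):
    """Classify every function of the two builds as unchanged, modified, added or removed."""
    result = {"unchanged": [], "modified": [], "added": [], "removed": []}
    for name in sorted(set(before) | set(after)):
        if name not in before:
            result["added"].append(name)
        elif name not in after:
            result["removed"].append(name)
        elif fingerprint(before[name]) == fingerprint(after[name]):
            result["unchanged"].append(name)
        else:
            result["modified"].append(name)
    return result


def changed_fraction(before, after):
    """Share of the patched image's bytes that sit in modified or added functions."""
    d = diff_functions(before, after)
    total = sum(len(code) for code in after.values())
    changed = sum(len(after[name]) for name in d["modified"] + d["added"])
    return changed / total


if __name__ == "__main__":
    d = diff_functions(BEFORE, AFTER)
    print("modified:", d["modified"])
    print("added:   ", d["added"])
    print("removed: ", d["removed"])
    print(f"{len(d['unchanged'])} functions unchanged; "
          f"{changed_fraction(BEFORE, AFTER):.1%} of the patched image touched")
```

The output narrows a review of the whole image down to two functions out of fourteen, which is the article's point: the fix is concentrated in a small portion of the binary, so whoever compares the builds first, the vendor's customers or the exploit-kit authors, knows exactly where to look.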

In reality the process of reverse engineering a patch is more complicated, because each vendor uses different compilers and optimization methods. Remember the mystery surrounding the source code of the Duqu malware: it was even difficult to understand the programming language used, because the developers had compiled it with special options.

1-day exploits are real threats that appear on every patch day. Sometimes people diff different versions of a product and find in the binaries vulnerabilities that were fixed silently. So as the attacking technology improves, the protection techniques need to evolve accordingly: we already have several anti-diffing tools, like “Hondon”, but it is also necessary that the major vendors adopt stronger solutions for the patching of their products.

In the meantime the only guaranteed defense against 1-day attacks is to patch our systems before the criminals exploit them.

Pierluigi Paganini


