Pierluigi Paganini October 17, 2012

Every day we read about cyber threats, zero day vulnerabilities and new patch to apply so I decided to speak about a couple of vulnerabilities I believe potential dangerous for internet users. There is no peace for browsers, this category of application is considered a privileged target for hackers due their large diffusion. Once again has been exploited a zero-day vulnerability that make possible the loading of malicious code on victim machines. The vulnerability affects the latest editions of the IE 7 and IE 8 browser and Adobe’s Flash software running fully patched Windows XP SP3 and it’s clear the wide audience impacted all over the world. According many security experts the responsible of the exploit are Chinese hackers that unleashed other 0-day vulnerabilitie attacks in last months. The security specialist Eric Romang analyzing the compromised servers used to conduct the recent attacks against vulnerable Java installations has found a new zero day exploit for Microsoft’s Internet Explorer web browser, the discovery confirms the presence of an organized group of hackers with deep knowledge on common use application. Romang declared:

“I can confirm, the zero-day season is really not over yet.”

Principal security analysts believe that the group of hackers is still active and is rearranging his offensive, AlienVault Labs researcher Jaime Blasco declared:

“the gang behind the Java attacks in August and September may be moving on: with domains used in that attack located at new IP addresses and serving up the new and more potent attacks.”

How does the exploit works? The AlienVault Labs web site proposed an interesting representation of the process of infection:

“the file exploit.html creates the initial vector to exploit the vulnerability and loads the flash file Moh2010.swf, which is a flash file encrypted using DoSWF. The Flash file is in charge of doing the heap spray. Then it loads Protect.html.”

The mechanism is simple, the victim can get compromised visiting a malicious website, the same mechanism has been used to spread the famous Poison Ivy Trojan as part of the Nitro campaign. This kind of vulnerability once discovery are simply to exploit, Metaspoit testing framework for example has been equipped with a specific module usable by the attacker to exploit the vulnerability on Internet Explorer versions 7, 8 and 9 on Windows XP, Vista and 7. According Rapid7 researcher in the time between the discovery of vulnerability and the release of patch about 41% of Internet users in North America and 32% world-wide was at risk, these figure give us a dimension of the efficiency of this type of offensive. Attacks against browsers are just one of the infinite opportunity for the attackers, I always highlight that it is easier to attack than defend themselves from a multitude of hackers that have the primary intent to exploit common use applications and platforms. Recently researchers from ‘ReVuln’, Donato Ferrante and Luigi Auriemma reporteda vulnerability in Steam Browser Protocol.

“Steam is a digital distribution, digital rights management, multiplayer and communications platform developed by Valve Corporation. It is used to distribute games and related media online, from small independent developers to larger software houses”

As of August 2012 the platform have 54 million active user accounts and it provide over 1500 games available through Steam protocol  that allow to run, install and uninstall games, backup files, connect to servers and reach various sections dedicated to customers. The flaw allows the attacker to “write arbitrary text to file and direct victims to external payloads and even the computer can take over”. The vulnerability  impacted browsers  based on the Mozilla engine such as Firefox, but also Safari. The experts demonstrated that browsers and also software clients such as RealPlayer would execute the external URL handler without providing information to the user, making silently Steam browser protocol calls exposing customers to risk of attacks. An attacker could write malicious code in a file and executes commands when users started up Steam or execute remote code using the Unreal engine.

“In one proof of concept involving the Steam browser, attackers used malicious YouTube links within Steam user profiles to bait users. Users who viewed the videos and wished to leave comments would be phished with malicious steam:// URLs that pointed to external sites.” explained by Darren Pauli.

The cases presented raise different questions, first of all the strategic importance of the discovery of vulnerability, a new market is born,  governments, cyber criminals and private business are demonstrating great interest in the flaws such as the ones presented.

We have discussed on many occasions the development of cyber weapons in cyber warfare context, it is clear that the efficacy of the malicious exploit depend of the unknown flaw exploited. State-sponsored attacks are the first to benefit of this knowledge and the malicious agents that remains undetected for years, such as Flame, are the demonstration.

The zero-day vulnerabilities assume a great relevance if referred to a common applications due their impact on millions of users, every thing that surrounds use has an intelligent component inside, from the medical devices to the appliances, that could be exploited …

so let’s think as hacker to prevent serious attacks!

Pierluigi Paganini

(Security Affairs – Cyber security)