Sunday, July 26, 2009

something about CVE-2009-1862 PoC analysis

Well, starting from the hereEvil.pdf filename, it has been decided to start (yet another) analysis of this critical vulnerability.

From the proof of concept found (http://www.milw0rm.com/exploits/9233):


begin 644 hereEvil.pdf
M)5!$1BTQ+C0*)"!;(#`N,3$Q,S,@+3`N,S(R-S4@,"XR,C$V.2`M
...
and so on... Decoding the TAR file above gives the following result:

%PDF-1.4
%Çì�¢
1 0 obj
<< /Type /Catalog /Outlines 3 0 R /Pages 4 0 R /Dests 5 0 R /AcroForm 6 0 R /Names 7 0 R /Threads 8 0 R /PageLayout /SinglePage /ViewerPreferences << /PageDirection /L2R >>
>>
endobj
2 0 obj
<< /Creator (Scribus 1.3.3.13) /Producer (Scribus PDF Library 1.3.3.13) /Title <>
/Author <>
/Keywords <>
/CreationDate (D:20090711081156)
/ModDate (D:20090711081156)
/Trapped /False


and so on... The result is a well-known PDF format file.

Within this "evil" PDF file, some object encoding (filter) definitions are declared as follows:

9 0 obj
<<
/Type /XObject
/Subtype /Form
/FormType 1
/BBox [ 0.11133 -0.32275 0.22169 -1.01367 ]
/Resources << /ProcSet [/PDF /Text /ImageB /ImageC /ImageI]
>>
/Length 263
/Filter /#46#6c#61#74#65#44#65#63#6f#64#65 >>
stream


and another one:

29 0 obj
<< /Type /XObject /Subtype /Image /Width 272 /Height 345 /ColorSpace /DeviceRGB /BitsPerComponent 8 /Length 5280 /Filter /#46#6c#61#74#65#44#65#63#6f#64#65 >>
stream
...


Within the evil PDF file there are many more objects defined in this manner.


The string:

/#46#6c#61#74#65#44#65#63#6f#64#65

stands for:

/FlateDecode

(the PDF syntax lets any byte of a name object be written as a #xx hex escape, so the two spellings are the same name to the parser but not to a naive string signature looking for "/FlateDecode").

So from this point it is possible to proceed with the usual analysis techniques.
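As an added example (not part of the original post), the following Python resolves #xx escapes in PDF names and lists the real filter of each object, so an obfuscated /Filter like the one above is reported as /FlateDecode. The embedded PDF fragment is constructed from the two object dictionaries quoted above, with a second (hypothetical) escaped filter name added to show an array of filters.

```python
import re

# Constructed sample: the two object dictionaries from the post, with the
# /Filter name written as #xx hex escapes (object 29 gets a filter array).
SAMPLE_PDF = b"""%PDF-1.4
9 0 obj
<< /Type /XObject /Subtype /Form /FormType 1
/Length 263 /Filter /#46#6c#61#74#65#44#65#63#6f#64#65 >>
stream
endstream
endobj
29 0 obj
<< /Type /XObject /Subtype /Image /Width 272 /Height 345 /Length 5280
/Filter [ /#41#53#43#49#49#48#65#78#44#65#63#6f#64#65 /FlateDecode ] >>
stream
endstream
endobj
"""

# A name token: a slash followed by bytes up to the next delimiter/whitespace.
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]*)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_pdf_name(raw: bytes) -> str:
    """Resolve #xx escapes in a PDF name token given without its leading slash.

    '#46#6c#61#74#65#44#65#63#6f#64#65' -> 'FlateDecode'
    """
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def find_filters(pdf: bytes) -> dict:
    """Map object number -> decoded filter names, scanning each 'N G obj ... endobj'."""
    result = {}
    for m in re.finditer(rb"(\d+)\s+\d+\s+obj(.*?)endobj", pdf, re.S):
        objnum, body = int(m.group(1)), m.group(2)
        # /Filter is either a single name or an array of names.
        fm = re.search(rb"/Filter\s*(\[[^\]]*\]|/[^\s/\[\]<>(){}%]*)", body)
        if fm:
            result[objnum] = [decode_pdf_name(n) for n in NAME_RE.findall(fm.group(1))]
    return result


def obfuscated_names(pdf: bytes) -> list:
    """Every name that used #xx escapes, decoded: a cheap triage signal for evasion."""
    return sorted({decode_pdf_name(n) for n in NAME_RE.findall(pdf) if b"#" in n})
```

Names that use escapes for ordinary ASCII letters have no legitimate reason to, so `obfuscated_names` alone is a useful flag even before the streams are inflated.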


Monday, July 13, 2009

something more about "Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution"

A good keyword for searching for info about new "big vendor" vulnerabilities is "roadmap" :). Sometimes it is very useful, I think. Oops! Another "good bug hunter trick has just been full-disclosed".

http://blogs.msdn.com/excel/archive/2006/07/17/668544.aspx

Anyway... The CLSIDs for this threat are:

{0002E541-0000-0000-C000-000000000046}
{0002E559-0000-0000-C000-000000000046}

Check the following Registry entries:



and




Advisory: http://www.microsoft.com/technet/security/advisory/973472.mspx

KB article: http://support.microsoft.com/kb/973472

CVE: CVE-2009-1136

method affected: msDataSourceObject

PoC: http://en.securitylab.ru/poc/extra/382458.php

The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System

Finally, after a few days, I have received my copy of:
The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System



Source: http://www.jbpub.com/covers/newlarge/1598220616.jpg

I think that this is the best book for the Windows rootkit development and countermeasures.