Friday, March 18, 2011

FlashUtil10m_Plugin.exe command line crash

It is interesting to observe how, nowadays, some old-style bugs are still around. I think that this one is not a security bug, but a deeper investigation is left to whoever is interested. Anyway, it is sufficient to pass a single character as a command line parameter to FlashUtil10m_Plugin.exe (also called Flash Player Installer/Uninstaller) to generate a crash. If you are Admin, something like the following screenshot appears:



Opening it with a disassembler (in this case IDA), it is possible to see that the problem lies within the parser that handles the command line parameters:

The screenshot above reports the address of the function where the bug is triggered, while the following screenshot shows the line of code where an instruction at an address in kernel32.dll attempts to write to a non-readable address:


This bug affects Adobe Flash Player Installer/Uninstaller 10.2 r152, distributed with the latest version of Adobe Flash Player.

Tuesday, March 15, 2011

cve-2011-0609 - bugix blog analysis

April 4, 2011 - Update:
RSA has released a blog post describing that this issue was used in the recent data breach:
http://blogs.rsa.com/rivner/anatomy-of-an-attack/

March 15, 2011: 
A researcher has just published a very interesting analysis of this 0day:

bugix blog cve-2011-0609 analysis - by villys777
http://bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html

Adobe Security Advisory APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html

Sunday, March 6, 2011

mmspicture.ru - mobile malware depot

Following a well-known mailing list (clean-mx, aka viruswatch), the following URL was retrieved:

http://mmspicture.ru/mms112/mms112.jar (md5: 33EA90E2029478D47D33409B5F48E4EB)

The JAR file is already detected on VirusTotal. Playing a bit with the URL path, it is possible to retrieve another JAR file:

http://mmspicture.ru/mms113/mms113.jar

The MD5 (4CC0EBCE1428EE3649C67A13734F2EDE) of this JAR file is not yet known around. Anyway, what follows is just a quick analysis of the contents of this file. Opened with Java Decompiler, it looks like a canonical small JAR app for mobile devices (a MIDlet class):


The main class is named "b" and extends the Java Canvas class:


As shown above, it is possible to see some Cyrillic strings:


There is also a reference to a stream (embedded in the JAR) named "info.dat". The code above uses this file to decode the stream which, as we'll see, is the destination phone number for the data gathered from the mobile device. The "info.dat" file contains the following string: 75;4x=1?==8:<95

I wrote a small Java app that uses the same code to decode the stream:


The output revealed is the following:

The string obtained is the destination phone number used to receive SMS from the users' mobile devices. The content of the SMS body is still under investigation. Probably it sends the entire phonebook; the phone number could also be a payment number. The SMS is sent when the user accepts to view the picture in the postcard ("card.png") embedded in the JAR. There is also a file named "readme" which contains an ICQ id:
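The static triage steps walked through above (hash the JAR, find the MIDlet entry class, check whether the manifest asks for SMS permission, and pull out the small embedded resources such as "info.dat" and "readme") can be scripted. The following is an added example, not code from the post: it builds a constructed sample JAR mimicking the described layout (the real mms113.jar is not reproduced, and the ICQ id is a placeholder) and triages it; the decoding routine itself is not reproduced because the post shows it only as a screenshot.

```python
import hashlib
import io
import zipfile

# Constructed sample mimicking the post's layout (class "b", info.dat, readme, card.png)
SAMPLE_ENTRIES = {
    "META-INF/MANIFEST.MF": (b"Manifest-Version: 1.0\r\nMIDlet-Name: mms113\r\n"
                             b"MIDlet-1: mms, card.png, b\r\n"
                             b"MIDlet-Permissions: javax.wireless.messaging.sms.send\r\n"),
    "b.class": b"\xca\xfe\xba\xbe" + b"\x00" * 12,   # stand-in class file
    "info.dat": b"75;4x=1?==8:<95",                   # obfuscated string quoted in the post
    "readme": b"ICQ: 000000000",                      # placeholder id, not the real one
    "card.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,   # stand-in postcard image
}
SMS_PERMS = {"javax.wireless.messaging.sms.send",    # MIDP permission names that
             "javax.microedition.io.Connector.sms"}  # allow SMS sending (assumed list)

def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in SAMPLE_ENTRIES.items():
            zf.writestr(name, data)
    return buf.getvalue()

def parse_manifest(text: str) -> dict:
    # "Key: value" lines; continuation lines (leading space) are ignored here
    attrs = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs

def triage_jar(blob: bytes) -> dict:
    # Hash, list entries, find entry classes, flag SMS permission, dump small text resources
    report = {"md5": hashlib.md5(blob).hexdigest().upper(), "entries": {}, "text": {}}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        # MIDlet-<n>: <name>, <icon>, <class>  ->  the class is the entry point
        report["main_classes"] = [v.split(",")[-1].strip() for k, v in attrs.items()
                                  if k.startswith("MIDlet-") and k[7:].isdigit()]
        perms = {p.strip() for p in attrs.get("MIDlet-Permissions", "").split(",")}
        report["sms_permission"] = bool(perms & SMS_PERMS)
        for info in zf.infolist():
            data = zf.read(info.filename)
            report["entries"][info.filename] = info.file_size
            binary = info.filename.endswith(".class") or data[:4] == b"\x89PNG"
            if info.filename.startswith("META-INF/") or binary or len(data) > 256:
                continue
            if data and all(32 <= b < 127 for b in data):   # printable ASCII only
                report["text"][info.filename] = data.decode("ascii")
    return report
```

Run `triage_jar(open("sample.jar", "rb").read())` on a real file to get the same report; the dumped "info.dat" string is the input the decompiled decoding routine works on.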


According to the countrycode.org web site (http://countrycode.org/russia), the number "+7 497 878542104" is a Russian phone number. Another detail is that the domain mmspicture.ru is hosted on an IP (91.201.66.209) that also hosts another interesting domain: