Information Security

As an add-on to ISC Handler Lenny Zeltser's earlier diary on extracting certificates from signed Windows binaries, here's how to do the same on a Mac. Given that today's blog over at F-Secure documents a screenshot-taking Mac spyware that is signed with a developer ID, signed bad .apps might actually be more prevalent than expected.

To verify and extract signatures and certificates on an Apple .app, you can do (example Mail.app)

codesign -dvvvv --extract-certificates  /Applications/Mail.app

This will save the certificates in DER format, named codesign0, codesign1, etc. These can then be displayed as usual with OpenSSL

openssl x509 -inform DER -in codesign0 -text

 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

As an add-on to ISC Handler Lenny Zeltser's earlier diary on extracting certificates from signed Windows binaries, here's how to do the same on a Mac. Given that today's blog over at F-Secure documents a screenshot-taking Mac spyware that is signed with a developer ID, signed bad .apps might actually be more prevalent than expected.

To verify and extract signatures and certificates on an Apple .app, you can do (example Mail.app)

codesign -dvvvv --extract-certificates  /Applications/Mail.app

This will save the certificates in DER format, named codesign0, codesign1, etc. These can then be displayed as usual with OpenSSL

openssl x509 -inform DER -in codesign0 -text

 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

RETIRED: Microsoft May 2013 Advance Notification Multiple Vulnerabilities

Overview of the May 2013 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*) clients servers MS13-037 The usual monthly MSIE cumulative patch, adding fixes for 11 more vulnerabilities. All but one are use after free vulnerabilities. The odd one is about vbscript allowing read access to JSON data related to another domain.
Replaces MS13-028. MSIE

CVE-2013-0811
CVE-2013-1297
CVE-2013-1306
CVE-2013-1307
CVE-2013-1308
CVE-2013-1309
CVE-2013-1310
CVE-2013-1311
CVE-2013-1312
CVE-2013-1313
CVE-2013-2551 KB 2829530 No publicly known exploits Severity:Critical
Exploitability:1 Critical Important MS13-038 The anticipated IE8 fix.
Note that IE9 is listed as affected as well, but it's not given a rating "because the known attack vectors for the vulnerability discussed in this bulletin are blocked in a default configuration."
Note that this is not the cumulatieve IE patch, nor is the fix part of the cumulative patch this month. The bulletin states there is no need to uninstall the MSFT Fix-it released earlier for this vulnerability. MSIE

CVE-2013-1347 KB 2847204 Publicly discussed and exploit code available. Security advisory 2847140 Severity:Critical
Exploitability:1 PATCH NOW Important MS13-039 A vulnerability in the handling of HTTP headers in the HTTP stack allows a Denial of Service. HTTP.sys

CVE-2013-1305 KB 2829254 No publicly known exploits. Severity:Important
Exploitability:3 Important Important MS13-040 Incorrect validation of signed XML files allows for failing to detect changes in said files and an authentication bypass allowing unauthenticated access. The impact of these vulnerabilities high depends on what applications make use of these features.
Replaces MS10-041. .NET

CVE-2013-1336
CVE-2013-1337 KB 2836440 Microsoft claims the vulnerability CVE-2013-1337 was publicly disclosed. Severity:Important
Exploitability:? Important Important MS13-041 A memory corruption vulnerability allows random code execution in the context of the current user.
Note the lync user level install of Lync 2010 Attendee is only available from the Microsoft Download Center - not via automatic updates.
Replaces MS12-066. Lync

CVE-2013-1302 KB 2834695 No publicly known exploits. Severity:Important
Exploitability:2 Critical Important MS13-042 A multitude of vulnerabilities in Publisher allow random code execution.
Replaces MS11-091. Publisher

CVE-2013-1316
CVE-2013-1317
CVE-2013-1318
CVE-2013-1319
CVE-2013-1320
CVE-2013-1321
CVE-2013-1322
CVE-2013-1323
CVE-2013-1327
CVE-2013-1328
CVE-2013-1329 KB 2830397 No publicly known exploits Severity:Important
Exploitability:1 Critical Important MS13-043 Incorrect handling of shape data in word allows random code execution with the rights of the logged on user.
Note that when word is used to read incoming email messages, it can be affected merely via previewing incoming emailed RTF data! Word

CVE-2013-13335 KB 2830399 No publicly known exploits Severity:Important
Exploitability:2 Critical Important MS13-044 A problem in handling XML files that references external files in Visio allows information leak and read access with the rights of the logged-on user.
Replace MS11-060 and MS13-023. Visio

CVE-2013-1301 KB 2834692 No publicly known exploits. Severity:Important
Exploitability:3 Important Important MS13-045 Windows Writer - part of the Windows Essentials package - is a client to manage blogs. The vulnerability allows overriding proxy settings and overwriting files accessible to the logged-on user. Windows Essentials

CVE-2013-0096 KB 2813707 No publicly known exploits Severity:Important
Exploitability:3 Critical Important MS13-046 Multiple vulnerabilities in Kernel Mode Drivers allow privilege escalation.
Replaces MS13-036 and MS13-031. Kernel Mode Drivers

CVE-2013-1332
CVE-2013-1333
CVE-2013-1334 KB 2840221 No publicly known exploits Severity:Important
Exploitability:1 Imporant Important We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY (*): ISC rating

• We use 4 levels:
  • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
  • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
  • Important: Things where more testing and other measures can help.
  • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
• The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
• The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
• Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
• All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

--
Swa Frantzen -- Section 66

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Overview of the May 2013 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*) clients servers MS13-037 The usual monthly MSIE cumulative patch, adding fixes for 11 more vulnerabilities. All but one are use after free vulnerabilities. The odd one is about vbscript allowing read access to JSON data related to another domain.
Replaces MS13-028. MSIE

CVE-2013-0811
CVE-2013-1297
CVE-2013-1306
CVE-2013-1307
CVE-2013-1308
CVE-2013-1309
CVE-2013-1310
CVE-2013-1311
CVE-2013-1312
CVE-2013-1313
CVE-2013-2551 KB 2829530 No publicly known exploits Severity:Critical
Exploitability:1 Critical Important MS13-038 The anticipated IE8 fix.
Note that IE9 is listed as affected as well, but it's not given a rating "because the known attack vectors for the vulnerability discussed in this bulletin are blocked in a default configuration."
Note that this is not the cumulatieve IE patch, nor is the fix part of the cumulative patch this month. The bulletin states there is no need to uninstall the MSFT Fix-it released earlier for this vulnerability. MSIE

CVE-2013-1347 KB 2847204 Publicly discussed and exploit code available. Security advisory 2847140 Severity:Critical
Exploitability:1 PATCH NOW Important MS13-039 A vulnerability in the handling of HTTP headers in the HTTP stack allows a Denial of Service. HTTP.sys

CVE-2013-1305 KB 2829254 No publicly known exploits. Severity:Important
Exploitability:3 Important Important MS13-040 Incorrect validation of signed XML files allows for failing to detect changes in said files and an authentication bypass allowing unauthenticated access. The impact of these vulnerabilities high depends on what applications make use of these features.
Replaces MS10-041. .NET

CVE-2013-1336
CVE-2013-1337 KB 2836440 Microsoft claims the vulnerability CVE-2013-1337 was publicly disclosed. Severity:Important
Exploitability:? Important Important MS13-041 A memory corruption vulnerability allows random code execution in the context of the current user.
Note the lync user level install of Lync 2010 Attendee is only available from the Microsoft Download Center - not via automatic updates.
Replaces MS12-066. Lync

CVE-2013-1302 KB 2834695 No publicly known exploits. Severity:Important
Exploitability:2 Critical Important MS13-042 A multitude of vulnerabilities in Publisher allow random code execution.
Replaces MS11-091. Publisher

CVE-2013-1316
CVE-2013-1317
CVE-2013-1318
CVE-2013-1319
CVE-2013-1320
CVE-2013-1321
CVE-2013-1322
CVE-2013-1323
CVE-2013-1327
CVE-2013-1328
CVE-2013-1329 KB 2830397 No publicly known exploits Severity:Important
Exploitability:1 Critical Important MS13-043 Incorrect handling of shape data in word allows random code execution with the rights of the logged on user.
Note that when word is used to read incoming email messages, it can be affected merely via previewing incoming emailed RTF data! Word

CVE-2013-13335 KB 2830399 No publicly known exploits Severity:Important
Exploitability:2 Critical Important MS13-044 A problem in handling XML files that references external files in Visio allows information leak and read access with the rights of the logged-on user.
Replace MS11-060 and MS13-023. Visio

CVE-2013-1301 KB 2834692 No publicly known exploits. Severity:Important
Exploitability:3 Important Important MS13-045 Windows Writer - part of the Windows Essentials package - is a client to manage blogs. The vulnerability allows overriding proxy settings and overwriting files accessible to the logged-on user. Windows Essentials

CVE-2013-0096 KB 2813707 No publicly known exploits Severity:Important
Exploitability:3 Critical Important MS13-046 Multiple vulnerabilities in Kernel Mode Drivers allow privilege escalation.
Replaces MS13-036 and MS13-031. Kernel Mode Drivers

CVE-2013-1332
CVE-2013-1333
CVE-2013-1334 KB 2840221 No publicly known exploits Severity:Important
Exploitability:1 Imporant Important We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY (*): ISC rating

• We use 4 levels:
  • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
  • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
  • Important: Things where more testing and other measures can help.
  • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
• The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
• The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
• Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
• All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

--
Swa Frantzen -- Section 66

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Malware Protection Engine

Microsoft released security advisory 2846338 indicating that they have update their Malware Protection Engine (used in a varierty of their anti malware products) to fix a vulnerability in said engine where an attacker would be able to execute random code in the context of LocalSytem. Micorosft claims the vulnerability was publicly disclosed as a DoS.

CVE: CVE-2013-1346

ActiveX killbits rollup

Microsoft released security advisory 2820197 describing the addition of killbits for Honeywell Enterprise Buildings Integrator: {0d080d7d-28d2-4f86-bfa1-d582e5ce4867} and SymmetrE and ComfortPoint Open Manager: {29e9b436-dfac-42f9-b209-bd37bafe9317}

IE10 - flash

Microsoft updated security advisory 2755801 to announce the availability of update Adobe Flash libraries. This corresponds with APSB13-14.

CVE-2013-1347 MSHTML Shim Workaround update

Microsoft updated security advisory 2847140 to reflect the release of MS13-08

--
Swa Frantzen -- Section 66

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft .NET Framework CVE-2013-1337 Authentication Bypass Vulnerability

Microsoft .NET Framework XML Digital Signature CVE-2013-1336 Security Bypass Vulnerability

Microsoft Lync CVE-2013-1302 Remote Code Execution Vulnerability

Original release date: May 14, 2013
Systems Affected

• Microsoft Windows
• Internet Explorer
• Microsoft .NET Framework
• Microsoft Lync
• Microsoft Office
• Microsoft Windows Essentials

Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for May 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities.

Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.

Solution

Apply Updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for May 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

• Microsoft Security Bulletin Summary for May 2013
• Windows Server Update Services
• Turn automatic updating on or off

Revision History

• Initial Release 5/14/2013

This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla decided to join the mayhem on Black Tuesday this month and released Firefox and Thunderbird.

This updates to:

• Firefox 21.0
• Firefox ESR 17.0.6
• Thunderbird 17.0.6
• Thunderbird ESR 17.0.6

Release notes:

https://www.mozilla.org/security/known-vulnerabilities/firefox.html

Security content o fthe updates:

• MFSA 2013-48 Memory corruption found using Address Sanitizer
  CVE-2013-1676, CVE-2013-1677, CVE-2013-1678, CVE-2013-1679, CVE-2013-1680 and CVE-2013-1681
• MFSA 2013-47 Uninitialized functions in DOMSVGZoomEvent
  CVE-2013-1675
• MFSA 2013-46 Use-after-free with video and onresize event
  CVE-2013-1674
• MFSA 2013-45 Mozilla Updater fails to update some Windows Registry entries
  CVE-2013-1673 and CVE-2012-1942
• MFSA 2013-44 Local privilege escalation through Mozilla Maintenance Service
  CVE-2013-1672
• MFSA 2013-43 File input control has access to full path
  CVE-2013-1671
• MFSA 2013-42 Privileged access for content level constructor
  CVE-2013-1670
• MFSA 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)
  CVE-2013-0801 and CVE-2013-1669

 

--
Swa Frantzen -- Section 66

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft Internet Explorer CVE-2013-1312 Use-After-Free Remote Code Execution Vulnerability

Microsoft Internet Explorer CVE-2013-1313 Use-After-Free Remote Code Execution Vulnerability

Microsoft Internet Explorer CVE-2013-2551 Use-After-Free Remote Code Execution Vulnerability

Apache HTTP Server Terminal Escape Sequence in Logs Command Injection Vulnerability

Apache HTTP Server Multiple Cross Site Scripting Vulnerabilities

Microsoft Internet Explorer CVE-2013-1347 Use-After-Free Remote Code Execution Vulnerability

Microsoft Remote Desktop ActiveX Control CVE-2013-1296 Remote Code Execution Vulnerability

Apache Commons Compress and Apache Ant CVE-2012-2098 Denial Of Service Vulnerability

Sometimes attackers digitally sign their malicious software. Examining properties of the signature helps malware analysts understand the context of the incident. Moreover, analysts could use the signature as an indicator of compromise. Here are some tips and tools for determining whether a suspicious Windows executable has been signed and for extracting the embedded signature in a Linux environment. We'll look at Pyew, Disitool and get a bit of help from OpenSSL.

Microsoft's Windows Authenticode Portable Executable Signature Format document explains that the signatures can be embedded "in a Windows PE file, in a location specified by the Certificate Table entry in Optional Header Data Directories." The location of the signature is stored within the PE header's OptionalHeader structure's Security field.

One way to determine whether the file contains an embedded signature is to use Pyew, which is a command-line hex editor/disassembler for malware analysis. After loading the sample into Pyew, you can look at the size of the IMAGE_DIRECTORY_ENTRY_SECURITY field. A non-zero value indicates that the file probably includes an embedded signature.To do this, load the PE file into Pyew and enter the command "pyew.pe.OPTIONAL_HEADER.DATA_DIRECTORY". Then look at the size of IMAGE_DIRECTORY_ENTRY_SECURITY as shown below:

In the Pyew output above, we see that the size of IMAGE_DIRECTORY_ENTRY_SECURITY is non-zero. This indicates that kiwi.exe probably includes an embedded signature.

Disitool provides another way of determining whether a PE file includes a signature. This tool, created by Didier Stevens, can delete, copy, extract and add signatures. If you attempt to extract a signature from a non-signed file, Disitool will tell you "source file not signed."

In the example below, we see that the file has been signed. The author of this malicious file seems to have used a stolen certificate to sign the specimen. Disitool's "extract" command pulled out the signature, so we can examine it.

Disitool saves the extracted certificate in the binary DER format. You can look at the strings embedded in the DER file to examine its contents. Even better, you can use the following OpenSSL command to convert the DER file into a more informative text file:

openssl pkcs7 -inform DER -print_certs -text -in INPUT_FILE > OUT_FILE

Knowing how to spot signed files and extract signature details can be helpful for malware and forensic analysts. On Windows, you can gather some of these details by right-clicking on the PE file and looking at its properties, as well as with the help of Microsoft's Sign Tool and Sigcheck tools. On Linux, you can accomplish this with the help of Pyew, Disitool and OpenSSL, which are installed on REMnux for your convenience.

 

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.