Saturday, May 12, 2012

CVE-2011-3026 and CVE-2011-3045


I find myself focused on bugs and exploitation lately, monitoring any patches for bugs that cause memory corruption and can be exploited.

One such example is CVE-2011-3026, described on the libpng site as:

All versions of libpng from 1.0.6 through 1.5.8, 1.4.8, 1.2.46, and 1.0.56, respectively, fail to correctly validate a heap allocation in png_decompress_chunk(), which can lead to a buffer-overrun and the possibility of execution of hostile code on 32-bit systems. This serious vulnerability has been assigned ID CVE-2011-3026 and is fixed in version 1.5.9 (and versions 1.4.9, 1.2.47, and 1.0.57, respectively, on the older branches), released 18 February 2012. 

CVE-2011-3045

Integer signedness error in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026. 


Before the patch, memory was allocated with the size prefix_size + expanded_size + 1, so a huge prefix and expanded size cause an integer overflow, and png_malloc_warn (a wrapper around malloc) then allocates a much smaller buffer than the data needs. A few lines afterwards the allocated memory and the huge expanded size are passed to png_inflate. CVE-2011-3045 comes into play here: inside png_inflate the int copy is assigned from the unsigned expanded size, which is a signed/unsigned type conversion. copy becomes a negative value, so it passes the "if (avail < copy)" check without being clamped.

new_size = png_inflate(png_ptr,
                (png_bytep)(png_ptr->chunkdata + prefix_size),
                chunklength - prefix_size,
                (png_bytep)(text + prefix_size), expanded_size);



Patch for CVE-2011-3045 (screenshot of the diff; image not preserved)

png_memcpy (compiled down to rep movs) then uses copy as a very large size parameter :).
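To make the two arithmetic defects concrete, here is a small added C model of the pre-patch size computation in png_decompress_chunk() and of the signed copy length in png_inflate(), each beside its hardened form. This is illustration code written for this post, not libpng source: the function names are constructed, sizes are modelled with uint32_t so the 32-bit wrap reproduces on any host, and the sample values (prefix 20, expanded size 0xFFFFFFF0, avail 1024) are made up for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Added model (not libpng source). Sizes are uint32_t to reproduce the
 * 32-bit size_t that CVE-2011-3026 depends on, regardless of host word size. */
typedef uint32_t sz32;

/* Pre-1.5.9 shape of the allocation request in png_decompress_chunk():
 * prefix_size + expanded_size + 1 with no overflow check.  The sum wraps
 * modulo 2^32, so a hostile chunk gets a buffer far smaller than the
 * expanded_size that png_inflate() is then told it may fill. */
sz32 alloc_size_unchecked(sz32 prefix_size, sz32 expanded_size)
{
    return prefix_size + expanded_size + 1;       /* may wrap */
}

/* Hardened form: reject the chunk when the sum cannot be represented.
 * Returns 1 and stores the size in *out (if non-NULL), or 0 to reject. */
int alloc_size_checked(sz32 prefix_size, sz32 expanded_size, sz32 *out)
{
    if (prefix_size >= UINT32_MAX - 1 ||
        expanded_size >= UINT32_MAX - 1 - prefix_size)
        return 0;                                  /* would wrap: reject */
    if (out)
        *out = prefix_size + expanded_size + 1;
    return 1;
}

/* CVE-2011-3045 shape: the remaining output room (output_size - count) is
 * held in an int.  Values >= 2^31 turn negative (gcc/clang convert modulo
 * 2^32), "avail < copy" is false, and the negative int is converted back
 * to an unsigned size.  Returns the byte count png_memcpy would receive. */
sz32 copy_len_signed(sz32 output_size, sz32 count, int avail)
{
    int copy = (int)(output_size - count);        /* 0xFFFFFFF0 -> -16 */
    if (avail < copy)                             /* 1024 < -16 is false */
        copy = avail;
    return (sz32)copy;                            /* -16 -> 0xFFFFFFF0 */
}

/* Corrected form: keep the length unsigned and cast avail for the compare,
 * so the copy is clamped to the bytes actually produced by inflate(). */
sz32 copy_len_unsigned(sz32 output_size, sz32 count, int avail)
{
    sz32 copy = output_size - count;
    if ((sz32)avail < copy)
        copy = (sz32)avail;
    return copy;
}

int main(void)
{
    /* Constructed hostile sizes: a small prefix and an expanded size near 2^32. */
    sz32 prefix = 20, expanded = 0xFFFFFFF0u, checked = 0;

    printf("unchecked request : %" PRIu32 " bytes (wrapped, smaller than prefix)\n",
           alloc_size_unchecked(prefix, expanded));
    printf("checked request   : %s\n",
           alloc_size_checked(prefix, expanded, &checked) ? "accepted" : "rejected");
    printf("signed copy len   : 0x%08" PRIX32 "\n", copy_len_signed(expanded, 0, 1024));
    printf("unsigned copy len : %" PRIu32 "\n", copy_len_unsigned(expanded, 0, 1024));
    return 0;
}
```

With the constructed values the unchecked request wraps to 5 bytes while the checked form rejects the chunk outright, and the signed copy length comes out as 0xFFFFFFF0 where the unsigned form clamps it to the 1024 bytes inflate actually produced; the fix is exactly the combination of an overflow check before the allocation and an unsigned compare in the copy loop.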






Monday, December 12, 2011

Analyzing updated OSX/Miner-D

A few weeks ago I analyzed the original sample, and since then Miner-D is becoming somewhat of a regular on OS X; over the past few weeks it has also been receiving updates. They are still spreading through torrents bundled with legit OS X applications; for instance, the torrent I found was packaged with EvoCam. Miner-D still uses the victim's computer for mining bitcoins, and I wonder how they profit since their botnet is small. This also gave me a chance to use the Hopper Disassembler from the App Store. For $20 it works well and more, featuring a control flow graph and pseudo-code translation.

This sample uses the same technique as the previous one, using a setup script. It checks for Little Snitch, and whether Miner-D has already infected the user. After the checks, the script unzips an archive and runs the program. The time function is called and its result used as a seed to srand; this value is later stored in a file named d_status.cfg.



Pseudo code from Hopper (screenshot not preserved):

The program will sleep unless the time stored in d_status.cfg minus the current time is greater than 0xEA5F (59999 seconds). You can patch this spot to get around it. Next the program decrypts the FTP credentials, then calls curl_easy_perform for a file transfer. To simply get the FTP credentials, use gdb to break at *0x00001d11 or use a sniffer.




Code used for decrypting (screenshot not preserved)


Finally, curl_easy_perform is used to retrieve the file bin.bop from an FTP server. I was unable to get the bin.bop file for now :( . I will update the blog and the files if I do find them.



Link to bin: http://www.mediafire.com/?024a032fdbhgxtd

Wednesday, November 23, 2011

Yahoo Mail Phishing

Just as a lot of people do, I also use Yahoo Mail :P. I was surprised to see this poor phishing attempt that unfortunately some people give in to.


Another one


If your browser is awesome you should get something like this




The link takes you to google docs, Google quickly took care of this :)