
Subscribe to the RSS feed in case you are interested in updates

This paper explains the vulnerability for a broader audience and summarizes the information that is currently available. The document is subject to updates and is believed to be accurate at the time of writing.

  • Updated 18.11.2009 : Added SMTP over TLS attack scenario, added s_client testcase
  • Updated 30.11.2009 : Added FTPS analysis, new attacks against HTTPS (injecting responses and downgrading to HTTP)  
  • Updated 09.12.2009 : Proof of concept files for TRACE and 302 redirect using TLS renegotiation flaw

Download "TLS / SSLv3 renegotiation vulnerability explained"

posted by Thierry Zoller

Related post: Vulnerabilities like it's 1999 SSLv3 / TLS Man in the Middle vulnerability - update #8


  • Updated 17:50 GMT+1 / 05.2009 - added Mitigation / Impact 
  • Updated 16:40 GMT+1 / 06.2009 - added IETF draft 
  • Updated 14:35 GMT+1 / 07.2009 - added SSLTLS Test Tool 
  • Updated 16:34 GMT+1 / 07.2009 - added OpenSSL patch 
  • Updated 13:00 GMT+1 / 09.2009 - added GNUTLS patch 
  • Updated 19:40 GMT+1 / 09.2009 - added Mikestoolbox.net testing TLS renegotiation support 
  • Updated 21:29 GMT+1 / 09.2009 - added Apache patch, Mozilla Bug ID, Redhat Bug ID, Mozilla patch disabling tls renegotiation, Tomcat mitigation 
  • Updated 21:00 GMT+1 / 12.2009 - added a whitepaper trying to explain the vulnerability and its implications to a broader audience

After some in-house tests, we can confirm that the vulnerability presented at http://www.extendedsubset.com/ is indeed real and should pose a significant threat to most. The vulnerability was discovered by Marsh Ray, Steve Dispensa and Martin Rex.

We are currently looking into possible mitigations and will update this blog post regularly with more information regarding said vulnerability.


Impacts :
Currently known to exist
  • In general, an attacker positioned in the middle of a connection may inject arbitrary content into the beginning of an authenticated stream. It will be interesting to see what potential impact this vulnerability has within each of the applications / protocols supporting it (IMAPS, FTPSSL, POP3, etc.)
  • For web servers - Attackers (if in the middle) can inject data into a segment that is authenticated to the web server, the web server will merge those requests and process them. (GET requests are trivially exploitable, POST are not known to be)  
Posted by Thierry Zoller


    Here is a quick overview of one possible way to solve the Hack.lu 2009 crackme (reversing challenge) with the classical JZ/JNZ method (hence the 1998 reference).

    Disclaimer : If you are used to reversing software, you can skip this post, there is nothing new for you to glimpse here.  This is one way to solve this crackme, of course you could try to reverse engineer the serial generation algorithm. In reality, if you'd  use a serial system like this in a shareware type of application nobody would bother to do so. 

    Although there are no classical packer signatures to be detected (PEid, ExeInfoPE), looking at the results of entropy tests it is clear that the sample is compressed/crypted in some way or another.  Entropy being the measure for randomness/chaos.

    Examples : 

    • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx has an entropy of 96,04%

     Entropy measurement of crackme.exe

    There are several ways to measure whether a binary (or parts of it) is compressed/encrypted. I happen to use Gynvael's excellent tool ENT (not to be confused with a similar entropy measurement tool) as it offers several advantages, such as mapping to the .code and .data sections of a PE file. As we can see above, the entropy of the code section (green) is that of normal code, while the data section is high on entropy at the very end of it.
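The measurement described above, as an added example (not Gynvael's ENT and not code from the original post): Shannon entropy is computed per fixed-size window, so a compressed/encrypted region at the end of a section stands out. The buffer is constructed, and the window size, the threshold and the function names are assumptions.

```python
import hashlib
import math

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block in bits per byte (0.0 to 8.0)."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.5):
    """Return (offset, entropy) for every window at or above the threshold."""
    hits = []
    for off in range(0, len(data) - window + 1, window):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            hits.append((off, h))
    return hits

def build_sample() -> bytes:
    """Constructed buffer: 4 KiB of repetitive code-like bytes followed by
    2 KiB of pseudo-random bytes standing in for a packed tail."""
    plain = b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 512
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                      for i in range(64))
    return plain + packed

if __name__ == "__main__":
    for off, h in high_entropy_windows(build_sample()):
        print(f"offset 0x{off:04x}: {h:.2f} bits/byte ({h / 8:.0%} of maximum)")
```

The percentage printed here is bits per byte divided by 8; other tools may normalise differently, so figures are only comparable within one tool.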

    Luckily for us it doesn't use stolen bytes or more advanced methods to hinder dumping from memory while the sample decrypted/decompressed itself.

    So we proceed with

    • Loading the sample in Ollydbg - Wait until it hits OEP
    • Dump the process using Ollydump 
    • fix import table
    • Search for "serial"
    • Look for branching code 
    • Patch branching code from JZ to JNZ

    Patching the Jump Zero to a Jump Not Zero instruction

    This is it

    Posted by Thierry Zoller


    G-SEC released an advisory today that affects various Computer Associates products. The most interesting part is the multitude of ways this vulnerability can be triggered, if you skim through the list of affected products you can draw your own picture. Network, USB, Email, CD, DVD, OLE2 (DOC, XLS) and more.

    Picture courtesy of Norton AV Gaming edition

    List of affected products :
    • CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.1
    • CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8
    • CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) r8.1
    • CA Anti-Virus 2007 (v8)
    • CA Anti-Virus 2008
    • CA Anti-Virus 2009
    • CA Anti-Virus Plus 2009
    • eTrust EZ Antivirus r7.1
    • CA Internet Security Suite 2007 (v3)
    • CA Internet Security Suite 2008
    • CA Internet Security Suite Plus 2008
    • CA Internet Security Suite Plus 2009
    • CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8
    • CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) 8.1
    • CA Threat Manager Total Defense
    • CA Gateway Security r8.1
    • CA Protection Suites r2
    • CA Protection Suites r3
    • CA Protection Suites r3.1
    • CA Secure Content Manager (formerly eTrust Secure Content Manager) 1.1
    • CA Secure Content Manager (formerly eTrust Secure Content Manager) 8.0
    • CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r3.0
    • CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r3.1
    • CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r11
    • CA Network and Systems Management (NSM) (formerly Unicenter Network and Systems Management) r11.1
    • CA ARCserve Backup r11.5 on Windows
    • CA ARCserve Backup r12 on Windows
    • CA ARCserve Backup r12.0 SP1 on Windows
    • CA ARCserve Backup r12.0 SP 2 on Windows
    • CA ARCserve Backup r12.5 on Windows
    • CA ARCserve Backup r11.1 Linux
    • CA ARCserve Backup r11.5 Linux
    • CA ARCserve for Windows Client Agent
    • CA ARCserve for Windows Server component
    • CA eTrust Intrusion Detection 2.0 SP1
    • CA eTrust Intrusion Detection 3.0
    • CA eTrust Intrusion Detection 3.0 SP1
    • CA Common Services (CCS) r3.1
    • CA Common Services (CCS) r11
    • CA Common Services (CCS) r11.1
    • CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK)
    • CA Anti-Virus Gateway (formerly eTrust Antivirus Gateway) 7.1
    posted by Thierry Zoller on the 13/10/2009


    Renowned security researcher "Kingcope" recently published a zero-day vulnerability (i.e. no patch and unknown at the time of publication) affecting Microsoft IIS 5 and IIS 6. Functional exploit code exists for IIS 5 / 5.1; no functional code execution exploit is known to exist for IIS 6.

    Update: Kingcope released another exploit against IIS5/IIS6/IIS7 that performs a Denial of Service attack using an insecure globbing mechanism. This attack works with standard user accounts (it doesn't require write access). The second exploit is tracked under CVE-2009-2521.

    Updates :
    • Kingcope publishes a new attack against IIS5/IIS6/IIS7 - Denial of service only - CVE-2009-2521
    • Microsoft published KB975191 with more information
    • VDB IDS are : CVE-2009-3023 , VU#276653
    • To perform a DoS attack write access is not required - this is also the case for IIS6
    • Summary: Code execution is possible on IIS5/5.1 if write access is granted; DoS is possible on both IIS5 and IIS6. Note - there is an improbable condition that may allow code execution on IIS5/5.1 even if write access is not granted: the condition is that a directory is present that has certain characters in its name. It's improbable but possible. Thanks to Guido Landi for the insight.
    Fast facts IIS5/6 Code execution (CVE-2009-3023):
    • Affects IIS5 / 5.1 and IIS6 - currently only a functional code execution exploit for IIS 5/Win2k exists; DoS attacks are possible against all versions.
    • The attacker must use an FTP account that is allowed to create directories (anon or known user) for the exploit to work
    • The FTP service is not enabled by default
    • Anonymous access is not enabled by default
    Current vulnerability requirements (code execution):
    • IIS 5 (5.1) or IIS 6 installed and
    • FTP service enabled and
    • Code exec only requirement : NTFS write permissions given to anonymous or known users
      (IIS5 and IIS6 run on Windows XP, Windows 2000, Windows 2003)
      Current mitigations :
      • Disable FTP service on IIS5 and IIS6 if not required or
      • If FTP is required, disable create directory permissions (see KB975191) or disable write access altogether. Note: this will not protect against Denial of Service attacks

        Browse to the root directory of your FTP site. By default this is in %systemroot%\inetpub\ftproot.
        Right-click on the directory and select Properties.
        Click the Security tab and click Advanced.
        Click Change Permissions.
        Select the Users group and click Edit.
        Deselect Create Folders/Append Data.
      Comments :
      • Successful code execution might be possible without the need to be able to create directories (more research required). Note: For a successful Denial of Service attack the creation of a directory is not required.

      • The reason there is no functional exploit against IIS6 (Windows 2003) is that the exploit mitigations that ship with Windows 2003 make it harder to reliably exploit (if at all)

      • It's possible that the vulnerable part of the IIS code can be reached by other means, if other methods are known we will update this blog.
      Tools :
      • Nmap script to scan network for IIS FTP with write permissions (Credit: Xavier Mertens)
      • OpenVas is able to scan for this flaw
      Posted by Thierry Zoller, Luxembourg


      As you may or may not know, there has been a massive client-side exploitation movement going on since last year (there was one before, but on a less massive scale). There seems to be an ongoing competition between different nations (government orgs.), revolving around who is able to order Chinese servers, deploy client-side exploits and run with the false flag the fastest.

      Those that had to look into client-side attacks surely feel the pain of doing so, apart from run-time analysis, it takes some in-depth knowledge of the format and common exploitation techniques (recognise shellcode patterns ) to spot and dissect them.

      The Office file format is a file format on steroids: it has its own MFT and its own structure - hell, the file format can even fragment - that kind of steroid. One can only imagine how this format came to life: did Microsoft launch an internal competition for who comes up with the most complicated and most difficult file format ever? Compatibility was surely not the goal [1]. Anyway, enough ramblings...

      Luckily there has been good progress on the Office fileformat analysis front, there was Officecat [2] and STG Docfileviewer [3] but honestly in terms of supporting analysts, these didn't cut it.

      This week Microsoft released "Offvis", basically a DOC/XLS/PPT/OLE parser with the added bonus of detecting existing attacks. Its main goal is to help researchers and vendors parse and dissect the awfully complicated Office file format.

      On another front, Frank Boldewin released an awesome automatic and generic doc/ppt/xls dissection tool. The tool extracts macros and information about the structure of the file, searches for common shellcode patterns, has its own small disassembly logic and, as an added bonus, brute forces possible XOR and ADD obfuscation loops.


      As input Offvis takes Office file format files, such as DOC, XLS and so forth. On the left-hand side it displays the raw content of the file; on the upper right it displays the result of the parsing attempt. The display is interactive, allowing you to select a field and see the raw content displayed.

      If the file exploits a commonly known vulnerability, it will display a warning. It does not detect any other attempts, including the commonly used method of dropping malicious code using macros.

      There seems to be no generic detection of shellcode or malware. In essence, Offvis' goal appears to be to help developers and vendors better understand the format itself and test the implementations of their parsers. The added CVE recognition of known exploits is a bonus at best, although it has one nifty feature that comes in handy during analysis - defragmentation.

      » Download Offvis : http://go.microsoft.com/fwlink/?LinkId=158791
      » Download Fact sheet

      Office Malscanner
      Office Malscanner is a new suite of tools from Frank Boldewin
      • OfficeMalscanner - Scans, parses the format, searches for shellcode patterns, extracts macros, bruteforces all possible XOR and ADD obfuscation keys and searches for executable magic bytes.

      • Disview - Takes an offset as an argument and tries to disassemble the input

      • MalHost-Setup - Patches the shellcode as to halt on execution to allow debugging of the shellcode

      The results we had with the tool were great, it is the first (to our knowledge) generic utility to detect malicious code within office file formats, by that we mean that it doesn't look for specific patterns of known exploits, but uses generic means to detect possible malicious code with the possibility of false positives (as in all generic methods).

      OfficeMalScanner in action analysing a malicious PPT file

      It detects the API hashing method commonly used in shellcode at offsets that are located nearby. It then brute forces all possible XOR keys and matches MZ and PE signatures indicating binary executables, and extracts them to disk. Additionally, it rates the different findings in a metric called "Malicious Index"; one might imagine this index being used to filter out malicious documents at the border by setting a minimum "malicious index" to reach.
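The key brute-forcing step described above, as an added example (this is not OfficeMalScanner's code, and all function names are hypothetical): every single-byte XOR and ADD key is tried, and a hit is reported only where "MZ" is followed by a valid e_lfanew pointer to a "PE\0\0" signature. The sample buffer and the stub header in it are constructed.

```python
import struct

def build_stub_pe() -> bytes:
    """Constructed stand-in for an embedded executable: a 64-byte DOS header
    with 'MZ' and e_lfanew at 0x3C, followed by the 'PE\\0\\0' signature."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00"

def looks_like_pe(buf: bytes, off: int) -> bool:
    """True if buf[off:] starts with 'MZ' and e_lfanew points at 'PE\\0\\0'."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
    return buf[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00"

def find_encoded_pe(data: bytes):
    """Try all single-byte XOR and ADD keys; return (method, key, offset) hits.
    XOR key 0 covers the unencoded case, so ADD starts at key 1."""
    hits = []
    for method in ("xor", "add"):
        for key in range(0 if method == "xor" else 1, 256):
            if method == "xor":
                table = bytes(b ^ key for b in range(256))
            else:  # undo an additive encoding by subtracting the key
                table = bytes((b - key) & 0xFF for b in range(256))
            decoded = data.translate(table)
            pos = decoded.find(b"MZ")
            while pos != -1:
                if looks_like_pe(decoded, pos):
                    hits.append((method, key, pos))
                pos = decoded.find(b"MZ", pos + 1)
    return hits

# Constructed sample: filler bytes around a stub PE XOR-encoded with key 0x5A.
SAMPLE = b"\xCC" * 100 + bytes(b ^ 0x5A for b in build_stub_pe()) + b"\xCC" * 32

if __name__ == "__main__":
    for method, key, off in find_encoded_pe(SAMPLE):
        print(f"{method} key 0x{key:02x}: PE header at offset {off}")
```

Requiring the PE signature at e_lfanew, rather than "MZ" alone, is what keeps the false-positive rate of this generic approach manageable, since the two-byte "MZ" pattern appears under some key in almost any buffer.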

      Video of the extraction and analysis of a macro based Word dropper


      The video shows the extraction of a malicious VBA macro included in a Word document and the modifications done to the vba file to drop the exe without executing it.

      Malhost-Setup - disassembling shellcode (here exploit targeting office)

      Malhost-setup can be used to analyse malicious code that directly exploits office - Malhost-setup takes the malicious file as input and the address of the start of the shell code as hexadecimal offset. It then extracts the shellcode and embeds it into an executable allowing to proceed with analysis in your debugger of choice.

      » Download : OfficeMalScanner
      » Paper and malicious samples : Analyzing MSOffice malware with OfficeMalScanner

      Posted by Thierry

      [1] http://www.microsoft.com/interop/docs/OfficeBinaryFormats.mspx
      [2] http://www.snort.org/vrt/vrt-resources/officecat
      [3] http://support.microsoft.com/kb/139545/de