Category Archives: JavaScript

[ Sharing ] More ITW Exploitation of Internet Explorer ‘Unicorn bug’ found

These few days i have seen friends asking me whether i have seen any sites during work using CVE-2014-6332.
Sad to say, i can’t talk about work. So today i will talk about what i’ve seen during my free personal time.

[ How it starts ]
So what is this vulnerability known as CVE-2014-6332?
This is an interesting bug as it exploits Internet Explorer versions 3 through 11. This means that most if not all of Internet Explorer users are vulnerable unless they are using patched systems. It was first disclosed publicly by @yuange75 here back in 01st August 2014 : http://hi.baidu.com/yuange1975/item/c667f900cf0e2fc02e4c6bed
However he found it long long ago.

I guess it’s only a matter of time that “malware writers” start using this knowledge and use it as part of their cybercrime. I’m not from any AV companies nor ThreatIntel team selling “APT” news, but i do want more people to know that there are now several compromised website(s) that are using this CVE-2014-6332 vulnerability to install malware on the computers of its unsuspecting visitors.

[ Compromised Website details ]
The very first one that i found is from www[.]uyghurweb[.]net
The page source contains 2 interesting thing that caught my “eyes”.

The 1st one is “http://122[.]10[.]91[.]20/2013/frame.js” but it’s down when i tried to grab it.
The other being the other JavaScript(s) in the page.

The one that is more interesting is “js/udg.js” as it’s actually redirecting visitors to another website serving “CVE-2014-6332

As you can see, the exploit is hosted on the domain “http://www[.]owner[.]com[.]tw
If you have seen the source of “new.htm” as shown below.
owner.com.tw.01
It looks almost identical to the one shared by @yuange75. I suppose this malware writer is quite lazy to change anything to it.

I actually found a total of 7 but some are sensitive to be shared. One of it was disclosed by ESET here:
http://www.welivesecurity.com/2014/11/20/first-exploitation-of-unicorn-bug/
The other 3 non-sensitive sites that i’ve found are from:
http://finance[.]cedare[.]int/luz.htm
http://www[.]edicot[.]com/lulz.htm
http://www[.]e-ctasia[.]com/lulz.htm

But interestingly for these 3, all are showing “Hacked by LulzSec” and the following is found in the page source.

My guess is the first one is probably not related to the other 3. But one thing is for sure, there are more of these websites serving “CVE-2014-6332” as we speak.
I’ll probably blog about the payload later.

[ Conclusion ]
Although i do not have the mass amount of data as AV companies or ThreatIntel companies to offer IOC (Indicators of Compromise), but i guess if i can find a few website(s) within a week. I suppose it’s is just a matter of time before ExploitKit(s) integrate this vulnerability to their existing toolkit. Since most of the Internet Explorer versions were affected, I guess user(s) of Internet Explorer should just update IE NOW!!!!!.

Happy Reversing
Jacob Soo

[Technical Tear Down] Fiesta Exploit Kit – Java Exploit (CVE-2012-0507)

Today, we’re going to look at another exploit that is delivered by the Fiesta Exploit Kit. As usual, the purpose of this post is to provide a technical understanding on how the exploit work. This time it is a JAVA exploit.

This is the link to the fiesta_ek_java_2012_0507 (The .JAR file contained 4 .class files and a .txt file containing the parameters that was passed to the JAVA applet by the launching Javascript). Do note that these are MALICIOUS files, so please run them in a “safe” environment.

[Part 1: Overview]

This exploit uses the CVE-2012-0507 vulnerability. It is a type confusion vulnerability affecting the AtomicReferenceArray class. More information about this vulnerability can be found at these 2 articles (http://schierlm.users.sourceforge.net/TypeConfusion.html and http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3 ). This exploit will result in a JAVA sandbox escape and allow the attacker to perform privileged actions.

Exploiting type confusion vulnerabilities are very interesting and very different from exploiting overflow/code execution vulnerabilities. In a sense, it is much easier to perform. To fully understand how it works, we must first discuss about the JAVA sandbox.

[Part 2: Java Applets and Sandboxing]

For the full explanation, refer to http://docs.oracle.com/javase/tutorial/deployment/applet/security.html

In summary, there are 2 types of JAVA applets, Sandbox applets and Privileged applets. As the name suggests, sandbox applets run in a sandbox and have limited access to certain operations. Privileged applets do not have such restrictions but they have to be signed by a recognized CA (Certificate Authority) and the user must give permission to the applet to perform higher privileged operations. Most applets we see are sandbox applets.

The picture below shows some of the restricted operations of sandbox applets.

00

Take special notes of point #1 (cannot access local filesystem and execute files), #2(cannot connect to third party servers), #4(cannot change security level) and #5 (cannot create classloaders).

[Part 3: The Malicious Applet]

Below is the de-obfuscated Javascript code that is responsible for loading the applet.

01

The Javascript first checks that the Java version is Java 6u30 or lower. If it is lower than that, it will fetch the applet from the malicious url and start running the code in the “tampi” class. 2 paramters “peso” and “lapp” are also passed along to the applet.

In the following source codes, I have de-obfuscated some of the strings and variable names so as to make your reading easier. Let’s look at the “init” method of the “tampi” class. The “init” method is first called when a Java applet is loaded.

02

The 2 params that was passed in will be stored into the javaparam_lapp and javaparam_peso variables. Take note of the javaparam_peso which contains a URL link to the malicious server.  I will come back to it later.

Although a sandbox applet cannot create a ClassLoader, it is still able to get a handle to the Applet’s ClassLoader seen on line 17. The “lapp” parameter is the serialized form of an Object[] array. It is decoded by the “foro” method then deserialized by the ObjectInputStream and cast back to its Object[] form on line 19 and 20. The diagram below shows the reconstructed Object[].

03

The Object[] array contains 2 Objects.

  • preyx[] array containing 1 element (null at this point)
  • AtomicReferenceArray (I shall refer to it as ARA) containing 1 element
    • This is actually the same preyx[] array above, only casted as a ARA object

Line 22 to 24 is a Java Reflection call to set the first element of the ARA object to the classloader that was referenced earlier (Line 25 comment line is the non-reflection way to call the same method).  This means a reference to the Applet’s ClassLoader has been assigned into the preyx[] array. This violates JAVA’s type safety and hence a Type Confusion vulnerability.

Line 27 then calls the “juri” method on the first element of the preyx[] array which contains the ClassLoader now. Let’s look at the “preyx” class and its parent class, “odesh

04

05

The preyx class is actually a subclass of the ClassLoader class (See Update #1 for more details).

The “juri” method reads in the “teemb.class” class file and creates a Class object from it with the “defineClass” method on line 16. Take special notice of the last parameter of the method call. This is the “privilege” level to be assigned to this class. An instance of this class is then created on line 17. Let’s look at the “tampi.rous()” method.

06

The commented block is the non-reflection way to call the same methods. This is a typical JAVA privilege escalation method. It creates a ProtectionDomain which has access to “AllPermissions”. By AllPermissions, I mean ALL permissions. This means the “teemb” class would have access to all operations including file I/O onto the local filesystem, network connections to third party servers and so on. The applet can now perform whatever a normal executable jar file can perform when it is run from the local filesystem.

Let’s look at the “teemb” class now.

07

The 3 methods “lewd”, “orly” and “callWriteMethod” are helper methods.

  • lewd – some form of decoding function based on xor
  • orly – reads everything from the inputstream into the input byte array and returns the total number of bytes read
  • callWriteMethod – calls the write method of the specified class

The constructor of the “teemb” class calls the “doPrivileged” method which then calls the “run” method below.

08

Line 53 assigns the malicious URLs in “javaparam_peso” into the arrayOfString variable. For each url in there, the for loop on line 59 is executed. In summary, the for loop perform these operations.

  • Creates the temp file path to store the malicious file
  • Opens a URL stream to the malicious url
  • Read the first 256 bytes from the stream (this is the xor key)
  • If key is read successfully, read in the rest of the stream
  • Decode the rest of the stream with the xor key and store it into the temp file path
  • Use the Runtime class to execute the downloaded file in the temp file path

In gist, this is a Download and Execute code. At this point, the attacker would be able to download any malicious file from the Internet and execute it on the victim’s machine. This defeats all the restriction that was placed on sandbox applets, effectively bypassing the sandbox.

[Update #1]

The purpose of this update is to better explain the role of the vulnerability in this exploit. The original article did not really explain this part clearly.

Earlier in the article, I mentioned that preyx is a subclass of ClassLoader. This means under normal circumstances, the applet would not be able to create a preyx instance (e.g. thru a “new preyx()” call) because sandbox applets are not allowed to create ClassLoaders. CVE-2012-0507 allowed the applet to “smuggle” a reference to a preyx object into the applet’s execution environment without actually creating one.

However, the next question is why is the preyx object important? The answer is privilege escalation. In order to execute malicious operations, a higher privilege level is needed other than the sandbox privilege level. The defineClass method allows the attacker to create a class with a specified “privilege” level (thru the last param of the function call). However, the defineClass is a protected method which means only subclasses of ClassLoader would be able to call it and that is where the preyx class comes in.

To understand this easier, put yourself in the shoes of the exploit writer. The thinking would go something like this.

  • Goal is to run malicious code
  • Need a way to load a class with elevated privilege levels (defineClass method)
  • To call the defineClass method, need a subclass of ClassLoader (preyx class)
  • Normal applet would not allow the creation of a preyx instance, need a way to get a preyx object into the applet environment (CVE-2012-0507 vulnerability)

[End Update #1]

I hope you have gained a better understanding of this exploit. Until next time!!

Glenn (@_graypanda)

[ Technical Tear Down : Chrome Extension – Pro Visitor ]

Today, I’ll be doing another technical tear-down of a Chrome Extension that does more than what it advertises.
I was alerted to this particular interesting piece of Chrome extension by Janne Ahlberg when he tweeted about it here.
I’ve attached the link to the file here for anyone interested to try analysing it themselves.
nbpaecgogmkifkfgdeoalcilnjigcglb
The password to the attachment is “infected29A
I was encouraged by Emiliano Martinez of VirusTotal to upload this Chrome extension to see whether AV will detect such stuff.
I wasn’t surprised by the final outcome, 0/54
virustotal.com_001
https://www.virustotal.com/en/file/26eb50c2543a3f9c8cff8f01068140a00c639c5fe75843eb5d6175c6208147ba/analysis/1410057947/

[ Sample used in the analysis ]
MD5: bb93188a0e751f95e156f490f612d19f
SHA1: 624b9fd7e08ac10f194b835551f98c0a1c127118

[ How it starts ]
If you access the website, thousandssa[dot]pw, you will see something like the image below.
thousandssa.pw

It will keep prompting visitor(s) of that url to install Firefox extension or Chrome extension.
If you had peeped into the html of the above-mentioned url, you will see this interesting of Javascript below.

I’ve tried to download both the Firefox extension from http://www[dot]defends4987de[dot]asia/profilevisitor[dot]xpi but the url is no longer valid anymore.
So i’ve tried to download the Chrome extension from the official Google Chrome webstore, https://chrome[dot]google[dot]com/webstore/detail/nbpaecgogmkifkfgdeoalcilnjigcglb using my tool here, CRXDownloader

Since it’s an Chrome Extension, let’s check the permissions of this Adware and further dissect it.
Let’s try to understand how Chrome Extension works.
Chrome’s Extension will always require a manifest file, a background.html and possibly some JavaScript files as documented by Google here.

The manifest file, called manifest.json, gives information about the extension, such as the most important files and the capabilities that the extension might use.
For this particular Chrome extension, we can see what sort of permissions did manifest.json request for below.

From the above manifest.json, once user(s) install this Chrome extension.
We can see from the “permissions” that it requires:
“permissions”: [“tabs”, “http://*/*”, “https://*/*”, “webRequest”, “webRequestBlocking”]

For a better understanding of the permissions and what each individual permission mean, the following will be a good reference.
https://developer.chrome.com/extensions/declare_permissions
Of particular interest to us are the “tabs” and “webRequestBlocking
If you had read the documentation for “webRequestBlocking”, the API allows developers to observe and analyze traffic and to intercept, block, or modify requests in-flight.
It sure doesn’t sound safe to me.

From the above manifest.json and the documentation from here.
We can see that it will try to do 2 matches against webpages visited by user(s).
The 1st “Matching” seems like a typical FaceBook application installation url with all the required permission(s) and then running the 2 Javascript(s).
“js/jquery-1.8.2.min.js”, “js/installer.js”
The 2nd “Matching” just wants all the url with a match to “facebook.com” and then run 4 Javascript(s).
“js/jquery-1.8.2.min.js”, “js/bililiteRange.js”, “js/jquery.sendkeys.js”, “js/poster.js”

[ Dissecting installer.js ]
Let’s take a look at “installer.js” and we can see that it’s trying to install the FaceBook application on behalf of the user(s).

[ Dissecting Background.js ]
Let’s take a look at “background.js” and this is actually the more important piece of Javascript in solving the mystery around this Chrome extension.
We can see that once “background.js” actually in this case fetching information from http://shockingvisitor[dot]com (I will name this as C&C for the time being for simplicity sake) to click on “Like” on certain urls that were fetch from the C&C.

From the above information that we have gathered thus far, we can see the following “Domain Whois” information:

If we were to go to “http://shockingvisitor[dot]com/spotify/index.php/message/index”, you will see something like the image below.
shockingvisitor.com

That site probably is where the owner will configure what the Pro-Visitor_v0.6“user(s)” of this Chrome extension will “Like” on FaceBook when they are logged in.

[ Conclusion ]
Remember that i mentioned that this Chrome extension was like what it advertised.
It advertised to do these, “Instantly see who is viewing your profile” & “Check how many photo views you have” but it didn’t. 😛

While this is not a state of the art Chrome Extension Malware, but it’s probably one of the rare & interesting ones out there.
We can even see from the scripts that the author had hastily “Copy/Paste” from elsewhere.
It’s even more interesting that it even managed to survive in Chrome webstore for quite some time.

I hope that this is fairly simple to understand technical tear down that people can repeat the steps on their own and learn how to analyse Potentially malicious Chrome Extension on their own.

Happy Reversing,
Jacob Soo

[ Technical Tear Down : DIgiCOuppOan (PUP/Adware) ]

Recently while i was trying to troubleshoot my relative’s home network.
I happened to notice that their Chrome browser is infected with a PUP/Adware.

PUP stands for Potentially Unwanted Programs. The one that i’ve come across is DIgiCOuppOan.
I suspect that machine was infected when one of them went to some p0rn sites.

DIgiCOuppOan is classified as a potentially unwanted adware. DIgiCOuppOan claims to enhance your web browsing experiences and save your time and money by providing discounts and other bonuses and deals. DIgiCOuppOan program is compatible with the majority of the top retailers online.

DIgiCOuppOan program will display their ads with a pop up box which contains various ads according to yous queries when you browsing online. Currently DIgiCOuppOan adware program displays at least four basic types of advertising including sponsored links, coupons, video related ads and banner ads, “pop-unders” or interstitial ads.

Instead of writing what is it about. I’ll be doing my own technical tear-down of this PUP/Adware.
I’ve attached the link to the file here for anyone interested to try analysing it themselves.bkkdkcifjmepenkhibomliiocmpiejlj
The password to the attachment is “infected29A

[ Sample used in the analysis ]
MD5: c33dc4f0d10e233f6428ba8f35d5d16b
SHA1: 87fc5db935b95d0d3b84535bbffc36a8b8f1ba52

[ How it starts ]
Since it’s an Chrome Extension Adware, let’s check the permissions of this Adware and further dissect it.
Let’s try to understand how Chrome Extension works.
Chrome’s Extension will always require a manifest file, a background.html and possibly some JavaScript files as documented by Google here.

The manifest file, called manifest.json, gives information about the extension, such as the most important files and the capabilities that the extension might use.
For this particular Adware, we can see what sort of permissions did manifest.json request for below.

From the above manifest.json and the documentation from here.
We can see that it will inject content.js at the end of all webpages visited by user(s).
Once this Chrome extension started, it will start “background.html”.

From the “permissions”, we can also see the permissions that it require.
For a better understanding of the permissions and what each individual permission mean, the following will be a good reference.
https://developer.chrome.com/extensions/declare_permissions

[ Dissecting Background.html ]
Let’s take a look at “background.html” and we can see that once it’s loaded, it will start 2 other JavaScripts, “L7Y9.js” & “lsdb.js”
DIgiCOuppOan.01

[ Dissecting L7Y9.js ]
Let’s take a look at L7Y9.js and we can see that there is a decode function.
Even though on first glance, the string looks like it’s base64 encoded but in reality it is not.

Now let’s write a decode function without running the actual script. Below is a simple decoding script.

After decoding had been done. The decoded message or URL(s) in this case are

From first glance, it’s probably those links that will be injected into the webpages that the user(s) visits.
It is persistently writing data to the Local Storage as we saw that it requested “Storage” permission in the manifest.json file.

[ Conclusion ]
While this is not one of the state of the art Chrome Extension Malware, but it’s probably one of the many PUP/Adware out there.

I hope that this is fairly simple to understand technical tear down that people can repeat the steps on their own and learn how to analyse Chrome Extension PUP/Adware or even Chrome Extension malware on their own.

Happy Reversing,
Jacob Soo