Symantec DeepSight Threat Management System Analysis: Client-side Exploitation

To: bugtraq@xxxxxxxxxxxxxxxxx, incidents@xxxxxxxxxxxxxxxxx
Subject: Symantec DeepSight Threat Management System Analysis: Client-side Exploitation
From: David Ahmad <da@xxxxxxxxxxxxxxxxx>
Date: Fri, 25 Jun 2004 12:46:35 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.4.2i

Good day,

Symantec has made two reports available to the public, listed at 
the end of this post.  These documents describe instances of 
client-side exploitation.  At least one instance appears to 
involve an attacker with criminal intent targeting an individual 
at a financial institution.

I'm going to do something I almost never do (and try to
avoid), and that's deliver a frank soapbox rant.  Before that, 
I would like to acknowledge the work of the following individuals, 
without whom, many of these threats would remain unknown
(apologies to any I've left out):

http-equiv
Liu Die Yu
Drew Copely & eEye
Jelmer
Georgi Guninski
GreyMagic Security
Dror Shalev
Thor Larholm
Roozbeh Afrasiabi
Andreas Sandblad
Marc Slemko

Client-side exploitation is nothing new.  We have seen and 
discussed the potential risk posed by Microsoft Internet 
Explorer (and to a lesser extent, other client applications) 
for some time.  In fact, Symantec Internet Security Threat 
Reports in the past have warned repeatedly of these issues 
specifically as future threats. 

There is really no surprise, though.  It was only a matter of 
time before attackers caught on.  I've said this before -- it's 
difficult for me to think of a better class of vulnerabilities: 
no dependence on version or memory layout or any other such messy 
factors, firewalls are totally irrelevant and VPNs become basically 
a free ride in, the browser doesn't end up crashing (i.e. the 
victim remains blissfully unaware that they've been owned).. 
and there seems to be an endless supply of new tricks to use, 
thanks to the labyrinthine complexity of components, subcomponents 
and the genetically mutated frankenstein* of an access control 
mechanism that is supposed to hold it all together.  Finally, to 
top it all off, when a bug has been patched.. you never know if 
it has really been patched, because you're not even entirely 
sure where or what the bug is.  Often these vulnerabilities are 
not single flaws, but combinations of bad behavior and weaknesses 
put together.  Fix one avenue of attack and it only takes the 
discovery of another (usually code execution in Local Zone) to 
recreate the original attack.  Recall the longevity of "CODEBASE" 
and other similar "non-vulnerabilities".

Part of the problem is that MSIE has the worst feature creep that I 
have ever seen.  This "thing" is now used as, fundamentally, an 
interface presentation tool.  The browser is used for anything and 
everything you could possibly want it to: e-mail, applications,
file management, multimedia...  and where the browser as an entire 
application isn't used, the HTML rendering component often is.

I do my best to maintain an unbiased stance.  I think that the 
other browsers are probably just as bad, to the extent possible as 
they are not as complex and integrated into the operating system 
as MSIE.  But this is the reality, folks.  

Microsoft's effort so far to understand and fix these problems one 
at a time is commendable.  They are probably the best commercial 
vendor for responding to and correcting security issues.

On the bright side, XP SP2 looks like it make some desperately 
needed changes.  Let's hope a fundamental redesign is in the works 
too, because that looks like the only solution to me.  

Until then, try to make the most of your Interweb experience with 
basically every option in the MSIE security settings set to 
"Disable".  Then again, why bother worrying about another
hole in IE, or anything else for that matter.  The average home PC
is already beyond compromised with about 50 different individual 
instances of malicious code and IRC bots and spyware all competing
with each other to log keystrokes, turn on your webcam and bind 
backdoor servers to listening ports.  

Cheers.

* e.g. tripping on "document" vs "Document"

--

The reports are available at:

http://tms.symantec.com/ClientSideExploitation.asp

Client-side Exploits: Forensic Analysis of a Compromised 
Financial Services Laptop 

This document details the forensic analysis of a machine 
compromised through the use of a client-side vulnerability. 
The evidence gathered in this analysis strongly suggests that 
this client-side attack was used to specifically target a 
financial institution, with the goal of retrieving the necessary 
authentication credentials to escalate the initial attack to 
further compromise other related systems. The analysis of 
this compromise provides us with a real-world example of 
targeted attacks against a specific company, in this case, a 
company in the Financial Services sector using a client-side 
attack vector. Although not new, the targeted exploitation of 
client-side vulnerabilities has not seen extensive documentation 
or analysis. This analysis aims to provide the reader with a 
detailed description of an actual attack exploiting a client-side 
vulnerability. 

http://tms.symantec.com/documents/040617-Analysis-FinancialInstitutionCompromise.pdf

Compromised IIS Server / Unpatched Internet Explorer 
Vulnerability Exploitation Alert 

The DeepSight Threat Analyst Team has become aware of various 
public reports of Microsoft Internet Information Services (IIS) 
servers being attacked and subsequently compromised. As a second
component of the compromise, a malicious JavaScript is hosted 
on the infected IIS system and inserted into files served from 
that system. This document contains information about the 
vulnerabilities used and the subsequently deployed malcode, which 
is not available elsewhere. The malicious JavaScript in question 
is designed to compromise client systems through multiple known, 
but unpatched vulnerabilities in Internet Explorer. The resulting 
client-side infection includes, among other things, a keystroke 
logger. The Threat Analyst Team has manually captured a sample of 
the IE exploit, and resulting binary, in the DeepSight Honeynet 
system. Further investigation of the exploit resulted in the 
conclusions described below. UPDATE: This Threat Alert has been 
updated to include additional information about the client side 
exploits used in this attack. Additional information about other 
associated files has also been added. 

http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.pdf

-- 
David Mirza Ahmad
Symantec 

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12

Prev by Date: Re: Is predictable spam filtering a vulnerability?
Next by Date: Re: Is predictable spam filtering a vulnerability?
Previous by thread: [SNS Advisory No.76] Printing from Internet Explorer Lets Users to Cause DoS
Next by thread: Mac OS X stores login/Keychain/FileVault passwords on disk
Index(es):
- Date
- Thread