Sunday, December 18, 2011

Vulnerable Weekends #4

Introduction:
Report #4A analyzes the Microsoft Windows True-Type fonts handling vulnerability that the W32.Duqu malware leverages to install itself on vulnerable systems. Once installed, it could then leverage its elevated privileges to execute arbitrary code.

Report #4B analyzes the Microsoft Windows DVR-MS media files processing vulnerability that could also be leveraged to execute arbitrary code on the targeted system.

Vulnerability Report #4A: Microsoft Windows Kernel-Mode Drivers True-Type Font Handling Remote Code Execution Vulnerability

Vulnerable Product: Installations of Microsoft Windows XP, Server 2003, Vista, Server 2008, and 7

CVE ID: CVE-2011-3402

CVSS v2 Score:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score:9.3

Exploitability: FUNCTIONAL
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score:7.7

Details:
Microsoft Windows has been reported to contain a vulnerability that could be leveraged to execute arbitrary code on the targeted system. The vulnerability has been reported within the Kernel-Mode driver, Win32k.sys, that provides rendering support for True-Type fonts.

The vulnerability is due to the fact that the vulnerable font processing engine fails to perform mandatory boundary checks on user-supplied input received via crafted True-Type fonts embedded within a Microsoft Office .doc file. An attacker who could convince a remote user to open a malicious .doc file, containing the specially crafted content, could exploit this vulnerability to cause a memory corruption error within kernel space. Further, the attacker could leverage such memory corruption errors to inject arbitrary shellcode within system memory and execute it with SYSTEM privileges on the targeted system.

Public sources confirm that the W32.Duqu malware, assumed to be a variant of W32/Stuxnet-B, leverages this vulnerability to infect vulnerable systems.

The vendor, Microsoft, has released a security bulletin to confirm this vulnerability and provided official patches for its mitigation. Users are requested to keep their systems updated with the latest available patches.

Vulnerability Sources:
http://www.securityfocus.com/bid/50462
http://tools.cisco.com/security/center/viewAlert.x?alertId=24500
http://www.symantec.com/security_response/writeup.jsp?docid=2011-101814-1119-99


Vulnerability Report #4B: Microsoft Windows Media Player DVR-MS Files Processing Remote Code Execution Vulnerability

Vulnerable Product: Installations of Microsoft Windows XP, Vista, and 7

CVE ID: CVE-2011-3401

CVSS v2 Score:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Base Score: 9.3

Exploitability: UNPROVEN
Remediation Level: OFFICIAL FIX
Report Confidence: CONFIRMED
Temporal Score: 6.9

Details:
Microsoft Windows Media Player has been reported to contain a vulnerability that could be leveraged to execute arbitrary code on the targeted system. The vulnerability exists within the encdec.dll library used by the vulnerable platforms.

The vulnerability is introduced while the affected software tries to process Microsoft Digital Video Recording (DVR-MS) media files. The affected software fails to perform sufficient security checks on user-supplied input received via such files, leading to a memory corruption error within kernel space. An attacker who could convince a targeted user to open a malicious .dvr-ms file, could exploit this vulnerability and leverage the memory corruption error to execute arbitrary code with SYSTEM privileges.

The vendor, Microsoft, has released a security bulletin to confirm this vulnerability and provided official patches for its mitigation. Users are requested to keep their systems updated with the latest available patches.

Vulnerability Sources:
http://www.securityfocus.com/bid/50957
http://secunia.com/advisories/cve_reference/CVE-2011-3401/

Generic Sources:
http://cve.mitre.org
http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

No comments:

Post a Comment

Thanks for reading! I would appreciate if you could leave your comments as well.