CVE-2017-8759: A new Zero-Day Used to Distribute FINSPY

As part of its September Patch Tuesday, Microsoft has released a large batch of security updates to patch a total of 81 CVE-listed vulnerabilities, on all supported versions of Windows and other MS products.
The latest security update addresses 27 critical and 54 important vulnerabilities in severity, of which 38 vulnerabilities are impacting Windows, 39 could lead to Remote Code Execution (RCE).

Affected Microsoft products include:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • .NET Framework
  • Skype for Business and Lync
  • Microsoft Exchange Server
  • Microsoft Office, Services and Web Apps
  • Adobe Flash Player

One of the flaw have been already been used in wild

Windows .NET Framework RCE (CVE-2017-8759)

Researchers at FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. Researchers analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.

This vulnerability resides in the way Microsoft .NET Framework processes untrusted input data.

Microsoft says the flaw could allow an attacker to take control of an affected system, install programs, view, change, or delete data by tricking victims into opening a specially crafted document or application sent over an email.

This vulnerability can be exploited as:

This zero-day flaw has actively been exploited by a well-funded cyber espionage group to deliver FinFisher Spyware (FinSpy) to a Russian-speaking “entity” via malicious Microsoft Office RTF files in July this year.

FinSpy is a highly secret surveillance software that has previously been associated with British company Gamma Group, a company that legally sells surveillance and espionage software to government agencies.

Once infected, FinSpy can perform a large number of secret tasks on victims computer, including secretly monitoring computers by turning ON webcams, recording everything the user types with a keylogger, intercepting Skype calls, copying files, and much more.

“The [new variant of FINSPY]…leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult,” researchers at FireEye said.

“As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames.”

There are 3 more publicly disclosed vulnerabilities affecting Windows 10:
  • Device Guard Security Feature Bypass Vulnerability (CVE-2017-8746): This flaw could allow an attacker to inject malicious code into a Windows PowerShell session by bypassing the Device Guard Code Integrity policy.
  • Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-8723): This flaw resides in Edge where the Content Security Policy (CSP) fails to properly validate certain specially crafted documents, allowing attackers to trick users into visiting a website hosting malware.
  • Broadcom BCM43xx Remote Code Execution Vulnerability (CVE-2017-9417): this flaw exists in the Broadcom chipset in HoloLens, which could be exploited by attackers to send a specially crafted WiFi packet, enabling them to install programs, view, change, or delete data, even create new accounts with full admin rights.

There are more vulnerabilities that are patched like BlueBorne. So the best thing to protect is to update as soon as possible.



CVE-2017-9805:A critical vulnerability in Apache Struts

Security researchers at have discovered a critical remote code execution vulnerability in Apache Struts — a popular open-source MVC framework for developing web applications in the Java programming language which supports REST, AJAX, and JSON, allowing a remote attacker to run malicious code on the affected servers.

The vulnerability (CVE-2017-9805) is a programming blunder that resides in the way Struts processes data from an untrusted source. Specifically, Struts REST plugin fails to handle XML payloads while deserializing them properly.

All versions of Struts since 2008 are affected; all web applications using the framework’s popular REST plugin are vulnerable.

At least 65% of the Fortune 100 companies are actively using web applications built with the Struts framework. Organizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot, and SHOWTIME are known to have developed applications using the framework.

The vulnerability is incredibly easy for an attacker to exploit , all an attacker needs is to submit a malicious XML code in a particular format to trigger the vulnerability on the targeted server.

Successful exploitation of the vulnerability could allow an attacker to take full control of the affected server, eventually letting the attacker infiltrate into other systems on the same network.

This flaw is an unsafe deserialization in Java similar to a vulnerability in Apache Commons Collections, discovered by Chris Frohoff and Gabriel Lawrence in 2015 that also allowed arbitrary code execution.

Since this vulnerability has been patched in Struts version 2.5.13, administrators are strongly advised to upgrade their Apache Struts installation as soon as possible.

LabVIEW vulnerability allows malicious code execution

Security researchers from Cisco’s Talos Security Intelligence have discovered a critical vulnerability in LabVIEW software that could allow attackers to execute malicious code on a target computer, giving them full control of the system.

LabVIEW is a system design and development platform released by National Instruments. The software is widely used to create applications for data acquisition, instrument control and industrial automation.

Identified as CVE-2017-2779, the code execution vulnerability could be triggered by opening a specially crafted VI file, a proprietary file format used by LabVIEW.

Talos researchers explain “An exploitable memory corruption vulnerability exists in the RSRC segment parsing functionality of LabVIEW. A specially crafted VI file can cause an attacker controlled looping condition resulting in an arbitrary null write. An attacker controlled VI file can be used to trigger this vulnerability and can potentially result in code execution.”

Talos researchers have successfully tested the vulnerability on LabVIEW 2016 version 16.0, but National Instruments has refused to consider this issue as a vulnerability in their product and had no plans to release any patch to address the flaw.
However, the issue should not be ignored, because the threat vector is almost similar to many previously disclosed Microsoft Office vulnerabilities, in which victims got compromised after opening malicious MS Word file received via an email or downloaded from the Internet.
Since there is no patch available, the LabVIEW users are left with only one option—be very careful while opening any VI file you receive via an email.
Full technical analysis is available here.

Critical RCE Vulnerability Discovered in Cisco WebEx Browser Extension

A highly critical remote code execution vulnerability, tracked as CVE-2017-6753, was discovered in the Cisco Systems WebEx browser extension for Chrome and Firefox which  has ~20M active users, and is part of Cisco’s popular web conferencing software.

This is the second time this year a critical vulnerability has been discovered in this product which even led to Google and Mozilla temporarily removing the add-on from their stores the first time.

“The vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows.” stated by the security advisory published by CISCO.

The vulnerability is due to a design defect in the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser.

The vulnerability was discovered by the popular Google Project Zero hacked Tavis Ormandy and Cris Neckar of Divergent Security.

Cisco acknowledged the RCE flaw and has already patched it in the “Cisco WebEx Extension 1.0.12” update for Chrome and Firefox browsers.

There are no workarounds that address this vulnerability. However, Mac users may use Safari to join WebEx meetings because Safari is not affected by this vulnerability. Windows users may use Internet Explorer and administrators and users of Windows 10 systems may use Microsoft Edge to join and participate in WebEx sessions because Microsoft Internet Explorer and Microsoft Edge are not affected by this vulnerability.

New Apache Struts Remote Code Execution Vulnerability Discovered

A new vulnerability has been discovered in Apache struts dubbed as CVE-2017-9791.

The Apache Struts framework is useful for building modern Java-based web applications, with two major versions, Apache Struts 1 and Apache Struts 2.  According to the research published here, a Struts 1 plugin is available that allows developer to use existing Struts 1 Actions and ActionForms in Struts 2 web applications. A vulnerability has been found in this plugin that could allow remote code execution on the affected server, if used with Struts 2.3.x. (Versions 2.5.x are not affected.)

The previous vulnerability i.e. CVE-2016-5638 has shown that remote code execution (RCE) vulnerabilities in Apache Struts used Object Graph Navigation Language (OGNL) expressions. The use of OGNL makes it easy to execute arbitrary code remotely because Apache Struts uses it for most of its processes. A recently disclosed Struts vulnerability, CVE-2017-9791 (covered in S2-048) also uses OGNL expressions for Remote Code Execution.

For a remote code execution to be successful, the attacker needs to send a specially crafted request with a malicious value in the vulnerable parameter to the vulnerable server, which is using the Struts 2 – Struts 1 plugin and a Struts 1 action with the value part of a message being presented to the user.

The attacker can then send malicious code in the HTTP request or body as a parameter value that will be run on the targeted server hosting a vulnerable application. A proof of concept that demonstrates the attack scenario is publicly available.

The POC code in python is also available here.


Apache Struts versions 2.3.x with Struts 1 plugin and Struts 1 action are reported to be Vulnerable. If you are using such configuration, to fix this issue, the vendor has suggested always using resource keys instead of passing a raw message to the ActionMessage or use Apache Struts 2.5.x series.