CVE-2017-8759: A new Zero-Day Used to Distribute FINSPY

As part of its September Patch Tuesday, Microsoft has released a large batch of security updates to patch a total of 81 CVE-listed vulnerabilities, on all supported versions of Windows and other MS products.
The latest security update addresses 27 critical and 54 important vulnerabilities in severity, of which 38 vulnerabilities are impacting Windows, 39 could lead to Remote Code Execution (RCE).

Affected Microsoft products include:

  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • .NET Framework
  • Skype for Business and Lync
  • Microsoft Exchange Server
  • Microsoft Office, Services and Web Apps
  • Adobe Flash Player

One of the flaw have been already been used in wild

Windows .NET Framework RCE (CVE-2017-8759)

Researchers at FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. Researchers analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.

This vulnerability resides in the way Microsoft .NET Framework processes untrusted input data.

Microsoft says the flaw could allow an attacker to take control of an affected system, install programs, view, change, or delete data by tricking victims into opening a specially crafted document or application sent over an email.

This vulnerability can be exploited as:

This zero-day flaw has actively been exploited by a well-funded cyber espionage group to deliver FinFisher Spyware (FinSpy) to a Russian-speaking “entity” via malicious Microsoft Office RTF files in July this year.

FinSpy is a highly secret surveillance software that has previously been associated with British company Gamma Group, a company that legally sells surveillance and espionage software to government agencies.

Once infected, FinSpy can perform a large number of secret tasks on victims computer, including secretly monitoring computers by turning ON webcams, recording everything the user types with a keylogger, intercepting Skype calls, copying files, and much more.

“The [new variant of FINSPY]…leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult,” researchers at FireEye said.

“As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames.”

There are 3 more publicly disclosed vulnerabilities affecting Windows 10:
  • Device Guard Security Feature Bypass Vulnerability (CVE-2017-8746): This flaw could allow an attacker to inject malicious code into a Windows PowerShell session by bypassing the Device Guard Code Integrity policy.
  • Microsoft Edge Security Feature Bypass Vulnerability (CVE-2017-8723): This flaw resides in Edge where the Content Security Policy (CSP) fails to properly validate certain specially crafted documents, allowing attackers to trick users into visiting a website hosting malware.
  • Broadcom BCM43xx Remote Code Execution Vulnerability (CVE-2017-9417): this flaw exists in the Broadcom chipset in HoloLens, which could be exploited by attackers to send a specially crafted WiFi packet, enabling them to install programs, view, change, or delete data, even create new accounts with full admin rights.

There are more vulnerabilities that are patched like BlueBorne. So the best thing to protect is to update as soon as possible.



10 zero day vulnerabilities found in D-Link DIR 850L routers

The security researcher Pierre Kim has discovered ten critical zero-day vulnerabilities in routers from networking equipment manufacturer D-Link that open owners to cyber attacks.

The flawed devices are the D-Link DIR 850L wireless AC1200 dual-band gigabit cloud routers, the list of vulnerabilities includes the lack of proper firmware protection, backdoor access, command injection attacks resulting in root access and several cross-site scripting (XSS) flaws.

An attacker could exploit the vulnerabilities to intercept traffic, upload malicious firmware, and get full control over the affected routers.

Kim in a blog post wrote that  “the D-Link DIR 850L is a router overall badly designed with a lot of vulnerabilities. Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused.”

This isn’t the first time Kim spots flaws in D-Link products, in October 2016 he reported multiple vulnerabilities in D-Link DWR-932B LTE router, but the Taiwan-based firm ignored them.

For this reason, the experts this time decided to publicly disclose the zero-day vulnerabilities hoping that the company will fix them.

Below the list of zero-day vulnerabilities disclosed by Kim that affect D-Link DIR 850L revision A and revision B:

  1. Lack of proper firmware protection—the firmware images are not protected, an attacker could upload a malicious firmware version to the device and compromise it. While firmware for D-Link 850L RevA has no protection, the firmware for D-Link 850L RevB is protected with a hardcoded password.
  2. Cross-site scripting (XSS) Flaws—both LAN and WAN of D-Link 850L RevA is vulnerable to “several trivial” XSS vulnerability, allowing an attacker “to use the XSS to target an authenticated user in order to steal the authentication cookies.”
  3. Retrieve admin passwords—both LAN and WAN of D-Link 850L RevB are vulnerable, an attacker can retrieve the admin password and use the MyDLink cloud protocol to add the user’s router to the attacker’s account to gain full access to the device.
  4. Weak cloud protocol— both D-Link 850L RevA and RevB. are vulnerable. MyDLink protocol works via a TCP tunnel that use no encryption at all to protect communications between the victim’s router and the MyDLink account.
  5. Backdoor Access—D-Link 850L RevB routers have backdoor access via Alphanetworks, an attacker can get a root shell on the device.
  6. Private keys hardcoded in the firmware—the private encryption keys are hardcoded in the firmware of both D-Link 850L RevA and RevB. An attacker could extract them to perform man-in-the-middle attacks.
  7. No authentication check—An attacker could alter the DNS settings of a D-Link 850L RevA router via non-authenticated HTTP requests and hijack the traffic.
  8. Weak files permission and credentials stored in cleartext—local files are exposed in both D-Link 850L RevA and RevB.  Credentials are stored in clear text.
  9. Pre-Authentication RCEs as root—the internal DHCP client running on D-Link 850L RevB routers is vulnerable to several command injection attacks, allowing attackers to gain root access on the affected devices.
  10. Denial of Service (DoS) Flaw—An attacker could crash some daemons running in both D-Link 850L RevA and RevB remotely via LAN triggering DoS conditions.

Kim advised users to cut the connections with the affected D-Link router in order to be safe from such attacks.


Two Zero-Day vulnerabilities discovered in Foxit PDF reader

Security researchers have discovered two critical zero-day security vulnerabilities in Foxit PDF Reader that could allow attackers to execute arbitrary code on a targeted computer, if the Safe Reading Mode is not enabled.

The first vulnerability (CVE-2017-10951) is a command injection bug discovered by researcher Ariele Caltabiano, while the second bug (CVE-2017-10952) is a file write issue found by Security researcher Steven Seeley.

An attacker can exploit these bugs by sending a specially crafted PDF file to a Foxit user and leveraging them to open it.

Foxit refused to patch these vulnerabilities as they would not work with the “safe reading mode” feature that fortunately comes enabled by default in Foxit Reader however researchers believe building a mitigation doesn’t patch the vulnerabilities completely, which if remained unpatched, could be exploited if attackers find a way to bypass safe reading mode in the near future.

Both unpatched vulnerabilities can be triggered through the JavaScript API in Foxit Reader.

CVE-2017-10951: The command injection bug resides in an app.launchURL function that executes strings provided by attackers on the targeted system due to lack of proper validation, as demonstrated in the video given below.

CVE-2017-10952: This vulnerability exists within the “saveAs” JavaScript function that allows attackers to write an arbitrary file on a targeted system at any specific location, as demonstrated in the video given below.
“This vulnerability was exploited by embedding an HTA file in the document, then calling saveAS to write it to the startup folder, thus executing arbitrary VBScript code on startup,” reads the advisory published by the ZDI.
Ensure that you have the “Safe Reading Mode” feature enabled. Additionally, you can also uncheck the “Enable JavaScript Actions” from Foxit’s Preferences menu, although this may break some functionality.
Always be vigilant while opening any files they received via email like in the case of opening a malicious PowerPoint file which could compromise your computer with malware.