A new infection vector for ransomware: malicious SVG images via Facebook Messenger

The campaign spreads the Nemucod downloader

If you receive any Facebook message with an .SVG image file, just avoid clicking it: a malicious campaign is spreading a ransomware downloader (Nemucod) among Facebook users by taking advantage of an innocent-looking SVG image file to infect computers.

The campaign was discovered by the malware researchers Bart Blaze and Peter Kruse, and seems to be an evolution of the threat reported some months ago by AppRiver.

On his blog, Blaze writes:

Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook’s file extension filter.

Why an SVG file?

Scalable Vector Graphics (SVG) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation.
This means that the file format can carry embedded content such as JavaScript, and it can be opened in any modern web browser.

In fact, the content of the ‘photo’ (here is the analysis of a sample) is the following:

https://gist.github.com/andreafortuna/d318f2aad20bfcf3d86fdd7e9aaa25e5

an obfuscated JavaScript that starts the download of the payload (the Locky ransomware) and opens a fake YouTube site that asks the user to download and install a browser extension supposedly required to watch the video.

If the victim installs the Chrome extension, the attack is spread further via Facebook Messenger to all user contacts.
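As an added example (my code, not anything from the original post or from the researchers it cites), here is a Python check that a mail or chat gateway could run on an incoming .svg attachment: it parses the XML and reports the features that make a ‘picture’ executable (script elements, on* event handlers, javascript:/data: URLs, foreignObject, external references). The two sample SVGs are constructed, not the campaign’s file.

```python
"""Flag SVG files that carry active content instead of pure vector data."""
import re
import xml.etree.ElementTree as ET

def _local(name):
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(svg_text):
    """Return a list of findings for one SVG document; empty means nothing active.
    A file that is not even well-formed XML is reported as a finding too: the
    'photo' then cannot be a plain image, so a gateway should not pass it on."""
    try:
        # stdlib ElementTree has no entity-expansion limits; a production
        # gateway should parse untrusted input with defusedxml instead
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc})"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append("embedded <script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element (can wrap HTML and iframes)")
        for attr, value in el.attrib.items():
            name, v = _local(attr), value.strip().lower()
            if name.startswith("on"):                      # onload=, onclick=, ...
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href" and v.startswith(("javascript:", "data:")):
                findings.append(f"{name}={v[:24]!r} on <{tag}>")
            elif name == "href" and re.match(r"https?://", v):
                findings.append(f"external reference {v[:40]!r} on <{tag}>")
    return findings

def is_suspicious(svg_text):
    """Gateway decision: quarantine when any finding is present."""
    return bool(svg_findings(svg_text))

# Constructed samples (not the campaign's file): a plain rectangle, and an
# image whose root fires a handler and carries a script block
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/></svg>'
ACTIVE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
              '<script><![CDATA[document.title = "x";]]></script></svg>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("active", ACTIVE_SVG)):
        print(label, svg_findings(doc))
```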


I opened the link and installed the extension: how can I fix it?

From Bart Blaze’s post:

Remove the malicious extension from your browser immediately:

Additionally, run a scan with your antivirus and change your Facebook password afterwards.

Notify your friends you sent a malicious file, or in the other case, let your friend know he/she is infected. If you keep receiving the same message from your friend, you may want to temporarily block their messages.


References

https://bartblaze.blogspot.it/2016/11/nemucod-downloader-spreading-via.html

A bug in Apple’s WebView allows an attacker to initiate phone calls without user confirmation

Twitter and LinkedIn iOS apps are vulnerable!

The security researcher Collin Mulliner has discovered an exploitable vulnerability in Apple’s WebView that could be used to place phone calls to a number of the attacker’s choosing.

iOS WebViews can be used to automatically call an attacker controlled phone number. The attack can block the phone’s UI for a short amount of time and therefore prevent the victim from canceling the call. The bug is an application bug that likely is due to bad OS/framework defaults. One major issue with this vulnerability is that it is really easy to exploit. App developers have to fix their code as soon as possible.

Mulliner said the vulnerability is trivial to exploit, requiring at a minimum one line of HTML code, and that iOS developers who have embedded Apple’s WebView into mobile apps need to be aware of it.

https://gist.github.com/andreafortuna/50d68e9d109c25bc2cb84abee42463fa

The risks to the user include calls to premium numbers or denial of service against the telephone numbers of public services:

About a week ago I read a news post about a guy who got arrested for accidentally DoSing 911 by creating a web page that automatically dialed 911 when visited from an iPhone. This was most likely due to a bug with the handling of TEL URI. I immediately thought about a bug I reported to Apple in late October 2008. I couldn’t believe this bug has resurfaced so I investigated. The article said something about posting links on Twitter.

The researcher has also published two video demonstrations of the exploit.


References

https://www.mulliner.org/blog/blosxom.cgi/security/ios_webview_auto_dialer.html

Exploits released for two critical 0-day vulnerabilities in MySQL

These vulnerabilities could be exploited in shared hosting environments to gain access to all databases

Some weeks ago I reported two critical 0-day vulnerabilities in MySQL (and its forks MariaDB and PerconaDB).

At that time, the security researcher Dawid Golunski had published technical details and proof-of-concept exploit code only for the first bug.
Now Golunski has released PoC exploits for both vulnerabilities:

https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html

https://gist.github.com/andreafortuna/1bdc25021089be5344047b7ded433fc8

One is the previously promised critical privilege escalation vulnerability (CVE-2016-6663) that can allow a low-privileged account (with CREATE/INSERT/SELECT grants) with access to the affected database to escalate its privileges and execute arbitrary code as the database system user.

The other is a new root privilege escalation bug (CVE-2016-6664) that could allow attackers with ‘MySQL system user’ privilege to further escalate their privileges to root, allowing them to fully compromise the system.

Both the vulnerabilities affect MySQL version 5.5.51 and earlier, MySQL version 5.6.32 and earlier, and MySQL version 5.7.14 and earlier.


Patches and Mitigations

MySQL has already fixed the vulnerabilities, and you are strongly advised to apply the patches as soon as possible.

If you are unable to apply the patches immediately, you can apply a temporary mitigation by disabling symbolic link support in your database server configuration, with this setting in my.cnf:

symbolic-links = 0

CVE-2016-6662: a critical MySQL Zero-Day

Oracle, are you there? We need you!

Dawid Golunski, a Polish security researcher, discovered several security issues in the MySQL DBMS, including a flaw (CVE-2016-6662) that can be exploited by a remote attacker to inject malicious settings into my.cnf configuration files.

The vulnerability affects all currently supported MySQL versions, as well as MariaDB and PerconaDB.

The vulnerability can be exploited via a SQL injection attack, or by an attacker with valid credentials, either locally or over the web (for example via phpMyAdmin):

“A successful exploitation could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running”

Golunski has also published proof-of-concept exploit code:

https://gist.github.com/andreafortuna/7c6e6d8aa936ef459fdbd9298b77452e

More technical information is available in the official advisory.

Patching?

From Golunski’s advisory:

The vulnerability was reported to Oracle on 29th of July 2016 and triaged by the security team. It was also reported to the other affected vendors including PerconaDB and MariaDB.

The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of 30th of August. During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases which could be noticed by malicious attackers.

As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor's next CPU update that only happens at the end of October.

No official patches or mitigations are available at this time from the vendor. As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use. These are by no means a complete solution and users should apply official vendor patches as soon as they become available.
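As an added example that serves both the symbolic-links = 0 setting from the previous post and the file-ownership advice in the advisory quoted above (my code, not Golunski’s or any vendor’s), here is a Python audit of a host’s MySQL option files. The option-file locations are an assumption for a typical Linux install, and SAMPLE_CNF is a constructed file.

```python
import os
import re

# Where mysqld reads option files on Linux (assumption made for this example)
DEFAULT_CNF_PATHS = ["/etc/my.cnf", "/etc/mysql/my.cnf", "/usr/etc/my.cnf", "~/.my.cnf"]

# Constructed sample option file, not a real host's my.cnf
SAMPLE_CNF = "[client]\nport = 3306\n[mysqld]\ndatadir = /var/lib/mysql\nsymbolic_links = 0\n!includedir /etc/mysql/conf.d/\n"

def parse_mysql_cnf(text):
    """Return {section: {option: value}} for an INI-style option file.
    Bare options (no '=') get value '' and '_' is folded to '-' as mysqld does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):      # skip !include / !includedir
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None:
            key, _, val = line.partition("=")
            sections[current][key.strip().replace("_", "-").lower()] = val.strip().strip("'\"")
    return sections

def symlinks_disabled(sections):
    """CVE-2016-6663/6664 mitigation: [mysqld] must turn symbolic links off.
    Affected mysqld versions enable them unless told otherwise."""
    mysqld = sections.get("mysqld", {})
    if "skip-symbolic-links" in mysqld:
        return True
    return mysqld.get("symbolic-links", "1").lower() in ("0", "off", "false")

def config_owner_findings(entries, mysql_uid):
    """CVE-2016-6662 mitigation: no option file owned by the mysql user (or
    world-writable). entries are (path, owner_uid, mode) triples."""
    return [p for p, uid, mode in entries if uid == mysql_uid or mode & 0o002]

def audit_host(mysql_uid, paths=DEFAULT_CNF_PATHS):
    """Run both checks against the option files present on this machine."""
    present = [p for p in map(os.path.expanduser, paths) if os.path.exists(p)]
    merged = {}
    for p in present:
        with open(p, errors="replace") as fh:
            for sec, opts in parse_mysql_cnf(fh.read()).items():
                merged.setdefault(sec, {}).update(opts)   # later files override
    entries = [(p, os.stat(p).st_uid, os.stat(p).st_mode) for p in present]
    return symlinks_disabled(merged), config_owner_findings(entries, mysql_uid)
```

On the server itself, `audit_host(pwd.getpwnam("mysql").pw_uid)` returns whether symlinks are off and the list of option files the mysql user could tamper with; files pulled in by !includedir are not followed here.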

References

http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

CVE-2016-1287: Cisco ASA Software IKEv1 / IKEv2 Buffer Overflow, proof of concept released

Exodus Intelligence has released the proof-of-concept code on its GitHub page

On February 10, 2016 a vulnerability related to the Internet Key Exchange (IKE) protocol implementation of Cisco devices (CVE-2016-1287) was officially disclosed.

Yesterday, the researchers who found this bug, Exodus Intel, released the proof-of-concept code on their GitHub page.


Affected Products

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco ISA 3000 Industrial Security Appliance

Cisco has already released software updates that address the vulnerability.


The PoC

https://gist.github.com/andreafortuna/657ed351b1231bfa43ffe8a603c3fb95


Links and resources