Tuesday, June 28, 2016

Vulnerability Spotlight: LibreOffice RTF Vulnerability

Vulnerability discovered by Aleksandar Nikolic of Cisco Talos.

Talos is disclosing the presence of CVE-2016-4324 / TALOS-CAN-0126, a Use After Free vulnerability within the RTF parser of LibreOffice. The vulnerability lies in the parsing of documents containing both stylesheet and superscript tokens. A specially crafted RTF document containing both a stylesheet and superscript element causes LibreOffice to access an invalid pointer referencing previously used memory on the heap. By carefully manipulating the contents of the heap, this vulnerability can be used to execute arbitrary code. This vulnerability requires user interaction to open the file.

Rich Text Format (RTF) was designed as a cross-platform format for interchanging documents. Although the format standard has not evolved since 2008, the format remains widely supported by word processing suites. Attackers have previously exploited RTF parser vulnerabilities in MS Office, and used RTF files as a vector for embedding other malicious objects. Exploiting vulnerabilities such as these requires the user to interact with and open the file in order to trigger the attack. Raising awareness of the existence of vulnerabilities such as these with users can help in reminding people not to open unexpected or suspicious emails or files. Currently, we have no evidence to suggest that this vulnerability is being exploited in the wild. We recommend that administrators upgrade systems to the latest version of LibreOffice to remove the vulnerability.

Snort rules: 39148, 39149

Tuesday, June 21, 2016

Vulnerability Spotlight: Pidgin Vulnerabilities

These vulnerabilities were discovered by Yves Younan.

Pidgin is a universal chat client that is used on millions of systems worldwide. The Pidgin chat client enables you to communicate on multiple chat networks simultaneously. Talos has identified multiple vulnerabilities in the way Pidgin handles the MXit protocol. These vulnerabilities fall into the following four categories.

  • Information Leakage
  • Denial Of Service
  • Directory Traversal 
  • Buffer Overflow

The following vulnerabilities were identified (listed numerically by CVE):

CVE-2016-2365 - Pidgin MXIT Markup Command Denial of Service Vulnerability
CVE-2016-2366 - Pidgin MXIT Table Command Denial of Service Vulnerability
CVE-2016-2367 - Pidgin MXIT Avatar Length Memory Disclosure Vulnerability
CVE-2016-2368 - Pidgin MXIT g_snprintf Multiple Buffer Overflow Vulnerability
CVE-2016-2369 - Pidgin MXIT CP SOCK REC TERM Denial of Service Vulnerability
CVE-2016-2370 - Pidgin MXIT Custom Resource Denial of Service Vulnerability
CVE-2016-2371 - Pidgin MXIT Extended Profiles Code Execution Vulnerability
CVE-2016-2372 - Pidgin MXIT File Transfer Length Memory Disclosure Vulnerability
CVE-2016-2373 - Pidgin MXIT Contact Mood Denial of Service Vulnerability
CVE-2016-2374 - Pidgin MXIT MultiMX Message Code Execution Vulnerability
CVE-2016-2375 - Pidgin MXIT Suggested Contacts Memory Disclosure Vulnerability
CVE-2016-2376 - Pidgin MXIT read stage 0x3 Code Execution Vulnerability
CVE-2016-2377 - Pidgin MXIT HTTP Content-Length Buffer Overflow Vulnerability
CVE-2016-2378 - Pidgin MXIT get_utf8_string Code Execution Vulnerability
CVE-2016-2380 - Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability
CVE-2016-4323 - Pidgin MXIT Splash Image Arbitrary File Overwrite Vulnerability

The Poisoned Archives

Vulnerabilities discovered by Marcin “Icewall” Noga. Blog post authored by Marcin Noga and Jaeson Schultz.

libarchive is an open-source library that provides access to a variety of different file archive formats, and it’s used just about everywhere. Cisco Talos has recently worked with the maintainers of libarchive to patch three rather severe bugs in the library. Because of the number of products that include libarchive in their handling of compressed files, Talos urges all users to patch/upgrade related, vulnerable software.

Tuesday, June 14, 2016

Microsoft Patch Tuesday - June 2016

This post was authored by Warren Mercer.

Patch Tuesday for June 2016 has arrived, the day on which Microsoft releases its monthly set of security bulletins designed to address security vulnerabilities within its products. This month's release contains 17 bulletins addressing 44 vulnerabilities. Five bulletins resolve critical vulnerabilities found in MS DNS Server, Edge, Internet Explorer, JScript/VBScript, and Office. The remaining bulletins are rated important and address vulnerabilities in Active Directory, Exchange Server, Group Policy, SMB Server, Netlogon, Windows Graphics component, Windows Kernel-mode Drivers, Windows PDF, Windows Search Component, and WPAD.

Bulletins Rated Critical

Microsoft bulletins MS16-063, MS16-068 through MS16-071, and MS16-083 are rated as critical in this release.

MS16-063 and MS16-068 are this month's bulletins for the Microsoft Internet Explorer and Edge browsers. The IE security bulletin addresses vulnerabilities in Internet Explorer versions 9, 10, and 11. The IE bulletin covers 10 vulnerabilities in total and resolves eight memory corruption bugs, seven of which are critical, an XSS filter vulnerability, and a WPAD vulnerability. The Edge bulletin addresses eight vulnerabilities, consisting of four memory corruption bugs, two information disclosure vulnerabilities, one security feature bypass, and a PDF remote code execution vulnerability.

Thursday, June 9, 2016

TeslaCrypt: The Battle is Over

Talos has updated its TeslaCrypt decryptor tool, which now works with any version of this variant of ransomware. You can download the decryptor here.

When Talos first examined TeslaCrypt version 1.0 in April of 2015, we articulated how this ransomware operated and were able to develop a decryptor.  Soon thereafter, TeslaCrypt version 2.0 was released, improving the encryption process so our original decryptor no longer worked. 

Wednesday, June 8, 2016

Vulnerability Spotlight: PDFium Vulnerability in Google Chrome Web Browser

This vulnerability was discovered by Aleksandar Nikolic of Cisco Talos.

PDFium is the default PDF reader that is included in the Google Chrome web browser. Talos has identified an exploitable heap buffer overflow vulnerability in the PDFium PDF reader. By simply viewing a PDF document that includes an embedded JPEG 2000 image, the attacker can achieve arbitrary code execution on the victim’s system. The most effective attack vector is for the threat actor to place a malicious PDF file on a website and then redirect victims to the website using either phishing emails or even malvertising.

Vulnerability Spotlight: ESnet iPerf3 JSON parse_string UTF Code Execution Vulnerability

This vulnerability was discovered by Dave McDaniel, Senior Research Engineer.

iPerf is a network testing application that is typically deployed in a client/server configuration and is used to measure the available network bandwidth between the systems by creating TCP and/or UDP connections. For each connection, iPerf reports maximum bandwidth, loss, and other performance related metrics. It is commonly used to evaluate and quantify the impact of network optimizations and for obtaining baseline metrics related to network performance.

iPerf3, developed by ESnet and Lawrence Berkeley National Laboratory, is a complete redesign of the original iPerf application and uses a forked cJSON library. Cisco Talos recently discovered that the forked version of the cJSON library contains a vulnerability that can lead to Remote Code Execution (RCE) on systems running the iPerf3 server daemon. This vulnerability is related to the way in which the forked cJSON library parses UTF-8/16 strings. There are currently several public iPerf3 servers that are accessible from the internet that may be susceptible to remote exploitation using this vulnerability. While the authors of the underlying cJSON library have since released a patch that resolves this vulnerability, the version of cJSON shipped with iPerf3 3.1-1 is vulnerable. The updated version of the iPerf3 application can be obtained here.

Wednesday, June 1, 2016

Research Spotlight: ROPMEMU - A Framework for the Analysis of Complex Code-Reuse Attacks

The post was authored by Mariano Graziano.

Executive Summary

Attacks have grown more and more complex over the years. The evolution of the threat landscape demonstrates this: as mitigations have improved, adversaries have had to modify their tactics to bypass them and still compromise systems. Code-reuse attacks, such as return-oriented programming (ROP), are part of this evolution and currently present a challenge to defenders, as their analysis is an area of research that has not been studied in depth. Today, Talos releases ROPMEMU, a framework to analyze complex code-reuse attacks. In this blog post, we will identify and discuss the challenges and importance of reverse engineering these code-reuse instances. We will also present the techniques and the components of the framework that dissect these attacks and simplify analysis.

Code-reuse attacks are not new or novel. They've been around since 1997 when the first ret2libc attack was demonstrated. Since then, adversaries have been moving towards code-reuse attacks as code injection scenarios have gotten much more difficult to successfully leverage due to the increasing number of software and hardware mitigations. Improved defenses have resulted in more complex attacks being developed to bypass them. In recent years, malware writers have also started to adopt return-oriented programming (ROP) paradigms to hide malicious functionality and hinder analysis. For readers who are not familiar with ROP and want to learn more, we invite you to please read Shacham's formulation.

Unfortunately, the analysis of code reuse attacks, such as ROP, has been completely overlooked. While there are a small number of publicly available examples that demonstrate how complex these attacks can be, the trend is clear that adversaries will continue to leverage these types of attacks in the future. For defenders, the general lack of tooling available to help dissect these threats was one of the primary motivations for developing ROPMEMU.

Tuesday, May 17, 2016

Making Friends By Proactive Notification

This blog post is authored by Tazz.

Talos has continued to observe ongoing attacks leveraging the use of JBoss exploits. Through our research efforts, we have identified an additional 600 or so compromised hosts which contain webshells due to adversaries compromising unpatched JBoss environments. In response to this, Talos has been working to notify victims of these compromised hosts so that appropriate remediation may take place. This blog post outlines the notification process and provides additional indicators which you can use to review your own JBoss environments, such as a list of the 500 most common webshells we have observed in the wild.

Why Did I Get Notified?

After identifying the IP address of the hosts with one or more webshells, we extracted the contact email addresses provided in the WHOIS record of the organizations identified as the owner. The notification email contains a link which you can use to view this information. We are sending notifications via email to all listed email addresses as we have found many organizations where the designated abuse contact email listed is no longer valid. By emailing all available contacts we maximize the chances of successful notification.

Wednesday, May 11, 2016

Multiple 7-Zip Vulnerabilities Discovered by Talos

7-Zip vulnerabilities were discovered by Marcin Noga.
Blog post was authored by Marcin Noga, and Jaeson Schultz.

Update 2016-05-12: Related advisories for the 7-Zip issues covered in this blog can be found here:

7-Zip is an open-source file archiving application which features optional AES-256 encryption, support for large files, and the ability to use “any compression, conversion or encryption method”. Recently Cisco Talos has discovered multiple exploitable vulnerabilities in 7-Zip. These types of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in use today. Users may be surprised to discover just how many products and appliances are affected.

TALOS-CAN-0094, Out-of-Bounds Read Vulnerability, [CVE-2016-2335]

An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files. The UDF file system was meant to replace the ISO-9660 file format, and was eventually adopted as the official file system for DVD-Video and DVD-Audio.

Central to 7-Zip’s processing of UDF files is the CInArchive::ReadFileItem method. Because a volume can have more than one partition map, the partition map objects are kept in an object vector. To start looking for an item, this method tries to reference the proper object using the partition map’s object vector and the "PartitionRef" field from the Long Allocation Descriptor. Because there is no check that the "PartitionRef" field is smaller than the number of available partition map objects, an oversized value causes an out-of-bounds read and can lead, in some circumstances, to arbitrary code execution.
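The following is an added example, not 7-Zip's code: a minimal parser for the 16-byte ECMA-167 Long Allocation Descriptor that performs the bounds check the paragraph above describes as missing, rejecting a "PartitionRef" that exceeds the number of partition maps. The PartitionMap struct, the sample partition maps and the two descriptor byte strings are constructed for illustration and are not taken from the advisory.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for 7-Zip's partition map objects: each map
// records the partition number and the absolute block where it starts.
struct PartitionMap { uint16_t number; uint32_t startBlock; };

// ECMA-167 long_ad: bytes 0-3 extent length, 4-7 logical block number,
// 8-9 partition reference number ("PartitionRef"), 10-15 implementation use.
struct LongAllocDesc { uint32_t extentLen; uint32_t logicalBlock; uint16_t partitionRef; };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

// Parses a long_ad; fails on a truncated descriptor.
static bool parseLongAd(const uint8_t *buf, size_t len, LongAllocDesc &out) {
    if (len < 16) return false;
    out.extentLen = rd32le(buf);
    out.logicalBlock = rd32le(buf + 4);
    out.partitionRef = rd16le(buf + 8);
    return true;
}

// Returns the vector index for PartitionRef, or -1 when it is out of range.
// This range check is the one CVE-2016-2335 describes as absent.
int partitionIndexOf(const LongAllocDesc &ad, const std::vector<PartitionMap> &maps) {
    if (ad.partitionRef >= maps.size()) return -1;
    return ad.partitionRef;
}

// Resolves the extent's absolute start block, or -1 on any validation failure.
long long resolveExtentStart(const uint8_t *buf, size_t len, const std::vector<PartitionMap> &maps) {
    LongAllocDesc ad;
    if (!parseLongAd(buf, len, ad)) return -1;
    int idx = partitionIndexOf(ad, maps);
    if (idx < 0) return -1;
    return (long long)maps[idx].startBlock + ad.logicalBlock;
}

// Constructed sample data: two partition maps, one valid descriptor
// (PartitionRef 1, block 5) and one with PartitionRef 0xFFFF.
static const std::vector<PartitionMap> kMaps = {{0, 257}, {1, 4096}};
static const uint8_t kGoodAd[16] = {0x00,0x08,0x00,0x00, 0x05,0x00,0x00,0x00, 0x01,0x00, 0,0,0,0,0,0};
static const uint8_t kBadAd[16]  = {0x00,0x08,0x00,0x00, 0x05,0x00,0x00,0x00, 0xFF,0xFF, 0,0,0,0,0,0};

int main() {
    std::printf("valid ref -> block %lld\n", resolveExtentStart(kGoodAd, sizeof kGoodAd, kMaps));
    std::printf("oversized ref -> %lld\n", resolveExtentStart(kBadAd, sizeof kBadAd, kMaps));
    return 0;
}
```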