Hacking the Malware– A reverse-engineer’s analysis
ABSTRACT
This paper documents an approach to how attackers make use of vulnerabilities to install malicious software on a vulnerable machine. A comprehensive reverse-engineering analysis of the malicious software (Win32.Qucan.a) and the protection schemes various security products offer against the worm are also discussed.
I hope this document will help malware researchers, intrusion analysts and other security professionals conduct more viable and comprehensive research.
RockLiffe MailSite wconsole.dll Denial of Service/Script Injection Vulnerability
OS2A ID: OS2A_1004
Status:
01/06/2006 Issue Discovered
01/06/2006 Reported to the vendor
01/19/2006 Patch Released
01/20/2006 Advisory Released
Class: Denial of Service / Script Injection
Severity: CRITICAL
Overview: Rockliffe's MailSite is a program for providing access to email accounts on Microsoft Windows operating systems. The MailSite HTTP Mail management agent could allow a remote attacker to cause a denial of service or execute arbitrary script code.
Description:
1. The MailSite HTTP Mail management agent version 7.0.3.1 could allow a remote attacker to cause a denial of service. A bug in the input validation routine in httpma causes the svchost process to consume excessive CPU cycles, degrading the MailSite HTTP Management agent and ultimately crashing the service.
2. The MailSite HTTP Mail management agent 6.x and 5.x could allow a remote attacker to inject arbitrary script code. This vulnerability is caused by a design error in wconsole.dll: the HTML code embedded in this DLL does not properly sanitize user input.
Impact:
1. Remote attackers can exploit this issue to trigger a denial of service condition.
2. An attacker may leverage this issue to have arbitrary script code executed in the browser in the context of the affected site.
Affected Software(s):
MailSite 7.0.3.1 and prior
MailSite 6.1.22 and prior
MailSite 5.x
Affected platform(s): Windows (Any)
Exploit/Proof of Concept:
For the 7.x series:
http://www.example.com:90/CGI-BIN/WCONSOLE.DLL?Authenticate|cmd
Any special characters passed to the parameters of wconsole.dll trigger the denial of service.
For the 6.x & 5.x series:
http://www.example.com:90/CGI-BIN/WCONSOLE.DLL?%3Cscript%3Ealert (document.cookie)%3C/script%3E
Solution:
For the 7.x series, apply the following patch:
ftp://ftp.rockliffe.com/MailSite/Latest/Hotfixes/
For the 6.x series, apply the following patch:
ftp://ftp.rockliffe.com/MailSite/6.1.22/Hotfixes/
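As an added illustration (not part of the advisory), the following Python scans web-server access-log lines for requests to wconsole.dll whose query string carries either a script tag or the special characters the advisory ties to the denial of service. The log lines are constructed here, and the set of characters allowed in a legitimate query is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (not real MailSite logs).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jan/2006:10:00:00 +0000] "GET /CGI-BIN/WCONSOLE.DLL?Authenticate HTTP/1.1" 200 512',
    '192.0.2.11 - - [20/Jan/2006:10:00:05 +0000] "GET /CGI-BIN/WCONSOLE.DLL?%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '192.0.2.12 - - [20/Jan/2006:10:00:09 +0000] "GET /CGI-BIN/WCONSOLE.DLL?Authenticate|cmd HTTP/1.1" 500 0',
    '192.0.2.13 - - [20/Jan/2006:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumption: legitimate wconsole.dll calls use plain keyword parameters.
ALLOWED_QUERY = re.compile(r"^[A-Za-z0-9_=&.-]*$")


def classify(target):
    """Return a finding label for a wconsole.dll request target, else None."""
    path, _, query = target.partition("?")
    if not path.lower().endswith("/wconsole.dll"):
        return None
    decoded = unquote(query)  # match on the decoded form, %3C -> <
    if re.search(r"<\s*script", decoded, re.IGNORECASE):
        return "script-injection"
    if not ALLOWED_QUERY.match(decoded):
        return "special-chars"  # the advisory's DoS trigger
    return None


def scan(lines):
    """Return a list of (client ip, status, finding) for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip rather than guess
        finding = classify(m["target"])
        if finding:
            hits.append((m["ip"], m["status"], finding))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```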
Status:
9/1/2005 Issue Discovered
9/2/2005 Reported to the vendor
9/3/2005 Patch Released
9/5/2005 Advisory Released
Class: SQL Injection
Severity: CRITICAL
Overview: myBloggie is a weblog system built using PHP & MySQL. myBloggie versions 2.1.3-beta and prior are vulnerable to an SQL injection vulnerability caused by improper validation of user-supplied inputs. This vulnerability can be exploited to bypass the authentication mechanism, escalate privileges to administrator level and reveal system-specific information.
Description: User-supplied credential inputs ('$username' and '$passwd') are not sanitized in login.php before being used in the SQL query.
This can be exploited in multiple ways:
1. Authentication Bypass. A malicious user can log on to the weblog system without submitting the password by placing a query such as "admin' OR 'x'='x" in the User Name field.
2. Privilege Escalation. When a non-administrative user submits, for example, "user1' OR 'x'='x" into the User Name field, administrative privileges are granted.
3. Path Disclosure. Path information can be disclosed in error pages by passing an invalid query to the User Name field of login.php.
Impact: Successful exploitation can result in a compromise of the application, disclosure of system specific information, or permit an attacker to exploit vulnerabilities in the underlying database implementation. An attacker can also exploit this vulnerability to elevate privileges within the affected system.
Affected Systems: myBloggie 2.1.3-beta and prior. Linux (Any), Unix (Any), Windows (Any)
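The login query built by string interpolation, beside its parameterized form, as an added example that is not myBloggie's code: it runs against an in-memory SQLite table constructed here, and the table and column names are assumptions. The vulnerable version also returns the raw database error text, mimicking an error page that discloses internals, while the fixed version fails generically.

```python
import sqlite3


def make_db():
    """Constructed sample data (not myBloggie's schema); level 1 = administrator."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (username TEXT, passwd TEXT, level INTEGER)")
    con.executemany("INSERT INTO user VALUES (?, ?, ?)",
                    [("admin", "s3cret", 1), ("user1", "pw", 0)])
    return con


def login_vulnerable(con, username, passwd):
    """Interpolates $username/$passwd into the query, as the advisory describes.
    Returns (username, level) for the first matching row, None if no match,
    or the database error text, mimicking an error page that leaks it."""
    sql = ("SELECT username, level FROM user WHERE username='%s' "
           "AND passwd='%s'" % (username, passwd))
    try:
        return con.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "DB error: %s" % exc


def login_fixed(con, username, passwd):
    """Bound parameters: quotes and OR in the input stay literal data.
    Database errors collapse into a generic failure (no path disclosure)."""
    sql = "SELECT username, level FROM user WHERE username=? AND passwd=?"
    try:
        return con.execute(sql, (username, passwd)).fetchone()
    except sqlite3.Error:
        return None


if __name__ == "__main__":
    con = make_db()
    payload = "admin' OR 'x'='x"   # the advisory's User Name field value
    print("vulnerable:", login_vulnerable(con, payload, ""))
    print("fixed:     ", login_fixed(con, payload, ""))
```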
OS2A ID: OS2A_1003
Status:
9/13/2005 Issue Discovered
9/14/2005 Reported to the vendor
9/18/2005 Patch Released
9/20/2005 Advisory Released
Class: Authentication Bypass
Severity: CRITICAL
Overview: Hesk is PHP-based help desk software that runs with a MySQL database. It allows setting up a ticket-based support system (helpdesk) for websites. Hesk versions 0.93 and prior are vulnerable to authentication bypass and path disclosure vulnerabilities caused by improper validation of the HTTP header. This vulnerability can be exploited to bypass the authentication mechanism and to reveal system-specific information.
Description: Multiple vulnerabilities exist in the Hesk ticket-based support system.
1. Authentication Bypass. The 'PHPSESSID' session ID parameter in the HTTP header is not properly validated. A malicious user can log in to the Administrator account by sending a random value in the 'PHPSESSID' parameter and posting it to admin.php. This session ID can then be used to access the administrative control panel.
This is similar to a previously reported vulnerability where invalid User ID and Password were submitted. In this case, a randomly chosen Session ID is sent along with the login request.
2. Path Disclosure. Path information can be disclosed in error pages by passing invalid metacharacters such as "'" or "<" in the 'PHPSESSID' field of the HTTP header.
Impact: Successful exploitation can result in a compromise of the application and disclosure of system-specific information.
Affected Systems: Hesk 0.93 and prior. Linux (Any), Unix (Any), Windows (Any)
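A minimal session store in two variants, as an added example rather than Hesk's own code: the lax store models the reported behaviour (a client-chosen PHPSESSID the server never issued is accepted as a live session, and a session's mere existence is treated as being logged in, which is an assumed model of the flaw, not the plugin's real check); the strict store accepts only well-formed, server-issued IDs and regenerates the ID on login. Class and method names are assumptions.

```python
import re
import secrets

# PHP's default session ID alphabet; "'" or "<" never reaches an error path.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9,-]{22,128}$")


class LaxSessionStore:
    """Assumed model of the flaw: any presented ID becomes a valid session."""

    def __init__(self):
        self.sessions = {}

    def resume(self, presented_id):
        # Unknown ID? A session is created for it, so the client picks the ID.
        return presented_id, self.sessions.setdefault(presented_id, {})

    def admin_access(self, presented_id):
        # "A session exists" is mistaken for "authenticated": always true here.
        sid, _ = self.resume(presented_id)
        return sid in self.sessions


class StrictSessionStore:
    """Only server-issued, well-formed IDs resume a session; login binds the
    authenticated state to a freshly generated ID (defeats fixation)."""

    def __init__(self):
        self.sessions = {}

    def _issue(self, data):
        sid = secrets.token_hex(16)  # 32 hex chars, within SESSION_ID_RE
        self.sessions[sid] = data
        return sid

    def resume(self, presented_id):
        if presented_id and SESSION_ID_RE.match(presented_id) \
                and presented_id in self.sessions:
            return presented_id, self.sessions[presented_id]
        sid = self._issue({})  # ignore the presented value; hand out our own
        return sid, self.sessions[sid]

    def login(self, presented_id, user):
        # Credentials are assumed verified by the caller. Any presented ID is
        # dropped and the authenticated session is bound to a brand-new ID.
        self.sessions.pop(presented_id, None)
        return self._issue({"user": user})

    def admin_access(self, presented_id):
        _, data = self.resume(presented_id)
        return data.get("user") == "admin"
```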
Overview: ePing is a ping utility plugin for e107, a PHP-based content management system that uses a MySQL backend database. ePing versions 1.02 and prior are vulnerable to a file creation vulnerability caused by improper validation of user-supplied input in the doping.php script. A remote attacker exploiting this vulnerability could create an arbitrary file on the web server or pipe multiple system commands through the eping_host or eping_count parameters of the doping.php script; these would be executed within the security context of the hosting site.
eTrace, another utility plugin for e107 has similar vulnerabilities.
Description: The e107 portal's ePing plugin 1.02 and prior is prone to a remote command execution vulnerability. It exists because shell redirection and control operators such as '>', '|' and '&' are not sanitized in the eping_host and eping_count parameters of the doping.php script.
eping_host has a validate function in functions.php, but it does not consider the above-mentioned case.
eping_count has no validation logic at all; it accepts the above-mentioned shell-meaningful characters.
Impact: A remote user can execute any command using the '|' character or create a file containing malicious executable code with the '>' character. Execution of arbitrary commands or creation of arbitrary files can lead to denial of service, disclosure or modification of system information, or execution of arbitrary code.
Affected Systems: ePing version 1.02 and prior Linux (Any), Unix (Any), Windows (Any)
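Allow-list validation for the two parameters, with the ping command assembled as an argument list so no shell ever parses the values, as an added example that is not the ePing plugin's own code. Function names, the maximum count and the Linux-style `-c` count flag are assumptions.

```python
import ipaddress
import re
import subprocess

# A DNS label: letters, digits and hyphens only, so '|', '>', '&' and
# spaces cannot pass regardless of which metacharacters a blocklist forgot.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:%s\.)*%s$" % (LABEL, LABEL))


def validate_host(value):
    """eping_host: accept an IPv4/IPv6 literal or a hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def validate_count(value, max_count=10):
    """eping_count: a small positive integer only (the plugin had no check)."""
    return value.isdigit() and 1 <= int(value) <= max_count


def build_ping_argv(host, count):
    """Build the command as an argv list. Because the list is handed to the
    OS without a shell, an unexpected character would be a literal argument,
    never a pipe or redirection."""
    if not validate_host(host):
        raise ValueError("rejected eping_host")
    if not validate_count(count):
        raise ValueError("rejected eping_count")
    return ["ping", "-c", str(int(count)), host]


def run_ping(host, count):
    # shell=False is the default for a list argument; output is returned, not echoed.
    return subprocess.run(build_ping_argv(host, count), capture_output=True,
                          text=True, timeout=60).stdout
```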