Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-07-14 InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

0-day exploit for Microsoft PowerPoint

Published: 2006-07-15
Last Updated: 2006-07-15 00:03:53 UTC
by Bojan Zdrnja (Version: 3)
0 comment(s)
Our readers Juha-Matti and Gennaro informed us about a new, undocumented vulnerability in Microsoft PowerPoint. It looks like the same group of Chinese hackers decided to take Office applications for a good test. And the fact that they are releasing their stuff immediately after Microsoft released the patches certainly doesn't help.

Symantec has a write-up of this; it doesn't look like it's wide spread at all at the moment.

UPDATE 07/14/2006

Microsoft is working on this issue and they've posted some information on their blog.
Most of the major AV vendors received samples of the infected PPT file and added detection for it so far. However, this doesn't mean that you can completely relax now ? while we don't know what part of the infected PPT file they use for detection, it is quite possible that new exploits for this same vulnerability (once and if they are released) will not be detected properly (we've seen this before with other vulnerabilities in Microsoft Office product, Excel for example).

At this moment we are not sure exactly which versions of Microsoft PowerPoint are affected by this vulnerability. It looks like all versions 2000 through to 2003 are vulnerable.
We also can't confirm whether the PowerPoint Viewer utility is or isn't affected.

There is a CVE entry for this vulnerability,

Juha-Matti created a nice FAQ about this vulnerability (similarly to his previous Excel vulnerability FAQ). You can find it at

It is worth reminding you that, as with previous vulnerabilities in Microsoft Office applications, there are not many options you have in protecting your networks. If you can, apply strict filtering of PPT files (maybe at least quarantine them, so they can be scanned and reviewed later). Users should be extra careful when opening PowerPoint files until Microsoft releases a patch (or some workaround is available).
While we can't confirm that this would stop the exploit from executing, it is a good idea to turn on memory-based security mechanisms (Data Execution Prevention).

If you went to Symantec's web site with the description of the Trojan being dropped, you probably saw the screen shot of the PowerPoint slide which is displayed once the file is opened in PowerPoint. One of our readers, Vince, sent us the translation of this:

"What is love? Sending her 999 roses knowing she doesn't love him.
What is waste? Sending her 999 roses know she loves him."

Interesting, isn't it? If this was displayed with all infected documents, it makes us wonder who was targeted with this. It is quite possible that that the original exploit was written by some other author who then maybe sold it to bad guys ? this sounds to me like a typical "I'm in love, here's my worm/virus/exploit dedicated to her" thing; we've seen such worms/viruses many times before.

UPDATE 2 07/14/2006

Three (!!!) PoCs for this vulnerability(ies) have just been publicly posted.
From what we can tell at the moment, they all just crash PowerPoint, but they show where the vulnerabilities are, so a full exploit can be written.
This is a first step to remote exploitation so we can unfortunately expect to see some malware using this very soon (and we though it will be another quiet weekend).

Again, stress out to users how important it is to be very careful when opening PowerPoint files (and if possible, don't open them at all until the patch is out). Otherwise you'll have to rely on your desktop anti-virus product to catch the dropped component, and we all know how (un)reliable this can be.

0 comment(s)

Linux kernel PRCTL local privilege escalation

Published: 2006-07-14
Last Updated: 2006-07-14 20:14:01 UTC
by Bojan Zdrnja (Version: 2)
0 comment(s)
This vulnerability enables an attacker to get elevated privileges on a local machine. There have been several exploits released and we can confirm that they work. We've tested this on unpatched SuSE and RedHat Enterprise Linux machines:

$ ./a.out

prctl() suidsafe exploit

(C) Julien TINNES

[+] Installed signal handler
[+] We are suidsafe dumpable!
[+] Malicious string forged
[+] Segfaulting child
[+] Waiting for exploit to succeed (~28 seconds)
[+] getting root shell

Debian also confirmed that this exploit was used on their recently compromised machine (

As all kernels 2.6.13 up to version and 2.6.16 before are affected, you should patch as soon as possible, even if you don't allow any local users on your machines. Remember that even a small vulnerability in a PHP script can allow local access, which then can be escalated with this exploit.

CVE for this vulnerability has also been issued:

Thanks to David Taylor for sending information about this to us.

Update: (2006-07-14 20:13UTC) In a posting over on Bugtraq, Ronald Timmerman suggests the following as a possible work-around for those that can't patch immediately.

# echo /root/core > /proc/sys/kernel/core_pattern
0 comment(s)

Perl bot exploiting vulnerabilities in Joomla and Mambo components

Published: 2006-07-14
Last Updated: 2006-07-14 03:02:03 UTC
by Bojan Zdrnja (Version: 2)
0 comment(s)
Yesterday fellow handler Chris wrote about a possible phpBB worm exploiting a 0-day vulnerability ( If you're using phpBB you can relax ? the worm we've analyzed doesn't exploit any vulnerabilities in phpBB.

We've received two samples from the Nepenthes Development team and analyzed them. Both samples contain practically the same bot written in perl. The only difference between them is the vulnerability which is being exploited.

Both bots exploit remote file inclusion vulnerabilities in components that are typically used with Joomla and Mambo, popular CMS packages. In first case the bot is exploiting a vulnerability in the perForms component that is used to create dynamic forms.
The second perl bot exploits an unpatched vulnerability in Joomla/Mambo CNS component SimpleBoard (there is a CVE for this vulnerability, It looks like even the latest RC version of the SimpleBoard component is affected by this vulnerability so be sure to disable it if you have it installed on your machine.
In both cases exploits for these vulnerabilities have been published previously.

Besides the attack part, the perl bot also contains couple of "extra features". The bot will report to a hard coded IRC server. Besides the attack component, the bot can also perform a poor TCP portscan (the destination ports are also hard coded in the bot and can not be changed), UDP, TCP and HTTP floods.
The bot will use Google to search for vulnerable sites and offers the possibility of executing any commands through the remote shell.

If you have been following our diaries you probably noticed a trend of exploiting vulnerabilities in third party components for Joomla and Mambo packages. While there were some vulnerabilities in the core packages as well, one can expect that there is a whole new world of vulnerabilities in third party components, so be careful on what you install. Install and enable only components that you really need and be sure that you subscribe to all the relevant mailing lists so you can keep track of what's going on with them.

0 comment(s)
Diary Archives