Cisco Blogs


Cisco Blog > Threat Research

Vulnerability Spotlight: Total Commander FileInfo Plugin Denial of Service

Talos is releasing an advisory for multiple vulnerabilities that have been found within the Total Commander FileInfo Plugin. These vulnerabilities are local denial of service flaws and have been assigned CVE-2015-2869. In accordance with our Vendor Vulnerability Reporting and Disclosure policy, these vulnerabilities have been disclosed to the plugin author(s) and CERT.  This post serves as a summary of the advisory.

Credit for these discoveries belongs to Marcin Noga of Talos.

TALOS-2015-024/CVE-2015-2869

An attacker who controls the content of a COFF Archive Library (.lib) file can can cause an out of bounds read by specifying overly large values for the ‘Size’ field of the Archive Member Header or the “Number Of Symbols” field in the 1st Linker Member. The second half of the vulnerability concerns an attacker who controls the content of a Linear Executable file can cause an out of bounds read by specifying overly large values for the “Resource Table Count” field of the LE Header or the “Object” field at offset 0x8 from a “Resource Table Entry”. An attacker who successfully exploits this vulnerability can cause the Total Commander application to unexpectedly terminate.

These vulnerabilities has been tested against FileInfo 2.21 and FileInfo 2.22.

Product URL

http://www.totalcmd.net/plugring/fileinfo.html

Finding and disclosing zero-day vulnerabilities responsibly helps improve the overall security of the devices and software people use on a day-to-day basis.  Talos is committed to this effort via developing programmatic ways to identify problems or flaws that could be otherwise exploited by malicious attackers. These developments help secure the platforms and software customers use and also help provide insight into how Cisco can improve its own processes to develop better products.

For further zero day or vulnerability reports and information visit:
http://talosintel.com/vulnerability-reports/

Tags: , , , ,

Microsoft Patch Tuesday – July 2015

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 14 bulletins being released which address 57 CVEs. Four of the bulletins are listed as Critical and address vulnerabilities in Windows Server Hyper-V, VBScript Scripting Engine, Remote Desktop Protocol (RDP) and Internet Explorer. The remaining ten bulletins are marked as Important and address vulnerabilities in SQL Server, Windows DCOM RPC, NETLOGON, Windows Graphic Component, Windows Kernel Mode Driver, Microsoft Office, Windows Installer, Windows, and OLE.

Read More »

Tags: , , , ,

Ding! Your RAT has been delivered

This post was authored by Nick Biasini

Talos is constantly observing malicious spam campaigns delivering various different types of payloads. Common payloads include things like Dridex, Upatre, and various versions of Ransomware. One less common payload that Talos analyzes periodically are Remote Access Trojans or RATs. A recently observed spam campaign was using freeware remote access trojan DarkKomet (a.k.a DarkComet). This isn’t a novel approach since threat actors have been leveraging tools like DarkKomet or Hawkeye keylogger for quite sometime.

Some interesting techniques in this campaign were used by the threat actor to bypass simplistic sandbox methods including use of sub folders, right to left override, and excessive process creation. This threat also had surprising longevity and ample variations, used over time, to help ensure the success of the attack.

What is DarkKomet?

dc_panel_controller

Read More »

Tags: , , ,

Vulnerability Spotlight: Apple Quicktime Corrupt stbl Atom Remote Code Execution

This post was authored by Rich Johnson, William Largent, and Ryan Pentney. Earl Carter contributed to this post.

Cisco Talos, in conjunction with Apple’s security advisory issued on June 30th,  is disclosing the discovery of a remote code execution vulnerability within Apple Quicktime. This vulnerability was initially discovered by the Talos Vulnerability Research & Development Team and reported in accordance with responsible disclosure policies to Apple.

There is a remote code execution vulnerability in Apple Quicktime (TALOS-CAN-0018, CVE-2015-3667). An attacker who can control the data inside an stbl atom in a .MOV file can cause an undersized allocation which can lead to an out-of-bounds read. An attacker can use this to create a use-after-free scenario that could lead to remote code execution.

There is a function within QuickTime (QuickTimeMPEG4!0x147f0) which is responsible for processing the data in an hdlr atom. There is a 16-byte memory region, allocated near the beginning of the function, if the hdlr subtype field in an mdia atom is set to ‘vide’, this reference is passed to a set of two functions.

apple-qt-stbl-0

Read More »

Tags: , , , , , , ,

Hook, Line & Sinker: Catching Unsuspecting Users Off Guard

This post was authored by Earl Carter.

Attackers are constantly looking for ways to monetize their malicious activity. In many instances this involves targeting user data and accounts. Talos continues to see phishing attacks targeting customers of multiple high profile financial institutions.  In the past couple of months, we have observed phishing attacks against various financial customers including credit card companies, banks, credit unions, and insurance companies, as well as online businesses such as Paypal and Amazon. These phishing attacks have gone old-school in that they either attach an HTML document or include HTML data in the actual email to present the user with official looking pages that appear to be from the actual businesses being targeted.

Read More »

Tags: , , ,