JPCERT-AT-2007-0016
JPCERT/CC
June 28, 2007
<<< JPCERT/CC Alert 2007-06-28 >>>
MPack: Web Site Exploit Tool Targets Web Browsers and Applications
http://www.jpcert.or.jp/at/2007/at070016.txt
I. Overview
Damage from attacks that use an attack tool called MPack has been
increasing, mostly overseas.
Compared with existing attack tools, MPack comes with a management
program that lets the operator add attack code for the latest
vulnerabilities. Because MPack is sold on foreign websites and is
easy to obtain, there is concern that attacks using MPack will also
increase rapidly in Japan.
Server administrators should confirm that their websites are not
being used as launching points by attackers, and end users should
take measures against known vulnerabilities.
II. Details
1. MPack program configuration
The MPack program mainly consists of the following two programs:
A: MPack management program that runs on a web server
B: Attack code executed on a victim's computer
An attacker deploys the attack code (B) on a web server and leads
the victim to the web server in some way.
2. Scenario of attack
The following is a representative scenario of an attack using
MPack:
Step 1: An attacker breaks into a web server using various
techniques.
Step 2: The attacker inserts an iframe that loads the MPack attack
code into an HTML document on that server.
Step 3: When a victim views the HTML document containing the
iframe inserted in Step 2, the MPack attack code is
loaded automatically.
Step 4: When the victim's browser loads the MPack attack code, the
code identifies the victim's OS and browser type and
attempts to exploit vulnerabilities on the victim's
computer.
Step 5: If the victim's computer has a vulnerability that MPack
can exploit, a malicious program prepared by the attacker
is executed.
Besides the scenario above, attacks that use spam to lead users to
hostile websites, or that exploit a cross-site scripting
vulnerability on a website, can also be expected.
3. Vulnerabilities exploited by MPack
As a result of the analysis by JPCERT/CC, MPack can exploit the
following vulnerabilities:
- MS06-014, CVE-2006-0003
Vulnerability in the Microsoft Data Access Components (MDAC)
- MS06-006, CVE-2006-0005
Vulnerability in Windows Media Player
- MS06-044, CVE-2006-3643
Vulnerability in Microsoft Management Console (MMC)
- MS06-071, CVE-2006-5745
Vulnerability in Microsoft XML Core Services
- MS06-057, CVE-2006-3730
Windows Shell Remote Code Execution Vulnerability
- CVE-2006-5198, VU#512804
WinZip FileView ActiveX Control Multiple Vulnerabilities
- CVE-2007-0015, JVNTA07-005A, VU#442497
Apple QuickTime Vulnerabilities
- MS07-017, CVE-2007-0038
Windows Animated Cursor Vulnerability
As modules are added to MPack, other vulnerabilities may be
exploited in the future.
III Solution
JPCERT/CC recommends that the following measures be taken against
MPack:
[Server administrators]
Please verify that the integrity of the content published on your
website has not been compromised. If you find that it has, please
investigate the possibility that an attacker has broken into the
server, among other causes.
An attack using MPack can insert an iframe with the following
characteristics into HTML documents on a compromised web server.
Such cases have already been reported in Japan.
Characteristic 1: An iframe referencing an unknown domain or IP
address
Characteristic 2: An iframe that is not displayed in a browser,
using style='visibility: hidden;'
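As an added example that is not part of the JPCERT/CC advisory, the following Python script checks HTML documents for iframes with the two characteristics above: a src that points at a raw IP address or a domain outside the site's own, and a style that hides the frame. It also flags frames whose width and height are 0 or 1 pixel, a third characteristic that the advisory does not list but that belongs to the same injection pattern. The trusted host list, the sample HTML, and the hosts and paths in it (192.0.2.10, bad-host.invalid) are constructed for this example.

```python
"""Scan published HTML for iframes that look like MPack-style injections."""
import ipaddress
import pathlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately embeds content from (assumption for this example).
TRUSTED_HOSTS = {"www.example.jp", "example.jp"}

# Style declarations used to keep an injected frame out of view.
HIDDEN_STYLE_RE = re.compile(r"(visibility\s*:\s*hidden|display\s*:\s*none)", re.I)

# Constructed sample page: two legitimate frames followed by two injected ones.
SAMPLE_HTML = """<html><body>
<h1>News</h1>
<iframe src="/ads/banner.html" width="300" height="60"></iframe>
<iframe src="http://www.example.jp/embed/map.html"></iframe>
<iframe src="http://192.0.2.10/in.cgi?3" style='visibility: hidden;' width="0" height="0"></iframe>
<iframe src="http://bad-host.invalid/index.php" width="1" height="1"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_ip_literal(host):
    """True when the host part of the URL is an IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 (bare number or px)."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value)
    return bool(m) and int(m.group(1)) <= 1


def classify_iframe(attrs, trusted_hosts=TRUSTED_HOSTS):
    """Return the reasons an iframe looks injected; an empty list means it looks fine."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname or ""  # "" for relative URLs
    if host:
        if _is_ip_literal(host):
            reasons.append("src-is-ip-address")
        elif host.lower() not in trusted_hosts:
            reasons.append("src-unknown-domain")
    if HIDDEN_STYLE_RE.search(attrs.get("style", "")):
        reasons.append("hidden-style")
    if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
        reasons.append("tiny-frame")
    return reasons


def find_suspicious_iframes(html, trusted_hosts=TRUSTED_HOSTS):
    """Parse one HTML document and return the iframes that trip any check."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        reasons = classify_iframe(attrs, trusted_hosts)
        if reasons:
            findings.append({"src": attrs.get("src", ""), "reasons": reasons})
    return findings


def scan_directory(root, trusted_hosts=TRUSTED_HOSTS):
    """Walk a document root and map each file path to its suspicious iframes."""
    report = {}
    for path in pathlib.Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".html", ".htm", ".php"}:
            findings = find_suspicious_iframes(path.read_text(errors="replace"), trusted_hosts)
            if findings:
                report[str(path)] = findings
    return report


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run it against a document root with scan_directory("/var/www/html") after setting TRUSTED_HOSTS to the site's own names; a hit on an IP-address src combined with hidden-style is the pattern the advisory describes. A clean scan does not prove the server is uncompromised, since the injected iframe may be generated by server-side code rather than stored in a static file, so treat this as one check alongside a file-integrity comparison against a known-good copy of the site.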
[End users]
MPack attempts to exploit vulnerabilities that have already been
patched. The possibility of becoming a victim can therefore be
reduced by taking the following measures:
- Keep your OS and applications up to date.
- Use anti-virus software.
IV Reference Information
About iframe:
Frames in HTML documents
http://www.w3.org/TR/html401/present/frames.html
MS06-014, CVE-2006-0003
Vulnerability in the Microsoft Data Access Components (MDAC)
Function Could Allow Code Execution
http://www.microsoft.com/japan/technet/security/Bulletin/MS06-014.mspx
MS06-006, CVE-2006-0005
Vulnerability in Windows Media Player Could Allow Remote Code
Execution
http://www.microsoft.com/japan/technet/security/Bulletin/MS06-006.mspx
MS06-044, CVE-2006-3643
Vulnerability in Microsoft Management Console (MMC) Could Allow
Remote Code Execution
http://www.microsoft.com/japan/technet/security/Bulletin/MS06-044.mspx
MS06-071, CVE-2006-5745
Vulnerability in Microsoft XML Core Services Could Allow Remote
Code Execution
http://www.microsoft.com/japan/technet/security/Bulletin/MS06-071.mspx
MS06-057, CVE-2006-3730
Windows Shell Remote Code Execution Vulnerability
http://www.microsoft.com/japan/technet/security/Bulletin/MS06-057.mspx
CVE-2006-5198, VU#512804
WinZip FileView ActiveX Control Multiple Vulnerabilities
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5198
CVE-2007-0015, JVNTA07-005A, VU#442497
Buffer Overflow Vulnerability in Apple QuickTime Real Time
Streaming Protocol (RTSP) Processing
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015
MS07-017, CVE-2007-0038
Windows Animated Cursor Remote Code Execution Vulnerability
http://www.microsoft.com/japan/technet/security/bulletin/ms07-017.mspx
If you have any information regarding this matter, please contact us.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: 03-3518-4600 FAX: 03-3518-4602
http://www.jpcert.or.jp/