Full Disclosure mailing list archives
CVE-2013-0634 Original sample can not be confirmed until now
From: アドリアンヘンドリック <unixfreaxjp22 () gmail com>
Date: Sat, 12 Oct 2013 13:16:46 +0900
--------------------------------------------------------------------------------------
CVE-2013-0634 Original sample can not be confirmed until now
--------------------------------------------------------------------------------------

Expl: this is the communication between a researcher involved in the investigation of the above CVE and a member of an entity that claimed to be the first to find the threat in the wild.

--------------------------------------------------------------------------------------

Ah, yes. Finally I expected this kind of reply on the issue, of course! Why not! :-)

Generally speaking, in this world, there are so many excuses that can be made & used to hide or to fake stuff that actually doesn't even exist, no? Noted, generally speaking.

That's why in vulnerability assessment and research it is not a mere request, but the PoC of a vulnerability is badly needed, to confirm the form of the threat, usually performed by several researchers. The PoC itself is not only the explanation, or the physical analysis of the threat, but also the nature of how the threat was spotted the first time "and its sample".

Our analysis was posted in the MalwareMustDie post at: http://malwaremustdie.blogspot.jp/2013/02/cve-2013-0634-this-ladyboyle-is-not.html .. it is actually a research effort to confirm and PoC the threat itself, since at that time the vendor's information was not enough to describe the threat. We all should know that no one owns a public threat; if you found it, it doesn't mean you are the owner of that threat's samples or code. Adobe claimed to find CVE-2013-0634 in the wild on websites (plural, not singular), which actually has no proof of concept of its existence that can be shown to the public, from the time the threat was announced until this day. For me, who breathes threat assessment in daily activity, this is a serious topic and responsibility.

We trailed the facts, and Adobe as vendor stated that the sample was first found by Shadow Server as a stand-alone flash "LadyBoyle" coded file, during the era when CVE-2013-0633 was also first found. The SecurityFocus page of the first announcement still shows the "unchanged" snapshot from when it was first released: http://www.securityfocus.com/bid/57787

If some samples of CVE-2013-0633 exist, which were claimed found by a different entity and obviously shared to the public afterwards (with thank you so much!), then why was there not even one single sample of CVE-2013-0634 at all that was claimed "found and passed to Adobe" until now?
^^^^^^^^^^^^^^^

Even though Shadow Server passed it to the maker to be fixed, it is also necessary to publish the sample for research purposes. Of course not before the flaw is fixed, but after it is fixed. And now, long months have passed by, but until this day there is still no sign of that originally mentioned CVE-2013-0634 sample, a stand-alone flash file, announced / posted / shared anywhere. This is just so wrong. Why? What was the proof of the existence of a stand-alone "LadyBoyle" malicious SWF file in the wild at that time? Sadly to say: None.

On a different communication subject, a member of Shadow Server was contacting us, and I brought this sample issue back into the communication. The reasoning for not sharing with us, using the wording "your request behavior buff and Your request was not received...and so on..", sounds like an excuse against the greater value of truth that is actually in demand here. A reasoning which is scientifically ..how to say this.."inappropriate", for it will raise a doubt on the truth of the advisory information of the threat itself. And all of us researchers involved in this case can't help but think that the existence probability of the initial sample reported found is "apparently" small, unless it can be proved otherwise.

If there actually was no sample that was stated detected on "websites" (noted again, plural) in the Adobe advisory below, this will be an abuse of the security concept (read = a lie), which leads to what was written in the advisory statement below...
http://www.adobe.com/support/security/bulletins/apsb13-04.html
"Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform"
..being completely wrong.

So since the possibility of no samples is getting bigger, researchers and people indeed need to know what's incorrect in this act. So I hereby post as Cc to Full Disclosure about this matter, so that all of the security gentlemen listed can read and judge for yourselves.

PS, moreover, we found that "someone" was "producing" a "pathetic attempt" to "fake" a sample of CVE-2013-0634, which was posted on VT at the link below, and which is actually scrapped code from the flash embedded in the CVE-2013-0633 MS Word files! Yes, a binary and its hash have "magic" which does not allow them to lie! :-)
https://www.virustotal.com/en/file/19a5e24e8c90e2d7f65729455c3fd8b89ebbfdc8d218db3ab4a3193100106267/analysis/

I am Hendrik Adrian, one of the flock of researchers on CVE-2013-0634, reporting this matter and the end of communication with the counterparts that possibly can provide the specific "initial" sample requested. I hope this problem will not happen to the rest of the researchers for future and ongoing threats, to make sure to see the sample as PoC of the exploit or vulnerability before someone hides its existence.
Rgds
--
Hendrik Adrian / @unixfreaxjp
PGP/MIT.EDU: RSA 2048/0xEC61AB9 Query: 0xb9ad3d5bec61ab91
MalwareMustDie,NPO Research Group
Web http://malwaremustdie.org
Research blog: http://malwaremustdie.blogspot.com
Wiki & Code: http://code.google.com/p/malwaremustdie/
Report Pastes: http://pastebin.com/u/MalwareMustDie

On Sat, Oct 12, 2013 at 9:58 AM, Kjell Chr <kj...shadowserver.org> wrote:
> Okay. Changing gears here. Some of this is actually pretty upsetting. I will respond in-line. I guess I may regret this response later. I mean no harm by it, so please do not read it as a personal attack on you.
>
> On 10/11/2013 01:47 AM, アドリアンヘンドリック wrote:
>> Hello Kjell, I have an idea about what Shadow Server does, but this matter is not related to that; with all due respect to your thorough, complete explanation, I'll skip those.
>
> Okay. Fair enough. From your reaction it seemed like it didn't. Especially the part where most of us are extremely busy. And Steven has been one of the very busiest of us.
>
>> I think we do the same kind of zero-money charity, but in a "different way", but I don't feel like mentioning things of what we actually did.
>
> Actually we do different kinds of stuff, I think. Just somewhat the same goal, I think.
>
>> Again, the problem is: "ignoring a fellow researcher's sample request to Shadow Server. All people did their best to contact you guys and ignorance was all we got", and we have a very good reason for requesting it; please see the background section.
>
> Now this I have a problem with. You still did not tell me anything about how you tried to contact us. As far as I know nobody on the team noticed that you even tried to contact us (if this is incorrect, then of course, my deepest apologies!). Not once, and certainly not several times. I cannot apologise for us not responding to something we did not even see. And I do not understand what you mean by "All people do the best way to contact you guys". Presenting your background in an email could have definitely helped. Steven already gave you the responses as to why it could not necessarily be shared with anyone during that time. That said, he did not even get your request from what he could see.
>
>> I mentioned that I will judge your heart, and I did. I expected a simple apology from Shadow Server for leaving us in the blank for a very long time -
>
> I have no problem apologising to anyone that is reaching out to us and not getting a response. Whenever that happens, it makes me sad. And I know that Shadowserver, at least in some circles, is generally considered unresponsive. If you had asked around maybe you already would have known this. And leaving you hanging was not something anyone wanted. BUT you will have to reach out to us on some sort of medium where we actually can be reached, and are present, and twitter is not a good one. I cannot apologise for something we could not see. Email to our team mailboxes normally works well, but random and weird requests may be discarded as we may not always know if those reaching out are genuine researchers wanting to do good or if they are actually trying to target us (I am sure you guys have the same issues, or some of them at least). Vague hints to our twitter handle will not work. Sometimes we happen to respond on twitter as well, but there is no guarantee for that.
>
>> And you said you were concerned & apologized; apology is accepted. (period) Again, I apologize for the inconvenience of burping this matter to a different person.
>
> Sure. It's unpleasant, but it's fine.
>
>> Case end. I hope we're good. It's your call. Next! For the pending research purpose, I have also another proposal. The CVE-2013-0634 research is *currently* still open in MalwareMustDie, because the mentioned sample did not even exist until now. (FYI, this is the case: http://malwaremustdie.blogspot.jp/2013/02/cve-2013-0634-this-ladyboyle-is-not.html) So if Shadow Server would be kind enough to show us good will by sharing with us the sample of CVE-2013-0634 that had been passed to Adobe at that time, I will be happy to share the archive password of the PowerZeus Source Code.
>
> I would not mind sharing the sample at all. But I am not sure of the details of this since I was not involved. Based on your behaviour in this thread and on twitter though, those that have been involved have chosen not to share it. They had expected an apology based on the context I provided in the previous email, but as this did not happen, they are not interested in handing any of their work over. For me, it was important to get this resolved with you, but I do not feel like I am getting through. As I explained in the previous email, the password is not that important to me. But as a favor for a trusted friend I decided to ask. In the meantime I believe he has already found what he is looking for elsewhere.
>
>> I am sure that Shadow Server, who found the sample in the wild at that time, has the mentioned sample in possession, so sharing the past exploit sample would not be a burden, would it? An old sample to get malware source code looks like a good deal to me.
>
> Again - this is about mutual respect. We generally share, share, share and share without expecting too much back. But in this case your disrespect to us did not help. If it helps, you can disregard my request for the source code please.
>
>> *The background why we had a problem is..*
>> Just for all the people and researchers I enclosed, and if you don't know, the following are the facts of what happened then, and why it is still open until now.
>>
>> *CVE-2013-0634*
>> The vulnerability info is: http://www.adobe.com/support/security/bulletins/apsb13-04.html
>> I am talking about the sample of CVE-2013-0634. It is *clearly written* in the vulnerability page that the sample was found by *Shadow Server* and the *name of Steven Adair* is written, Ref: http://www.securityfocus.com/bid/57787
>> Not only that; of course the same request was made by some of us at that time to the vendor, and Adobe as maker replied that they never share their research materials. The CVE-2013-0634 requests were not coming only from me but from several researchers, who, with different purposes, gathered and worked together on this CVE at that time. I think many of the gentlemen I enclosed were involved or remember what happened.
>>
>> *Why did we do it? Why did we not just leave it to Adobe?*
>> We all know sometimes Adobe releases patches which don't actually "fix the flaw".
>
> I have no idea what you are referring to here.
>
>> And in this reported CVE-2013-0633/CVE-2013-0634, the flaw itself was so sophisticated, we didn't think that Adobe understood the whole point well, and the silence of the maker was really not giving any help. Even the many researchers gathered at that time really took time to figure out the correct exploitation. Moreover, we noticed it as a ZERO DAY, since we found CVE-2013-0633 under an infection scheme, which needed to be fixed correctly and swiftly.
>
> Naturally, I cannot speak for Adobe.
>
>> And I personally am (still) one of the security experts in my country, and have the task of being in charge of a project on [snipped for privacy purpose]. So it was also my professional duty to investigate what is right and what is wrong on the subject.
>
> Right. So you could have reached out through JPCERT for the national duty part perhaps (Shadowserver works with a lot of national CERTs, and they can be the bridge when it comes to knowing if a contact can be trusted or not). We have worked a bit with them before. But again, we did not even see your request, and as such it is hard to respond to what we do not see.
>
>> *Clarification to be made*
>> Why we asked? Because we need clarification of:
>> 1) The Adobe AIR vulnerability wasn't mentioned at the time the first bulletin was released. (After I added a video showing AIR was affected in the MalwareMustDie blog, the vendor then added it to their description.)
>
> Cool. Not familiar with it, but cool.
>
>> 2) The confusion between CVE-2013-0633 and CVE-2013-0634 in definition, explained as whether the malicious flash object is embedded in the word file (33) or not embedded but a stand-alone file (34). The problem is *all samples that existed at that time were all (CVE-2013-0633) embedded ones*, *there was NO SAMPLE for CVE-2013-0634 existing on the web...*, nevertheless it was stated by the maker: *Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform,* *...Something just does not fit, big question.....*
>> 3) Later on, we found out on VirusTotal that someone is faking the stand-alone sample, which actually was stripped from the Word file that has the embedded code, and calling it the stand-alone sample, which is a BIG lie... I still wonder who posted this to VT & why...hmm.. URL: https://www.virustotal.com/en/file/19a5e24e8c90e2d7f65729455c3fd8b89ebbfdc8d218db3ab4a3193100106267/analysis/
>
> I have not worked on the specific case, and as such I cannot make comments on this point. It is perfectly understandable that you wanted to get your hands on the sample, and it's reasonable to ask for it. But there may, as Steven stated, be reasons why it cannot be shared with anyone just because they ask. And when we don't even see the question, it gets hard to respond to it.
>
>> *The solution expected is sample or hash*
>> The clarification above would be clear if Shadow Server would share with us the sample / hash of what was passed to Adobe (at that time) which was claimed as CVE-2013-0634. What would be so hard about sharing a malware sample by uploading it to VirusTotal? Even after the patch was released? Why is there still no sharing of the sample until now? The FACT is, actually, from the time that vulnerability was announced by the maker, and then FIXED by the maker, there is no sample of CVE-2013-0634 that can be confirmed. A vulnerability is a subject that "maybe" can be confirmed by a small party, but the *ZERO-DAY attack patch / bugfix* needs to be confirmed to check whether it actually fixes the problem. And the sample for that purpose does not exist. So, no one knows what really happened during the release of CVE-2013-0634 until now. I personally and professionally think this is not right. Even now. And my reports related to the matter stay as they are: the maker doesn't want to share the sample, and Shadow Server, as the entity that found the sample, was not cooperating to share the sample.
>
> Naturally we will work with the vendor when we see an issue that is affecting a LOT of users around the globe, and that will be the primary concern. If you had pointed out that you tried reaching out to us before and not gotten a response, and politely asked for the sample, I am sure Steven would have been most helpful with regards to sharing it. Demanding to get the sample and shaming us on twitter is a good way to show respect in my opinion, and not a good way to start a collaboration. I do NOT want a war or any sort of disagreement between MMD and Shadowserver. There is more than enough badness on the internets anyway, and this is already starting to take up very valuable time. But at the same time we will not take shit for something we did not do because we did not see it.
>
> --
> Kjell Chr
>
> ---------- original message ----------
> From: アドリアンヘンドリック <u...gmail.com>
> Date: Fri, Oct 11, 2013 at 8:47 AM
> Subject: Re: request for KINS password
> To: Kjell Chr <k....shadowserver.org>
> Cc: "Tom U. @c_APT_ure" <...gmail.com>
>
> Hello Kjell, I have an idea about what Shadow Server does, but this matter is not related to that; with all due respect to your thorough, complete explanation, I'll skip those. I think we do the same kind of zero-money charity, but in a "different way", but I don't feel like mentioning things of what we actually did.
>
> Again, the problem is: "ignoring a fellow researcher's sample request to Shadow Server. All people did their best to contact you guys and ignorance was all we got", and we have a very good reason for requesting it; please see the background section. I mentioned that I will judge your heart, and I did. I expected a simple apology from Shadow Server for leaving us in the blank for a very long time - and you said you were concerned & apologized; apology is accepted. (period) Again, I apologize for the inconvenience of burping this matter to a different person. Case end. I hope we're good. It's your call. Next!
>
> For the pending research purpose, I have also another proposal. The CVE-2013-0634 research is currently still open in MalwareMustDie, because the mentioned sample did not even exist until now. (FYI, this is the case: http://malwaremustdie.blogspot.jp/2013/02/cve-2013-0634-this-ladyboyle-is-not.html) So if Shadow Server would be kind enough to show us good will by sharing with us the sample of CVE-2013-0634 that had been passed to Adobe at that time, I will be happy to share the archive password of [ snipped for confidentiality ]. I am sure that Shadow Server, who found the sample in the wild at that time, has the mentioned sample in possession, so sharing the past exploit sample would not be a burden, would it? Old sample to [snipped for confidentiality]
>
> The background why we had a problem is..
> Just for all the people and researchers I enclosed, and if you don't know, the following are the facts of what happened then, and why it is still open until now.
>
> ** CVE-2013-0634 **
> The vulnerability info is: http://www.adobe.com/support/security/bulletins/apsb13-04.html
> I am talking about the sample of CVE-2013-0634. It is clearly written in the vulnerability page that the sample was found by Shadow Server and the name of Steven Adair is written, Ref: http://www.securityfocus.com/bid/57787
> Not only that; of course the same request was made by some of us at that time to the vendor, and Adobe as maker replied that they never share their research materials. The CVE-2013-0634 requests were not coming only from me but from several researchers, who, with different purposes, gathered and worked together on this CVE at that time. I think many of the gentlemen I enclosed were involved or remember what happened.
>
> ** Why did we do it? Why did we not just leave it to Adobe? **
> We all know sometimes Adobe releases patches which don't actually "fix the flaw". And in this reported CVE-2013-0633/CVE-2013-0634, the flaw itself was so sophisticated, we didn't think that Adobe understood the whole point well, and the silence of the maker was really not giving any help. Even the many researchers gathered at that time really took time to figure out the correct exploitation. Moreover, we noticed it as a ZERO DAY, since we found CVE-2013-0633 under an infection scheme, which needed to be fixed correctly and swiftly. And I personally am (still) one of the security experts in my country, and have the task of being in charge of a project on [snipped for privacy purpose]. So it was also my professional duty to investigate what is right and what is wrong on the subject.
>
> Clarification to be made
> Why we asked? Because we need clarification of:
> 1) The Adobe AIR vulnerability wasn't mentioned at the time the first bulletin was released. (After I added a video showing AIR was affected in the MalwareMustDie blog, the vendor then added it to their description.)
> 2) The confusion between CVE-2013-0633 and CVE-2013-0634 in definition, explained as whether the malicious flash object is embedded in the word file (33) or not embedded but a stand-alone file (34). The problem is all samples that existed at that time were all (CVE-2013-0633) embedded ones, there was NO SAMPLE for CVE-2013-0634 existing on the web..., nevertheless it was stated by the maker: Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, ...Something just does not fit, big question.....
> 3) Later on, we found out on VirusTotal that someone is faking the stand-alone sample, which actually was stripped from the Word file that has the embedded code, and calling it the stand-alone sample, which is a BIG lie... I still wonder who posted this to VT & why...hmm.. URL: https://www.virustotal.com/en/file/19a5e24e8c90e2d7f65729455c3fd8b89ebbfdc8d218db3ab4a3193100106267/analysis/
>
> The solution expected is sample or hash
> The clarification above would be clear if Shadow Server would share with us the sample / hash of what was passed to Adobe (at that time) which was claimed as CVE-2013-0634. What would be so hard about sharing a malware sample by uploading it to VirusTotal? Even after the patch was released? Why is there still no sharing of the sample until now? The FACT is, actually, from the time that vulnerability was announced by the maker, and then FIXED by the maker, there is no sample of CVE-2013-0634 that can be confirmed. A vulnerability is a subject that "maybe" can be confirmed by a small party, but the ZERO-DAY attack patch / bugfix needs to be confirmed to check whether it actually fixes the problem. And the sample for that purpose does not exist.
>
> So, no one knows what really happened during the release of CVE-2013-0634 until now. I personally and professionally think this is not right. Even now. And my reports related to the matter stay as they are: the maker doesn't want to share the sample, and Shadow Server, as the entity that found the sample, was not cooperating to share the sample.
>
> That is the background of all this communication.
>
> regards,
> ---
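The thread's point that "a binary and its hash cannot lie" can be checked mechanically: if a claimed stand-alone SWF hashes the same as the SWF carved out of a document, it is the same object and not independent evidence of a separately hosted file. The script below is an added illustration, not code from the thread or from MalwareMustDie or Shadowserver; the container bytes, SWF bodies and function names are constructed assumptions, and no real CVE-2013-0633/0634 content is used.

```python
"""Carve SWF objects out of a container blob and compare SHA-256 hashes."""
import hashlib
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS")  # uncompressed / zlib-compressed SWF signatures


def carve_swfs(blob: bytes) -> list[bytes]:
    """Return every SWF found in blob, each normalised to uncompressed FWS form.

    FWS: header FileLength (uint32 LE) is the on-disk size, so carve directly.
    CWS: FileLength is the *uncompressed* size; the compressed stream ends where
         zlib stops consuming input (decompressobj().unused_data).
    """
    found, i = [], 0
    while True:
        hits = [p for p in (blob.find(m, i) for m in SWF_MAGICS) if p != -1]
        pos = min(hits, default=-1)
        if pos == -1 or pos + 8 > len(blob):
            return found
        magic, version = blob[pos:pos + 3], blob[pos + 3]
        length = struct.unpack_from("<I", blob, pos + 4)[0]
        if magic == b"FWS":
            if 8 <= length <= len(blob) - pos:
                found.append(blob[pos:pos + length])
                i = pos + length
                continue
        else:  # CWS: validate by decompressing and checking the declared length
            d = zlib.decompressobj()
            try:
                body = d.decompress(blob[pos + 8:])
            except zlib.error:
                body = b""
            if d.eof and len(body) + 8 == length:
                header = b"FWS" + bytes([version]) + struct.pack("<I", length)
                found.append(header + body)  # normalised so hashes are comparable
                i = len(blob) - len(d.unused_data)
                continue
        i = pos + 1  # false positive (e.g. the letters "FWS" in text); keep scanning


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def same_object(standalone: bytes, document: bytes) -> bool:
    """True when the claimed stand-alone SWF equals one embedded in document."""
    norm = carve_swfs(standalone)
    if not norm:
        return False
    target = sha256(norm[0])
    return any(sha256(s) == target for s in carve_swfs(document))


def make_swf(body: bytes, version: int = 10, compress: bool = False) -> bytes:
    """Build a minimal SWF container around body (constructed test data)."""
    head = bytes([version]) + struct.pack("<I", 8 + len(body))
    return (b"CWS" + head + zlib.compress(body)) if compress else (b"FWS" + head + body)


# Constructed sample data: a fake document with prose around an embedded CWS.
EMBEDDED_BODY = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 20
DOC_BLOB = (b"\xd0\xcf\x11\xe0 constructed container; FWS is mentioned as text "
            + make_swf(EMBEDDED_BODY, compress=True) + b" trailing bytes")
STANDALONE_CARVED = make_swf(EMBEDDED_BODY)            # "stripped" from the doc
STANDALONE_OTHER = make_swf(EMBEDDED_BODY + b"\x01")   # genuinely different file

if __name__ == "__main__":
    print("carved copy matches embedded:", same_object(STANDALONE_CARVED, DOC_BLOB))
    print("other file matches embedded:", same_object(STANDALONE_OTHER, DOC_BLOB))
```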
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/