Full Disclosure mailing list archives

CVE-2013-0634 Original sample can not be confirmed until now


From: アドリアンヘンドリック <unixfreaxjp22 () gmail com>
Date: Sat, 12 Oct 2013 13:16:46 +0900

--------------------------------------------------------------------------------------
CVE-2013-0634 Original sample can not be confirmed until now
--------------------------------------------------------------------------------------
Expl: this is the communication between the Researcher involved in the
        investigation of the above CVE and a member of an
        entity that claimed to be the first to find the threat in the wild.
--------------------------------------------------------------------------------------

Ah, yes. Finally I expected this kind of reply on the issue, of course! Why
not!  :-)
Generally speaking, in this world, there are so many excuses that can be
made & used to hide or to fake stuff that actually doesn't even exist, no?
Noted, generally speaking.

That's why in vulnerability assessment and research, it is not a mere request,
but the term PoC in vulnerability is badly needed, to confirm the form of
the threat, usually performed by several researchers. The PoC itself is
not only the explanation, but physical analysis of the threat, and also the
nature of how the threat was spotted the first time "and its sample".

Our analysis was posted in the MalwareMustDie post on:
http://malwaremustdie.blogspot.jp/2013/02/cve-2013-0634-this-ladyboyle-is-not.html
.. and is actually a research effort to confirm and PoC the threat itself, since
at that time the vendor's information was not enough to describe the threat.

We all should know that no one owns a public threat; if you found it, it doesn't
mean you are the owner of that threat's samples or codes.

Adobe claimed to find CVE-2013-0634 in the wild in websites (plural, not
singular), which actually has no proof of concept of its existence that can
be shown to the public, from the time the threat was announced until this
day. For me, who breathes threat assessment in daily activity, this is a serious
topic and responsibility.

We trailed the fact, and Adobe as vendor stated that the sample was first
found by Shadow Server as a stand alone flash "LadyBoyle" coded file,
during the era when CVE-2013-0633 was also first found. The SecurityFocus
page of the first announcement still shows the "unchanged" snapshot from when
it was first released:
http://www.securityfocus.com/bid/57787

If there are some samples of CVE-2013-0633 that exist, which were claimed found
by a different entity and obviously shared to the public afterwards (with
thank you so much!), then why was there not even one single sample of
CVE-2013-0634 at all that was claimed "found
and passed to Adobe" until now?
                                ^^^^^^^^^^^^^^^
Even though Shadow Server passed it to the maker to be fixed, it is
necessary also to publish those samples for research purposes. Of course not
before the flaw is fixed, but after it is fixed.
And now, long months have passed by ..but until this day there is still no sign
of that originally mentioned CVE-2013-0634 sample, of a stand alone flash
file announced / posted / shared anywhere.
This is just so wrong. Why? What was the proof of the existence of a stand
alone "LadyBoyle" malicious SWF file in the wild at that time? Sad to say:
None.

On a different communication subject, a member of Shadow Server was
contacting us, and I brought this sample issue back into the communication.
The reasoning for not sharing with us, using the wording of "your
request behavior buff and Your request was not received...and so on.."
sounds like an excuse against the greater value of truth that is actually in
demand here. A reasoning which is scientifically ..how to say
this.."inappropriate", for that will raise a doubt on the truth in the advisory
information of the threat itself.  And all of us researchers involved
in this case can't help thinking that the probability of the existence of the
initial sample reported found is "apparently" small, unless it can be proved
otherwise.

If there actually was no sample that was stated detected in "websites"
(noted again, plural) in the Adobe advisory below, this would be an abuse of
the security concept (read = a lie), which leads to what was written in the
advisory statement below...

http://www.adobe.com/support/security/bulletins/apsb13-04.html
"Adobe is also aware of reports that CVE-2013-0634 is being exploited in
the wild in attacks delivered via malicious Flash (SWF) content hosted on
websites that target Flash Player in Firefox or Safari on the Macintosh
platform"

..being completely wrong. So since the possibility of no samples is
getting bigger, researchers and people indeed need to know about what's
incorrect in this act.  So I hereby post as Cc to Full Disclosure about
this matter, so all of the security gentlemen listed can read and judge for
yourselves.

PS, moreover, we found that "someone" was "producing" a "pathetic attempt"
to "fake" a sample of CVE-2013-0634, which was posted in VT at the link below,
which is actually scrapped code from the flash embedded in the CVE-2013-0633
msword files! Yes, the binary and its hash have a "magic" which does not allow
them to lie! :-)
https://www.virustotal.com/en/file/19a5e24e8c90e2d7f65729455c3fd8b89ebbfdc8d218db3ab4a3193100106267/analysis/

I am Hendrik Adrian, one of the flock of researchers on CVE-2013-0634,
reporting this matter and the end of communication with the counterparts that
possibly can provide the specific "initial" sample requested. I hope this
problem will not happen to the rest of the researchers for future and
ongoing threats, to make sure to see the sample as PoC of the exploit or
vulnerability before someone hides its existence.

Rgds

-- 
Hendrik Adrian / @unixfreaxjp
PGP/MIT.EDU: RSA 2048/0xEC61AB9
Query: 0xb9ad3d5bec61ab91

MalwareMustDie,NPO Research Group
Web http://malwaremustdie.org
Research blog: http://malwaremustdie.blogspot.com
Wiki & Code: http://code.google.com/p/malwaremustdie/
Report Pastes: http://pastebin.com/u/MalwareMustDie
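The PS above rests on a mechanical check: a SWF carved out of a document keeps its header "magic" and its bytes, so its hash ties it back to the container it came from. The following is an added example, not code from the original post or from MalwareMustDie: it carves FWS/CWS SWF objects out of a container blob, normalises zlib-compressed copies to their uncompressed form, and reports whether a purported stand-alone SWF is a byte-identical carve, the same movie with a different compression wrapper, or unrelated. The container bytes and SWF bodies are constructed stand-ins, not the real CVE-2013-0633/CVE-2013-0634 files; the LZMA "ZWS" signature is assumed out of scope.

```python
import hashlib
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS")  # uncompressed / zlib-compressed SWF signatures


def carve_swfs(blob: bytes):
    """Return [(offset, raw_bytes, normalised_bytes)] for every SWF found in blob.

    SWF header: 3-byte signature, 1-byte version, UI32 LE FileLength.  For FWS the
    FileLength covers the whole file, so we slice by it.  For CWS it is the
    *uncompressed* length, so the compressed extent is recovered by inflating with
    a decompressobj and looking at unused_data.  The normalised form is the FWS
    equivalent, so a CWS and an FWS carrying the same movie compare equal.
    """
    found, pos = [], 0
    while True:
        hits = [h for h in (blob.find(m, pos) for m in SWF_MAGICS) if h != -1]
        if not hits or min(hits) + 8 > len(blob):
            return found
        off = min(hits)
        declared = struct.unpack_from("<I", blob, off + 4)[0]
        if blob[off:off + 3] == b"FWS":
            if 8 <= declared <= len(blob) - off:
                raw = blob[off:off + declared]
                found.append((off, raw, raw))
                pos = off + declared
                continue
        else:
            d = zlib.decompressobj()
            try:
                body = d.decompress(blob[off + 8:])
            except zlib.error:
                body = b""
            if d.eof and len(body) + 8 == declared:
                consumed = len(blob) - off - 8 - len(d.unused_data)
                raw = blob[off:off + 8 + consumed]
                found.append((off, raw, b"FWS" + raw[3:8] + body))
                pos = off + 8 + consumed
                continue
        pos = off + 1  # signature string without a sane header: skip it


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_standalone(standalone: bytes, container: bytes) -> str:
    """Relate a purported stand-alone SWF to the SWFs embedded in a container.

    "not-a-swf"    standalone does not start with an SWF header
    "identical"    byte-for-byte equal to an embedded object (a plain carve)
    "same-payload" same movie, only the compression wrapper differs
    "unrelated"    no embedded object matches
    """
    own = carve_swfs(standalone)
    if not own or own[0][0] != 0:
        return "not-a-swf"
    _, own_raw, own_norm = own[0]
    for _, raw, norm in carve_swfs(container):
        if sha256(raw) == sha256(own_raw):
            return "identical"
        if sha256(norm) == sha256(own_norm):
            return "same-payload"
    return "unrelated"


def build_swf(body: bytes, compress: bool) -> bytes:
    """Constructed minimal SWF (header + opaque body): enough for carving, not a playable movie."""
    header_tail = bytes([10]) + struct.pack("<I", 8 + len(body))
    return (b"CWS" + header_tail + zlib.compress(body)) if compress else (b"FWS" + header_tail + body)


# Constructed stand-in for a Word/OLE document with one embedded (compressed) SWF object.
SWF_BODY = bytes(range(48)) * 2
EMBEDDED_SWF = build_swf(SWF_BODY, compress=True)
FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64 + b"ObjInfo" + EMBEDDED_SWF + b"\x00" * 32
```

Running `classify_standalone(sample, FAKE_DOC)` on `EMBEDDED_SWF`, on `build_swf(SWF_BODY, False)` and on an unrelated SWF gives "identical", "same-payload" and "unrelated" respectively; the second case is the one a plain hash comparison would miss.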


On Sat, Oct 12, 2013 at 9:58 AM, Kjell Chr <kj...shadowserver.org> wrote:

 Okay. Changing gears here. Some of this is actually pretty upsetting. I
will respond in-line. I guess I may regret this response later. I mean no
harm by it, so please do not read it as a personal attack on you.


On 10/11/2013 01:47 AM, アドリアンヘンドリック wrote:

  Hello Kjell,

 I have an idea about what Shadow Server does, but this matter is not
related to that; with all due respect to your thorough, complete
explanation, I'll skip those.

  Okay, fair enough. From your reaction it seemed like it didn't.
Especially the part where most of us are extremely busy. And Steven has
been one of the very busiest of us.

  I think we do the same kind of zero money charity, but in a "different way" &
I don't feel like mentioning things of what we actually did.

  Actually we do a different kind of stuff, I think. Just somewhat the same goal,
I think.

  Again, the problem is: "ignoring a fellow researcher's sample request to
Shadow Server. All people did their best to contact you guys and ignorance
was all we got", and we have a very good reason for requesting it, please
see the background section.

Now this I have a problem with. You still did not tell me anything about
how you tried to contact us. As far as I know nobody on the team noticed
that you even tried to contact us (if this is incorrect, then of course, my
deepest apologies!). Not once, and certainly not several times. I cannot
apologise for us not responding to something we did not even see. And I do
not understand what you mean by "All people do the best way to contact you
guys". Presenting your background in an email could definitely have
helped. Steven already gave you the responses as to why it could not
necessarily be shared with anyone during that time. That said, he did not
even get your request from what he could see.


 I mentioned that I will judge your heart, and I did.
 I expected a simple apology from Shadow Server for leaving us in the
blank moment for so long that time -

  I have no problem apologising to anyone that is reaching out to us and
not getting a response. Whenever that happens, it makes me sad. And I know
that Shadowserver, at least in some circles, is generally considered
unresponsive. If you had asked around maybe you would already have known
this. And leaving you hanging was not something anyone wanted. BUT you will
have to reach out to us on some sort of medium where we actually can be
reached, and are present, and twitter is not a good one. I cannot
apologise for something we could not see. Email to our team mailboxes
normally works well, but random and weird requests may be discarded as we
may not always know if those reaching out are genuine researchers wanting
to do good or if they are actually trying to target us (I am sure you guys
have the same issues, or some of them at least). Vague hints to our twitter
handle will not work. Sometimes we happen to respond on twitter as well,
but there is no guarantee for that.

 And you said you're concerned & apologized; apology is accepted. (period)
 Again, I apologize for the inconvenience of burping this matter to a
different person.

  Sure. It's unpleasant, but it's fine.

  Case end. I hope we're good. It's your call.

 Next!

For the pending research purpose, I have also another proposal. The
cve-2013-0634 research is *currently* still open in MalwareMustDie,
because the mentioned sample did not even exist until now.
( FYI, this is the case:
http://malwaremustdie.blogspot.jp/2013/02/cve-2013-0634-this-ladyboyle-is-not.html)

So if Shadow Server would be kind enough to show us good will by sharing
with us the sample of CVE-2013-0634 that had been passed to Adobe at that time, I
will be happy to share the archive password of the PowerZeus Source Code.

  I would not mind sharing the sample at all. But I am not sure of the
details of this since I was not involved. Based on your behaviour in this
thread and on twitter though, those that have been involved have chosen not
to share it. They had expected an apology based on the context I provided
in the previous email, but as this did not happen, they are not interested
in handing any of their work over. For me, it was important to get this
resolved with you, but I do not feel like I am getting through. As I
explained in the previous email, the password is not that important to me.
But as a favor for a trusted friend I decided to ask. In the meantime I
believe he has already found what he is looking for elsewhere.

  I am sure that Shadow Server, who found the sample in the wild at that
time, has the mentioned sample in possession, so sharing the past exploit
sample would not be a burden, would it? An old sample to get Malware Source
code looks like a good deal to me.

  Again - this is about mutual respect. We generally share, share, share
and share without expecting too much back. But in this case your disrespect
to us did not help. If it helps, you can disregard my request for the
source code, please.

  *The background why we had problem is..*

Just for all the people and researchers I enclosed, and if you don't know,
the following are the facts of what happened then, and why it is still open
until now.

*CVE-2013-0634*

 The Vulnerability info is:
http://www.adobe.com/support/security/bulletins/apsb13-04.html
 I am talking about the sample of CVE-2013-0634

It is *clearly written* in the vulnerability page that the sample was
found by *Shadow Server* and the *name of Steven Adair* is written,  Ref:
http://www.securityfocus.com/bid/57787

Not only that, of course the same request was made by some of us at that
time to the vendor, and Adobe as maker replied that they never share their research
materials.

The CVE-2013-0634 requests were not coming from only me; several
researchers, with different purposes, were gathered and working together
on this CVE at that time.
 I think many of the gentlemen I enclosed are involved or remember
what happened.

 *Why did we do it? Why did we not just leave it to Adobe?*

We all know sometimes Adobe releases patches which don't actually "fix
the flaw".

I have no idea what you are referring to here.

  And in this reported CVE-2013-0633/CVE-2013-0634, the flaw itself was
so sophisticated, we didn't think that Adobe understood the whole point
well, and the silence of the maker was really not giving any help. Even the
many researchers gathered at that time really took time to figure out the
correct exploitation. Moreover, we noticed it as a ZERO DAY, since we found
CVE-2013-0633 under an infection scheme, which needed to be fixed correctly
and swiftly.

Naturally, I cannot speak for Adobe.


And I personally am (still) one of the security experts in my country, and
have the task of being in charge of a project on [snipped for privacy purpose]. So it
was also my professional duty to investigate what is right and what is
wrong on the subject.

  Right. So you could have reached out through JPCERT for the national
duty part perhaps (Shadowserver works with a lot of national CERTs, and
they can be the bridge when it comes to knowing if a contact can be trusted
or not). We have worked a bit with them before. But again, we did not even
see your request, and as such it is hard to respond to what we do not see.

  *Clarification* *to be made*

 Why did we ask? Because we need clarification of:

1) The Adobe AIR vulnerability wasn't mentioned at the time the first bulletin
was released. (After I added a video showing AIR was affected in the MalwareMustDie
blog, the vendor then added it to their description)

   Cool. Not familiar with it, but cool.

  2) The confusion between CVE-2013-0633 and CVE-2013-0634 in definition,
explained as the malicious flash object being embedded in the word file (33)
or not embedded but as a stand alone file (34).
The problem is *all samples that existed at that time were all (CVE-2013-0633)
embedded ones*, *there was NO SAMPLE for CVE-2013-0634 existing on the web...*,
Nevertheless it was stated by the maker: *Adobe is also aware of reports
that CVE-2013-0634 is being exploited in the wild in attacks delivered via
malicious Flash (SWF) content hosted on websites that target Flash Player
in Firefox or Safari on the Macintosh platform,*

 *...Something just does not fit, big question.....*

3) Later on, we found out in Virus total that someone is faking the stand
alone sample, which actually was stripped from the Word File that has the
embedded codes, and calling it the stand alone sample, which is a BIG
lie...
I still wonder who posted this to VT & why...hmm..
URL:
https://www.virustotal.com/en/file/19a5e24e8c90e2d7f65729455c3fd8b89ebbfdc8d218db3ab4a3193100106267/analysis/

   I have not worked on the specific case, and as such I cannot make
comments on this point. It is perfectly understandable that you wanted to
get your hands on the sample, and it's reasonable to ask for it. But there
may, as Steven stated, be reasons why it cannot be shared with anyone just
because they ask. And when we don't even see the question, it gets hard to
respond to it.

  *The solution expected is a Sample or hash*

 The clarification above would be clear if Shadow Server would share with us
the sample / hash of what was passed to Adobe (at that time) which was claimed as
CVE-2013-0634.
What would be so hard about sharing a malware sample by uploading it to Virus
Total? Even after the patch was released? Why is there still no sharing of
the sample until now?

 The FACT is, actually, when the vulnerability was announced by
the maker, and then FIXED by the maker, there was no sample of CVE-2013-0634
that could be confirmed.

 A vulnerability is a subject that "maybe" can be confirmed by a small party,
 but the *ZERODAY attack patch / bugfix* needs to be confirmed to check
whether it actually fixes the problem. And the sample for that purpose does not exist.

 So, no one knows what really happened during the release of
CVE-2013-0634 until now. I personally and professionally think this is not
right. Even now. And my reports related to the matter stay as they are:
the Maker doesn't want to share the sample, and Shadow Server, as the entity
that found the sample, was not cooperating to share the sample.

Naturally we will work with the vendor when we see an issue that is
affecting a LOT of users around the globe, and that will be the primary
concern. If you had pointed out that you tried reaching out to us before
and not gotten a response, and politely asked for the sample, I am sure
Steven would have been most helpful with regards to sharing it. Demanding to
get the sample and shaming us on twitter is not a good way to show respect in
my opinion, and not a good way to start a collaboration.

I do NOT want a war or any sort of disagreement between MMD and
Shadowserver. There are more than enough badness on the internets anyway,
and this is already starting to take up very valuable time.

But at the same time we will not take shit for something we did not do
because we did not see it.

-- Kjell Chr


---------- original message ----------
From: アドリアンヘンドリック <u...gmail.com>
Date: Fri, Oct 11, 2013 at 8:47 AM
Subject: Re: request for KINS password
To: Kjell Chr <k....shadowserver.org>
Cc: "Tom U. @c_APT_ure" <...gmail.com>

Hello Kjell,

I have an idea about what Shadow Server does, but this matter is not related
to that; with all due respect to your thorough, complete explanation, I'll
skip those.

I think we do the same kind of zero money charity, but in a "different way" &
I don't feel like mentioning things of what we actually did.

Again, the problem is: "ignoring a fellow researcher's sample request to
Shadow Server. All people did their best to contact you guys and ignorance
was all we got", and we have a very good reason for requesting it, please
see the background section.
I mentioned that I will judge your heart, and I did.
I expected a simple apology from Shadow Server for leaving us in the blank
moment for so long that time -

And you said you're concerned & apologized; apology is accepted. (period)
Again, I apologize for the inconvenience of burping this matter to a different
person.

Case end. I hope we're good. It's your call.

Next!

For the pending research purpose, I have also another proposal. The
cve-2013-0634 research is currently still open in MalwareMustDie, because
the mentioned sample did not even exist until now. ( FYI, this is the
case:
http://malwaremustdie.blogspot.jp/2013/02/cve-2013-0634-this-ladyboyle-is-not.html)

So if Shadow Server would be kind enough to show us good will by sharing with us
the sample of CVE-2013-0634 that had been passed to Adobe at that time, I will
be happy to share the archive password of [ snipped for confidentiality ].
I am sure that Shadow Server, who found the sample in the wild at that time,
has the mentioned sample in possession, so sharing the past exploit sample
would not be a burden, would it? An old sample to [snipped for confidentiality]
The background why we had the problem is..

Just for all the people and researchers I enclosed, and if you don't know,
the following are the facts of what happened then, and why it is still open
until now.

** CVE-2013-0634 **

The Vulnerability info is:
http://www.adobe.com/support/security/bulletins/apsb13-04.html
I am talking about the sample of CVE-2013-0634

It is clearly written in the vulnerability page that the sample was found
by Shadow Server and the name of Steven Adair is written,  Ref:
http://www.securityfocus.com/bid/57787

Not only that, of course the same request was made by some of us at that time
to the vendor, and Adobe as maker replied that they never share their research
materials.

The CVE-2013-0634 requests were not coming from only me; several
researchers, with different purposes, were gathered and working together
on this CVE at that time.
I think many of the gentlemen I enclosed are involved or remember what
happened.

** Why did we do it? Why did we not just leave it to Adobe? **

We all know sometimes Adobe releases patches which don't actually "fix
the flaw".
And in this reported CVE-2013-0633/CVE-2013-0634, the flaw itself was so
sophisticated, we didn't think that Adobe understood the whole point
well, and the silence of the maker was really not giving any help. Even the
many researchers gathered at that time really took time to figure out the
correct exploitation. Moreover, we noticed it as a ZERO DAY, since we found
CVE-2013-0633 under an infection scheme, which needed to be fixed correctly
and swiftly.

And I personally am (still) one of the security experts in my country, and
have the task of being in charge of a project on [snipped for privacy purpose]. So it
was also my professional duty to investigate what is right and what is
wrong on the subject.
Clarification to be made
Why did we ask? Because we need clarification of:

1) The Adobe AIR vulnerability wasn't mentioned at the time the first bulletin
was released. (After I added a video showing AIR was affected in the MalwareMustDie
blog, the vendor then added it to their description)

2) The confusion between CVE-2013-0633 and CVE-2013-0634 in definition,
explained as the malicious flash object being embedded in the word file (33)
or not embedded but as a stand alone file (34).
The problem is all samples that existed at that time were all (CVE-2013-0633)
embedded ones, there was NO SAMPLE for CVE-2013-0634 existing on the web...,
Nevertheless it was stated by the maker: Adobe is also aware of reports that
CVE-2013-0634 is being exploited in the wild in attacks delivered via
malicious Flash (SWF) content hosted on websites that target Flash Player
in Firefox or Safari on the Macintosh platform,

...Something just does not fit, big question.....

3) Later on, we found out in Virus total that someone is faking the stand
alone sample, which actually was stripped from the Word File that has the
embedded codes, and calling it the stand alone sample, which is a BIG lie...
I still wonder who posted this to VT & why...hmm..
URL:
https://www.virustotal.com/en/file/19a5e24e8c90e2d7f65729455c3fd8b89ebbfdc8d218db3ab4a3193100106267/analysis/
The solution expected is a Sample or hash
The clarification above would be clear if Shadow Server would share with us
the sample / hash of what was passed to Adobe (at that time) which was claimed as
CVE-2013-0634.
What would be so hard about sharing a malware sample by uploading it to Virus
Total? Even after the patch was released? Why is there still no sharing of
the sample until now?

The FACT is, actually, when the vulnerability was announced by the
maker, and then FIXED by the maker, there was no sample of CVE-2013-0634
that could be confirmed.
A vulnerability is a subject that "maybe" can be confirmed by a small party,
but the ZERODAY attack patch / bugfix needs to be confirmed to check
whether it actually fixes the problem. And the sample for that purpose does not exist.
So, no one knows what really happened during the release of
CVE-2013-0634 until now. I personally and professionally think this is not
right. Even now. And my reports related to the matter stay as they are:
the Maker doesn't want to share the sample, and Shadow Server, as the entity
that found the sample, was not cooperating to share the sample.
That is the background of all this communication.

regards,
---
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/