Document Title: =============== Trojan Poison Ivy 2.3.2 - Critical Null Pointer Vulnerability Release Date: ============= 2011-08-08 Vulnerability Laboratory ID (VL-ID): ==================================== 113 Product & Service Introduction: =============================== Poison Ivy is an advanced remote administration tool for Windows (the client is reported to run on WINE or other emulators on various Linux/UNIX flavors), written in pure assembly (server), and Delphi (client). The server contains no dependencies of any kind, and runs on 2000/XP/2003/Vista.Since version 2.3.0, the server size is dependent on the settings, which means additional features (like key logger, etc.), will make the final server larger. Even so, the maximum size of the server is around 7KiB, unpacked. Being independent code, the server builder can produce PEs, or shellcode(in the form of arrays for C, Delphi, Python, or raw binary), depending on your needs. The most important features are encrypted communications (256bit Camellia), compressed communications, full-featuredfile manager, registry manager, key logger, services manager, relay server, process manager, remote audio capture, screen capture, web cam capture, multiple simultaneous transfers, password manager, and the ability to share servers, based on privilege levels, and various other things that you will find useful. Poison Ivy is also special compared to other similar tools, because the server doesn\'t need to be updated, even if new features are added. Even though the server supports 3rd party plugins, it\'s important to know that all the features not listed in the “Plugins” section are self-contained in the server, and no additional files are used at any time. The plugins (as well as the server and key logger file) are stored encrypted in ADS (Alternative Data Stream) on NTFS partitions (they are stored normally on FAT32). (Copy of the Vendor Homepage: http://www.poisonivy-rat.com/index.php?link=dev/) Abstract Advisory Information: ============================== Vulnerability-Lab discovered a Null Pointer dereference vulnerability on Poison Ivy 2.3.2 Trojan/Rat kit. Vulnerability Disclosure Timeline: ================================== 2011-08-06: Public or Non-Public Disclosure Discovery Status: ================= Published Affected Product(s): ==================== Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ Attackers can crash(AppCrash) or violate(access-violation) the software(Client & later Server) via null pointer write. A remote attacker can crash the client software with zer0 or negative integer string when generating a server over gernal settings. Later the corrupt generated file can be used to crash the poison ivy server on an infected system :) WRITE_ADDRESS to any other Address. Vulnerable Module(s): [+] General Seetings --- Debug Logs --- 0:000> g (a00.b40): Access violation - code c0000005 (first chance) eax=00000000 ebx=7efde000 ecx=00000000 edx=00611060 esi=00000000 edi=00000000 eip=0061107d esp=0018ff6c ebp=0020d509 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 image00400000+0x21107d: 0061107d 8700 xchg eax,dword ptr [eax] ds:002b:00000000=???????? 0:000> g (a00.b40): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=7efde000 ecx=00000000 edx=00611060 esi=00000000 edi=00000000 eip=0061107d esp=0018ff6c ebp=0020d509 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 image00400000+0x21107d: 0061107d 8700 xchg eax,dword ptr [eax] ds:002b:00000000=???????? 0:000> !exchain 0018ffc4: +31 (772e041d) FAULTING_IP: image00400000+21107d 0061107d 8700 xchg eax,dword ptr [eax] EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 0061107d (image00400000+0x0021107d) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 00000000 Attempt to write to address 00000000 FAULTING_THREAD: 00000b40 PROCESS_NAME: image00400000 FAULTING_MODULE: 76a90000 kernel32 DEBUG_FLR_IMAGE_TIMESTAMP: 2a425e19 MODULE_NAME: image00400000 ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden. EXCEPTION_PARAMETER1: 00000001 EXCEPTION_PARAMETER2: 00000000 WRITE_ADDRESS: 00000000 FOLLOWUP_IP: image00400000+21107d 0061107d 8700 xchg eax,dword ptr [eax] BUGCHECK_STR: APPLICATION_FAULT_NULL_POINTER_WRITE_ PRIMARY_PROBLEM_CLASS: NULL_POINTER_WRITE DEFAULT_BUCKET_ID: NULL_POINTER_WRITE LAST_CONTROL_TRANSFER: from 76aa3677 to 0061107d STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 0018ff88 76aa3677 7efde000 0018ffd4 772a9d72 image00400000+0x21107d 0018ff94 772a9d72 7efde000 71eae27e 00000000 kernel32!BaseThreadInitThunk+0x12 0018ffd4 772a9d45 00611060 7efde000 00000000 ntdll!RtlInitializeExceptionChain+0x63 0018ffec 00000000 00611060 7efde000 00000000 ntdll!RtlInitializeExceptionChain+0x36 SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: image00400000+21107d FOLLOWUP_NAME: MachineOwner STACK_COMMAND: ~0s ; kb BUCKET_ID: WRONG_SYMBOLS IMAGE_NAME: C:\\Users\\Rem0ve\\Desktop\\PI2.3.2\\Poison Ivy 2.3.2.exe FAILURE_BUCKET_ID: NULL_POINTER_WRITE_c0000005_C:_Users_Rem0ve_Desktop_PI2.3.2_Poison_Ivy_2.3.2.exe!Unknown Pictures: ../1.png ../2.png Proof of Concept (PoC): ======================= The vulnerability can be exploited by local attackers/cleaners. For demonstration or reproduce ... Manually reproduce ... 1. Open program: Start Client & a generated running Server 2. Run Debugger on both executables 3. After: Switch to General Settings 4. Use an emtpy string on Save Path; Screen-Webcam capture path 5. Generate the server 6. Client crashs but generate the file 7. Start generated file on poison ivy infected server :) (a00.b40): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=7efde000 ecx=00000000 edx=00611060 esi=00000000 edi=00000000 eip=0061107d esp=0018ff6c ebp=0020d509 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 *** WARNING: Unable to verify checksum for image00400000 *** ERROR: Module load completed but symbols could not be loaded for image00400000 image00400000+0x21107d: 0061107d 8700 xchg eax,dword ptr [eax] ds:002b:00000000=???????? 0:000> g (a00.b40): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=7efde000 ecx=00000000 edx=00611060 esi=00000000 edi=00000000 eip=0061107d esp=0018ff6c ebp=0020d509 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 image00400000+0x21107d: 0061107d 8700 xchg eax,dword ptr [eax] ds:002b:00000000=???????? 0:000> !exchain 0018ffc4: +31 (772e041d) Credits & Authors: ================== Vulnerability Research Laboratory Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission. Copyright © 2012 | Vulnerability Laboratory