Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

* 0-Day Win32 holes, Oracle&DB2 Revisited, Snort DoS Update, IRC over SMTP, Santy Poll Results

Published: 2004-12-23
Last Updated: 2004-12-24 03:16:43 UTC
by Erik Fichtner (Version: 1)
0 comment(s)
I'm not dreaming of a 0-day Xmas



The holiday news continues to be bleak, with a pair of critical vulnerabilities
for Windows NT/2000/2003/XP. First, unless you're running XP SP2, there is
a buffer overflow in the LoadImage API, resulting in bitmaps, icons, and
animated cursor data files (.bmp, .cur, .ico, and .ani) that can be exploited
via HTML delivered either via email or a website. This vulnerability can be
used to execute code. Secondly, there is a heap overflow in winhlp32.exe
while processing help files on Windows, including XP SP2, apparently. Try not
to install help files until some Tuesday in, we hope, January.




Irresponsible Disclosure




On 31 August 2004, Oracle released patch number 68 to correct a large number of vulnerabilities in nearly all production versions of the Oracle
database software. In conjunction with this, the discoverer of these vulnerabilities released a notification that the flaws existed, that they
deserved your attention, and that he was going to withhold details of the vulnerabilities for three months; until 31 November 2004, to give
Oracle administrators ample time to patch, and the rest of the InfoSec community time to twiddle their thumbs aimlessly.



Likewise, said discoverer also found flaws in the IBM DB2 database, and released information on them with similar time parameters. 9 September 2004
to 1 December 2004.



1 December 2004 came and went with nary a mention of the details of any of these vulnerabilities.



Today, 23 December 2004; a time when many database administrators who have not already left on holiday vacation are starting to plan their extended
holiday weekend, this "responsible discloser" lets the other shoe drop on these vulnerabilities. Pardon me, but exactly what message is
this action trying to send? That if you failed to get your patching done before details of these flaws were released, you apparently deserve to
have your holiday plans potentially ruined? For the record, I'm personally partial to the "full disclosure" method, but releasing exploit
details immediately prior to a major holiday is mean, spiteful, and rude.



You could have waited until 1 January 2005 with no further ill effect, or released the information on 1 December 2004 as you originally promised.



David Litchfield, you sir, are a grinch. Nice going.



By the way, if you haven't already patched; yes, they're serious vulnerabilities. http://metalink.oracle.com/ , http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html ,and http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html



The opinions contained within this diary entry are personal opinions, and not representative of the entire Internet Storm Center, or the SANS Institute, or really anyone else, for that matter.



Further information on the Snort DoS



We're getting reports that the DoS tool only sometimes works, and it turns
out that the vulnerability only manifests itself in verbose mode or when
using the "-A fast" output plugin; neither of which are popular or reccomended
for production use. If you're using snort this way, it is suggested that
you switch to using the unified output plugin, or simply upgrading to 2.3.0RC2;
which works pretty well. (If a sketchy DoS vulnerability isn't enough
of a carrot, they've also made some engine changes to 2.3.0RC2 to allow for
better WINS signatures and some performance enhancements.)



IRC over SMTP



A few more people have reported that they've seen IRC traffic to their SMTP
services. Keep looking!



ISC Poll Summary



Our first reader poll http://isc.sans.org/poll.php indicates that Santy.A
wasn't much of an issue for our readers. The majority of those running phpBB
had either already patched their phpBB code, or had an effective workaround
already in place. Good for you! Between effective file permissions and
the mod_security module http://www.modsecurity.org/ Santy.A was mostly harmless.
(although, some 30,000 site administrators would probably disagree with that
assessment.) Only 1% of our readers that answered the poll were compromised by
this one. Those are pretty good numbers.



Keywords:
0 comment(s)
Diary Archives