Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

*Intel Centrino Vulnerabilities

Published: 2006-08-01
Last Updated: 2006-08-02 22:13:46 UTC
by Johannes Ullrich (Version: 2)
0 comment(s)

Intel has released driver security updates for Centrino device drivers for Windows and for the PROSet management software.
http://support.intel.com/support/wireless/wlan/sb/CS-023068.htm

There are three issues identified:
Intel® Centrino Wireless Driver Malformed Frame Remote Code Execution
http://support.intel.com/support/wireless/wlan/sb/CS-023065.htm
Intel® PROSet/Wireless Software Local Information Disclosure
http://support.intel.com/support/wireless/wlan/sb/CS-023066.htm
Intel® Centrino Wireless Driver Malformed Frame Privilege Escalation
http://support.intel.com/support/wireless/wlan/pro2100/sb/CS-023067.htm

The first and the third seem to be most severe. At this point we don't know of any public exploits for these vulnerabilities. The second one (PROSet info disclosure) has been around for a while and is known but local only.

The announcements contain details on which drivers are vulnerable as well as links to patches and a tool to determine which version you have-
http://support.intel.com/support/wireless/wlan/sb/cs-005905.htm

Below are the summaries of the affected platforms
Intel® Centrino Wireless Driver Malformed Frame Remote Code Execution
    * Intel® PRO/Wireless 2200BG Network Connection
    * Intel® PRO/Wireless 2915ABG Network Connection

Intel® PROSet/Wireless Software Local Information Disclosure
    * Intel® PRO/Wireless 2100 Network Connection
    * Intel® PRO/Wireless 2200BG Network Connection
    * Intel® PRO/Wireless 2915ABG Network Connection
    * Intel® PRO/Wireless 3945ABG Network Connection

Intel® Centrino Wireless Driver Malformed Frame Privilege Escalation
    * Intel® PRO/Wireless 2100 Network Connection

The details of which drivers are listed on the pages and we recommend you look there.

As far as we know, these will not be delivered via the Microsoft Update tool. You will need to download and install them manually unless your system vendor (the folk who make your laptop) provides an automated tool for you. Before you download and install these, we strongly suggest you talk to your system vendors and see if they are coming out with custom versions of the patches.

On a related note- there will be a talk on exploiting device drivers on Wednesday 8/2/06 at Blackhat Vegas. Anyone who can make it should go.
Update 8/2/06: Brian Krebs has added a nice article on MacBook "wireless driver fu" to his SecurityFix blog, see http://blog.washingtonpost.com/securityfix/2006/08/hijacking_a_macbook_in_60_seco_1.html

Keywords:
0 comment(s)

Heads Up: new flaw in McAfee

Published: 2006-08-01
Last Updated: 2006-08-02 01:56:32 UTC
by Arrigo Triulzi (Version: 3)
0 comment(s)
The ISC has received several notifications of an upcoming security advisory regarding McAfee products.  The flaw provides remote execution of code in the following software:
  • McAfee Internet Security Suite 2006
  • McAfee Wireless Home Network Security
  • McAfee Personal Firewall Plus
  • McAfee VirusScan
  • McAfee Privacy Service
  • McAfee SpamKiller
  • McAfee AntiSpyware
Apparently 2007 editions of the products, released this past Saturday, are not affected.  There is also an article on the Toronto Globe and Mail covering the issue.

Thanks to Jacques and Bruce for drawing our attention to the issue.

Update: a reader (thank you Juha-Matti) reports that an official McAfee security bulletin including a fixed McAfee Security Center is already available from the support website.

Update 2: (2006-08-02 01:50 UTC)  We've received reports that some users are having problems with the update causing issues with other software.  If you encounter problems, you may want to check the McAfee help forums at http://forums.mcafeehelp.com/.
Keywords:
0 comment(s)

GnuPG 1.4.5 released - remote execution possible

Published: 2006-08-01
Last Updated: 2006-08-01 23:40:00 UTC
by Arrigo Triulzi (Version: 1)
0 comment(s)
A new version of GnuPG has been released addressing memory allocation problems.

From the ChangeLog:
 *    Fixed 2 more possible memory allocation attacks.  They are
similar to the problem we fixed with 1.4.4. This bug can easily
be be exploted for a DoS; remote code execution is not entirely
impossible.
At the time of writing this version was still trickling down to mirrors.
Keywords:
0 comment(s)

Apple OS X patches out

Published: 2006-08-01
Last Updated: 2006-08-01 23:28:47 UTC
by Arrigo Triulzi (Version: 2)
0 comment(s)
Time to run Software Update for OS X users... Security update 2006-004 is out!

The patch clocks in at around 8.5 Mbyte (Intel) or 5.5 Mbyte (PPC) and covers a lot of vulnerabilites. The bold ones are critical (remote code execution):
  • more authentication issues with AFP (the good ol' Mac file-sharing protocol),
  • an interesting increase in the length of the Bluetooth auto-generated passkey for pairing (from six to eight characters),
  • dynamic linker update (probably the "usual" trickery involving LD_PRELOAD which has been applied successfuly to many Unix systems in the past)
  • gunzip file permission issues and overwriting files with the -N option,
  • Bom decompression executing malicious code,
  • more image viewer trouble with Canon RAW format (malicious code execution, again),
  • same as above but with GIFs,
  • same as above but with TIFFs,
  • Safari troubles with Javascript,
  • OpenSSH DoS attack when someone tries brute-forcing usernames (this is a regression bug since apparently it only affects 10.4 upwards),
  • the good ol' "telnet hands out environment variables to servers" now hitting OS X's telnet client,
  • Webkit giving access to de-allocated objects,
  • fetchmail with lots of stuff including arbitrary code execution when downloading from a malicious POP3 server,
  • and finally DHCP (bootpd actually) giving nice access with a malformed query.
My initial reaction to most of this is "haven't we seen this before?" because quite frankly most of the holes above have been seen in older *nixes a while back (the telnet one was a classic, not to mention the LD_PRELOAD trickery).

Although we aren't aware of any exploits we recommend upgrading immediately since there are so many remote code execution vulnerabilities.

Now the problem is that your Handler on Duty can't apply the patches until he's done with the shift...

Update: exploits for the fetchmail vulnerability are already available.
Keywords:
0 comment(s)

Bleeding Snort Domain.

Published: 2006-08-01
Last Updated: 2006-08-01 18:08:04 UTC
by Kevin Hong (Version: 2)
0 comment(s)
The folks over at Bleeding Snort have released an alert titled "Domain Gone."  They owned the "bleedingsnort.org" domain, but the domain was inadvertantly allowed to expire and someone else purchased it and may be using it to distribute malware or other unwanted programs. The Bleeding Snort team provides lots of SNORT signatures and other useful security information. Their official web site is (and always has been) http://www.bleedingsnort.com.
 
Please, until we know more about what's behind it, do not visit the "bleedingsnort.org" site (or, if you do, be very careful).

Update:  We have confirmed that the .org site has been dropping malware (not identified by all A/V) in the last 24 hours, so chalk one up for the bad guys and cybersquatters. :(
Keywords:
0 comment(s)

MySQL MERGE Table Privilege Revoke Bypass

Published: 2006-08-01
Last Updated: 2006-08-01 16:58:29 UTC
by Arrigo Triulzi (Version: 1)
0 comment(s)
Secunia published today an advisory regarding MySQL, in their words:

"The vulnerability is caused due to a design error in the user privilege verification for MERGE tables. This can be exploited to keep access to a table via an in advance created MERGE table even after the privileges has been revoked for the table."

They rate the vulnerability as "not critical".

Keywords:
0 comment(s)

Tip of the Day: Strong Passwords

Published: 2006-08-01
Last Updated: 2006-08-01 10:59:49 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
This is the first in our "Security tip of the day" series. Guess since I mentioned strong passwords, I got a lot of tips about how to pick them. So lets get that out of the way with our tip #1:

Probably the easiest way to pick a better password is to move to pass-phrases. Instead of a word, a pass-phrase is a sentence. For example: "This is a good password" vs. "password". Obviously, passphrases are much harder to brute force. The can still be guessed. But "My favorite pet's name is Fluffy" is much harder to guess then just "Fluffy".

You may still play the usual tricks and substitute certain letters with "leet speak". "My f@vorit3 pet's name is Fluffy".

In some cases the size of your password may be limited by the system. In these cases, you can use just the first letter of each word in your passphrase.

Not everybody agrees with it, but I do recommend to use a set of passwords for different uses. Use a throw away password for all the random web sites you have to register (e.g. your favorite news paper and such). A second password for things like online forums you contribute to (a bit more tricky as if someone gets that password, they could damage your reputation by posting in your name). Lastly: Be careful what you allow the web site to store. You may not care if anybody knows your order history for an online store. If so, you could chose one of your commodity passwords. But its different if you allow the site to keep your credit card number.

How to store passwords: There are a number of "password safe" applications that are usually pretty good. I am not too concerned about how well they protect your password once a person broke into your system (either physically or remotely). If they do, then its usually "game over" anyway as they will not get the info they need via keyloggers and means like that. Same for writing down passwords. You probably don't want to use Post-It notes at work. Too many people usually have easy access to your desk. But at home: Write your passwords down and keep the sheet close to the PC. Maybe obfuscate them a bit by writing them down backwards. But if a burglar breaks into your house, a lost online banking password is probably not a huge deal compared to the other damage and easily changed.

For your awareness program: A couple universities came out with nice "Passwords are like Underwear" posters. (a Google search will reveal others if you don't like this particular version).

Fellow handler Don Smith also noted that in the Denver area a number of car break ins have been linked back to identity theft.

With that: No more tips on strong passwords! I want tips on how to avoid using passwords ;-). Or if you got an other security tip, please let us know via the contact form. After all: August is security tip month!

I would like to thank for contributions for this tip:
Micha Pekrul, Frank Hieber, Dan Kirk, Christopher Vera and my fellow handlers.
Keywords: ToD
0 comment(s)
Diary Archives