
SANS ISC InfoSec Handlers Diary Blog



New MS SQL Server vulnerability

Published: 2008-12-15
Last Updated: 2008-12-16 01:21:55 UTC
by Toby Kohlenberg (Version: 2)
2 comment(s)

A slightly belated entry to make sure everyone is aware that last week we saw a new vulnerability announced for MS SQL Server 2000, 2005 & 2005 Express Edition by Bernhard Mueller from SEC Consult. Here is the original announcement: http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt

The above link does include a simple test script (not a full PoC) for the vulnerability.

There is a mitigation available: you can remove the vulnerable stored procedure (see the correction below for SQL Server 2005). Microsoft hasn't provided a patch yet, nor a timeframe for delivery.

Update: We've had a report that this works against 64-bit as well as 32-bit versions of SQL Server 2005 (no reports on SQL Server 2000 yet).

Also, thanks for the comments from Brian and Hacktheplanet pointing out that in SQL Server 2005 you can't remove the stored procedure; all you can do is deny execute permission on it to the public role: http://msdn.microsoft.com/en-us/library/ms164755(SQL.90).aspx
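As an added example (not from the diary or the SEC Consult advisory), here is the SQL Server 2005 mitigation as T-SQL, followed by a query that confirms the deny is recorded. It assumes the procedure is master.dbo.sp_replwritetovarbin, the name used in the advisory URL, and that you run it as a sysadmin.

```sql
-- Added example, not from the diary: apply and verify the SQL Server 2005 mitigation.
-- Assumes the vulnerable procedure is master.dbo.sp_replwritetovarbin (the name in
-- the advisory URL) and that this runs as a sysadmin login.
USE master;
GO

-- SQL Server 2005 cannot drop this system procedure, so deny EXECUTE to public.
-- Logins that are not sysadmin and have no other explicit grant lose access.
DENY EXECUTE ON OBJECT::dbo.sp_replwritetovarbin TO public;
GO

-- Verification: list the explicit permissions recorded on the procedure.
-- Expected result after the DENY above: one row, principal_name = 'public',
-- permission_name = 'EXECUTE', state_desc = 'DENY'.
SELECT pr.name            AS principal_name,
       pe.permission_name,
       pe.state_desc
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.class_desc = 'OBJECT_OR_COLUMN'
  AND  pe.major_id   = OBJECT_ID('dbo.sp_replwritetovarbin');
GO
```

Sysadmin members bypass the deny, so the query is a check that the setting is in place, not proof that every login is blocked; review who holds sysadmin separately.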
Keywords: MS SQL Server

W32.Delezium/Impair.A virus being seen

Published: 2008-12-15
Last Updated: 2008-12-15 20:40:10 UTC
by Toby Kohlenberg (Version: 1)
0 comment(s)

We've gotten reports that the W32.Delezium (from Symantec)/Impair.A (from Sophos) virus is floating around and being a general pain in the neck. The detection from Symantec (as "W32.Delezium/inf") only catches infected files, not the virus itself.

The Symantec report is more detailed than the Sophos report, though there are some contradictions between the two on how the virus spreads. The virus is a standard file infector, but it also inserts a registry entry so that it runs at every startup.

From the Symantec report:

"Next, the virus searches all local, removable and network drives for files with the following extensions, which it subsequently deletes:

  • .3dx
  • .3gp
  • .app
  • .as
  • .asp
  • .aspx
  • .avi
  • .cad
  • .css
  • .doc
  • .fla
  • .frm
  • .gif
  • .jar
  • .java
  • .jpg
  • .jsp
  • .mdb
  • .mp3
  • .mpg
  • .pdf
  • .ppt
  • .psd
  • .rar
  • .sis
  • .vb
  • .wmv
  • .xls
  • .zip

The virus then searches all removable drives for .exe files, which it then infects."


Apple Releases OSX 10.5.6/Security update 2008-008

Published: 2008-12-15
Last Updated: 2008-12-15 18:25:13 UTC
by Toby Kohlenberg (Version: 1)
0 comment(s)

Apple has released an update for OS X; 10.5.6 is now available through the Software Update app.

It patches a large number of vulnerabilities; here are just the CVEs:

  • CVE-2008-4236 - Apple Type Services malicious PDF font DoS
  • CVE-2008-4217 - BOM CPIO archive code execution
  • CVE-2008-3623 - CoreGraphics heap overflow via malicious image
  • CVE-2008-3170 - CoreServices/Safari user credential disclosure
  • CVE-2008-4234 - CoreTypes failure of Download Validation (no warning when you launch downloaded content)
  • CVE-2008-4818 - Flash Player plug-in issues (as per previous entries earlier in the summer)
  • CVE-2008-4819 - Flash Player plug-in issues
  • CVE-2008-4820 - Flash Player plug-in issues
  • CVE-2008-4821 - Flash Player plug-in issues
  • CVE-2008-4822 - Flash Player plug-in issues
  • CVE-2008-4823 - Flash Player plug-in issues
  • CVE-2008-4824 - Flash Player plug-in issues
  • CVE-2008-4218 - Kernel integer overflow allowing local priv escalation
  • CVE-2008-4219 - Kernel - system crash when you use dynamic libraries on an NFS share
  • CVE-2008-4220 - Libsystem integer overflow in the inet_net_pton API (gives code execution)
  • CVE-2008-4221 - Libsystem "memory corruption" via the strptime API (gives code execution)
  • CVE-2008-1391 - Libsystem - a whole pile of integer overflows in the strfmon API (gives code execution)
  • CVE-2008-4237 - Managed Client doesn't apply managed screen saver settings correctly
  • CVE-2008-4222 - network_cmds - DoS via custom TCP packet when Internet Sharing is enabled
  • CVE-2008-4223 - Podcast Producer auth bypass allows a remote attacker access to the admin functions
  • CVE-2008-4224 - UDF - a specially built ISO file can cause a system crash.

You can get the update via Software Update or from: http://www.apple.com/support/downloads/

The hashes are as follows:

For Mac OS X v10.5.5
The download file is named: "MacOSXUpd10.5.6.dmg"
Its SHA-1 digest is: 684f67524a92b4314a4bdd52498fb3b6af8f9ded

For Mac OS X v10.5 - v10.5.4
The download file is named: "MacOSXUpdCombo10.5.6.dmg"
Its SHA-1 digest is: 09de4ac2c5591ab75d51ef37dc70f9e5630150d4

For Mac OS X Server v10.5.5
The download file is named: "MacOSXServerUpd10.5.6.dmg"
Its SHA-1 digest is: bd14ab94b9bcc896da1613ac761171b54286bcac

For Mac OS X Server v10.5 - v10.5.4
The download file is named: "MacOSXServerUpdCombo10.5.6.dmg"
Its SHA-1 digest is: e20d8d458be3ec51b0083ff823ce27def00dbca7

For Mac OS X v10.4.11 (Intel)
The download file is named: "SecUpd2008-008Intel.dmg"
Its SHA-1 digest is: 651e592fad1bd158a76459a81d2ebede1f3bedea

For Mac OS X v10.4.11 (PowerPC)
The download file is named: "SecUpd2008-008PPC.dmg"
Its SHA-1 digest is: 9bb2aa7fcc924715b6442e808fc778789f359906

For Mac OS X Server v10.4.11 (Universal)
The download file is named: "SecUpdSrvr2008-008Univ.dmg"
Its SHA-1 digest is: 21702064037150cdeb9d708304ee91eb254c7371

For Mac OS X Server v10.4.11 (PowerPC)
The download file is named: "SecUpdSrvr2008-008PPC.dmg"
Its SHA-1 digest is: d0e4720051ea27b8edf0ab2a124d6e9f0e16534c

We'll be updating as we have any additional information about the update.
