Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

MS10-070 OOB Patch for ASP.NET vulnerability

Published: 2010-09-28
Last Updated: 2010-09-30 00:20:37 UTC
by Daniel Wesemann (Version: 5)
27 comment(s)

Microsoft Bulletin MS10-070 has been released. An update is now available that addresses the ASP.NET "information disclosure" vulnerability (CVE-2010-3332) that we reported on earlier 

The core pieces in the advisory are probably in the sections that read

"In Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config"   and  "This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server." 

Translated, this means that the vulnerability undermines basic web application security. I suspect that online shops and such might rate the risk that "an attacker can read any file" on their web application server a bit higher than just "important".

According to the bulletin, MSFT are aware of "active attacks".

In combination, this sure sounds like PATCH NOW! to me.

 

Update 1800UTC: If you're wondering what a "Padding Oracle" is, the original attack is described very well in this research paper .

Update 1830UTC: Changing InfoCon to YELLOW, to raise awareness for this problem and patch. We'll go back to GREEN in 24hrs unless significant new information develops.

Update 00:13 UTC: Changing InfoCon back to Green. Most people should be well and truly aware of the issue. We may raise it again if we receive reports of widespread use or other changes.  

27 comment(s)

Strange packet: "daylight rekick", anyone?

Published: 2010-09-28
Last Updated: 2010-09-28 22:56:11 UTC
by Daniel Wesemann (Version: 1)
9 comment(s)

ISC reader Keith reports a "strange packet" on his network. He gets the following alert

9/28/2010 2:09 PM : C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET 272: Sep 28 19:09:41: %C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 5 times)Packet received with invalid source MAC address (45:42:55:47:3D:57) on port Po1 in vlan 24

and the following packet to go with it:

0000 3d 3d 4b 56 3d 44 45 42 55 47 3d 57 26 4c 3d 3d
0010 64 61 79 6c 69 67 68 74 20 72 65 6b 69 63 6b 21
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0030 00 00 00 00 00 00 00 00 00 00 00 00

No surprise really that this packet is "illegal". When parsed into plain ASCII, it reads

==KV=DEBUG=W&L==
daylight rekick!

Has anyone seen this before and might know what sort of device could be burping out these non-IP packets directly onto the VLAN?

Keywords: packet
9 comment(s)

Supporting the economy (in Russia and Ukraine)

Published: 2010-09-28
Last Updated: 2010-09-28 09:38:37 UTC
by Daniel Wesemann (Version: 1)
12 comment(s)

While the media at large is all agog at Stuxnet, they probably would do better to keep their writers looking at Zeus. Zeus/Zbot must be one of the most successful banking trojans ever. It's been around for three (four?) years, and no doubt has made some of its originators very very rich. McAfee last week published a write-up on the capabilities that come with the recent Zeus Build-kit. Yes, there's an actual application that allows to create custom versions of Zeus. If you're an online banking user who feels safe because your online bank uses one-time passwords, or because it sports one of these cute "on-screen keyboards", think again: Zeus got them all in the bag. Brian Krebs regularly reports about the latest frauds linked to this family of malware. Recently, he wrote about a church that lost 600k$ from their accounts to key-logging malware. 

Somehow, it looks like the banks either don't care, or don't grasp the concept of "defense in depth", or both. Here's four simple measures that would make online banking fraud a whole lot harder:

* Changing my email address / mobile phone number on file can only be done by visiting my bank branch in person
* Changing them triggers an email/SMS to the old address
* Adding a new payee that was never before used triggers an email/SMS
* A new payee can only be used for a payment or transfer 7 days after it has been added

There, dear banks: All of this can be implemented basically for free. You can even allow your customers to opt-in voluntarily. You'll be surprised how many of them do so - you know, folks and organizations who actually earn their money the hard way seem to oddly enough care a whole lot about keeping it safe.  

I have no doubts that a new Zeus version would find a way around these measures eventually. But if you don't fight, you already lost. Banks, get off your collective behinds, and evolve, please.

Keywords: fraud keylogger zeus
12 comment(s)
Diary Archives