
SANS ISC InfoSec Handlers Diary Blog



MS Office buffer overflow vuln, still more botnets, and don't be a baddie, be a goodie!, 2004 SANS Top 20 List

Published: 2004-10-07
Last Updated: 2004-10-08 07:09:20 UTC
by George Bakos (Version: 1)
Office BOF - might be exploitable

Well, next week will bring another round of Microsoft patching goodness, a hint of which came from Secunia:

http://secunia.com/advisories/12758/

"HexView has discovered a vulnerability in Microsoft Word, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system."

"The vulnerability is caused due to an input validation error within the parsing of document files and may lead to a stack-based buffer overflow."

IMHO, the best part of the advisory is the recommended solution - "Open trusted documents only." Until details are made available, here are your options - choose any two:

A - Don't open documents for which you can't establish a complete chain of custody within your trusted domain

B - Set your Internet Zone security to "High" and/or don't download files that would be rendered by MS Word

C - Don't use Word. There are alternatives (e.g. OpenOffice.org) that haven't suffered the same attention from exploit developers

D - Cross your fingers and shoot dice

Now, I have no knowledge of the existence of such an inclusion in next week's patches, nor would I be at liberty to discuss the details contained within that inclusion, if in fact, such an inclusion exists. Sir.

Botnets abound

As the ISC continues to work with network service providers to shut down large networks of compromised machines (http://isc.sans.org/diary.php?date=2004-10-05), new ones keep cropping up. Most of these "botnets" use IRC for communication, sometimes on public networks (http://zine.dal.net/previousissues/issue22/botnet.php), but often run on private servers installed on well-connected compromised hosts. These servers can be readily moved to another location and re-join the botnet with little effort, making it difficult to shut down the larger nets. One of the honeypots at ISTS (http://www.ists.dartmouth.edu) was compromised with a new SDbot variant and joined in the fray. The server it connected to reported:

There are 1 users and 10034 invisible on 17 servers

I counted over 900 unique hostnames joining one botnet channel on this network in the past 24 hours, but the only command issued was a simple scan request.

Folks, the variant of SDBot that hit the honeypot wasn't detected by 11 out of 13 antivirus programs I scanned it with. A/V alone won't defeat this rising tide. Please have a look at your perimeter sensors and keep an eye out for port 6667 traffic, especially at odd hours. If you see any that can't be attributed to deliberate user actions, capture some packets and shoot them off to us.
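As an added example (not ISC code), here is a small Python triage script for the port 6667 check above. It reads a simplified, constructed flow-log format (date, time, source, destination, destination port, bytes; an assumed layout, not any particular sensor's output), keeps only connections to TCP 6667 outside an assumed 07:00 to 19:00 weekday window, and then counts how many distinct internal hosts are talking to each IRC server, since a crowd of hosts on one server that nobody uses on purpose is exactly the traffic worth capturing packets of.

```python
"""Spot off-hours IRC (TCP 6667) traffic in a connection log.

Added example for this diary entry, not ISC code. It assumes a simplified,
constructed flow-log format (date time src dst dport bytes) and an assumed
07:00-19:00 weekday business window; adapt both to your own sensor output.
"""
from collections import defaultdict
from datetime import datetime

IRC_PORT = 6667
BUSINESS_START, BUSINESS_END = 7, 19  # assumed local working hours

# Constructed sample records, one connection per line (2004-10-07 is a Thursday).
SAMPLE_LOG = """\
2004-10-07 03:12:44 10.1.4.22  203.0.113.9  6667 1420
2004-10-07 03:13:02 10.1.4.22  203.0.113.9  6667 310
2004-10-07 09:45:10 10.1.2.7   203.0.113.9  6667 5200
2004-10-07 14:20:00 10.1.4.22  198.51.100.3 80   93000
2004-10-07 23:58:31 10.1.9.101 203.0.113.9  6667 880
2004-10-07 23:59:05 10.1.9.102 203.0.113.9  6667 870
"""


def parse_line(line):
    """Turn one flow record into a dict; raises ValueError on a malformed line."""
    date, time, src, dst, dport, nbytes = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "src": src,
        "dst": dst,
        "dport": int(dport),
        "bytes": int(nbytes),
    }


def is_off_hours(ts):
    """True outside the assumed business window; weekends count as off-hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def find_off_hours_irc(log_text):
    """Map each internal source host to its off-hours connections to port 6667."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] == IRC_PORT and is_off_hours(rec["ts"]):
            hits[rec["src"]].append(rec)
    return dict(hits)


def servers_by_client_count(hits):
    """Count distinct internal hosts per IRC server. Many clients converging on
    one server that nobody deliberately uses is the pattern to capture packets on."""
    clients = defaultdict(set)
    for src, recs in hits.items():
        for rec in recs:
            clients[rec["dst"]].add(src)
    return {dst: len(srcs) for dst, srcs in clients.items()}


if __name__ == "__main__":
    hits = find_off_hours_irc(SAMPLE_LOG)
    for src, recs in sorted(hits.items()):
        first = min(r["ts"] for r in recs)
        print(f"{src}: {len(recs)} off-hours IRC flow(s), first at {first:%H:%M}")
    for dst, n in servers_by_client_count(hits).items():
        print(f"server {dst}: {n} distinct internal client(s)")
```

On the constructed sample, the 09:45 connection from 10.1.2.7 drops out as business-hours traffic, while the three hosts talking to 203.0.113.9 after hours are reported together, which is the cue to pull a capture of that conversation before anyone touches the hosts.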

Vulnerable GDI dlls in unexpected places

One writer sent in:

I downloaded the GDI+ detection-tool from <http://isc.sans.org/gdiscan.php>
and it reported a vulnerable file:

Directory of C:\Program Files\Microsoft Works
06/20/2002 03:23 AM 1,708,036 gdiplus.dll

Compare to the "patched" file, in other folders:
08/04/2004 12:56 AM 1,712,128 gdiplus.dll

Microsoft Works 7, rather than Microsoft Office, is installed.

The Microsoft detection-tool did *NOT* identify that "Microsoft Works 7"
has this vulnerability. D'oh!<sic>

The Microsoft "home-page" for MS Works does not document this vulnerability.
D'oh!<sic>

So, it's time to check all your associates' computers,
looking to patch this vulnerability within that software,
because Microsoft is doing a sloppy job of identifying this vulnerability.

Thanks for that tasty tidbit!
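A script in the spirit of the reader's check, added here as an example and not the ISC gdiscan tool or Microsoft's checker: walk a directory tree, list every gdiplus.dll regardless of which product installed it, and triage each copy by size against the two byte counts quoted above. Size is only a coarse first pass (the two sizes are assumed here to be the only builds of interest), so any other size is flagged for review rather than judged. The demo tree it builds is constructed, with sparse files standing in for the real DLLs.

```python
"""Enumerate every gdiplus.dll under a directory tree and triage it by size.

Added example for this diary entry, not the ISC gdiscan tool or Microsoft's
checker. The two byte counts are those quoted in the reader's report
(Works 7 copy: 1,708,036; patched copy: 1,712,128). Size is only a coarse
first pass, so anything that is not the patched size is flagged for manual
review rather than declared vulnerable.
"""
import os
import tempfile
from datetime import datetime

TARGET = "gdiplus.dll"
PATCHED_SIZE = 1_712_128     # size of the patched copy in the report
VULNERABLE_SIZE = 1_708_036  # size of the Works 7 copy in the report


def find_copies(root):
    """Return (path, size, mtime) for every gdiplus.dll below root, any case."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == TARGET:
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                found.append((path, st.st_size, datetime.fromtimestamp(st.st_mtime)))
    return sorted(found)


def classify(size):
    """Size-based triage; 'review' covers any build the report does not mention."""
    if size == PATCHED_SIZE:
        return "patched-size"
    if size == VULNERABLE_SIZE:
        return "vulnerable-size"
    return "review"


def scan(root):
    """Return [(path, size, verdict)] for the tree."""
    return [(p, size, classify(size)) for p, size, _mtime in find_copies(root)]


def needs_action(root):
    """Every copy that is not the known patched size, i.e. the ones to go look at."""
    return [entry for entry in scan(root) if entry[2] != "patched-size"]


def build_demo_tree():
    """Constructed stand-in for a Windows drive: a patched system copy, a stale
    Works 7 copy, and an unrelated file. Files are sparse, so no real DLL data."""
    root = tempfile.mkdtemp(prefix="gdiscan-demo-")
    layout = {
        "WINDOWS/system32/GdiPlus.dll": PATCHED_SIZE,
        "Program Files/Microsoft Works/gdiplus.dll": VULNERABLE_SIZE,
        "Program Files/Microsoft Works/readme.txt": 12,
    }
    for rel, size in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.truncate(size)
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for path, size, verdict in scan(root):
        print(f"{verdict:15} {size:>10,}  {path}")
```

Run it with a drive root as the argument to sweep a real machine; with no argument it scans the constructed demo tree, where the copy under Microsoft Works is the one that comes back needing action, just as in the report above.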

Please be goodies, not baddies

We really appreciate all of the good information that the community (you!) provides the ISC. This is precisely why it works as well as it does. Please remember, however, that we, and many of you, are bound by implied and specific non-disclosure agreements (NDAs). If a vendor provides you with a limited-distribution notice, consider if it is worth your relationship with them (or your job, in some cases) to release that outside of your organization. Maintain your personal, professional and contractual trust relationships, please; we have to discuss this among ourselves at length whenever proprietary info is dropped on us.

Also on the topic of goodness, not badness - stop and think for a moment before breaking out your latest scanner-du-jour in response to an intrusion attempt. Many folks, when asking the ISC for assistance in dealing with an attacker, provide all kinds of scan output. I know it is often enlightening (and sometimes downright entertaining!) to learn about the systems that are throwing evil packets your way, but to the other side, you appear just as guilty of unauthorized activity.

Rule #1 in responding to an attack - Keep a low profile!

The 2004 SANS Top 20 List will be released on October 8th. Details at http://www.sans.org/top20/

Keep those cards and letters coming!

g