
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-04-11



University Security Problems and Another CHM exploit in the Wild

Published: 2004-04-11
Last Updated: 2004-04-12 06:42:17 UTC
by Scott Fendley (Version: 1)


Despite a mostly quiet weekend, the Internet Storm Center has seen some notable activity. Most of it falls in the category of old news to many readers, but I believe it is worth exploring further.
University Security Problems - Solaris and Linux

It was brought to my attention that several university environments have been attacked and compromised in the past week. That is a daily occurrence for most of us working in the academic world, but until recently the compromises have been tied primarily to Microsoft-based operating systems. The recent activity shows the trend shifting toward Solaris and Linux systems. These systems tend to be better connected on most academic networks and are far more capable platforms for launching large-scale attacks, without the attacker needing to distribute their Denial of Service tool of choice widely. Additionally, many of these systems are connected to "instrumentation" machines used in research and are not heavily patched, because patch clusters can adversely affect research software. A security breach on one of these machines can affect the research in numerous ways, including loss of time and data, potential leaks of confidential data, and potential use of the system to cause further security problems inside or outside the local network.



Over the weekend, it came to my attention that Stanford University has had a number of security incidents involving these Unix systems, reversing the trend of the recent past. From Stanford's security alert it appears that the attacks used local accounts for privilege escalation to the root account, and that the local exploits have included "do_brk() and mremap() exploits on Linux and the sadmind, arbitrary kernel loading modules and passwd vulnerabilities on Solaris."



It is highly recommended that everyone, especially those in academic settings, take the time to audit their Unix-based systems for rootkits and unnecessary services, and prepare for a continued trend of hacker activity in the Unix world. For more information on the Stanford security announcement, please see the following URL:

http://securecomputing.stanford.edu/alerts/multiple-unix-6apr2004.html
I also recommend that academic security staff participate in the unisog mailing list hosted by SANS, or the Educause Security list ( http://www.educause.edu/security ).
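The audit recommended above (rootkits, unnecessary services, and the kernel-module loading mentioned in Stanford's alert) comes down to comparing what a host is doing now against what it was known to do before. The script below is an added example, not code from this diary or from Stanford: it compares listening sockets, SUID binaries and loaded kernel modules against a known-good baseline and reports anything unexpected. The observed lists are assumed to have been captured beforehand (for instance from `netstat -an`, `find / -perm -4000 -type f`, and `lsmod` or `modinfo`); all sample entries, including the hidden /tmp path and the "hidemod" module name, are constructed placeholders so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the ISC diary or from Stanford: compare a host's
# listening services, SUID binaries and loaded kernel modules against a
# known-good baseline and report anything unexpected. The observed lists are
# assumed to be captured by the admin beforehand (e.g. from `netstat -an`,
# `find / -perm -4000 -type f` and `lsmod` or `modinfo`); the samples below are
# constructed so the script runs offline.

# unexpected_entries OBSERVED BASELINE
# Prints each non-empty line of OBSERVED (newline-separated) that is absent
# from BASELINE, once, in the order first seen.
unexpected_entries() {
    printf '%s\n' "$1" | awk -v base="$2" '
        BEGIN { n = split(base, b, "\n"); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        $0 != "" && !($0 in ok) && !seen[$0]++ { print }'
}

# Constructed listening sockets in proto:port form. An IRC port (6667) and
# portmapper (111) that the baseline never allowed are the findings here.
OBSERVED_LISTENERS="tcp:22
tcp:25
tcp:111
tcp:6667
udp:514"
BASELINE_LISTENERS="tcp:22
tcp:25
udp:514"

# Constructed SUID inventory versus the package-manager baseline; a SUID shell
# under a hidden /tmp directory is the classic leftover of a local root exploit.
OBSERVED_SUID="/usr/bin/passwd
/usr/bin/su
/tmp/.x/sh"
BASELINE_SUID="/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo"

# Constructed kernel module list; "hidemod" stands in for a loadable module
# the baseline does not know about (module names are placeholders).
OBSERVED_MODULES="ip
tcp
hidemod"
BASELINE_MODULES="ip
tcp
udp"

# audit_host: run all three comparisons, print one "category entry" line per
# finding, and return 1 if anything unexpected was found (0 when clean).
audit_host() {
    findings=$(
        unexpected_entries "$OBSERVED_LISTENERS" "$BASELINE_LISTENERS" | sed 's/^/listener /'
        unexpected_entries "$OBSERVED_SUID" "$BASELINE_SUID" | sed 's/^/suid /'
        unexpected_entries "$OBSERVED_MODULES" "$BASELINE_MODULES" | sed 's/^/module /'
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

audit_host || echo "unexpected entries found; inspect the host before trusting it" >&2
```

The comparison is deliberately file-based rather than querying the live kernel, so the baseline can be stored off the host and the observed lists can be gathered from a boot CD or a read-only mount: a rootkit that hides its own processes, sockets or modules from tools run on the compromised system cannot hide them from a listing taken outside it.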


Another CHM Exploit in the Wild (?)



[ The information below is purposefully vague, as analysis has not proved concretely whether it is coincidental or truly another CHM exploit in production via an ad server. It is noted here to raise awareness of a potential venue for exploiting web browser vulnerabilities. ]


A concerned end user today stumbled across a very odd error while browsing a perfectly normal sci-fi website. The site carries a number of banner ads from a variety of science fiction and technology advertisers. One particular banner ad produced an error message for this end user that is somewhat suspicious in nature: Internet Explorer reported a scripting error involving a file called "exploit.chm". At present it has not been confirmed whether this is just a coincidence in names, or whether it is consistently reproducible. However, the ad company that owns the particular server has had bad press for a number of years over questionable web marketing tactics. While the exploit.chm file is being analyzed, it is worth noting that the CHM vulnerability has seemingly shown up in 2 or 3 different places in the last week. As such, if Microsoft releases an appropriate patch on Tuesday, it is the Internet Storm Center's recommendation that you patch quickly. More details on the banner ad and exploit.chm will follow as further analysis is permitted.
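The defining feature of the incident described above is a .chm file fetched from an ad server while the user was on an unrelated page. Whether or not this particular case is confirmed, that pattern is something a site's web proxy logs can be checked for. The script below is an added example, not code from this diary: it pulls every request for a Compiled HTML Help file out of a proxy log and, in cross-site mode, keeps only those served from a host other than the referring page, which is how a banner ad served by a third party would appear. The log format ("timestamp client method url referrer", space separated, "-" for no referrer) and every sample line, host name and address are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the ISC diary: scan a web proxy log for requests
# that fetched a Compiled HTML Help (.chm) file and, optionally, keep only those
# served from a host other than the page that referred to them, which is what a
# malicious banner ad served by a third-party ad server would look like.
# The log format is assumed: "timestamp client method url referrer" separated
# by spaces, with "-" for a missing referrer. All sample lines are constructed.
SAMPLE_LOG="2004-04-11T14:02:13Z 10.1.2.3 GET http://www.scifi-site.invalid/index.html -
2004-04-11T14:02:14Z 10.1.2.3 GET http://ads.adserver.invalid/banner.gif http://www.scifi-site.invalid/index.html
2004-04-11T14:02:15Z 10.1.2.3 GET http://ads.adserver.invalid/x/exploit.chm?c=77 http://www.scifi-site.invalid/index.html
2004-04-11T14:05:01Z 10.1.2.9 GET http://docs.vendor.invalid/manual.CHM http://docs.vendor.invalid/
2004-04-11T14:06:40Z 10.1.2.9 GET http://www.scifi-site.invalid/news.html -"

# chm_requests LOG [CROSS_ONLY]
# Prints "client url referrer-host" for every .chm request (case-insensitive,
# query string ignored). With CROSS_ONLY=1, only requests whose URL host differs
# from the referrer host are printed; requests with no referrer are dropped
# because the relationship cannot be judged.
chm_requests() {
    printf '%s\n' "$1" | awk -v cross_only="${2:-0}" '
        # host(u): strip scheme, path and port from a URL, lower-cased
        function host(u,   h) {
            h = u
            sub(/^[A-Za-z][A-Za-z0-9+.-]*:\/\//, "", h)
            sub(/\/.*/, "", h)
            sub(/:.*/, "", h)
            return tolower(h)
        }
        {
            path = $4
            sub(/[?#].*/, "", path)          # drop query string and fragment
            if (tolower(path) !~ /\.chm$/) next
            if (cross_only && ($5 == "-" || host($4) == host($5))) next
            print $2, $4, host($5)
        }'
}

# Typical use on a real log: chm_requests "$(cat proxy.log)" 1
chm_requests "$SAMPLE_LOG" 1
```

The cross-site filter is what separates a vendor's legitimate help file (the manual.CHM fetched from the same site that linked it) from a help file injected through an ad slot; the client address in the output identifies the workstation to check and, if a vendor patch arrives, to patch first.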
----
Scott Fendley, Internet Storm Center - Handler on Duty
Easter Sunday 2004