
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-01-29



Jabber.Org r00t discovered, Vulnerabilities affect Koffice, Kdegraphics, xpdf viewer, Gpdf, Cups, and Tetex

Published: 2005-01-29
Last Updated: 2005-01-31 10:47:41 UTC
by Patrick Nolan (Version: 1)
Jabber hades server 0wned

"The machine (hades.jabber.org) was cracked approximately one year ago by means of an automated rootkit." "Developers who use JabberStudio for their projects MUST follow the instructions posted at http://www.jabberstudio.org/ in order to validate their code. Only validated code will be restored to JabberStudio!"

http://mail.jabber.org/pipermail/jdev/2005-January/020062.html

Vulnerabilities affect Koffice, Kdegraphics, xpdf viewer, Gpdf, Cups, and Tetex

Across the pond at the NISCC, a daily site to visit, they posted an Advisory with the name "Seven Mandrake Security Advisories", describing xpdf PDF code and viewer vulnerabilities, and some kernel vulns.
Operating Systems affected: Linux
Impact: Execute unprivileged code

http://www.uniras.gov.uk/niscc/docs/br-20050128-00079.html?lang=en
And Secunia had a Mandrake update for an Evolution item, rated Moderately critical, Impact: Privilege escalation

http://secunia.com/advisories/14055/

phpPgAds dest parameter cross-site scripting

There was actual information on the phppgads-dest-xss at ISS; you won't find much else posted. ISS labels it a Medium Risk, Secunia says Less critical, I vote for High Risk, and "Can I send you a link to the most recently published security book where you were quoted? I can also send a link to a used version for sale too.";

http://xforce.iss.net/xforce/xfdb/19136
"An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials."
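The dest parameter issue quoted above, modelled as an added Python example (this is not phpPgAds' own code): a handler that reflects `dest` into a link unescaped, beside a hardened version that validates and escapes it, plus an HttpOnly session cookie, which is what blunts the cookie-theft impact ISS describes. The function names, the regular expression and the constructed inputs are assumptions made for the illustration.

```python
import html
import re

# Added illustration, not phpPgAds code: models a click-tracking page that
# reflects a "dest" query parameter into an HTML link, as the ISS item describes.

# Relative path only: must start with a single "/", no scheme, no "//" and no
# characters outside a conservative safe set (assumed policy for this example).
_DEST_RE = re.compile(r"^/(?!/)[A-Za-z0-9_./?=&%-]*$")


def render_link_vulnerable(dest: str) -> str:
    """Reflects dest unescaped: a quote in dest breaks out of the attribute."""
    return f'<a href="{dest}">continue</a>'


def validate_dest(dest: str, fallback: str = "/") -> str:
    """Accept only a same-site relative path; anything else falls back."""
    return dest if _DEST_RE.match(dest) else fallback


def render_link_hardened(dest: str) -> str:
    """Validate first, then HTML-escape (quotes included) before reflecting."""
    safe = html.escape(validate_dest(dest), quote=True)
    return f'<a href="{safe}">continue</a>'


def session_cookie_header(session_id: str) -> str:
    """HttpOnly keeps the session cookie out of document.cookie, so even a
    successful script injection cannot read it; Secure limits it to HTTPS."""
    return f"Set-Cookie: sid={session_id}; Path=/; HttpOnly; Secure"


if __name__ == "__main__":
    # Constructed inputs: a benign relative path and an attribute break-out.
    for dest in ["/ads/click.php?id=7", '"><script>x()</script>']:
        print("vulnerable:", render_link_vulnerable(dest))
        print("hardened:  ", render_link_hardened(dest))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```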

Winamp Exploit (POC) Released

Advisory info:

http://secunia.com/advisories/13781/
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

http://forums.winamp.com/showthread.php?s=&threadid=202799
Software: Winamp 5.x

Mailbag Malware

Thanks Kenneth for reporting the malware site! And thanks to Handler Daniel Wesemann for the quick follow-up work on the report! And thanks to Hurricane Electric Internet Services for taking steps to remove the site.

Thanks also, and again, to Micheal Cottingham for his malware submission. Every submission is appreciated!


Earlier in the week:

"Visio 2002 Service Pack 2 (SP2)" "contains significant security enhancements"

http://www.microsoft.com/downloads/details.aspx?FamilyID=00b9dfe4-ed08-4328-b355-4bc63d6267b2&DisplayLang=en

"Software Update for Web Folders" (WebDAV)

http://www.microsoft.com/downloads/details.aspx?FamilyID=17c36612-632e-4c04-9382-987622ed1d64&DisplayLang=en
"Support for additional security enhancements"

dejavu section, ymmv

Port 4664 - DDoS? Or just gamer (Novalogic) aftermath ....

http://isc.sans.org/port_details.php?port=4664

Port 3072, Could it be explained as simply as POWERHOME?

http://isc.sans.org/port_details.php?port=3072
"WHAT IS POWERHOME?

http://www.myx10.com/index.asp
PowerHome is a home automation software package that allows you to control your home's lighting and appliances as well as your Home Theater's infrared devices. Lighting and appliances are controlled via the following X-10 controllers: CM11A, CM17A, MR26A, PowerLinc (Serial and USB), W800RF32, and CPU-XA/Ocelot. Infrared control is achieved through the following IR controllers: CIR (Computerized Infrared Remote), Multi-CIR, RedRat2, RedRat3, CPU-XA/Ocelot, USB-UIRT, and Slink-e. With the CPU-XA/Ocelot and additional modules you also have access to digital inputs/outputs and analog inputs. With this programmable interface, control is achieved via keyboard, mouse, web, EMail, X-10, IR, Voice recognition, Socket communications, Windows Messaging, and even your internet enabled cellphone."

"The Adaptive Server Anywhere runtime engine opens port 3072 for remote access.
You must allow this port to open in order for PowerHome to function."

"Is the PowerHome database available to other programs or is it exclusive to PowerHome?

PowerHome uses an ODBC connection to communicate with the Sybase Adaptive Server Anywhere database. This database is also accessible to any other program capable of connecting to ODBC databases (Microsoft Access, etc). The userid/password for access to the database is ph/ph."

Bot WarZ

http://isc.sans.org/port_details.php?port=27374

http://isc.sans.org/port_details.php?port=12345

OT - Humor Section

Cisum.A virus writer supports "Accessibility" efforts.


If anyone successfully incorporates the linked mp3 at Panda into Awareness training and does _NOT_ get fired, please share how you did it ( ; ^ ).
Cisum.A mp3:

http://www.pandasoftware.com/img/enc/W32CisumA_mp3.mp3
A Cisum.A write-up is at:

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=58233&sind=0

What next, Dancing Baby Trojans?

"Backdoor.Hebolani is a Trojan that exploits the Windows User32.DLL ANI File Header Handling Stack-Based Buffer Overflow Vulnerability (BID 12233). The Trojan exists as a malformed animated cursor (.ani)."

http://www.sarc.com/avcenter/venc/data/backdoor.hebolani.html

http://www.eeye.com/html/research/advisories/AD20050111.html

http://www.osvdb.org/displayvuln.php?osvdb_id=12842&print

http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx

Patrick Nolan

"Thirty spokes are united in one hub, it is in its emptiness, where the usefulness of the cart is."
Lao Tsu, Tao Te Ching