Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-11-10 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

More 802.11 soup

Published: 2005-11-10
Last Updated: 2005-11-10 14:48:20 UTC
by Joshua Wright (Version: 1)
0 comment(s)
In February I posted a list of IEEE 802.11 working group projects with some descriptions on how these projects will impact administrators in the future.  It's time to update the list again with some new activity:

802.11w - Protection of Management Frames in 802.11 Networks
The 802.11w working group will define a mechanism to protect the confidentiality and integrity of management fames on wireless networks.  The 802.11i specification that introduces the TKIP and CCMP standards only provides protection for data frames, management frames have no protection on wireless networks.  This allows an attacker to transmit spoofed frames, impersonating legitimate stations on the network or the access point, typically resulting in DoS attacks.  This working group will protect these data frames, reducing the number of MAC-layer DoS attacks that 802.11 networks are vulnerable to.
Benefit: Reduces information disclosure about wireless networks, mitigates MAC-layer DoS attacks.  I question the benefit of MAC-layer DoS mitigation however, since all I need is a microwave and a fork to cause a DoS at layer 1 on a 2.4 GHz wireless network.

802.11y - Inclusion of 3.65-3.7 GHz bands for 802.11 networks
In July 2005, the FCC opened up the use of the 3.65-3.7 GHz band for public use, previously reserved for fixed satellite service networks.  The 802.11y working group will develop a standard to use this band for 802.11 wireless networking while introducing a standards-based mechanism to avoid interfering with existing use of this spectrum.
Benefit: More frequency space means more available channels, which is nice since 2.4 GHz is pretty crowded (one of my students recently found 960+ 802.11b/g AP's in downtown LA in 20 minutes of walking around the hotel).  A standardized interference avoidance mechanism will also streamline the adoption of new frequencies in the future.

With the addition of 802.11y as a physical layer option for wireless networks, we'll likely see some new combination cards within the next few years to support this frequency.  With the addition of 802.11n for MIMO, 802.11e for European 5 GHz networks and 802.11j cards for Japanese 4.9 GHz networks, we'll end up with 802.11a/b/e/g/j/n/y cards.  Awesome!

Speaking of 802.11n - MIMO is gaining speed again with a special working group called the Enhanced Wireless Consortium (EWC) whose goal is to accelerate the development of a joint-standard for MIMO networks, combining the drafts submitted by the WWiSE and TGnSYNC working groups.  Also, in case there was any confusion, the correct pronunciation of MIMO is "My-Moe", not "Mee-Moe".  We know this because it was subject to a September 2004 IEEE plenary vote - "My Moe" garnered 69 votes, "Mee Moe" only 24 with 35 voting members abstaining.
Keywords:
0 comment(s)

Problems with Bloodhound.Exploit.45 pattern in Symantec AV

Published: 2005-11-10
Last Updated: 2005-11-10 14:36:03 UTC
by Bojan Zdrnja (Version: 2)
0 comment(s)
We have several reports of issues with the latest definition files for Symantec AV (11/9/2005 rev. 25 at the time of writing), which added Bloodhound.Exploit.45 pattern. This definition should detect files which are exploiting MS05-053 vulnerability (Graphic Rendering Engine Vulnerability and the Windows Metafile Vulnerability).

As it turns out, this pattern seems to be generating a lot of false positives in almost any EMF files, certainly those generated by Excel (and in turn this prevents Excel from functioning properly).

The workaround at the moment is to exclude EMF files from scanning.


Update: Definition files 11/09/2005 Rev 35 and later include a fixed signature.
Keywords:
0 comment(s)

Trojan exploiting MS05-053 - TROJ_EMFSPLOIT.A (updated 2005-11-15)

Published: 2005-11-15
Last Updated: 2005-11-15 20:09:55 UTC
by Joshua Wright (Version: 3)
0 comment(s)
UPDATE: In a story reported yesterday (here), TrendMicro apparently now admits their analysts mis-anlyzed this trojan and that it does not actually exploit MS05-053.

Trend Micro is reporting a trojan in the wild (TROJ_EMFSPLOIT.A) that is exploiting the recent MS05-053 vulnerability announced on Tuesday.  The trojan causes EXPLORER.EXE to crash, which isn't so much fun for Windows users.

The Trend Micro notice is available at their site.  Fellow handler Pat Nolan did an excellent write-up of MS05-053 issues and recommendations at http://isc.sans.org/diary.php?storyid=831.

Thanks to the dutiful Juha-Matti for bringing this to our attention.


Keywords:
0 comment(s)

Phpbb include vuln scanning, via Google, generating new IRC botnet

Published: 2005-11-10
Last Updated: 2005-11-10 01:24:27 UTC
by Patrick Nolan (Version: 3)
0 comment(s)
We have received two reports of systems being exploited via a phpbb include vulnerability and a "new" IRC bot is installed. Please update your files now. Phpbb forum support guru "Techie-Micheal" points out that "running update_to_latest.php on their install only updates the database (and is clearly stated in the documentation), files need to be updated seperately for which there are several methods".

The scanning is for phpbb versions 2.0.10 and under. The latest version of phpbb is 2.0.18.

Micheal also notes "- In past bots, the bots would run as an "SSL'ed Apache. This one is a bit different;

my $processo = '/usr/local/firewall'".

The new IRC bot scans for vulnerable systems using Google, when successful it announces that "oopz and sirh0t and Aleks g0t pwned u!", and has UDP flooding and UDP/ICMP/TCP scanning capabilities.

The file phpbb_patch was found on exploited systems.

Responsible parties have been notified and acknowledged the issues.

Thanks Micheal, Reg, and anonymous!

strings;
xxxxxxxxxxxxxxx

#Shellbot by sirh0t & oopz a.k.a zer-0-day and Aleks PRIVATE!
#VERY FAST SPREADING!!!! NO JOKING

xxxxxxxxxxxxxxx

my $processo = '/usr/local/firewall';

xxxxxxxxxxxxxxx

servidor='forum.unixirc.pl'
porta='81'

xxxxxxxxxxxxxxx

}      } else {
           if ($funcarg =~ /^portscan (.*)/) {
use IO::Socket; $hostip="$1";
use IO::Handle; @portas=("21","23","25","80","113","135","445","1
use Socket;0","6660","6661","6662","6663","6665","6666","6667","
use IO::Select;,"7000","8080");
Keywords:
0 comment(s)

MS05-053 - More Graphic Rendering Buffer Overflow Vulnerabilities

Published: 2005-11-10
Last Updated: 2005-11-10 01:06:57 UTC
by Patrick Nolan (Version: 2)
0 comment(s)
Microsoft Security Bulletin MS05-053 has been released.

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

See Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)
Published: November 8, 2005

Graphics Rendering Engine - CAN-2005-2123
Windows Metafile Vulnerability - CAN-2005-2124
Enhanced Metafile Vulnerability - CAN-2005-0803

The update replaces MS03-045 and MS05-002 on Windows XP Service Pack 1.

There is a workaround for "Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version", MS says their workaround is "Read e-mail messages in plain text format" ... "to help protect yourself from the HTML e-mail attack vector", as outlined in Article ID:307594 - Description of a new feature that users can use to read non-digitally-signed e-mail or nonencrypted e-mail as plain text in Office XP SP-1

I'll also note here that in the many previous instances of this type of buffer overflow it was common for protection to already exist in many environments. If you cannot deploy the patches rapidly please consult with your individual AV and security software vendors and ask if their security solution provides generic buffer overflow protection against these vulnerabilities.
Keywords:
0 comment(s)
Diary Archives