Threat Level: green Handler on Duty: Bojan Zdrnja

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-04-27 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

and little flaws in IVE

Published: 2006-04-28
Last Updated: 2006-04-28 19:01:24 UTC
by donald smith (Version: 2)
0 comment(s)
Juniper Networks released a vulnerability announcement today.
From: http://www.juniper.net/support/security/alerts/PSN-2006-03-013.txt
"Title: IVE ActiveX client vulnerability
Date: 25 April 2006
Version: 1.0
Impact: Client side code execution in context of Internet Explorer
Affected Products: IVE OS 1.x to 5.x
Max Risk: High
Recommended Actions: Upgrade the IVE software to any of the following fixed versions: 5.3r2.1, 5.2r4.1, 5.1r8, 5.0r6.1, 4.2r8.1"

It appears that an activeX control that is installed when using IVE can be remotely exploited.
The exploit described by eeye looks fairly trivial.

IVE is  Instant Virtual Extranet which provides SSL VPN control with centralized reporting, monitoring and configuration management. It is basically a host security auditor and can be used as an element of their netscreen remote client. It can verify things like recent virus signatures and scans. Which  is important before letting some machine on to your corporate network!

eeye has published the details here:
http://www.eeye.com/html/research/advisories/AD20060424.html


Bleeding Edge Snort team has developed a signature for this.
http://blog.gmane.org/gmane.comp.security.ids.snort.bleedingsnort

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE WEB CLIENT JuniperSetup Control Buffer Overflow"; flow:established,from_server; content:"E5F5D008-DD2C-4D32-977D-1A0ADF03058B"; nocase; content:"ProductName"; nocase; content:"PARAM "; nocase; content:"NAME"; nocase; distance:0; content:"ProductName"; nocase; pcre:"/value[\s'"]*=[\s'"]*[^'"]{100}/i"; reference:
www.eeye.com/html/research/advisories/AD20060424.html; classtype:attempted-user; sid:515151515; rev:1; )

Keywords:
0 comment(s)

MSIE 'Sploit du Jour

Published: 2006-04-27
Last Updated: 2006-04-27 19:36:57 UTC
by Tom Liston (Version: 1)
0 comment(s)
Yesterday's.
Today's.

#!/bin/sh
cat /usr/home/tliston/diaryheader.html > diary.html
echo "$1 has discovered a vulnerability in Internet Explorer," >> diary.html
echo "which can be exploited by $2 to compromise a user's system." >> diary.html
echo "The vulnerability is caused by an error in $3 " >> diary.html
echo "that can be exploited to $4, by tricking a user into visiting" >> diary.html 
echo " a malicious web site. Successful exploitation allows $5." >> diary.html
cat /usr/home/tliston/diaryfooter.html >> diary.html
mv diary.html /www/htdocs

tommy: tom$: ./ie_dujour.sh
MATTHEW MURPHY has discovered a vulnerability in Internet Explorer, which can be exploited by EVIL HACKERS to compromise a user's system. The vulnerability is caused by an error in A RACE CONDITION IN THE DISPLAY AND PROCESSING OF SECURITY DIALOGS RELATING TO THE INSTALLATION/EXECUTION OF ACTIVEX CONTROLS that can be exploited to CONVINCE A USER TO INSTALL A MALICIOUS ACTIVEX COMPONENT, by tricking a user into visiting a malicious website.  Successful exploitation allows THE ABILITY TO EXECUTE ARBITRARY CODE ON THE TARGET MACHINE.

Sigh...

Handler on Duty: Tom Liston - Intelguardians
Keywords:
0 comment(s)

Confessions of a Spyware Author

Published: 2006-04-27
Last Updated: 2006-04-27 19:08:41 UTC
by Tom Liston (Version: 1)
0 comment(s)
I was sitting next to Ed Skoudis in the front row of the Anti-Spyware Coalition Workshop in Washington, D.C. this past February 9th.  Ed and I had been working together during the previous days, testing enterprise anti-spyware applications for a "shootout" article that we were co-authoring for Information Security magazine.  In preparing the various tests for that article, I had developed 25 small applications that each performed a single "spyware-like" behavior - dropping an executable and installing a key in the Windows registry to launch it on boot, changing the user's wallpaper, changing the user's homepage, etc...

Ed was scheduled to speak on one of the many panels that presented that day, and right before he took the stage, he turned to me and said, "Whatever I say, just go with it..."  

More frightening words have seldom been uttered.

When Ed's turn to speak came, he stood before an assembly of several hundred lawmakers, policy professionals, and anti-spyware vendors and asked a simple question: by a show of hands, how many in the audience were "spyware authors"?

"Come on," he continued, "I know that there is at least SOMEONE here who has written spyware."

Then he turned and stared at me.

Thanks, Ed.

Hello.  My name is Tom, and I'm a spyware author.

Unlike the truly Evil spyware authors who want to steal your private information or monitor your surfing habits, I'm here to help.  The 25 mini spyware-like applications that I wrote are designed to test the effectiveness of your anti-spyware solution at detecting and alerting you to behaviors that can indicate that software may not be on the up-and-up.  While most anti-spyware applications have some signature based capabilities, as the spyware menace grows, behavior based detection and blocking are a must.

The suite of test applications will be released in conjunction with our article on May 1st, and is dubbed SPYCAR -- an homage to the European Institute for Computer Antivirus Research (EICAR) antivirus test file.  While it won't be available until May 1st, SPYCAR will be located here.

Tom Liston
Intelguardians
Keywords:
0 comment(s)
Diary Archives