SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-06-01

Something new on Telnet?

Published: 2006-06-01
Last Updated: 2006-06-01 22:14:54 UTC
by Pedro Bueno (Version: 1)
We just got a report about massive scans for Telnet (port 23).
Checking on DShield, something is odd there too...
My question is: are you observing something different in your IDS/FW logs on this port?

-----------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno && isc. sans. org)

More on Symantec vulnerabilities

Published: 2006-06-01
Last Updated: 2006-06-01 21:24:36 UTC
by Bojan Zdrnja (Version: 3)
UPDATE2:

Looks like the latest Symantec/Norton AV definitions are causing some problems between ScriptLogic's product and the AV. According to some users that wrote to us, Symantec AV is detecting it as
adware.slagent.

"Problem: Symantec/Norton Anti-virus definitions update released May 31st may cause your Desktop Authority or ScriptLogic Enterprise system to fail.

Solution: Refer to this KB Article with the resolution. http://www.scriptlogic.com/support/kb/displayarticle.asp?UID=2324&Str=1529."

HOD: Pedro Bueno
------------------------------------------------------------------------------------------

The latest patches from Symantec are causing quite a bit of confusion. To reiterate what Kevin wrote in his diary (http://isc.sans.org/diary.php?storyid=1368):

*ALL* versions of 10.0.x and 10.1.x of Symantec Antivirus Corporate Edition and 3.0.x and 3.1.x of Symantec Client Security seem to be vulnerable.
Symantec Antivirus Corporate Edition version 8.x and 9.x seem to be ok.

Symantec released 4 patches for each product (http://www.symantec.com/avcenter/security/Content/2006.05.25.html):

Symantec Antivirus Corporate Edition
10.1.0.394 -> 10.1.0.396 (there is a typo on their web page; it is not version 3)
10.1.0.400 -> 10.1.0.401
10.0.2.2010 -> 10.0.2.2011
10.0.2.2020 -> 10.0.2.2021

Symantec Client Security
3.1.0.394 -> 3.1.0.396
3.1.0.400 -> 3.1.0.401
3.0.2.2010 -> 3.0.2.2011
3.0.2.2020 -> 3.0.2.2021

Now, if you are running *ANY* other version that is affected, you will have to first upgrade to one of the versions that have the patch out and then install the patch. I hope this will clear the confusion.

There seem to be some mitigations to the problem though. As eEye stated, this is a remotely exploitable vulnerability. Symantec Antivirus Corporate Edition, when in managed mode, will have the service Rtvscan.exe listening on TCP port 2967. If your host-based firewall is configured to block access to this port (effectively meaning that you can't manage the client from the centralized server, at least not until the client connects to it), you should be OK.
On our test machine, the unmanaged installation of Symantec Antivirus Corporate Edition didn't have any listeners, so it looks like it's safe, at least from a remote exploit over the network (patch in any case!).
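The two checks a practitioner would want from the text above, as an added Python example (not code from the diary or from Symantec): triaging an installed build into "apply the patch directly" versus "upgrade first, then patch", using the version list in this diary, and spotting an Rtvscan.exe listener on TCP 2967 in netstat output. The product labels SAVCE/SCS are this example's own shorthand, and the netstat sample is constructed.

```python
import re

# Build numbers with a patch out, mapped to the patched build (from the diary's list).
PATCHED_BUILDS = {
    "SAVCE": {"10.1.0.394": "10.1.0.396", "10.1.0.400": "10.1.0.401",
              "10.0.2.2010": "10.0.2.2011", "10.0.2.2020": "10.0.2.2021"},
    "SCS":   {"3.1.0.394": "3.1.0.396", "3.1.0.400": "3.1.0.401",
              "3.0.2.2010": "3.0.2.2011", "3.0.2.2020": "3.0.2.2021"},
}
# Affected families per the diary: SAVCE 10.0.x/10.1.x, SCS 3.0.x/3.1.x (8.x/9.x look OK).
AFFECTED_PREFIXES = {"SAVCE": ("10.0.", "10.1."), "SCS": ("3.0.", "3.1.")}

def triage(product, version):
    """Return 'not-affected', 'patched', 'apply-patch' or 'upgrade-then-patch'."""
    if product not in AFFECTED_PREFIXES:
        raise ValueError("unknown product label")
    if not version.startswith(AFFECTED_PREFIXES[product]):
        return "not-affected"
    builds = PATCHED_BUILDS[product]
    if version in builds.values():
        return "patched"
    if version in builds:
        return "apply-patch"
    # Any other affected build: move to a build that has a patch, then apply it.
    return "upgrade-then-patch"

# Managed-mode SAVCE exposes Rtvscan.exe on TCP 2967; a listener there means the
# network path is open unless a host firewall blocks the port.
NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.M)

def rtvscan_listeners(netstat_output, port=2967):
    """Local addresses on which `port` is in LISTENING state (Windows netstat -an format)."""
    return [addr for addr, p in NETSTAT_LISTEN.findall(netstat_output) if int(p) == port]

# Constructed sample of `netstat -an` output; not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2967           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for prod, ver in (("SAVCE", "10.1.0.394"), ("SCS", "3.0.1.1000"), ("SAVCE", "9.0.5.1000")):
        print(prod, ver, "->", triage(prod, ver))
    print("2967 listeners:", rtvscan_listeners(SAMPLE_NETSTAT))
```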

If we get more information we'll update the diary. Thanks to Gary for help with this.

UPDATE

Symantec finally posted a nice web page with details what you have to do regarding the version you're running at http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006052609181248.



Snort bypass vulnerability

Published: 2006-06-01
Last Updated: 2006-06-01 16:28:10 UTC
by Jason Lam (Version: 2)
Update: (2006-06-01 16:10 UTC) Sourcefire/snort.org has issued its statement on the issue (patches coming Monday, 5 June):
http://www.snort.org/pub-bin/snortnews.cgi#431

Demarc just released a vulnerability alert on Snort. The vulnerability leads to evasion of URI content rules. When a carriage return is added to the end of a URL (before the HTTP protocol declaration), Snort detection can be evaded. According to the alert, this vulnerability will affect thousands of detection rules in the standard rule base. No need to panic at the moment though, as the folks at Sourcefire have fixed this in version 2.6.0 and we haven't seen this kind of traffic in the wild yet. Thanks to Blake Hartstein for reporting this to us. Also, thanks to our friends at Sourcefire for info on the extent of the problem and about the upcoming patch.

Please refer to the vulnerability alert for more details:
http://www.demarc.com/support/downloads/patch_20060531
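An added Python example (not code from the diary, Demarc or Sourcefire) of why a URI normalizer must not treat a bare carriage return as the end of the request line: the fragile extractor is a simplified model of the failure mode the alert describes (an assumption, not Snort's actual code), while the tolerant one only ends the line at CRLF and strips stray control characters, so a uricontent-style match still fires. The signature string and the sample requests are constructed.

```python
import re

# uricontent-style signature, constructed for this example (not a real Snort rule).
URI_SIGNATURE = "/cgi-bin/test.cgi"

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>.+?)\s+(?P<version>HTTP/\d\.\d)$")

def fragile_uri(request):
    """Model of the weakness: a lone CR counts as end of line, so the
    method/URI/version split fails and no URI buffer is produced."""
    line = re.split(r"\r\n?|\n", request, maxsplit=1)[0]
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]

def tolerant_uri(request):
    """Only CRLF (or a bare LF) terminates the request line; CR/TAB inside
    the URI are removed before the signature is checked."""
    line = re.split(r"\r\n|\n", request, maxsplit=1)[0]
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    return re.sub(r"[\r\t]", "", m.group("uri"))

def rule_matches(uri):
    """True when the normalized URI carries the signature."""
    return uri is not None and URI_SIGNATURE in uri

# Constructed sample requests: a normal one and one with a CR before the version.
NORMAL = "GET /cgi-bin/test.cgi?x=1 HTTP/1.0\r\nHost: example.com\r\n\r\n"
WITH_CR = "GET /cgi-bin/test.cgi?x=1\r HTTP/1.0\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("normal", NORMAL), ("with_cr", WITH_CR)):
        print(name, "fragile:", rule_matches(fragile_uri(req)),
              "tolerant:", rule_matches(tolerant_uri(req)))
```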


Invision Board being exploited

Published: 2006-06-01
Last Updated: 2006-06-01 16:26:06 UTC
by Pedro Bueno (Version: 1)
On May 21st we reported a vulnerability in Invision Power Board. To be honest I didn't know much about it, or about the amount of sites using it. Well, now I know at least a BIG one that was using it as a forum for its customers. We are still contacting the website owner, so I won't mention it here. But the case is that it was vulnerable and was exploited.
Now, when you visit it, it will try to push a .wmf exploit to you.
PLEASE, DO NOT CLICK ON THE FOLLOWING LINKS!

The iframes on that page were redirecting to HTTP : //  traffweb1.biz/dl/adv771.php and HTTP :   // 2-extreme.biz/traff.php?adv=54 .

Those websites were redirecting to HTTP : // 85.255.116.234/11.htm  and HTTP : // 85.255.116.234/25.htm .

Which would try to push the .WMF exploit to you...

Fortunately, all AV vendors at Virustotal recognize the exploit, and at least McAfee and Symantec will trigger an alert when you are visiting this forum page.

---------------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno /&&/ isc. sans. org )


F-Secure web console buffer overflow

Published: 2006-06-01
Last Updated: 2006-06-01 15:07:31 UTC
by Jim Clausing (Version: 1)
The folks at F-Secure issued a bulletin today highlighting a buffer overflow in the web console feature of F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper. F-Secure rates this vulnerability as high in the cases where the web console is configured to only allow connections from localhost or specific trusted hosts, and critical if configured to allow connections from all hosts. They have released patches; the table below is taken directly from their advisory.

Patch availability (product, affected versions, hotfix/download):

F-Secure Anti-Virus for Microsoft Exchange 6.40:
    Apply the hotfix for F-Secure Anti-Virus for Microsoft Exchange 6.40:
    ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse640-05.zip

F-Secure Internet Gatekeeper 6.50:
    Upgrade to F-Secure Internet Gatekeeper 6.60, or
    apply the hotfix for F-Secure Internet Gatekeeper 6.50:
    ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk650-01.zip

F-Secure Internet Gatekeeper 6.42, 6.41, 6.40:
    Upgrade to F-Secure Internet Gatekeeper 6.60

---------------------------------
Jim Clausing, jclausing /at\ isc dot sans dot org