SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-06-13


Microsoft patch day

Published: 2006-06-13
Last Updated: 2006-06-14 10:18:05 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
Microsoft is releasing 12 new security bulletins today:
  • MS06-021 Cumulative patch for Internet Explorer - Critical
  • MS06-022 ART image library buffer overflow - Critical
  • MS06-023 Microsoft JScript memory corruption - Critical
  • MS06-024 Windows media player - Critical
  • MS06-025 RRAS - Critical
  • MS06-026 Graphics rendering engine remote code execution - Critical
  • MS06-027 Word remote code execution - Critical
  • MS06-028 Powerpoint remote code execution - Critical
  • MS06-029 Exchange - Important
  • MS06-030 SMB privilege escalation - Important
  • MS06-031 RPC mutual authentication spoofing - Moderate
  • MS06-032 IP source routing allows remote code execution - Important
and re-released one: MS06-011 (see the MS06-011 diary below).
Handlers actively working on these include Arrigo, John, Kyle, Lorna, Johannes, Scott and Swa.
Keywords:
0 comment(s)

MS06-029: Script injection through Exchange/OWA

Published: 2006-06-13
Last Updated: 2006-06-13 20:58:19 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
MS06-029 - KB 912442

Affected Software:
  • Microsoft Exchange 2000 Server Pack 3 with the August 2004 Exchange 2000 Server Post-Service Pack 3 Update Rollup
  • Microsoft Exchange Server 2003 Service Pack 1
  • Microsoft Exchange Server 2003 Service Pack 2
Impact:  Remote Code Execution
Severity:  Important
Description:  Microsoft Exchange servers running Outlook Web Access (OWA) to let clients check their email remotely expose those clients to a script injection vulnerability.  A specially crafted email sent to the user and opened in OWA would allow the embedded script to run.  According to Microsoft, "A script injection vulnerability exists that could allow an attacker to run a malicious script. If this malicious script is run, it would run in the security context of the user on the client."  If you are running the Microsoft Exchange OWA service, it is very important that you patch ASAP.

If you have been tracking the issue with Yahoo web mail, this should sound very familiar.
The vulnerability is covered in CVE-2006-1193.

--
Lorna Hutcheson

MS06-025: RRAS arbitrary code execution

Published: 2006-06-13
Last Updated: 2006-06-13 20:35:51 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
MS06-025 - KB 911280

A CRITICAL vulnerability in Microsoft's Routing and Remote Access Services (RRAS). A successful exploit could allow an attacker to execute arbitrary code. In order to exploit the vulnerability remotely, an attacker has to be able to log in to a system first.

RRAS is used to connect to Microsoft networks remotely via dial-up modems. With RRAS, a user can dial up to a remote network (e.g. a corporate network) and access all services on the remote network as if connected locally. In addition, RRAS is used for various multi-protocol LAN/WAN connections via VPNs.

It is not clear how exactly the exploit would occur over a network, or what the traffic will look like. We will update this diary later once we have figured it out. According to this list, RRAS uses port 1701/UDP (L2TP), 1723/TCP (PPTP), as well as protocols 47 (GRE), 51 (AH) and 50 (ESP). In particular, the protocols other than TCP/UDP may not be blocked by all firewalls.

For most users, the best option is to disable the service. See the bulletin on how to do this. Double check that you have disabled all guest accounts or other accounts that allow connections with no or weak passwords.

--
Johannes Ullrich



MS06-021: Internet Explorer patch

Published: 2006-06-13
Last Updated: 2006-06-13 20:18:58 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
MS06-021 - KB 916281

Fixes memory corruption that can lead to remote code execution, disclosure of sensitive information and creation of additional accounts on the host operating system.

Microsoft rates this patch as critical; considering the impact of remote code execution on the client system, for a browser we would rate such a thing as very critical.

Microsoft states that the attack vector has to be web based; exploitation through Outlook should not be possible.

Please note that this patch affects the issues in KB 917425 by terminating the compatibility period.

This includes a fix for publicly known bugs: CSS cross domain information disclosure (CVE-2005-4089) and address bar spoofing (CVE-2006-1626).

--
Swa Frantzen -- section 66



MS06-031: RPC Mutual Authentication Vulnerability

Published: 2006-06-13
Last Updated: 2006-06-13 20:13:30 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
MS06-031 - KB 917736

This looks to be an obscure bug that only affects Windows 2000. In reality, the conditions for exploitation seem rare and no code execution is possible. The bug only affects custom RPC applications using SSL with mutual authentication, which probably doesn't amount to many applications out there. Finally, the impact of this bug only allows the attacker to impersonate a trusted RPC server - it doesn't allow code execution.

For all the overworked sysadmins: you can probably leave this at the bottom of your patch list.

This vulnerability is also covered in CVE-2006-2380.

--
Kyle Haugsness



MS06-030: Microsoft SMB Vulnerabilities

Published: 2006-06-13
Last Updated: 2006-06-13 19:42:32 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
MS06-030 - KB 914389

MS06-030 covers two vulnerabilities. The more severe one ("SMB Driver Elevation of Privilege Vulnerability") will allow an attacker who has regular user access to a system to gain administrator access. The attack requires some form of regular access, for example valid login credentials or an exploit against a regular user on the system.

You could disable the Workstation service to mitigate this vulnerability. However, this is probably only going to work for stand-alone workstations: disabling the Workstation service will break file and printer sharing.

The second vulnerability ("SMB Invalid Handle Vulnerability") results in a Denial of Service condition, but like the first vulnerability it requires valid login credentials.

This vulnerability is covered in CVE-2006-2373.

--
Johannes Ullrich



Barracuda Networks outage statement

Published: 2006-06-13
Last Updated: 2006-06-13 19:23:32 UTC
by William Stearns (Version: 1)
0 comment(s)
A number of readers have written in about problems with their Barracuda Networks mail appliances.  Barracuda Networks sent in their public statement:

"Outage on 6/13/2006 for Barracuda Spam Firewall Customers

Barracuda Networks remains committed to open communications with our customer base.  This morning, we had an outage that affected a large number of Barracuda Spam Firewall customers.  The affected customers were Barracuda Spam Firewall customers employing the virus scan feature of the Barracuda Spam Firewall using virus definition 1.5.144.  The outage resolved itself with a subsequent Energize Update to virus definition 1.5.145.
 
Details:
 
Beginning at 4:53 AM PST today, a faulty virus definition was released that had an incomplete virus database (virus definition 1.5.144).  To protect our customers in the event such a circumstance occurred, the Barracuda Spam Firewall has a built in precautionary feature which automatically prevents email from being sent through in order to keep potentially infected emails from being delivered.  Any Barracuda Spam Firewall in the field that had received virus definition 1.5.144 immediately began to queue all incoming messages until the complete virus database became available.
 
At 7:02 AM PST, the majority of Barracuda Spam Firewalls automatically received virus definition 1.5.145 containing the complete virus database, and email began to process normally for those customers previously affected.
 
The cause of the incomplete virus definition has been identified and resolved, and additional measures have been put in place to prevent this issue from occurring in the future.
 
Due to the volume of calls to our Technical Support department during this period, we did experience a phone system malfunction which caused many customers to have to wait for longer periods of time than what they have come to expect.  We apologize for any delay or inconvenience this may have caused and feel confident that our support department is back online and ready to assist customers right away.
 
Thank you for your patience.  We look forward to continuing to provide all our customers with the same high quality service and support that they have come to rely on.
 
Sincerely,
Barracuda Networks Support and Operations Teams"


MS06-032: Source routing buffer overflow

Published: 2006-06-13
Last Updated: 2006-06-13 19:22:16 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
MS06-032 - KB 917953

While Microsoft rates this as important only, we at the Internet Storm Center feel that it is very critical. It is easy to exploit: one (spoofed) packet could allow an attacker to "own" a vulnerable system. The TCP/IP stack is vulnerable to a buffer overflow in the handling of source routed packets.

While some firewalls might protect against this, consider systems that are used on the road, such as in airports, hotels, ... these must be protected now.

Workarounds:
  • Block packets with source routing options in the firewall. According to Microsoft, "IP source route options 131 and 137" are the dangerous ones, but why would you allow source routing through your firewall anyway?
  • A personal firewall might help as well.
  • Disable source routing in Windows by setting a registry key (see the Microsoft bulletin for details) [highly recommended action, even if you have patched already].
This vulnerability is covered in CVE-2005-2379.
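To make the two network-side mitigations on this page concrete (blocking source-routed packets carrying options 131 and 137, as this diary recommends, and spotting the non-TCP/UDP protocols and ports the MS06-025 RRAS diary lists), here is an added example that is not part of the original diaries: a small IPv4 header parser that flags source-routed packets and RRAS-related traffic. The option and protocol numbers are the ones named on this page (their RFC 791 values); the packets, addresses and the `build_ipv4` helper are constructed for the example.

```python
import socket
import struct

# IPv4 option type values the MS06-032 bulletin singles out (RFC 791 values).
IPOPT_LSRR = 131  # loose source and record route
IPOPT_SSRR = 137  # strict source and record route
# IP protocol numbers and L4 ports the MS06-025 diary associates with RRAS.
RRAS_PROTOCOLS = {47: "GRE", 50: "ESP", 51: "AH"}
RRAS_PORTS = {(17, 1701): "L2TP", (6, 1723): "PPTP"}   # (protocol, destination port)


def parse_ipv4(packet: bytes) -> dict:
    """Parse an IPv4 header, walking the options area. Checksums are not verified."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    options = []
    i = 20
    while i < ihl:
        otype = packet[i]
        if otype == 0:            # end of option list
            break
        if otype == 1:            # no-operation, single byte
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option without a length byte")
        olen = packet[i + 1]
        if olen < 2 or i + olen > ihl:
            raise ValueError("option length runs past the header")
        options.append((otype, packet[i:i + olen]))
        i += olen
    return {
        "proto": packet[9],
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "options": options,
        "payload": packet[ihl:],
    }


def audit_packet(packet: bytes) -> list:
    """Return human-readable findings for one packet; an empty list means nothing was flagged."""
    hdr = parse_ipv4(packet)
    findings = []
    for otype, raw in hdr["options"]:
        if otype in (IPOPT_LSRR, IPOPT_SSRR):
            name = "LSRR" if otype == IPOPT_LSRR else "SSRR"
            # route data layout: type, length, pointer, then 4-byte hop addresses
            hops = [socket.inet_ntoa(raw[k:k + 4]) for k in range(3, len(raw) - 3, 4)]
            findings.append(f"source-routed packet (option {otype} {name}) via {', '.join(hops)}")
    if hdr["proto"] in RRAS_PROTOCOLS:
        findings.append(f"RRAS-related IP protocol {hdr['proto']} ({RRAS_PROTOCOLS[hdr['proto']]})")
    elif hdr["proto"] in (6, 17) and len(hdr["payload"]) >= 4:
        dport = struct.unpack("!H", hdr["payload"][2:4])[0]   # same offset for TCP and UDP
        key = (hdr["proto"], dport)
        if key in RRAS_PORTS:
            l4 = "tcp" if hdr["proto"] == 6 else "udp"
            findings.append(f"RRAS-related port {dport}/{l4} ({RRAS_PORTS[key]})")
    return findings


def build_ipv4(proto: int, src: str, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet for the constructed samples below (checksum left at zero)."""
    options += b"\x00" * (-len(options) % 4)          # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


# Constructed samples (not captured traffic): documentation addresses, made-up hops.
LSRR_OPTION = bytes([IPOPT_LSRR, 11, 4]) + socket.inet_aton("10.0.0.1") + socket.inet_aton("10.0.0.2")
SAMPLE_SOURCE_ROUTED = build_ipv4(6, "192.0.2.10", "192.0.2.20", LSRR_OPTION,
                                  struct.pack("!HH", 40000, 80) + b"\x00" * 16)
SAMPLE_GRE = build_ipv4(47, "192.0.2.10", "192.0.2.20", payload=b"\x00\x00\x08\x00")
SAMPLE_L2TP = build_ipv4(17, "192.0.2.10", "192.0.2.20", payload=struct.pack("!HHHH", 40000, 1701, 8, 0))
SAMPLE_PLAIN_HTTPS = build_ipv4(6, "192.0.2.10", "192.0.2.20",
                                payload=struct.pack("!HH", 40000, 443) + b"\x00" * 16)

if __name__ == "__main__":
    for label, pkt in [("source-routed", SAMPLE_SOURCE_ROUTED), ("gre", SAMPLE_GRE),
                       ("l2tp", SAMPLE_L2TP), ("https", SAMPLE_PLAIN_HTTPS)]:
        print(label, audit_packet(pkt) or ["clean"])
```

The option walker rejects malformed lengths instead of guessing; a filter should drop whatever fails to parse rather than forward it. Note that a GRE, ESP or AH packet carries no ports at all, which is why port-based firewall rules alone miss it, as the RRAS diary points out.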

--
Swa Frantzen -- section 66



MS06-027: MS Word object pointer / Remote Code Execution

Published: 2006-06-13
Last Updated: 2006-06-13 18:31:08 UTC
by John Bambenek (Version: 1)
0 comment(s)
MS06-027 - KB 919637

Vulnerable: Word 2000 (including Word Viewer 2003) and later, and Works 2000 and later
Not Vulnerable: Word for Mac

This is a remote code execution vulnerability that uses a malformed object pointer to corrupt system memory and can be used to execute arbitrary code.  If the logged-in user has administrative privileges, the exploit will run with those same privileges and could take complete control of the system.

In order to successfully exploit this vulnerability, an attacker would have to persuade a user to open a malicious Word document, either through e-mail or a web page.  This vulnerability is marked critical and Microsoft Office users should apply the patch immediately.

It is possible to avoid logging in with an administrator-level account, but that would not prevent "spyware" classes of attacks.

--
John Bambenek -- University of Illinois

MS06-011 Updated

Published: 2006-06-13
Last Updated: 2006-06-13 18:20:20 UTC
by Scott Fendley (Version: 1)
0 comment(s)
MS06-011 - KB 914798

This update was originally released in March.  Our analysis at the time is located here.

The bulletin was re-released today with a number of tweaks.  "This update has been revised to include updated registry key values for the NetBT, RemoteAccess, and TCPIP services. These values have been modified to be the same as Windows XP Service Pack 2 on Windows XP Service Pack 1 systems, and the same as Windows 2003 Service Pack 1 on Windows 2003 systems with no service pack applied. Customers are encouraged to apply this revised update for additional security from privilege elevation through these services as described in the Vulnerability Details section of this security bulletin."

Scott Fendley - Univ of Arkansas

MS06-028: PowerPoint malformed record / Remote Code Execution

Published: 2006-06-13
Last Updated: 2006-06-13 18:08:49 UTC
by John Bambenek (Version: 1)
0 comment(s)
MS06-028 - KB 916768

Vulnerable: Office 2000, XP, 2003 for Windows and Office v.X and Office 2004 for Mac (yes, this vulnerability is present on Mac systems)

This vulnerability affects PowerPoint documents and allows for remote code execution with the privileges of the logged in user.  A malicious PowerPoint document with a malformed record can corrupt system memory and be used to execute code.  This patch replaces MS06-010 for PowerPoint 2000.

An attacker would have to somehow convince a victim to open a malicious PowerPoint file to exploit this vulnerability (either by e-mail or web download, for instance).  If the user is logged in as administrator, an attacker would gain full control of the system.  Presumably, different malicious PowerPoint files would have to be created to exploit Windows and Mac (i.e. the same PowerPoint file would likely not be able to exploit both operating systems).

This patch is classified critical for PowerPoint 2000 only, and important for all other versions (including Mac).  This patch fixes the vulnerability detailed in CVE-2006-0022.  Users are advised to apply this patch if they use Microsoft PowerPoint.

John Bambenek -- University of Illinois

MS06-026: Graphics Rendering Engine / Remote Code Execution

Published: 2006-06-13
Last Updated: 2006-06-13 18:03:46 UTC
by John Bambenek (Version: 1)
0 comment(s)
MS06-026 - KB 918547

** This vulnerability ONLY applies to Windows 98, 98SE, and ME (we aren't still running these, are we?).  Windows 2000, XP and beyond are not vulnerable **

This is a critical vulnerability in the Graphics Rendering Engine that allows remote code execution on the target system using specially crafted WMF files.  When successfully exploited, the target system can be completely compromised.  This is a new vulnerability not associated with the WMF vulnerabilities from earlier this year.  An attacker can exploit this vulnerability by using a specially crafted webpage (and getting the victim to view that page) or by sending an exploit in email (where the email reader renders images).

If you are running Windows 98, 98SE, or ME, you should upgrade your operating system to Windows 2000, XP or later.  If you cannot upgrade, this patch should be installed immediately.

John Bambenek -- University of Illinois



MS06-023: Microsoft's JScript remote code execution

Published: 2006-06-13
Last Updated: 2006-06-13 17:58:24 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
MS06-023 - KB 917344

A problem in JScript where it releases memory too soon can cause memory corruption and lead to remote code execution.

The attack vector is web based: visiting malicious content is sufficient to exploit the browser. This is strongly linked with MS06-021 and Microsoft recommends installing both at the same time.

Obviously it's better not to log in with administrative rights as it makes the impact of these vulnerabilities a lot worse.

--
Swa Frantzen -- section 66



MS06-022: buffer overflow in ART image rendering library

Published: 2006-06-13
Last Updated: 2006-06-13 17:56:17 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
MS06-022 - KB 918439

ART is an image file format (yep, image formats are still popular research topics for hackers it seems). The format is used by AOL.

The impact of this is that users logged in with administrative rights can be exploited with remote code execution.

Microsoft rates this vulnerability as critical.

The patch removes support for ART image files from MSIE; as a result, such images will no longer be rendered.

It's interesting to note that the image library is an optional install on Windows 2000.

Workarounds:
  • Do not log in as administrator or with an account with administrative rights; it's dangerous.
  • Consider switching to an alternative browser; they work really well, and it makes the lives of the hackers harder if not all of us use the same browser with the same vulnerabilities.

--
Swa Frantzen -- section 66



MS06-024: buffer overflow in windows media player

Published: 2006-06-13
Last Updated: 2006-06-13 17:51:30 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
MS06-024 - KB 917734

Windows Media Player is vulnerable in its handling of PNG images.

Microsoft rates this vulnerability as critical. It allows remote code execution.
Attack vectors of both email and web are possible through the use of .wmz files.

Workarounds will be based on content filtering in gateways, but might be below par on effectiveness if you count encrypted messages and the like as possible exploit vectors.

--
Swa Frantzen -- section 66



Javascript/AJAX/Worm Like Behavior

Published: 2006-06-13
Last Updated: 2006-06-13 09:27:19 UTC
by Michael Haisley (Version: 1)
0 comment(s)
We have seen the Yamanner worm spread throughout Yahoo over the past few days.  This worm manages to spread without the user doing anything other than viewing a malicious email.  Yahoo, to its credit, had already fixed the exploit in its new beta client.

Software developers and webmasters alike should take this as a warning: new exploits will be coming that use JavaScript and Ajax-like behavior to spread.  The current worm could be readily modified to spread across many systems that do not escape JavaScript when displaying data from a foreign source.  Many web developers should re-examine their code and make sure that display functions do not deliver potentially malicious code.

After testing several popular web applications, we have found that several are in fact vulnerable to the very same type of exploit.  Good coding practices, verifying that users are coming from an authorized form and that they are not submitting malicious code, can protect developers against this type of exploit.

We will be sending notice to affected software vendors that we have identified at this time, however we currently do not have plans to publish specific applications until new releases/patches are available.
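As an added example (not the handlers' code, and not tied to Yahoo's or Exchange OWA's implementation), here is the kind of output handling this diary and the MS06-029 OWA diary call for: a sanitizer that rebuilds foreign HTML with an allowlist of tags, no attributes and escaped text, plus a session-bound form token for checking that a submission came from a form the server issued. `ALLOWED_TAGS`, `SERVER_SECRET` and the sample message body are assumptions constructed for the example.

```python
import hashlib
import hmac
import html
import secrets
from html.parser import HTMLParser

# Markup a webmail view may keep (assumed policy). Everything else, attributes included,
# is dropped or escaped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br"}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}   # their text is never shown, not even escaped


class AllowlistSanitizer(HTMLParser):
    """Rebuild untrusted HTML keeping only allowed tags, no attributes, and escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # "&lt;" reaches handle_data as "<" and is re-escaped there
        self.out = []
        self.open_tags = []
        self.drop_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
        elif tag in ALLOWED_TAGS and self.drop_depth == 0:
            self.out.append(f"<{tag}>")            # attrs (onerror=, href=, style=) are discarded wholesale
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
        elif tag in self.open_tags:
            while self.open_tags:                   # also close anything left open inside it
                last = self.open_tags.pop()
                self.out.append(f"</{last}>")
                if last == tag:
                    break

    def handle_data(self, data):
        if self.drop_depth == 0:
            self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        while self.open_tags:                       # balance tags the sender left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_for_display(untrusted_html: str) -> str:
    p = AllowlistSanitizer()
    p.feed(untrusted_html)
    p.close()
    return p.result()


def escape_for_display(untrusted_text: str) -> str:
    """Plain-text rendering: show foreign content as text, never as markup."""
    return html.escape(untrusted_text, quote=True)


# Form authorization: a token bound to the session, so a submission that did not come from a
# form the server issued for this session is rejected. SERVER_SECRET is a constructed
# per-deployment secret; a real deployment would load it from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_form_token(session_id: str) -> str:
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def form_submission_is_authorized(session_id: str, submitted_token: str) -> bool:
    return hmac.compare_digest(issue_form_token(session_id), submitted_token)


# Constructed sample message body; not a real worm payload.
SAMPLE_BODY = ('<p>Hi there!</p><img src="x" onerror="alert(document.cookie)">'
               '<script>stealContacts()</script><b onclick="go()">Read me</b> &lt;3')

if __name__ == "__main__":
    print(sanitize_for_display(SAMPLE_BODY))
    print(escape_for_display(SAMPLE_BODY))
```

The form token addresses forged submissions from another site; it does not substitute for escaping, since script already running inside the mailbox page can read the token. Attributes are dropped wholesale rather than filtered for on* handlers, because href, src and style can carry script just as well.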