SANS ISC InfoSec Handlers Diary Blog

Tip of the Day - If you don't need it on, turn it off.

Published: 2006-08-17
Last Updated: 2006-08-17 23:25:31 UTC
by Chris Carboni (Version: 1)
The release of MS06-040 serves as the inspiration for today's Tip Of the Day.

Disable any and all unneeded services.

Removing any unneeded services greatly reduces your exposure to vulnerabilities, as you now have fewer items running that could be vulnerable to attack.

Let's use the server service aka File and Printer Sharing as an example.

Chapter 7 of the Windows XP Threats and Countermeasures Guide (a must read for sysadmins IMHO) has a list of XP and Server 2003 services and a description of what each one does.

Threats and Countermeasures says the following about the Server service

"The Server service provides RPC support, file, print, and named pipe sharing over the network. It allows local resources to be shared, such as disks and printers, so that other users on the network can access them. It also allows named pipe communication between applications that run on other computers and your computer, which is used to support RPC. Named pipe communication is memory that is reserved for the output of one process to be used as input for another process. The input-acceptance process does not need to be local to the computer. This service is installed and runs automatically by default on Windows XP and Windows Server 2003.

If the Server service stops or if you disable it, the computer will not be able to share local files and printers with other computers on the network, and it will not be able to satisfy remote RPC requests."

Ok, so, why would you need this service enabled on your system?  That depends on what role the system is playing.

If the system is a file and/or print server you need the Server service running, or you have nothing but an energy-gulping, heat-generating paperweight.

If the system is a web server only, you don't need the server service enabled.  Other types of application servers may or may not need the service enabled depending on the nature of the application.

Corporate laptops and desktops typically don't need the server service enabled. 

Corporate users/admins take note - disabling the Server service will make some forms of remote administration and management difficult, if not impossible, so carefully evaluate the risks before taking any action.

If you are a home user with no other systems on your local LAN, you don't need the server service enabled.

If you are a home user with other systems on your internal LAN, then you only need the server service enabled if you are sharing folders or printers with the other system(s) on your LAN.

Ok, so you've realized that you don't need the service running and you want to know how to stop it.

Warning - the changes described below could have a negative impact on production systems. Testing is required to determine whether the Server service and/or any dependent services can or should be stopped.

You can either manage the service through the GUI (right click 'My Computer', Manage, Services and Applications, Services) or ...

From a command shell on the target machine:

C:\>net stop lanmanserver

The system may respond:

Stopping the Server service will also stop these services.

[List of Services Here]

Do you want to continue this operation? (Y/N) [N]:


These are services that are dependent on the server service.  You should carefully evaluate the need for any listed services before stopping the server service.

Ok, so the server service is stopped and the network is still functioning.  Unless you change the way the service starts up (it is set to start automatically), the next time the system is rebooted, the server service will start again.

From the same command shell:

C:\>sc config lanmanserver start= disabled
(Make sure there is a space after 'start=' and no space between 'start' and '=')

Which, when successful, will return:

[SC] ChangeServiceConfig SUCCESS


For those unfamiliar with sc.exe, a full description can be found here.

sc.exe (and Netsvc.exe) can also be used to stop services, but I prefer net stop for local use as it provides (again IMHO) a cleaner method of stopping dependent services. SC and Netsvc are excellent tools (as are some of the free offerings available from reputable vendors) for use in scripting remote service management.
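The two commands above can be wrapped into one script that first shows what depends on the Server service (the same list the `net stop` prompt shows interactively) and only changes anything when told to. This is an added example, not part of the diary: it assumes Windows PowerShell 5.1 or later (for the `StartType` property returned by `Get-Service`) and an elevated prompt on the machine being changed; the `-Apply` switch and the report-only default are this example's own design, not a feature of `net` or `sc`.

```powershell
# Added example (not from the diary): audit, then optionally stop and disable,
# the Server service (LanmanServer) on a Windows host.
# Assumes Windows PowerShell 5.1+ and an elevated prompt.
param(
    [string]$ServiceName = 'LanmanServer',   # the Server service, as in the diary
    [switch]$Apply                           # without -Apply, report only
)

$svc = Get-Service -Name $ServiceName -ErrorAction Stop

# The check 'net stop' gives you interactively: what else stops if this stops?
Write-Host "Service : $($svc.DisplayName) ($($svc.Name))"
Write-Host "Status  : $($svc.Status)"
Write-Host "Startup : $($svc.StartType)"
$deps = $svc.DependentServices
if ($deps) {
    Write-Host "Services that depend on $($svc.Name) (review before continuing):"
    $deps | ForEach-Object { Write-Host ("  {0,-25} {1}" -f $_.Name, $_.Status) }
} else {
    Write-Host "No services depend on $($svc.Name)."
}

if (-not $Apply) {
    Write-Host "Report only. Re-run with -Apply to stop and disable the service."
    return
}

# Stop the service and its dependents (what 'net stop lanmanserver' does after
# you answer Y), then set the startup type so it stays stopped across reboots
# (what 'sc config lanmanserver start= disabled' does).
# -Force is required when dependent services are running.
Stop-Service -Name $ServiceName -Force
Set-Service  -Name $ServiceName -StartupType Disabled

# Verify the result.
$after = Get-Service -Name $ServiceName
Write-Host "After   : Status=$($after.Status) Startup=$($after.StartType)"
```

Run it once without `-Apply` to see the dependency list, decide whether each dependent service is needed (as the diary advises), and only then run it again with `-Apply`.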

This is just one example of a service that is enabled by default that many users keep enabled thinking they need it, when in many cases, they do not.

Home users: Take a few minutes and look through your list of running services and compare them with the descriptions in the Threats and Countermeasures Guide.  Turn off and disable whatever you don't need.

Administrators:  Take some time and look at your systems.  Determine what is running, and what needs to be running.  Develop a plan (including testing) to make any needed changes, get the approval you need and implement your plan.
Keywords: ToD

MS06-042 and CA Unicenter Service Desk - Hotfix available

Published: 2006-08-17
Last Updated: 2006-08-17 22:42:22 UTC
by Chris Carboni (Version: 3)
We've received a few reports (and independently confirmed the problem) of IE crashing on systems with MS06-042 installed when accessing Unicenter Service Desk.

Microsoft updated  MS06-042 (KB 918899) as follows:

Caveats:
For some Internet Explorer 6.0 Service Pack 1 users, Internet Explorer may exit unexpectedly while attempting to access Web Sites using both the HTTP 1.1 protocol and compression. A hotfix and workaround for this issue is available, please see Knowledge Base Article 923762 for more information. A new version of KB918899 is currently in development and will be released to all Internet Explorer 6 Service Pack 1 customers on the Download Center and Windows Update by August 22nd, 2006. Customers not experiencing the issue described above are recommended to continue deploying MS06-042 in their environments to receive protection from the vulnerabilities documented in the Security Bulletin. The hot fix will be included in future Cumulative Security Updates for Internet Explorer 6.0 Service Pack 1. Microsoft Knowledge Base Article 918899 documents this and any other currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 918899.

UPDATE:

It seems as though this is not limited to IE6SP1.

We have two confirmed reports of the problem occurring in fully patched IE6 SP2 systems.

In those systems:

If MS06-042 is installed, IE locks up when in Service Desk.

If MS06-042 is uninstalled from a previously problematic system, the problem stops.

So, what are your options at this point?

You have to assess the risk in your environment as none of these options are anywhere near ideal and should in no way be considered a recommendation.

1. Leave it patched and non-functional. Not an attractive option, but paper calls are a possibility in many enterprises. (Why do I see the hate mail flooding in already?)

2. Install the IE7 beta. Yes, installing an unsupported beta to fix a problem is a bad solution, but at least you can log calls.

3. Uninstall MS06-042. Leaves you vulnerable to everything that exploits these vulnerabilities, but you can log calls.

4. Use a different browser. We have an e-mail in to CA to find out if it's supported or not. Again, not pretty, but it may work.

5. You could also try leaving the system unpatched, use it only for Service Desk, and install an alternate browser for your normal browsing needs. This eliminates your exposure to web-based attacks and still allows you to log calls.



Microsoft August 2006 Patches: STATUS

Published: 2006-09-11
Last Updated: 2006-09-11 23:05:04 UTC
by Swa Frantzen (Version: 13)
Overview of the known problems and publicly known exploits of the August 2006 Microsoft patches.

Columns: Known problems with this patch | Known exploits | Client rating | Server rating

MS06-040
  Known problems:
    Issue with:
      • Huge memory allocations on Windows 2003 Server SP1 (32bit & 64bit), XP (64bit) and 32bit applications.
      • Microsoft Business Solutions–Navision 3.70 on the above platforms.
      • Websense Manager when using terminal services
    Fix:
      • Hotfix available by calling Microsoft.
  Known exploits:
    • Botnets actively exploiting this in the WILD
    • Exploit available in easy to use package
  Client rating: PATCH NOW
  Server rating: PATCH NOW

MS06-041
  Known problems: No reported problems
  Client rating: Critical
  Server rating: Critical

MS06-042
  Known problems:
    Critical issue:
      • This patch introduces a new arbitrary code execution vulnerability in MSIE 6 SP1.
    Fix:
      • Microsoft re-released MS06-042 on Aug 24th 2006.
      • It is unclear whether the hotfix that was available earlier fixes this problem as well.
    Issue #1:
      • MSIE 6 SP1 crashes while using multiple applications such as PeopleSoft, Siebel, Sage CRM and websites using HTTP 1.1 and compression such as The Register.
      • Roll-up patch, so it has all older issues as well.
    Workaround:
      • Disable HTTP/1.1
      • Use an alternate browser (for problem sites)
    Fix:
      • Upgrade to MSIE 6 SP2
      • The re-release of August 24th is intended to fix this. The fix was supposed to be published by Microsoft on August 22nd, 2006 but was delayed.
    Issue #2:
      • CA Unicenter Service Desk can cause MSIE to crash on XP SP2 and Windows 2003 SP1
    Workaround:
      • Use the supported Firefox or Mozilla browsers
      • KB923996
    Fix:
      • The re-release of MS06-042 does not fix this problem as far as we know.
  Known exploits:
    • Original MS06-042: fixes, among others, an FTP vulnerability that has been well known since 2004.
    • The buffer overflow in the first revision of the MS06-042 patch has details public:
      • Microsoft released it first on the 22nd
      • actual code fragments were publicly released on the 24th after the patch was updated
  Client rating: PATCH NOW
  Server rating: Important

MS06-043
  Known problems: No reported problems
  Client rating: Important
  Server rating: Less urgent

MS06-044
  Known problems: No reported problems
  Client rating: Critical
  Server rating: Critical

MS06-045
  Known problems: No confirmed problems
  Client rating: Critical
  Server rating: Less urgent

MS06-046
  Known problems: No reported problems
  Client rating: Critical
  Server rating: Important

MS06-047
  Known problems: No reported problems
  Known exploits: Trojan dropper reported in a Word document by Symantec, Trend Micro (1) and Trend Micro (2). The dropper loads a backdoor: Trend Micro, Symantec. See also diary.
  Client rating: Critical
  Server rating: Less urgent

MS06-048
  Known problems: No reported problems
  Known exploits: Trojan dropper in PowerPoint
  Client rating: Critical
  Server rating: Less urgent

MS06-049
  Known problems: Unconfirmed reports about corruption of files on compressed volumes. [Windows 2000 only patch]
  Client rating: Important
  Server rating: Less urgent

MS06-050
  Known problems: No reported problems
  Client rating: Critical
  Server rating: Important

MS06-051
  Known problems: Although unconfirmed by Microsoft so far, there seem to be problems related to Terminal Services and multiple users loading certain DLLs as part of some applications. Details and fixes or workarounds are too sketchy so far. See also the problem with .ini files and Citrix at the Citrix support forum. We're still looking for a more detailed description of the problems.
  Client rating: Critical
  Server rating: Critical

We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

New Malware for MS06-047

Published: 2006-08-17
Last Updated: 2006-08-17 15:04:40 UTC
by Chris Carboni (Version: 1)
Juha-Matti dropped us a note regarding some new malware and the links for the Symantec and Trend Micro descriptions.

Shortly after, we heard from Sergio de los Santos from Virustotal who gave us some additional information:

We have detected a new malware for MS06-047 vulnerability.

It comes with a name syosetu.doc with 107.520 bytes. Hash MD5 is
7443358555983341CB9BB12BB0A0A191

Today, only a few AV can detect it (via virustotal):

W97M/ProjMod!exploit (eTrust-Vet), W32/Bgent.ZE!tr (Fortinet ),
Exploit-OleModule (McAfee), Exploit:Win32/Ponaml.gen (Microsoft),
Trojan.Mdropper (Symantec), TROJ_MDROPPER.BK (TrendMicro).

Thanks Juha-Matti and Sergio!

Vacation Rental Property Scam

Published: 2006-08-17
Last Updated: 2006-08-17 14:26:52 UTC
by Chris Carboni (Version: 1)
From the mailbag


Dear ISC,

I run a vacation rental business whereby I represent approximately 600 vacation homes.  We are often subject to phishing scams where the perpetrator appears to be a legitimate renter and does a last minute booking.  Sometimes they claim to be making reservations for a friend as a gift or they are a bunch of doctors traveling to a convention and any property we pick for them would be wonderful, etc, etc.  The story usually goes that the car rental company won't take credit cards so could we please charge $200 extra to the card and add $100 for our trouble and could we please send the car rental payment to the company directly.  Then, something happens and they don't need the car rental so could we please just send them a return check for the money, and please take another $50 out for our trouble.  The idea, obviously, is that the charge fails or gets contested, but we've sent them a legitimate check that can be cashed and not recovered.

Yesterday, I discovered a new one, and was alerted to this by a legitimate renter who found a listing of the property that they wanted to rent from my firm on a different website, only the pictures didn't match.  What the bad guys had done was splice together several pieces of copyrighted material along with several pictures from several different ads and take out their own false ad that I assume they paid for.  I purposely tried to flush them out, and contacted them to rent *their* property.  The response I got back from <email address deleted> had no answers to any questions that I asked, and they urged me to send a check for the deposit immediately and they would courier the keys to my address.  This is obviously a ruse since no one in the industry conducts business this way.  I tried to coerce them into releasing something other than their bogus yahoo mail account such as a phone number or mailing address, but they wouldn't.  I suspect they will disappear as soon as I report the ad as being fraudulent.

I don't know if this story is relevant to your audience, but this is the first time I've seen the bad guys trying to bilk larger sums of money out of legitimate renters instead of them trying to mess with the agencies.  Obviously, this causes much damage to my business since renters aren't sure who they can trust since anyone can seemingly take an ad out for anything.  I think it behooves these advertising companies to do a little more due diligence to verify the accuracy of the information they are displaying rather than just slapping up anything for anybody who has some cash.




Tip of the Day - Turn the NICs off during installation

Published: 2006-08-17
Last Updated: 2006-08-17 00:14:34 UTC
by Pedro Bueno (Version: 1)
During one of those past weekends I was installing and configuring some honeypots.

I decided to try different Operating Systems to see which one would fit better for my needs.

As I already had a working NAT for one IP, what could be more natural than putting the IP address on the OS during installation, right?
Yep, WRONG! The reason is that if you install an OS that is Internet-facing from the start (as my NAT made it), there may not be enough time to apply the patches (even offline patches, from CDs or pen drives).

So, my Tip of the Day: whatever OS you are installing, if you can't physically unplug the network, choose not to configure the NICs during installation. That way you will have enough time to check which services will be running on your machine and turn them off before someone exploits your unpatched OS, because if you are installing a fresh OS, chances are that some applications/services are already outdated and you may become a victim of the bot of the day...
Don't trust me? Check this out...
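Pedro's advice to check which services are running before the machine is reachable can be turned into a quick audit. The following is an added example, not from the diary: a POSIX shell function that reads `ss -H -tulnp` output on a Linux host and marks each listening service as loopback-only or reachable from the network, run here over a constructed sample rather than a live host. The column layout it assumes is that of modern `ss`; the processes and ports in the sample are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the diary: summarise which services are listening
# on a freshly installed Linux host and which of them are reachable from the
# network, so they can be reviewed (and stopped) before the NIC goes live.
# Input is the output of `ss -H -tulnp`, read from stdin.

audit_listeners() {
    awk '
    {
        # Column 5 is the local address:port; the port is after the last colon
        # so that IPv6 literals such as [::]:22 are handled as well.
        n = split($5, parts, ":")
        port = parts[n]
        addr = substr($5, 1, length($5) - length(port) - 1)

        # Owning process, if ss was run with -p: users:(("sshd",pid=...
        proc = "?"
        if (match($0, /users:\(\("[^"]*"/)) {
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        }

        # Loopback-only binds are not reachable from other hosts.
        if (addr ~ /^127\./ || addr == "[::1]") exposure = "local-only"
        else exposure = "network-reachable"

        printf "%-4s %-6s %-10s %s\n", $1, port, proc, exposure
    }' | sort -k4,4 -k2,2n
}

# Constructed sample in `ss -H -tulnp` format (not captured from a real host).
SAMPLE='udp   UNCONN 0  0    0.0.0.0:68      0.0.0.0:*  users:(("dhclient",pid=512,fd=6))
tcp   LISTEN 0  128  0.0.0.0:22      0.0.0.0:*  users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0  128  0.0.0.0:111     0.0.0.0:*  users:(("rpcbind",pid=430,fd=4))
tcp   LISTEN 0  50   0.0.0.0:445     0.0.0.0:*  users:(("smbd",pid=820,fd=33))
tcp   LISTEN 0  128  127.0.0.1:631   0.0.0.0:*  users:(("cupsd",pid=655,fd=7))
tcp   LISTEN 0  128  [::]:22         [::]:*     users:(("sshd",pid=701,fd=4))'

# Run over the constructed sample; on a live host use:  ss -H -tulnp | audit_listeners
printf '%s\n' "$SAMPLE" | audit_listeners
```

Everything marked network-reachable is what an attacker on the wire would see the moment the NIC comes up; anything in that list the machine does not actually need is a candidate to stop and disable before connecting it.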

-------------------------------------------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc .sans .org )
Keywords: ToD