
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-09-05


The Sleuth Kit (TSK) for Windows released

Published: 2006-09-05
Last Updated: 2006-09-05 22:20:55 UTC
by Bojan Zdrnja (Version: 1)
The Sleuth Kit (TSK) is a well-known set of forensic tools. I've personally used it numerous times and I find it to be a great successor to the famous Coroner's Toolkit (TCT). The tool set consists of various command line applications that allow you to examine file systems. You can find more information about TSK at http://www.sleuthkit.org/sleuthkit/desc.php.

TSK has finally been released as Windows binaries, so you don't have to compile them manually anymore. You can download the toolkit from http://www.sleuthkit.org/sleuthkit/download.php.

Thanks to Edi for sending us a note about TSK.


Reports of Bots exploiting pmwiki and tikiwiki

Published: 2006-09-05
Last Updated: 2006-09-05 15:09:11 UTC
by Joel Esler (Version: 6)
We have received some anonymous reports of Botnets being created out of vulnerabilities found in Pmwiki and Tikiwiki software.

The Tikiwiki exploit is hitting versions <= 1.9, and the Pmwiki exploit is hitting versions <= 2.1.19. Both exploits were written and discovered by the same person, and both have been worked into auto-spreading bots.

We have no info yet on where these bots are attempting to connect to. However, they are being seen in the wild.

The Pmwiki vulnerability can only be exploited if you have "register_globals" turned "On" in your PHP installation. However, the Tikiwiki vulnerability can be exploited regardless of this setting.

Tikiwiki has published information on how to temporarily patch your systems to make them invulnerable. From reading that page, it also appears that Tikiwiki is working on a permanent patch.

At the time of this posting Pmwiki had no temporary fixes or patches posted to their website. So make sure that you turn "register_globals" to "Off" and restart Apache.

So, if you are running either one of these two pieces of software, please, make sure you are fixed or patched up!

UPDATE

We've received some submissions about machines compromised through the vulnerabilities mentioned above. All the botnets that we've seen connect to an Undernet IRC server and sit on 5 different channels.

Besides the IRC bot, intruders also put a variety of exploits and attack tools on the compromised machines. Among the usual perl flood scripts there are also exploits for both 2.4 and 2.6 Linux kernels (the Linux kernel msync race condition exploit from last year).

In any case, make sure that you are running a patched version as the bad guys are actively exploiting this.

UPDATE #2

Robin writes in to tell us that the admins of PmWiki have updated their code: see the release notes.

UPDATE #3

Snort.org has updated their Community Ruleset to include coverage for these two vulnerabilities.

More about the host based firewall on Windows XP SP2

Published: 2006-09-05
Last Updated: 2006-09-05 09:52:37 UTC
by Bojan Zdrnja (Version: 1)
Two weeks ago, as part of our "Security tip of the day" series, I wrote a diary about using the host based firewall provided with Windows XP.
We received some valuable submissions about this, so it's time to share them with everyone.

One of our readers also asked why I didn't write about any other (commercial or free) third party host based firewall. While other products indeed exist, and typically have more features than the host based firewall provided with Windows XP (which, as I noted in the first diary, lacks several things), the idea of the original diary was to give you more information about a firewall that is already available. I've found that the integrated host based firewall in Windows XP is usually underestimated (or turned off because it became a problem) in corporate environments.

Now, let's see how our readers use this firewall. Iain Taylor described how he uses GPOs to manage the host based firewall on workstations which have to share printers. Iain uses WMI filtering in GPOs, which allows him some pretty cool deployments (his WMI kung-fu was obviously on a reasonable level).
Here's Iain's e-mail:

One common requirement on business networks is printer sharing from workstations.
Unfortunately the ports used are ones that would normally be closed on all workstations, as they are also used for file sharing and are a very common target of attack by all forms of crudware.

To maintain as much protection as possible, we only want to open those ports on a targeted subset of machines - i.e. those that actually both have a printer attached AND share it. To achieve this we have used a conditional group policy to open File & Printer sharing ports on the machines which are sharing printers.

Putting those machines into different OUs and applying a specialised GPO with the relaxed firewall settings to them would be one solution; however, keeping track of which machines require this behaviour can be challenging. Instead, we use a slightly less-well known feature of GPOs - WMI filtering. This allows the clients to execute a WMI query before deciding whether to activate a GPO applied to them or not. Now the firewall rules can be 'intelligently' applied, only being relaxed if the workstation requires the feature, whilst remaining locked-down otherwise.

To achieve this there are two firewall rules GPOs. One is the default (restricted) configuration, applied to all systems without filtering. The other, applied afterwards, has the WMI query attached to it and contains the same settings, except for the File and Printer sharing ports being permitted. The query itself works as follows...

select * from Win32_Printer where Local = TRUE and Shared = TRUE

Using the Windows built-in 'root\CIMv2' namespace, the WMI query first finds whether the machine has a local printer & then checks whether it is shared. If both are true, then the client will apply the GPO, opening the ports. Otherwise the query returns false, the policy is not applied & the more restrictive default policy is in play.
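As an added example (not code from the diary or from Iain's e-mail), the script below runs the same WMI filter a workstation evaluates and compares the answer with the local firewall's File and Printer Sharing rules, so an admin can spot a machine that ended up relaxed without sharing a printer or locked down while sharing one. It assumes Windows PowerShell 5.1 or later with the NetSecurity module (Windows 8 / Server 2012 or newer) and an elevated session.

```powershell
# Added example, not from the diary or Iain's e-mail: evaluate the GPO's WMI
# filter locally and compare it with the firewall's File and Printer Sharing
# rules to detect policy drift. Assumes Windows PowerShell 5.1+ with the
# NetSecurity module (Windows 8 / Server 2012 or newer); run elevated.

# Identical to the GPO's WMI filter, in the built-in root\CIMv2 namespace.
$FilterQuery = 'SELECT * FROM Win32_Printer WHERE Local = TRUE AND Shared = TRUE'

function Test-SharedLocalPrinter {
    # $true when the filter matches, i.e. the machine should receive the relaxed GPO.
    $printers = @(Get-CimInstance -Namespace 'root\CIMv2' -Query $FilterQuery -ErrorAction Stop)
    return ($printers.Count -gt 0)
}

function Test-FilePrintSharingOpen {
    # $true when any inbound File and Printer Sharing rule is enabled for the
    # Domain profile (the profile a domain GPO governs; 'Any' covers it too).
    $rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -ErrorAction Stop |
        Where-Object { $_.Enabled -eq 'True' -and ($_.Profile -match 'Domain|Any') }
    return (@($rules).Count -gt 0)
}

$sharesPrinter = Test-SharedLocalPrinter
$portsOpen     = Test-FilePrintSharingOpen

if ($sharesPrinter -and $portsOpen) {
    $verdict = 'OK: shares a printer and the relaxed GPO is in effect'
} elseif (-not $sharesPrinter -and -not $portsOpen) {
    $verdict = 'OK: no shared printer, default restrictive policy in play'
} elseif ($sharesPrinter) {
    $verdict = 'CHECK: shares a printer but sharing ports are closed (GPO not applied yet? try gpupdate /force)'
} else {
    $verdict = 'WARN: sharing ports open with no shared printer (policy drift or a local override)'
}

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    SharesPrinter    = $sharesPrinter
    SharingPortsOpen = $portsOpen
    Verdict          = $verdict
}
```

Run it through your management tooling across the fleet and collect the WARN rows; each one is a workstation exposing the file sharing ports that the restrictive default policy was meant to keep closed.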

Ray also wrote to remind us of a nice tool that Microsoft provides: Port Reporter. This tool installs as a service and logs all TCP and UDP port activity. When used with the Port Reporter Parser tool, it provides a very nice source of information about processes that used any ports on the machine.
You can find more information about Port Reporter at http://support.microsoft.com/?id=837243.
