SANS ISC InfoSec Handlers Diary Blog

Quick plug: Netcat in the Hat

Published: 2006-09-06
Last Updated: 2006-09-06 21:15:41 UTC
by Tom Liston (Version: 1)
Over the past several months, several of the handlers have written up security-based, "themed" challenges.  This month, I wrote one entitled "Netcat in the Hat," a nod to every child's best friend, Dr. Seuss. (And trust me, having written the challenge in rhyme, I have a new-found respect for the good doctor...)  You can find it here.   Check it out and submit an answer!

DUNZIP32.dll Buffer Overflow

Published: 2006-09-06
Last Updated: 2006-09-06 20:21:02 UTC
by Michael Haisley (Version: 1)
0 comment(s)
Full-Disclosure had an interesting note about IBM's Lotus Notes and a new buffer overflow. The vulnerability is due to a third-party DLL, DUNZIP32.dll. IBM has issued a patch for versions 6 and 7; users of version 5 are advised not to open zip files within Lotus Notes. The vulnerability allows an attacker to execute arbitrary code should you open a malicious zip file.

Many other software packages that use old versions of DUNZIP32.dll are affected by this vulnerability as well.

Trojan.Mdropper.Q / Email Attachment Practices / Word 2000 0-day

Published: 2006-09-06
Last Updated: 2006-09-06 19:31:47 UTC
by Michael Haisley (Version: 4)
0 comment(s)
Thanks to frequent reader Juha-Matti Laurio for sending us a note about Trojan.Mdropper.Q and the previously undiscovered Microsoft Word 2000 vulnerability that comes with it. Trojan.Mdropper.Q activates when a file containing it is opened, and then installs a backdoor on the machine. Fortunately, as with most Office vulnerabilities, a user has to actually open the file before the trojan can be activated. Generally my advice to users is not to open files that they are not expecting, even if they know the person that sent the file, but this one has made me curious: what do other system admins recommend to their users? Do you have a policy on email attachments? Is this policy automatically enforced?
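One way such a policy can be enforced automatically at a mail gateway, as an added example that is not part of this diary and not ISC code: judge attachments by their content rather than their declared name. The policy assumed here is hypothetical: anything whose bytes begin with the OLE2 compound-document signature (the container used by Word 2000 .doc files) is flagged regardless of filename or Content-Type, and a legacy Office extension on non-OLE2 content is flagged as a mismatch. The sample message, addresses and attachments are constructed for the demo; the "document" is only the 8-byte signature plus padding, not a real file.

```python
"""Content-based attachment policy check (added example; assumed policy, not ISC's)."""
import email
import os
from email import policy
from email.message import EmailMessage

# OLE2 / Compound File Binary signature shared by legacy .doc, .xls and .ppt files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions the assumed policy treats as legacy Office documents.
OFFICE_EXTENSIONS = {".doc", ".dot", ".xls", ".ppt"}


def is_ole2(data: bytes) -> bool:
    """True when the payload starts with the OLE2 compound-document signature."""
    return data[:len(OLE2_MAGIC)] == OLE2_MAGIC


def check_attachments(raw_message: bytes) -> list:
    """Return [(filename, reason), ...] for every attachment violating the policy."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        if is_ole2(data):
            # Judged by content: renaming invoice.doc to invoice.txt changes nothing.
            findings.append((name, "OLE2 compound document (legacy Office format)"))
        elif ext in OFFICE_EXTENSIONS:
            # Declared as an Office file but the bytes say otherwise: worth a look too.
            findings.append((name, "Office extension but content is not OLE2"))
    return findings


def build_sample_message() -> bytes:
    """Construct a sample message for the demo (constructed; not a real mail or document)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please review the attached files.")
    # Constructed stand-in for a .doc: just the 8-byte signature plus zero padding.
    fake_doc = OLE2_MAGIC + b"\x00" * 56
    # 1) Office content disguised with a harmless-looking name.
    msg.add_attachment(fake_doc, maintype="application", subtype="octet-stream",
                       filename="invoice.txt")
    # 2) Office extension on plain-text content: a mismatch the policy flags.
    msg.add_attachment(b"just text", maintype="application", subtype="octet-stream",
                       filename="notes.doc")
    # 3) A genuinely plain attachment the policy should leave alone.
    msg.add_attachment("hello", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in check_attachments(build_sample_message()):
        print(f"FLAG {name}: {reason}")
```

The check deliberately ignores the sender: the diary's advice applies even when the sender is known, and a gateway rule that keys on content rather than on trust in the From: header enforces exactly that.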

Update #1

It appears Symantec has updated their site to include the size of the Trojan: 79,265 bytes.    Happy Antivirus updating!

Update #2

Juha-Matti writes to tell us that Securiteam has posted an entry about this vulnerability on their blog. Check out their post here. McAfee is calling this one W32/MoFei.worm.dr, and has a writeup about the Trojan here. It is still unknown which vulnerability this exploits.

Update #3

Microsoft published some news about the "0-day" in MS Word here. They offer two pieces of advice:
1) Don't open Word files from people you don't know. (This goes back to not eating candy until your parents look at it at Halloween, and not opening the door for strangers.)
2) Use Word Viewer.

Of course Microsoft publishes great "Suggested Actions".

Protect your PC by enabling a firewall (which, btw, does not keep Word files out)

In fact, one of Microsoft's suggested actions is "Keep Windows Updated"... we'd love to, if only there were a fix for the problem!

Let's hope they get it patched as soon as possible.

Internet Systems Consortium BIND Denial of Service Vulnerabilities

Published: 2006-09-06
Last Updated: 2006-09-06 17:39:28 UTC
by Joel Esler (Version: 2)
0 comment(s)
Internet Systems Consortium has stated that there are a couple of vulnerabilities in BIND (the DNS server) that can be exploited to cause a DoS.

1) SIG Query Processing (CVE-2006-4095): An assertion error within the processing of SIG queries can be exploited to crash either a recursive server, when more than one SIG(covered) Resource Record set (RRset) is returned, or an authoritative server serving an RFC 2535 DNSSEC zone where there are multiple SIG(covered) RRsets.

2) Excessive Recursive Queries INSIST failure (CVE-2006-4096): An error within the handling of multiple recursive queries can be exploited to trigger an INSIST failure by causing the response to the query to arrive after all clients looking for the response have left the recursion queue.

So ensure you are running a patched version: BIND 9.3.3rc2, BIND 9.3.2-P1, BIND 9.2.7rc1, or BIND 9.2.6-P1.
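Checking an inventory of name servers against those four fixed versions is less trivial than a string comparison, because BIND's version grammar mixes release candidates and security patch levels: 9.3.3rc1 sorts above 9.3.2-P1 numerically but predates the fix. The following is an added example, not ISC code, that parses strings such as the output of `named -v` or a `dig version.bind chaos txt` answer (assumed grammar X.Y.Z[rcN][-PN]) and applies the advisory's fixed versions per branch. The host names and version reports in the sample are constructed.

```python
"""Is a reported BIND version at or past the advisory's fixed versions? (added example)"""
import re
from typing import NamedTuple, Optional

# Pre-release ordering: alpha < beta < release candidate < final release.
_PRE_RANK = {"a": 0, "alpha": 0, "b": 1, "beta": 1, "rc": 2}
_FINAL = 3

# Assumed grammar: X.Y.Z, optional pre-release tag (rcN, bN, aN), optional -PN patch level.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|a|b|rc)(\d+))?(?:-P(\d+))?")


class BindVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    pre: Optional[str]   # "a", "b", "rc", ... or None for a final release
    pre_num: int         # the N in rcN; 0 when absent
    plevel: int          # the N in -PN (security patch level); 0 when absent

    def sort_key(self):
        return (self.major, self.minor, self.patch,
                _PRE_RANK.get(self.pre, _FINAL), self.pre_num, self.plevel)

    @property
    def point_release(self):
        return (self.major, self.minor, self.patch)


def parse_bind_version(text: str) -> BindVersion:
    """Extract a version from strings such as 'BIND 9.3.2-P1' (named -v output)
    or a dig answer line like 'version.bind. 0 CH TXT "9.3.2"'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no BIND version found in {text!r}")
    major, minor, patch, pre, pre_num, plevel = m.groups()
    return BindVersion(int(major), int(minor), int(patch), pre,
                       int(pre_num or 0), int(plevel or 0))


# Fixed versions named in the advisory, grouped by branch (major, minor).
FIXED = {
    (9, 3): [parse_bind_version("9.3.2-P1"), parse_bind_version("9.3.3rc2")],
    (9, 2): [parse_bind_version("9.2.6-P1"), parse_bind_version("9.2.7rc1")],
}


def is_patched(text: str) -> bool:
    """True when the version carries the fix for CVE-2006-4095 / CVE-2006-4096.

    A pre-release only counts if it is the fixed rc (or later) of the *same*
    point release; plain numeric ordering would wrongly accept 9.3.3rc1."""
    v = parse_bind_version(text)
    fixed = FIXED.get((v.major, v.minor))
    if fixed is None:
        return False   # branch not covered by the advisory: not confirmed fixed
    for f in fixed:
        if v.point_release == f.point_release:
            return v.sort_key() >= f.sort_key()   # rc number or -P level decides
    # A different point release counts only as a final release newer than every fixed one;
    # later pre-releases (e.g. 9.3.4rc1) are conservatively reported as not confirmed.
    return v.pre is None and v.patch > max(f.patch for f in fixed)


def audit(reports):
    """Map each (host, version string) report to a patched/not-patched verdict."""
    return {host: is_patched(ver) for host, ver in reports}


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts or real query results).
    SAMPLE = [
        ("ns1.example.invalid", "BIND 9.3.2-P1"),
        ("ns2.example.invalid", "BIND 9.3.2"),
        ("ns3.example.invalid", 'version.bind. 0 CH TXT "9.3.3rc1"'),
        ("ns4.example.invalid", "BIND 9.2.7rc1"),
    ]
    for host, ok in audit(SAMPLE).items():
        print(f"{host}: {'patched' if ok else 'NOT patched'}")
```

Servers that hide their version (the `version` option in named.conf) will not answer the CHAOS query, so for those the input should come from package inventory or `named -v` on the host itself.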

Updates are available here.

As of this time we have not received any information on an exploit for either vulnerability.


Updated Packet Attack flash animation

Published: 2006-09-06
Last Updated: 2006-09-06 15:19:50 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
I updated the "Packet Attack" flash animation. It wasn't updating correctly and I added some hints on how to include it in your own page. You also have the choice between two different map images.

The animation shows a geographical representation of all reports received during the last 5 minutes.

(Thanks to Morgan Grant for helping with the update!)

Keywords: flash iscinternal