
SANS ISC InfoSec Handlers Diary Blog



Are you a security pirate?

Published: 2006-09-19
Last Updated: 2006-09-20 00:40:21 UTC
by William Salusky (Version: 1)
0 comment(s)
While not of any particular security significance, I do enjoy my lowbrow humour maybe a little more than the next person.

It has been reported that September 19th is International (talk like a) Pirate Day!  Arrr!

If you have any need to don your Security BoFH hat for the remainder of your day to speak with anyone regarding actual significant security matters, I am informing you that you do have the option to do so with a new hook in your voice.  Just think of the fun you can have while you speak with the next individual reported to have unleashed a botnet on your internal networks:

"Arrr!  Did ya click on that URL sent in IM, Matey!!!  Grrr... Now why'd ya go and do that!  Now yee'll be walkin' the plank!"

I consider myself to be of the disco bandit pirate variety, and just what kind might you be matey!

W



PDF vulnerabilities

Published: 2006-09-19
Last Updated: 2006-09-20 00:01:15 UTC
by donald smith (Version: 1)
0 comment(s)
Several new Adobe PDF vulnerabilities were recently announced.
The author claims these are basic vulnerabilities in the PDF API or architecture, and tested his PoCs against Acrobat Reader and Adobe Professional.
 
The details are available here.
http://michaeldaw.org/
http://www.eweek.com/article2/0,1895,2016606,00.asp

Here is a quick risk assessment.

How widely deployed is the application?
Adobe reader is widely used and deployed. (9)

Are vendor patches available?
No patches are currently available. (10)

Is mitigation available and if so how complete is the mitigation?
No mitigation is currently available. (10)

Is user participation required?

Yes. The user first has to download, or click the link to, a PDF. (5)
So some user interaction takes place.
I have not tested the PoCs, but several people have, and their results do not match. Depending on who tested it, you may have to click Allow.
See this discussion on who tested the PoCs and their results.
http://www.networksecurityarchive.org/html/FullDisclosure/2006-09/msg00252.html

Is the vulnerability cross platform?

Yes. Any exploit will still have to run system-dependent malware on the end host, but there are plenty of malware binaries that could be used. (8)

Is proof-of-concept or exploit code available?
PoCs for two of the vulnerabilities are publicly available. (10)

Overall risk score: 8.7 on a scale of 0 to 10, with 10 being the highest.
This is based on the numbers I assigned.
Your risk might be slightly higher or lower depending on the numbers you would assign and any mitigating factors. In most risk assessments I do, I include the value of the system that is vulnerable. In this case that is difficult to do, so I have left it out.

 


Yet another MSIE 0-day: VML

Published: 2006-09-20
Last Updated: 2006-09-20 14:10:28 UTC
by Swa Frantzen (Version: 8)
0 comment(s)
Multiple readers told us they noticed reports about a new MSIE 0-day, an "actively exploited unpatched vulnerability", in VML. VML stands for Vector Markup Language and is basically an XML file delivered to your browser containing a vector drawing. It was submitted to the W3C in 1998.

This 0-day appears to be different from last week's 0-day abusing daxctle.ocx (BTW: that one is still unpatched).

The CVE candidate number CVE-2006-3866 initially promoted has been rejected; CVE-2006-4868 is the right one.

Detection:

Antivirus            Version         Update      Result
AntiVir              7.2.0.16        09.19.2006  no virus found
Authentium           4.93.8          09.19.2006  no virus found
Avast                4.7.844.0       09.19.2006  no virus found
AVG                  386             09.19.2006  no virus found
BitDefender          7.2             09.19.2006  no virus found
CAT-QuickHeal        8.00            09.18.2006  no virus found
ClamAV               devel-20060426  09.19.2006  no virus found
DrWeb                4.33            09.19.2006  no virus found
eTrust-InoculateIT   23.72.128       09.19.2006  no virus found
eTrust-Vet           30.3.3086       09.19.2006  no virus found
Ewido                4.0             09.19.2006  no virus found
Fortinet             2.82.0.0        09.19.2006  no virus found
F-Prot               3.16f           09.19.2006  no virus found
F-Prot               44.2.1.29       09.19.2006  no virus found
Ikarus               0.2.65.0        09.19.2006  no virus found
Kaspersky            4.0.2.24        09.19.2006  no virus found
McAfee               4855            09.19.2006  no virus found
Microsoft            1.1560          09.19.2006  Exploit:HTML/Levem.C
NOD32                v21.1763        09.19.2006  no virus found
Norman               5.90.23         09.19.2006  no virus found
Panda                9.0.0.4         09.19.2006  no virus found
Sophos               4.09.0          09.19.2006  no virus found
Symantec             8.0             09.19.2006  no virus found
TheHacker            6.0.1.073       09.19.2006  no virus found
UNA                  1.83            09.19.2006  no virus found
VBA                  323.11.1        09.19.2006  no virus found
VirusBuster          4.3.7:9         09.19.2006  no virus found

This was for a sample from the 19th; detection will obviously improve as VirusTotal shares samples with the antivirus vendors involved.

Solutions:

  • Looking into alternate browsers isn't the worst way to spend the next half hour.
    One of the easiest ways to make it work might be to use Firefox with a plugin that allows certain sites (such as windowsupdate.com) to transparently use MSIE, getting back the ActiveX functionality without bothering the user with the choice and the differences. If you do go that road, also add NoScript and a toolbar to block dubious sites.
    See also the diary on diversity.
  • There is some possibility of lessening the impact by reducing the rights the user has, but it will only mitigate drive-by shootings at best. The targeted attacker is probably more than happy to get the rights (and access to information) the user has as part of his/her daily tasks.
    Fewer rights are good, even critical to have. But they are not enough to take away all danger.
  • Unregister vgx.dll:
    regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
    To reverse this, run the command without the -u. Ever since the WMF issue around New Year we know unregistering DLLs isn't for the faint of heart, even if Microsoft recommends it.
  • Also: a restrictive ACL on VGX.DLL, disabling scripting in MSIE (hard to determine how effective that is against content that is basically XML), and reading email as plain text only are alternate mitigations from Microsoft.

Exploits

There are a number of exploits circulating; they come from multiple domains and currently use JavaScript to obfuscate the code itself. However, the exploit itself does not seem to need JavaScript.

The exploits load a truckload of other malware (for profit, of course). One of the main domains involved is "insorg.org", but other, more adult-entertainment-related sites are involved in exploiting victims as well.

Since this exploit seems rather easy to recreate once there is a sample, there is no end to how and where it can and will be used. We would not be surprised to see it appear soon in more mainstream public sources of exploits.
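Because the exploit reaches the VML renderer with or without the JavaScript wrapper, a gateway filter should key on the VML markup itself rather than on the obfuscation alone. The following Python scanner is an added example, not code from the diary, from Microsoft or from any of the circulating samples: it flags HTML that declares the VML namespace or activates VML through the standard `behavior:url(#default#VML)` style rule, and separately notes whether any script block looks obfuscated. The namespace URN and the style rule are standard VML boilerplate; the obfuscation heuristics, the block/review/allow policy and the two sample pages are constructed for this example and are assumptions to tune for your own traffic.

```python
import re

# The XML namespace IE maps to the VML renderer (vgx.dll), and the CSS rule that
# activates VML elements. Both are standard VML boilerplate, not exploit-specific.
VML_NAMESPACE = "urn:schemas-microsoft-com:vml"
VML_NS_RE = re.compile(r'xmlns:(\w+)\s*=\s*["\']' + re.escape(VML_NAMESPACE) + r'["\']', re.I)
VML_BEHAVIOR_RE = re.compile(r'behavior\s*:\s*url\(\s*#default#VML\s*\)', re.I)

# Obfuscation heuristics (assumed for this example): long runs of %uXXXX / %XX / \xXX
# escapes inside a <script> block, or a call to unescape().
SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)
ESCAPED_RUN_RE = re.compile(r'(?:%u[0-9a-f]{4}|\\x[0-9a-f]{2}|%[0-9a-f]{2}){32,}', re.I)


def scan_html(html: str) -> dict:
    """Report whether a page would reach the VML renderer and how its script looks.

    The verdict policy is this example's own: block anything that both declares VML
    and carries obfuscated script, send plain VML for review, allow the rest.
    """
    findings = {"vml": False, "vml_elements": 0, "obfuscated_script": False}

    ns = VML_NS_RE.search(html)
    if ns:
        findings["vml"] = True
        # Count elements that use the declared prefix, e.g. <v:rect ...>.
        prefix = re.escape(ns.group(1))
        findings["vml_elements"] = len(re.findall(r'<' + prefix + r':\w+', html, re.I))
    if VML_BEHAVIOR_RE.search(html):
        findings["vml"] = True

    for body in SCRIPT_RE.findall(html):
        if ESCAPED_RUN_RE.search(body) or "unescape(" in body.lower():
            findings["obfuscated_script"] = True
            break

    if findings["vml"] and findings["obfuscated_script"]:
        findings["verdict"] = "block"
    elif findings["vml"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "allow"
    return findings


# Constructed samples (not real captures): one page with VML plus an escaped-string
# script that merely decodes to a run of 'A's, and one ordinary page.
SAMPLE_VML_PAGE = (
    '<html xmlns:v="urn:schemas-microsoft-com:vml"><head>'
    '<style>v\\:* { behavior:url(#default#VML); }</style></head><body>'
    '<v:rect style="width:100pt;height:50pt" fillcolor="red"></v:rect>'
    '<script>var s = unescape("' + "%u0041" * 40 + '");</script>'
    '</body></html>'
)
SAMPLE_PLAIN_PAGE = (
    '<html><body><img src="logo.png"><script>document.title = "hello";</script>'
    '</body></html>'
)

if __name__ == "__main__":
    for label, page in (("vml", SAMPLE_VML_PAGE), ("plain", SAMPLE_PLAIN_PAGE)):
        print(label, scan_html(page))
```

Plain VML in legitimate Office-generated HTML mail is common enough that the "review" bucket will not be empty; the point of separating the two signals is that the VML marker alone decides whether the unpatched renderer is involved at all, while the obfuscation score only raises the priority.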

URLs

Please note that Microsoft says it will release a fix on October 10th (in cycle), or earlier depending on customer need. Perhaps it's time to let them hear your need.

Thanks to all who sent in a note about this.

--
Swa Frantzen -- Section 66

0day this, 0day that, I've got the 0day blah's, and Microsoft Office 2000 PPT *DOES NOT*

Published: 2006-09-19
Last Updated: 2006-09-19 22:52:43 UTC
by William Salusky (Version: 2)
0 comment(s)
In today's storm of email announcing vulnerabilities (*yes, pun intended*), we have received multiple forwards of a new PowerPoint vulnerability currently focused on the Chinese localization of the Microsoft Office 2000 product.  It is unconfirmed at this time whether later versions of PowerPoint are vulnerable.  There has been no notice disclosed regarding active exploitation of other localized versions of PowerPoint, but safe money says that they are.  One AV vendor is classifying a discovered variant as "Trojan.PPDropper.E".  Update: While earlier reports alluded to the possibility that this was a new null-day exploit against PowerPoint, an AV vendor contact has written in to notify us that this vulnerability, as disclosed elsewhere, was likely not a zer* day vulnerability, and that further investigation was under way to confirm that it was addressed by the updates in MS06-012.

Let me ask.  Do I even have to state the following among this readership?  Though it may be up to you to educate others.

* Don't open untrusted, unvetted or otherwise unexpected attachments. *  Especially not if they were found on a USB stick that was lying on the ground outside your office!

Personally, I have instructed my parents to stop using the internet altogether, since they seem unable to stop browsing strange websites and opening attachments from strange sources. </sarcasm>


Have I mentioned that I'm tired of using terms that have lost their meaning?

0day it to the front, uh-uh-uh
0day it to the back,  uh-uh-uh
0day to the right, 0day to the left
0day it up, up all night, uh-uh-uh
</REALLY /sarcasm>
Handler on Duty (who solemnly swears NEVER to use the term '0day' ever again)
W


Rant-of-the-day: on the dangers of orphaned software (the dark side of open source)

Published: 2006-09-19
Last Updated: 2006-09-19 20:55:20 UTC
by Jim Clausing (Version: 2)
0 comment(s)
Earlier today, one of our readers (who asked not to be identified) alerted us that a number of Linux and BSD distros were releasing new versions of gzip which address several new vulnerabilities (CVE-2006-4334 through 4338).  A quick look at the MITRE site shows those vulnerabilities as still 'under review', so there are no details as to what underlying problems are being fixed.  I decided to take a look at the "official" site for gzip to see if there was any info there.  I first went to www.gnu.org and found info on gzip.  They said the "official" site was www.gzip.org, so I went over there for a look.  That is when I became very discouraged.  The last official version of gzip listed on that site is 1.2.4 (dated Aug 1993; well, 1.2.4a is on the FTP server dated Feb 1999) and the latest "beta" listed is 1.3.3, but all of the Linux distros, FreeBSD, even Sunfreeware are on 1.3.5 (I finally found the 1.3.5 source on the alpha.gnu.org FTP server, dated Sep 2002).  Looking at the bottom of the page, I see that the page itself hasn't been updated in over 3 years.  Is there someplace that one can find the current definitive source for gzip?  I don't know.  I found a Windows version on Sourceforge.

I know there have been vulnerabilities in both gzip and zlib over the last 3 or 4 years and I know that most vendors have patched them, but if there is no authoritative owner for the software, are the vendors patching the same way?  Do all the patches actually work?  How have the various vendor versions diverged over the last 3+ years?  This is the downside of open source software.  What happens to it when the original maintainers tire of it, move on to other things, get hit by the proverbial bus,...?  I admit that I have not yet tried contacting support@gzip.org or the original authors of this excellent tool to find out if they have passed maintenance on to anyone else.
I am reasonably certain that the various vendor versions could be reconciled and an official version could be produced again, but who should/would take ownership of it?

Anyway, from what I can tell from the FreeBSD and Ubuntu bulletins, these issues can result in gzip (or, I believe more accurately, gunzip/gzip -d) crashing, causing high CPU utilization, and possible code execution from a properly crafted .gz file, so you'll probably want to update your gzip as soon as your favorite distro provides the update.
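Since the bulletins point at crafted .gz input, a defender can at least look at what gunzip would be handed before anything is inflated. The Python header inspector below is an added example, not part of the diary and not code from gzip itself: it checks the magic number (gzip dispatches the legacy compress, pack and lzh formats to different decoders than the deflate one), validates the RFC 1952 header fields, and reports length fields that run past the end of the file. The magic byte values are the ones gzip's own source defines; the sample inputs are constructed for the example, and the "only clean deflate members go on to gunzip" policy is an assumption.

```python
import gzip
import struct

# Magic numbers gzip(1) accepts and the decoder each one is dispatched to. The byte
# values are those defined in gzip's own source; the labels are this example's.
MAGICS = {
    b"\x1f\x8b": "gzip (deflate)",
    b"\x1f\x9e": "old gzip (deflate)",
    b"\x1f\x9d": "compress (LZW)",
    b"\x1f\x1e": "pack",
    b"\x1f\xa0": "lzh",
}

# RFC 1952 FLG bits.
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 1, 2, 4, 8, 16


def inspect_gz(data: bytes) -> dict:
    """Parse the header of a .gz member without inflating anything.

    Returns the format, the header length, the stored file name (if any) and a
    list of structural problems a decoder would have to cope with.
    """
    report = {"format": "unknown", "header_len": None, "name": None,
              "extra_len": 0, "problems": []}
    if len(data) < 2:
        report["problems"].append("too short for a magic number")
        return report
    report["format"] = MAGICS.get(bytes(data[:2]), "unknown")
    if data[:2] != b"\x1f\x8b":
        # Legacy formats carry no RFC 1952 header; flag them so they are reviewed
        # rather than handed straight to the older decoders.
        if report["format"] == "unknown":
            report["problems"].append("not a magic number gzip recognises")
        else:
            report["problems"].append("legacy format handled by a non-deflate decoder")
        return report
    if len(data) < 10:
        report["problems"].append("truncated RFC 1952 header")
        return report

    method, flags, _mtime, _xfl, _os = struct.unpack("<BBIBB", data[2:10])
    if method != 8:
        report["problems"].append(f"compression method {method} is not 8 (deflate)")
    if flags & 0xE0:
        report["problems"].append("reserved FLG bits set")
    pos = 10

    if flags & FEXTRA:
        if len(data) < pos + 2:
            report["problems"].append("FEXTRA set but XLEN missing")
            return report
        xlen = struct.unpack("<H", data[pos:pos + 2])[0]
        pos += 2
        if len(data) < pos + xlen:
            report["problems"].append("XLEN runs past end of file")
            return report
        report["extra_len"] = xlen
        pos += xlen

    for bit, key in ((FNAME, "name"), (FCOMMENT, "comment")):
        if flags & bit:
            end = data.find(b"\x00", pos)
            if end == -1:
                report["problems"].append(f"unterminated {key} field")
                return report
            if key == "name":
                report["name"] = data[pos:end].decode("latin-1")
            pos = end + 1

    if flags & FHCRC:
        if len(data) < pos + 2:
            report["problems"].append("FHCRC set but CRC16 missing")
            return report
        pos += 2

    report["header_len"] = pos
    return report


def header_looks_clean(report: dict) -> bool:
    """Policy assumed for this example: only clean deflate members go on to gunzip."""
    return report["format"] == "gzip (deflate)" and not report["problems"]


# Constructed samples (not real captures).
SAMPLE_OK = gzip.compress(b"hello isc")                        # clean, FLG = 0
SAMPLE_NAMED = (b"\x1f\x8b\x08\x08" + b"\x00" * 6               # FNAME set
                + b"report.txt\x00" + b"\x03\x00")
SAMPLE_BAD_XLEN = (b"\x1f\x8b\x08\x04" + b"\x00" * 6            # FEXTRA set
                   + b"\xff\xff" + b"\x00" * 4)                 # XLEN = 65535, 4 bytes follow
SAMPLE_LEGACY = b"\x1f\x9d\x90" + b"\x00" * 8                   # compress(1) magic

if __name__ == "__main__":
    for label, blob in (("ok", SAMPLE_OK), ("named", SAMPLE_NAMED),
                        ("bad_xlen", SAMPLE_BAD_XLEN), ("legacy", SAMPLE_LEGACY)):
        print(label, inspect_gz(blob))
```

This only covers the header; a hostile deflate stream passes it untouched, which is why the fix is still to take the distro update. What the check buys is a way to keep the rarely used legacy decoders and obviously malformed headers away from an unpatched gunzip in the meantime.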

Update:  (2006-09-19 20:52 UTC) These vulnerabilities collectively now have Bugtraq ID 20101, and the Red Hat notice gives a little more of a hint at what the various CVEs are about.
----------------------------
Jim Clausing, jclausing /at\ isc dot sans dot org

Malware analysts rejoice! A public submission interface for the CWSandbox

Published: 2006-09-19
Last Updated: 2006-09-19 19:29:01 UTC
by William Salusky (Version: 1)
0 comment(s)
The public availability of a submission interface into the CWSandbox is finally at hand.

The CWSandbox has been a somewhat closely held tool in the professional security and AV researcher community for many months now.  The CWSandbox results offer near-immediate insight into the actions of malicious code executing on Win32-based systems, which in turn offers you, the affected party, some quick intel on what might be happening on your network!

Please be kind and submit samples that you have vetted in some way as malicious.  I'm sure this project would not be interested in receiving copies of your %SYSTEM% directory.

You can submit your malicious code samples via the sample web submission form at:
https://luigi.informatik.uni-mannheim.de/submit.php

CWSandbox reports containing the sandbox and AV results are emailed to the submitter's address.

This sandbox environment currently tracks malicious code variants against only three free/unnamed AV products.  I'm confident that this project would be interested in hearing from commercial AV vendors willing to offer Unix-based solutions to further their detection effort.

Handler on duty
W
