
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-09-21



Apple updates Airport Drivers

Published: 2006-09-21
Last Updated: 2006-09-21 21:29:15 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
Apple today released an urgent update for OS X fixing arbitrary code execution issues in its AirPort drivers. This is likely to fix the issues demoed at Black Hat. That demo ignited a controversy, as Apple never actually acknowledged that such a vulnerability exists. The researchers at the time were careful not to demo the exploit outside of a controlled lab in order not to release it (after all, it's "wireless").

The full advisory lists three (!) arbitrary code execution issues fixed by this patch. The advisory states that there is no known exploit, and does not credit anyone with discovering the vulnerabilities.

I recommend applying the patch ASAP. Note that you will only be able to download the full patch "as is"; patches for the individual vulnerabilities are not provided. Interestingly, the OS X updater labels the patch a "wireless network reliability fix".

For more background, see Brian Krebs' latest blog post.




Keywords: airport apple osx

2222/tcp Probes

Published: 2006-09-21
Last Updated: 2006-09-21 21:12:28 UTC
by Chris Carboni (Version: 1)
0 comment(s)

In yesterday's diary, Jim showed DShield data pointing to a drastic increase in probes to tcp port 2222.

Today, the data drops back down to 'normal' levels.



We did receive quite a few e-mails listing applications that use tcp 2222 by default, among them Allen-Bradley SLC-505 PLCs, Direct Admin, Ethernet-connected Allen-Bradley programmable logic controllers, and the pubcookie key server.

That port is also known to be used by a couple of trojans.

We've also received a few packets, and based on what we can see, they are SYN packets that may be crafted. One of the handlers noticed some irregularities in the source port and sequence numbers.

I'll post the packets as soon as I can properly anonymize them to protect the innocent.  ;)

We'll keep an eye on this over the next few days.
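The diary does not say which irregularities the handler saw, only that the source port and sequence numbers of the SYNs looked off. The script below is an added example, not ISC or DShield code: it parses constructed tcpdump-style lines, keeps bare SYNs to tcp/2222, and flags the kind of artifacts a packet crafter tends to leave behind. The three heuristics (source port equal to the destination port, the same ISN reused by different source addresses, and an implausibly small ISN, with the 2^20 threshold chosen here) are assumptions for illustration, not what the handlers actually observed.

```python
"""Flag suspect SYN probes to tcp/2222 in tcpdump-style text (added example).

The heuristics are assumptions about what crafted packets look like; the
diary itself only reports "irregularities in the source port and sequence
numbers" without saying which.
"""
import re
from collections import defaultdict

# Assumed line shape from `tcpdump -nn`:
#   "ts IP src.sport > dst.dport: Flags [S], seq N, win W, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)(?::\d+)?, win (?P<win>\d+)"
)

# Assumed threshold: a real stack picks a pseudo-random 32-bit ISN, so a
# value this small across many probes suggests a hand-built packet.
LOW_ISN = 1 << 20


def parse_line(line):
    """Parse one tcpdump line into a dict, or None for lines without a seq field."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "seq", "win"):
        pkt[key] = int(pkt[key])
    return pkt


def syn_probes(lines, dport=2222):
    """Keep only bare SYNs (flags exactly 'S') aimed at dport."""
    probes = []
    for line in lines:
        pkt = parse_line(line)
        if pkt and pkt["dport"] == dport and pkt["flags"] == "S":
            probes.append(pkt)
    return probes


def flag_irregular(probes):
    """Return {reason: [packets]} for probes matching the crafted-SYN heuristics."""
    findings = defaultdict(list)
    by_seq = defaultdict(list)
    for pkt in probes:
        by_seq[pkt["seq"]].append(pkt)
        if pkt["sport"] == pkt["dport"]:
            findings["sport_equals_dport"].append(pkt)
        if pkt["seq"] < LOW_ISN:
            findings["low_isn"].append(pkt)
    # The same ISN from several source addresses is not something a normal
    # stack produces; a scanner that hard-codes seq numbers does it readily.
    for group in by_seq.values():
        if len({p["src"] for p in group}) > 1:
            findings["isn_reused_across_sources"].extend(group)
    return dict(findings)


def suspect_sources(findings):
    """Distinct source addresses that tripped at least one heuristic."""
    return sorted({p["src"] for pkts in findings.values() for p in pkts})


# Constructed sample capture: one ordinary SYN, three look-alike crafted SYNs
# sharing seq 674711 and source port 2222, one SYN to another port, one ACK.
SAMPLE = """\
21:01:03.100000 IP 192.0.2.10.43211 > 198.51.100.5.2222: Flags [S], seq 1829401110, win 65535, length 0
21:01:03.200000 IP 192.0.2.20.2222 > 198.51.100.5.2222: Flags [S], seq 674711, win 512, length 0
21:01:03.300000 IP 192.0.2.21.2222 > 198.51.100.6.2222: Flags [S], seq 674711, win 512, length 0
21:01:03.400000 IP 192.0.2.22.2222 > 198.51.100.7.2222: Flags [S], seq 674711, win 512, length 0
21:01:04.000000 IP 192.0.2.10.43212 > 198.51.100.5.22: Flags [S], seq 99, win 65535, length 0
21:01:05.000000 IP 192.0.2.10.43211 > 198.51.100.5.2222: Flags [.], ack 1, win 65535, length 0
"""

if __name__ == "__main__":
    found = flag_irregular(syn_probes(SAMPLE.splitlines()))
    for reason, pkts in found.items():
        print(reason, sorted({p["src"] for p in pkts}))
    print("suspect sources:", suspect_sources(found))
```

Run it against a real `tcpdump -nn 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 2222'` text dump instead of SAMPLE; the ordinary SYN from 192.0.2.10 trips nothing, while the three crafted ones trip all three heuristics.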


More 'sploit code released

Published: 2006-09-21
Last Updated: 2006-09-21 20:53:26 UTC
by Chris Carboni (Version: 3)
0 comment(s)
Juha-Matti sent a note telling us that exploit code for the Internet Explorer VML remote buffer overflow vulnerability Swa reported on in Tuesday's diary has been released on one of the usual sites.

The site contains a modified version of the code originally released on Tuesday, which has now been tested on:
  • Windows XP SP1 + IE6 SP1
  • Windows XP SP0 + IE6
  • Windows 2000 SP4 + IE6 SP1
  • Windows 2000 SP4 + IE6

He also mentions that exploit code for the Windows kernel privilege escalation vulnerability fixed by MS06-049 has been released.

This code is said to have been tested on:
  • Windows 2000 PRO SP4 Chinese
  • Windows 2000 PRO SP4 Rollup 1 Chinese
  • Windows 2000 PRO SP4 English
  • Windows 2000 PRO SP4 Rollup 1 English

Joel: Snort's VRT team published rules today that catch the new VML vulnerabilities. At this time, in tune with the VRT license, they are subscription only. They will be public in 5 days. Read the news release here.


MS Desktop Search add-on vulnerabilities - Trustworthy Computing gone too far

Published: 2006-09-21
Last Updated: 2006-09-21 16:26:38 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
So I'm checking the usual vulnerability announcement sources and once again the folks at NISCC have posted info on a beauty. Their NISCC Vulnerability Advisory 693564/NISCC/FOLDERSHARE - Security Implications of the FolderShare Program details serious vulnerabilities (an HTTPS tunnel out of the network, EFS bypass, and more) in FolderShare, an "add-in tool for Microsoft Desktop Search" which enables "remote access to files stored on Windows and Mac OS X based computers."

MS's KB "Best practices and security issues to consider when you use FolderShare" is weak; its only useful recommendation is:

"you can effectively block outgoing traffic to FolderShare. To permanently block the FolderShare satellite from running in a particular environment, block access to the following host name on port TCP/443:
redir1.foldershare.com"

The folks at NISCC credit "Ben Rexworthy of Securinet UK and white-hats.co.uk for reporting these issues to NISCC".
