Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog



Openssl patches ASN.1 flaw

Published: 2006-09-28
Last Updated: 2006-09-29 03:35:13 UTC
by Mike Poor (Version: 1)
0 comment(s)
OpenSSL released patched versions today to fix security flaws in the 0.9.7 and 0.9.8 branches of their code.  Read the full advisory here

You can test what version of OpenSSL you have by using the following command:

# openssl version

One thing to remember is that many distributions do not follow the project's version nomenclature: they backport the fix into the package without bumping the upstream version letter, so the string printed by "openssl version" can look vulnerable when the package is in fact patched (or vice versa). Check the distribution's own openssl advisory and package version rather than relying on the upstream version string.

Mike Poor   ekim   #@#  intelguardians.com
Handler on Duty

MSIE: One patched, one pops up again (setslice)

Published: 2006-09-28
Last Updated: 2006-09-28 22:58:47 UTC
by Swa Frantzen (Version: 5)
0 comment(s)

If you remember the Month of Browser Bugs series of exploits back in July: one of the bugs published then as a mere denial of service turns out to allow code execution after all (the "setslice" issue). Coincidence or not, the exploit was publicly released right after Microsoft's out-of-cycle patch for MSIE.

So: No, surfing with MSIE is still not safe.

Defenses

  • Use an alternate browser (yeah, we sound like a broken record). But diversity really does make the bad guys' job harder.
  • Disable ActiveX (take care: Windows Update needs it, so you have to allow it for those sites, e.g. via the Trusted Sites zone).
  • Set the killbits on the two affected CLSIDs:
    {844F4806-E8A8-11d2-9652-00C04FC30871} and {E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
  • Keep antivirus signatures up to date.
  • Keep an eye out for a patch from Microsoft.
  • ...

--
Swa Frantzen -- Section 66



OpenSSH 4.4 (and 4.4p1) released

Published: 2006-09-28
Last Updated: 2006-09-28 17:43:14 UTC
by Jim Clausing (Version: 2)
0 comment(s)
Version 4.4 (and the portable 4.4p1) of OpenSSH was released yesterday.  Among other things, it fixes the vulnerability announced earlier this week (CVE-2006-4924) in the CRC compensation attack detector, which allowed a denial of service against servers that still accept SSH protocol version 1 (which hopefully no one does anymore, given the protocol's other weaknesses; "Protocol 2" in sshd_config turns it off).

See http://www.openssh.com for more details.

Setslice Killbit Apps

Published: 2006-09-30
Last Updated: 2006-09-30 15:17:50 UTC
by Tom Liston (Version: 4)
1 comment(s)
Well... here we are again...  seems like only last week, I was putting up killbit apps for "daxctle.ocx"... 

(and really, it was 10 days ago... sheesh, how time flies!)

Anyway, I've got two more for you, this time, setting the killbits on a couple versions of webvw.dll, and (as far as we can tell) shutting off access to the stuff that makes IE vulnerable to the "setslice" issue.  Note: we've tested these settings against the Metasploit project's test page, and they work.  Because MS hasn't released any information as of yet, we're sort of flying blind here...  However, that being said, the killbit method is great, because it is completely reversible.

There are two versions of the app, one a standard Windows program, the other a command-line version. 

The standard Windows app will tell you the status of the two killbits (ANDed together, for you programmer-types out there...) and give you the option to change them. (From SET to UN-SET, and vice versa...)

Standard Windows app: WEBVW.DLL_KillBit.exe - 2,560 bytes
MD5: f89b8896ed90f5387a57ed818294fe22

The command-line app will SET the killbits when run with no parameters, and UNSET them when run with any parameter (say "/r").  It will return 0 on success and 1 on failure.

Command line app: WEBVW.DLL_KillBit_cmd.exe - 3,548 bytes
MD5: ebc215850cd06b2de2d8e49428134271

UPDATE: Should anyone need to know, the CLSIDs that these apps are setting the killbit on are:

{844F4806-E8A8-11d2-9652-00C04FC30871} and
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}

(Thanks to Mark for pointing out that I forgot to put that in the diary entry...)

Tom Liston - ISC Handler
Senior Security Consultant - Intelguardians

New diary link: http://isc.sans.org/diary.php?storyid=1747

Keywords: killbit setslice
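As an added example (not the diary's own code, and not Tom Liston's WEBVW.DLL_KillBit tools), the following PowerShell script does what both the "Set the killbits" defense in Swa's entry and Tom's command-line app describe: it reads, sets and clears the killbit for the two CLSIDs named above. It relies on the documented killbit mechanism (Microsoft KB 240797): a REG_DWORD named "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} with bit 0x400 set. The Wow6432Node path for 32-bit IE on 64-bit Windows, the -WhatIf preview and the -Clear switch are this example's additions, not something the diary describes.

```powershell
# Added example (not from the ISC diary or Tom Liston's tools): set, query and
# clear the IE killbit for the two setslice CLSIDs named in the diary.
# Mechanism (Microsoft KB 240797): REG_DWORD "Compatibility Flags" with bit
# 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX
# Compatibility\{CLSID} stops IE from instantiating that control.
# Run from an elevated prompt. -WhatIf previews the registry writes.

$KillBit = 0x400
$Clsids  = '{844F4806-E8A8-11d2-9652-00C04FC30871}',
           '{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}'

$BasePaths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    # Assumption: 32-bit IE on 64-bit Windows reads the WOW6432Node view, so
    # both views are written to make the bit apply regardless of bitness.
    $BasePaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-KillBit {
    # Returns $true when bit 0x400 is set for the CLSID in the given hive view.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [string]$BasePath = $BasePaths[0]
    )
    $key   = Join-Path $BasePath $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -ne 0)
}

function Set-KillBit {
    # Sets (default) or clears (-Clear) only bit 0x400; any other
    # compatibility flags Microsoft already put on the key are preserved.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [switch]$Clear
    )
    foreach ($base in $BasePaths) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) {
            if ($Clear) { continue }          # nothing to clear
            New-Item -Path $key -Force | Out-Null
        }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        $new = if ($Clear) { $current -band (-bnot $KillBit) } else { $current -bor $KillBit }
        $action = ('Compatibility Flags 0x{0:X} -> 0x{1:X}' -f @($current, $new))
        if ($PSCmdlet.ShouldProcess($key, $action)) {
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
        }
    }
}

# Usage: show status, set both killbits, verify. Uncomment the last line to
# reverse the change once Microsoft's patch is installed.
foreach ($c in $Clsids) { '{0} killbit set: {1}' -f $c, (Get-KillBit $c) }
foreach ($c in $Clsids) { Set-KillBit $c }
foreach ($c in $Clsids) { '{0} killbit set: {1}' -f $c, (Get-KillBit $c) }
# foreach ($c in $Clsids) { Set-KillBit $c -Clear }
```

Set-KillBit -WhatIf shows the registry writes without making them, and Set-KillBit -Clear undoes them, which is the reversibility Tom points to. Because only bit 0x400 is touched, a set/clear cycle leaves any other compatibility flags on the key as they were. Note that IE evaluates the killbit on control instantiation, so an already-open browser should be restarted after setting it.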

Powerpoint, yet another new vulnerability

Published: 2006-09-28
Last Updated: 2006-09-28 02:09:35 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
Microsoft confirms yet another powerpoint vulnerability that leads to code execution.

Detection

McAfee has a write-up of the exploit they detected for this vulnerability; that sample connects back to http:// mylostlove1 .6600 .org/[CENSORED], but variants will most likely connect elsewhere, so do not build detection on that one host alone.

Affected

It seems all supported versions of Office are affected. It's interesting to note that Microsoft also lists the Apple versions of Office as vulnerable.

Delivery vectors are basically any means of getting the file to you: web, e-mail, thumb drives, CDs, ...

Defenses

  • Do not open untrusted PowerPoint files ... but we all know how easy it is to social engineer people into opening things anyway.
  • Use the PowerPoint Viewer 2003 (nah, not an option if you have a Mac).
  • Filter and/or quarantine PowerPoint files at the perimeter (block PowerPoint e-mail attachments and PowerPoint downloads from the web), but that is not easy: the format has genuine uses, and the exploit file does not need a ".ppt" extension to be opened as PowerPoint.
  • Keep antivirus signatures up to date.
  • Keep an eye out for a patch from Microsoft.
  • ...
If you do run into a sample, we're interested in obtaining one (to add to our collection ;-) ).

--
Swa Frantzen -- Section 66
