Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-01-11 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Port 2968 update - Same as 2967 ever was

Published: 2007-01-11
Last Updated: 2007-01-12 21:51:43 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)
Update: The Novell Clients will have Symantec AV listening on port 2968 as well. Not just the server!
This may explain the rise as it exposes a much larger population of systems.

We have captured a fair number of attacks against ports 2968 and 2967 over the past 24 hours and they appear to be identical in payload. The attack is effective against Symantec Antivirus version 10.0.2.2000 and below. The shellcode opens a bindshell on port 8555, which is then connected to and either ftp.exe or tftp.exe are used to download what appears to be a botnet client.

One submitter tells us:
Symantec has widely reported vulnerabilities in clients 10.0.2.2000 and below.  It is a remotely exploitable vulnerability that does not require user intervention.  10.0.2.2002 remediates the problem.

Over the last several days, we've experienced a significant number of systems (missing the Symantec patch) that have been exploited by a worm.  The worm spreads by a number of mechanisms, but namely the Symantec vulnerbility over port TCP 2967.   I was able to capture traffic from an infected host, see attached file.  The worm tries to phone home to 89.163.145.15:6667.  By blocking this on the outbound firewall or router, the worm will stop attempting to spread.  Long story short, be sure to patch your systems!
The question remains, why the port 2968 variant? Since the attack is using Windows shellcode, and running Windows commands for backchannel propagation, why go after the port used on Novell Netware versions of Symantec Live Update?

Your thoughts are welcome, as always.
Keywords:
0 comment(s)

Computer Associates Arcserve Buffer Overflow Vulnerability

Published: 2007-01-11
Last Updated: 2007-01-11 21:51:28 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)
Computer Associates today released an advisory and patch that deals with a remotely exploitable bug in CA BrightStor ARCserve Backup tape engine.  From TippingPoint's Zero Day Initiative site:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Computer Associates BrightStor ARCserve Backup. User interaction is not required to exploit this vulnerability.

The specific flaw exists in the Tape Engine RPC service which listens by default on TCP port 6503 with the following UUID:

    2b93df0-8b02-11ce-876c-00805f842837

The service exposes a buffer overflow in the handler for RPC opnum 0xCF that allows for arbitrary code execution when handling user-supplied data from the RPC request.
Since the service runs on Windows as LOCAL_SYSTEM, an attacker exploiting this vuln could have complete unrestricted control over the victim.

Versions of Arcserve up to and including version 11.5 are vulnerable and admins should visit http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp to pull down the vendor supplied fix.

Question for the community: Is anyone running Arcserve in an enterprise environment *without* running the service as LOCAL_SYSTEM?
Keywords:
0 comment(s)
Diary Archives