SANS ISC: InfoSec Handlers Diary Blog

Important upgrade for Juniper routers

Published: 2007-12-14
Last Updated: 2007-12-15 00:14:07 UTC
by William Stearns (Version: 5)
0 comment(s)

Juniper Networks has put out an important advisory related to their routers. It appears that malformed BGP packets may induce BGP session flapping.

JUNOS releases from 7.3 to 8.4 are vulnerable to crafted IPv6 messages that may crash the kernel. Versions 8.5R1 and above have this memory issue fixed.

If you're a registered user, please see this link for the BGP issue.

And this one for the IPv6 issue.

There's a discussion about the problems at:

Because this crash can be remotely triggered, this issue should be addressed as soon as is practical.
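The diary gives an affected range (7.3 through 8.4) and a fix level (8.5R1 and above), which is exactly the input an operator needs to triage a router inventory. The following is an added example written for this edit, not Juniper's advisory tooling. It assumes the usual JUNOS version token layout (major.minor, a release-type letter such as R or B, release number, optional build), treats 8.5 builds that are not R releases and anything older than 7.3 as outside what the advisory text covers, and addresses only the IPv6 kernel-crash range, not the separate BGP advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range and fix level exactly as the diary entry states them.
FIRST_AFFECTED = (7, 3)
LAST_AFFECTED = (8, 4)
FIXED_TRAIN, FIXED_TYPE, FIXED_RELEASE = (8, 5), "R", 1

# JUNOS version tokens look like 8.4R2.3: major.minor, a release-type letter
# (R = release, B = beta, I = internal), release number, optional build.
_VER_RE = re.compile(r"(\d+)\.(\d+)([A-Z])(\d+)(?:\.(\d+))?")

Version = Tuple[int, int, str, int, int]  # (major, minor, type, release, build)


def parse_junos_version(text: str) -> Optional[Version]:
    """Extract a version tuple from a bare string such as '8.4R2.3' or from a
    'show version' line such as 'JUNOS Base OS boot [8.4R2.3]'."""
    m = _VER_RE.search(text)
    if not m:
        return None
    major, minor, rtype, rel, build = m.groups()
    return int(major), int(minor), rtype, int(rel), int(build or 0)


def ipv6_crash_status(text: str) -> str:
    """Classify one version string against the advisory range.

    Returns 'affected', 'fixed', 'unknown' (8.5 non-R build, not covered by the
    advisory wording), 'not_listed' (older than 7.3) or 'unparsed'."""
    v = parse_junos_version(text)
    if v is None:
        return "unparsed"
    train = (v[0], v[1])
    if FIRST_AFFECTED <= train <= LAST_AFFECTED:
        return "affected"
    if train > FIXED_TRAIN:
        return "fixed"
    if train == FIXED_TRAIN:
        # Assumption: only 8.5R1 and later R builds are stated as fixed; beta or
        # internal 8.5 builds are not covered by the advisory text.
        return "fixed" if v[2] == FIXED_TYPE and v[3] >= FIXED_RELEASE else "unknown"
    return "not_listed"


# Constructed inventory for a demonstration run (hypothetical hostnames).
INVENTORY = {
    "edge-1": "JUNOS Base OS boot [8.4R2.3]",
    "edge-2": "8.5R1.14",
    "core-1": "7.3R1",
    "lab-1": "8.5B2",
    "old-1": "7.2R3",
}


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by their advisory status, each list sorted."""
    groups: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        groups.setdefault(ipv6_crash_status(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


if __name__ == "__main__":
    for status, hosts in sorted(triage(INVENTORY).items()):
        print(f"{status:10s} {', '.join(hosts)}")
```

Feed it the version lines from your own `show version` output; hosts in the `affected` bucket are the ones the diary says to patch as soon as practical, and `unknown` hosts deserve a look at the full advisory rather than an assumption either way.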



QuickTime 7.3.1 released addresses RTSP vulnerability

Published: 2007-12-14
Last Updated: 2007-12-14 21:24:44 UTC
by donald smith (Version: 4)
0 comment(s)

A new version of Apple QuickTime, 7.3.1, is available that addresses the RTSP vulnerability we covered here: and

“QuickTime 7.3.1
CVE-ID: CVE-2007-6166
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2
Impact: Viewing a maliciously crafted RTSP movie may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in QuickTime's handling of Real Time Streaming Protocol (RTSP) headers. By enticing a user to view a maliciously crafted RTSP movie, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the destination buffer is sized to contain the data.”

The update is available here:
Thanks go out to Juha-Matti and Roger for sending this in.


SquirrelMail release 1.4.13

Published: 2007-12-14
Last Updated: 2007-12-14 20:22:46 UTC
by Stephen Hall (Version: 1)
0 comment(s)

The analysis of the SquirrelMail 1.4.12 code base is in, and it looks more serious than first thought. 1.4.11 appears to have been affected as well, so they have released 1.4.13 and have posted the following announcement:

Due to the package compromise of 1.4.11 and 1.4.12, we are forced to release 1.4.13 to ensure no confusion. While initial review didn't uncover a need for concern, several proofs of concept show that the package alterations introduce a high-risk security issue, allowing remote inclusion of files. These changes would allow a remote user the ability to execute exploit code on a victim machine, without any user interaction on the victim's server. This could grant the attacker the ability to deploy further code on the victim's server.

Details, and the updated bundles (please remember to check the MD5s and PGP signatures), are at



Frosty The Snowcrash

Published: 2007-12-14
Last Updated: 2007-12-14 18:22:16 UTC
by Mike Poor (Version: 3)
0 comment(s)

Ladies and Gentlemen, the end is near! ... the end of the year, that is. During this wondrous time of winter cheer, what better way to escape the holiday shopping madness than to fully immerse yourselves in Ed Skoudis' latest creative challenge: Frosty the Snowcrash.

As many of you already know, my good friend Ed's hacker challenges are an exciting and creative way to test your 1337 security kung fu skills. You can find his latest masterpiece at

As is customary during this time of year, analysts that are good (well, they have to be very, very good) will get presents (sometimes known as prizes); those that are bad (well, in fact everyone else) will get a lump of coal (actually, they will receive an email with an ASCII art drawing of a lump of coal).

So, you think you have good kung fu? Head on over to see if you can solve the Frosty the Snowcrash Challenge.

Happy Holidays!

Mike Poor


Cisco password tricks

Published: 2007-12-14
Last Updated: 2007-12-14 18:14:23 UTC
by donald smith (Version: 1)
1 comment(s)

Jon wrote in to tell us about this unusual Cisco IOS “trick”.

Jon and several of the handlers discussed this in detail. I have included a summary of those discussions.

It describes a way to decode type 7 passwords without any additional software. Software that can do this has been available for many years, but I believe this is the first time Cisco has provided a feature that displays type 7 passwords in plain text directly on the router. In my opinion passwords should never be displayed in plain text. However, some passwords and other “secrets” stored on a router or network element have to be stored with reversible encryption, because the protocol specification requires the router to have the plain-text password. Many of the passwords protected by reversible encryption are also transmitted over the network in plain text, so extensive work to secure them is probably not worth the effort. Cisco is not the only vendor that does this. Most network element vendors have reversible encryption algorithms. Theirs may not be as well known as Cisco's type 7, but when the router needs to reverse the password it can, and the plain-text password is held in memory at least for a short period of time.

So how does one go about ensuring their Cisco router meets minimum security requirements?
Cisco's AutoSecure, available in IOS version 12.2 and later, is a good, easy-to-use tool that will assist you in securing your routers.
Cisco's “tested and validated security solutions”, formerly called SAFE, has lots of guidance for Cisco elements.

Additionally, I recommend the benchmark and tool; the benchmark is very detailed. It includes the commands needed to implement each security recommendation and explains why you might want to implement that feature.
It was recently upgraded and released in November 2007.

I also recommend reading RFC 3871, “Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure”. Although targeted at large ISPs, many of its recommendations are worth understanding. It is not vendor specific, and many of the ideas can be used in a mixed-vendor environment.
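The distinction the diary draws, between login credentials that should be stored one-way and protocol secrets that IOS can only keep reversibly, is one a config audit can make mechanically. What follows is an added example written for this edit; it is not from the diary, from Jon, from Cisco or from the benchmark mentioned above. It assumes an IOS-style running-config as text, covers only the common `password`/`secret`/`md5` statement forms matched by its regular expressions, and the sample config and its hash values are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample running-config (hypothetical host; hash values are
# placeholders, not real credentials).
SAMPLE_CONFIG = """\
hostname edge-rtr1
no service password-encryption
enable password letmein
username admin password 7 00000000000000000000
username ops secret 5 $1$PLACE$holderholderholderholde
interface Serial0/0
 ip ospf message-digest-key 1 md5 7 00000000000000000000
line vty 0 4
 password 0 cleartext
 login
"""

Finding = Tuple[str, int, str]  # (severity, line number, message); line 0 = whole config

# 'password'/'secret'/'md5' keyword, optional encryption-type digit, then the value.
_PW_STMT = re.compile(r"\b(password|secret|md5)\s+(?:(\d)\s+)?(\S+)\s*$")
# Statements whose secret the protocol itself needs in plain text, so IOS can
# only store them reversibly (type 7 at best). Assumed subset of such commands.
_PROTO_KEY = re.compile(
    r"^(?:ip ospf message-digest-key|ip rip authentication|key-string|"
    r"neighbor \S+ password|ntp authentication-key|tacacs-server key|radius-server key)"
)


def classify(stripped: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (kind, type_digit) for a credential-bearing line, else None.
    kind is 'protocol key' or 'login credential'; type_digit is None when the
    statement carries no encryption-type number (i.e. plain text)."""
    m = _PW_STMT.search(stripped)
    if not m:
        return None
    keyword, type_digit, _value = m.groups()
    kind = "protocol key" if keyword == "md5" or _PROTO_KEY.match(stripped) else "login credential"
    return kind, type_digit


def audit_ios_config(config: str) -> List[Finding]:
    """Flag reversible or plain-text secrets, distinguishing the ones that must
    be reversible (protocol keys) from the ones that need not be (logins)."""
    findings: List[Finding] = []
    lines = [line.strip() for line in config.splitlines()]
    if "service password-encryption" not in lines:
        findings.append(("medium", 0,
                         "service password-encryption is off; type 0 secrets appear in clear in the config"))
    for n, line in enumerate(lines, 1):
        if line.startswith("enable password"):
            findings.append(("high", n, "enable password is plain or type 7; replace with 'enable secret'"))
            continue
        c = classify(line)
        if c is None:
            continue
        kind, t = c
        if t in (None, "0"):
            sev = "high" if kind == "login credential" else "medium"
            findings.append((sev, n, f"plain-text {kind}"))
        elif t == "7":
            if kind == "login credential":
                findings.append(("medium", n, "type 7 login credential is reversible; use 'secret' (type 5) instead"))
            else:
                findings.append(("info", n, "type 7 protocol key: reversible by design, restrict config access instead"))
        # type 5 and newer one-way types produce no finding
    return findings


if __name__ == "__main__":
    for severity, line_no, message in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{severity:6s}] line {line_no:2d}: {message}")
```

Run it over `show running-config` output saved to a file. The `info` findings are the ones the diary says are not worth much effort: the protocol needs the clear text, so the useful control is keeping the config itself away from anyone who should not read it, while the `high` findings are cheap to fix with `enable secret` and `username ... secret`.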


SquirrelMail package compromise

Published: 2007-12-14
Last Updated: 2007-12-14 11:28:49 UTC
by Maarten Van Horenbeeck (Version: 1)
0 comment(s)

The SquirrelMail project has posted a notice on their website stating they have found an unofficial modification in the packages for version 1.4.12. They believe this change to have been made through a release maintainer's compromised account.

They are still investigating the changes, which appear to result in an error and do not seem to lead to system compromise. However, they have restored the original, verified packages to SourceForge. Users who installed version 1.4.12 of SquirrelMail after December 8th are strongly advised to re-download and reinstall the package.

Thanks to Peter for bringing this to our attention.
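Both SquirrelMail entries on this page come down to the same check: does the package you downloaded match what the project actually published? The following is an added example written for this edit, not SquirrelMail's release tooling, showing that check for a coreutils-style checksum file. The tarball bytes, the tampered copy and the checksum file are all constructed stand-ins; the checksum file is generated inside the block from the known-good bytes purely so the example runs offline.

```python
import hashlib
import hmac
import re
from typing import Dict, Tuple

# Constructed stand-ins for a release tarball and a tampered copy of it.
GOOD_TARBALL = b"squirrelmail-1.4.13.tar.gz: constructed release bytes, verified build\n" * 50
TAMPERED_TARBALL = GOOD_TARBALL.replace(b"verified build", b"modified build", 1)

# Constructed stand-in for the project's published checksum file. A real
# MD5SUMS/SHA256SUMS file has the same "<hex digest>  <filename>" layout.
PUBLISHED_SUMS = (
    "# constructed checksum file\n"
    f"{hashlib.md5(GOOD_TARBALL).hexdigest()}  squirrelmail-1.4.13.tar.gz\n"
    f"{hashlib.md5(b'other constructed file').hexdigest()} *squirrelmail-1.4.13.tar.bz2\n"
)

# One sums line: hex digest, whitespace, optional '*' binary marker, filename.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{32,128})\s+\*?(.+?)\s*$")


def parse_sums(text: str) -> Dict[str, str]:
    """Parse a coreutils-style sums file into {filename: lowercase hex digest}.
    Comment and blank lines are skipped."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        m = _SUM_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_download(data: bytes, name: str, sums: Dict[str, str]) -> Tuple[bool, str]:
    """Hash the downloaded bytes and compare against the published digest for name.
    The algorithm is inferred from digest length (32 hex = MD5, 64 = SHA-256, ...)."""
    expected = sums.get(name)
    if expected is None:
        return False, f"{name}: no published checksum, refuse to trust"
    algo = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}.get(len(expected))
    if algo is None:
        return False, f"{name}: unrecognised digest length {len(expected)}"
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison; irrelevant for a local file check but a good habit.
    if hmac.compare_digest(actual, expected):
        return True, f"{name}: {algo} matches published checksum"
    return False, f"{name}: {algo} MISMATCH, got {actual} expected {expected}"


if __name__ == "__main__":
    sums = parse_sums(PUBLISHED_SUMS)
    for label, blob in (("good copy", GOOD_TARBALL), ("tampered copy", TAMPERED_TARBALL)):
        ok, msg = verify_download(blob, "squirrelmail-1.4.13.tar.gz", sums)
        print(f"{label}: {'PASS' if ok else 'FAIL'} - {msg}")
```

The checksum catches a package that differs from the one the sums file describes, which is what the second entry above asks users to confirm. It does not help when whoever replaced the package also replaced the sums file on the same mirror, which is plausible when a release maintainer's account is compromised; that is why the first entry also asks for the PGP signature, checked against a project key obtained somewhere other than the download site.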
