SANS ISC InfoSec Handlers Diary Blog



Microsoft Security Advisory 975191 Revised

Published: 2009-09-08
Last Updated: 2011-02-08 23:52:14 UTC
by Adrien de Beaupre (Version: 1)
1 comment(s)

We wrote about the new IIS FTP service vulnerabilities when the exploit code became public in diary 7039, and again when Microsoft published their advisory some time afterwards in diary 7063. Not surprisingly, Microsoft have now revised the advisory to note that they have received reports of incidents in which this exploit was used to compromise systems. This might seem counter-intuitive, since the exploit code was public before the advisory came out; more likely there were simply few reports while the exploit was nonetheless in active use. There are not all that many IIS servers running FTP on the Internet; in fact there are fewer public FTP servers than in the past. Where this exploit may well have been used is against internal FTP servers.

Microsoft have also reminded admins that version 7.5 of their FTP service is available for download (although only for Windows Server 2008), and is not vulnerable to these attacks. Hopefully a patch will be out shortly.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

 


Microsoft September 2009 Black Tuesday Overview

Published: 2009-09-08
Last Updated: 2009-09-09 16:04:53 UTC
by Guy Bruneau (Version: 1)
3 comment(s)

Overview of the September 2009 Microsoft patches and their status.

Columns for each bulletin: affected component, description, contra indications, known exploits, Microsoft rating with exploitability index, and the ISC rating(*) for clients and servers.

MS09-045 - JScript Scripting Engine
  Description: Request handling vulnerability leads to remote code execution. Replaces MS06-023 for MS Windows 2000 SP4.
  CVE: CVE-2009-1920
  KB: 971961
  Contra indications: none listed
  Known exploits: No known exploits
  Microsoft rating: Critical (Exploitability: 1)
  ISC rating: clients Critical, servers Critical

MS09-046 - DHTML Editing Component
  Description: A vulnerability exists in the DHTML Editing Component ActiveX Control.
  CVE: CVE-2009-2519
  KB: 956844
  Contra indications: none listed
  Known exploits: No known exploits
  Microsoft rating: Critical (Exploitability: 2)
  ISC rating: clients Critical, servers Important

MS09-047 - Windows Media Format
  Description: Remote code execution if a user opens a specially crafted media file. Replaces MS08-076 for MS Windows Media Services 2008.
  CVE: CVE-2009-2498, CVE-2009-2499
  KB: 973812
  Contra indications: none listed
  Known exploits: No known exploits
  Microsoft rating: Critical (Exploitability: 1, 1)
  ISC rating: clients Critical, servers Critical

MS09-048 - Windows TCP/IP
  Description: Vulnerabilities exist in Transmission Control Protocol/Internet Protocol (TCP/IP) processing.
  CVE: CVE-2008-4609, CVE-2009-1925, CVE-2009-1926
  KB: 967723
  Contra indications: none listed
  Known exploits: No known exploits
  Microsoft rating: Critical (Exploitability: 3, 2, 3)
  ISC rating: clients Critical, servers Critical

MS09-049 - Wireless LAN AutoConfig Service
  Description: A vulnerability in the Wireless LAN AutoConfig Service.
  CVE: CVE-2009-1132
  KB: 970710
  Contra indications: none listed
  Known exploits: No known exploits
  Microsoft rating: Important (Exploitability: 2)
  ISC rating: clients Critical, servers Critical
We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not address some form of risk.

(**): If installed.

(***): Critical for ISA servers

Update 1: All KB and CVE links have been updated.

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org


Vista/2008/Windows 7 SMB2 BSOD 0Day

Published: 2009-09-08
Last Updated: 2009-09-09 11:54:16 UTC
by Guy Bruneau (Version: 3)
5 comment(s)

We have received a report from Tyler that Microsoft's SMB2 implementation can be remotely crashed: proof-of-concept code was published yesterday and a Metasploit module is out.

We have confirmed that it affects Windows 7, Vista and Server 2008. The exploit needs no authentication, only file sharing enabled, and a single packet is enough to cause a BSOD. We recommend filtering access to TCP port 445 with a firewall.

Windows 2000/XP are NOT affected by this exploit.

We will update this diary with more information as we get it.

Update 1: Theodore, an ISC contributor, has sent us a couple of links on how to disable SMB version 2.0 on Vista or Server 2008. The first post is by Hameed on AskPerf here and the second post is by Daniel Petri here.

Update 2: Microsoft released a new advisory here showing that only the following OS versions are affected:

  • Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
  • Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Keywords: Windows SMB2

Cisco Security Advisory TCP DoS

Published: 2009-09-08
Last Updated: 2009-09-09 11:10:09 UTC
by Guy Bruneau (Version: 1)
1 comment(s)

ISC reader Kurt reported that Cisco has released an advisory on TCP state manipulation vulnerabilities that can cause a denial of service on multiple Cisco products. An attacker who can force TCP connections into a long-lived or indefinite state can exhaust the resources used to track connections, so that new TCP connections are no longer accepted; the resulting DoS can persist indefinitely. This is the same multi-vendor TCP state-table exhaustion issue (CVE-2008-4609) that Microsoft addressed in MS09-048 in today's patches.

Additional information on the Cisco advisory is available here.

The following products are affected:

  • Cisco IOS-XE Software
  • Cisco ASA and Cisco PIX security appliances running versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected if they are configured with specific features
  • The version of Cisco NX-OS Software that is running on Cisco Nexus 5000 and 7000 series devices
  • Scientific Atlanta customers are instructed to contact Scientific Atlanta's Technical Support for questions regarding the impact, mitigation and remediation of the vulnerabilities
  • Customers with Linksys products should contact Linksys security for questions regarding the impact, mitigation and remediation of the vulnerabilities

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

UPDATE

In addition to the Cisco advisory, there is further information on the issue, including responses from other vendors, here ==> https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html  - M

Keywords: Cisco DoS

Bug Fixes in Sun SDK 5 and Java SE 6

Published: 2009-09-08
Last Updated: 2009-09-08 22:08:37 UTC
by Guy Bruneau (Version: 1)
1 comment(s)

Sun released JDK 5 Update 21 with 17 bug fixes. No new security vulnerability fixes are part of this update. Support has also been added for Windows Vista SP2 and Windows Server 2008 SP2. The bulletin is available here.

Sun released Java SE 6 Update 16 as a bug-fix release. No new security vulnerability fixes are part of this update: users who have Java SE 6 Update 15 already have the latest security fixes and do not need to upgrade to this release to be current on security fixes. The bulletin is available here.
 

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Keywords: Sun SDK Java SE

Anybody recognize these packets?

Published: 2009-09-08
Last Updated: 2009-09-08 15:49:40 UTC
by Rick Wanner (Version: 1)
3 comment(s)

I have been looking at a packet trace sent in by a reader, and have reached a dead end. He has been receiving the packets on his network for better than a month. The volume is not high enough to be a DoS. The sources are all over the world, although mostly high-speed customers. I was hoping one of you may have seen these packets before...

The packets are all UDP. The source ports vary, but the destination port in this case is always 49261. The data portion of the packets is either 35 or 31 bytes. Although the data changes from source address to source address, for any given source the source port and the data are always the same.

There does not appear to be any return traffic.

The data portion of a typical 35 byte packet will look similar to the following (colon delimited):

 8d:da:d1:17:5d:5c:68:96:cb:45:e7:a7:03:dc:9b:00:00:01:00:0c:00:00:00:c3:02:49:50:40:83:53:43:50:41:02:00

The final portion 49:50:40:83:53:43:50:41:02:00 is identical for every 35 byte data packet.

The data portion of a typical 31 byte packet will look similar to the following:

70:d4:30:05:70:5b:42:43:3a:7b:07:51:ce:f7:49:00:00:01:00:08:00:00:00:c3:83:53:43:50:41:02:00

The final portion 43:50:41:02:00 is identical for every 31 byte data packet.

Anybody seen these before?  Can anybody shed light on what they might be?

 

UPDATE: 

I have had a couple of universities contact me indicating that this is related to LimeWire. One sent me packets that were very similar to the ones I received originally.

There also appears to be an Emerging Threats signature to detect this traffic.

Thanks for the help!

-- Rick Wanner - rwanner at isc dot sans dot org
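As an added example (the editor's code, not part of Rick's diary and not anything from LimeWire), the following Python decodes the two quoted payloads on the assumption that they are Gnutella messages, which the update identifying the traffic as LimeWire, a Gnutella client, makes plausible. The header layout (16-byte GUID, message type, TTL, hops, 4-byte little-endian payload length) and the GGEP extension block format (0xC3 magic) are the public Gnutella protocol definitions; the sample bytes are the ones quoted above, and the interpretation is an inference from them rather than something the diary states.

```python
"""Decode the two UDP payloads quoted above as Gnutella messages.

Editor's example, not code from the diary or from LimeWire. Assumes the
public Gnutella message header (16-byte GUID, message type, TTL, hops,
4-byte little-endian payload length) and GGEP block format (0xC3 magic);
reading the packets this way is an inference from the update that tied
the traffic to LimeWire, a Gnutella client.
"""
import struct

# The two sample payloads quoted in the diary (colon-delimited hex).
SAMPLE_35 = ("8d:da:d1:17:5d:5c:68:96:cb:45:e7:a7:03:dc:9b:00:00:01:00:0c:00:00:00:"
             "c3:02:49:50:40:83:53:43:50:41:02:00")
SAMPLE_31 = ("70:d4:30:05:70:5b:42:43:3a:7b:07:51:ce:f7:49:00:00:01:00:08:00:00:00:"
             "c3:83:53:43:50:41:02:00")

HEADER_LEN = 23          # GUID(16) + type(1) + TTL(1) + hops(1) + length(4)
GGEP_MAGIC = 0xC3
MESSAGE_TYPES = {0x00: "ping", 0x01: "pong", 0x40: "push",
                 0x80: "query", 0x81: "query-hit"}


def hex_to_bytes(colon_hex):
    """'aa:bb:cc' -> b'\\xaa\\xbb\\xcc'."""
    return bytes(int(h, 16) for h in colon_hex.split(":"))


def parse_gnutella(data):
    """Parse a Gnutella message header; return a dict, or None if it does not fit.

    For a bare UDP payload the one structural check available is that the
    advertised payload length equals the bytes present after the header,
    so that decides whether the datagram is accepted.
    """
    if len(data) < HEADER_LEN:
        return None
    (payload_len,) = struct.unpack_from("<I", data, 19)
    payload = data[HEADER_LEN:]
    if payload_len != len(payload):
        return None
    return {
        "guid": data[:16].hex(),
        "type": MESSAGE_TYPES.get(data[16], "unknown-0x%02x" % data[16]),
        "ttl": data[17],
        "hops": data[18],
        "payload_len": payload_len,
        "payload": payload,
        "ggep": bool(payload) and payload[0] == GGEP_MAGIC,
    }


def ggep_extensions(payload):
    """Walk a GGEP block: returns ([(ext_id, raw_data), ...], trailing_bytes).

    Per extension: a flag byte (bit 7 = last extension, bit 6 = COBS
    encoded, bit 5 = deflated, bits 0-3 = ID length), the ASCII ID, a
    1-3 byte data length (bit 7 = more length bytes follow, bit 6 = last
    length byte, low 6 bits carry the value), then the data. Encoded or
    deflated data is returned raw; the diary's samples use neither.
    """
    if not payload or payload[0] != GGEP_MAGIC:
        raise ValueError("not a GGEP block")
    exts, pos = [], 1
    while pos < len(payload):
        flags = payload[pos]
        pos += 1
        id_len = flags & 0x0F
        ext_id = payload[pos:pos + id_len].decode("ascii", "replace")
        pos += id_len
        length, nbytes = 0, 0
        while True:
            if pos >= len(payload):
                raise ValueError("truncated GGEP length field")
            b = payload[pos]
            pos += 1
            nbytes += 1
            length = (length << 6) | (b & 0x3F)
            if b & 0x40 or nbytes == 3:    # last length byte
                break
        exts.append((ext_id, payload[pos:pos + length]))
        pos += length
        if flags & 0x80:                   # last extension in the block
            break
    return exts, payload[pos:]


def classify(colon_hex):
    """Label one captured payload, or return None if it is not a Gnutella message."""
    msg = parse_gnutella(hex_to_bytes(colon_hex))
    if msg is None:
        return None
    label = "gnutella %s ttl=%d hops=%d" % (msg["type"], msg["ttl"], msg["hops"])
    if msg["ggep"]:
        try:
            ids = [ext_id for ext_id, _ in ggep_extensions(msg["payload"])[0]]
            label += " ggep=" + ",".join(ids)
        except ValueError:
            label += " ggep=malformed"
    return label


if __name__ == "__main__":
    for sample in (SAMPLE_35, SAMPLE_31):
        print(classify(sample))
```

Read this way, the bytes the post found constant across sources are the message type (ping), TTL 1, hops 0, the payload length (0x0c or 0x08) and the GGEP extensions "IP" and "SCP", while the 16 bytes that differ per source are the message GUID; a client re-sending the same ping would also account for the data never changing for a given source. The length-field comparison in parse_gnutella is the cheap check worth putting in a detection rule: a datagram whose advertised length does not match what follows the header is not a well-formed Gnutella message, whatever else it is.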
