
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-01-21 InfoSec Handlers Diary Blog



Flash 0-Day Exploit Used by Angler Exploit Kit

Published: 2015-01-21
Last Updated: 2015-01-21 18:07:57 UTC
by Johannes Ullrich (Version: 1)
9 comment(s)

The "Angler" exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly.

However, the blog post below shows how this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Windows 8 + IE 10) appear to be vulnerable. Windows 8.1 and Google Chrome do not appear to be vulnerable.

This is still a developing story, but typically we see these exploits more in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly. Please refer to the original blog for details.

[1] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Oracle Critical Patch Update for Q1 2015 (Includes Java Updates)

Published: 2015-01-21
Last Updated: 2015-01-21 17:51:43 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

Oracle released its critical patch update. This quarter's CPU fixes a total of 169 vulnerabilities across the entire Oracle product portfolio.

For end users, Java is probably the most important part of this update. This time around, 13 of the patched Java vulnerabilities allow remote code execution.

None of the vulnerabilities in Oracle Database, the flagship database product, are remotely exploitable without authentication. But one bug in particular got some press, as it exposes a rather simple configuration issue in Oracle's database that allows privilege escalation within the database.

Yesterday, we talked about privilege escalation in Linux. But similar problems exist in databases. Your end-user application (often a web application) should only connect back to the database using a user with carefully tailored permissions. However, all users need to have limited access to some system tables, for example to be able to find tables they have access to.

In this case, the table in question is called "DUAL". This table has only one column and one value: "X". Its main function is to allow for syntactically correct SQL statements when the values being selected do not come from a particular table. For example, to retrieve the current date you may write: SELECT sysdate FROM DUAL; "sysdate" isn't an actual column, but by selecting it from the DUAL table the statement looks like a normal SQL query.

Given this, the "DUAL" table doesn't really need any indexes, in particular since it only contains one value. Nevertheless, Oracle allows all users to create indexes on this table. For the non-Oracle DBA, this may not sound that bad. But Oracle has a neat feature that lets user-defined functions be used to build indexes (function-based indexes). This can lead to more efficient indexes if specific functions are used to query the table.

An attacker can now define a function that grants the attacker "DBA" privileges, and then ask the database to create an index using this function. When the index is built, the function that grants DBA privileges is executed.
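For a DBA who wants to check their own database for this exposure, the following audit queries are an added example (not part of the diary or Oracle's advisory). They assume a session that can read the DBA_* data dictionary views and only read from the dictionary; they do not change anything.

```sql
-- Added audit queries (not from the diary). Assumes a DBA-level session that
-- can read the DBA_* data dictionary views; nothing here modifies the database.

-- 1. Who holds the INDEX object privilege on SYS.DUAL? Any grantee other than
--    the owner is worth questioning; a grant to PUBLIC means every account
--    in the database can create indexes on the table.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'DUAL'
AND    privilege = 'INDEX';

-- 2. Do any indexes exist on SYS.DUAL at all? As the diary notes, the table
--    has no legitimate need for one, so every hit deserves a closer look.
--    FUNCIDX_STATUS is populated only for function-based indexes.
SELECT owner, index_name, index_type, funcidx_status
FROM   dba_indexes
WHERE  table_owner = 'SYS'
AND    table_name = 'DUAL';

-- 3. For function-based indexes, show the expression evaluated at index build
--    time; this reveals which user-defined function the index calls.
SELECT i.owner, i.index_name, e.column_expression
FROM   dba_indexes i
JOIN   dba_ind_expressions e
       ON  e.index_owner = i.owner
       AND e.index_name  = i.index_name
WHERE  i.table_owner = 'SYS'
AND    i.table_name  = 'DUAL';
```

An empty result for all three queries is the expected state on a healthy database; a non-SYS index owner in query 2 or a call to a non-SYS function in query 3 is the pattern the diary describes.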

[1] http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn
