Vulnerability in tcpdump, Increase in UDP/1027 activity, Save Your Ship article

Published: 2004-03-30
Last Updated: 2004-03-30 22:24:42 UTC
by Joshua Wright (Version: 1)
Vulnerability in TCPDUMP versions 3.8.1 and earlier

---------------------------------------------------

An advisory issued on the BUGTRAQ mailing list describes a buffer overflow in the popular tcpdump sniffer. When processing malformed ISAKMP traffic in verbose display mode, tcpdump is vulnerable to a denial of service attack; at this time the impact is believed to be limited to denial of service. The two vulnerabilities associated with this flaw have been assigned CVE numbers CAN-2004-0183 and CAN-2004-0184. Users are advised to upgrade to tcpdump 3.8.3, which resolves the flaw.


http://www.rapid7.com/advisories/R7-0017.html



Increase in UDP/1027 activity

-----------------------------

UDP/1027 is commonly associated with the Windows Messenger service, which is often abused to send "Windows Popup" spam messages to unsuspecting victims. We have seen a recent increase in traffic sent to this port, with content ranging from adult website advertisements and prescription medication sales to deceptive marketing campaigns. Some popup messages even claim to come from Microsoft and offer links to web pages that mimic a legitimate Microsoft website.


Note that the source addresses of this traffic are always suspect: the messages are delivered over UDP and do not require any response to be effective, so an attacker can spoof any source address they like and send the traffic to a wide range of targets.


Organizations with stateful firewalls should consider dropping inbound UDP traffic with a destination port of 1026 or 1027 to curtail this activity. If you are seeing this type of popup message on your own computer, consider investing in a personal firewall product.
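As an added illustration (not part of the original diary), the following script summarizes Messenger popup traffic from Netfilter-style firewall LOG lines: it keys on the destination port (1026/1027 over UDP), which is the reliable indicator, and reports the claimed source addresses only as untrusted context, since they can be spoofed. The log lines are constructed samples, and the SRC/DST/PROTO/DPT field names follow the standard iptables LOG format.

```python
"""Summarize Windows Messenger popup spam (UDP/1026, UDP/1027) from firewall LOG lines."""
import re
from collections import defaultdict

MESSENGER_PORTS = {1026, 1027}

# Constructed sample lines in the iptables -j LOG format; not real traffic.
SAMPLE_LOG = """\
Mar 30 21:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=1234 DPT=1027 LEN=620
Mar 30 21:01:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=1234 DPT=1027 LEN=620
Mar 30 21:01:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.12 PROTO=UDP SPT=4321 DPT=1026 LEN=615
Mar 30 21:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.42 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=1027 LEN=620
Mar 30 21:01:06 fw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=44444 DPT=80 LEN=60
Mar 30 21:01:07 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=1234 DPT=53 LEN=80
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return the SRC/DST/PROTO/SPT/DPT fields of one LOG line, or None if it is not a LOG line."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    return fields


def messenger_hits(log_text):
    """Group UDP datagrams to 1026/1027 by destination host.

    Returns {dst: {"count": n, "ports": set(), "sources": set()}}. The 'sources'
    set is the claimed (spoofable) origin; it is context, not an allow/deny key.
    """
    hits = defaultdict(lambda: {"count": 0, "ports": set(), "sources": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["PROTO"] != "UDP" or int(f["DPT"]) not in MESSENGER_PORTS:
            continue  # only UDP to the Messenger ports is of interest here
        entry = hits[f["DST"]]
        entry["count"] += 1
        entry["ports"].add(int(f["DPT"]))
        entry["sources"].add(f["SRC"])
    return dict(hits)


if __name__ == "__main__":
    for dst, e in sorted(messenger_hits(SAMPLE_LOG).items()):
        print(f"{dst}: {e['count']} popup datagram(s) on {sorted(e['ports'])}; "
              f"claimed sources (untrusted): {sorted(e['sources'])}")
```

Hosts that appear here are candidates for the port-based drop rule described above; the per-source counts only show how widely the sender is spraying, not who is actually sending.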




Save Your Ship Article

----------------------

Network Magazine has published an article written by the Storm Center Incident Handler Greg Shipley on the process and policy end of patching. The article includes a timeline correlating exploit announcements to worm activity for various Windows, Solaris and Linux worms over the years. The article is informative, insightful and available at:


http://i.cmpnet.com/nc/1506/graphics/1506f1_file.pdf



The illustration for the vulnerability/worm timeline is also available at:
http://i.cmpnet.com/nc/1506/graphics/1506f1a.gif




--Joshua Wright/Handler on Duty