
SANS ISC InfoSec Handlers Diary Blog



Veritas Backup Exec 0-day; POC code available for multiple updated MS vulns; P2P on the Vista

Published: 2005-08-11
Last Updated: 2005-08-12 18:58:13 UTC
by George Bakos (Version: 1)


ISCAlert has been activated (that blinking globe thing) to warn people about
MS05-039 related activity that may go critical over the weekend. Three
separate exploits for the UPnP issue have been released over the last 24 hours.
Please patch your systems if you haven't already. Thank you.




FrSIRT has released an advisory containing what they call "Veritas Backup Exec Windows Agent Remote File Access Exploit (0day)"




The ISC has already seen an increase in scans for port 10000, and advises that any users of Backup Exec deny access to that port from all untrusted networks. Frank Knobbe has made available a rough draft signature that may help identify attempts against B.E.:


alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"BLEEDING-EDGE Veritas \
Backup Exec Windows Agent Remote File Access Exploit"; \
flow:to_server,established; \
content:"|b4 b8 0f 26 20 5c 42 34 03 fc ae ee 8f 91 3d 6f|"; \
reference:url,www.frsirt.com/english/advisories/2005/1387; \
reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; \
classtype:string-detect; sid:2002176; rev:1;)


Thanks, Frank!

POC code available for multiple updated MS vulns


The vulnerabilities addressed in MS05-038, MS05-039, MS05-040 and MS05-043, all covered in this month's Fat Tuesday festivities, AKA , have fallen victim already to publicly released exploits. Both bugtraq and Daily Dave have postings today announcing the availability of said code. Now, I haven't built or tested any of it, so I can't personally vouch for the effectiveness of any of it, but if it isn't working as intended you can bet it will be shortly. Patch up, folks.

P2P on the Vista


We received some packets today from someone who was chomping at the bit to get his Windows Vista up and on the wire, and was in for an interesting surprise. After a short while, he was being barraged with a good number of UDP port 53186 packets from around the globe. A bit of digging gave me an education in Teredo - Microsoft's IPv6 over IPv4 encapsulation, discussed in: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/teredo.mspx and RFC3904. Teredo's strength is its ability to traverse NAT firewalls while maintaining the protections offered by IPv6, and it has been used to build tunnels for plenty of OSes and applications, including Windows P2P and especially the Peer Name Resolution Protocol, PNRP.
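When this kind of traffic shows up, the first thing a defender wants from a Teredo address is the public IPv4 address and NAT-mapped UDP port it encodes, since that is where the encapsulated packets are really going. The example below is added here (not from the diary or from Microsoft) and decodes and re-encodes the address layout later standardized in RFC 4380: 32-bit prefix 2001:0000::/32, the Teredo server's IPv4, 16 flag bits, then the client's mapped port and IPv4, both XOR-obfuscated with all-ones so NATs don't rewrite them. The sample address is the one used in that specification.

```python
import ipaddress

# Prefix assigned to Teredo; anything outside it is not a Teredo address.
TEREDO_PREFIX = ipaddress.IPv6Network("2001:0000::/32")
CONE_FLAG = 0x8000  # high flag bit: client sits behind a cone NAT


def decode_teredo(addr):
    """Decode a Teredo IPv6 address into its embedded IPv4/UDP endpoints.

    Layout (RFC 4380 section 4):
      bytes 0-3   Teredo prefix 2001:0000
      bytes 4-7   server IPv4
      bytes 8-9   flags
      bytes 10-11 client mapped UDP port XOR 0xffff
      bytes 12-15 client mapped IPv4 XOR 0xffffffff
    Returns None when the address is not in the Teredo prefix.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    server = ipaddress.IPv4Address(raw[4:8])
    flags = int.from_bytes(raw[8:10], "big")
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
    return {
        "server": str(server),
        "cone_nat": bool(flags & CONE_FLAG),
        "mapped_port": port,
        "client": str(client),
    }


def encode_teredo(server, client, mapped_port, cone_nat=True):
    """Inverse of decode_teredo: build the Teredo address for these endpoints."""
    flags = CONE_FLAG if cone_nat else 0
    raw = (
        TEREDO_PREFIX.network_address.packed[:4]
        + ipaddress.IPv4Address(server).packed
        + flags.to_bytes(2, "big")
        + (mapped_port ^ 0xFFFF).to_bytes(2, "big")
        + (int(ipaddress.IPv4Address(client)) ^ 0xFFFFFFFF).to_bytes(4, "big")
    )
    return str(ipaddress.IPv6Address(raw))


if __name__ == "__main__":
    # Worked example from the Teredo specification, not an observed address.
    print(decode_teredo("2001:0000:4136:e378:8000:63bf:3fff:fdd2"))
    print(encode_teredo("65.54.227.120", "192.0.2.45", 40000))
```

The outer UDP port you see on the wire is the NAT-mapped port recovered here, which is why Teredo traffic does not arrive on one fixed port number and why a port-based firewall rule alone is a poor way to notice it.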



Gee, George, why do I care? Well, Tommy, there are wonderful things waiting just around the corner...let me show you.



From "Introduction to Windows Peer-to-Peer Networking":


"P2P PNRP uses multiple clouds, in which a cloud is a grouping of computers that use addresses of a specific scope. A scope is an area of the network over which the address is unique. PNRP clouds are based on the address scopes for IPv6 addresses."



Now, to test the scalability of some new PNRP features, Microsoft has decided to turn on pnrpauto, or PNRP Auto Registration, by default in Vista beta. Boot up your shiny new Vista and a PNRP name gets generated & out goes the registration. Now come the name resolvers a-knockin'. Bingo! Instant anomaly IDS test!

If you aren't all too happy with this arrangement, feel free to kill it off using the Task Manager or "net stop pnrpauto". My advice is to do this before ever putting the box on the wire. Otherwise, it may take some time for the cloud to realize that you aren't playing anymore and the traffic will continue.



Many thanks to Noah Horton for helping the ISC get a handle on what was going on. He also made a blog entry discussing this a bit further at: http://blogs.msdn.com/noahh/

Cheers!

g
