Diaries

Published: 2013-04-30

Apache binary backdoor adds malicious redirect to Blackhole

On 26 APR, Sucuri's Daniel Cid posted Apache Binary Backdoors on Cpanel-based servers. This coincided closely with a technical study of the Linux/Cdorked.A malware provided by ESET.

Sucuri stated that "on cPanel-based servers, instead of adding modules or modifying the Apache configuration, the attackers started to replace the Apache binary (httpd) with a malicious one."

ESET's analysis of this malware revealed that it is a "sophisticated and stealthy backdoor meant to drive traffic to malicious websites."

Speculation regarding how the initial entry occurred to allow the injection in the first place varies, but SSH brute force is on the list.

See ESET's guidance regarding shared memory, and as always, validate the integrity of httpd packages.

Review both articles, and if you're utilizing a shared webserver provided by a colo/ISP, be sure your confidence in their ability to manage and administer that server on your behalf is high.

Russ McRee | @holisticinfosec


Published: 2013-04-29

Report Fake Tech Support Calls submission form reminder

Previously we detailed this project in Feature of the Week: Report Fake Tech Support Calls and some initial statistic reports at Feature of the Week: Report Fake Tech Support Call Statistics.

We have steadily been receiving first and second hand information emails about fake tech support calls and sms spam. I wanted to highlight our data collection project again at https://isc.sans.edu/reportfakecall.html where you, or anyone that reports these to you, can submit as much information as you are comfortable sending us to help better understand how common "Fake Tech Support" calls are, and what they are trying to achieve.

The emphasis today is on SMS (texting) type messages! The first question on the form "Was the call automated or did a person call you?" has choices for automated, personal or SMS. Follow on questions for SMS can include message language, URL if any and the phone number. Fill in any or all of the information, nothing is required but anything is helpful.

I can't wait to get my first call and go round and round trying to find the Start button on my Linux system :D, but I have received numerous SMS spam messages and submitted them to the form.

 

Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form
--
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu


Published: 2013-04-28

SANS's Alan Paller discusses the threat of cyberterrorism on CNN

On the heels of the fake Tweet this past week regarding injury to President Obama, and the subsequent stock market decline estimated to have wiped out $130 billion in stock value, SANS's Alan Paller spoke with CNN's Christine Romans during a Your Money segment on Friday 26 APR. Watch this succinct and impactful interview as they discuss the danger hackers pose to our banks and our economy.

Alan Paller discusses threat of cyberterrorism on CNN's Your Money

Russ McRee | @holisticinfosec

 


Published: 2013-04-26

What is "up to date anti-virus software"?

On the heels of my post on Microsoft's SIRv4 earlier this week, reader Ray posed a great question that elicited some nuanced responses from fellow handlers Mark H and Swa F. All parties have agreed to allow me to share the conversation with the ISC readership.

From Ray:

What is, "up to date anti-virus software"?  Is there a de facto standard of how often or what defines when a system is up to date or not up to date?  My goal isn't to split hairs.  There are a lot of moving pieces (in the background) to this question & where I work.  I would like to know what other organizations use; besides sooner is better. 

Mark H's response:

To me the definition of up to date is the latest pattern file for that particular application.  So I tend to configure AV products to check at least hourly for updates and apply them.  Some products, interestingly, however still consider daily or weekly to be ok.  Putting on my QSA hat, usually I accept daily updates as being ok (assuming that the AV product is therefore at the latest pattern update); go beyond that and you'd best have a very good reason for lagging.

Ray's reply:

While wearing the AV hat at my last company I expected a drop in infections when I stabilized our (pattern file) distributions, but didn't expect such a dramatic drop in the rate.  With three updates a day, fewer than .5% of systems were more than one day out of date.  Since moving to a different company with different responsibilities, I see one update a day and a 5 day window for updates with a target of only 90% of systems updated. I see...room for improvement but face a mind set challenge.  I was curious what other "standards" were.

Swa's feedback:

Agreement with Mark: hourly is THE way to go. 

Add internal servers to help distribute it and allow in the field updates for machines at home or while roaming out there.
Make it so that the machine gets isolated in quarantine on your internal network if it's more than a long weekend out of date on updates. 
I'd suggest a trade off between this aggressive updating - transparent to the user as long as they do not sabotage it - vs a daily scan of the entire drive - which is far from transparent. 
Also focus on those not getting updated on time: figure out why and how to fix it. 
There's no point in paying for AV updates if you do not use them. Any self-respecting attacker checks their handiwork against something like VirusTotal, so being behind even a little bit makes the AV useless. 
Sure you might someday trip over a bad AV update. So what? It's easy to know what it did wrong and recover from it? Easy to know what it did is absolutely untrue for any modern malware. Those that still think that need a reality check. The only recovery of malware that works is "nuke from high orbit" all the rest does not yield reliable machines. 
 
Russ' 2 cents:
 
I'll follow up on Swa's point. There is no "recovery" from malware in my world. There is no running a tool to "clean up" after an infection. Nuke from space is the only solution, or the machine(s) remain entirely suspect.
So have a plan for reimaging systems conveniently and efficiently, store data on separate drives or partitions, and practice safe backup. Because when you pop a valid AV alert in my shop? BOOM...
 

Photo courtesy of nukeitfromorbit.com 

Great discussion, Ray and handlers. Thanks for letting us share.

Russ McRee | @holisticinfosec


Published: 2013-04-25

Guest Diary: Dylan Johnson - A week in the life of some Perimeter Firewalls

Guest Diary: Dylan Johnson, BSc, CISSP - A week in the life of some Perimeter Firewalls

I hope the title of this blog doesn't make it appear a dry and dull topic, because a week in the life of an Internet-facing firewall is anything but dull.

This is just a short blog detailing an interesting piece of research aimed at promoting situational awareness in relation to the threat from the internet.

Perimeter firewalls are the main barriers protecting you from the Internet; should these be misconfigured, either maliciously or accidentally, what would you be exposed to?

Graph 1 below shows the amount of dropped traffic (Y axis) against time (X axis). You can see that at peak periods the number of dropped connections reaches 3.6k over a 30 minute period.

Graph 1

The summary graphs below drill into more of the detail present in the audit data from the firewalls and present it in the same format as graph 1; however, the different colors highlight the traffic's country of origin.

If you look at the bottom right graph you can see traffic from China with a peak drop rate of 1250 connections every 30 minutes. Also notice the erratic trends within that graph.

Graph 2

So as you can see, firewalls are constantly busy fighting off a steady slew of malicious traffic. Much of the traffic dropped may be reconnaissance or, to make an analogy, someone checking the quality of your locks, windows and doors; however, they can still post via the letter box!

To explain the firewall letter box analogy: firewalls wouldn't be much use if they blocked absolutely everything; if that were the case, why would we even need a network connection to the Internet at all? Perimeter firewalls need to pass certain types of traffic to applications, and it's then up to the applications to deal with the traffic profile we saw previously in graph 2, i.e. all that traffic from China and the other countries.

Graph 3 below shows actions taken by an application firewall. As you can see, there is a constant slew of SQLi (SQL Injection) and XSS (Cross Site Scripting) attacks. These attacks reach the webserver perhaps because there is no security control upstream capable of understanding and dealing with Layer 7 (Application Layer) traffic. A traditional firewall operates at Layer 3 (Network Layer) and Layer 4 (Transport Layer); it is often oblivious to what is happening at Layer 7 and only cares about getting the traffic to its intended destination.

Graph 3

So as you can see you are indeed connected to the global internet and are being probed by traffic from the four corners of the known world, from Amsterdam to Zimbabwe.

The purpose of this blog was to demonstrate that you may be in a quiet and relatively tranquil part of the world, but you are connected to a network that remains mainly un-policed and carries a very real and persistent threat, as I hope you can see from the data and explanation presented here. Make sure you understand the threat, monitor it and ensure you have controls in place to keep it out.
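To show how the per-window, per-country counts behind graphs 1 and 2 can be produced from raw firewall audit data, here is an added Python example; it is not the guest author's tooling or data. It assumes a hypothetical key=value drop-log format, a constructed GeoIP stand-in that maps documentation prefixes to country labels, and 30 minute buckets like those in the graphs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: syslog-style firewall records (hypothetical format) with a
# timestamp, the action taken and the source address.
SAMPLE_LOG = """\
2013-04-20T10:02:11 action=drop src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=22
2013-04-20T10:05:40 action=drop src=203.0.113.9 dst=198.51.100.10 proto=tcp dport=3389
2013-04-20T10:17:03 action=accept src=192.0.2.44 dst=198.51.100.80 proto=tcp dport=443
2013-04-20T10:29:59 action=drop src=203.0.113.7 dst=198.51.100.10 proto=tcp dport=23
2013-04-20T10:30:00 action=drop src=192.0.2.44 dst=198.51.100.80 proto=udp dport=53
2013-04-20T10:44:12 action=drop src=203.0.113.200 dst=198.51.100.10 proto=tcp dport=1433
2013-04-20T11:01:00 action=drop src=192.0.2.45 dst=198.51.100.80 proto=tcp dport=80
"""

# Constructed stand-in for a GeoIP database: documentation prefixes mapped to labels.
GEO_PREFIXES = [
    (ip_network("203.0.113.0/24"), "China"),
    (ip_network("192.0.2.0/24"), "Netherlands"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) ")


def country_of(src):
    """Longest-prefix lookup in the constructed GeoIP table."""
    addr = ip_address(src)
    for net, label in GEO_PREFIXES:
        if addr in net:
            return label
    return "Unknown"


def bucket_label(ts, minutes=30):
    """Label of the fixed-size window (default 30 minutes) that contains ts."""
    start = ts.replace(minute=(ts.minute // minutes) * minutes, second=0, microsecond=0)
    return start.strftime("%Y-%m-%d %H:%M")


def dropped_by_window(log_text, minutes=30):
    """Count dropped connections per window, broken down by country of origin.
    Accepted traffic is ignored, as in the dropped-traffic graphs."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("action") != "drop":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        counts[bucket_label(ts, minutes)][country_of(m.group("src"))] += 1
    return counts


def peak_window(counts, country):
    """(window label, drops) of the window with the most drops from one country."""
    label, per_country = max(counts.items(), key=lambda kv: kv[1][country])
    return label, per_country[country]


if __name__ == "__main__":
    for window, per_country in sorted(dropped_by_window(SAMPLE_LOG).items()):
        print(window, dict(per_country))
    print("peak for China:", peak_window(dropped_by_window(SAMPLE_LOG), "China"))
```

With real audit data the only changes are the regular expression for your firewall's export format and swapping the constructed prefix table for a GeoIP lookup; the bucketing and the per-country peak are what the graphs in the diary are built from.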

 

Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form
--
Adam Swanger, Web Developer (GWEB, GWAPT)
Internet Storm Center https://isc.sans.edu


Published: 2013-04-24

Interesting Credit Card transactions, are you seeing similar?

In my day job we get involved in payment systems, credit card transactions etc. We are also asked to investigate and explain incidents as well as "unusual" activity.

When looking at credit card payments there are always payments from people like lkjsdflkjs and "famous person name", usually small-value transactions ($2, $5, $10), although recently we've started seeing $60 transactions.  These are easily identified and the motive is very clear: test the card.  If the transaction goes through, the card number and CVC (if needed) or other details are correct.

Recently, however, I've been seeing more interesting transactions. The transactions start with a high value and step down until the transaction is accepted, i.e. we start with a charge of 10K, the next transaction is 9K, then 8K ... 3K, $1000, $900, $800, ... $100.  The process is automated, so if the limit on the card is high enough multiple transactions are sometimes accepted. Again these transactions are easily identified; however, the motive eludes me. We looked at a number of possibilities:

  • Identify the upper limit on the card. The process, however, results in the card being maxed out. The issuing bank or card brand blocks the card, and the number then no longer has any value. You know the upper limit, but can no longer use the card.
  • Purchases for resale. This was the obvious one, but in the cases I worked on, none actually delivered a physical product to the purchaser.
  • Refunds? Another scenario we looked at is that after the transactions are done, the organisation is called by the fake cardholder and a refund is requested. Because their bank has blocked the card, they'd like to be refunded to a different card or via some other payment mechanism. Looking at refunds and refund requests through customer service avenues allowed us to discard this scenario in the cases we worked on.
  • Credit card DOS. Another scenario was a DOS on cards: max out as many cards as possible and irritate the bank, the card brand, or the proper cardholders. The volumes, however, while annoying for the merchant and issuing bank, were certainly not on epic scales. Unless of course we were only seeing one small part of a much larger distributed effort.

So what I'm asking those of you that deal with credit card payments is this.  Have you seen similar behaviour in your payment systems?  Multiple transactions on the same card, starting with a big value, stepping down in increments to lower values until the transaction is accepted, and in some cases beyond. Those of you that deal with donation sites or online delivery (i.e. no physical product) are more likely to see these.

If you have other ideas on what the point of these transactions is by all means share, either as a comment or through the contact form.
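For readers who want to look for this pattern in their own payment logs, here is an added Python example of the detection logic; it is not the author's code and the transaction records are constructed. It assumes each record carries a card token, an ordering key, the amount and the gateway's approve/decline result, and it flags a card once a run of strictly decreasing declined charges ends in an approval at a lower amount, which is exactly the step-down shape described above.

```python
from collections import defaultdict

# Constructed sample transactions (hypothetical tokens and amounts, not real payment data).
SAMPLE_TRANSACTIONS = [
    {"card": "tok_A", "ts": 1, "amount": 10000, "approved": False},
    {"card": "tok_A", "ts": 2, "amount": 9000, "approved": False},
    {"card": "tok_A", "ts": 3, "amount": 8000, "approved": False},
    {"card": "tok_A", "ts": 4, "amount": 3000, "approved": False},
    {"card": "tok_A", "ts": 5, "amount": 1000, "approved": False},
    {"card": "tok_A", "ts": 6, "amount": 900, "approved": True},   # first acceptance
    {"card": "tok_A", "ts": 7, "amount": 800, "approved": True},   # "and in some cases beyond"
    {"card": "tok_B", "ts": 1, "amount": 2, "approved": True},     # classic small-value card test
    {"card": "tok_C", "ts": 1, "amount": 49.99, "approved": True}, # ordinary customer
    {"card": "tok_C", "ts": 2, "amount": 19.99, "approved": False},
    {"card": "tok_C", "ts": 3, "amount": 19.99, "approved": True},
]


def step_down_runs(transactions, min_declines=3):
    """Return {card: details} for cards whose history contains a run of at least
    min_declines strictly decreasing declined charges followed by an approval
    at a still lower amount. Runs reset whenever the amount stops decreasing."""
    by_card = defaultdict(list)
    for t in transactions:
        by_card[t["card"]].append(t)

    flagged = {}
    for card, txs in by_card.items():
        txs.sort(key=lambda t: t["ts"])
        run = []  # current strictly decreasing run of declines
        for t in txs:
            if not t["approved"]:
                if run and t["amount"] >= run[-1]["amount"]:
                    run = []  # not decreasing any more: start a fresh run
                run.append(t)
                continue
            # an approval: does it close a long enough decreasing run?
            if len(run) >= min_declines and t["amount"] < run[-1]["amount"]:
                flagged[card] = {
                    "declines": len(run),
                    "start_amount": run[0]["amount"],
                    "approved_amount": t["amount"],
                }
            run = []
    return flagged


def approvals_after_flag(transactions, flagged):
    """How many charges were accepted on each flagged card, since the automation
    may keep going once it finds an amount that clears."""
    counts = defaultdict(int)
    for t in transactions:
        if t["card"] in flagged and t["approved"]:
            counts[t["card"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = step_down_runs(SAMPLE_TRANSACTIONS)
    print("step-down cards:", hits)
    print("approvals on those cards:", approvals_after_flag(SAMPLE_TRANSACTIONS, hits))
```

The minimum run length is the knob to tune: three declines is low enough to catch a short 3K, 1K, 900 sequence but still ignores a customer whose one retry at the same amount goes through, as tok_C shows.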

Regards
Mark H  (markh.isc at gmail.com)

 


Published: 2013-04-23

Verizon Data Breach report has been released

This report is pretty much an annual staple. The 2013 report has been released and can be obtained here.  

http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf

 

M


Published: 2013-04-23

MS13-036 has been re-released

The troublesome KB2823324 from last month has been re-released as KB2840149.  The theory is that this one will not cause the same issue.  Let us know if it does.  

More details here http://technet.microsoft.com/en-us/security/bulletin/ms13-036

Mark 


Published: 2013-04-23

Microsoft's Security Intelligence Report (SIRv14) released

Full disclosure: I work at Microsoft.

This past Thursday (17 APR) Microsoft released  volume 14 of its Security Intelligence Report (SIRv14) which includes new threat intelligence from over a billion systems worldwide. 

It should come as no surprise that network worms are on the decrease and that web-based attacks are all the rage. Interesting report highlights include:

  • The proportion of Conficker and Autorun threats reported by enterprise computers each decreased by 37% from 2011 to 2H12
  • In the second half of 2012, 7 out of the top 10 threats affecting enterprises were associated with malicious or compromised websites (see example below)
  • Enterprises were more likely to encounter the iFrame redirection technique than any other malware family tracked in 4Q12
  • One specific iFrame redirection family called IframeRef, increased fivefold in the fourth quarter of 2012 to become the number one malicious technique encountered by enterprises worldwide
  • IframeRef was detected nearly 3.3 million times in the fourth quarter of 2012

The report also takes a close look at the dangers of not using up-to-date antivirus software in an article titled “Measuring the Benefits of Real-time Security Software.” I read this with some skepticism, imagining it might be heavily slanted toward the use of Microsoft AV products, but read on, it's not. It refers to a ton of data generated via Microsoft telemetry but remains data-centric in pointing out that, on average, computers without AV protection were five and a half times more likely to be infected (What?! I'm shocked. This is my shocked face). The study also found that 2.5 out of 10, or an estimated 270 million computers worldwide, were not protected by up-to-date antivirus software. Now that actually is shocking. Really? What's the matter with people? For more information on that analysis, see details on TechNet.

On the related subject of web-based attacks, I recently completed a forensic review of an elderly Windows XP system that had clearly crossed paths with Blackhole, or as the SIR refers to it, Blacole; said system was infected with Exploit:Java/CVE-2011-3544. The behavior discovered warrants a quick review, as it details just one of the plethora of manners in which web-based attacks can own you. Of interest, SIRv14 states that "detections of exploits targeting CVE-2011-3544 and CVE-2010-0840, two vulnerabilities with significant exploitation in the first half of the year, declined by large amounts in 2H12. Both are cross-platform vulnerabilities that were formerly targeted by the Blacole kit but have been removed from more recent versions of the kit." That's in keeping with findings on the machine I analyzed, given that the related JAR files had been on the system since February 2012. Nonetheless, at the risk of oversimplifying the analysis, the writeup for CVE-2011-3544 describes a vulnerability that allows a remote attacker to execute arbitrary code on the system, caused by the improper handling of Rhino JavaScript errors. Of note when unpacked from the initial JAR file were efira.class and efira.java (the applet). As ripped directly from the conclusion of Michael Schierl's excellent writeup on CVE-2011-3544:

Steps to exploit this vulnerability include:

  1. Assign a toString() method to this that will disable the security manager and then run your payload
  2. Create a new JavaScript error object
  3. Overwrite the error object's message property by this
  4. Return the error object
  5. Create a new script engine and bind the applet to a JS variable (in case your payload needs it)
  6. Evaluate the script mentioned above
  7. Add the resulting object to a JList
  8. Display the JList to the user and wait for the UI thread to render it
Strings analysis of Efira.class (see VirusTotal if you want hashes) returned the requisite steps including:
  • toString() (1)
  • java/lang/Object error (2)
  • javax/script/ScriptEngine (5) 
  • eval (6)
  • javax/swing/JList (7)
And this was but one example of six Java-specific exploits dropped on this victim system during its unfortunate visit to a Blackhole infected site. Stay tuned for new and interesting web-based exploits for 2013.
Takeaways:
1) Run AV
2) Patch
3) Pray 
 
As always the SIR is a great read. Download it here.
 
 
 
 


Published: 2013-04-21

A Chargen-based DDoS? Chargen is still a thing?

In the past few days there was another denial of service attack launched at financial organizations. (Yeah, I know, DDoS on a bank, that *totally* never happens.) What is newsworthy isn't that it happened, it was the means used to execute the attack. Specifically, the organizations were flooded with UDP port 19 traffic, which is the chargen protocol. I am not sure I've ever seen a legitimate use of this protocol or encountered a machine that had it on intentionally before.

For review, chargen is basically a character generation protocol that listens on port 19 over TCP or UDP.  If you connect over TCP, it continues to stream random characters until you close the connection. Over UDP, it replies with a response of up to 512 bytes, depending on the request.  In this particular case, it was another amplification attack using UDP.  What makes chargen over UDP so desirable is that you can spoof sources without having to worry about establishing a fake connection, and that it responds with packets much larger than the request. In short, if your networks are exposing a service that responds to UDP with packets much larger than the request (DNS in particular is popular these days), take due care that you are doing rate-limiting if those protocols are Internet-accessible.

It's not a common attack using chargen and there is some evidence that in a few of the cases in the past few years the attack was used as a smoke screen to hide other attack traffic.

In this case, many of the devices used were commodity multifunction copiers and the like. Which leads to two questions:

1) Why are these Internet accessible?
2) Why did the vendor enable this protocol by default? (or possibly some malicious individual enabled it)

So your takeaways are two-fold:

- Check to make sure you don't have Internet-accessible devices that don't need to be (and if they need to be, you are regulating UDP requests).
- Make sure you are doing some form of BCP 38 where you filter outbound traffic to ensure that no packets leave your network that don't have internal addresses. Amplification attacks rely on spoofed packets and if every provider implemented this filtering, we would see these attacks greatly diminish overnight.

And don't forget old and dead protocols, sometimes they're still around. :)
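The two takeaways above, as an added Python example that is not the author's code: a BCP 38 style egress check that only lets packets with one of our own source addresses leave, a scan of egress records for internal hosts answering from UDP/19 (exposed chargen responders), and the request-to-response ratio that makes the protocol attractive as an amplifier. The packet records and the "internal" prefixes are constructed (documentation ranges stand in for real address space).

```python
from ipaddress import ip_address, ip_network

# Constructed sample: this organisation's own prefixes (documentation ranges as stand-ins).
INTERNAL_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Constructed sample packets as seen at the egress router (hypothetical records).
SAMPLE_EGRESS = [
    # a copier answering a chargen request with a full 512-byte datagram
    {"src": "198.51.100.20", "sport": 19, "dst": "192.0.2.9", "dport": 40123, "proto": "udp", "len": 512},
    # an ordinary DNS query from inside
    {"src": "198.51.100.21", "sport": 52000, "dst": "192.0.2.53", "dport": 53, "proto": "udp", "len": 60},
    # two spoofed-source packets that should never leave this network
    {"src": "192.0.2.77", "sport": 40000, "dst": "192.0.2.9", "dport": 19, "proto": "udp", "len": 28},
    {"src": "10.9.9.9", "sport": 33000, "dst": "192.0.2.9", "dport": 19, "proto": "udp", "len": 28},
]


def is_internal(src, prefixes=INTERNAL_PREFIXES):
    """True when src falls inside one of our own prefixes."""
    addr = ip_address(src)
    return any(addr in net for net in prefixes)


def bcp38_egress_filter(packets, prefixes=INTERNAL_PREFIXES):
    """Split outbound packets into (forwarded, dropped). A packet whose source is
    not ours cannot legitimately leave; dropping it is what BCP 38 asks of every
    provider, and it is what denies spoofed requests their reflected replies."""
    forwarded = [p for p in packets if is_internal(p["src"], prefixes)]
    dropped = [p for p in packets if not is_internal(p["src"], prefixes)]
    return forwarded, dropped


def chargen_reflectors(packets, prefixes=INTERNAL_PREFIXES):
    """Internal hosts seen answering from UDP/19: devices with chargen left on
    that are reachable from outside and can be turned into amplifiers."""
    return sorted({
        p["src"] for p in packets
        if p["proto"] == "udp" and p["sport"] == 19 and is_internal(p["src"], prefixes)
    })


def amplification_factor(request_len, response_len):
    """Bytes returned per byte sent. A minimal 28-byte IP/UDP datagram answered
    with chargen's 512-byte maximum comes to roughly 18x."""
    return response_len / request_len


if __name__ == "__main__":
    fwd, drop = bcp38_egress_filter(SAMPLE_EGRESS)
    print("forwarded:", [p["src"] for p in fwd])
    print("dropped (spoofed source):", [p["src"] for p in drop])
    print("chargen responders to fix:", chargen_reflectors(SAMPLE_EGRESS))
    print("chargen amplification:", round(amplification_factor(28, 512), 1))
```

On a real router the egress filter is an ACL or uRPF setting rather than Python, but the check is the same test: is the source address one of ours? The reflector scan is the cheap way to find the copiers before someone else does.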

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting


Published: 2013-04-19

Java 8 release schedule delayed for renewed focus on security

ISC Handler Rob V pointed out a blog post from Oracle's Mark Reinhold stating that Oracle has "mounted an intense effort to address those issues in a series of critical-patch update releases" and that they've also upgraded their "development processes to increase the level of scrutiny applied to new code, so that new code doesn’t introduce new vulnerabilities."

Framing statements state that Oracle:

  • is committed to continue fixing security issues at an accelerated pace
  • will enhance the Java security model
  • will introduce new security features
  • recognizes that more engineer hours are required than can be freed up by dropping features from Java 8 or otherwise reducing the scope of the release at this stage

As such, the likely release of Java 8 will be in the first quarter of 2014 (had been intended for September 2013).

Read the full article for yourself here: http://mreinhold.org/blog/secure-the-train

Russ McRee | @holisticinfosec

 


Published: 2013-04-18

ISC Handler Lenny Zeltser's REMnux v4 Reviewed on Hak5

Earlier this morning, Lenny released version 4 of REMnux, a lightweight Ubuntu Linux-based distro for analyzing malware.  It was recently reviewed on Hak5.  Take a look and if you haven't already, download the image and send Lenny your feedback.

--
John Bambenek
bambenek at gmail /dot/ com
Bambenek Consulting


Published: 2013-04-17

UPDATEDx1: Boston-Related Malware Campaigns Have Begun - Now with Waco Plant Explosion Fun

UPDATE: 04-18-2013 @ 10:10 AM CDT -

Some of the spam campaigns are now changing over to the Waco plant explosion. Basically the lure is the same: a subject that mentions the video, and then an IP-only URL ending in /texas.html or /news.html.  The landing page has a few embedded YouTube videos and an iframe with malicious content at the end.

** End Update 1 **

About mid-afternoon yesterday (Central time - US), Boston-related spam campaigns began. The general "hook" is that the mail sends a URL with a subject about the video from the explosions. Similar to when Osama Bin Laden was killed and fake images were used as a hook, in this case the video is relevant to the story and is being used as the hook.  Right now, very roughly 10-20% of all spam is related to this (some spamtraps reporting more, some less).  Similar IPs have also been sending pump & dump scams, so likely the same group has re-tasked itself.

Here is a list of subjects I've seen hit spam traps:

Subject: 2 Explosions at Boston Marathon
Subject: Aftermath to explosion at Boston Marathon
Subject: Arbitron. Dial Global. Boston Bombings
Subject: Boston Explosion Caught on Video
Subject: BREAKING - Boston Marathon Explosion
Subject: Explosion at Boston Marathon
Subject: Explosion at the Boston Marathon
Subject: Explosions at Boston Marathon
Subject: Explosions at the Boston Marathon
Subject: Opinion: Boston Marathon Explosions made by radical Gays? Really? - CNN.com
Subject: Opinion: Boston Marathon Explosions - Romney Benefits? - CNN.com
Subject: Opinion: Boston Marathon Worse Sensation - Osama bin Laden still alive!? - CNN.com
Subject: Opinion: FBI knew about bombs 3 days before Boston Marathon - Why and Who Benefits? - CNN.com
Subject: Opinion: Osama Bin Laden video about Boston Marathon Explosions - bad news for all the world. - CNN.com
Subject:[SPAM] 2 Explosions at Boston Marathon
Subject:[SPAM] Boston Explosion Caught on Video
Subject:[SPAM] Explosions at the Boston Marathon
Subject:[SPAM] Video of Explosion at the Boston Marathon 2013
Subject: Stiri:EXPLOZIILE de la maratonul din Boston/Spaga este negociata la granita Romaniei/A inventat bautura care INLOCUIESTE MANCAREA/TUNELUL cu mecanisme de NEINTELES al lui STALIN/70 % din infrastructura RCS-RDS este amplasata ILEGAL/BOMBA ANULUI IN SHOWBIZ
Subject: Video of Explosion at the Boston Marathon 2013

Here is a list of malicious URLs in those messages (use at your own risk):

hxxp://109.87.205.222/boston.html
hxxp://109.87.205.222/news.html
hxxp://110.92.80.47/boston.html
hxxp://110.92.80.47/news.html
hxxp://118.141.37.122/boston.html
hxxp://118.141.37.122/news.html
hxxp://176.241.148.169/boston.html
hxxp://176.241.148.169/news.html
hxxp://178.137.100.12/boston.html
hxxp://178.137.100.12/news.html
hxxp://178.137.120.224/boston.html
hxxp://178.137.120.224/news.html
hxxp://188.2.164.112/boston.html
hxxp://188.2.164.112/news.html
hxxp://190.245.177.248/boston.html
hxxp://190.245.177.248/news.html
hxxp://212.75.18.190/boston.html
hxxp://212.75.18.190/news.html
hxxp://213.34.205.27/boston.html
hxxp://213.34.205.27/news.html
hxxp://217.145.222.14/boston.html
hxxp://217.145.222.14/news.html
hxxp://219.198.196.116/boston.html
hxxp://219.198.196.116/news.html
hxxp://24.180.60.184/boston.html
hxxp://24.180.60.184/news.html
hxxp://24.214.242.227/boston.html
hxxp://24.214.242.227/news.html
hxxp://31.133.84.65/boston.html
hxxp://31.133.84.65/news.html
hxxp://37.229.215.183/boston.html
hxxp://37.229.215.183/news.html
hxxp://37.229.92.116/boston.html
hxxp://37.229.92.116/news.html
hxxp://46.233.4.113/boston.html
hxxp://46.233.4.113/news.html
hxxp://46.233.4.113/xxxxx.html
hxxp://50.136.163.28/boston.html
hxxp://50.136.163.28/news.html
hxxp://61.63.123.44/boston.html
hxxp://61.63.123.44/news.html
hxxp://62.45.148.76/boston.html
hxxp://62.45.148.76/news.html
hxxp://62.45.148.76/xxxxx.html
hxxp://78.90.133.133/boston.html
hxxp://78.90.133.133/news.html
hxxp://83.170.192.154/boston.html
hxxp://83.170.192.154/news.html
hxxp://85.198.81.26/boston.html
hxxp://85.198.81.26/news.html
hxxp://85.204.15.40/boston.html
hxxp://85.204.15.40/news.html
hxxp://85.217.234.98/boston.html
hxxp://85.217.234.98/news.html
hxxp://91.241.177.162/boston.html
hxxp://91.241.177.162/news.html
hxxp://91.241.177.162/xxxxx.html
hxxp://94.153.15.249/boston.html
hxxp://94.153.15.249/news.html
hxxp://94.28.49.130/boston.html
hxxp://94.28.49.130/news.html
hxxp://95.69.141.121/boston.html
hxxp://95.69.141.121/news.html
hxxp://95.87.6.156/boston.html
hxxp://95.87.6.156/news.html
 
Some of these are already down, but they are basically plain pages with a handful of relevant embedded YouTube videos.  Early versions would redirect to fetch a file, boston___________AVI.exe, and on down the rabbit hole it goes.  It was pretty loud, so most AV should have signatures already.
 
H/T to Nick Tabick and Corbin Souffrant, two of my students at the University of Illinois who helped dig into this last night.
 

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting


Published: 2013-04-17

Apple iTunes Services Outage

UPDATE: All seems to be well and the interruption was brief. You can check status at http://www.apple.com/support/systemstatus/

We are getting reports of an Apple services outage and/or difficulty connecting to iTunes services. If you are seeing this, please report it.

 

Richard Porter

--- ISC Handler on Duty


Published: 2013-04-16

Java 7 Update 21 is available - Watch for Behaviour Changes !

Several of our readers have written in to let us know about the latest Java Update. 

So why isn't this a normal one-liner with a pointer off to the readme?  Because Oracle has significantly changed how Java runs with this version.  Java now requires code signing, and will pop up brightly coloured dialogue boxes if your code is not signed.  It now alerts on unsigned, signed-but-expired and self-signed certificates.

We'll even need to click "OK" when we try to download and execute signed and trusted Java.

This is a really positive move on their part - with as many problems as Java has, it'll be nice to stop blaming the developers of the language entirely for malicious code - Java doesn't give you malware, running malware gives you malware. 

(not that Java is perfect, mind you)

 

The graphics you can expect to see once you update are:

Valid Certificate Self-Signed Certificate

 

 

Expired Certificate Unsigned Application

Full details on the new run policy can be found here ==> https://www.java.com/en/download/help/appsecuritydialogs.xml

And more information can be found here ==> http://www.oracle.com/technetwork/java/javase/tech/java-code-signing-1915323.html

 

===============
Rob VandenBrink
Metafore


Published: 2013-04-16

Fake Boston Marathon Scams Update

Yesterday, TheDomains reported there were 125 potentially fake domains registered just hours after the attack in Boston. By my current count, I see 234. Some of these are just parked domains, some are squatters who are keeping the domains from bad people. A couple are soliciting donations (one is soliciting bitcoins, oddly enough). So far, there have been no reports of any spam related to this, but there have been a few fake Twitter accounts which are fairly quickly getting squashed. Oh, and one lawsuit-lawyer related site in connection to the event, but that's a different kind of scum than we typically deal with here. But so far, most of the domains are parked (typically at GoDaddy, but don't read that as a swipe at them) or they don't resolve anywhere.

In short, I would have thought this would have picked up quicker than it had.

That said, it did give me the impetus to finish scripting a few things to basically monitor these domains automagically to start looking for indicators and to see when (or if) they ever come out of "parked" status.

As usual, the standard advice applies in events like these. If you want to donate (or have friends/family/colleagues who do), work through well-known and established charities to do so.

Feel free to send any suspicious sites/spam/Twitter accounts/etc. to us so we can keep doing analysis.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting


Published: 2013-04-15

Oops - You Mean That Deleted Server was a Certificate Authority?

I was recently working at a client, implementing wireless.  As in many Enterprise Wireless projects, we needed an Enterprise Certificate Authority (CA).  Imagine my surprise when we went to create an Enterprise Root CA and found that one already existed.  And when we took a closer look at that Root CA and found that the server was retired - dead and gone - I got that sinking feeling and realized we might be on a trip down the project-over-run rabbit hole.

While you can certainly inventory all the certificates issued and active on a Certificate Authority, if the CA is gone there isn't a good way to do that.  And while you can easily delete a Root CA from Active Directory, once you delete it, that CA is no longer in the list of Trusted Roots: all the certificates issued by it will be invalid, and in this case nobody was really sure what that CA had been put in to do.  So what we needed was an idea of what the impact of deleting that CA might be.

Then I remembered the story I wrote a while back on Microsoft certutil ( https://isc.sans.edu/diary/11962 ).  With a bit of playing, I was able to use certutil and psexec (from Mark R's excellent Sysinternals utilities) to inventory the "Local Computer" certificate store of every machine in the domain.  

Luckily, in this case we only needed to worry about machines in the Active Directory Domain, so this survey got the job done for us.

What we needed to run was a short script like this, on each machine in the domain:

REM ============== getiss.cmd ==============
REM Append a separator line and this machine's name to a file on a share,
REM then the Issuer line of every certificate in the Local Computer "my"
REM (Personal) store. find also passes the "Root Certificate: Subject
REM matches Issuer" line that certutil prints for self-signed certificates.
echo ========================== >> \\utilserver\sharename\certs.txt
hostname >> \\utilserver\sharename\certs.txt
certutil -store my | find "Issuer" >> \\utilserver\sharename\certs.txt

The first 2 lines (the echo and hostname commands) just break up the output and identify the machine being evaluated in each block.  The last line is where all the action is: we're dumping the certificate store, looking only at the Local Machine store.  In this case all we're interested in is which server issued each certificate, so we're filtering the output for the word "Issuer".  Since we're looking anyway, I'm not going to parse this out further; I'll happily look at *all* the issuers in the domain to see if we've got any other issuer-based certificate problems in our domain.

Now I'll call this little script for every computer in the domain:

psexec \\* -u domainname\adminuser -p adminuserspassword -cf getiss.cmd

(-c copies the script to each target and -f forces the copy even if a file of that name already exists there.  If you omit -p, psexec prompts for the password instead, which keeps a domain admin password out of your command history and out of the process list on your workstation.)

Our output looks like:

==========================
KMS
Issuer: CN=CA01-CA, DC=domain, DC=com
==========================
SERVERNAME2
==========================
BACKUPS
==========================
SERVERNAME5
==========================
SERVERNAME6
==========================
SERVERNAME7
Issuer: CN=SERVERNAME7, L=1720207907, OU=SharePoint, O=Microsoft
Root Certificate: Subject matches Issuer
==========================

... and so on.
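
Rather than eyeballing certs.txt, a few lines of Python can group the collected issuers by host and answer the real question directly: which hosts still hold a certificate issued by the CA we want to remove, and which certificates are merely self-signed.  This is an added example, not code from the original diary; its sample input is constructed from the output above, and OLD-CA is an assumed name for the retired CA (pass the real CN as the second argument).

```python
"""Summarize the certs.txt that getiss.cmd builds (added example, not the diary's own code)."""
import sys
from collections import defaultdict

# Constructed from the output shown above; the real input is the shared certs.txt.
SAMPLE = """\
==========================
KMS
Issuer: CN=CA01-CA, DC=domain, DC=com
==========================
SERVERNAME2
==========================
SERVERNAME7
Issuer: CN=SERVERNAME7, L=1720207907, OU=SharePoint, O=Microsoft
Root Certificate: Subject matches Issuer
==========================
"""


def parse_certs(text):
    """Return {hostname: [(issuer, self_signed), ...]}.

    Each block is a separator line, the hostname, then the lines that
    `find "Issuer"` let through: "Issuer: ..." for every certificate and
    "Root Certificate: Subject matches Issuer" right after a self-signed one.
    """
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"="}:            # separator: the next line names a host
            current = None
        elif current is None:
            current = line
            hosts.setdefault(current, [])
        elif line.startswith("Issuer:"):
            hosts[current].append([line[len("Issuer:"):].strip(), False])
        elif line.startswith("Root Certificate:") and hosts[current]:
            hosts[current][-1][1] = True  # marks the certificate listed just before
    return {h: [tuple(c) for c in certs] for h, certs in hosts.items()}


def issuer_cn(issuer):
    """First RDN of an issuer DN without the 'CN=' prefix."""
    first = issuer.split(",", 1)[0].strip()
    return first[3:] if first.upper().startswith("CN=") else first


def hosts_by_issuer(hosts):
    """Which hosts hold a certificate from each issuer (self-signed listed separately)."""
    by_issuer = defaultdict(set)
    for host, certs in hosts.items():
        for issuer, self_signed in certs:
            by_issuer["(self-signed)" if self_signed else issuer].add(host)
    return {k: sorted(v) for k, v in by_issuer.items()}


def impact(hosts, ca_common_name):
    """Hosts that would lose a working certificate if the named CA is removed."""
    return sorted(
        host for host, certs in hosts.items()
        if any(not ss and issuer_cn(iss) == ca_common_name for iss, ss in certs)
    )


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    ca = sys.argv[2] if len(sys.argv) > 2 else "OLD-CA"   # assumed name of the dead CA
    hosts = parse_certs(text)
    for issuer, names in sorted(hosts_by_issuer(hosts).items()):
        print(f"{issuer}: {', '.join(names)}")
    print(f"hosts still depending on {ca}: {impact(hosts, ca) or 'none'}")
```

Run it against the collected file, e.g. `python summarize_certs.py \\utilserver\sharename\certs.txt OLD-CA`; an empty "still depending on" list is the green light to decommission.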

So what did we find?  The old CA hadn't issued any certificates that were currently in play on anything in the domain.   We also found a number of self-signed certificates (where the Issuer matched the hostname).  So, with this in hand, we can delete that old CA from the Domain and know in our hearts that we're not going to mess up any of the critical services in the organization (SharePoint or Exchange for instance).  Details on doing this, now that the impact has been assessed, can be found at these and many other links on microsoft.com ( http://support.microsoft.com/kb/555151 , http://support.microsoft.com/kb/889250 , http://blogs.technet.com/b/pki/archive/2011/10/07/how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx )

Scripting saves the day again, in about 10 minutes no less !

If you've had a similar experience, or if you've got a simpler or more elegant scripting approach for this type of problem, by all means use our comment form and share.

===============
Rob VandenBrink
Metafore

4 Comments

Published: 2013-04-14

Protocol 61 Packets Follow Up

Thanks for all the tips and packets we have received so far regarding protocol 61 traffic. I would like to summarize some of the responses here.

We got two captures of the suspect traffic. Both show the same two source IPs (5.5.128.1 and 2.2.128.1). The last octet of the target IP address is always 1. In each target network, only 1 or 2 IPs are hit by the odd packets.

The two captures show different time to live values, which may indicate that in each case the packets originated from the same source, but the sample is clearly too small at this point to decide whether or not the addresses are spoofed. My "guess" is that the IP addresses are spoofed. Yes, they are assigned to real networks according to whois, but the addresses themselves just look suspicious: two addresses with the same last two octets but very different first two octets don't sound right.

One reader pointed to a recent talk at a security conference showing that some routers are susceptible to a denial of service if hit by odd protocols. It is possible that this tool attempts to trigger this condition, but that seems unlikely, as it wouldn't require packets at a high rate.

Most of the packets are 40 bytes in length with 20 bytes of IP header and 20 bytes of payload. One possible explanation would be that the 20 bytes of payload are actually a TCP header, but the data doesn't quite line up for that. For example, if interpreted as TCP, the TCP header length doesn't come up as 20 Bytes, and the flags are "wrong".

There are a couple of larger packets (up to 1500 bytes), but the vast majority is 40 bytes.

One reader provided some insight that the packets may be caused by an unspecified configuration or hardware error:

I have exactly the same, now for the 3rd or 4th time. Pretty unclear what this should be; my guess after discussion with our upstream ISP's NOC was that there is something broken. The packets seem not to be spoofed and typically it lasts a week or so.

Personally, my bet is that this will turn out to be a configuration error or a bug, not an attack. But keep the packets coming (if you have any). Thanks to everybody contributing to this.

Two sample packets (anonymized; the target network was changed to 10.10):

IP 5.5.128.1 > 10.10.128.1:  ip-proto-61 20
0x0000:  4500 0028 0000 0000 2f3d 7c88 0505 8001  E..(..../=|.....
0x0010:  0a0a 8001 0060 0ff3 c69c 78e1 7b42 1a25  .....`....x.{B.%
0x0020:  1197 1c27 d964 0000 0000 0000 0000       ...'.d........

IP 2.2.128.1 > 10.10.128.1:  ip-proto-61 20
0x0000:  4500 0028 0000 0000 2f3d 7f8b 0202 8001  E..(..../=......
0x0010:  0a0a 8001 0060 0ff7 c69c 60e6 7b36 e948  .....`....`.{6.H
0x0020:  ecf5 3f78 3a8d 0000 0000 0000 0000       ..?x:.........

Marked up fields for first packet

IP 5.5.128.1 > 10.10.128.1:  ip-proto-61 20
0x0000:  4500 0028 0000 0000 2f3d 7c88 0505 8001  E..(..../=|.....
         VHTO LEN  IPID FLAG TTPR CHSU Source IP
0x0010:  0a0a 8001 0060 0ff3 c69c 78e1 7b42 1a25  .....`....x.{B.%
         Target IP <--- Payload 
0x0020:  1197 1c27 d964 0000 0000 0000 0000       ...'.d........
                             ---> (ethernet padding: the 6 bytes past the 40-byte total length)

V = version, H = header length (in 32-bit words), TO = type of service, LEN = datagram length, IPID = identification, FLAG = fragmentation flags and offset
TT = TTL, PR = protocol, CHSU = header checksum
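
To make the marked-up fields reproducible, here is an added example (not part of the original diary) that decodes both sample packets: it parses the IPv4 header, verifies the header checksum, uses the total length field to separate the 20 payload bytes from the Ethernet padding, and then reads those 20 bytes as if they were a TCP header to show why that interpretation does not hold up (data offset of 4 or 56 bytes, SYN together with FIN and RST). The hex is the anonymized data shown above; nothing else is assumed.

```python
"""Decode the 40-byte protocol 61 packets shown above (added example, not the diary's code)."""
import socket
import struct

# The two anonymized samples from the diary, exactly as dumped: a 40-byte
# datagram followed by 6 bytes of Ethernet padding (46 bytes each).
PKT1 = bytes.fromhex(
    "4500 0028 0000 0000 2f3d 7c88 0505 8001"
    "0a0a 8001 0060 0ff3 c69c 78e1 7b42 1a25"
    "1197 1c27 d964 0000 0000 0000 0000"
)
PKT2 = bytes.fromhex(
    "4500 0028 0000 0000 2f3d 7f8b 0202 8001"
    "0a0a 8001 0060 0ff7 c69c 60e6 7b36 e948"
    "ecf5 3f78 3a8d 0000 0000 0000 0000"
)

TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]  # bit 0 .. bit 8


def ip_checksum(header):
    """RFC 1071 one's-complement checksum; a header with a valid checksum field yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(frame):
    """Return (header fields, payload, link-layer padding) for a raw IPv4 datagram."""
    vihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[:20])
    ihl = (vihl & 0x0F) * 4
    hdr = {
        "version": vihl >> 4, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "checksum_ok": ip_checksum(frame[:ihl]) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }
    # Anything beyond the total length field is not part of the datagram
    # (here: padding added to reach the 46-byte Ethernet minimum payload).
    return hdr, frame[ihl:total_len], frame[total_len:]


def as_tcp(payload):
    """Read the payload as if it were a TCP header and say whether that is plausible."""
    if len(payload) < 20:
        return None
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", payload[:20])
    data_offset = (off_flags >> 12) * 4
    flags = [name for bit, name in enumerate(TCP_FLAGS) if off_flags & (1 << bit)]
    reserved = (off_flags >> 9) & 0x7
    plausible = (
        20 <= data_offset <= len(payload)
        and reserved == 0
        and not ("SYN" in flags and ("FIN" in flags or "RST" in flags))
    )
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "data_offset": data_offset,
            "flags": flags, "window": window, "plausible": plausible}


if __name__ == "__main__":
    for frame in (PKT1, PKT2):
        hdr, payload, pad = parse_ipv4(frame)
        print(hdr)
        print("payload:", payload.hex(), "padding:", len(pad), "bytes")
        print("read as TCP:", as_tcp(payload))
```

Both headers checksum correctly, so whatever is sending these is building a well-formed IP header around 20 bytes of something that is not a TCP header.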

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

4 Comments

Published: 2013-04-13

Protocol 61: Anybody got packets?

Jason is writing us saying that his firewall is dropping 600-700 packets per second with protocol 61 (not port 61). He hasn't been able to capture full packets but is working on it.

This looks very much like a corrupt packet, maybe as a result of a DoS upstream, or a broken attack tool. If anybody sees something similar, please let us know (and we really like full packets).

The source IP addresses are 2.2.128.1 and 5.5.128.1 (again, odd addresses... )

Here are some anonymized firewall logs from Jason:

	2013-04-12 00:00:00 firewall %ASA-3-106010: Deny inbound protocol 61 src outside:2.2.128.1 dst outside:xxx.xxx.xx6.1
	2013-04-12 00:00:00 firewall %ASA-3-106010: Deny inbound protocol 61 src outside:5.5.128.1 dst outside:xxx.xxx.xx6.1
	2013-04-12 00:00:00 firewall %ASA-3-106010: Deny inbound protocol 61 src outside:2.2.128.1 dst outside:xxx.xxx.xx8.1
	2013-04-12 00:00:00 firewall %ASA-3-106010: Deny inbound protocol 61 src outside:5.5.128.1 dst outside:xxx.xxx.xx8.1

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

3 Comments

Published: 2013-04-12

More massive malicious spam! This time claiming to be from Almacenes Exito

------------------------------ BEGIN OF WARNING SECTION ------------------------------

This diary has live malware links, so be careful if you decide to access them.

------------------------------ END OF WARNING SECTION ------------------------------

Spammers are busy this week in my country! Today, April 11 2013, I received spam claiming to be a promotion from the biggest retail company in the country and stating that they are giving away debit cards worth US$274.54 for free.

SCAM from Almacenes Exito

This link points to http://katiepriceuk.com/wp-content/gallery/ecards/www.exito.com.tarjetaderegalo.php. Having a look with wireshark shows the following:

First redirect from malicious site

This looks like a vulnerable WordPress site that was modified with a redirect injection. The second one looks like a hacked Drupal site with the FCKEditor module compromised. Check below:

Malware Location

MD5 for the downloaded zip file is 11da149ca99f2cc9f64c5e4fca76a9f1. The following are the zip content details:

After analyzing this little thing, it turned out to be a Koobface variant. The VirusTotal detection rate is pretty high (36/42), but as I stated in my previous diary, too many people around here do not like to install security controls on their computers, because those controls do not let them use insecure programs, or they just think that investing in antimalware / HIPS licenses is not worth it.

If you are in Colombia, please remember that cybercrime is rising and local computer criminals are disseminating malware that specifically targets the banking software of local banks (Bancolombia, Grupo Aval, Corpbanca, ...) and, of course, every web access you perform to personal banking or payment sites using your banking information. You will do yourself a favor if you invest in basic security controls for your computer like:

  • Firewall software: Windows Firewall is good but lacks advanced functions that can really enhance the protection of your information assets.
  • Antimalware: Remember that there are too many malicious software pieces out there, and many of them are not exe files but content delivered through web sites. You need to be protected against malicious JavaScript, Flash applets, Java applets, PDFs and so on.
  • Host IPS: Most 0-day vulnerabilities can be caught with this protection, since it catches buffer overflows and the common malicious operations performed by exploits to gain privileges or perform malicious tasks inside your computer.

 

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

2 Comments

Published: 2013-04-11

KB2823324 causing boot issues in Brazil and some other locales

An article in Linha Defensiva (http://www.linhadefensiva.com/2013/04/brazilian-users-unable-to-boot-windows-after-botched-update/) reports that after applying the update, machines were no longer able to boot.  According to the article Microsoft has recognised that there is an issue with the Brazilian version of the OS, but the links in the article point to other locales having similar issues. 

I wasn't able to find any further reference on the Microsoft site, but in the meantime, if you do approve this KB for deployment, make sure you test it thoroughly prior to a production implementation.

If you've had issues with this KB please let us know.

Mark H

13 Comments

Published: 2013-04-11

Windows XP end of life, 12 months to go.

The Microsoft Security Response Center put up a little note reminding people that Windows XP will be out of extended support in 12 months' time (http://blogs.technet.com/b/msrc/archive/2013/04/09/out-with-the-old-in-with-the-april-2013-security-updates.aspx).  From April next year there will be no more security patches or updates to the operating system.  Reality teaches us that many organisations will still have Windows XP running within their networks at that time, so as security professionals we should probably put the risk of an unsupported operating system in the environment on the risk register. 

How big a problem will it be? That will depend on the issues that will no doubt be released in May 2014. With the XP install base still being quite large, it is likely that there are vulnerabilities that people are sitting on and may not release until after Microsoft has stopped support.  So we should work on the assumption that:

  1. we will still have XP in the environment
  2. there are going to be exploitable vulnerabilities in the OS. 

Some of the common techniques that we use today may help address the issue.  Application whitelisting should help protect the operating system, assuming the products will support XP going forward. Network segmentation will help contain any issues in the environment.  But essentially we are going to have to deal with known-vulnerable, quite possibly compromised, machines in the network that we may not be able to do much about. 

I've put up a poll asking "What are your plans when XP is no longer supported" feel free to provide additional comments in the poll or here. How will your organisation deal with this?

Mark H

1 Comments

Published: 2013-04-10

Massive Google scam sent by email to Colombian domains

This morning many users in my city woke up with supposedly good news from a resume they sent to google looking for open positions:

Google SCAM

Of course this scam does not have anything new or innovative to cause a massive impact, but here is the catch: in this part of the world, people love P2P networks and love to download unlicensed content like Windows operating systems, music and paid programs so they don't have to pay a cent for it. Since standard security controls like antivirus and host IPS flag those programs as malicious and then block most of their functionality, a huge number of people disable such measures to access that unlicensed content freely.

The file referenced in the e-mail is zip compressed, MD5 4e85b6c9e9815984087f6722498a6dfc. Once uncompressed, you get document.exe, MD5 3e41ab7c70701452d046b93f764564ec. This file is widely recognized on VirusTotal, with a 40/46 detection ratio. It is a mass mailer with backdoor capabilities. The mass mailer malware description can be found at http://home.mcafee.com/virusinfo/virusprofile.aspx?key=153521#none and the backdoor description can be found at http://home.mcafee.com/virusinfo/virusprofile.aspx?key=100938.

This little thing caused lots of help desk calls to my company this morning because people complained about very slow internet links without performing any downloads. If you were affected by this malware, please keep in mind the following recommendations:

  • Do not *ever* open attachments from unreliable sources, especially zipped files with exe files inside. Nothing good can come from it.
  • Do not disable any security controls on your computer, such as host IPS, antivirus and personal firewall. If you need to work with software that is blocked by any of these controls and there is no way to allow it through them, it is definitely something you should consider not using.
  • Malware can control your machine and use it as the attacker desires, affecting the confidentiality, integrity, availability, traceability and non-repudiation of your information. Avoid performing actions that could materialize such risks, like using P2P software.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

1 Comments

Published: 2013-04-09

Adobe April 2013 Black Tuesday Overview

Adobe released their April 2013 Black Tuesday bulletins:

Bulletin   Affected              CVE                                                         Adobe rating
APSB13-10  ColdFusion            CVE-2013-1387, CVE-2013-1388                                Important
APSB13-11  Flash Player and AIR  CVE-2013-1378, CVE-2013-1379, CVE-2013-1380, CVE-2013-2555  Critical
APSB13-12  Shockwave Player      CVE-2013-1383, CVE-2013-1384, CVE-2013-1385, CVE-2013-1386  Critical

--
Swa Frantzen -- Section 66

2 Comments

Published: 2013-04-09

Microsoft April 2013 Black Tuesday Overview

Overview of the April 2013 Microsoft patches and their status.

For each bulletin: the affected component and KB, a short description (and the bulletin it replaces), the CVEs, known exploits, Microsoft's severity and exploitability index (**), and the ISC rating (*) for clients and servers.

MS13-028  MSIE  (KB 2817183)
  The usual monthly MSIE cumulative patch, adding fixes for two more vulnerabilities. Both are "use after free" memory management issues and both allow arbitrary code execution. Replaces MS13-021.
  CVEs: CVE-2013-1303, CVE-2013-1304
  Known exploits: none publicly known
  Microsoft: Critical, Exploitability 2
  ISC: clients Critical, servers Important

MS13-029  RDP  (KB 2828223)
  A memory management problem with the Remote Desktop Connection ActiveX control allows arbitrary code execution. Replaces MS09-044 and MS11-017.
  CVEs: CVE-2013-1296
  Known exploits: none publicly known
  Microsoft: Critical, Exploitability 1
  ISC: clients Critical, servers Important

MS13-030  SharePoint  (KB 2827663)
  A vulnerability in the default access control lists (ACLs) that SharePoint applies to lists allows unauthorized access to lists on a SharePoint server.
  CVEs: CVE-2013-1290
  Known exploits: Microsoft states that CVE-2013-1290 was publicly disclosed.
  Microsoft: Important, Exploitability 3
  ISC: clients N/A, servers Important

MS13-031  Kernel  (KB 2813170)
  Two kernel race conditions allow privilege escalation and read access to kernel memory. Replaces MS13-017.
  CVEs: CVE-2013-1284, CVE-2013-1294
  Known exploits: none publicly known
  Microsoft: Important, Exploitability 2
  ISC: clients Important, servers Important

MS13-032  Active Directory  (KB 2830914)
  A denial of service vulnerability exists in the LDAP services provided by Active Directory. Also affects services such as ADAM and AD LDS.
  CVEs: CVE-2013-1282
  Known exploits: none publicly known
  Microsoft: Important, Exploitability 3
  ISC: clients N/A, servers Important

MS13-033  CSRSS  (KB 2820917)
  A memory corruption vulnerability in CSRSS (Client/Server Runtime Subsystem) allows privilege escalation to the local system context and/or denial of service. Replaces MS12-003.
  CVEs: CVE-2013-1295
  Known exploits: none publicly known
  Microsoft: Important, Exploitability 3
  ISC: clients Important, servers Important

MS13-034  MSAC  (KB 2823482)
  Improper path names used by the Microsoft Anti-malware Client (MSAC) allow privilege escalation to the LocalSystem account. Affects Windows Defender on Windows 8 and Windows RT. The update also contains functional updates.
  CVEs: CVE-2013-1285, CVE-2013-1286, CVE-2013-1287
  Known exploits: none publicly known
  Microsoft: Important, Exploitability 1
  ISC: clients Important, servers Less Urgent

MS13-035  HTML sanitization  (KB 2821818)
  HTML validation is not done properly in Microsoft Office (InfoPath), SharePoint Server, Groove Server and SharePoint Foundation, resulting in what looks like an XSS flaw leading to privilege escalation. Replaces MS12-066.
  CVEs: CVE-2013-0078
  Known exploits: Microsoft reports "limited, targeted attacks" against the vulnerability.
  Microsoft: Important, Exploitability 3
  ISC: clients N/A, servers Important

MS13-036  Kernel Mode Drivers  (KB 2829996)
  Multiple vulnerabilities in the Windows kernel mode drivers allow privilege escalation and read access to kernel memory as well as denial of service. Replaces MS13-016.
  CVEs: CVE-2013-1283, CVE-2013-1991, CVE-2013-1292, CVE-2013-1293
  Known exploits: none publicly known
  Microsoft: Important, Exploitability 1
  ISC: clients Important, servers Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability index we show is the worst (lowest number) of the ratings Microsoft assigns, since some bulletins carry too many individual ratings to list.

--
Swa Frantzen -- Section 66

3 Comments

Published: 2013-04-08

Cleaning Up After the Leak: Hiding exposed web content

Just this weekend, a user notified us of a company leaking sensitive information on its website. The information was readily available via Google, which is how the reader found it. The news outlets also talked about a case where the secret firmware key used to sign BIOS firmware from motherboard vendor MSI leaked due to an open FTP server, essentially invalidating the security of modern UEFI motherboards.

So what do you do? Someone notifies you "hey, I found this document on your website, and I don't think it should be there". First thing would be to verify the leak ("Identification"). Don't forget to send back a big thank you.

Next we need to contain the incident. You are probably looking for a quick fix first, something to stop the bleeding. Let's assume you don't have an actual "breach", so your systems are not compromised; someone just didn't use proper care when they published the documents.

Here are some quick fix options:

- set up a web application firewall rule to block access to the documents if you can identify common properties ("all PDFs", "all Excel spreadsheets in the /accounting directory", "all documents that contain the string 'SECRET' in the header").

- if you don't have a web application firewall, you may be able to do something similar with your web server configuration, but sometimes you are less flexible when it comes to that

- remove the documents from the web server. You probably don't want to just delete them: either move them out of the document root (at a minimum) or to a different system, tape, CD or some other medium.

This may be part of the identification step, but I suggest you first remove access to the content before you check your web logs to figure out who accessed the documents. Who needs to be notified of the leak internally or externally? 
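
As an added example (not from the original diary), here is how the "who accessed the documents" step can be scripted over a web server's combined-format access log: it keeps the requests whose path matches the leaked content and summarizes which clients actually received it, which of them were search engine crawlers (the copies you will need to get removed next), and which referers led people there. The log lines are constructed samples using documentation address ranges, and the /accounting/ path and file names are placeholders for whatever the leaked content turns out to be.

```python
"""Find who fetched a leaked document from a combined-format access log (added example)."""
import re
import sys
from collections import Counter

# Apache/nginx "combined" log format: client, identd, user, [time], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Apr/2013:10:12:01 +0000] "GET /accounting/q1-forecast.pdf HTTP/1.1" 200 48213 "http://www.google.com/search?q=acme+q1+forecast" "Mozilla/5.0"
66.249.66.1 - - [05/Apr/2013:02:40:17 +0000] "GET /accounting/q1-forecast.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [06/Apr/2013:11:02:45 +0000] "GET /index.html HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2013:10:12:30 +0000] "GET /accounting/salaries.xlsx HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Apr/2013:09:00:00 +0000] "GET /accounting/q1-forecast.pdf HTTP/1.1" 403 199 "-" "curl/7.29.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that are not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def leaked_accesses(log_text, path_pattern):
    """All parsed entries whose request path matches path_pattern (a regex)."""
    pat = re.compile(path_pattern)
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and pat.search(entry["path"]):
            hits.append(entry)
    return hits


def summarize(hits):
    """Who actually got the content: counts per client, crawler IPs, referers, and blocked attempts."""
    served = [h for h in hits if h["status"].startswith("2")]
    return {
        "served": len(served),
        "by_ip": Counter(h["ip"] for h in served),
        "crawlers": sorted({h["ip"] for h in served if "bot" in h["ua"].lower()}),
        "referers": Counter(h["referer"] for h in served if h["referer"] != "-"),
        "blocked": len(hits) - len(served),   # requests made after access was removed
    }


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    pattern = sys.argv[2] if len(sys.argv) > 2 else r"^/accounting/"
    for key, value in summarize(leaked_accesses(text, pattern)).items():
        print(f"{key}: {value}")
```

Run it as `python leak_access.py /var/log/apache2/access.log '^/accounting/'` (or with the pattern that matches your WAF rule) once the content is blocked; the "blocked" count then tells you whether anyone is still trying.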

Next plan the real fix (Eradication)

- who needs access to the documents?
- do we already have an authentication system we can leverage?
- how critical are the documents? What is an appropriate authentication scheme for them?

Don't rush this part! It can be hard to come up with correct access control rules after the fact, and it will take some time to get this right.

Finally, don't forget the cleanup of external copies. Remember: once it is online, it is online forever.

- check search engines for cached copies of the content, and ask them to remove it
- while "robots.txt" is not a security feature, blocking access via robots.txt can speed up search engine removal
- search for other copies online of the content (Google, Bing, Pastebin, Twitter...) and try to remove these copies

It may be very hard, or impossible, to remove all copies. 

Once the fix is tested, you probably want to make the documents available again; in some cases the real solution may be not to offer the documents online in the form in which you had them ("Recovery").

Lastly, don't forget the "Lessons Learned" part. In particular, don't forget to look at other spots where you made the same mistake, and try to fix the process used to make content live on your website. It is hardly ever the fault of an individual, but instead, a failure in the content management process, that leads to leaks like this.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

1 Comments

Published: 2013-04-05

Back to the past with penny stock spam

Most of you will remember the penny stock SPAM messages from a fair few years ago.  The main aim of the game is to buy a bunch of penny stock and then run a SPAM campaign to drive buying interest, artificially inflating the price of the stock.  They sell and make their money. It may be a few cents per share, but if you own enough of it, it can be quite profitable.  Most SPAM filters are more than capable of identifying and dumping this kind of SPAM. 

It looks however like it is becoming popular again.  My little SPAM traps have been receiving a few of these messages over the last few days. 

It is making noise again!!! It Started Moving After this

News!!!

Date: Thursday, Apr 4th, 2013

Name: Pac West Equities, Inc.

To buy: P_WEI

Current price: $.19

Long Term Target: $.55

OTC News Subscriber Reminder!!! Releases Breaking News This

Morning!

What is old is new again. It might be a good idea to check that your filters are taking care of these for you.

Mark 

(too much Big Bang Theory before writing ;-) thanks for pointing it out )

11 Comments

Published: 2013-04-04

Microsoft April Patch Tuesday Advance Notification

Microsoft is expecting to release a total of 9 bulletins, 2 of which are critical, and the rest important. One of the critical bulletins affects Windows and Internet Explorer, so we expect the usual Internet Explorer cumulative patch, maybe fixing some of the "pwn2own" vulnerabilities discovered during CanSecWest.

Otherwise it is a lot of "the usual" with Windows, Office and "Server Software" (Sharepoint and Groove) patches. The one that sticks out a bit is the bulletin fixing "Security Software". It will patch a vulnerability in Windows Defender on Windows 8 and RT. 

So overall an average patch Tuesday. 

http://technet.microsoft.com/en-us/security/bulletin/ms13-apr

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

0 Comments

Published: 2013-04-04

Postgresql Patches Critical Vulnerability

The Postgresql team announced earlier today the release of patches for its popular open source database. The description of the vulnerability sounds quite scary. An attacker may cause corruption to the database, or if the attacker is able to log in, the attacker may then escalate privileges and in some cases execute arbitrary code.

The vulnerability is triggered by connecting to the database and specifying a database name that starts with a "-". This database does not have to exist for the vulnerability to be triggered. The database name starting with a "-" is then parsed as a command line argument and can be used to corrupt the database. 

There was some controversy about how the bug was handled by the postgresql team. But overall, they appear to have done a good job in patching this quickly. For the last few days, the postgresql source code repository was not viewable to prevent an early release of the vulnerability.

Of course, nobody should allow direct connections to the database from the Internet, but this bug may be exploitable after, for example, compromising a web server with a PostgreSQL backend (a simple SQL injection is probably not enough, but other exploits that modify the database connection string could be used).

So in short: patch 

References:

http://seclists.org/bugtraq/2013/Apr/26
http://www.postgresql.org/support/security/faq/2013-04-04/

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

2 Comments

Published: 2013-04-03

The HTTP "Range" Header

One of the topics we cover in our "Defending Web Applications" class is how to secure static files. For example, you are faced with multiple PDFs with confidential information, and you need to integrate authorization to read these PDFs into your web application. The standard solution involves two steps:

- Move the file out of the document root
- create a script that will perform the necessary authorization and then stream the file back to the user

Typically, the process of streaming the file back to the user is pretty simple. Most languages offer the ability to read the file and echo it back to the browser. In some cases, PHP for example, there is a dedicated function for this (readfile). This makes writing these access control scripts pretty easy, until you are faced with a new twist: the "Range" header.

The "Range" header is meant to be used to support partial downloads. A client may request just part of a file, instead of asking for the entire file.

RFC 2616 is a bit ambiguous when it comes to "Range" headers. First of all, it introduces the "Accept-Ranges" header, which can be used by the server to signal that it supports the "Range" header. Next, it states that the client may send a request using a "Range" header anyway, even if the server doesn't advertise support for it. The server also has the option to send "Accept-Ranges: none" to explicitly state that it does not support this type of header.

So what's the problem? It turns out that different HTTP clients deal with "Range" headers slightly differently. In particular, the iOS Podcast client requires support for the Range header, and will only download parts of the file if it is not supported. Apple recently advised iTunes publishers of this issue and requires content to be hosted on servers that support the Range header.

For a server this is usually not a problem, were it not for a recent Apache DoS attack that caused some administrators to block Range requests. Also, our "file streaming" script now needs to support range requests. 

Here is a quick outline of how to support "Range" requests properly:

  1. Figure out if the Range header is used and extract the requested range. The Range header should look like: 
    Range: bytes=1234-5678
    but could look like:
    Range: bytes=0-
    If the upper end is missing, it means "until the end of the file".
  2. Load the file (if possible, only the part that needs to be sent).
  3. Send the file, but use a "206 Partial Content" response code. Also add the "Content-Range" header to indicate what you are sending: 
    Content-Range: bytes 1234-5678/1234567    (start-end/total size)
    One interesting twist: the "size" is a byte count, while the range is given as offsets, so the maximum offset in a "Range" is size-1.
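
Putting the three steps together, here is an added example (not the diary's own code) of such a streaming script in Python. It authorizes first, parses a single-range Range header including the open-ended ("bytes=0-") and suffix ("bytes=-500") forms, clamps the end offset to size-1, answers 416 with "Content-Range: bytes */size" for an unsatisfiable range, falls back to a full 200 response for multi-range requests rather than trying to honor them, and includes a small helper that flags the tiny ranges worth a log line. The document store, user names and document name are placeholders; the file bytes are held in memory only to keep the example self-contained.

```python
"""Stream a protected file honoring the Range header (added example, not the diary's code)."""
import re

RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")   # exactly one byte-range-spec


def parse_range(header, size):
    """Return (start, end) as inclusive byte offsets, or None to ignore the header.

    Handles "bytes=a-b", "bytes=a-" (to end of file) and "bytes=-n" (last n
    bytes). Multi-range requests such as "bytes=0-1,5-9" do not match and are
    ignored, so the caller sends the whole file, which RFC 2616 permits.
    Raises ValueError for an unsatisfiable range (the caller answers 416).
    """
    if header is None:
        return None
    m = RANGE_RE.match(header.strip())
    if not m:
        return None
    first, last = m.groups()
    if first == "" and last == "":
        return None
    if first == "":                                # suffix form: the last n bytes
        n = int(last)
        if n == 0:
            raise ValueError("unsatisfiable suffix range")
        return max(size - n, 0), size - 1
    start = int(first)
    end = size - 1 if last == "" else min(int(last), size - 1)   # offsets stop at size-1
    if start >= size or start > end:
        raise ValueError("unsatisfiable range")
    return start, end


def build_response(data, range_header, content_type="application/pdf"):
    """(status, headers, body) for an already-authorized file held in `data`."""
    size = len(data)
    try:
        rng = parse_range(range_header, size)
    except ValueError:
        return 416, {"Content-Range": f"bytes */{size}", "Accept-Ranges": "bytes"}, b""
    if rng is None:
        headers = {"Content-Type": content_type, "Content-Length": str(size),
                   "Accept-Ranges": "bytes"}
        return 200, headers, data
    start, end = rng
    body = data[start:end + 1]
    headers = {"Content-Type": content_type, "Content-Length": str(len(body)),
               "Content-Range": f"bytes {start}-{end}/{size}",   # end is an offset, size a count
               "Accept-Ranges": "bytes"}
    return 206, headers, body


def serve(user, document, store, range_header):
    """Authorize first, then stream. `store` maps a name to (allowed users, file bytes)."""
    if document not in store:
        return 404, {}, b""
    allowed, data = store[document]
    if user not in allowed:
        return 403, {}, b""
    return build_response(data, range_header)


def worth_logging(range_header, size, min_bytes=64):
    """Flag tiny or unsatisfiable ranges: the byte-at-a-time pattern worth a log line."""
    try:
        rng = parse_range(range_header, size)
    except ValueError:
        return True
    return rng is not None and (rng[1] - rng[0] + 1) < min_bytes
```

In a real script, replace the in-memory bytes with a seek to `start` and a read of `end - start + 1` bytes from the file outside the document root, and log the requests that worth_logging flags rather than refusing them.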

Aside from the annoyance of having to write a more complex script, why does this matter for security?

Think Intrusion Detection systems, and maybe even web application firewalls: It is now for example possible for an attacker to request your secret document one byte at a time, possibly defeating data leakage protection. Or an attacker streaming an exploit from a web server could do so in small chunks to again defeat content filtering by the client. I played with various overlapping ranges and such, and it looks like browsers will discard these requests as they should. 

It is also possible to specify multiple ranges in one request (which is what the Apache DoS was about), but so far I haven't observed any requests like this.

In short: watch it but don't block it. It may make sense to log and pay attention to Range requests, but you shouldn't blindly block all of them as they may be required by the browser/http client.

References:
RFC 2616: http://www.rfc-editor.org/rfc/rfc2616.txt

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

4 Comments

Published: 2013-04-02

SSH scans from 188.95.234.6

We received the following earlier today regarding scans to SSH from this IP address which is a research group in Germany.  As far as we are aware it is legitimate research and the scans have been conducted previously.   So if you see scans from this IP address, this is what it is about. I'll leave whether you wish to block it or take advantage of their blocklist up to you.  

Cheers

Mark.  

Dear colleagues,

Our team at the Network Architectures and Services Dept. (I8) of TU
München, Germany, has started an IPv4-wide SSH scan. This is the same
kind of scan that we have conducted several times over the past few
months. Once again, the purpose is purely scientific.

The scanning machine is 188.95.234.6.

It is not infected, nor is an attack intended (we do *not attempt to
login*, in fact we send the most harmless username ever). However, this
is a large-scale scan, which we expect to last up to 10 days. The
long-term goal is continuous scans.

We are perfectly aware that many IDS systems will count this as
an attack. We are thus writing in order to inform you of our activity.
If there is anything you can do - adding us to a whitelist, adding a
comment in your DB etc. - we would very much appreciate your help.

Please note that we respond to every complaint and are happy to
blocklist systems with annoyed admins.

Background information can be found here:

29C3 Lightning Talk, from minute 9:
http://www.youtube.com/watch?v=eao8yBKHYT8

Crossbear-Paper:
http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/holz_x509forensics_esorics2012.pdf

Project homepage: https://pki.net.in.tum.de

15 Comments

Published: 2013-04-01

Request for web log files (mainly 500 error messages)

At the moment I'm working on a few projects, one of which is looking at SQL injection. What I do not have, however, is enough samples of web logs, especially those with 500 errors in them. If you are able to share your 500 error records, please send them in. Feel free to obfuscate the server IP; leaving the first three octets is preferable, but the first two are fine as well.

Please just send them to markh.isc at gmail.com rather than upload them to the contact form, as I don't want to flood that address. The results will be published here in a couple of months (anonymised), and if I find anything of interest in your log files, you'll be the first to know. So think of this as a free review of your web logs :-)

Thanks in advance.

Mark H 

2 Comments

Published: 2013-04-01

World Backup day, Did you miss it?

March 31st was designated as World Backup Day (http://www.worldbackupday.com/) with a quite catchy slogan of "Don't be an April fool". 

In the corporate world backups tend to be taken care of quite nicely by corporate IT; however, most of us are now storing significant amounts of data at home. Quite a lot of it has never been backed up, or at least not recently. I had a look earlier today at what data I do have backed up and what I do not have backed up. To say that I was a little bit disappointed with myself is an understatement. Most of the critical work-related stuff is all backed up, kudos to me. However, when it comes to music or photos I stink. It doesn't look like I have backed up as much as I thought I had (fixed now).  

So in light of World Backup Day, have a look at your systems at home and make sure that you have a backup available of the things that are important (or that other people will tell you are important). 

Probably the easiest is to use a removable hard drive, but there are many online options available as well which can be quite attractive. Just remember that sucking 30GB from the internet back down to your machine may take some time. Also consider who will have access to your stuff whilst it is backed up in the cloud. You may want to encrypt the data whilst you are at it.  

If you are backing up your stuff, well done. Make sure, though, that you can get it back again. On occasion I get asked to recover data from drives that have not been used in years and years. Sometimes that is a happy story, many times it is not. Don't forget DVDs also degrade over time, so data stored on those may also need to be rewritten every few years or so.  

For those of you who are the IT help for friends and family, I have your gifts for the year sorted out. Buy them a hard drive so they can back up their stuff; many now come with some backup software included. Or set up an online backup service for friends and family. 

Happy backing up. 

Mark H

7 Comments