
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-01-21



KDE kjs encodeuri/decodeuri heap overflow vulnerability

Published: 2006-01-21
Last Updated: 2006-01-21 20:07:13 UTC
by Koon Yaw Tan (Version: 1)
There is a vulnerability in the KDE kjs JavaScript interpreter engine which can be exploited to cause a DoS or to execute arbitrary code on a vulnerable system.

The JavaScript interpreter engine used by Konqueror and other parts of KDE contains a heap overflow which can be triggered when decoding specially crafted UTF-8 encoded URI sequences. A vulnerable system can be compromised by malicious JavaScript code (e.g. on a malicious website) that runs in the affected interpreter engine.
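The bug class described above is a decoder that trusts the length a crafted escape sequence announces. The following is an added example written for this diary, not the kjs code and not a reconstruction of the KDE fix: a strict percent-decoder that validates each UTF-8 sequence against the bytes actually present before reading them, and that accumulates output in a buffer bounded by the input size. The function names and the sample inputs are the example's own.

```python
"""Strict percent-decoding of a URI component (added example, not KDE code).

Two checks keep crafted input from driving a decoder past a buffer:
  1. the byte count a UTF-8 lead byte announces is compared with the bytes
     still available before any continuation byte is read;
  2. decoded bytes go into a growable buffer that can never exceed the
     input length (each %XX escape is 3 chars in, 1 byte out).
"""


def _utf8_seq_len(lead: int) -> int:
    """Length of the UTF-8 sequence announced by a lead byte, or 0 when the
    byte cannot start a sequence (stray continuation byte, the overlong
    leads 0xC0/0xC1, or 0xF5..0xFF)."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    return 0


def percent_decode_bytes(s: str) -> bytes:
    """Turn %XX escapes into raw bytes; other characters pass through.
    Raises ValueError on a truncated or non-hex escape."""
    out = bytearray()
    i, n = 0, len(s)
    while i < n:
        if s[i] != "%":
            out.extend(s[i].encode("utf-8"))
            i += 1
            continue
        hexpart = s[i + 1:i + 3]
        if len(hexpart) != 2 or any(h not in "0123456789abcdefABCDEF" for h in hexpart):
            raise ValueError(f"malformed escape at offset {i}")
        out.append(int(hexpart, 16))
        i += 3
    return bytes(out)


def strict_utf8_decode(data: bytes) -> str:
    """Walk the UTF-8 structure explicitly so the bounds check is visible.
    bytes.decode('utf-8') alone would also reject this input; the walk shows
    where a decoder must check the announced length against what remains."""
    i, n = 0, len(data)
    while i < n:
        need = _utf8_seq_len(data[i])
        if need == 0:
            raise ValueError(f"invalid lead byte 0x{data[i]:02x} at offset {i}")
        # The check that matters: do not read continuation bytes that are not there.
        if i + need > n:
            raise ValueError(f"truncated sequence at offset {i}: need {need}, have {n - i}")
        for j in range(1, need):
            if data[i + j] & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte at offset {i + j}")
        i += need
    # Structure is sound; the standard decoder still rejects overlong forms
    # and surrogates, so stay strict rather than using errors="replace".
    return data.decode("utf-8", errors="strict")


def decode_uri_component(s: str) -> str:
    """Strict counterpart of JavaScript's decodeURIComponent for this example."""
    return strict_utf8_decode(percent_decode_bytes(s))


def is_well_formed(s: str) -> bool:
    """True when the escaped string decodes cleanly, False for the malformed
    sequences a strict decoder must reject (UnicodeDecodeError is a ValueError)."""
    try:
        decode_uri_component(s)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a valid 2-byte sequence, a truncated 3-byte one,
    # an overlong encoding of "/", and a stray continuation byte.
    for sample in ("caf%C3%A9", "%E2%82", "%C0%AF", "%E0%80%AF", "%80"):
        print(repr(sample), "well-formed" if is_well_formed(sample) else "rejected")
```

The rejecting branches are the point: a decoder that instead computed the output size from the lead byte and then copied whatever followed would read or write past the end of its buffer on the truncated input.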

Details can be found at:
http://secunia.com/advisories/18500/
http://www.kde.org/info/security/advisory-20060119-1.txt

Shellbot

Published: 2006-01-21
Last Updated: 2006-01-21 20:05:03 UTC
by Koon Yaw Tan (Version: 1)
We received a submission from our reader James reporting on a compromised system. It was likely exploited through a vulnerable Mambo installation.

The compromised system attempts to download a tool and a Perl script from:

http://www.fullcrew.net/cmd/tool25.dat
http://shikoe.net/multi.txt
http://shikoe.net/ok.txt

The multi.txt and ok.txt files are the same Perl script, which performs various tasks such as TCP/UDP/HTTP flooding and port scanning, and also uses Google to search for vulnerable targets. This is very similar to what is seen on:

http://www.webhostingtalk.com/archive/thread/478039-1.html

It also attempts to connect to an IRC server (shell.durresi.be) on port 34345. The interesting part of the domain durresi.be is:

* The domain was only registered on 20 Jan 06.
* Some of the registration information is suspicious and fake. It is a .be domain but registered using a .it email address, a UK snail mail address and a fake US telephone number.

How interesting. If you are running the Mambo application, make sure it is the latest version.
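The download URLs, the IRC host and the port above are the indicators a defender can look for in proxy, firewall and DNS logs. The script below is an added example for this diary, not something the reader submitted: it scans constructed log lines in a simplified format of my own (hypothetical, not any real product's syntax) for those indicators and reports hosts that show both the script download and the IRC connection attempt.

```python
"""Match the Shellbot indicators from the diary against log lines.

Added example. The indicators (hosts, paths, port) are the ones the diary
lists; the log format and the sample lines are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Indicators taken from the diary entry.
DOWNLOAD_HOSTS = {"www.fullcrew.net", "shikoe.net"}
KNOWN_PATHS = {"/cmd/tool25.dat", "/multi.txt", "/ok.txt"}
IRC_HOST = "shell.durresi.be"
IRC_PORT = 34345

# Constructed sample lines (hypothetical format): proxy, firewall and DNS events.
SAMPLE_LOG = """\
proxy 10.0.0.5 GET http://www.fullcrew.net/cmd/tool25.dat 200
proxy 10.0.0.5 GET http://shikoe.net/multi.txt 200
proxy 10.0.0.9 GET http://www.example.com/index.html 200
fw src=10.0.0.5 dst=192.0.2.10 dport=34345 proto=tcp action=allow
fw src=10.0.0.7 dst=192.0.2.20 dport=443 proto=tcp action=allow
dns 10.0.0.5 query shell.durresi.be
"""

PROXY_RE = re.compile(r"^proxy (\S+) (\w+) (\S+) (\d+)$")
FW_RE = re.compile(r"^fw src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")
DNS_RE = re.compile(r"^dns (\S+) query (\S+)$")


def scan_log(text):
    """Return one finding dict per line that matches an indicator.
    kind is 'download' (fetch of the tool or script), 'irc-port' (outbound
    TCP to port 34345) or 'dns' (lookup of the IRC host or a download host)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PROXY_RE.match(line)
        if m:
            src, _method, url, _status = m.groups()
            u = urlsplit(url)
            if u.hostname in DOWNLOAD_HOSTS or u.path in KNOWN_PATHS:
                findings.append({"line": lineno, "src": src, "kind": "download", "indicator": url})
            continue
        m = FW_RE.match(line)
        if m:
            src, dst, dport, _proto = m.groups()
            # Port alone is a weak indicator; it is weighted below by requiring a second hit.
            if int(dport) == IRC_PORT:
                findings.append({"line": lineno, "src": src, "kind": "irc-port", "indicator": f"{dst}:{dport}"})
            continue
        m = DNS_RE.match(line)
        if m:
            src, qname = m.groups()
            if qname == IRC_HOST or qname in DOWNLOAD_HOSTS:
                findings.append({"line": lineno, "src": src, "kind": "dns", "indicator": qname})
    return findings


def likely_compromised(findings):
    """Sources that both fetched the tool/script and showed a C2 indicator."""
    kinds_by_src = {}
    for f in findings:
        kinds_by_src.setdefault(f["src"], set()).add(f["kind"])
    return {src for src, kinds in kinds_by_src.items()
            if "download" in kinds and kinds & {"irc-port", "dns"}}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['src']} {h['kind']} {h['indicator']}")
    print("likely compromised:", sorted(likely_compromised(hits)))
```

Requiring two independent kinds of evidence before naming a host keeps a single connection to an unusual port, which is common in normal traffic, from raising an alert on its own.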

Thanks to Patrick Nolan, Marc Sachs and Swa Frantzen for the information.
